During our first session of Fraud Office Hours, an attendee asked, "How do fraudsters obtain synthetic ID or lost card information to be used on Fintech platforms?" Watch this video clip to see how Unit21's Head of Fraud Risk, Alex Faivusovich, responded.
How Fraudsters Obtain Synthetic ID or Lost Card Information
"Something very interesting that we are seeing is that we currently have so many entry-level fraudsters coming in with a great desire to conduct fraud.
But we also see the people who hold the databases, (the people who steal those identities and put them up for sale, the operators of the marketplaces, etc), realizing that all those new fraudsters don't understand how to access the dark web.
So, what we are experiencing is that marketplace owners are slowly shifting from the dark web into the deep web. So basically, you have a regular website where you can log in from your browser. You can use Chrome or any other browser that you like to use, which gives you access to all those stolen identities. It can be cards, it can be social securities. It can be medical records. Some marketplaces go as far as even selling bots.
So basically, you can buy a bot that infects the machine and takes all the information. So bad actors not only get the identity of the person, but they also get all the cookies and all the passwords stored in said Chrome browser as well. Once the bot has been purchased, the fraudster doesn't have to stop it from working. It keeps working. So this person, whose computer has been compromised, is actually a victim now that technically belongs to the person committing fraud.
This is a very interesting shift in supply demand. You can call it. The market always sticks to balance. And I think this is exactly what we're seeing.
We're seeing a lot of fraudsters who don't have the technical abilities to go to the dark web and try all those different forums and buy from those forums. Then they'll go to the deep web, which is essentially an eCommerce experience.
You sign up for the website. Sometimes they will ask you to do a small deposit in Bitcoin just to make sure you're serious about your intentions. And then you get access to pretty much an unlimited amount of identities and cards, and you name it."
Leverage Third Party Data and Risk Scores Using Unit21
Fortunately, Unit21’s flexible rule-based system allows teams to develop rules specifically designed to prevent synthetic ID fraud. Let’s look at an example of how it can be used to do this.
To start, we’re going to include some data points from identity verification into a transaction monitoring rule, something that’s made possible by the easy at which users can ingest custom and third party data into their rules development.
Let’s take a look at a case where someone had a synthetic risk score that was a little bit high, but not high enough to be automatically rejected. We can write a rule utilizing that synthetic risk score specifically, writing in a variable to the rule that flags situations where that score falls between 25 and 50. And we want to keep the monitoring broad, but not too broad, so we further refine the rule to identify only cases where the user has made 3 or more transactions that are $50 or more in the last 5 days.
This gives us a basic check on users based on their identity verification scores, allowing teams to directly leverage that data to create more refined rules that reduce false positives and allow your team to focus on cases that pose a legitimate risk.
Looking for more insights? Check out our first session of Fraud Office Hours on-demand for a deeper dive into current fraud trends and which preventative measures to consider.