We believe Gartner’s report, “The Growing Problem of Synthetic Identity and First-Party Fraud Masquerades as Credit Losses,” discusses the rise of synthetic identity and first party fraud losses being concealed as credit losses. In Part 2 of this webinar series we will explore Gartner’s recommendations and provide some real-world advice on how you can prepare your business to fight this trend.
In Part 2 of this webinar series, we’ll conclude with:
- Exploring how to battle synthetic identities and first party fraud
- Reviewing Gartner’s recommendations for building a comprehensive fraud prevention strategy
- Looking at some specific capabilities for helping to stop this type of fraud
*Gartner: Take a New Approach to Establishing and Sustaining Trust in Digital Identities, Tricia Phillips, Danny Luong, 1 March 2018.
2. 2
EDDIE GLENN
S E N I O R M A N A G E R , P R O D U C T M A R K E T I N G ,
I O V A T I O N
25+ years in product management and product marketing,
with focus on safety-critical and risk-prone software
Co-author Definitive Guide to Next Gen Fraud Prevention
Articles have appeared in ITSP Magazine, Totally Gaming,
Gambling Insider, iGaming,
Drives go-to-market initiatives for fraud solutions at iovation
3. 3
CREDIT
WRITE-OFFS ARE
ON THE RISE
2%
21%
Q2 Q3
Loan Loss Y/Y
20171
1First Data US Financial Institution Quarterly. December 2017. Volume 1, Issue 4
“…a top 5 US Retail
Bank reported a 26%
increase in credit
losses in Q1 2017…2
”
2”Surprise Surge in Card Defaults Sinks Capital One”, Bloomberg.com
4. 4
“The Growing Problem of Synthetic
Identity and First-Party Fraud
Masquerades as Credit Losses”
Written by Gartner Analysts:
Tricia Phillips
Danny Luong
A complimentary copy of this Gartner document is available by
request from iovation
Gartner, The Growing Problem of Synthetic Identity and First-Party Fraud Masquerades as Credit Losses,
Tricia Phillips, Danny Luong, 1 March 2018. GARTNER is a registered trademark and service mark of
Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights
6. 6
“By 2021, first-party fraud and synthetic
identity fraud will account for 40% of credit
write-offs, up from an estimated 25% today.”
The Growing Problem of Synthetic Identity and First-Party Fraud Masquerades as Credit
Losses, Tricia Phillips, Danny Luong, 1 March 2018. GARTNER is a registered
trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and
internationally, and is used herein with permission. All rights reserved.
7. 7
WHY DOES IT MATTER WHAT
DRIVES CREDIT LOSSES?
SILOS TIMECLASSIFICATION
8. 8
WHY DOES IT MATTER WHAT
DRIVES CREDIT LOSSES?
UNDERWRITING, CREDIT PROCESSES, AND MODELS ARE DESIGNED TO
DETERMINE CREDIT WORTHINESS AND ARE UNABLE TO DETECT
FRAUD
11. 11
STEP 1
P E R F O R M A C R O S S F U N C T I O N A L A U D I T O F N E V E R P A Y L O S S E S
Enlist help of fraud and new
account/underwriting leaders
throughout organization
Look for miscategorized
cases
Synthetic identity fraud
First party fraud
Use this data to quantify
losses and trends
12. 12
STEP 2
M A P Y O U R L O S S E S T O C U R R E N T M I T I G A T I O N T E C H N I Q U E S
CURRENT
CREDIT
MODELS
CURRENT
FRAUD
DETECTION
TOOLS
1st Party (unintentional default)
1st Party fraud (intentional default)
3rd Party synthetic identity fraud
3rd Party stolen identity fraud
+
+
+
X
X
X
-
-
+ X-Performs well Rarely performs well Performs poorly
13. 13
Take an inventory of fraud tools that your entire
organization uses today
Detecting money laundering
Preventing account takeover
Detecting fraudulent transactions
Just because your group doesn’t use them, they
might still be helpful
Can they be used to help with identifying first party fraud or
fraud from synthetic or stolen identities?
STEP 3
I D E N T I F Y C U R R E N T F R A U D P R E V E N T I O N T O O L S T H A T C O U L D B E
L E V E R A G E D
14. 14
Device Risk & Digital Identity Assessment
Behavior
Reputation
Real-world identity assessment
TOOLS THAT CAN BE USEFUL
F O R H E L P I N G C O M B A T F I R S T P A R T Y & S Y N T H E T I C I D E N T I T Y F R A U D
17. 17
MD5 Hash of the full font list
Random sample of 15 fonts
Flash SharedObjects not writable
Flash socket 843 based ip (real IP)
Boolean indicator: flash took longer
than expected to execute
Accepted Char Sets in HTTP header
Accepted languages in HTTP header
Browser user agent comment string
Browser name / OS / Ver / language
Cookie writes excluded
Boolean indicator, javascript enabled
Count of fonts in the full list
Flash 3-part version (16.0.0)
Flash 4-part version (16.0.0.305)
List of browser plugins
JavaScript screen resolution
Simbar toolbar GUID from HTTP hdr
Timezone offset in minutes
... and more
WiFi (or Bluetooth) MAC Address
Network configuration
iOS Device Model
Battery level / AC mode
Device orientation
File system size
Physical memory
CPU Type / Count /Speed
Number attached accessories
Has proximity sensor?
Screen brightness and resolution
System uptime
iOS Device Name (MD5 Hash)
OS Name and/or version
Device advertising UUID
Kernel version
iCloud Ubiquity Token
Application Vendor UUID /name/vers
Locale language / currency code
… and more
Model and Device Model
Build.DEVICE & Build.HARDWARE
Build.HOST & Build.ID
Manufacturer
Build.PRODUCT & Build.TIME
Network Operator ID & Name
Sim Operator ID & Country
System Uptime in Seconds
Is the device plugged in
CPU Type
Physical memory
Unique build fingerprint of app
Android SDK Level
Android Build Number (DISPLAY)
Android Device System Version
Detected attempt at hiding root detect
Kernel Version (was AKV)
Android Locale Country Code
Desktop Wallpaper Hash
… and more
AT ANY ONLINE TRANSACTION
HUNDREDS OF DEVICE ATTRIBUTES CAN BE COLLECTED
Web Device Print iOS SDK Android SDK
Adaptive analytics and machine learning can be used to determine level of risk.
18. 18
Is this device trying to
evade detection?
Does a combination of
attributes indicate risk?
Timezone mismatch,
odd screen size/OS version
IP Proxy masking, TOR, VPN,
Fraud Fox, Anti-Detect
EXAMPLE EXAMPLE
SAMPLE RISK INDICATORS
20. 20
Is device being being evasive?
Is transaction velocity high?
Has device been used to access
many accounts?
Has device recently created many
new accounts/applications?
Was the credit application filled out
quicker than humanly possible?
DEVICE
BEHAVIOR
21. 21
Is there a high number of
associations between different
devices?
Are there other odd relationships
between multiple devices and
accounts?
DEVICE
ASSOCIATIONS
23. 23
CYBERCRIMINALS FREQUENTLY
SWITCH IDENTITIES.
THEY DON’T FREQUENTLY
SWITCH DEVICES.
If you flag one application as being
fraudulent, it may not stop others.
USE DEVICE REPUTATION
TO FLAG DEVICES ASSOCIATED
WITH FRAUD
24. 24
HARNESS THE POWER OF A NETWORK
FRAUD ANALYSTS FLAG DEVICES WHEN FRAUD IS CONFIRMED. THE REST OF THE NETWORK
BENEFITS FROM THIS DEVICE REPUTATION EVEN WHEN DIFFERENT PERSONAL IDENTITIES ARE USED.
SYNTHETIC IDENTITY
STOLEN IDENTITY
FIRST PARTY APP FRAUD
CREDIT CARD FRAUD
25. 25
MAXIMIZING PROTECTION
Is this device associated with past stolen identity?
Is this device associated with a past first party application
fraud?
Are any device risk factors present: location, jailbroken,
evasion, velocity, other inconsistencies?
Is this device associated with past synthetic identity?
Has this device been seen before?
How many applications have been created recently?
SUBMIT
D U R I N G L O A N O R C R E D I T A P P L I C A T I O N P R O C E S S
26. 26
DEALING WITH THE UNKNOWN
GOOD CUSTOMER
True identity, good
intent, good credit
RISKY CUSTOMER
True identity, good
intent, bad credit
BAD CUSTOMER
True identity, bad
intent, variable credit
CRIMINAL
Stolen/synthetic
identity, bad intent,
variable credit
27. 27
RISK SIGNALS
P R O V I D E D B Y O N L I N E F R A U D D E T E C T I O N T O O L S
Device
Risk
Real-
World
Identity
Reputatio
n
Digital
Identity
Assessment
Behavio
r
Good Customers (true identity,
good intent, good credit)
Risky Customers (true identity,
good intent, bad credit)
Bad Customers (true identity, bad
intent, variable credit)
Criminals (stolen/synthetic ID,
bad intent, variable credit)
+
+
X X
?
X Negative signals
? Mixed signals
+ Positive signals
+
+
+
+
X X
X
+ + +
+ +
+?
?
29. 29
IOVATION STATS FOR FINANCIAL SERVICES
O N L I N E F R A U D P R E V E N T I O N A N D A U T H E N T I C A T I O N U S I N G D E V I C E
I N T E L L I G E N C E
Total financial transactions
protected
3.3B
Risky transactions stopped 22M
Reputation reports filed 418K
Devices seen previously 77%
Iovation data, June 2017 – June 2018
Velocity
Multiple Factors
Device Risk
Reputation
Location
Risk
Device
Age
Other Risks
Factors our customers use to stop fraudulent activity
30. 30
Work across your organization;
underwriting and fraud
prevention departments
To fight application fraud from
first party, synthetic, and stolen
identities you have to classify it.
Underwriting tools and
processes are not useful for
fighting this kind of fraud
Use a combination of tools and
processes:
Device Risk & digital identity
Assessment
Real-world identity assessment
Reputation
Behavior
SUMMARY
Thank you Brooke. Hello everyone. Thank you for taking the time to join today’s webinar. Because I know how busy everyone is, I’m going to keep this at around 30 minutes, so let’s get started!
During last month’s webinar, we discussed that multiple industry indicators are showing an increase in credit losses. For example, First Data US Financial Institution Quarterly reported that losses rose from 2% in Q2 of 2017 to 21% of Q3 that same year. Today, we’ll explore specific recommendations for how you can battle this concerning trend.
Several Gartner analysts investigated this trend and produced a report titled “The Growing Problem of Synthetic Identity and First-Party Fraud Masquerades as Credit Losses.”
As an attendee of this webinar, iovation will provide you a copy of this report.
For the remainder of this webinar, we’ll dive into the details of this report, including strategies on how you can combat this type of fraud.
In their report, Gartner identified 4 possible reasons to explain the industry’s increased credit losses”
Unintentional fraud – loans or credit cards that consumers opened up with every intent to pay but for whatever reason, a divorce, medical situation, or job loss, have been unable to pay.
First party fraud – loans or credit cards opened by fraudulent consumers with the deliberate intent of never to repay
Stolen identity fraud – loans or credit cards opened up by fraudsters using someone else’s identity
And finally, synthetic identity fraud – loans or credit cards opened up by fraudsters using bits and pieces of real identities. Synthetic identities are often very hard to spot because they look real, the credit file of the identity doesn’t look much different from that of a young person, someone with a light credit history.
Gartner is estimating credit losses from first party application fraud and synthetic identity fraud is on the rise. They estimate that 25% of credit losses in 2018 are due to these types of fraud and they expect that to grow to 40% by 2021.
That’s a concerning trend. But, what can credit institutions do to address this?
During last month’s webinar, someone asked us the question why does it matter what is driving credit losses. Gartner goes into much detail in their report.
Primarily it matters because it impacts how you will need to vary your strategy to reduce fraud losses based on what is driving them in the first place.
<CLICK>
First, in order to be able to stop a credit loss, you need to have metrics to help determine how serious of a problem you have. In order to build metrics, you need to be able to classify what caused the loss. If it is indeed an underwriting problem, then is there a problem with your credit scoring model? If it is first party fraud, then what type of first party application fraud? By having metrics and classification, you can begin to think about what types of preventative and detection tools to use.
In addition, misclassification prevents the necessary tracking of specific fraud types which makes it close to impossible to build an ROI for the investment of new tools to detect these types of activities.
<CLICK>
The next consideration is around who is responsible for fighting the fraud that led to the loss. Financial institutions often separate their fraud and underwriting cases. These groups have different organizational structures, use different preventative technology, and rely on different performance indicators. Working in silos makes patterns of related incidents harder to identify. If they are hard to identify, then they are hard to stop.
Fraudsters don’t work in silos. They are using every tactic available to them to commit fraud. They count on financial institutions being silo’d and thus they have found a rich payday in fraud. They may start out committing first party application fraud, then switch to using stolen identities and then synethetic identities.
<CLICK>
Finally, time is of the essence. If your institution is under a coordinated or repeated fraud attack, you want to know that as quickly as possible. If you are misclassifying first party fraud or synethetic fraud as unintentional fraud, your silo’d fraud group may not even know there is a coordinated attack and that there are related incidents of fraud occurring because these are being reported as non-pays.
You don’t want to wait months for an account to be in the collections process only to later find out that it was a case of synthetic identity fraud. How many more cases may have happened during this time?
Keep in mind…if your credit losses aren’t due to a credit worthiness problem, then your underwriting, credit processes, and models will not help you detect and fight the kind of fraud that is leading to the credit losses.
So let’s look at what Gartner’s recommendations are.
According to Gartner, if you can’t name it, you can’t measure it, and if you can’t measure it, you can’t set acceptable levels or monitor trends. And if you can’t monitor trends, you can’t build an ROI to invest in tools to detect and stop it.
Each form of fraud requires different detection and prevention measures and behavior models. The lack of accurate and consistent categorization results in ineffective application of mitigation techniques and causes difficulty for your organization to justify new tools, strategies, and training.
So let’s look at these step by step.
The first thing that Gartner suggests is that your organization gets a better understanding of what level of a problem you have with credit losses. Credit losses that may have previously been attributed to unintentional fraud may not actually be that. So you should review, perhaps the past 12-18 months cases of all credit losses.
Reach out to others in your organization, leaders in new account and underwriting departments and set up a cross organizational task force to look for cases of credit loss that is due to issues other than unintentional defaults. This will increase the likelihood that clues to the type of loss will be detected.
Look for cases of synthetic identity and first party fraud.
Finally, use this data to quantify losses and trends and to categorize them. Does this data show an increase in synthetic identity fraud? Or first party application fraud?
So, what tools and processes are you currently using to mitigate your losses? Not all tools and processes perform the same way based on the reason for the credit loss.
For example,
<CLICK>
…
Next, looking across your organization, develop an inventory of various fraud prevention tools that are already being used. Just because your group isn’t using them today,
many of them might be useful to repurpose to help you fight fraud from first party and synthetic identity.
Gartner identifies some categories of fraud prevention tools that can be helpful. We’ll look at each category in more detail in the next few slides.
The first category of tools centers around the devices that fraudsters use when conducting online transactions such as submitting a credit application.
So, what kind of information can a device provide that is useful for detecting and stopping fraud?
Even if you aren’t completely sure who the person is on the other end…after all it could be a fraudster using a stolen identity or synthetic identity…or their own identity, using a device intelligence tool you can discover some important information.
The first thing that a device intelligence tool needs to do is to collect information about the device. This information is used for two purposes.
The first purpose is to create a unique device identification for the device. In cases of synthetic identity fraud and stolen identity fraud, it is IMPERATIVE, that the device identification is performed INDEPENDENTLY of any personal information provided by the user. Afterall, a fraudster is rarely providing accurate information about themselves. Not all device intelligence tools do this so when you are looking at your options, you really should focus on the ones that can uniquely identify a device without need of any personal information.
We often refer to this device identification as a ‘device fingerprint’. When I say that, I don’t mean the user’s fingerprint read from the device, but instead am referring to a unique set of attributes from the device that allows us to recognize that device again and again as being the same device.
It’s important to note that when we talk about device identification we aren’t referring to a device manufacturer’s identification number that is sometimes stored in each device, or even an operating system device identifier. These are easily changed and spoofed by a fraudster.
Once the device has been recognized and a unique identification assigned to the device, then we can look at what else the device attributes can provide you. These attributes are very useful in detecting risk that the device poses to the online transaction.
For instance, you can tell if the person is trying to lie about where they are located at. Even though it is relatively easy to alter the location of the person and device in an online transaction, there are many device indicators that reveal the true location. If the individual is intentionally lying about their location or even just trying to hide it by using a proxy service, then this is a risk signal that may indicate that other aspects of what they are telling you is incorrect.
Hundreds of attributes can be collected from a device. The exact list varies depending on if the user is using your mobile app to submit a credit application or using a web browser.
Adaptive analytics and machine learning can be very useful in picking up subtle risk patterns to help alert you if a particular device is posing risk. Let’s look at a few example risk indicators.
In an earlier slide, I mentioned that location information can signal risk. Specifically, we can look at if the multiple geolocation indicators all match up to the same location. If they do not, then this could be a signal that a fraudster is trying to manipulate their device.
You can also determine if the fraudster is trying to hide their location by using proxy masking such as TOR, VPN or a web browser tool like Fraud Fox or Anti-Detect. While evasion doesn’t always mean that the person is trying to commit fraud, it is a risk signal that should prompt you to use caution when processing the transaction.
There are other attributes that can be read from the device as well that indicate risk. For example, if the device is reporting that it is a mobile device but the screen resolution is not correct for the type of mobile device, then this could indicate that a fraudster is manipulating their device information.
At iovation, we have seen an increase of fraud when devices have been jailbroken. Sometimes fraudsters do this to install special software to help them evade detection. Another common attribute that is associated with a risk of fraud is when an emulator is being used.