Main Points for Consideration:
- Traditional Identity Theft schemes steal the identity of a known person to impersonate the victim.
- Synthetic Identity Theft uses a Social Security Number for form a new, but fake person.
- Synthetic identities can satisfy known loan underwriting procedures.
- Synthetic identities create additional risk factors for Blockchain systems.
- Synthetic identities can be formed before being included into a Blockchain system.
- Synthetic identities may be used to impersonate known participants.
Advances in Blockchain technology can develop platforms to protect individuals’ identities from theft and also help businesses authenticate participants. But how can Blockchain provide assurances that the identities are valid in the first place? Answers may be found by understanding the threats of Synthetic Identity Theft, and how to mitigate those threats.
In a more traditional identity theft scheme, a perpetrator will steal Personally Identifiable Information (PII) to impersonate the victim. But Identity Theft has evolved into a hybrid form known as Synthetic Identity Theft where a perpetrator is not trying to impersonate the victim. Instead of stealing and impersonating the identity of actual persons, a new persona is invented by the perpetrator. This is accomplished by using a Social Security number to create a completely fictitious personal profile.
Synthetic Identity Theft – How It’s Done
Identity thieves obtain Social Security numbers using familiar techniques like Phishing schemes; forming phony websites to collect PII from victims; using corrupt internal employees who have access to PII; and even buying stolen SSANS obtained from data breaches. The fraudster will add a name, date of birth, and address to create new PII for a fictitious person. The new identity is then used establish records in public databases, credit files, phone and utility records, and social media profiles, etc. Afterwards, the perpetrators can monitor the payment history, credit score and public persona of the fake person. The new accounts established by the fraudster can be immediately used for financial fraud schemes, or, used as sleeper accounts that lay dormant for long periods of time. The dormant accounts can be sold on the black market to other criminals.
Synthetic Identity Theft Schemes – Where Are They Found?
Fictitious synthetic identities are often used to attack internet-based business transactions. As an example, the automobile industry uses internet-based sales for purchasing vehicles without face-to-face interactions with a sales person. Some dealerships have been victimized by perpetrators forming fake identities used to satisfy standard loan underwriting requirements. Financing arrangements were completed with fake personas and vehicles were delivered to other locations where the vehicles were used in other criminal activity.
These schemes have impacted government operations including Veterans’ benefits, Social Security benefits, Medicare and Medicaid programs, Health Care systems, and private medical insurance systems. For example, synthetic identities have been used to obtain health insurance policies from private insurance companies. Also concerning is the potential use of fake synthetic identities by terrorist groups to launder money through established government financial systems and/or cryptocurrencies. The laundered money can fund terrorists for living expenses, safe houses, renting cars, international travel, and purchasing restricted goods.
Fraudulent identity profiles have also been found in the mortgage process, auto insurance claims, staged accident schemes, schemes involving the IRS, Small Business Administration, FEMA, and other government entities. Within the health care industry, the government is encouraging the digitalization of medical records, and these records are based on the PII of patient. This creates more opportunities for the theft of PII.
Anyone’s Social Security number can be stolen, but certain demographic groups are specifically targeted. SSANs of minors are more likely to be stolen because the younger a child is, the longer the fraudulent identity can be used. The SSANs of elderly people, college students, and indigent people are also targeted. The fraudsters have been known to solicit financially destitute people to buy their identity.
Synthetic Identity Fraud is a Worldwide Problem
In 2017, the World Bank released a study concluding that more than 1.1 billion people in the world lack access to vital government services because they are unable to prove their identity. The World Bank Group’s Identification for Development (ID4D) initiative launched a High Level Advisory Council to advance the realization of robust, inclusive and responsible digital identification systems as a sustainable development priority.
The United States Federal Deposit Insurance Corporation (FDIC) recently estimates there are 10 million unbanked or underbanked households in the country. The FDIC defines unbanked as those adults without an account at a bank or other financial institution and are considered to be outside the mainstream for one reason or another. Many people are squeezed out of normal banking systems because of poor credit. Others choose not to participate in government systems to avoid regulation, oversight, and excessive fees.
Why is This a Concern for Blockchain Technology?
The World Bank ID4D recommends efforts to provide reliable digital identities to 1.1 billion people who want to participate in the economy, but lack provable identities. Similarly, unbanked people choosing to use alternative financial instruments, think cryptocurrencies, also desire a safe and reliable system to conduct financial transactions.
Blockchain technology is envisioned as the record keeping system for new digital identities and/or established identities. And it may be safe to assume that the immutable Blockchain distributed ledger can make it more difficult to use a stolen identity. But vexing questions continue to appear: Prior to the adoption of a Blockchain ecosystem, could a criminal or terrorist form a fake Synthetic identity only to be added to the Blockchain ledger? If so, the Blockchain may then become a hiding place for persons intent on doing harm.
Also, once a permissioned Blockchain system is formed with approved participants, could a synthetic identity be formed to impersonate a participant? If so, could a fake participant cause harm to the information being added to the Blockchain?
These possibilities may not be surprising to persons who use ledgers for normal accounting and business purposes. The ledgers can accurately record numbers and information. As accountants and auditors will certainly attest, ledgers can also accurately record falsified information. The ledger system cannot guarantee the integrity of the information before entries are made, and neither can Blockchain. Only people can determine the integrity of other people.
Mitigating Synthetic Identity Theft:
Synthetic Identity Theft schemes can defeat known preventative measures such as credit checks, locking down credit, changing passwords, two-factor authentication because the schemes do not necessarily involve obtaining credit. The fight against Synthetic Identity Theft will be waged by combining known preventative measures with improved Artificial Intelligence (AI) to study behavior, and Biometric verification, such as voice, face, fingerprints, and DNA to verify the identity of actual persons. As such, maintaining a balance between Security and Privacy will always present challenges.
Conclusion: The intention of raising these issues Synthetic Identity theft is not to discredit the Blockchain infrastructure. Instead, and just like any other new technology, it is imperative to understand risk factors as the technology is developed and implemented. Identifying and understanding risk factors should result in strong measures to mitigate the risks. Blockchain developers and end users will certainly need to develop and improve counter-measures to mitigate Synthetic Identity Theft threat vectors.