Ghosts in the Credit System Machine
A low and slow means of fraud is costing banks hundreds of millions of dollars in losses typified by a frustrating game where investigators are literally chasing shadows in an effort to collect debt from individuals who don’t really exist.
Criminals with time, resources, and patience are cashing out after using existing or unassigned Social Security or credit profile numbers (CPNs) to create fraudulent credit profiles and slowly build up credit–and debt–in those accounts.
“It’s not a quick form of fraud,” said Ian Gray, cyber intelligence analyst at Flashpoint. “It’s slow and requires a certain amount of work, but if you’re able to build up $15,000 in credit tied to a Social Security number, it will benefit you [as a criminal].”
Noteworthy is recent activity on popular cybercrime forums advertising the availability of ghost profiles, which Gray said could be just a rebranding of a relatively new label given to this type of fraud called synthetic identity theft. Ghost profiles are established using real Social Security numbers, likely belonging to adolescents or elderly people who are less likely to have active credit profiles. It’s unknown how criminals are in possession of the SSNs, especially unassigned numbers created by the Social Security Administration.
Massive Debt Belonging to Non-Existent Individuals
Synthetic identity theft and the creation or purchase of ghost profiles is a departure for criminals proficient in identity theft, who have for years purchased personally identifiable information stolen in breaches, including payment card data, from Deep & Dark Web (DDW) markets.
“This is likely reserved for more experienced cybercriminals, who would be required to maintain the account for a time until it’s profitable,” Gray said. “They would have to be knowledgeable in fraudulent schemes like this and the ancillary things necessary to make it viable. You would have to know how to build up credit with these accounts. I’m not sure a criminal with lesser sophistication would have the savvy to execute this.”
A recent Wall Street Journal article said that consumer credit reporting agency TransUnion estimates that last year alone, $355 million in outstanding credit card balances are linked to non-existent individuals. Banks, meanwhile, have extended credit to millions of synthetic identities, the Journal reported. Forbes, for its part, reported that analysts believe 5 percent of uncollected debt and 20 percent of credit losses, may be linked to synthetic identity theft.
KYC Standards Falling Down
Synthetic identity theft may have also exposed a glaring gap in the credit industry around Know Your Customer (KYC) security standards which require that individuals present several forms of identification upon opening accounts or lines of credit. Excessive trust and lax KYC standards allow criminals to get away with a certain amount of fraud, analysts said.
The growing interest in ghost profiles and synthetic identity theft could also be a reaction to the success of robust fraud-detection systems which are adept and proficient at spotting stolen PII and phony identities created with breached data, for example.
Ghost profiles differ from types of fraud where credit profile numbers are used. CPNs are nine-digit identifiers, issued for example to high profile individuals such as celebrities as an alternative to their Social Security number. Fraudsters use them in order to avoid triggering delinquency alerts, for example but get away with it if banks and credit bureaus fail to verify and therefore allow for the creation of a new credit profile. In both schemes, the criminal builds up credit history on that profile, amasses thousands in debt and lenders are unable to collect.
Flashpoint analysts, meanwhile, remain unclear on the recent spike in interest in ghost profiles on underground crime forums, especially since last summer’s AlphaBay shutdown. They assess, however, that buyers have enough interest in them, and actors will continue to advertise their availability.
Michael Mimoso brings over a decade of experience in IT security news reporting to Flashpoint. As Editorial Director, he collaborates with marketing, analyst, and leadership teams to share the company’s story. Prior to Flashpoint, Mike was as an Editor of Threatpost, where he covered security issues and cybercrime affecting businesses and end-users.
Prior to joining Threatpost, Mike was Editorial Director of the Security Media Group at TechTarget and Editor of Information Security magazine where he won several ASBPE national and regional writing awards. In addition, Information Security was a two-time finalist for national magazine of the year. He has been writing for business-to-business IT publications for 11 years, with a primary focus on information security.
Earlier in his career, Mike was an editor and reporter at several Boston-area newspapers. He holds a bachelor’s degree from Stonehill College in North Easton, Massachusetts.