Editor’s note: Matt Botti is director of product management at marketing technology and services firm Acxiom, Conway, Ark. This is an edited version of a post that originally appeared here under the title, “Don’t get Frankensteined: Two ways organizations can prevent synthetic fraud.”
Frankenstein’s monster made its debut in Mary Shelley’s classic 19th century novel. Today’s fraudsters are inventing their own monsters through data pieced together from many sources.
Increasingly, fraudsters are combining real and fictitious consumer data to create false identities – synthetic identities – to commit fraud. In this scenario, fraudsters combine one true piece of identity with fake information; or they piece a Social Security number (SSN) from here, a former address from there and a monster (a synthetic or fictitious identity) is born – one that can wreak havoc on your organization by interacting with your business in a number of ways that expose your organization to risk and loss if not addressed.
For example, in the health care industry, stealing patients’ identities is lucrative. Medical records are worth more to crooks than credit card numbers. They contain more information and can be used to obtain prescriptions for controlled drugs. Or, in financial services, fraudsters might apply for credit card accounts using “scraps” (a name, a SSN, etc.) of stolen identities.
It is estimated that synthetic identity theft resulted in at least $6 billion in losses to banks in 2016 alone.
Before the holidays, I first addressed cyber fraud prevention in this blog. Today, I’d like to deepen that conversation. Here are two ways to innovate in cyber fraud prevention and detection, tearing apart those monsters before they come to life.
1. Validate existence and establish a confidence score.
Establishing and maintaining a trust-based relationship with a customer is foundational. How do organizations do this? How can organizations determine the likelihood that a SSN represents a real person and not Frankenstein’s monster?
First, you need to validate that the person exists in the real world and has been seen as a customer over time. By using entity resolution technology you can determine if a SSN has been seen in the past.
Next, you can use data element scoring algorithms to establish a confidence score about the SSN – this number indicates how confident you can be, based on the data, that this person is who they say they are. There are three tiers to this analysis:
- validity of SSN (numerically valid, not deceased, etc.);
- relationship of the SSN to an individual; and
- relationship of a person to the SSN.
If the confidence level does not raise any alarms, then you can let the customer proceed. However, if there are signals of synthetic identity, then you should introduce friction such as the knowledge-based authentication exam strategy.
2. Use first-party data in your knowledge-based authenticationexams.
I’d like to suggest a new twist on an old fraud prevention strategy, and that’s the introduction of first-party data – your own customer data – into your knowledge-based authentication exams. Think of it as a modern Q&A test that uses your customer information, which may include names, addresses, phone numbers, Web site data and information about products purchased. First-party data represents a huge opportunity for your organization to be more current, real-time and relevant.
The general rule of thumb is this: you don’t want to disenfranchise (annoy, irritate, disgust) your customer – you want them to still like your organization by the end of the “exam.” You want them to feel protected (against fraud) by you, not hassled and prevented from conducting business with you.
While synthetic identities can blend into the general population, the use of first-party data from your organization has the power to introduce knowledge that the fraudster will find more difficult to obtain. And, this first-party data represents information that is more personal, fresh and top-of-mind for your customers so they don’t have to think super hard about it.
For example, you can use first-party data to ask specific, fact-based questions:
- When was your last trip on our airline?
- What was your last purchase at our store?
- Where was your last hotel stay with our organization?
Not many brands are using this approach today; however, it’s much more relevant than questions such as: What was your home address 20 years ago? These questions force the customer to think really hard and introduce a high level of friction that, as I said before, organizations should avoid when possible.
By using first-party data, your knowledge-based authentication exam questions can reach beyond the easy and the familiar, the low-hanging fruit that even fraudsters can grab. When brands use first-party data in their knowledge-based authentication, they empower their own strategies.
There are ways to prevent Frankenstein’s monster from getting up off that table and walking through the digital doors of your organization. Start today.