Fraud and data breaches have always had a close, if destructive, relationship. As the US transitioned to hard-to-counterfeit EMV payment card technology several years ago, criminals flocked to card not present (CNP) fraud, often combining identity fragments and card numbers stolen in breaches to make illicit purchases online. Five years later, data breaches and downstream fraud continue their symbiotic relationship, with a steady increase in synthetic identity fraud.
Financing Cars with Synthetic Identities
It’s true: synthetic identities have become a major method for perpetrating auto lending fraud. Criminals are using parts of both fabricated and real identities (mined directly, or stolen during data breaches and purchased off the Dark Web) to create synthetic identities, which in turn are used to secure auto loans or other financial products. Synthetic identities can also be cultivated over time by various means, such as a legitimate cardholder getting an additional card for a person who does not exist, a process also known as “pollination.”
In the case of auto fraud, once a synthetic fraudster has possession of the new vehicle, they will often ship it overseas and immediately abandon any loan payment obligations. The fact that auto lending synthetic fraud has been increasing — it is up 500% since 2011 — is an indication that many of the synthetic identities pollinated or otherwise created years ago, and cultivated to appear credit-worthy, are moving into the bust-out phase.
Today’s Data Breach Is Tomorrow's Fraud
I recently talked about synthetic auto loan fraud with executives from Santander Bank and GM Financial at the AFSA Vehicle Finance Conference, on a panel discussion about cybersecurity and third-party risk management (TPRM). Synthetic identity fraud provides a vivid illustration of the evolving continuum of cybersecurity and fraud: Party A’s data breach today (facilitated by poor cybersecurity defenses) becomes Party B’s synthetic identity fraud tomorrow. In the auto lending industry, most cases involve a multi-step process between one party’s data breach and another’s fraud. Sometimes these parties are business partners operating in the same automotive ecosystem.
In dollar terms, synthetic loan fraud comprises about $600 million of the $1.2 trillion in outstanding auto loans. That’s a small proportion overall, but still a significant number in terms of fraud losses.
An Empirical Tool to Gauge Third-Party Risk
Synthetic identity fraud is a sobering outcome of the unknown, and largely uncontrolled, cyber risk exposure companies face from the partners they do business with. Addressing it requires effective third-party risk management (TPRM), starting with a baseline measurement of business partners’ cyber risk.
The FICO® Cyber Risk Score is an ideal empirical tool to measure and monitor third-party risk exposure at any scale. FICO enterprise customers are using the Cyber Risk Score to continuously measure the third-party cyber risk posed by tens of thousands of partners (and more) they do business with.
TPRM is a big theme for FICO and the entire enterprise cybersecurity industry, because companies recognize that while their own cybersecurity defenses may be strong, those of the third and fourth parties (vendors of vendors) they connect with may not. PwC, which, along with Deloitte, KPMG and McKinsey, has a major TPRM practice, sums up the business imperative:
“In a business landscape loaded with potential pitfalls like cyber threats … that result in supply chain disruption, making sure your partners are following appropriate procedures is vital and will enable you to avoid risks and reputation damage.”
Using the FICO Cyber Risk Score to empirically assess third-party cyber risk is a critical first step.
In addition to helping organizations recognize and measure cybersecurity risk, for themselves and for their extended supply chain, FICO is an industry leader in fraud detection and prevention technologies. For more information on the mechanics of synthetic identity fraud, please download our Synthetic Identity e-book.
Follow me on Twitter @dougoclare for the latest developments in TPRM and the FICO Cyber Risk Score.