a16z Podcast - a16z Podcast: Stories from the Frontlines of Synthetic Fraud
Episode Date: June 25, 2019Synthetic fraud—yes, it's a thing: a new evolution of consumer fraud that’s been emerging in financial services, to the tune of $1-$2B a year. In this episode of the a16z Podcast, Naftali Harris, ...co-founder and CEO of Sentilink, which builds technology to detect and stop synthetic fraud, talks with a16z's Hanne Tidnam and operating partner for information security Joel de la Garza all about what this new kind of fraud is. Where did this new form of fraud come from, and why is it on the rise? Who are true victims here (hint: it's not the Joneses... or maybe it is!). And what is the fundamental security issue really at the heart of it all? The conversation covers the fascinating life cycle of this long con: how these “synthetic” identities get made, incubated, and finally busted out… and some of the wildest stories (and art of storytelling!) behind the strangest fraud rings we've seen. The views expressed here are those of the individual AH Capital Management, L.L.C. (“a16z”) personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation. This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments and certain publicly traded cryptocurrencies/ digital assets for which the issuer has not provided permission for a16z to disclose publicly) is available at https://a16z.com/investments/. Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Past performance is not indicative of future results. The content speaks only as of the date indicated. Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Please see https://a16z.com/disclosures for additional important information. Where did this new form of fraud come from, and why is it on the rise? Who are true victims here (hint: it's not the Joneses... or maybe it is!). And what is the fundamental security issue really at the heart of it all? The conversation covers the fascinating life cycle of this long con: how these “synthetic” identities get made, incubated, and finally busted out… and some of the wildest stories (and art of storytelling!) behind the strangest fraud rings we've seen.
Transcript
Discussion (0)
The content here is for informational purposes only, should not be taken as legal business tax
or investment advice or be used to evaluate any investment or security and is not directed
at any investors or potential investors in any A16Z fund. For more details, please see A16Z.com
slash disclosures.
Hi, and welcome to the A16Z podcast. I'm Hannah, and this episode is all about synthetic
fraud, a new evolution of consumer fraud that's emerging in financial services to the tune of
$1 to $2 billion a year. In this episode, Neftali Harris, co-founder and CEO of Centilink,
which builds technology to detect and stop synthetic fraud, talks to me an A16Z operating partner
for information security, Joel de la Garza all about what this new kind of fraud is,
including the life cycle of this long con, how these synthetic identities get made, incubated,
and finally busted out, and some of the wildest stories behind the strange fraud rings he's seen.
We also touch on why this new fraud is on the rise, who the true victims are, and at the end of the day, what the foundational security issue at the heart of it all truly is.
We're here to talk about synthetic fraud, which I have to confess I didn't even know what that really meant when we first started talking about it.
What does synthetic fraud even mean?
Almost no one hears about it in the public outside of financial services industry.
I hope that neither of you have been the victim of identity theft.
I have.
Okay.
I'm sorry to hear that.
Yeah. And if you haven't, you probably know someone that has been. Right. And so the general public is very aware of identity theft because there's that consumer victim. With identity theft, you're stealing a real person's identity. Yeah. With synthetic fraud, you're saying, forget the real person. I'm going to make up a totally fake one. And that means like fake from the very ground up. Fake from the ground up. So a fraudster will use a synthetic identity. So a made-up named date of birth and SSM combination in order to open up an account with a bank or get a loan from a bank.
bank. The key thing here is that there's no one record, there's no one, one actual person
that it all belongs to. And then what they'll be able to do is actually acquire quite a bit
of credit, take out a lot of loans, usually a few tens of thousands of dollars from every
major bank and lender, and then use that to get a lot of money and not repay any of it.
How prevalent is this kind of fraud in the industry? I mean, how much is this happening versus
like we all hear about identity theft all the time? So this is one of the super interesting things.
So we've added up the losses across the industry, and within lending, it's somewhere from one to two billion dollars a year of losses annually.
Wow. And how aware of it are the banks? At what point do they catch on?
That's also one of the really interesting things. Because there's no consumer victim, the banks have a really hard time figuring out which of their losses are attributable to synthetic fraud, as opposed to somebody that had a hardship or lost their job.
Oh, right. Same pattern of behavior. Exactly. With identity theft, what happens is somebody opens up an account. They get a new credit card.
They steal a lot of money from the bank, and the way the bank finds out about it is eventually the victim contacts them and says, hey, I didn't take out this credit card. This wasn't me. And they'll sign an affidavit, and then the bank will realize this was an actual victim of identity theft, as opposed to someone that just had a hardship and took out more money than they should have. And with synthetic fraud, all the bank sees is a large set of people that haven't been making payments for the loans. And they have a really hard time of figuring out which of these are people that have had some
toward of local economic challenges.
Yeah, legitimate need for the loan, basically.
Exactly.
And which of them are people that were actually defrauding them?
Synthetic fraud is a relatively newish phenomenon.
So I think it's something that's kind of grown up as banks have gotten better at spotting
identity theft and credit freezes and those sorts of things, it seems that that correlated
to the rise in synthetic fraud.
Identity theft used to be ridiculously simple, right?
If you think back 10 to 15 years ago, as bank fraud teams got better, they're
they got better tools to catch this kind of thing.
You had credit freezes come to effect.
It seems like the fraudsters pivoted in this direction.
Yeah, that's exactly right.
I mean, another big one actually is the rise of the EMV chip.
Oh, that is a factor in this?
Absolutely.
You know, fraudsters are committing fraud as a business.
And what they do is they gravitate towards channels, so to speak, that are profitable
for them.
And it used to be you can make a lot of money doing card skimming.
The EMV chip made that a lot harder.
So you saw a lot of fraud move online to card not present fraud.
so people stealing credit cards online.
There's been a lot of great technology that's arisen there recently,
which has made that harder to do.
Still certainly happens, as we all know.
And then a lot of progress towards identity theft,
and that's gotten harder.
And so they're moving on to synthetic fraud,
which is very challenging for banks and letters to detect
and quite lucrative for the fraudster.
But can we just go back to that moment of opening the account?
Why is it so hard to verify an actual birthday
against an actual name against an actual SSN?
Like, if those things are not matching, why is that initial moment not the place to catch it?
So what most people don't realize is that financial institutions, so banks and lenders,
do not have a list of all named data birth and SSN combinations in the United States.
A lot of people think that the credit bureaus have this list, you know,
Experian, Equifax and TransUnion, and they don't have it either.
Essentially, the banks and lenders believe, certainly until recently, had believed that the
three credit bureaus had lists of all named data birth and SSN combination.
So everybody's thought somebody else was doing it?
Exactly.
That's absurd.
That's quite funny, actually.
And this is the way that fraudsters actually create these synthetic identities.
If you apply for credit with a named data birth and SSN repeatedly, the credit bureaus will
believe that it's a real person and they'll create a record for this totally fake person.
Because they're only tracking the applications.
They're not backing it up to reality.
Yeah, and they have no way of doing so.
I feel like we're giving tips to everybody in the world.
I'm like how to create.
Kids don't do this or not do this.
Exactly.
Don't do this.
It is very easy.
But that is such a gaping hole in like the information flow,
a weird blind spot that everybody else just kind of assumes that.
Yeah, it's pretty interesting.
I mean, so banks and lenders believe that the bureaus have records on everybody.
Most of the general public believes that as well.
The logic on the bureau side is essentially banks and lenders have strong,
know your customer procedures.
They're doing a great job of risk.
And so consequently they say, oh, you know, everyone's talking about John Smith. That must be a real person. But actually, nobody really knows here. And so everyone's pointing fingers at everybody else.
It seems like actually it was this gaping hole for quite a while, right? So why was there always some level of this? And then it just spiked.
I think the interesting point is sort of the actual genesis of this whole situation, which is that there is no source of truth for proofing identity. And that really lies at the center of kind of a lot.
of these issues. There's sort of a coordination and a collaboration that has to happen in between
entities that while wanting to minimize fraud, these entities are also competing with one another
in a number of different product categories. And so there isn't always a necessarily aligned
financial incentive for them to collaborate. It's always been possible. But the thing that's
really challenging about synthetic fraud is it is such a long con. It's challenging.
What do you mean by that? It's not sufficient to just make a fake identity.
Okay. You can do that and it's pretty easy. But when you do that, all you have is a person who exists on one of the bureaus or all three of them, but doesn't actually have real credit to their name. No bank is going to give them $100,000 or even $10,000. Right. So it's like me when I first got out of college or whatever. Yeah. It's like when you first entered their credit space. And so there are some fraudsters that will just try to turn through $300 cards, but there's not a ton of money in that. The real money that the fraudsters are pursuing is getting.
getting access to all the prime credit cards to big auto loans to huge unsecured personal loans.
And that requires building up their credit over a period of one to two years.
Get some low limit credit cards, start making a little bit of payment, build their credit.
They do it quite aggressively because they're optimizing to when can they get to that 700 plus
credit score or better.
But it does take a long time.
And I think that's the answer as to why we hadn't seen it in the past.
Because in the old days, you know, you could go steal someone's identity, open a line of credit, have access to that credit within a week, maybe even a couple days, depending on how you did the disbursement of funds.
But then sort of as people got better about reporting those things as consumers actually started to notice when lines of credit were open for them or they had credit monitoring capabilities, the response time was a lot quicker.
So you couldn't necessarily get those funds out in the amount of time.
And so this is kind of the new process that they've moved on to and to the earlier point,
like this does take some amount of time in preparation.
So creating lots of identities, going through the process of establishing credit for them over a period
of one to two years, and then getting to a cash out that in the old days you could have done
in five days to maybe a month.
So a lot more work for that same size hit.
The hit actually can be even bigger than for identity theft.
So with identity theft, you're racing against the clock because the victim will actually
notice this at some point and they will, they will say, this wasn't me. And so they go back
to the bank, they go to the lender and they say, stop doing this. And they'll put a freeze
on their credit report and so forth. But with synthetic fraud, there's, there's no race for the
clock. There's no one who's watching for this. There's no one that, uh, that, uh, that is
going to notice this, uh, until they stop making payments. Yeah, are you seeing the synthetic
fraudsters actually make payments? Oh, absolutely. Absolutely. So they're, they're taking out loans.
They're making the payments.
except for the initial fraud of the identity.
They're not, the behavior is not, is not at that point doing anything wrong.
So there are three phases in the lifetime of a synthetic identity.
The first part is the creation phase.
So this is where a synthetic identity starts applying for credit a couple of times.
Oftentimes, they'll actually start with any lender that does a pull from all three credit bureaus.
So most lenders only pull from one of the three bureaus.
So TransUnion Experian and Equifax.
but when you first create a synthetic identity, you want to get that synthetic ID to have credit
records on all three of the major bureaus.
So one of the things that we see synthetic identities doing is initially the first place
that they'll apply for credit is anywhere that does a tri-bureau pull that pulls from all three
of the major bureaus.
Because they want immediately to disperse that information.
Exactly.
Okay.
So in this creation phase of the synthetic identities life, they will apply for credit at places
that do tribe bureau polls. They'll sign the synthetic identities up for an email address and for a phone
number. So it's really, it's becoming like a real identity almost in a lot of dimensions.
They'll sign them up for social media accounts. So get them a Facebook or even better as a LinkedIn or a
Twitter. The reason being that later on, a fraud investigator is going to be looking for this person
and this gives them a little bit more legitimacy. That is so much, that's so much attention paid at that
early phase. Absolutely. So one of the things that we've, we noticed with a lot of the fraud rings,
the traditional fraud rings, was a tremendous amount of technical sophistication. So highly automated,
really well, a really deep understanding of not just the fraud controls, but the entire technical
stack. With this kind of fraud, it seems very manual. It seems very kind of almost like an artisanal
form of fraud. Yeah, it's like a bespoke, like you literally create these lives. Absolutely.
cloth. So, okay, so that is. So that's phase one. The birth. The birth of the, the birth. The birth. The birth. The birth. The birth of the fake person. Yeah. Exactly. So then in phase two, that's the buildup phase. This is where it takes one to two years. And in this phase, the synthetic identity is acquiring credit as quickly as I can. So often this means getting small credit cards, introductory credit cards, and actually making oftentimes the minimum payments, but anything that shows this person has a good repayment.
history. Now, when eventually down the road, this is discovered and people are presumably going back
to figure out, can you start tracing those payments when you look back and start understanding
where that money comes from and have like understanding into the fraud from that route?
Well, those payments often come from bank accounts in the names of the synthetic identities.
Isn't there a point when you open the bank account where you need more than those three pieces of
information? You're supposed to collect four. It's actually technically named.
data birth, SSN, and address.
Okay.
It's called the customer identification program.
And you're supposed to verify these things in a number of different ways, but because
there's simply no way of doing it, a lot of times, you know, people say, oh, they have
a credit record that's sort of sufficient.
You know, most of the account opening anti-fraud stuff people do is focused on identity
theft, which has traditionally been the big account opening from a fraud.
So for account opening, if you want to prevent identity theft, what you're doing is.
doing is trying to see whether the person submitting the application is the same as the identity
that they're using to apply for credit. So as an example, if you see John Smith apply for credit
using Naftali Harris at gmail.com as their email address. Problem. Yeah, problem. Exactly. It's
probably not John Smith doing it. It's probably Naftali Harris. But if you see John Smith applying for
credit with John Smith at gmail.com, then it looks fine. Yeah. But what if it's actually
Naftali Harris that made John Smith and made John Smith at GMA.com.
Let's go back to the life cycle.
So we talked about the birth.
Then we talked about the like development.
The incubation.
Where is the moment where they die?
So that's every foster's favorite part of the life cycle.
It's the bust out.
Once you have a synthetic identity that has been making payments, which has gotten access
to higher credit lines.
So at the end of that incubation period, the synthetic ID has a credit score over 700 or 750 plus or even I've seen in the 800s.
Yeah. They look great. Yeah. And at this point, every bank and lender, especially in today's
low rate environment, wants to throw as much money at them as they can. Right. And so in the
bust out phase, fraudsters acquire as much credit as they possibly can. They max out any credit
card they've had. And all of a sudden, they just stop making payments. They go from your model
customer to your worst one. They stop paying their loans. And then what happens next?
So someone stopped making payments, and so the bank starts pushing them through their collections process.
So somebody starts calling.
Yeah, it's usually it's a polite email.
Yeah.
Hey, John Smith.
Right.
Notice you missed your payment.
Could you please do that as soon as you can?
Yeah.
And then that becomes a little bit more stringent, and then it starts paying phone calls.
In some cases, the fraudsters will ignore it completely and vanish from the face of the earth.
Yeah.
And in that case, it's uncollectable.
Right.
In other cases, they'll pick up the phone and they'll say, oh, I'm really sorry I couldn't make payments. I lost my job. I had a hardship. Someone in my family got ill. I can't make payments right now. And they buy some time. And they buy some time. And eventually the loan gets charged off.
Why does this not at that moment trigger when you suddenly, your behavior suddenly changes and you take a big loan? You know, there are all sorts of legitimate reasons for that kind of sudden big loan.
But why is that not automatically getting flagged just for a little check at that point?
To the earlier point, right, there's a very big interest to grow your creditor base,
to grow the base of people you're loaning money to.
And in that process, friction is generally found upon, right?
It's a risk determination.
Some of these organizations, they've built risk models that feel comfortable enough about the validity of this identity,
and they make kind of the business decision to take a risk on extending credit to them.
and it's probably one of those things where they need to make some adjustments to that risk model.
So I'd say that there's probably some perfectly rational process-driven reason why this is happening.
Fraud, like most of these kinds of criminal enterprises, are very much games of cat and mouse.
And this is just sort of the mouse finding a way around the cat in this instance.
So where in the life cycle do you guys try and intervene?
Like how do you look at this life cycle and where do you think is the weak point and with what kind of tools?
The places where they really are experts are on the U.S. credit system, they understand that very deeply, honestly better than probably a lot of people who have that as their careers.
You know, they know who does a Tribunal credit poll. They know how to get through the KIC processes at different organizations.
They know who is weak at the beginning. And so at a high level, the way we actually solve this problem is we have a team of risk analysts that manually review transactions looking for fraud.
investigating cases, deeply trying to understand individual fraud transactions and understanding what is new in the fraud world.
And then on the other hand, we have a sister team of technologists, so engineers, machine learning engineers, data scientists who are taking the insights and the labels from the risk operations team and using those to build productionized machine learning models that actually can detect this sort of fraud in real time.
It almost sounds like a detective agency on one side and then like building the tech on top of the knowledge.
So, I mean, a lot of the tech is based on the fact that we understand synthetic fraud
extremely well.
Different kinds of products naturally fall in one or different parts.
So like a high limit rewards credit card from a top 10 card issuer, those will tend to get
hit towards the end of that process a little bit before the bust out.
And so in that case, you have more history through which to actually identify an application
as synthetic.
Right.
But we also work with card issuers that are trying to.
give cards to immigrants or to young people, even as early as in college. And there we're really
playing at sort of the very beginning during phase one or the very beginning of phase two to differentiate
between those real people and those fake people. A big thing that we do is around clustering,
connecting together applications that come from the same fraud ring. So for this form of
synthetic fraud, most of it comes from organized crime rings. And, you know, $100,000 per identity
is great. But if you want to make a business out of it, the fraudsters are a lot more ambitious.
And so they make a number of these different synthetic identities and incubate all of them at the
same time. Oh my gosh, it sounds like the Matrix. Yeah, it's a lot of fake people. We've seen them
be so ambitious as to actually make families. So they'll have like a mother. But only a families
of lendable ages. Exactly. So they'll be like a mother and father. So have the same last
name with birthdays that are a couple years apart, and they'll have like five kids, all of them
are in their early 20s or something like that. Address history that shared at different points,
and they tried to make the ages staggered and stuff like that. It's like scripting a story.
So you've seen that more than once? We've seen a number of such families, quote unquote,
created. Internally, we call it the Keeping Up with the Jones's approach, because the first time we
saw this, the last name was Jones. You know, a family that commits fraud together still.
together. We need like a symbol, but on, butch. Thank you. I'll be here all week. I was going to
suggest we call this a fraudcast. Another good one. So what are some of the other types of fraud rings
that you guys see? We oftentimes see alleged people that have no relationship with each other who are
sharing address history at some point. And it's really interesting what causes that. So one reason this
happens is that a fraudster will oftentimes reuse the same address, or for that matter,
the same phone number or email address if they're lazy. But during the incubation period,
one of the ways in which Frosters boost up someone's credit quite a bit is by purchasing
authorized user trade lines. That's when you give a credit card to your spouse or one of your
kids. So like when you're younger, sometimes your parents will give you a credit card.
The credit card actually is in the name of your parents and they're the ones that are actually
responsible for making the payments. But what a lot of people don't realize is that that credit card
will oftentimes show up on the recipient's credit report. So if you're a kid and your parent gives you
a credit card, which they're responsible for, it'll end up on your credit report. And that's sort of
what all the major card issuers had historically thought was the point of having an authorized user
card. It's to usually within a family or, you know, at most friends or maybe employees or something
like that. But actually, you'll find hundreds of these, hundreds of these marketplaces that let
you purchase or sell a high limit credit card that you have. And that's legitimate? It's not,
but it is, as far as I know, legal. Whoa. So you sell your ability to borrow to somebody else?
I mean, it sounds like such a bad idea. The recipient won't actually get the card. The card will show up
on their credit report, but the card actually won't get sent to them. And the purpose of it
actually is essentially credit score arbitrage. If you have a high limit $20,000 credit card
that you've had since 2005, it looks really good when it shows up on somebody else's credit
report. And they're willing to pay for it. So fraudsters who are very prolific about buying
and selling these authorized user cards will oftentimes have shared addresses. And the reason
the addresses are shared, is that multiple of these synthetic identities at one point or another
bought the same authorized user credit card. Our technology can detect this and realize that
these people, 50 of them throughout the United States, who should have no relationship to each
other, nonetheless have shared history. What's the weirdest thing you've seen besides the Joneses?
So we saw one case where the fraudster actually had taken two different, totally different people
and matched their identities together
and one of the identities
that was matched together
was someone that was actually in prison
for murder
so that person
if they ever get out
might be pretty upset about this
So it's like half identity fraud
half synthetic like a kind of weird
Hollywood mashup
like you take two movies
and slice them together
with lazy storytelling
basically.
One that I thought was
just really amusing
and we saw a fraud ring
that had so many identities in it
that the way
way they kept track of who, which identity had which SSN is actually included the last four of
the SSN in the email addresses of the synthetic identities. So lots of people have, you know,
Naftali Harris and then month day at Gmail.com or a lot of people have, you know, Naftali Harris,
year of birth at gmail.com. These fraudsters actually use Naftali Harris, last four of SSN
at Gmail. Wow. And they did this for all several hundred of their identity.
So that was an immediate first signal.
Yeah, essentially the identities all looked very cookie cutter to us.
As though somebody was following directions for how to create a synthetic identity.
They had something that worked.
They all used the same original institution as their first inquiry.
They all were structured the same way.
They all had first name, last name, last four of SSN at g-emil.com was the one that they used.
Everything about them was sort of similar, even though none of the information
was overlapping in that case.
So, you know, when we looked at this,
people used the SSN4 in their email address.
Almost everyone who did that was fraudulent,
but there were some that were not.
Right.
And some people just didn't realize
that you're not supposed to put the last four of your SSN
in your email address.
I think most of us realize that,
but, you know, some people don't.
Yeah, that's another tip for our listeners
if you're doing that change your email right now.
So you look for patterns,
you look for clustering.
Are there other Hallmark?
that you look for that you guys are paying attention to?
It's a lot around the consistency of the history.
Synthetic identities have histories that are not really cohesive.
So we'll do things like look at state-by-state migration patterns.
So it's pretty common for people to move from Florida to Georgia.
It's a lot less common for people to move from Florida to Alaska.
Obviously, it does happen.
And apologies to whoever's listening and did just that.
But statistically, there are certain patterns that are
more or less likely. So we'll look at when SSNs were issued and then when and where those were
issued and see if they match up with someone's actual credit history. We'll look at where they've
been moving, how fast that's happening. It's pretty rare for someone to be in a, have a residential
home in a new state every, you know, one or two months, just not very frequent. So we'll look for a
lot of things around cohesiveness of the identity. And weird outliers. Weird outliers.
I think there's a really interesting salient point here that's being made, which is that kind of the first two generations of large-scale consumer fraud were mostly about technical weaknesses, underlying technology weaknesses, lack of two-factor authentication, inability to secure endpoints, right?
It was very kind of software-driven or computer breach driven.
This is actually a business process hack or a hack of sort of existing broken business process.
Yeah.
You know, essentially it's social engineering.
at scale. So in some ways it sounds terrible to say, but it kind of feels a little bit like a
victimless crime because you're not stealing money from another person. You're stealing it from
this like institution. The funny thing about that is. I know that's not true. Having worked at institutions
that had lots of things attempted to be stolen from them. Yeah. Like can you talk about how that impacts
the whole? Yeah, absolutely right. Losses of these nature, of this nature go directly against the
bottom line of the corporation, right? So this is, you know, losses like these translate directly
into the financial performance of the stock. And these are the kinds of things that shareholders
and board members and anyone with the fiduciary responsibility that they want to tackle
as quickly as possible, because reducing losses in these kinds of categories can translate
into meaningful movement of stock, especially if you're talking about a billion to two billion
dollars, right? That's not trivial. So usually the way that these starts to materialize is that
This will translate into higher costs associated with borrowing for legitimate customers.
So these expenses, they're not going to get eaten by the corporation.
They're going to get probably pushed out in the forms of new fees or higher interest rates to people opening new accounts.
It's going to translate probably into more internal controls, more expense on the back end to start validating some of these transactions to do more verification.
And we're going to pay for it.
And it's going to be maybe a tenth of a percent, maybe a fifth of a percent.
but it's going to start to drive up costs of borrowing for consumers.
That's usually where it turns out.
There's actually two other sorts of ways in which certain groups are victims.
So one of them is that synthetic identities look like people that are new to credit.
And those populations, the legitimate populations there are often young people and immigrants.
Oh, so it's making it harder for all the people who need credit the most.
Exactly.
Yeah.
So it makes banks a lot less comfortable lending to immigrants and a lot less comfortable lending to immigrants
and a lot less comfortable lending to young people or even just people that decided they didn't
need credit for a long time.
A lot of money will say, I have no reason I should get a credit card and get trapped in debt
until they decide they might want a mortgage.
And it makes it harder for those kinds of people to acquire credit because they look like
they might be not a real person.
We did a podcast before about sort of different areas of cybercrime and different geographic
concentrations of different kinds of fraud.
Is there a geographic concentration or is there a type of fraudster that tends to gravitate
towards this kind of fraud?
Yeah, a lot of this form of fraud is geographically concentrated.
So we see a lot from Southern California, a lot nowadays from the Atlanta region, a lot from South Florida.
And is that just because people get good at it?
And then the organization gets bigger?
Or they're telling their friends.
It's like Amway or something.
Yeah.
A lot of it is organized crime.
Typically the way we've seen these illicit criminal industries develop is that they start off as sort of what you could think of as sort of like familial clusters, right?
groups of small groups of individuals that figure out a neat trick, share it among a couple
friends, perhaps locally, which is why you're seeing that concentration, concentration.
Right. And then that information gets distributed more broadly and other more professionalized
career type criminals start to move in and in industry develops. You'll get sort of a one-stop
shop, right, a group of individuals that do soup to nuts, this kind of fraud. Specific tasks now
will start to get broken up. So you'll be able to probably go by these identities in the
dark web, there's probably places that are actually farming them, developing them, and then
selling them to other parts of the organization. And then you'll get specific groups that are
focusing on kind of the bust out rings and those sorts of things. The industrialization of
synthetic fraud. I would suspect that we're either in that phase or we're moving towards
it. We're seeing sort of that hockey stick growth of a new industry, right? And it's just
kind of the criminal variant of it. And so as that starts to ramp up, it's going to be interesting.
So I am not aware of any large scale arrests of people involved in this kind of
activity. I'm interested if you know if like any of the regulators have said anything about
synthetic fraud or are interested in looking at it. You know, that's one of the really
interesting things. Synthetic fraud right now is a huge money laundering issue, but a totally
underappreciated one. If you look at the regulations around KYC, so specifically the laws that
require this, they really contemplated identity thefts and did not contemplate synthetic fraud
almost at all. Everyone's assumption for a really long time has been that identities that are used
to apply for credit are real. And as we've discovered over the last couple years, that's really not
the case. So the banks are starting to understand it and noticing it and getting new tools to try
and notice it. When the banks catch this and they stop it, do they then alert the authorities? Do people
try and pursue this at all? No, the first instinct of banks is to try to have it not happen again.
and they're not quite as focused on having law enforcement step in and apprehend the people doing it.
What would be the tipping point for that to have to happen if it becomes this big industrialized?
So it's dollars, right? Arrests typically happen towards the end of the life cycle of something like this.
And so as it gets professionalized, as you see kind of the industrialization of this sort of activity,
regulators will start to notice, you know, law enforcement will start to notice they may have already,
there may already be active investigations, we don't know, but they'll start to kind of move against
these sorts of organizations as large-scale criminal organizations that are engaged in things
that, you know, maybe drugs, maybe terrorism could be things that are life-threatening.
You know, they're always looking for new conduits for money laundering.
So sometimes what happens is that money or some of that activity will find its way into
some of these channels is a way to clean and rinse some of these funds. And that'll also
draw the attention of law enforcement. And then you really have to pay attention to where
interesting. You don't necessarily see criminals from other forms of crime moving into this
sort of crime. So you won't see racketeers or you won't see narcotics traffickers like quitting
their day jobs and deciding to do synthetic fraud. It's the specialists. Exactly. But they will,
they will sort of, you know, give money to people to run it through these systems to clean it for a
fee, right? And that's usually where you start to see the real professionalization.
That's where it starts spreading through the criminal system.
And then you start to see the cases come and you'll see arrests made. And that's usually how
these things start to get rolled up. Are there sort of fundamentally new human behaviors that
you're noticing or is it the same fundamental criminal behavior, but just manifesting itself
in different, in new and different ways? I think that's actually a really, the really
interesting point here about all of this. And I mean, I think most of the fraud discussions and just
broadly a lot of security issues we have in general. It all comes back to that kind of earlier
discussion about like the social security number that, you know, if you look at your social security
card, it says this is not to be used for identification, right? Like this is, this number should
mean, it's almost like Monty Python, right? Like we've built all these things on something that
said, don't make me the Messiah. And we kind of did that. And then as a country, we've sort of refused
to meaningfully consider any kind of national level identity or identity management. And so
you have the proliferation of a lot of these issues. And that's that's sort of the really fascinating
thing about almost all the fraud discussions. So if there is this huge kind of foundational crack in all
these systems that we've built up, that it feels like a house of cards almost with this
missing kind of giant verification piece at the bottom, how do you get at the heart of that
problem? So I think one thing that Joel mentioned earlier was the sort of cat and mouse nature
of a lot of fraud. We want to go a step beyond that. There are many organizations,
out there, even beyond financial services that are verifying identities as part of their
business. So every major bank and lender does this, but so do online marketplaces like Lyft
or Airbnb. So do also retailers, so anyone that is taking payments. You're probably
did this a couple times even today. Yeah. And one thing that we've observed is that these
organizations with respect to customer identification don't really work together, despite the fact
that it's fundamentally the same problem they're solving, like figure out if someone is who
they say they are and if they actually exist. All these organizations are fighting the same fraudsters
and they're verifying the same 300 million Americans. So the way this really should work is
the government should step in and make a sort of national ID, I think, to really solve this.
One that does have printed on it. You should use this.
There's web standards for how to do this and then, you know, cryptography has advanced quite a bit
And there are ways of doing this.
I don't think we're going to see the U.S. government
and step in and do this.
And so we're building it.
Thank you so much for joining us on the A16 and Z podcast.
My pleasure.