The a16z Show - a16z Podcast: Stories from the Frontlines of Synthetic Fraud

Episode Date: June 25, 2019

Synthetic fraud—yes, it's a thing: a new evolution of consumer fraud that’s been emerging in financial services, to the tune of $1-$2B a year. In this episode of the a16z Podcast, Naftali Harris, co-founder and CEO of Sentilink, which builds technology to detect and stop synthetic fraud, talks with a16z's Hanne Tidnam and operating partner for information security Joel de la Garza all about what this new kind of fraud is. Where did this new form of fraud come from, and why is it on the rise? Who are true victims here (hint: it's not the Joneses... or maybe it is!). And what is the fundamental security issue really at the heart of it all? The conversation covers the fascinating life cycle of this long con: how these “synthetic” identities get made, incubated, and finally busted out… and some of the wildest stories (and art of storytelling!) behind the strangest fraud rings we've seen.

Transcript
Starting point is 00:00:00 The content here is for informational purposes only, should not be taken as legal, business, tax, or investment advice, or be used to evaluate any investment or security and is not directed at any investors or potential investors in any A16Z fund. For more details, please see A16Z.com slash disclosures. Hi, and welcome to the A16Z podcast. I'm Hanne, and this episode is all about synthetic fraud, a new evolution of consumer fraud that's emerging in financial services to the tune of one to two billion dollars a year. In this episode, Naftali Harris, co-founder and CEO of Sentilink, which builds technology to detect and stop synthetic fraud, talks to me and A16Z operating partner for information security, Joel de la Garza, all about what this new kind of fraud is, including the
Starting point is 00:00:46 life cycle of this long con, how these synthetic identities get made, incubated, and finally busted out, and some of the wildest stories behind the strange fraud rings he's seen. We also touch on why this new fraud is on the rise, who the true victims are, and at the end of the day, what the foundational security issue at the heart of it all truly is. We're here to talk about synthetic fraud, which I have to confess I didn't even know what that really meant when we first started talking about it. What does synthetic fraud even mean? Almost no one hears about it in the public outside of financial services industry. I hope that neither of you have been the victim of identity theft. I have. Okay. I'm sorry to hear that. And if you haven't, you probably know someone that has been.
Starting point is 00:01:28 Right. And so the general public is very aware of identity theft because there's that consumer victim. With identity theft, you're stealing a real person's identity. Yeah. With synthetic fraud, you're saying, forget the real person. I'm going to make up a totally fake one. And that means like fake from the very ground up. Fake from the ground up.
Starting point is 00:01:45 So a fraudster will use a synthetic identity, so a made-up name, date of birth and SSN combination in order to open up an account with a bank or get a loan from a bank. The key thing here is that there's no one record, there's no one, one actual person that it all belongs to. And then what they'll be able to do is actually acquire quite a bit of credit, take out a lot of loans, usually a few tens of thousands of dollars from every major bank and lender, and then use that to get a lot of money and not repay any of it. How prevalent is this kind of fraud in the industry? I mean, how much is this happening versus like we all hear about identity theft all the time? So this is one of the super interesting things.
Starting point is 00:02:23 So we've added up the losses across the industry and within lending, it's somewhere from one to $2 billion a year of losses annually. Wow. And how aware of it are the banks? At what point do they catch on? That's also one of the really interesting things. Because there's no consumer victim, the banks have a really hard time figuring out which of their losses are attributable to synthetic fraud as opposed to somebody that had a hardship or lost their job. Oh, right. Same pattern of behavior. Exactly. With identity theft, what happens is somebody opens up an account, they get a new credit card. They steal a lot of money from the bank. And the way the bank finds out about it is eventually the victim contacts them and says, hey, I didn't take out this credit card.
Starting point is 00:03:01 This wasn't me. And they'll sign an affidavit. And then the bank will realize this was an actual victim of identity theft as opposed to someone that just had a hardship and took out more money than they should have. And with synthetic fraud, all the bank sees is a large set of people that haven't been making payments for the loans. And they have a really hard time of figuring out which of these are people that have had some sort of local economic challenges.
Starting point is 00:03:26 Yeah, legitimate need for the loan, basically. Exactly. And which of them are people that were actually defrauding them? Synthetic fraud is a relatively newish phenomenon. So I think it's something that's kind of grown up as banks have gotten better at spotting identity theft and credit freezes and those sorts of things, it seems that that correlated to the rise in synthetic fraud. Identity theft used to be ridiculously simple, right?
Starting point is 00:03:48 If you think back 10 to 15 years ago, as bank fraud teams got better, they got better tools to catch this kind of thing. You had credit freezes come to effect. It seems like the fraudsters pivoted in this direction. Yeah, that's exactly right. I mean, another big one actually is the rise of the EMV chip. Oh, that is a factor in this? Absolutely.
Starting point is 00:04:05 You know, fraudsters are committing fraud as a business. And what they do is they gravitate towards channels, so to speak, that are profitable for them. And it used to be you can make a lot of money doing card skimming. The EMV chip made that a lot harder. So you saw a lot of fraud move online to card not present fraud. So people stealing credit cards online. There's been a lot of great technology that's arisen there recently, which has made that harder to do.
Starting point is 00:04:28 Still certainly happens, as we all know. And then a lot of progress towards identity theft, and that's gotten harder. And so they're moving on to synthetic fraud, which is very challenging for banks and lenders to detect and quite lucrative for the fraudster. But can we just go back to that moment of opening the account? Why is it so hard to verify like an actual birthday against an actual name against an actual SSN? Like if those things are not matching, why is that initial moment not the place to catch it? So what most people don't realize is that financial institutions, so banks and lenders, do not have a list of all name, date of birth and SSN combinations in the United States. A lot of people think that the credit bureaus have this list, you know, Experian, Equifax and TransUnion, and they don't have it either.
Starting point is 00:05:14 Essentially, the banks and lenders believe, certainly until recently, had believed that the three credit bureaus had lists of all name, date of birth and SSN combinations. So everybody's thought somebody else was doing it. Exactly. That's absurd. It's quite funny, actually, and this is the way that fraudsters actually create these synthetic identities. If you apply for credit with a name, date of birth and SSN repeatedly, the credit bureaus will believe that it's a real person. And they'll create a record for this totally fake person. Because they're only tracking the applications.
Starting point is 00:05:45 They're not backing it up to reality. Yeah, and they have no way of doing so. I feel like we're giving tips to everybody in the world. I don't like how to create. Just do not do this. Exactly. Don't do this. But that is such a gaping hole in, like, the information flow, a weird blind spot that everybody else just kind of assumes that. Yeah, it's pretty interesting. I mean, so banks and lenders believe that the bureaus have records on everybody, mostly general public, believes that as well.
Starting point is 00:06:12 The logic on the bureau side is essentially banks and lenders have strong know-your-customer procedures, they're doing a great job of risk. And so consequently they say, oh, you know, everyone's talking about John Smith. That must be a real person, but actually nobody really knows here. And so everyone's pointing fingers at everybody else. It seems like actually it was this gaping hole for quite a while, right? So why was there always some level of this and then it just spiked? I think the interesting point is sort of the actual genesis of this whole situation, which is that there is no source of truth for proofing identity.
Starting point is 00:06:47 And that really lies at the center of kind of a lot of these issues. There's sort of a coordination and a collaboration that has to happen in between entities that while, while, you know, wanting to minimize fraud, these entities are also competing with one another in a number of different product categories. And so there isn't always a necessarily aligned financial incentive for them to collaborate. It's always been possible. But the thing that's really challenging about synthetic fraud is it is such a long con. It's challenging. What do you mean by that?
Starting point is 00:07:16 It's not sufficient to just make a fake identity. Okay. You can do that and it's pretty easy, but when you do that, all you have is a person who exists on one of the bureaus or all three of them, but doesn't actually have real credit to their name. No bank is going to give them $100,000 or even $10,000. Right. So it's like me when I first got out of college. Exactly. It's like when you first entered their credit space. And so there are some fraudsters that will just try to churn through $300 cards, but there's not a ton of money in that. The real money that the fraudsters are pursuing is getting access to all the, all the,
Starting point is 00:07:51 prime credit cards to big auto loans to huge unsecured personal loans. And that requires building up their credit over a period of one to two years. Get some low limit credit cards, start making a little bit of payment, build their credit. They do it quite aggressively because they're optimizing to when can they get to that 700 plus credit score or better. But it does take a long time. And I think that's the answer as to why we hadn't seen it in the past. Because in the old days, you know, you could you could go steal someone's identity, open a line of credit, have access to that credit within a week, maybe even a couple days, depending on how you did the disbursement of funds.
Starting point is 00:08:28 But then sort of as people got better about reporting those things, as consumers actually started to notice when lines of credit were open for them, or they had credit monitoring capabilities, the response time was a lot quicker. So you couldn't necessarily get those funds out in the amount of time. And so this is kind of the new process that they've moved on to and to the earlier point, like this does take some amount of time in preparation. So creating lots of identities, going through the process of establishing credit for them over a period of one to two years,
Starting point is 00:08:57 and then getting to a cash out that in the old days you could have done in five days to maybe a month. So a lot more work for that same size hit. The hit actually can be even bigger than for identity theft. So with identity theft, you're racing against the clock because the victim will actually notice this at some point. and they will say, this wasn't me, and so they go back to the bank, they go to the lender and they say, stop doing this, and they'll put a freeze on their credit report and so forth. But with synthetic fraud, there's no race for the clock. There's no one who's watching for this.
Starting point is 00:09:31 There's no one that is going to notice this until they stop making payments. Are you seeing the synthetic fraudsters actually make payments? Oh, absolutely. Absolutely. So they're taking out loans. They're making the payments, except for the initial, fraud of the identity. The behavior is not, is not at that point doing anything wrong. So there are three phases in the lifetime of a synthetic identity. The first part is the
Starting point is 00:09:57 creation phase. So this is where a synthetic identity starts applying for credit a couple of times. Oftentimes, they'll actually start with any lender that does a pull from all three credit bureaus. So most lenders only pull from one of the three bureaus. So TransUnion, Experian and Equifax. But when you first create a synthetic identity, you want to get that synthetic ID to have credit records on all three of the major bureaus. So one of the things that we see synthetic identities doing is initially the first place that they'll apply for credit is anywhere that does a tri-bureau pull that pulls from all three of the major bureaus. Because they want immediately to disperse that information. Exactly. Okay.
Starting point is 00:10:35 So in this creation phase of the synthetic identity's life, they will apply for credit at places that do tri-bureau pulls. They'll sign the synthetic identities up for an email address and for a phone number. So it's really, it's becoming like a real identity almost in a lot of dimensions. They'll sign them up for social media accounts. So get them a Facebook or even better as a LinkedIn or a Twitter. The reason being that later on, a fraud investigator is going to be looking for this person and this gives them a little bit more legitimacy. That is so much, that's so much attention paid at that early phase. Absolutely.
Starting point is 00:11:13 So one of the things that we've, we noticed with a lot of the fraud rings, the traditional fraud rings, was a tremendous amount of technical sophistication. So highly automated, really well, really deep understanding of not just the fraud controls, but the entire technical stack. With this kind of fraud, it seems very manual. It seems very kind of almost like an artisanal form of fraud. Yeah, it's like a bespoke. like you literally create these lives.
Starting point is 00:11:37 Absolutely. So, okay, so that is... So that's phase one. The birth. The birth. Exactly. So then in phase two, that's the buildup phase. This is where it takes one to two years. And in this phase, the synthetic identity is acquiring credit as quickly as it can. So often this means getting small credit cards, introductory credit cards and actually making oftentimes the minimum payments, but anything that shows this person has a good repayment history.
Starting point is 00:12:09 Now, when eventually down the road, this is discovered and people are presumably going back to figure out, can you start tracing those payments when you look back and start understanding where that money comes from and have like understanding into the fraud from that route? Well, those payments often come from bank accounts in the names of the synthetic identities. Isn't there a point when you open the bank account where you need more than those three pieces of information? You're supposed to collect four. It's technically name, date of birth, SSN, and address. It's called the customer identification program. And you're supposed to verify these things in a number of different ways. But because there's simply no way of doing it,
Starting point is 00:12:49 a lot of times, you know, people say, oh, they have a credit record that's sort of sufficient. You know, most of the account opening anti-fraud stuff people do is focused on identity theft, which has traditionally been the big account opening form of fraud. But for, for, account opening, if you want to prevent identity theft, what you're doing is trying to see whether the person submitting the application is the same as the identity that they're using to apply for credit. So as an example, if you see John Smith apply for credit using Naftali Harris at gmail.com. Right. As their email address.
Starting point is 00:13:23 Problem. Yeah, problem. Exactly. It's probably not John Smith doing it. It's probably Naftali Harris. But if you see John Smith applying for credit with John Smith at gmail.com, then it looks fine. Yeah. But what if it's actually Naftali Harris that made John Smith and made John Smith at gmail.com?
Starting point is 00:13:40 Let's go back to the life cycle. So we talked about the birth. Then we talked about the like development. Incubation. The incubation. Where is the moment where they die? So that's every fraudster's favorite part of the life cycle. It's the bust out.
Starting point is 00:13:56 Once you have a synthetic identity that has been making payments, which has gotten access to higher credit lines. So at the end of that incubation period, the synthetic ID has a credit score over 700 or 750 plus or even at the 800s. Yeah. They look great. Yeah. And at this point, every bank and lender, especially in today's low rate environment, wants to throw as much money at them as they can. Right. And so in the bust out phase, fraudsters acquire as much credit as they possibly can. They max out any credit card they've had. And all of a sudden, they just stop making payments. They go from your model customer to your worst one.
Starting point is 00:14:35 They stop paying their loans. And then what happens next? So someone stops making payments. And so the bank starts pushing them through their collections process. So somebody starts calling. Yeah, it's usually it's a polite email. Hey, John Smith. Right.
Starting point is 00:14:50 Notice you missed your payment. Could you please do that as soon as you can? Yeah. And then that becomes a little bit more stringent. And then it starts paying phone calls. In some cases, the fraudsters will ignore it completely and vanish from the face of the earth. Yeah.
Starting point is 00:15:03 And in that case, it's uncollectable. Right. In other cases, they'll pick up the phone and they'll say, oh, I'm really sorry. I couldn't make payments. I lost my job. I had a hardship. Someone in my family got ill. I can't make payments right now.
Starting point is 00:15:18 And they buy some time. And they buy some time. And eventually the loan gets charged off. Why does this not at that moment trigger when you suddenly, your behavior suddenly changes and you take a big loan, you know, there are all sorts of legitimate reasons for that kind of sudden big loan. But why is that not automatically getting flagged just for a little check at that point? To the earlier point, right, there's a very big interest to grow your creditor base,
Starting point is 00:15:46 to grow the base of people you're loaning money to. And in that process, friction is generally frowned upon, right? It's a risk determination. Some of these organizations, they've built risk models that feel comfortable enough about the validity of this identity, and they make kind of the business decision to take a risk on extending credit to them. And it's probably one of those things where they need to make some adjustments to that risk model. So I'd say that there's probably some perfectly rational process-driven reason why this is happening. Fraud, like most of these kinds of criminal enterprises, are very much games of cat and mouse.
Starting point is 00:16:21 And this is just sort of the mouse finding a way around the cat in this instance. So where in the life cycle do you guys try and intervene? Like how do you look at this life cycle and where do you think is the weak point and with what kind of tools? The places where they really are experts are on the U.S. credit system, they understand that very deeply, honestly better than probably a lot of people who have that as their careers. You know, they know who does a tri-bureau credit pull.
Starting point is 00:16:47 They know how to get through the KYC processes at different organizations. They know who is weak at the beginning. And so at a high level, the way we actually solve this problem is we have a team of risk analysts that manually review transactions looking for fraud, investigating cases, deeply trying to understand individual fraud transactions, and understanding what is new in the fraud world. And then on the other hand, we have a sister team of technologists, so engineers, machine learning engineers, data scientists, who are taking the insights and the labels from the risk operations team and using those to build productionized machine learning models that actually can detect
Starting point is 00:17:26 this sort of fraud in real time. It almost sounds like a detective agency on one side and then like building the tech on top of the knowledge. So, I mean, a lot of the tech is based on the fact that we understand synthetic fraud extremely well. Different kinds of products naturally fall in one or different parts. So like a high limit rewards credit card from a top 10 card issuer, those will tend to get hit towards the end of that process a little bit before the bust out. And so in that case, you have more history through which to actually identify an application as synthetic. But we also work with card issuers that are trying to give cards to immigrants or to young people, even as early as in college. And there we're really playing at sort of the
Starting point is 00:18:10 very beginning during phase one or the very beginning of phase two to differentiate between those real people and those fake people. A big thing that we do is around clustering, connecting together applications that come from the same fraud ring. So for this form of synthetic fraud, most of it comes from organized crime rings. And, you know, a hundred thousand dollars per identity is great, but if you want to make a business out of it, uh, the fraudsters are a lot more ambitious. Um, and so they make a number of these different synthetic identities and incubate all of them at the same time. Oh my gosh, it sounds like the Matrix that way. It's a lot of fake people. We've seen them be so ambitious as to actually make families. So they'll have like a... But only families of lendable ages. Exactly.
Starting point is 00:18:56 So they'll be like a mother and father. So I have the same last name with birthdays that are a couple years apart. And they'll be like five kids, all of whom are in their early 20s or something like that. Address history that shared at different points. And they tried to make the ages staggered and stuff like that. It's like scripting a story. So you've seen that more than once? We've seen a number of such families, quote unquote, created.
Starting point is 00:19:23 Internally, we call it the Keeping Up with the Joneses approach, because the first time we saw this, the last name was Jones. You know, a family that commits fraud together, stays together. We need like a symbol, but on, but... Thank you. I'll be here all week.
Starting point is 00:19:38 I was going to suggest we call this a fraudcast. Yeah. There you go. Another good one. So what are some of the other types of fraud rings that you guys see? We oftentimes see alleged people that have no relationship with each other
Starting point is 00:19:53 who are sharing address history at some point. And it's really interesting what causes that. So one reason this happens is that a fraudster will oftentimes reuse the same address, or for that matter, the same phone number or email address if they're lazy. But during the incubation period, one of the ways in which fraudsters boost up someone's credit quite a bit is by purchasing authorized user trade lines. That's when you give a credit card to your spouse or one of your kids. So like when you're younger, sometimes your parents will give you,
Starting point is 00:20:26 a credit card, the credit card actually is in the name of your parents, and they're the ones that are actually responsible for making the payments. But what a lot of people don't realize is that that credit card will oftentimes show up on the recipient's credit report. So if you're a kid and your parent gives you a credit card, which they're responsible for, it'll end up on your credit report. And that's sort of what all the major card issuers had historically thought was the point of having an authorized user card. It's to usually within a family or, you know, at most friends, or maybe employees or something like that. But actually, you'll find hundreds of these marketplaces
Starting point is 00:21:03 that let you purchase or sell a high limit credit card that you have. And that's legitimate? It's not, but it is, as far as I know, legal. Whoa. So you sell your ability to borrow to somebody else? I mean, it sounds like such a bad idea. The recipient won't actually get the card. The card will show up on their credit report,
Starting point is 00:21:24 but the card actually won't get sent to them. And the purpose of it actually is essentially credit score arbitrage. If you have a high limit $20,000 credit card that you've had since 2005, it looks really good when it shows up on somebody else's credit report. And they're willing to pay for it. So fraudsters who are very prolific about buying and selling these authorized user cards will oftentimes have shared addresses. And the reason the addresses are shared is that multiple of these synthetic
Starting point is 00:21:53 identities at one point or another, bought the same authorized user credit card. Our technology can detect this and realize that these people, 50 of them throughout the United States, who should have no relationship to each other, nonetheless have shared history. What's the weirdest thing you've seen besides the Joneses? So we saw one case where the fraudster actually had taken two different, totally different people and mashed their identities together. And one of the identities that was mashed together was someone that was actually in prison for murder. So that person, if they ever get out, might be pretty upset about this. So it's like half identity fraud, half synthetic, like a kind of weird Hollywood mashup. Like you take two movies and slice them together with lazy storytelling,
Starting point is 00:22:39 basically. One that I thought was just really amusing. And we saw a fraud ring that had so many identities in it that the way they kept track of who, which identity had which SSN is actually included the last four of the SSN in the email addresses of the synthetic identities. So lots of people have, you know, Naftali Harris and then month day at Gmail.com or a lot of people have, you know, Naftali Harris, year of birth at gmail.com. These fraudsters actually use Naftali Harris, last four of SSN at Gmail.com. And they did this for all several hundred of their identities. So that was an immediate first signal.
Starting point is 00:23:21 Yeah. Essentially, the identities all looked very cookie cutter to us. As though somebody was following directions for how to create a synthetic identity. They had something that worked. They all used the same original institution as their first inquiry. They all were structured the same way. They all had first name, last name. Last four of SSN at gmail.com was the one that they used.
Starting point is 00:23:44 everything about them was sort of similar, even though none of the information was overlapping in that case. So, you know, when we looked at this, people used the SSN4 in their email address. Almost everyone who did that was fraudulent, but there were some that were not. Right. And some people just didn't realize that you're not supposed to put the last four of your SSN in your email address. I think most of us realize that, but, you know, some people don't.
Starting point is 00:24:09 Yeah, that's another tip for our listeners if you're doing that change your email right now. So you look for patterns, you look for clustering. Are there other hallmarks that you look for that you guys are paying attention to? It's a lot around the consistency of the history. Synthetic identities have histories that are not really cohesive. So we'll do things like look at state-by-state migration patterns. So it's pretty common for people to move from Florida to Georgia. It's a lot less common for people to move from Florida to Alaska. Obviously it does happen. And apologies to whoever's listening and did just that. But statistically, there are certain patterns that are more or less likely. So we'll look at when SSNs were issued and then when and where those were issued and see if they match up with someone's actual credit history. We'll look at where they've been moving, how fast that's happening. It's pretty rare for someone to have a residential home in a new state every, you know, one or two months, which is not very frequent.
Starting point is 00:25:09 So we'll look for a lot of things around cohesiveness of the identity. And weird outliers. Weird outliers. I think there's a really interesting salient point here that's being made, which is that kind of the first two generations of large-scale consumer fraud were mostly about technical weaknesses, underlying technology weaknesses, lack of two-factor authentication, inability to secure endpoints, right? It was very kind of software-driven or computer breach-driven. This is actually a business process hack or a hack of sort of existing broken business process.
Starting point is 00:25:43 Yeah, you know, essentially it's social engineering at scale. So in some ways it sounds terrible to say, but it kind of feels a little bit like a victimless crime because you're not stealing money from another person. You're stealing it from this like institution. The funny thing about that is. I know that's not true. Having worked at institutions that had lots of things attempted to be stolen from them. Yeah. Like, can you talk about how that impacts the whole?
Starting point is 00:26:07 Yeah, absolutely right. Losses of these nature, of this nature go directly against the bottom line of the corporate. Right. So this is, you know, losses like these translate directly into the financial performance of the stock. And these are the kinds of things that shareholders and board members and anyone with the fiduciary responsibility that they want to tackle as quickly as possible because reducing losses in these kinds of categories can translate into meaningful movement of stock, especially if you're talking about a billion to $2 billion, right? That's not trivial. So usually the way that this starts to materialize is that this will translate into higher costs associated with borrowing for legitimate customers. So these expenses, they're not going to get eaten by the corporation. They're going to get probably pushed out in the forms of new fees or higher interest rates to people opening new accounts. It's going to translate probably into more internal controls, more expense on the back end
Starting point is 00:27:00 to start validating some of these transactions to do more verification. And we're going to pay for it. And it's going to be maybe a tenth of a percent, maybe a fifth of a percent. But it's going to start to drive up costs of borrowing for consumers. That's usually where it turns out. There's actually two other sorts of ways in which certain groups are victims. So one of them is that synthetic identities look like people that are new to credit. And those populations, the legitimate populations there are often young people and immigrants.
Starting point is 00:27:29 Oh, so it's making it harder for all the people who need credit the most. Exactly. Yeah. So it makes banks a lot less comfortable lending to immigrants and a lot less comfortable lending to young people, or even just people that decided they didn't need credit for a long time. A lot of money will say I have no reason I should get a credit card and get trapped in debt until they decide they might want a mortgage. And it makes it harder for those kinds of people to acquire credit because they look like they might be not a real person. We did a podcast before
Starting point is 00:27:56 about sort of different areas of cyber crime and different geographic concentrations of different kinds of fraud. Is there a geographic concentration or is there a type of fraudster that tends to gravitate towards this kind of fraud? Yeah, a lot of this form of fraud is geographically concentrated. So we see a lot from Southern California, a lot nowadays from the Atlanta region, a lot from South Florida. And is that just because people get good at it? And then the organization gets bigger? Or they're telling their friends. It's like Amway or something. Yeah. A lot of it is organized crime. Typically the way we've seen these illicit criminal industries develop is that they start off as sort of what you could think of as sort of like familial clusters, right?
Starting point is 00:28:37 Groups of small groups of individuals that figure out a neat trick, share it among a couple friends, perhaps locally, which is why you're seeing geographic concentration. And then that information gets distributed more broadly and other more professionalized career-type criminals start to move in and an industry develops. You'll get sort of a one-stop shop, right, a group of individuals that do soup to nuts, this kind of fraud. Specific tasks now will start to get broken up. So you'll be able to probably go buy these identities in the dark web. There's probably places that are actually farming them, developing them, and then selling them to other parts of the organization.
Starting point is 00:29:13 And then you'll get specific groups that are focusing on kind of the bust out rings and those sorts of things. The industrialization of synthetic fraud. I would suspect that we're either in that phase or we're moving towards it. We're seeing sort of that hockey stick growth of a new industry, right? And it's just kind of the criminal variant of it. And so as that starts to ramp up, it's going to be interesting. So I am not aware of any large scale arrests of people involved in this kind of activity.
Starting point is 00:29:37 I'm interested if you know if like any of the regulators have said anything about synthetic fraud are interested in looking at it? You know, that's one of the really interesting things. Synthetic fraud right now is a huge money laundering issue, but a totally underappreciated one. If you look at the regulations around KYC, so specifically the laws that require this, they really contemplated identity thefts and did not contemplate synthetic fraud almost at all. Everyone's assumption for a really long time has been that identities that are used to apply for
Starting point is 00:30:11 credit are real. And as we've discovered over the last couple years, that's really not the case. So the banks are starting to understand it and noticing it and getting new tools to try and notice it. When the banks catch this and they stop it, do they then alert the authorities? Do people try and pursue this at all? No, the first instinct of banks is to try to have it not happen again, and they're not quite as focused on having law enforcement step in and apprehend the people doing it. What would be the tipping point for that to have to happen if it becomes this big industrialized? So it's dollars, right? Arrests typically happen towards the end of the life cycle of something like this. And so as it gets professionalized, as you see kind of the industrialization of this sort of activity,
Starting point is 00:30:58 regulators will start to notice, you know, law enforcement will start to notice. They may have already, there may already be active investigations, we don't know. But they'll start to kind of move against these sorts of organizations. As large-scale criminal organizations that are engaged in things that, you know, maybe drugs, maybe terrorism could be things that are life-threatening, you know, they're always looking for new conduits for money laundering. So sometimes what happens is that money or some of that activity will find its way into some of these channels as a way to clean and rinse some of these funds. And that'll also draw
Starting point is 00:31:31 the attention of law enforcement. And then you really have to pay attention to where interesting. You don't necessarily see criminals from other forms of crime moving into this sort of crime. So you won't see racketeers or you won't see narcotics traffickers like quitting their day jobs and deciding to do synthetic fraud. It's the specialist. Exactly. But they will, they will sort of, you know, give money to people to run it through these systems to clean it for a fee, right? And that's, that's usually where you start to see the real professionalization. That's where it starts spreading through the criminal system. And then you start to see the cases come and you'll see arrests made.
Starting point is 00:32:03 And that's usually how these things start to get rolled up. Are there sort of fundamentally new human behaviors that you're noticing? Or is it the same fundamental criminal behavior, but just manifesting itself in different, in new and different ways? I think that's actually a really, the really interesting point here about all of this. And I mean, I think most of the fraud discussions and just broadly a lot of the, a lot of security issues we have in general, it all comes back to that kind of earlier discussion about like the social security number that, you know, if you look at your social security card, it says this is not to be used for identification, right? Like this is, this number should mean nothing to you. I mean, it's almost
Starting point is 00:32:38 like Monty Python, right? Like we've built all these things on something that said, don't make me the Messiah, and we kind of did that. And then as a country, we've sort of refused to meaningfully consider any kind of national level identity or identity management. And so you have the proliferation of a lot of these issues. And that's that's sort of the really fascinating thing about almost all the fraud discussions. So if there is this huge kind of foundational crack in all these systems that we've built up, that it feels like a house of cards almost with this missing kind of giant verification piece at the bottom, how do you get at the heart of that problem? So I think one thing that Joel mentioned earlier was the sort of cat and mouse nature of a lot of
Starting point is 00:33:18 fraud. We want to go a step beyond that. There are many organizations out there, even beyond financial services that are verifying identities as part of their business. So every major bank and lender does this, but so do online marketplaces like Lyft or Airbnb. So do also retailers. So one that is taking payments. You're constantly having to do this. Yeah. Yeah. You probably do this a couple times even today. Yeah. And one thing that we've observed is that these organizations with respect to customer identification don't really work together, despite the fact that it's fundamentally the same problem they're solving, like figure out if someone is who they say they are, and if they actually exist. All these organizations are fighting the same fraudsters, and they're verifying the same
Starting point is 00:34:02 300 million Americans. So the way this really should work is the government should step in and make a sort of national ID, I think, to really solve this. One that does have printed on it. You should use this. There's web standards for how to do this, and then, you know, cryptography has advanced quite a bit, and there are ways of doing this. I don't think we're going to see the U.S. government step in and do this. And so we're building it. Thank you so much for joining us on the a16z Podcast. My pleasure.