Blog Posts Process Analysis

Synthetic Identities: From Data Breaches to Auto Loan Fraud

Blog: Enterprise Decision Management Blog

Yul Brynner from Westworld

Fraud and data breaches have always had a close, if destructive, relationship. As the US transitioned to hard-to-counterfeit EMV payment card technology several years ago, criminals flocked to card not present (CNP) fraud, often combining identity fragments and card numbers stolen in breaches to make illicit purchases online. Five years later, data breaches and downstream fraud continue their symbiotic relationship, with a steady increase in synthetic identity fraud.

Financing Cars with Synthetic Identities

It’s true: synthetic identities have become a major method for perpetrating auto lending fraud. Criminals are using parts of both fabricated and real identities (mined directly, or stolen during data breaches and purchased off the Dark Web) to create synthetic identities, which in turn are used to secure auto loans or other financial products. Synthetic identities can also be cultivated over time by various means, such as a legitimate cardholder getting an additional card for a person who does not exist, a process also known as “pollination.”

In the case of auto fraud, once a synthetic fraudster has possession of the new vehicle, they will often ship them overseas and immediately abandon any loan payment obligations. The fact that auto lending synthetic fraud has been increasing — it is up 500% since 2011 — is an indication that many of the synthetic identities pollinated or otherwise created years ago, and cultivated to appear credit-worthy, are moving into the bust-out phase.

Today’s Data Breach Is Tomorrow’s Fraud

I recently talked about synthetic auto loan fraud with executives from Santander Bank and GM Financial at the AFSA Vehicle Finance Conference, on a panel discussion about cybersecurity and third-part risk management (TPRM). Synthetic identity fraud provides a vivid illustration of the evolving continuum of cybersecurity and fraud: Party A’s data breach today (facilitated by poor cybersecurity defenses) becomes Party B’s synthetic identity fraud tomorrow. In the auto lending industry, most cases involve a multi-step process between one party’s data breach and another’s fraud. Sometimes these parties are business partners operating in the same automotive ecosystem.

In dollar terms, synthetic loan fraud comprises about $600 million of the $1.2 trillion in outstanding auto loans. That’s a small proportion overall, but still a significant number in terms of fraud losses.

An Empirical Tool to Gauge Third-Party Risk

Synthetic identify fraud is a sobering outcome of the unknown, and largely uncontrolled, cyber risk exposure companies face from the partners they do business with. Addressing it requires effective third-party risk management (TPRM), starting with a baseline measurement of business partners’ cyber risk.

The FICO® Cyber Risk Score is an ideal empirical tool to measure and monitor third-party risk exposure at any scale. FICO enterprise customers are using the Cyber Risk Score to continuously measure the third-party cyber risk posed by tens of thousands of partners (and more) they do business with.

TPRM is a big theme for FICO and the entire enterprise cybersecurity industry, because companies recognize that while their own cybersecurity defenses may be strong, those of the third and fourth parties (vendors of vendors) they connect with may not. PwC, which, along with Deloitte, KPMG and McKinsey, has a major TPRM practice, sums up the business imperative:

“In a business landscape loaded with potential pitfalls like cyber threats … that result in supply chain disruption, making sure your partners are following appropriate procedures is vital and will enable you to avoid risks and reputation damage.”

Using the FICO Cyber Risk Score to empirically assess third-party cyber risk is a critical first step.

In addition to helping organizations recognize and measure cyber security risk, for themselves and for their extended supply chain, FICO is an industry leader in fraud detection and prevention technologies. For more information on the mechanics of synthetic identity fraud, please download our Synthetic Identity e-book to learn more.

Follow me on Twitter @dougoclare for the latest developments in TPRM and the FICO Cyber Risk Score.

The post Synthetic Identities: From Data Breaches to Auto Loan Fraud appeared first on FICO.

Leave a Comment

Get the BPI Web Feed

Using the HTML code below, you can display this Business Process Incubator page content with the current filter and sorting inside your web site for FREE.

Copy/Paste this code in your website html code:

<iframe src="" frameborder="0" scrolling="auto" width="100%" height="700">

Customizing your BPI Web Feed

You can click on the Get the BPI Web Feed link on any of our page to create the best possible feed for your site. Here are a few tips to customize your BPI Web Feed.

Customizing the Content Filter
On any page, you can add filter criteria using the MORE FILTERS interface:

Customizing the Content Filter

Customizing the Content Sorting
Clicking on the sorting options will also change the way your BPI Web Feed will be ordered on your site:

Get the BPI Web Feed

Some integration examples