For many merchants, the biggest security focus is around credit card fraud: the moment when a bad actor pulls out a fake credit card and makes a fraudulent transaction. But in the online space, that’s only one of the ways fraudsters are taking advantage of businesses.
From bank accounts and mobile wallets to shopping accounts and rewards programs, consumers are opening a wide range of online accounts without ever speaking with another human. Want to browse freelancer profiles on Upwork? Sign up for the frequent flyer program? Buy movie tickets? You’ll need to open an account.
Account opening fraud happens when the fraudster has material financial incentives to create the account under a false identity. This could be by opening a new credit card account or crypto wallet, opening multiple user accounts to take advantage of promotions, a merchant being onboarded at a payment service provider, or automated bot accounts. Account opening fraud is varied, on the rise, and much higher up the risk spectrum because the financial loss can be much larger than a retail transaction with a stolen credit card.
According to Javelin Strategy & Research’s 2018 Identity Fraud Report, the number of identity fraud victims increased by 8 percent in 2018, numbering 16.7 million U.S. consumers. Much of that fraud was account-related, with 1.5 million victims of existing account fraud having had another fraudulent account opened in their name.
How are those accounts opened? Through synthetic identities.
Enabled by Synthetic ID
Synthetic identity fraud is different than just stealing credit card info. Instead of plugging in a stolen credit card, this type of fraud combines real (often stolen or bought on the black market) and fake information to create a new identity plausible enough to open fraudulent accounts and conduct fraudulent financial transactions.
For example, a fraudster may steal real names, dates of birth, and social security numbers, then add burner phone numbers and email addresses that they have access to. It’s big business, and growing. In one case, a South Carolina man used synthetic identities to obtain 558 credit cards from Capital One, withdrawing an estimated $340,000. And with so many data breaches over the years, almost any SSN might be compromised.
The combination of real and fake information makes spotting synthetic identities difficult—especially when placed beside the goal of trying to reduce friction in the sign-up process. How do you increase sign-ups while still ensuring a legitimate consumer is behind these brand new accounts?
The power of progressive sign-up flows
Whereas credit card payment fraud is best assessed in a transaction risk setting, account opening fraud needs a different approach.
Increased friction during the sign-up process (i.e. asking for additional documentation to inform identity data or requiring a customer to speak with a customer service representative in person) can help reduce the number of accounts opened using synthetic identities. But there’s no reason to ask your best customers to go through these extra steps.
Progressive sign-up flows are a smart way to apply that friction to suspicious accounts without creating barriers to new accounts from customers you have more confidence in. For example, if you verify that the email or phone number on the account application is low-risk (well established, associated with the customer, and from a trusted phone carrier or email provider), you can allow the account to be set up after a simple two-factor authentication. But if the email first-seen date is recent, the phone number is VoIP, or you see some other potential risk signal, you can require the user to take additional steps before opening the account.
The key to creating effective progressive sign-up flows is to layer strong identity verification data over the sign-up process. This allows you to ask customers for less data initially, then route them into the right sign-up flow according to the risk analysis. Whether you let them through with a two-factor authentication step or require them to supply additional documentation, you can feel more confident that only authentic accounts are being opened.
Ekata’s phone, email and identity validation API products help companies shut out synthetic ID fraud and give fraud teams the insights they need to build progressive sign-up flows based on risk segments. Learn more about our solutions for account opening today.