Using biometrics to fight back against rising synthetic identity fraud

Synthetic identity fraud—when cybercriminals create new identities with stolen or fabricated data—is the fastest growing financial crime in the United States,¹ and it shows no sign of abating. Not only can bad actors purchase personally identifiable information on the dark web for a pittance,² but advancements in generative AI are making it easier to produce images and videos in someone else’s likeness—whether they may be real or imaginary.

The Deloitte Center for Financial Services expects synthetic identity fraud to generate at least US$23 billion in losses by 2030,³ prompting many banks and fintechs to develop more advanced biometric security systems to weed out would-be perpetrators. These projections incorporate historical data on the rate of synthetic fraud and expectations of growth in noncash payments in the United States until 2030.⁴ We used the Federal Reserve Payments Survey to find this expected payment volume—excluding prepaid debit cards—and assumed that synthetic identity fraud would grow incrementally each year.

Synthetic identity fraud is both increasing with the rise of digital interactions and becoming more complex as generative AI and other technologies advance. Many fraudsters concoct entire personas using a mix of real and fabricated information, which are often pinned to social security numbers taken from children or the recently deceased. These bad actors may spend months or years nurturing their synthetic identities, and more than half have a credit score over 650,⁵ just shy of what agencies consider “good.”⁶ The average payoff is estimated to be between US$81,000 and US$98,000,⁷ but a single attack can sometimes result in the theft of several millions.⁸ Synthetic fraudsters may also try to disguise themselves as new customers so they can add themselves to existing bank accounts, or look for lenders who will grant loans to “credit invisible” consumers with no reportable financial history.⁹

What makes synthetic identity fraud notoriously difficult to detect? For a start, fraudsters often create an extensive history in the public domain using their fabricated credentials. They can also correctly enter information to common identity verification questions about their manufactured lives. In fact, 85% of synthetic identities in the emerging consumer sector elude third-party risk models, according to LexisNexis Risk Solutions.¹⁰ These external tools will be increasingly useful for detecting anomalous behavior and reducing false positive rates, especially if they utilize deep learning to analyze multiple characteristics and data points of users’ identities at once. Banks and financial institutions should follow rigorous model risk management procedures to help ensure they are properly monitoring algorithms for performance, transparency, and interpretability.

Stronger biometrics can help to create a wider safety net

Both physical and behavioral biometrics systems can add overlapping lines of defense; they can work together to catch opportunistic hoaxers who would have fallen through the cracks of traditional security checks. Unlike passwords or PINs, physical biometric technology can analyze traits that are unique to each consumer’s makeup, such as their palm vein patterns, retina details, vocal pitch, and ear canal shapes. These biometric security tools can improve outcomes for ID verification and authentication, but many emerging solutions are susceptible to low-cost, creative workarounds. Researchers, for example, recently hacked facial identification technology by placing glasses with tape where eyes should be over smartphones owners’ faces while they slept.¹¹ Smartphone users have also found a myriad of ways to dupe fingerprint sensors, including with gummy bears,¹² wood glue,¹³ and cheap printed circuit boards.¹⁴ These “deepfakes” have passed through some banks’ know your customer (KYC) protocols.¹⁵

To help counteract these fraudulent actions, new and powerful biometric tools can provide additional layers of defense by evaluating whether users are human, testing the veracity of visual artifacts and manipulated recordings, and identifying anomalies that may be atypical of online consumer behavior. These loopholes may create more demand for biometrics capabilities that can assess “liveness.”

Financial institutions should expend more effort refining “liveness detection” checks that distinguish human consumers from synthetic identities who use stolen or AI-generated content to act as the face of their alter egos. These tests may use a range of techniques to verify that a user is responding in real time, for example, by asking them to tilt their head to the side, smile, or blink. Security systems for physical biometrics can compete with the growing sophistication of spoofers by adding elements like skin texture, facial imperfections, perspiration, and blood flow.¹⁶ Banks and card issuers can then evaluate whether the results match up with government-issued ID documents, as well as third-party consortium data and any national ID verification services available to them. They can also check for other indicators of synthetic identity fraud, such as a lack of connections to family members and associates.¹⁷

Banks and card issuers are also planning to significantly expand capabilities in emerging behavioral biometrics tools. These systems can provide continuous authentication by tracking dynamic information about users and learning more about them over time. Moreover, this information can usually be gathered with no additional input from consumers, and it is nearly impossible to replicate. For example, behavioral biometrics technologies aim to analyze a consumer’s touchscreen behavior, mobile app navigation, and typing habits. As a result, even if cyber criminals had the correct password for the user they’re trying to impersonate, the technology could flag that they’re entering a password slower than usual or applying less pressure to the device’s screen.

Behavioral biometrics is expected to be particularly effective in spotting synthetic identities, since fraudsters usually type information quickly across multiple forms, copy and paste it from other sources, or use uncommon keyboard shortcuts.¹⁸ The test results can then be supplemented with nonbiometric factors, such as location histories and spending habits, to trigger instant alerts of unusual transactions that require further review. Moreover, banks can also work more closely with startups and established technology firms to develop multimodal biometric security that evaluates several indicators at once, such as fingerprints, natural speech patterns, and word choice. These enhanced systems may also perform better in a variety of settings and lighting environments and work more effectively with underrepresented consumer groups.¹⁹

Banks and fintechs should take a proactive approach to managing and testing their proprietary and third-party tools, including validation of controls, by feeding them with “synthetic” or artificial biometric data. Synthetic data can be immensely valuable when it is too costly, time-consuming, or sensitive to collect real data that make biometrics algorithms produce more accurate predictions.²⁰ For instance, many current AI systems used for facial recognition have been typically trained on white subjects.²¹ By including digitally generated datasets that include more diverse demographics, the tools can become better at identifying diverse faces. Banks and financial institutions should also take additional steps to check the maturity of the controls of their banking partners.

One of the biggest challenges facing financial institutions in the longer term is extending biometric security to new and emerging consumer technologies and having them work together to monitor for anomalous activity contemporaneously. For example, financial institutions may need to develop interactive dashboards that may link behavioral biometric systems to new tools for flagging one-time password fraud, SIM swap fraud, and mobile wallet fraud in real time. In addition, these organizations should consider determining how to safeguard biometric data shared between devices connected by a network, including the Internet of Things (IoT). In the longer term, it may also be imperative for businesses to contemplate how the cryptography-breaking power of quantum computers²² could undermine existing processes for biometric authentication.

Biometrics are important to a zero-trust security model

Physical and behavioral biometrics are becoming a more critical component of the zero-trust security model, which assumes all network traffic is malicious. Financial institutions should continually monitor users and devices instead of trusting that the network’s security perimeter will be sufficient to prevent breaches. Biometrics can buttress the “never trust, always verify” ethos by adding heightened controls that require hard-to-copy information such as fingerprints at every access point in the network.

Biometric systems may also become increasingly important as digital currencies such as central bank digital currencies (CBDCs) enter the mainstream, and consumers conduct more transactions using digital wallets. The European Union, for example, plans to examine how biometrics can be used to verify and authenticate users of the EU Digital Identity Wallet,²³ where the digital euro will likely be stored. The expansion of these verification systems can offer additional safeguards beyond the banking sector by confirming a user’s identity when sharing medical data, taking online exams, or making age-restricted purchases.²⁴

Biometrics can also create seamless customer experiences

Banks and card issuers have another incentive to continue investing in biometrics: Many customers really seem to like it.

Physical biometrics can improve customer experience and reduce abandonment rates in account opening and onboarding processes or other digital transactions due to burdensome security measures. One-quarter of UK adults would exit the account opening process if the identity checks were too time-consuming or complex.²⁵

Some brands are tapping biometrics as an innovative payment method. Panera Bread and Whole Foods Markets, for example, recently unveiled palm payments, which allows users to make purchases by waving their hand over a sensor.²⁶ In just a few years, three billion global consumers are expected to make US$5.1 trillion of purchases using biometric payments.²⁷ Merchants have also expressed interest in using biometrics to offer personalized services or loyalty rewards to consumers at checkout.

Finally, biometrics can also help facilitate financial inclusion by allowing those who lack formal documents used to establish identity, and who have thus been unable to access traditional financial services, to execute safe and secure digital transactions. It can also expand branchless banking services to mobile consumers and protect the assets of women or other vulnerable individuals by offering them sole access to bank accounts.²⁸ And since consumers could no longer be required to recall complex sequences or credentials, it can improve accessibility for groups with cognitive and learning disabilities.

In the end, biometrics should be a win-win for banks. Not only can biometrics play a critical role in detecting and mitigating fraud, synthetic or otherwise, but it may help expand financial inclusion and provide more secure and seamless customer experiences.