In a recent report the Aite Group outlined in detail the threats and challenges posed to financial services institutions from application fraud. The report brings up detailed and pertinent considerations, making it a must read for any fraud and security professional.
The report identified that application fraud is projected to cost $4.1 Bn (USD) by 2023. Unsurprisingly, in an effort to defend themselves, more than two thirds of organizations interviewed in the report plan on adding or replacing fraud prevention vendors over the next 2 years.
The report also highlighted the importance of using a number of different technologies and techniques to counter the threat posed by application fraud. Callsign completely agrees with this assessment.
In light of this information, we wanted to consider the threats posed by application fraud, and how organizations are mitigating them.
What is application fraud?
Application fraud is where a bad actor opens an account under false pretenses. They may, for example, be looking to apply for a loan or credit card with no intention of paying off the balance, or looking to open a ‘mule account’ to store the proceeds of other crimes that they have committed. Some particularly sophisticated bad actors may even fraudulently open an account with a utility provider, in order to obtain a false proof of address with which to apply for financial products.
So how is it done? There are a few ways that bad actors can commit application fraud:
Use their own information
Known as ‘first party fraud’, this is the simplest and most easily countered method. In this case, the bad actor will provide their real personal information, along with falsified information to open an account that they wouldn’t otherwise be eligible for. They could, for example, overstate their income on a credit card application or falsely claim to be entitled to a service such as disability benefits.
To counter this fraud, organizations typically deploy credit checks. The details of the customer’s application are compared against those that are held on file at a Credit Reference Agency (CRA) and any discrepancies can be highlighted and dealt with on a case by case basis.
Steal someone else’s information
Commonly called ‘identity theft’, bad actors will steal someone else’s personal details and use these to make applications for financial products in their name. This type of attack has become worryingly common.
Once a bad actor has stolen another’s personal details, they will typically input them into as many product application forms as they can find. To do this manually is quite onerous, so bad actors use bots to undertake credential stuffing attacks: the bots automatically navigate to product application pages and fill in the forms with the victim’s personal data.
To counter this, organizations often rely on bot detection capabilities. These either identify the JavaScript that controls the bots, or pick up on telltale signs that give a bot away, such as a typing cadence that is too regular.
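The typing-cadence signal described above, as an added example that is not part of the original article or of any vendor's product: it scores keydown timestamps per form field and flags gaps that are too uniform or too fast. The thresholds, field names and action labels are assumptions chosen for illustration.

```javascript
// Added example; thresholds and field names are illustrative assumptions.
const MIN_KEYS = 8;      // fewer keystrokes than this: not enough data to judge
const MIN_CV = 0.15;     // gap std-dev / mean below this: suspiciously uniform
const MIN_MEAN_MS = 30;  // mean gap below this: faster than sustained human typing

// Turn ascending keydown timestamps (ms) into mean gap and coefficient of variation.
function cadenceStats(keyTimes) {
  const gaps = keyTimes.slice(1).map((t, i) => t - keyTimes[i]);
  const mean = gaps.reduce((a, g) => a + g, 0) / gaps.length;
  const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
  return { mean, cv: mean > 0 ? Math.sqrt(variance) / mean : 0 };
}

function classifyField(field) {
  // A value with no keystrokes can be paste or browser autofill as well as a
  // script, so it is reported but never counted as bot evidence on its own.
  if (field.keyTimes.length === 0) return "no-keystrokes";
  if (field.keyTimes.length < MIN_KEYS) return "insufficient-data";
  const { mean, cv } = cadenceStats(field.keyTimes);
  if (mean < MIN_MEAN_MS) return "too-fast";
  if (cv < MIN_CV) return "too-regular";
  return "human-like";
}

// Score one application-form session: step up when at least half of the
// fields that could be judged look machine-typed.
function scoreSession(fields) {
  const verdicts = fields.map((f) => ({ name: f.name, verdict: classifyField(f) }));
  const judged = verdicts.filter((v) => !["no-keystrokes", "insufficient-data"].includes(v.verdict));
  const flagged = judged.filter((v) => v.verdict !== "human-like");
  let action = "allow";
  if (judged.length === 0) action = "inconclusive";
  else if (flagged.length * 2 >= judged.length) action = "step-up";
  return { action, verdicts };
}

// Constructed sample sessions (gaps between keydown events, in ms).
const fromGaps = (gaps) => gaps.reduce((ts, g) => [...ts, ts[ts.length - 1] + g], [0]);
const botSession = [
  { name: "full_name", keyTimes: fromGaps([50, 51, 50, 49, 50, 51, 50, 49, 50]) },
  { name: "address", keyTimes: fromGaps([5, 5, 6, 5, 4, 5, 5, 6, 5, 4]) },
  { name: "postcode", keyTimes: [] },
];
const humanSession = [
  { name: "full_name", keyTimes: fromGaps([120, 95, 210, 80, 340, 150, 110, 260, 90]) },
  { name: "address", keyTimes: fromGaps([140, 310, 75, 190, 88, 420, 130, 101, 230]) },
  { name: "postcode", keyTimes: fromGaps([200, 180, 450]) },
];
console.log(scoreSession(botSession).action, scoreSession(humanSession).action);
```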
Create an entirely new identity
The most sophisticated bad actors will seek to combine real information and fake information to create a so-called ‘synthetic identity’. They may for example use John Doe’s social security number, Jane Doe’s home address, and a fabricated name and date of birth to create an entirely new ‘person’.
The power of a synthetic identity is that it has no clear or single victim. In the case of identity theft, when a bad actor gets through the application controls and opens an account in another’s name, the genuine customer is likely notified that something has gone wrong – perhaps they received an unexpected bill or saw an adverse impact on their credit report.
However, with a synthetic identity there is no genuine customer to recognize the suspicious activity and raise a complaint. The synthetic ‘person’ is made up of the attributes of a number of different people, and therefore goes largely undetected. After all, if a bill came to my house addressed to another person, from a bank that I don’t have a relationship with, I’d probably ignore it.
If the synthetic identity remains under the radar, the bad actor can use it almost indefinitely. Moreover, each time it is used, the identity is strengthened, quietly building up credibility in the background. One day, the bad actor can use it to make a big score: he takes out a huge loan and disappears.
It is possible to counter synthetic identities by requiring users to upload identity documentation that is hard to forge, such as passports or drivers’ licenses.
How do I stop application fraud?
As you can see, application fraud comes in many different guises. Tackling it is complex and, unfortunately, there is no ‘one size fits all’ solution.
Although robust credit checks are likely to spot first party fraud, they will not detect applications made using stolen or synthetic identities. Bot detection technology may identify credential stuffing attacks that exploit stolen identities, but it will not prevent first party fraud or synthetic identity attacks. Enhanced identity and verification technologies that require a user to upload a copy of a physical credential, such as a passport or driving license, may pick up some synthetic identity attacks, but they will not prevent first party fraud and will have limited impact in preventing identity theft.
Organizations must therefore take a multilayered approach, using a series of technologies in concert to prevent the full range of threats. Until recently, this was incredibly costly and complicated: the vendors had to be carefully selected and integrated into the organization’s ecosystem and then managed in an ever-changing environment.
Fortunately, advances in orchestration technology allow organizations to quickly introduce an end-to-end solution to tackle each different type of application fraud. What is more, as the tactics of bad actors evolve, orchestration layers enable organizations to keep pace, ensuring that they are never at the mercy of a new type of fraud.
How can Callsign help?
Callsign can equip your organization with all the tools you need to create the end-to-end fraud solution required to combat fraud in all its guises.
Our orchestration layer makes it easy to manage the disparate technologies needed to counter fraud effectively. Being API based, it can integrate with third party technologies such as credit checks and identity verification software, which help to prevent first party fraud, identity theft, and the use of synthetic identities. Meanwhile, our own threat detection capabilities can enhance the recognition of identity theft and synthetic identities and can also prevent credential stuffing attacks.
Furthermore, Callsign can help your organization evolve in line with the threats you face. New processes, policies, and technologies can be tested and rolled out without the need for expensive and slow change projects. As such, your organization will never lag behind the bad actors.
Finally, Callsign’s platform does much more than simply protect your organization from application fraud. Our market leading positive identification technology uses device fingerprinting, behavioral biometrics, location analysis and Mobile Network Operator (MNO) data to ensure that a user is who they claim to be.
As a consequence, we are able to protect your organization from a full range of threats. Whether tackling application fraud, protecting accounts from takeover, or combating social engineering, Callsign is here to make everyone’s digital experience as easy and safe as possible.