Industry executives and experts share their predictions for 2024. Read them in this 16th annual VMblog.com series exclusive.
Emerging Fraud and Identity Authentication Threats to Watch in 2024
The Synthetic Fraud
Bubble Grows; SIM Swaps Persist; AI Deepfakes Give Fraudsters a Leg Up;
Enterprises Walk a "Fraud vs. Friction" Tightrope
By Jason Lord, vice president
of global fraud solutions, TransUnion
As digital transactions become increasingly intertwined with
online activities, the threat of fraud has grown exponentially for consumers
and enterprises alike. Although sophisticated detection mechanisms
that blend technology, data analytics and human expertise have been adopted by some
institutions, a more holistic approach to fraud fighting efforts is needed to
effectively counter evolving and emerging threats.
Looking ahead to
2024, security and risk teams should remain particularly vigilant in several key
areas.
1. The synthetic fraud bubble keeps growing as financial institutions struggle
to gauge their risk exposure.
The 2008 financial crisis was caused
by subprime loans that started to fall apart when new homeowners found
themselves unable to pay their mortgages as their homes decreased in value. A
similar reckoning may be on the horizon in the financial industry due to synthetic fraud, as
credit exposure steadily grows with no actual individual behind the credit.
TransUnion estimates that the
total lending exposure to synthetic fraud in the
U.S. has reached nearly $3 billion, the highest point since the company began
tracking in 2009 and a 38% rise year-over-year. The synthetic identity issue
has been noticed by those monitoring deposit accounts (savings and checking)
but a lack of focus from the credit-risk and compliance side will enable the
total lending exposure within credit portfolios to keep growing.
Organized criminals and bad actors use
these synthetic identities and real lines of credit to interact in the physical
world and eventually "bust out" by maxing out their credit lines before
disappearing into the night. Nowhere is this problem more prevalent than with
auto loans, which currently represent more than 60% of total
synthetic fraud risk ($1.8 billion). Still, many financial institutions don't understand
their level of risk exposure to this growing threat.
Action is required to address this synthetic fraud epidemic,
and institutions must refresh their approach to
authenticating identity to ensure synthetic profiles are caught before the
origination process advances. Failing to act could spur another crisis.
2. SIM swap fraud keeps happening, and most organizations
admit they can't solve it.
A "SIM" is the chip in smartphones that
enables calling and texting. SIM swaps happen when criminals trick a carrier
into connecting a phone number to a phone in the fraudster's possession, often
by impersonating victims and claiming that their SIM card/phone has been lost
or damaged. Once a SIM swap has occurred, the fraudster can then intercept all
incoming one-time passcodes (OTPs), making it easy to take over victims'
accounts. In 2021, the FBI received 1,611 reports of SIM swapping, with losses totaling over $68 million - a more than five-fold
increase from 2018 and 2019 combined - and this trend is expected to accelerate in 2024.
Account takeovers via SIM swaps affect
almost all verticals, with financial institutions being a popular target. A Forrester survey of 300 fraud decision-makers found less than 1 in 3
organizations confident in their current ability to prevent OTP fraud, and
almost half (46%) felt they lack the technology to detect it.
Given the ubiquity of the OTP as the primary
method of establishing identity via two-factor authentication (2FA), seeing so many stories of
victims losing significant sums to Adversary-in-the-Middle (AitM) attacks is
not surprising. And it's not just consumers being victimized: SIM swaps are an increasingly
popular component of enterprise attacks, with
threat actors targeting and compromising trusted employees to gain access.
The SIM swap scourge has spurred
action. In July,
for example, the FCC introduced new requirements for carriers
to address security gaps in their authentication processes. But attacks are only
increasing and likely to become more pervasive. Preventing this type of fraud
requires partnering with an organization that can use phone carrier data to
indicate the risk of common fraud activity (e.g., SIM swap, call forwarding, unauthorized
reassignment) prior to the OTP being sent.
3. Generative AI is already making new account fraud much
easier, and it's only going to get worse.
Fraud stemming from AI deepfakes spiked during the pandemic. From October 2019 to June 2020, the
number of detected fakes rose 330%, and it is growing rapidly. Despite the significant
challenges the threat poses for organizations that need to accurately
authenticate and verify user identities, fewer than 30% of companies have
established a deepfake defense plan.
One major problem area is new account
fraud, or "phantom fraud," which has resulted in losses of roughly $3.4 billion.
Fraudsters create a completely new identity using forged birth certificates or
driver's licenses and prepaid SIM cards, and they use these fake identities to
open new accounts with a telecom provider. With a real telecom account and
their fake identity, they can receive codes to pass OTP, 2FA and Know Your
Customer (KYC) requirements. Because most document verification providers rely
primarily on visual inspections of documents, they are vulnerable to this rise
in deepfakes.
Similarly, there have been multiple high-profile incidents of enterprising
fraudsters using AI to fake voice biometric
authentication systems in the call center, allowing them direct access to
consumer accounts. This has many fraud experts questioning the viability
of voice biometrics as a secure authentication measure. Because AI tools can
outwit document scans and voice authentication to take over accounts,
organizations need to use a multi-layered defense leveraging additional signals
(device reputation, credit-based identity checks, forensic phone carrier
analysis, etc.) and not rely on biometrics alone.
4. Business battles itself on customer experience.
Internally, many fraud leaders are
battling with business leaders on whether to beef up fraud controls or reduce
friction for better customer experiences and higher conversion rates. In the
financial world, a tightening credit environment in a competitive landscape,
with increasing consumer appetite for instant access to funds and credit, makes
it critical for fraud practitioners not to introduce friction that will
adversely impact acquisitions/originations, the consumer experience, or access
to funds. For online retailers, guest checkouts are especially vulnerable to
losses from friendly fraud and Card Not Present (CNP) fraud, and fraudsters are
increasingly exploiting these vulnerabilities. However, fraud mitigation and
consumer experience need not be zero sum. Employing an omnichannel and multilayered
fraud strategy means not only mitigating fraud, but also identifying more of
the good consumers and transactions to let them through with ease.
Fraud and other
identity-based risks are to some extent inevitable in an increasingly interconnected
world full of instant transactions. But it is critical that risk and security professionals
keep a close eye on the evolving threat landscape to better anticipate
potential vulnerabilities with the identity verification processes they rely
on. As with any other technology, they must take a holistic view of identity
authentication to ensure existing mechanisms are effectively establishing
trust.
##
ABOUT THE
AUTHOR
Jason Lord
is Vice President of Global Fraud Solutions for TransUnion. A fifteen-year
veteran of marketing and fraud technology, Jason has previously led teams for
Neustar and PointRoll. He currently lives in Chicago, IL.