The PII Well is Poisoned. Here’s What You Can Do About It
If data is the digital world’s new oil, then Personally Identifiable Information (or PII) is the digital world’s new water. Just like water covers 70% of the world’s surface, PII is “all over the Internet.” Just like water is key to life, PII is key to ‘living’ online—you won’t get far in any digital transaction without providing some level of PII, even if it’s as simple as your name.
Traditional fraud stacks rely heavily on PII verification and matching as a tool to prevent fraud, either using it alone or with consortium data to identify an individual’s likelihood of being a fraudster. They treat PII ‘water’ as if it is fresh-from-a-countryside-stream levels of pure, pristine, and potable.
The problem is that today’s PII is actually a polluted well of filth and fraud. Synthetic identity fraud especially thrives on stolen PII: “synthetic identities” are those created by fraudsters that do not correspond to any real person, but contain bits and pieces of ‘real person’ PII—which is enough to get them past traditional identity verification systems that match PII to identities.
The result? When businesses rely primarily on PII verification for fraud prevention in account opening, they run the risk of verifying synthetic fraudsters and never realizing it until it’s too late. Or to extend our PII-as-water metaphor: PII-based fraud stacks continuously go to a well, pull up dirty water, and ask you to trust them and take a drink.
Stolen PII & Synthetic Fraud: High-Cost And Hard To Catch
As Paypers recently put it (emphasis mine):
The ‘personally identifiable information’ (PII) of people is extremely valuable; that’s the reason why criminal syndicates work together to steal PII in data breaches (identity theft). It’s the fuel necessary for the growth of identity fraud; without it, criminals would have a difficult time . . .
You read that right: PII, the supposedly reliable identifying information, is actually fueling the growth of digital fraud. The dark web economy relies on sales of compromised PII databases, giving fraudsters a skeleton key to unlock endless doors to cyber criminality.
And it doesn’t help that many digital institutions just don’t realize the threat of PII-focused identity theft: because there is typically no victim to raise a ruckus (since a synthetic identity is made up, instead of stolen from a real person), this type of fraud often goes undetected. Yet it is extremely costly. Over weeks, months, or even years, these synthetic identities build up a good credit record using that stolen PII—then they ‘bust out.’ Fraud rings can even establish thousands of synthetic digital identities, all of which would almost certainly bypass PII-based identity and fraud verification systems. One synthetic fraud ring racked up $200 million of losses for banks before it was caught—all from 7,000+ synthetic PII-based identities.
Putting The “Person” Back Into Personally Identifiable Information
PII is unreliable as a fraud detection source. But it’s not worthless—it just needs to be approached as one source, not THE source of truth for identity verification. Fraud prediction and prevention should never rely on one stagnant well of PII-water, but should also incorporate some real-time flowing information.
The Mitigating Synthetic Identity Fraud in the U.S. Payment System report from the Federal Reserve puts it this way (emphasis mine):
Synthetic identity accounts behave more like normal customers – building credit over a period of time – than conventional identity fraudsters, who must rapidly cash in before the victim notices and reports the theft. According to fraud industry experts, organizations that have the most success are those that look beyond basic PII elements (such as name, SSN, date of birth and address) . . . to gain reasonable assurance of the applicant’s identity.
Today’s advanced, PII-based fraud detection technology is useless against synthetic and other fraud types that use stolen PII—and it’s only going to get worse as criminals get more sophisticated. Machine-learning techniques don’t work, because they can’t be trained on synthetic digital identity fraud models. Document-based identity verification that looks for fake IDs also struggles because the IDs used at the time of application are real—just not in the combination they’re being used.
This PII-reliant identity verification depends on a post-submit consortium of breached, compromised PII that is wholly disconnected from the point-in-time user.
NeuroID’s pre-submit, behavior-based digital intent signal prescreens identity before any PII is collected. So, prior to hitting the consortium of identity data, you get identity decisioning based on:
- Users' text entry, typing, and swiping as it relates to their intent (for example, do they misspell their own name or forget their own phone number?)
- Behavior compared to other genuine customers
- Behavioral profile of the user
- The sequence of actions or behaviors
- Alerts on navigation data that resembles machine-like or bot behavior
This pre-submit behavioral data can be used to weed out customers who aren’t familiar with their own PII, push genuine customers through onboarding faster, and reduce the number of false declines, false positives, and account-opening friction.
The PII well is polluted, but think of pre-submit behavioral data as a sieve: pour that well water through it, and it catches the chunks of dirt and grime before they get into your drinking glass. It’s a new layer of protection to ensure you’re getting clean, purified customers into your system, without interrupting the flow of business.