Synthetic ID, Fraud Magazine
The synthetic ID you can't see

Criminals are using a new form of fraud called credit privacy numbers (CPN) to defraud financial institutions and game credit bureaus. Fraud examiners will have to pool their resources and use investigative skills to connect the dots between credit bureaus and banks, and find new ways to combat this plague.

A call rings out on a police radio: “2-Charlie-34 to any available kilo unit reference a Signal 53 in progress.” In plain language, a patrol officer has just asked to speak with a detective from the economic crimes unit about a fraud in progress. A detective answers, and the officer on the scene tells him that he’s taken a man into custody at an auto dealership for attempting to purchase a vehicle and attain financing using a Social Security number (SSN) in the application that isn’t his.

The detective and his partner respond to the scene. Their initial investigation reveals that the subject has a valid state-issued ID bearing his name, which they confirm through a records check. The dealership provides the detectives a copy of the financing application and a credit report as evidence. The credit report shows that the name and date of birth match the ID and person standing in front of them. The subject’s credit score is in the high 700s, and he has multiple open accounts with varying lengths of reporting history.

Additional research shows that the suspect has a different SSN than what’s listed on the credit report and finance application. The detectives are unsure of exactly what’s happened, but they know that there’s fraud afoot, so they take the suspect in for questioning.

They begin the interview, and the suspect fills the room with half-truths and misdirection. He first claims the nine-digit number he put on the application is his SSN, but he later says it’s “like an SSN for his business.” However, he has no registered business and no issued Employer Identification Number, so his claims aren’t adding up. The detectives finally confront the suspect with possible identity theft charges, and he shouts, “I didn’t steal anyone’s identity! I just used my CPN!” The detectives play it cool and quickly excuse themselves from the interview room. One detective looks at the other with a curious face and asks, “CPN?”

“You got me. …” the second detective shrugs.

If, like the detectives, you’ve never heard about CPN, you’re not alone. In fact, unless you’re a criminal dealing in fraud, or a bank fraud investigator that does their research, it’s likely that you have no clue what a CPN is because it’s the newest way fraudsters are committing fraud against financial institutions. The term stands for either credit privacy number or credit profile number depending on whose “credit repair” or “financial advisory” YouTube channel you subscribe to. It’s also sometimes referred to as a secondary credit number (SCN), though less frequently.

Do your homework and you’ll undoubtedly discover a plethora of legitimate-looking websites attempting to sell you CPNs and access to “authorized user trade lines” (individual credit lines that appear on the credit report) used to “season” them to a respectable score. Fraudsters add authorized user trade lines to a CPN profile to give them perceived legitimacy by making it appear that they have higher access to credit and longer histories. The websites will tell you that CPNs are a legal mechanism with which to secure your identity, and the rich, famous and politicians use them to protect their privacy.

Don’t be fooled — CPNs aren’t legal when used to apply for credit. They’re a manufactured product sold as a false promise of hope to those seeking a new financial start or those seeking a way to commit fraud. If you use a CPN you’ll eventually get arrested.

I learned about CPNs in late 2016 when I responded to an auto dealership with my partner to investigate a “Signal 53 in progress.” Yes, I was one of those detectives in our opening case. Since then, we’ve seen a steady flow of these cases from that specific dealership — sometimes taking multiple calls per week.

I don’t believe the fraudsters were specifically targeting this dealership at a greater rate than other local dealerships, but the sales staff had become so adept at identifying synthetic identities in the application process they steadily called us to investigate. They also were at risk of carrying the losses, so they had an incentive to prevent fraud.

As time progressed, other suspects (who we’d later arrest) started showing up to the dealership in new cars from other dealerships around town. They’d go through the same credit application process using their CPNs, the sales staff would subsequently identify them as crooks and we’d arrest them.

We’d examine their credit reports during our subsequent investigations and see multiple credit inquiries or loans from the other dealerships, including dealerships from which the suspect purchased the new car. However, we hadn’t received calls for fraud from any of those other dealerships. Either they weren’t seeing it because they didn’t know what to look for, or they didn’t care. The lenders at the other dealerships were unaware they were lending to a ghost.

We’d unsuspectingly stumbled into a hot new fraud trend. But through a network of industry professionals, research and one-on-one time with the individuals in the game, the last two years have been very enlightening.

A history lesson in credit reporting

To explain why a CPN works, you need a basic understanding of how financial institutions authorize new loans or credit and how credit bureaus operate in that process.

The U.S. government created SSNs in 1936 so it could track citizens’ benefits throughout their working lives. (See The First Social Security Number and the Lowest Number, Social Security website.)

The government didn’t intend for the private sector to use SSNs as identifiers. A paper published by the Federal Reserve Bank of Philadelphia in June 2002, An Overview and History of Credit Reporting, by Mark Furletti, recounts the modest beginnings of credit bureaus as local industry organizations that gathered any information businesses could use in specific industries.

In the 1970s, U.S. credit bureaus consolidated themselves into large national repositories of consumer information driven in part by computer database automation, the proliferation of credit cards and the passage of the U.S. Fair Credit Reporting Act, which drove market demand by banks for consumer credit information. (See A Century of Consumer Credit Reporting in America, by Robert M. Hunt, Federal Reserve Bank of Philadelphia, June 2005.) But this huge influx of consumer data and the need to differentiate one person from another meant banks and credit bureaus had to have an efficient way to assess financial risks of individuals. So, they began using unique SSNs, which every person had by this time. (Credit bureaus aren’t associated with any federal agency. They have no special access to the Social Security Administration and are solely reliant on information reported to them by their users.)

A credit profile is the file that contains all information credit bureaus have on you — from the time you were 18 years old and applied for your first credit card or from last week at age 50 when you were shopping for a home equity line of credit, and three banks made three separate inquiries into your credit.

Credit bureaus maintain records of your current credit lines, or trade lines, with your outstanding balances, your addresses and any time an institution makes an inquiry about you. Each bureau has its unique way of assessing these factors and assigning a number to your profile that end users can use to determine how risky you are to lend to.

This is where the CPN makes its entrance. Fraudsters use CPNs to game a system that’s been built over the last 50 years. I suspect legislatures will deal with them eventually, but it’s a reactive process that takes time. As of now, that time’s on the side of criminals. So, how do fraudsters create and use them?

Getting clean digits

First, a fraudster finds a nine-digit number that doesn’t have a current credit profile. This might be a future SSN that hasn’t been assigned to someone or belongs to a young child or to a deceased person who didn’t trigger a new file prior to their death. When you pay for a CPN you’re essentially paying someone to spend time “farming” you a number. They do this by running soft credit hits on random numbers through a complicit or wholly fraudulent company or using employment verification sites. The SSA reports they’ve issued around 450 million of the nearly 1 billion possible SSNs. So, as you can see, there’s no shortage of numbers to choose from. (See The Story of the Social Security Number, by Carolyn Puckett, Social Security Bulletin, Vol. 69, No. 2, 2009.)

Gaming the credit bureaus

Once a criminal has a clean number they’ll create an application using the CPN. Here’s where CPNs are different than other forms of synthetic IDs: those selling CPNs, plus experts on dark web criminal message boards, coach would-be fraudsters to use their real information (they routinely also use fictitious information, but that presents ID issues when they deal with lenders), including their real names and dates of birth. However, the criminal coach explicitly instructs them to use new phone numbers and to list addresses outside of their counties. The idea here is that they’ll have legitimate identification to back up their new financial identities, but the automated controls within the credit bureaus’ systems won’t link the two separate credit profiles because of the information differences. Next, they’ll apply for an auto loan via an online lender and be denied, but that’s all part of the show. The bank will reject them because the borrower doesn’t exist in the credit bureaus. However, the inquiry by the bank is the trigger that causes the credit bureaus to create a file. Thus, a CPN is born.

Fraudsters then will tri-merge the CPN by opting in to credit solicitations, which causes the first credit bureau to share (merge) the file with the other two major bureaus. Then the fraudsters will season the file by applying for credit cards from high-risk, high-rate lenders — who are willing to issue credit lines on thin credit files — or by obtaining secured credit cards. These are both called primary lines or primaries because the primary account holder is the CPN. They won’t be able to increase their scores or attain worthwhile credit access at this stage without showing a long credit history that grows organically, but that would take too much time.

Authorized user accounts

An authorized user is a great feature when you want to add your children to one of your accounts to help them build credit. However, as with any good thing, it’s ripe for exploitation and is the secret weapon fraudsters use to game the credit-scoring system. And it seems like banks love authorized user accounts. From a bank’s perspective, you’re taking someone deemed low risk — possibly a long-term customer — and adding additional people, which increases their charges without the bank taking on the risk of new customers.

An account holder can add their child or other designated person — sometimes as many as nine additional users — and control their access, which ensures they don’t run up the bill while the additional users enjoy the consumer’s good credit and build their own. The consumer’s account will now appear on the credit report of the authorized user, which shows they have access to that line of credit.

For example, if you have a $20,000 credit line with $18,000 of available credit and a 10-year history, your authorized user now will show the same information on their credit report, which will also have a positive effect on their score. This makes sense when performed to assist family and friends, but websites sell authorized user trade lines to total strangers. But why would someone with good credit allow someone they might not know to use their credit like this? Simply put, they’re either renting it willingly for payment, or they don’t know they have authorized users on their accounts.

Depending on the vendor, getting an authorized user trade line on an account can cost you $1,000 to $1,500 a month. Websites like businesstradelines.net will let you rent out your legitimate trade lines. The account holder has no risk — they’re simply adding someone as an authorized user who doesn’t physically have access to their account or credit card. The icing on the cake is that there’s no blowback to the account holder when the authorized user defaults on all their subsequent loans. This is because any subsequent loans taken out on the CPN have nothing to do with the trade line in the fraudster’s credit report that boosted their score and provided a false image to the lender when they made their risk decision.

Alternatively, unwitting accomplices can become victims of account takeovers without even knowing it. In the past, fraudsters used account takeovers to drain an account as quickly as possible and then moved on to the next, but it’s often much more lucrative to rent access to the victim’s good credit. Some financial institutions permit up to nine authorized users, so the fraudster can instead silently take over the account and rent a victim’s good-credit account to up to nine individuals and charge each authorized user a monthly fee for the access. The victim might never even know, and the fraudster will likely never touch any of the victim’s money as long as they can keep billing authorized users for their access.

Now, a criminal can use authorized user accounts to season CPNs long enough to increase their score and make their credit reports look legitimate before busting out, which is when the fraudster maxes out all lines of credit, pays balances with a bad check and then maxes out the line again before burning the CPN and walking away. By attaching the authorized user account to the CPN, the casual observer — plus automated scoring metrics — will view the CPN as having large amounts of available credit and long-standing credit lines, which mimic a low-risk credit file.

CPN legality

You now have a new credit profile on record at each of the three major credit bureaus with a great credit score attached to your name. Is it illegal? I’m not the authority to answer that, but purveyors of CPNs probably believe that no real crime has been committed ... yet. It’s like making a fictitious driver’s license — until I use it to identify myself or go for a drive, I’m probably not breaking any laws. I’ve yet to see what a CPN can be used for other than to commit fraud against financial institutions.

The criminal act arises when a potential borrower knowingly makes a material misstatement in the application process to a lender, which the lender uses in their decision to fund the loan. Despite their new, clean financial identity, the account holder is still the same person. By using a CPN, the account holder is depriving the lender of the chance to make an educated decision based on all the facts that, if known, could cause them to deny the loan. Secondary to the intentional misrepresentation of their SSN, we’ve found that employment and income are almost always fabricated and inflated, as well.

How do we protect ourselves from CPNs?

Education is key to identifying CPNs, and fraud examiners can look for clues when assessing credit reports. One auto dealership can identify CPNs weekly while another is oblivious — the difference is that the first dealership’s finding them because it’s looking for them.

Authorized user accounts on a CPN credit report will be the largest and oldest accounts because they use them to mimic a more mature file and don’t have the time to get those types of quality trade lines organically. The report will sometimes denote it’s an authorized user trade line with an A/ beside it, but I’ve also seen smaller credit agency reports with no obvious designation. There also will be primary accounts with low limits that have only been open three to six months. These are the largest clues.
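The clues above can be turned into a first-pass screen over a parsed credit report. The following is an added example, not code from the article or from any bureau: the `TradeLine` fields, the flag names and the `LOW_LIMIT` dollar threshold are assumptions, the sample files are constructed, and a report that omits the A/ designation would need the `authorized_user` field set by other means.

```python
from dataclasses import dataclass

# Assumed thresholds: the article says "low limits" and "three to six months"
# without a dollar figure, so LOW_LIMIT is an illustrative value to tune.
LOW_LIMIT = 1_000
YOUNG_PRIMARY_MONTHS = 6


@dataclass
class TradeLine:
    name: str
    limit: int              # credit limit in dollars
    age_months: int         # months since the account was opened
    authorized_user: bool   # True when the report marks the line "A/"


def cpn_red_flags(lines):
    """Return which of the article's credit-report clues a file exhibits."""
    au = [t for t in lines if t.authorized_user]
    primary = [t for t in lines if not t.authorized_user]
    flags = []
    if au:
        # Clue 1: authorized-user lines are the largest and oldest on file.
        if max(t.limit for t in au) > max((t.limit for t in primary), default=0):
            flags.append("largest_line_is_authorized_user")
        if max(t.age_months for t in au) > max(
            (t.age_months for t in primary), default=0
        ):
            flags.append("oldest_line_is_authorized_user")
    # Clue 2: every primary line is low-limit and only months old.
    if primary and all(
        t.limit <= LOW_LIMIT and t.age_months <= YOUNG_PRIMARY_MONTHS
        for t in primary
    ):
        flags.append("primaries_all_thin_and_new")
    return flags


# Constructed sample: a rented $20,000, 10-year line over two new thin primaries.
SEASONED_FILE = [
    TradeLine("A/ bank card", 20_000, 120, True),
    TradeLine("secured card", 300, 4, False),
    TradeLine("high-rate card", 500, 3, False),
]
# Constructed sample: an organically grown file with one family AU line.
ORGANIC_FILE = [
    TradeLine("bank card", 8_000, 96, False),
    TradeLine("store card", 2_500, 30, False),
    TradeLine("A/ parent card", 5_000, 60, True),
]

if __name__ == "__main__":
    for label, report in (("seasoned", SEASONED_FILE), ("organic", ORGANIC_FILE)):
        print(label, cpn_red_flags(report))
```

A file that raises all three flags is a candidate for the manual address, employer and identity checks, not a finding on its own.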

You also can look for signs using risk-mitigation data companies such as LexisNexis or TLO to identify addresses or search the borrower by name to find similar identities. If you don’t have access to those kinds of paid resources, a simple search on Google can do wonders. You can identify listed addresses as homes for sale on Zillow, or otherwise vacant properties used as drop houses (vacant properties where fraudsters can receive mail), and search the companies the borrower claims to work for.

Can you see it?

From my experience, it’s evident that this CPN problem is much greater than the attention it’s getting. So why are financial institutions not seeing it for the problem it is?

I believe the financial industry isn’t getting the opportunity to review these files. The red flags of a CPN bustout often look like any other uncollectible debt. No ID theft victims exist to make reports, and dealerships that deal with the fraudster have no interest in flagging the sale because it would affect their commission. Lenders are left completely in the dark until the loan is defaulted, and when the loan’s sent to the collection department, debt collectors aren’t trained to recognize this fraud. A fraud examiner won’t see it because the debt collector will write it off as bad debt and file it away once they've exhausted all attempts to contact the ghost borrower.

Moving forward

The lending process is based on two large preventative measures to protect banks from ongoing losses: Loans are secured against assets that banks have a legal mechanism with which to recover and reduce their losses, and banks can report those who don’t honor their debts. When a CPN is used, however, both of these avenues of recourse are stripped away. Assets are difficult to locate because addresses tend to be vacant properties or are of no relation to the debtor, and only a nonexistent person’s reputation is tarnished.

A long-term solution will have to come from a partnership between the credit bureaus and the SSA to validate the new credit files, on which the banks rely so heavily. In the law enforcement community we can use government records to identify the true SSN of a subject, which makes our task a bit simpler. In the financial sector, investigators and fraud examiners will have to pool their resources and use investigative skills to connect the dots and find new ways to combat this plague.

Jesse Gossman, CFE, is president and founder of Bottom Line Fraud LLC. Contact him at jgossman@bottomlinefraud.com or visit www.bottomlinefraud.com for further information.