Synthetic identity fraud — where attackers create accounts using partially real, partially fabricated identity data — is now the #1 financial fraud vector in the US. This fintech was losing $180,000 per month to it.
The fraudsters were creating accounts using real SSN fragments combined with fabricated names and DOBs. Each account passed KYC checks because the identity data technically existed in credit bureau records. Once verified, they immediately initiated ACH transfers to external accounts and disappeared.
Why Traditional KYC Failed
KYC verifies identity documents. It does not verify that the person presenting those documents is actually a human sitting at a real device. The fraudsters were operating a semi-automated pipeline — real identity data, bot-driven account creation.
Sentinel's Role
Sentinel's SDK was added to the signup flow to evaluate the device and behavioral context of each new account application. Despite the identities passing KYC, the devices failed: headless browser signatures, proxy-masked connections, and TLS fingerprints inconsistent with the claimed device types.
Outcome
Synthetic identity fraud accounts dropped 97% within two weeks of deployment. Zero legitimate users were blocked or asked for additional verification. The fintech's fraud ops team went from reviewing 400 suspicious accounts per week to under 12.
Why Synthetic Identity Fraud Beats KYC
Traditional KYC verifies that an identity exists. It does not verify that the person presenting the identity is the rightful owner, nor that a human is involved at all.
The attack pattern: take a real SSN (often from a child or elderly person whose credit isn't actively monitored), combine it with a fabricated name and DOB, and apply for accounts. Credit bureaus eventually generate a thin file for the synthetic identity, which after 6-12 months of nurturing (small loans paid on time, low credit-utilization revolving accounts) becomes indistinguishable from a real person to most lenders.
By the time the synthetic identity is mature enough to abuse, KYC is helpless. The identity has tradelines, a credit history, address history, and sometimes employment records. Document verification passes. ID-photo matching passes. Everything passes — because the identity, on paper, is real.
The Device Layer Is Where Synthetics Reveal Themselves
Synthetic identities are operated at scale, and scale leaves device fingerprints. The fintech we worked with discovered that 87% of their synthetic-identity accounts were operated from just 23 distinct physical devices — even though those accounts had 23,000 distinct names, SSNs, addresses, and DOBs.
The signals that revealed the operation:
- Headless browser signatures — most synthetic-identity ops automate signup with Puppeteer or Playwright, even when patched with stealth plugins
- Proxy-masked TCP fingerprints — TLS handshake signatures that don't match the claimed device OS
- Velocity patterns — 40-80 account applications per device per day, far above any legitimate consumer baseline
- Audio context collisions — the same AudioContext signature appearing across "different" applicants days apart
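The velocity, TLS-mismatch and audio-collision signals above can be expressed as a grouping pass over signup records. This is an added example, not Sentinel's SDK or the fintech's code; the field names, the threshold of 5 applications per device per day, and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed ceiling for a consumer device; the page reports 40-80 per day on fraud devices.
MAX_APPS_PER_DEVICE_PER_DAY = 5

def flag_signup_clusters(applications, max_per_day=MAX_APPS_PER_DEVICE_PER_DAY):
    """Map each suspicious device id or audio signature to the reasons it was flagged."""
    by_device_day = defaultdict(set)  # (device_id, day) -> applicant ids
    audio_ids = defaultdict(set)      # audio_sig -> applicant ids
    audio_days = defaultdict(set)     # audio_sig -> days on which it appeared
    flags = defaultdict(set)
    for app in applications:
        by_device_day[(app["device_id"], app["day"])].add(app["applicant_id"])
        audio_ids[app["audio_sig"]].add(app["applicant_id"])
        audio_days[app["audio_sig"]].add(app["day"])
        # tls_os is assumed to come from an upstream TLS-fingerprint lookup.
        if app["tls_os"] != app["claimed_os"]:
            flags[app["device_id"]].add("tls_os_mismatch")
    for (device_id, _day), ids in by_device_day.items():
        if len(ids) > max_per_day:
            flags[device_id].add("velocity")
    for sig, ids in audio_ids.items():
        # Same AudioContext signature, several applicants, more than one day.
        if len(ids) > 1 and len(audio_days[sig]) > 1:
            flags["audio:" + sig].add("audio_collision")
    return {key: sorted(reasons) for key, reasons in flags.items()}

def constructed_sample():
    """Constructed records: one high-velocity device, one reuse days later, one ordinary signup."""
    def rec(applicant, device, day, audio, tls_os, claimed_os):
        return {"applicant_id": applicant, "device_id": device, "day": day,
                "audio_sig": audio, "tls_os": tls_os, "claimed_os": claimed_os}
    apps = [rec(f"synth-{i}", "dev-A", "2024-01-01", "aud-1", "linux", "windows")
            for i in range(40)]
    apps.append(rec("synth-40", "dev-B", "2024-01-04", "aud-1", "macos", "macos"))
    apps.append(rec("user-1", "dev-C", "2024-01-02", "aud-9", "ios", "ios"))
    return apps

if __name__ == "__main__":
    for key, reasons in sorted(flag_signup_clusters(constructed_sample()).items()):
        print(key, reasons)
```

The audio signature links dev-A and dev-B even though dev-B shows no velocity or TLS anomaly of its own, which is how a cluster grows beyond the devices that trip a single rule.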
The Integration
The fintech added Sentinel's SDK to two endpoints: /signup and /initiate-transfer. They didn't change KYC. They didn't ask users for additional documents. They added a pre-KYC device check that blocked applications matching known synthetic-identity device clusters.
Critically, the device check produced a binary signal — either the device was associated with a known fraud cluster or it wasn't. There were no false-positive challenges to legitimate users. The fraud-ops team reviewed the cluster matches weekly and unblocked any that turned out to be coincidences (almost zero, in practice).
Numbers After 30 Days
- Synthetic-identity accounts created: down 97% (from ~620/week to ~18/week)
- Confirmed ACH fraud losses: down from $180k/month to $4.2k/month
- Legitimate signups blocked: 0 (no false-positive challenge step exists in the flow)
- Manual review queue: from 400 accounts/week to under 12
- Time-to-decision on flagged signups: from 2.3 days average to under 200ms