Evolution of Identity Fraud
Financial institutions (FIs) have been battling identity fraud for decades. According to Javelin Strategy & Research, $16 billion were stolen from 12.7 million identity fraud victims in 2014 alone. Fraudsters are constantly developing new, sophisticated ways to carry out their crimes. Therefore, combating fraud can be compared to a balloon that gets squeezed. The spot that’s being squeezed shrinks, but the air (fraud) doesn’t diminish, it’s simply pushed to a different part of the balloon (a new channel). Combine the evolution of fraud with the digital environment, where customer verification can be challenging, and banks have a massive problem. The question then becomes, how do FIs pop the fraud balloon.
Defining Identity Fraud
Identity theft and identity fraud are terms used to refer to all types of crimes in which a criminal wrongfully obtains and uses another person’s personal data. The use of the data involves fraud and deception for economic gain. Combating identity fraud starts with understanding its various types.
- Identity theft – illegal use of a social security number, name, date of birth, or a combination thereof. The victim has their identity taken and the fraudster uses his or her own address, phone number, or email to receive goods.
- Identity manipulation – systematic variations around personally identifiable information (PII) meaning slight alterations in the date of birth, social security number, or address.
- Synthetic identity – any combination of a fabricated social security number, name, date of birth, address, or phone number resulting in an artificial identity with no particular person behind it.
The fraudster will use the stolen identity to “bust out” a credit line through a combination of cash advances, balance transfers, and buying fence-able goods with no intention of paying the credit off. For the FI, many of the losses associated with fraud are written off as credit losses, not as fraud losses because there’s no individual victim. This might cause the impact of fraud to be underestimated or even make the credit loss seem greater. Banks that devote concerted attention to recognizing and preventing fraud stand to realize improved margins and healthier balance sheets.
Popping the Balloon
FIs need to efficiently balance their security measures with the desired customer experience, cost of preventing fraud, and actual losses. According to a Ponemon consumer survey, 63% of respondents believe organizations should be obligated to provide identity theft protection. Consumers expect their banks to protect them from identity fraud; however, if the bank took every measure to curb fraud they would certainly provide a horrible customer experience. Here are nine ways to minimize fraud that don’t have a negative impact on delivering a great customer experience:
- Utilizing an algorithm when an application for credit is presented to aid in determining whether or not the combination of PII has been used before.
- Checking non-bureau data sources during the application process to determine whether the SSN or combination of name and date of birth has a valid history. Doing this first and not going directly to pulling data from the credit bureaus means there will be no hard inquiry created for the false credentials.
- Utilizing RSA tokens to enable two-factor authentication technology. When users attempt to access a resource, they are prompted for a unique passcode. The passcode is a combination of the user’s PIN and the code that is displayed on the authenticator token at the time of log in.
- Implementing biometric identity schemes that require a customer to produce a fingerprint or retina for identification during the account opening process.
- Including mobile device identification with biometrics, such as facial recognition. For a fraudster to successfully impersonate a consumer they would not only have to steal the consumer’s mobile device, but the victim’s face (while this is said in jest, facial recognition technology watches the eye region of an image and looks for the user to blink which rules out the use of a static photo).
- Using out-of-band authentication such as a phone call or text to the phone number on record.
- Looking for anomalies such as a high FICO score compared to a short length of history on file.
- Monitoring the velocity of line increase requests, etc. as this may allow for identifying credit at risk of a “bust out.”
- Providing customers with the option to receive notifications of suspicious activity. These notifications are based on personal preferences such as email or text message.
Consumers and FIs alike must stay on guard as fraudsters will always be looking for any loophole to exploit for their illicit gain.
Many Needles to Pop the Balloon
Popping the fraud balloon is a complex problem that requires collaboration between several parties—Social Security Administration (SSA), consumer, retailer, lender. A social security number is one piece of data that clearly defines the identity of a person. It is needed to get through banks’ Know Your Customer (KYC) rules to open accounts; however, KYC does not mean the bank truly knows their customer. It means the FI has been through a process that makes it “likely” the person is who they say they are and since it is a risk-based process, it’s not definitive. Given that banks have fewer tools to know if an SSN is legitimate, it might be beneficial for the SSA to improve the cost and availability of its ID number lookup service.
Consumers can help minimize fraud by actively monitoring their identities and accounts. This includes being on the lookout for mail that is sent to your home with someone else’s name on it, reviewing credit reports regularly, and developing habits such as locking your cell phone and using strong passwords. Retailers need to boost security and start thinking proactively to be ready to handle a breach. Lenders should increase their fraud filters as appropriate during the account opening and lending process while balancing the customer experience. There is not a one-size-fits-all defense against fraudsters. It is going to take many vigilant needles to pop the fraud balloon.