All posts by Mike Gross
Since the advent of the internet, our lives have changed drastically for the better. We can perform many of life’s daily activities from the comfort of our own home. According to Aite, in 2016 alone 36 million Americans made some form of mobile payment — paying a bill, purchasing something online, paying for fast food or making a mobile wallet purchase at a retailer. Simply put, the internet has made our lives easier. But with the good also comes the bad. While most consumers have moved to the digital world, so have fraudsters. With minimal risk and high reward at stake, e-commerce fraud attacks have increased dramatically over the last few years, with no signs of slowing down. We recently analyzed millions of transactions from the first half of 2017 to identify fraud attack rates based on billing and shipping addresses and broke down the findings into various geographic trends. Fraud attack rates represent the attempted fraudulent e-commerce transactions against the population of overall e-commerce orders. Consumers living out West and in the South have experienced more than their fair share of fraud. During the first half of 2017, the West and the South were the top two regions for both billing and shipping attacks. While both regions were at the top during the same time last year, the attacks themselves have increased substantially. Given the proximity to seaports and major international airports, this is somewhat unsurprising — particularly for shipping fraud — as many fraudsters will leverage reshippers to transport goods soon after delivery. .dataTb{margin:20px auto;width:100%}.dataTb:after{clear:both}.dataTb table{}.dataTb td,.dataTb th{border:1px solid #ddd;padding:.8em}.dataTb th{background:#F4F4F4}.tbL{float:left;width:49%}.tbR{float:right;width:49%;margin:0 0 0 2%} Shipping: Riskiest Regions Region Attack rate West 38.1 South 32.1 Northeast 27.0 North Central 20.7 Billing: Riskiest Regions Region Attack rate West 37.2 South 32.9 Northeast 27.3 North Central 24.0 At the state level, the top three shipping fraud states remained the same as 2016 — Delaware, Oregon and Florida — but the order changed. Oregon was the most targeted, with a fraud rate of 135.2 basis points, more than triple its rate at in the end of 2016. Though no longer in the top spot, Delaware saw alarming spikes as well, with shipping attack rates nearly triple last year’s rate at 128.6 basis points and billing attacks at 79.6 basis points. .dataTb{margin:20px auto;width:100%}.dataTb:after{clear:both}.dataTb table{}.dataTb td,.dataTb th{border:1px solid #ddd;padding:.8em}.dataTb th{background:#F4F4F4}.tbL{float:left;width:49%}.tbR{float:right;width:49%;margin:0 0 0 2%} Shipping: Riskiest States State Attack rate Oregon 135.2 Delaware 128.2 Florida 57.4 New York 45.0 Nevada 36.9 California 36.9 Georgia 33.5 Washington, D.C 30.8 Texas 29.6 Illinois 29.4 Billing: Riskiest States Region Attack rate Oregon 87.5 Delaware 79.6 Washington, D.C. 63.0 Florida 47.4 Nevada 38.8 California 36.9 Arkansas 36.6 New York 35.5 Vermont 34.2 Georgia 33.4 Diving a bit deeper, ZIPTM codes in Miami, Fla., make up a significant portion of the top 10 ZIP CodeTM lists for shipping and billing attacks — in fact, many of the same ZIP codes appear on both lists. The other ZIP Code that appears on both lists is South El Monte, Calif., which has a high percentage of industrial properties — common targets for fraudsters to ship packages, then reship overseas. You can download the top 100 riskiest Zip Codes in the U.S. for H1 2017. .dataTb{margin:20px auto;width:100%}.dataTb:after{clear:both}.dataTb table{}.dataTb td,.dataTb th{border:1px solid #ddd;padding:.8em}.dataTb th{background:#F4F4F4}.tbL{float:left;width:49%}.tbR{float:right;width:49%;margin:0 0 0 2%} Shipping: Top 10 riskiest ZIP™ Codes ZIP Code Attack rate 33122 [Miami, Fla.] 2409.4 91733 [South El Monte, Calif.] 1655.5 33198 [Miami, Fla.] 1295.2 33166 [Miami, Fla.] 1266.0 33195 [Miami, Fla.] 1037.3 33192 [Miami, Fla.] 893.9 97251 [Portland, Ore.] 890.6 07064 [Port Reading, NJ] 808.9 89423 [Minden, Nev.] 685.5 77072 [Houston, Tex.] 629.3 Billing: Top 10 riskiest ZIP™ Codes ZIP Code Attack rate 77060 [Houston, Tex.] 1337.6 33198 [Miami, Fla.] 1215.6 33122 [Miami, Fla.] 1106.2 33166 [Miami, Fla.] 1037.4 91733 [South El Monte, Calif.] 780.1 33195 [Miami, Fla.] 713.7 97252 [Portland, Ore.] 670.8 33191 [Miami, Fla.] 598.8 33708 [St. Petersburg, Fla.] 563.6 33792 [Miami, Fla.] 493.0 As e-commerce fraud continues to grow, businesses need to be proactive to keep themselves and their customers safe. That means incorporating multiple, layered fraud prevention strategies that work together seamlessly — for example, understanding details about users and their devices, knowing how users interact with the business and evaluating previous transaction history. This level of insight can help businesses distinguish real customers from nefarious ones without impacting the customer experience. While businesses are ultimately responsible for the safety of customers and their data, the onus doesn’t rest solely with them. Consumers should also be vigilant when it comes to protecting their digital identities and payment information. That means creating strong, unique passwords; actively monitoring online accounts; and using two-factor authentication to secure account access. At the end of the day, e-commerce fraud is a challenge that businesses and consumers will experience for the foreseeable future. But rising attack rates don’t have to spell doom and gloom for the industry. E-commerce growth is still extremely strong, as consumers interact through multiple channels (in-store, mobile and web) and expect a personalized experience. Establishing trust and verifying digital identities are key to meeting these latest expectations, which provide new opportunities for businesses and consumers to interact seamlessly and transact securely. With multiple safeguards in place, businesses have a variety of options to protect their customers and their brand reputation. Experian is a nonexclusive full-service provider licensee of the United States Postal Service®. The following trademarks are owned by the United States Postal Service®: ZIP and ZIP Code. The price for Experian’s services is not established, controlled or approved by the United States Postal Service.
We live in a digital world where online identities are ubiquitous. But with the internet’s inherent anonymity, how do you know you’re interacting with a legitimate individual rather than an imposter? Too often we hear stories about consumers who see unauthorized purchases on their credit cards, enable access to their devices based on an imposter claiming to be a security vendor or send money to someone they met online only to learn they’ve been “catfished” by a fraudster. These are growing problems, as more consumers transition to digital services and look to businesses to protect them, enable seamless trusted interactions and maintain their privacy. I recently chatted with MarketWatch about how consumers can protect themselves and their privacy when using online dating apps, as well as what businesses are doing to safeguard digital data. As part of the discussion, I mentioned that a simple, standard verification process companies of all sizes can leverage is vital to our rapidly evolving digital economy. Today, companies have their own policies, processes and definitions of identity verification, depending on the services they offer. This ranges from secure access requiring strong identity proofing, document verification, multifactor authentication and biometric enrollment to new social profiles that do little more than validate receipt of an email to establish an online account. To satisfy those diverse risk-based needs, more organizations are turning to federated identity verification options. A federated system allows businesses to leverage trusted, reputable, third-party sources to validate identity by cross-referencing the information they’ve received from a consumer against these sources to determine whether to establish an account or allow a transaction. While some organizations have attempted to develop similar identity verification capabilities, many lack a trusted identity source. For example, there are solutions that leverage data from social media accounts or provide multifactor fraud and authentication options, but they often become easily compromised because of the absence of verifiable data. A trusted solution aggregates data across multiple providers that have undergone thorough security and data quality vetting to ensure the identity data is accurately submitted in accordance with business and compliance requirements. In fact, there are only a handful of trusted identity sources with this level of due diligence and oversight. At Experian, we assess verification requests against an aggregate of hundreds of millions of records that include identity relationships, profile risk attributes, historical usage records and demographic data assets. With decades of knowledge about identity management and fraud prevention, we help companies of all sizes balance risk mitigation and maintain compliance requirements — all while ensuring consumer data privacy. Trust takes years to build and mere seconds to lose, and the industry has made undeniable progress in security. But there is much left to do. Consumers are increasingly involved in the protection and use of their data. However, they often don’t realize downloading a hot new app and entering personal details or linking to their friends exposes them to unnecessary risk. It’s important for businesses to be clear about their identity verification processes so consumers can make educated decisions before electing to provide invaluable identity data. The most effective fraud prevention and identity strategy is one that quickly establishes trust without inconveniencing the consumer. By staying up to date on verification methods, businesses can ensure customers have a smooth, personalized and engaging online experience.
Last week we had the pleasure of joining more than 400 clients at the 35th annual Vision Conference — connecting business leaders to ideas and solutions. Over the next few weeks, we’ll be sharing some insights from our fraud and identity dedicated session track. I had the pleasure of presenting alongside the U.S. Secret Service, and we had a packed session to discuss the Dark Web — what it is, how it’s accessed, how criminals are exploiting it to commit fraud and the human impact of the massive global cybercrime problem. According to McAfee®, cybercrime represents a $500 billion cost to the global economy — and that’s projected to rise to $600 billion this year, outpacing any other form of crime. With the Internet economy generating between $2 trillion and $3 trillion annually, that means cybercrime is extracting roughly 15 to 20 percent of the entire value created by the Internet. This is a massive problem, and it’s not going away. Unfortunately, there are countless tools and services to commit fraud available on the Web, providing attackers with the cloak of anonymity they need to compromise accounts, mimic legitimate users and submit fraudulent transactions. Device intelligence helps unmask these activities. It is a critical component to defend against the threat, and it provides insight into every interaction throughout a typical customer journey (from account setup to login and account maintenance to transactions). Without this visibility into users’ historical behavior and typical population patterns, organizations often have limited options to target attackers and identify anomalous behaviors. This is key to a successful cybercrime detection and mitigation strategy. Another important point in the session regarded recent law enforcement and private industry successes in identifying, tracking, apprehending and prosecuting online attackers. We thankfully have made significant strides in this area, as evidenced by the work of the Secret Service and other law enforcement organizations, but the collaboration must continue — and intensify. As mentioned in a CNBC story published on the same day as our presentation, the Dark Web is an increasingly mainstream source for everything from financial crime to drug trade and human trafficking. Unfortunately, most businesses are in the dark about the growing criminal underground, but Experian can help. With proper fraud expertise and innovative tools to defend against these ever-evolving threats, organizations can uncloak the attackers and safeguard the business.
False declines are often unwarranted and occur due to lack of customer information Have you ever been shopping online, excited to get your hands on the latest tech gadget, only to be hit with the all-too-common disappointment of a credit card decline? Whom did you blame? The merchant? The issuer? The card associations? The answer is probably all of the above. False declines like the situation described above provoke an onslaught of consumer emotions ranging from shock and dismay to frustration and anger. Of course, consumers aren’t the only ones negatively impacted by false declines. Many times card issuers lose their coveted “top of wallet” position and/or retailers lose revenue when customers abandon the purchase altogether. False declines are unpleasant for everyone, yet consumers struggle with this problem every day — and fraud controls are only getting tighter. How does the industry mutually resolve this growing issue? The first step is to understand why it occurs. Most false declines happen when the merchant or issuer mistakenly declines a legitimate transaction due to perceived high risk. This misperception is usually the result of the merchant or issuer not having enough information to verify the authenticity of the cardholder confidently. For example, the consumer may be a first-time customer or the purchase may be a departure from the card holder’s normal pattern of transaction activity. Research shows that lack of a holistic view and no cross-industry transaction visibility result in approximately $40 billion of e-commerce declines annually. Think about this for a minute — $40 billion in preventable lost revenue due to lack of information. Merchants’ customer information is often limited to their first-hand information and experience with consumers. To solve this growing problem, Experian® developed TrustInsight™, a real-time engine to establish trusted online relationships over time among consumers, merchants and issuers. It works by anonymously leveraging transactional information that merchants and financial institutions already have about consumers to create a crowd-sourced TrustScore™. This score allows first-time online customers to get a VIP experience rather than a brand-damaging decline. Another common challenge for merchants is measuring the scope of the false declines problem. Proactively contacting consumers, directly capturing feedback and quickly verifying transaction details to recoup potential lost sales are best practices, but merchants are often in the dark as to how many good customers are being turned away. The solution — often involving substantial operational expense — is to hold higher-risk orders for manual review rather than outright declining them. With average industry review rates nearing 30 percent of all online orders (according to the latest CyberSource Annual Fraud Benchmark Report: A Balancing Act), this growing level of review is not sustainable. This is where industry collaboration via TrustInsight™ offers such compelling value. TrustInsight can reduce the review population significantly by leveraging consumers’ transactions across the network to establish trust between individuals and their devices to automate more approvals. Thankfully, the industry is taking note. There is a groundswell of focus on the issue of false declines and their impact on good customers. Traditional, operations-heavy approaches are no longer sufficient. A trust-based industry-consortium approach is essential to enhance visibility, recognize consumers and their devices holistically, and ensure that consumers are impacted only when a real threat is present.
Device emulators — wolves in sheep’s clothing Despite all the fraud prevention systems and resources in the public and private sectors, online fraud continues to grow at an alarming rate, offering a low-risk, high-reward proposition for fraudsters. Unfortunately, the Web houses a number of easily accessible tools that criminals can use to perpetrate fraud and avoid detection. The device emulator is one of these tools. Simply put, a device emulator is one device that pretends to be another. What began as innovative technology to enable easy site testing for Web developers quickly evolved into a universally available tool that attackers can exploit to wreak havoc across all industry verticals. While it’s not new technology, there has been a significant increase in its use by criminals to deceive simple device identification and automated risk-management solutions to carry out fraudulent activities. Suspected device emulation (or spoofing) traffic historically has been difficult to identify because fraud solutions rely heavily on reputation databases or negative lists. Detecting and defeating these criminals in sheep’s clothing is possible, however. Leveraging Experian’s collective fraud intelligence and data modeling expertise, our fraud research team has isolated several device attributes that can identify the presence of an emulator being used to submit multiple transactions. Thanks to these latest FraudNet rule sets, financial institutions, ecommerce merchants, airlines, insurers and government entities alike now can uncloak and protect against many of these cybercriminals. Unfortunately, device emulators are just one of many tools available to criminals on the Dark Web. Join me at Vision 2016, where U.S. Secret Service and I will share more tales from the Dark Web. We will explore the scale of the global cybercrime problem, walk through the anatomy of a typical hack, explain how hackers exploit browser plug-ins, and describe how enhanced device intelligence and visibility across all channels can stop fraudsters in their tracks. Listen to Mike Gross as he shares a short overview of his Vision 2016 breakout session in this short video. Don’t miss this innovative Vision 2016 session! See you there.
Your password is weak, whether you use 40 random characters or your dog’s name. With so many large data breaches leading to hundreds of millions of compromised credentials and payment cards in the past two years, it\'s no surprise that e-commerce account takeover attempts have grown dramatically in recent months – to a degree we have never seen before. Previously, account takeover was primarily a banking issue, not something merchants had to deal with. Account takeover fraud is an alarming trend that spans global airline loyalty programs, e-commerce transactions, social networking logins and virtually any web site leveraging username and password authentication. News of the latest cybersecurity concern should serve as yet another reminder that we live in a heightened state of risk where establishing online trust based solely on username and password or identity data is not sufficient. There are a number of factors that are contributing to the evolving fraud landscape namely that the Internet was not designed for security. This places pressure on organizations to continually adopt new approaches to managing fraud like this growing account takeover threat. In this case, multiple layered controls including device intelligence are essential. As merchants extend more services online and allow customers to store payment information or get more convenient checkout via logged in vs. guest access, we\'ll continue to see fraud migrating deeper into the e-commerce ecosystem. The account takeover problem will continue as consumers share usernames and passwords across dozens of online profiles and e-commerce logins, opening the door for attackers to access multiple accounts through a single compromised credential. Most of the account portals used by e-commerce merchants and loyalty programs were not built with the same level of security that their online transaction and fraud management systems have in place. So it\'s a bit of a new risk, but fraudsters are aggressively exploiting the security gaps around things like simple username/password authentication. What can consumers and organizations do to protect themselves? Our recommendation for consumers is that they have unique username and password combinations for every online profile. This protects against attackers compromising one site and leveraging the same credentials to access all of the victim\'s accounts and online profiles across the web. For businesses, we recommend implementing technology solutions that increase visibility to and recognition of devices for every online interaction so the organization can differentiate attackers from legitimate consumers. Some businesses believe that their products, services and loyalty offerings do not require the same level of protection as online bank accounts, so they leave them exposed to cyber criminals via simple authentication controls. As we’ve seen fraudsters will migrate to the path of least resistance and exploit the fact that most consumers re-use credentials out of convenience. In the digital age where consumers are increasingly represented by their devices the ability to know when there are authentication discrepancies between the data presented by the user and the device presenting those credentials is absolutely important to effectively controlling the threat. The authentication process will shift from a single view to a layered, risk-based authentication approach that will include comprehensive and real-time updates of consumer information. Conversations around the fact that the password is dead or dying have been circulating in the industry recently. What we don’t want is consumers getting tired of constantly changing passwords and giving up trying to protect themselves online. That is the worst case scenario that is becoming more of a reality as the days pass. Educated and aware consumers are still the best way to identify fraudulent attacks, and to keep identity data safe from hackers and devices free of malware. Increased adoption of biometrics, device intelligence and the sharing of authenticated and credentialed identities across industries will become commonplace to help combat account takeovers as they increase. Until then we need to find a password replacement. Learn more about 41st Parameter: https://www.experian.com/decision-analytics/41st-parameter.html?INTCMP=DA_Blog_Post072414 Related: The World Cup of Fraud
Your password is weak, whether you use 40 random characters or your dog’s name. With so many large data breaches leading to hundreds of millions of compromised credentials and payment cards in the past two years, it’s no surprise that e-commerce account takeover attempts have grown dramatically in recent months – to a degree we have never seen before. Previously, account takeover was primarily a banking issue, not something merchants had to deal with. Account takeover is an alarming trend that spans global airline loyalty programs, e-commerce transactions, social networking logins and virtually any web site leveraging username and password authentication. News of the latest cybersecurity concern should serve as yet another reminder that we live in a heightened state of risk where establishing online trust based solely on username and password or identity data is not sufficient. There are a number of factors that are contributing to the evolving fraud landscape namely that the Internet was not designed for security. This places pressure on organizations to continually adopt new approaches to managing fraud like this growing account takeover threat. In this case, multiple layered controls including device intelligence are essential. As merchants extend more services online and allow customers to store payment information or get more convenient checkout via logged in vs. guest access, we’ll continue to see fraud migrating deeper into the e-commerce ecosystem. The account takeover problem will continue as consumers share usernames and passwords across dozens of online profiles and e-commerce logins, opening the door for attackers to access multiple accounts through a single compromised credential. Most of the account portals used by e-commerce merchants and loyalty programs were not built with the same level of security that their online transaction and fraud management systems have in place. So it’s a bit of a new risk, but fraudsters are aggressively exploiting the security gaps around things like simple username/password authentication. What can consumers and organizations do to protect themselves? Our recommendation for consumers is that they have unique username and password combinations for every online profile. This protects against attackers compromising one site and leveraging the same credentials to access all of the victim’s accounts and online profiles across the web. For businesses, we recommend implementing technology solutions that increase visibility to and recognition of devices for every online interaction so the organization can differentiate attackers from legitimate consumers. Some businesses believe that their products, services and loyalty offerings do not require the same level of protection as online bank accounts, so they leave them exposed to cyber criminals via simple authentication controls. As we’ve seen fraudsters will migrate to the path of least resistance and exploit the fact that most consumers re-use credentials out of convenience. In the digital age where consumers are increasingly represented by their devices the ability to know when there are authentication discrepancies between the data presented by the user and the device presenting those credentials is absolutely important to effectively controlling the threat. The authentication process will shift from a single view to a layered, risk-based authentication approach that will include comprehensive and real-time updates of consumer information. Conversations around the fact that the password is dead or dying have been circulating in the industry recently. What we don’t want is consumers getting tired of constantly changing passwords and giving up trying to protect themselves online. That is the worst case scenario that is becoming more of a reality as the days pass. Educated and aware consumers are still the best way to identify fraudulent attacks, and to keep identity data safe from hackers and devices free of malware. Increased adoption of biometrics, device intelligence and the sharing of authenticated and credentialed identities across industries will become commonplace to help combat account takeovers as they increase. Until then we need to find a password replacement. Learn more about 41st Parameter fraud detection and prevention solutions here.
Your password is weak, whether you use 40 random characters or your dog’s name. With so many large data breaches leading to hundreds of millions of compromised credentials and payment cards in the past two years, it’s no surprise that e-commerce account takeover attempts have grown dramatically in recent months – to a degree we have never seen before. Previously, account takeover was primarily a banking issue, not something merchants had to deal with. Account takeover is an alarming trend that spans global airline loyalty programs, e-commerce transactions, social networking logins and virtually any web site leveraging username and password authentication. News of the latest cybersecurity concern should serve as yet another reminder that we live in a heightened state of risk where establishing online trust based solely on username and password or identity data is not sufficient. There are a number of factors that are contributing to the evolving fraud landscape namely that the Internet was not designed for security. This places pressure on organizations to continually adopt new approaches to managing fraud like this growing account takeover threat. In this case, multiple layered controls including device intelligence are essential. As merchants extend more services online and allow customers to store payment information or get more convenient checkout via logged in vs. guest access, we’ll continue to see fraud migrating deeper into the e-commerce ecosystem. The account takeover problem will continue as consumers share usernames and passwords across dozens of online profiles and e-commerce logins, opening the door for attackers to access multiple accounts through a single compromised credential. Most of the account portals used by e-commerce merchants and loyalty programs were not built with the same level of security that their online transaction and fraud management systems have in place. So it’s a bit of a new risk, but fraudsters are aggressively exploiting the security gaps around things like simple username/password authentication. What can consumers and organizations do to protect themselves? Our recommendation for consumers is that they have unique username and password combinations for every online profile. This protects against attackers compromising one site and leveraging the same credentials to access all of the victim’s accounts and online profiles across the web. For businesses, we recommend implementing technology solutions that increase visibility to and recognition of devices for every online interaction so the organization can differentiate attackers from legitimate consumers. Some businesses believe that their products, services and loyalty offerings do not require the same level of protection as online bank accounts, so they leave them exposed to cyber criminals via simple authentication controls. As we’ve seen fraudsters will migrate to the path of least resistance and exploit the fact that most consumers re-use credentials out of convenience. In the digital age where consumers are increasingly represented by their devices the ability to know when there are authentication discrepancies between the data presented by the user and the device presenting those credentials is absolutely important to effectively controlling the threat. The authentication process will shift from a single view to a layered, risk-based authentication approach that will include comprehensive and real-time updates of consumer information. Conversations around the fact that the password is dead or dying have been circulating in the industry recently. What we don’t want is consumers getting tired of constantly changing passwords and giving up trying to protect themselves online. That is the worst case scenario that is becoming more of a reality as the days pass. Educated and aware consumers are still the best way to identify fraudulent attacks, and to keep identity data safe from hackers and devices free of malware. Increased adoption of biometrics, device intelligence and the sharing of authenticated and credentialed identities across industries will become commonplace to help combat account takeovers as they increase. Until then we need to find a password replacement. Learn more about 41st Parameter fraud detection and prevention solutions here.
As we prepare to attend next week’s FS-ISAC & BITS Summit we know that the financial services industry is abuzz about massive losses from the ever-evolving attack vectors including DDoS, Malware, Data Breaches, Synthetic Identities, etc. Specifically, the recent $200 million (and counting) in losses tied to a sophisticated card fraud scheme involving thousands of fraudulent applications submitted over several years using synthetic identities. While the massive scale and effectiveness of the attack seems to suggest a novel approach or gap in existing fraud prevention controls, the fact of the matter is that many of the perpetrators could have been detected at account opening, long before they had an opportunity to cause financial losses. Synthetic identities have been a headache for financial institutions for years, but only recently have criminal rings begun to exploit this attack vector at such a large scale. The greatest challenge with synthetic identities is that traditional account opening processes focus on identity verification compliance around the USA PATRIOT Act and FACT Act Red Flags guidance, risk management using credit bureau scores, and fraud detection using known fraudulent data points. A synthetic identity ring simply sidesteps those controls by using new false identities created with data that could be legitimate, have no established credit history, or slightly manipulate elements of data from individuals with excellent credit scores. The goal is to avoid detection by “blending in” with the thousands of credit card, bank account, and loan applications submitted each day where individuals do not have a credit history, where minor typos cause identity verification false positives, or where addresses and other personal data does not align with credit reports. Small business accounts are an even easier target, as third-party data sources to verify their authenticity are sparse even though the financial stakes are higher with large lines of credit, multiple signors, and complex (sometimes international) transactions. Detecting these tactics is nearly impossible in a channel where anonymity is king — and many rings have become experts on gaming the system, especially as institutions continue to migrate the bulk of their originations to the online channel and the account opening process becomes increasingly faceless. While the solutions described above play a critical role in meeting compliance and risk management objectives, they unfortunately often fall short when it comes to detecting synthetic identities. Identity verification vendors were quick to point the finger at lapses in financial institutions’ internal and third-party behavioral and transactional monitoring solutions when the recent $200 million attack hit the headlines, but these same providers’ failure to deploy device intelligence alongside traditional controls likely led to the fraudulent accounts being opened in the first place. With synthetic identities, elements of legitimate creditworthy consumers are often paired with other invalid or fictitious applicant data so fraud investigators cannot rely on simply verifying data against a credit report or public data source. In many cases, the device used to submit an application may be the only common element used to link and identify other seemingly unrelated applications. Several financial institutions have already demonstrated success at leveraging device intelligence along with a powerful risk engine and integrated link analysis tools to pinpoint these complex attacks. In fact, one example alone spanned hundreds of applications and represented millions of dollars in fraud saves at a top bank. The recent synthetic ring comprising over 7,000 false identities and 25,000 fraudulent cards may be an extreme example of the potential scope of this problem; however, the attack vector will only continue to grow until device intelligence becomes an integrated component of all online account opening decisions across the industry. Even though most institutions are satisfying Red Flags guidance, organizations failing to institute advanced account opening controls such as complex device intelligence can expect to see more attacks and will likely struggle with higher monetary losses from accounts that never should have been booked.
Learn More Image
