Cont. Understanding Gift Card Fraud By: Angie Montoya In part one, we spoke about what an amazing deal gift cards (GCs) are, and why they are incredibly popular among consumers. Today we are going to dive deeper and see why fraudsters love gift cards and how they are taking advantage of them. We previously mentioned that it’s unlikely a fraudster is the actual person that redeems a gift card for merchandise. Although it is true that some fraudsters may occasionally enjoy a latte or new pair of shoes on us, it is much more lucrative for them to turn these forms of currency into cold hard cash. Doing this also shifts the risk onto an unsuspecting victim and off of the fraudster. For the record, it’s also incredibly easy to do. All of the innovation that was used to help streamline the customer experience has also helped to streamline the fraudster experience. The websites that are used to trade unredeemed cards for other cards or cash are the same websites used by fraudsters. Although there are some protections for the customer on the trading sites, the website host is usually left holding the bag when they have paid out for a GC that has been revoked because it was purchased with stolen credit card information. Others sites, like Craigslist and social media yard sale groups, do not offer any sort of consumer protection, so there is no recourse for the purchaser. What seems like a great deal— buying a GC at a discounted rate— could turn out to be a devalued Gift card with no balance, because the merchant caught on to the original scheme. There are ten states in the US that have passed laws surrounding the cashing out of gift cards. * These laws enable consumers to go to a physical store location and receive, in cash, the remaining balance of a gift card. Most states impose a limit of $5, but California has decided to be a little more generous and extend that limit to $10. As a consumer, it’s a great benefit to be able to receive the small remaining balance in cash, a balance that you will likely forget about and might never use, and the laws were passed with this in mind. Unfortunately, fraudsters have zeroed in on this benefit and are fully taking advantage of it. We have seen a host of merchants experiencing a problem with fraudulently obtained GCs being cashed out in California locations, specifically because they have a higher threshold. While five dollars here and ten dollars there does not seem like it is very much, it adds up when you realize that this could be someone’s full time job. Cashing out three ten dollar cards would take on average 15 minutes. Over the course of a 40-hour workweek it can turn into a six-figure salary. At this point, you might be asking yourself how fraudsters obtain these GCs in the first place. That part is also fairly easy. User credentials and account information is widely available for purchase in underground forums, due in part to the recent increase in large-scale data breaches. Once these credentials have been obtained, they can do one of several things: Put card data onto a dummy card and use it in a physical store Use credit card data to purchase on any website Use existing credentials to log in to a site and purchase with stored payment information Use existing credentials to log in to an app and trigger auto-reloading of accounts, then transfer to a GC With all of these daunting threats, what can a merchant do to protect their business? First, you want to make sure your online business is screening for both the purchase and redemption of gift cards, both electronic and physical. When you screen for the purchase of GCs, you want to look for things like the quantity of cards purchased, the velocity of orders going to a specific shipping address or email, and velocity of devices being used to place multiple orders. You also want to monitor the redemption of loyalty rewards, and any traffic that goes into these accounts. Loyalty fraud is a newer type of fraud that has exploded because these channels are not normally monitored for fraud— there is no actual financial loss, so priority has been placed elsewhere in the business. However, loyalty points can be redeemed for gift cards, or sold on the black market, and the downstream affect is that it can inconvenience your customer and harm your brand’s image. Additionally, if you offer physical GCs, you want to have a scratch off PIN on the back of the card. If a GC is offered with no PIN, fraudsters can walk into a store, take a picture of the different card numbers, and then redeem online once the cards have been activated. Fraudsters will also tumble card numbers once they have figured out the numerical sequence of the cards. Using a PIN prevents both of these problems. The use of GCs is going to continue to increase in the coming years— this is no surprise. Mobile will continue to be incorporated with these offerings, and answering security challenges will be paramount to their success. Although we are in the age of the data breach, there is no reason that the experience of purchasing or redeeming a gift card should be hampered by overly cautious fraud checks. It’s possible to strike the right balance— grow your business securely by implementing a fraud solution that is fraud minded AND customer centric. *The use of GC/eGC is used interchangeably
Gift card fraud Gift cards have risen in popularity over the last few years— National Retail Federation anticipated more than $31B in gift card sales during the 2014 holiday season alone. Gift cards are the most requested gift item, and they have been for eight years in a row. Total gift card sales for 2014 were anticipated to top $100 Billion. Gift cards are a practical gift – the purchaser can let the recipient pick exactly what they want, eliminating the worry of picking something that doesn’t fit right, that is a duplicate, or something that the recipient just might not want. They are also incredibly convenient, quick, and easy to purchase. The stigma behind gift cards is starting to fade, and it no longer seems as though they are an impersonal gifting option. Additionally, the type of gift cards available has expanded greatly in the last few years. If you are of the procrastinating nature, there are eGift Cards or eCertificates, which can be emailed in a matter of minutes to the recipient. If you are truly unsure what to purchase altogether, you can give an open-loop card, which are usually branded by Visa, MasterCard, and American Express, and can be used anywhere their logo appears. It also seems like a quick win for merchants to carry gift cards. The overhead cost to store them is extremely low because a small box of gift cards takes up very little space. When customers come in to redeem their GC, they usually spend more than the original value of the card itself, thus allowing for additional revenue capture. Something else that merchants have started doing in this big data world we live in is tying gift cards to consumer loyalty programs. Reloadable cards are now linked to a specific customer, who can also tie their credit card to the account, which is automatically charged once their account is below a pre-defined threshold. These new consumer loyalty accounts can be used to track spending history, tailor offers to the specific customer, and continue to expand on the immersive brand experience. Recently, a certain Mexican-themed fast food establishment launched their new mobile app; in the app, you could pre-order food, send and redeem eGCs, and find the nearest location. I don’t even eat at this establishment, but the innovation of their app was so enticing that I installed it the morning it came out, purchased an eGC for my husband, and pre-ordered breakfast. It was extremely easy and convenient, and I got a free taco! Now they have my soul. Okay, maybe not my soul, but they have my credit card data, purchasing preferences, device information, and location, which is almost the same thing at this point. After the experience I found myself asking why other merchants haven’t already done this or why it hasn’t taken off yet. This is a great example of how gift cards and emerging technology are being used as a marketing tool to entice consumers to build up a customer base. In the rare instance that a gift recipient does not actually find value in their gift card (the horror!) there’s a multitude of options for trading them in or redeeming for cash. Some well-known websites for trade-in are Giftcard Granny, Card Hub, and raise.com; it’s also incredibly common to find discounted GCs for sale on eBay, Craigslist, and Facebook groups. A couple familiar names that have recently entered into the mix are Wal-Mart and CoinStar. You can now exchange your physical gift card for cash at a specific CoinStar machines, and if you don’t feel like leaving your home, you can exchange your card online with Wal-Mart, and they will provide you with a Wal-Mart gift card that can be redeemed online or in stores. It’s such common practice that you can find articles on this topic on local, national, and 24-hour news websites. This tremendous revenue booster does not come free of risk, however. We know that fraudsters are clever and opportunistic. They will penetrate every weakness possible and take advantage of programs that are being used to enhance the consumer experience. But are they really stealing all these gift cards for personal gain and taking all of their friends out to their favorite local coffee shop for free drinks? Stay tuned for the second part of this blog that talks more about the fraud risks associated with gift cards and what you can do to mitigate them. Please note: *The use of GC/eGC is used interchangeably.
The evolution of identity verification Knowing who you are doing business with isn’t just a sound business practice to protect your bottom line. In many cases, it also is a legal requirement. Identity verification techniques have been evolving over the past few years to meet business priorities beyond fraud prevention, including customer experience, operational costs and regulatory compliance. We recently wrote about the challenges of customer authentication on mobile devices to meeting new business priorities. Fraud prevention tools have responded to these shifting priorities. While extremely fast and very accurate at detecting fraud, they also: Are less invasive to customers Provide a strong return on investment Ensure consistency in compliance and audit Listen to what Matt Ehrlich, Experian fraud and identity director of product management, has to say about how verification techniques have changed: Download our fraud prevention perspective paper to gain more insight on how you can prepare your business.
The news of the latest breach last week reported that tens of millions of customer and employee records were stolen by a sophisticated hacker incursion. The data lost is reported to include names, birth dates, Social Security numbers, and addresses. The nature of the stolen data has the potential to create long-term headaches for the organization and tens of millions of individuals. Unlike a retailer or financial breach, where stolen payment cards can be deactivated and new ones issued, the theft of permanent identity information is, well, not easily corrected. You can’t simply reissue Social Security numbers, birth dates, names and addresses. What’s more, the data likely includes identity data on millions of dependent minors, who are prime targets for identity thieves and whose credit goes frequently unmonitored. According to the Identity Theft Resource Center’s 2014 Data Breach Report, a record 783 breaches, representing 85 million records, occurred from January through September 2014 alone. The breaches have ranged across virtually every industry segment and data type. So where does all this breached data go? It goes into the massive, global underground marketplace for stolen data, where it’s bought and sold, and then used by cybercriminals and fraudsters to defraud organizations and individuals. Like any market, supply and demand determines price, and the massive quantity of recent breaches has made stolen identities more affordable to more fraudsters, exacerbating the overall problem. In fact, stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company. The big question: So what now? The answer: Assume that all data has been breached, and act accordingly. Such a statement sounds a bit trivial, but it’s a significant paradigm shift. It’s a clear-headed recognition of the implications of the ongoing, escalating covert war between cybercriminals and fraudsters, on one side, and organizations and consumers on the other. For individuals, we need to internalize this fact: our data has likely been breached, and we need to become vigilant and defend ourselves. Sign up for a credit monitoring service that covers all three credit bureaus to be alerted if your data or ID is being used in ways that indicate fraud. Include your children, as well. A child’s identity is far more valuable to a fraudster as they know it can be several years before their stolen identity is detected. Many parents do not check their child’s credit regularly, if at all. For organizations, it’s a war on two fronts: data protection and fraud prevention. And the stakes are huge, bigger than many of us recognize. We’re not just fighting to prevent financial theft, we’re fighting to preserve trust — trust between organizations and consumers, at the first level, and ultimately widespread consumer trust in the institutions of finance, commerce, and government. We must collectively strive to win the war on data protection, no doubt, and prevent future data breaches. But what breaches illustrate is that, when fundamental identity data is breached, a terrible burden is placed on the second line of defense — fraud prevention. Simply put, organizations must continually evolve their fraud prevention control and skills, and minimize the damage caused by stolen identity data. And we must do it in ways that reinforce the trust between consumers and organizations, enhance the customer experience, and frustrate the criminals. At 41st Parameter, we are at the front lines of fraud prevention every day, and what we see are risks throughout the ecosystem. Account opening is a particular vulnerability, as consumer identity data obtained in the underground will undoubtedly be used to open lines of credit, submit fraudulent tax returns, etc. unbeknownst to the consumer. Since so much data has been breached, many of these new accounts will look “clean,” presenting a major challenge for traditional identity-based fraud and compliance solutions. But it’s more than new accounts — account takeover, transactions, loyalty, every stage is in jeopardy now that so much identity data is on the loose. Even the call center is vulnerable, as the very basis for caller authentication often relies on components of identity. At 41st Parameter and Experian Fraud & Identity solutions, we advocate a comprehensive layered approach that leverages multiple solutions such as FraudNet, Precise ID, KIQ, and credit data to protect all aspects of the customer journey while ensuring a seamless, positive user experience across channels and lines of business. Read our fraud perspective paper to learn more. Now is the time to take action. http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924
In a recent webinar, we addressed how both the growing diversity of technology used for online transactions and the many different types of access can make authentication complicated. Technology is ever-changing and is continually reshaping the way we live. This leaves our industry to question how device intelligence factors into both the problem and solution surrounding diverse technologies in the online transaction space. Industry experts Cherian Abraham from the Experian Decision Analytics team and David Britton from 41st Parameter, a part of Experian, weighed in on the discussion. Putting It All Into Context Britton harkened back to a simpler time of authentication practices. In the early days of the web, user names and passwords were the only tools people had to authenticate online identities. Eventually, this led organizations to begin streamlining the process. “They did things like using cookies or placing files onto a computer so that the computer would be “known” to the business,” said Britton. However, those original methods are now struggling to fit into the modern-day authentication puzzle. “The challenge has been that for both privacy reasons and for the advancements of technology we have actually moved to a more privacy-centric environment where those types of things have fallen away in terms of their efficacy. For example, cookies are often easily deleted by simply browsing incognito. So as a result there’s been a counter move approach to how to authenticate online,” said Britton. New Technology – A Quick Fix? Don’t be fooled. Newer technologies cannot necessarily provide an easy alternative and incorporate older authentication methods. Britton referenced how the advent of mobile has actually made recognizing the consumer behind the device, the behavior of the machine and the data that the consumer is presenting even more complex. Additionally, rudimentary methods of authentication don’t actually exist well in the mobile environment. On the other hand, newer technologies and the mobile environment force a more layered approach to authentication methods. “There is a better way and the better way is to look at a variety of other inspirations beyond user names and passwords before vindicating the customer. This is all the more evident when you get to newer channels such as mobile where consumer expectations are so different and you cannot rely on the customer having to answer a long stream of characters and letters such as a user name or a password,” said Abraham. Britton weighed in as well on device intelligence and the layered approach. “Our whole philosophy around this has been that if you can recognize aspects of the device in the form of device intelligence – we’re able to actually leverage that information without crossing the boundaries of good privacy management. Furthermore, we are then able to say we recognize the attributes of the device and can recognize the device as that person is attempting to come back into an environment,” said Britton. He emphasized how being able to help companies understand who might be on the other end of the device has made a world of difference. This increasingly points to how authentication will continue to evolve in a in a multi-device, multi-screen and multi-channel environment. For more information and access to the full webinar – Stay tuned for additional #fraudlifecycle posts.
Fraud is not a point-in-time problem and data breaches should not be considered isolated attacks, which break through network defenses to abscond with credentials. In fact, data breaches are just the first stage of a rather complex lifecycle that begins with a vulnerability, advances through several stages of validation and surveillance, and culminates with a fraudulent transaction or monetary theft. Cyber criminals are sophisticated and have a growing arsenal of weapons at their disposal to infect individual and corporate systems and capture account information: phishing, SMSishing and Vishing attacks, malware, and the like are all attempts to thwart security and access-protected information. Criminal tactics have even evolved to include physical-world approaches like infiltrating physical call centers via social engineering attacks aimed at unsuspecting representatives. This, and similar efforts, are all part of the constant quest to identify and exploit weaknesses in order to stage and commit financial crimes. There are some companies that claim malware detection is the silver bullet to preventing fraud. This is simply not the case. The issue is that malware is only one method by which fraudsters may obtain credentials. The seemingly endless supply of pristine identity and account data in the criminal underground means that detecting a user’s system has been compromised is akin to closing the barn door after the hose has bolted. That is, malware can be an indicator that an account has been compromised, but it does not help identify the subsequent usage of the stolen credentials by the criminals, regardless of how the credentials were compromised. Compromised data is first validated by the seller as one of their “value adds” to the criminal underground and typically again by the buyer. Validation usually involves logging into an account to ensure that the credentials work as expected, and allows for a much higher “validated” price point. Once the credentials and/or account have been validated, cyber criminals can turn their attention to surveillance. Remember, by the time one realizes that credential information has been exposed, cyber criminal rings have captured the information they need – such as usernames, passwords, challenge responses and even token or session IDs – and have aded it to their underground data repositories. with traditional online authentication controls, it is nearly impossible to detect the initial fraudulent login that uses ill-gotten credentials. That is why it is critical to operate from the assumption that all account credentials have been compromised when designing an online authentication control scheme.
Online crooks are getting more sophisticated by the second. Nowadays, fraudsters have the ability to conduct “clean fraud,” obtaining legitimate identities of users from the black market or data breaches to compromise a victim’s card account. Malware, too, is becoming more sophisticated both in the mobile and non-mobile space. But how can organizations fight such high-level tactics in such a broad, complex space? John Sarreal, Senior Director of Product Management at 41st Parameter, an online fraud prevention player, sat down with PYMNTS after the recent release of the white paper “Surveillance, Staging, and the Fraud Lifecycle” to reveal the inner workings of a cyber criminal’s mind, what should be done before and after data is snatched, and which aspects of account takeover are the most overlooked and dangerous. Interview excerpts Take us through the mind of a cyber-criminal. What are the most sophisticated tactics used today to capture account information from corporate systems? JS: The amount of clean fraud that we see with our customers is unprecedented. By focusing on obtaining legitimate credentials and identities, fraudsters are more easily able to bypass traditional controls. This means that fraud tools need to adapt and gather additional attributes to augment their fraud screening. Although the techniques they’re using now to obtain these credentials are increasingly sophisticated, the MOs are still rooted in basic phishing and social engineering attacks. Fraudsters will use identity information obtained from the black market or data breaches to conduct very convincing phishing attacks to reveal everything that is needed to compromise a victim’s card account. There’s also increasing sophistication in the use of malware to steal sensitive credentials in both the mobile and non-mobile arena. In Android, for example, Google recently passed a vulnerability that allows sophisticated malware to impersonate digital certificate signing authorities. This vulnerability allowed the malware to install itself on a mobile device without any user notification or intervention – obviously, a very dangerous attack. Link to the podcast and transcript here.
Surag Patel, vice president of global product management for 41st Parameter, led a panel discussion on Digital Consumer Trust with experts from the merchant community and financial services industry at this week’s CNP Expo. During the hour-long session, the expert panel – which included Patel, Jeff Muschick of MasterCard and TJ Horan from FICO – discussed primary research explaining the $40 billion in revenue lost each year to unwarranted CNP credit-card declines and what businesses can do to avoid it. Patel began the Thursday morning session by asking the audience how many have bought something online—of course, everyone raised their hands. He then asked how many had been declined—about half the hands stayed up. “Of those with your hands still up,” he said, “how many of you are fraudsters?” The audience chuckled, but the reality of false positives and unnecessary declines is no laughing matter. Unnecessary declines cause lost revenue and damage the customer relationship with merchants, banks and card issuers. The panel cited a 41st Parameter survey of 1,000 consumers and described their responses to the question, what do you do after you get declined? While many would call the card issuer or try a different payment method, one in six would actually skip the purchase altogether, one in ten would purchase from a different online merchant, and one in twelve would go buy the item at a brick-and-mortar store. So regardless of who the customer blames, ultimately, when a good purchase is declined, everybody loses. Jeff Muschick, who works in fraud solutions for MasterCard, spoke about the need for a solid rules engine, and recommended embracing new tools as they emerge to enhance their fraud prevention strategy. He acknowledged that for smaller merchants, keeping up with fraudsters can be incredibly taxing, and often even at larger organizations, fraud departments are understaffed. For that reason, he highlighted a tool that many fraud prevention strategies are leaving on the table, and that’s cooperation: “We talk about collaboration, but it’s not as gregarious as we’d like it to be.” TJ Horan, who is responsible for fraud solutions at FICO, encouraged merchants, banks, and card issuers to mitigate the damage of good declines through customer education. He observed that “if there was a positive thing to come out of the Target breach (and that’s a big ‘if’), it is an increase in general consumer awareness of credit-card fraud and data protection.” This helps inform customers’ attitudes when they are declined, because they realize it is probably a measure being taken for their own protection, and they are likely to be more forgiving. Click here for more information about TrustInsight and how online merchants can increase sales by approving more trusted transactions.
As we prepare to attend next week’s FS-ISAC & BITS Summit we know that the financial services industry is abuzz about massive losses from the ever-evolving attack vectors including DDoS, Malware, Data Breaches, Synthetic Identities, etc. Specifically, the recent $200 million (and counting) in losses tied to a sophisticated card fraud scheme involving thousands of fraudulent applications submitted over several years using synthetic identities. While the massive scale and effectiveness of the attack seems to suggest a novel approach or gap in existing fraud prevention controls, the fact of the matter is that many of the perpetrators could have been detected at account opening, long before they had an opportunity to cause financial losses. Synthetic identities have been a headache for financial institutions for years, but only recently have criminal rings begun to exploit this attack vector at such a large scale. The greatest challenge with synthetic identities is that traditional account opening processes focus on identity verification compliance around the USA PATRIOT Act and FACT Act Red Flags guidance, risk management using credit bureau scores, and fraud detection using known fraudulent data points. A synthetic identity ring simply sidesteps those controls by using new false identities created with data that could be legitimate, have no established credit history, or slightly manipulate elements of data from individuals with excellent credit scores. The goal is to avoid detection by “blending in” with the thousands of credit card, bank account, and loan applications submitted each day where individuals do not have a credit history, where minor typos cause identity verification false positives, or where addresses and other personal data does not align with credit reports. Small business accounts are an even easier target, as third-party data sources to verify their authenticity are sparse even though the financial stakes are higher with large lines of credit, multiple signors, and complex (sometimes international) transactions. Detecting these tactics is nearly impossible in a channel where anonymity is king — and many rings have become experts on gaming the system, especially as institutions continue to migrate the bulk of their originations to the online channel and the account opening process becomes increasingly faceless. While the solutions described above play a critical role in meeting compliance and risk management objectives, they unfortunately often fall short when it comes to detecting synthetic identities. Identity verification vendors were quick to point the finger at lapses in financial institutions’ internal and third-party behavioral and transactional monitoring solutions when the recent $200 million attack hit the headlines, but these same providers’ failure to deploy device intelligence alongside traditional controls likely led to the fraudulent accounts being opened in the first place. With synthetic identities, elements of legitimate creditworthy consumers are often paired with other invalid or fictitious applicant data so fraud investigators cannot rely on simply verifying data against a credit report or public data source. In many cases, the device used to submit an application may be the only common element used to link and identify other seemingly unrelated applications. Several financial institutions have already demonstrated success at leveraging device intelligence along with a powerful risk engine and integrated link analysis tools to pinpoint these complex attacks. In fact, one example alone spanned hundreds of applications and represented millions of dollars in fraud saves at a top bank. The recent synthetic ring comprising over 7,000 false identities and 25,000 fraudulent cards may be an extreme example of the potential scope of this problem; however, the attack vector will only continue to grow until device intelligence becomes an integrated component of all online account opening decisions across the industry. Even though most institutions are satisfying Red Flags guidance, organizations failing to institute advanced account opening controls such as complex device intelligence can expect to see more attacks and will likely struggle with higher monetary losses from accounts that never should have been booked.
By: Kennis Wong On the surface, it’s not difficult to define existing account fraud. Obviously, it is fraud perpetrated against an existing account. But the way I see it, existing account fraud can be broken down into four types. The first type is account takeover fraud, which is what most organizations think as the de facto existing account fraud. This is when a real consumer using his or her own identity to open a legitimate account, but the account later on get taken over by an identity fraudster. The idea is that when the account was first established, it was created by the rightful person. But somewhere along the way, the account and identity information were compromised. The fraudster uses the compromised information to engineer their way into the account. The second type is impersonation. Impersonation is somewhat similar to account takeover in the sense that it is also misusing the victim’s account. But the difference is that impersonation is more of a one or few times misuses of the account. Examples are a fraudulent use of a credit card or wire transfer. These are the obvious categories. But I think we should also think about these other categories. My definition of existing account fraud also includes this third type – identity fraud that was undetected during application. In other words, an account is established based on stolen identity. Many organizations call this “new account fraud”, which I don’t have a problem with. But I think it’s really also existing account fraud, because – is this existing account? The answer is yes. Is this fraud? Absolutely. It’s not that difficult, is it? Similarly, I am including first-party fraud in existing account fraud as well. A consumer can use his or her own identity to open an account, with an intention to default after the account is established. Example is bust out fraud. You see that this is an expanded definition of existing account fraud, because my focus is on detection. No matter at what point and how identity fraud comes in, it becomes an account in your organization, and that is where we need to discover the fraud. But at the end of the day, it’s not too important how to categorize or name the fraud - whether it\'s application fraud, existing account fraud, first party fraud or third party fraud, as long as organizations understand them enough and have a good way to detect them. Read more blog posts on existing account fraud.
Another consumer protection article in the news recently highlighted some fraud best practices for social networking sites. Click here to read the article. When I say fraud best practices, I mean best practices to minimize fraud and identity theft risk…not best practices for fraudsters. Although I wonder if by advising consumers about new fraud trends and methods, some fraudsters are picking up new tips and tricks? Anyway, many of the suggestions in the article are common sense items that have been making the rounds for some time now: don’t post vacation plans, things that might provide clues to your passwords or secret questions, etc. What I found surprising was that this list of “6 Things You Should Never Reveal on Facebook” still included birth date and place and home address. Are people overly trusting or just simply unaware of the risk of providing personal identifying information out in cyber space, unsecured? The US government has gone to a lot of trouble to protect consumers from identity theft through its issuance of the Red Flags rule and Red Flags guidelines for financial institutions of all types. I work with many clients that are going to large efforts to meet these important goals for fraud and compliance. Not just because the legislation requires it but because they know it is in the best interest of fostering long term and trust-based relationships with their customers. But just as much responsibility lies on us as consumers to protect ourselves. Each individual or family should have their own little identity theft prevention program that includes: guidelines for sharing information on social networking sites, shredding of paper documents with personal data, safe storage of passwords (i.e. not written down by your computer!), and up to date virus and malware protection on their computer.
The overarching ‘business driver’ in adopting a risk-based authentication strategy, particularly one that is founded in analytics and proven scores, is the predictive ‘lift’ associated with using scoring in place of a more binary rule set. While basic identity element verification checks, such as name, address, Social Security number, date-of-birth, and phone number are important identity proofing treatments, when viewed in isolation, they are not nearly as effective in predicting actual fraud risk. In other words, the presence of positive verification across multiple identity elements does not, alone, provide sufficient predictive value in determining fraud risk. Positive verification of identity elements may be achieved in customer access requests that are, in fact, fraudulent. Conversely, negative identity element verification results may be associated with both ‘true’ or ‘good’ customers as well as fraudulent ones. In other words, these false positive and false negative conditions lead to a lack of predictive value and confidence as well as inefficient and unnecessary referral and out-sort volumes. The most predictive authentication and fraud models are those that incorporate multiple data assets spanning traditionally used customer information categories such as public records and demographic data, but also utilize, when possible, credit history attributes, and historic application and inquiry records. A risk-based fraud detection system allows institutions to make customer relationship and transactional decisions based not on a handful of rules or conditions in isolation, but on a holistic view of a customer’s identity and predicted likelihood of associated identity theft, application fraud, or other fraud risk. To implement efficient and appropriate risk-based authentication procedures, the incorporation of comprehensive and broadly categorized data assets must be combined with targeted analytics and consistent decisioning policies to achieve a measurably effective balance between fraud detection and positive identity proofing results. The inherent value of a risk-based approach to authentication lies in the ability to strike such a balance not only in a current environment, but as that environment shifts as do its underlying forces.
By: Kristan Frend I recently gave a presentation on small business fraud at the annual National Association of Credit Managers (NACM) Credit Congress. Following the session, several B2B credit professionals shared recent fraud issues The attendees confirmed what we’ve been hearing from our customers: fraudsters are shifting from consumer to business/commercial fraud and they’re stepping up their game. One of the schemes mentioned by an attendee included fraudsters obtaining parcel provider’s tracking numbers to reroute shipments meant for their B2B customer. The perpetrator calls the business’s call center, impersonates the legitimate business customer to place an order, obtains the tracking number, and then calls back with the tracking number to request that the shipment be rerouted. Often the new shipping location is a residential address where an individual has been recruited for a work-at-home employment opportunity. The individual is instructed to sign for deliveries and then reship merchandise to a freight company within the country or directly to destinations outside the United States. The fraud is uncovered once the legitimate B2B customer receives an invoice for goods which they never ordered or received. I encourage you to take a look at your business’s policies and procedures on handling change of address shipment requests. What tools do you employ to verify the individual making the request? Are you verifying who the new address belongs to? You may also want to ask your parcel provider about account setting options available for when your employees submit reroute requests. While a shipping reroute request isn’t always indicative of fraud, I recommend you assess your fraud risk and consider whether your fraud-related business processes need refining. Keep an eye out here for postings on these topics: known fraud, bust out fraud, and how best to minimize fraud loss.
-- by Heather Grover I’m often asked in various industry forums to give talks about, or opinions on, the latest fraud trends and fraud best practices. Let’s face it – fraudsters are students of their craft and continue to study the latest defenses and adapt to controls that may be in place. You may be surprised, then, to learn that our clients’ top-of-mind issues are not only how to fight the latest fraud trends, but how they can do so while maximizing use of automation, managing operational costs, and preserving customer experience -- all while meeting compliance requirements. Many times, clients view these goals as being unique goals that do not affect one another. Not only can these be accomplished simultaneously, but, in my opinion, they can be considered causal. Let me explain. By looking at fraud detection as its own goal, automation is not considered as a potential way to improve this metric. By applying analytics, or basic fraud risk scores, clients can easily incorporate many different potential risk factors into a single calculation without combing through various data elements and reports. This calculation or score can predict multiple fraud types and risks with less effort, than could a human manually, and subjectively reviewing specific results. Through an analytic score, good customers can be positively verified in an automated fashion; while only those with the most risky attributes can be routed for manual review. This allows expensive human resources and expertise to be used for only the most risky consumers. Compliance requirements can also mandate specific procedures, resulting in arduous manual review processes. Many requirements (Patriot Act, Red Flag, eSignature) mandate verification of identity through match results. Automated decisioning based on these results (or analytic score) can automate this process – in turn, reducing operational expense. While the above may seem to be an oversimplification or simple approach, I encourage you to consider how well you are addressing financial risk management. How are you managing automation, operational costs, and compliance – while addressing fraud?
