Fraud & Identity Management
2011 was the 12th consecutive year that identity theft topped the list of FTC consumer complaints. Florida had the highest rate of complaints, followed by Georgia and California. Rank State Complaints per 100,000 population 1 Florida 179 2 Georgia 120 3 California 104 Learn how to detect and manage fraud activity while meeting regulatory requirements. Source: Consumer info.com infographic and FTC\'s Consumer Sentinel Network Data Book for January-December 2011.
The Consumer Financial Protection Bureau (CFPB) now has the ability to write and enforce 18 consumer protection laws that guide financial products and services. The new regulator has signaled the following issues as priorities: Clarity on how credit scores affect lender decisions: Beginning July 21, 2011, lenders were required to disclose the credit score that they used in all risk-based pricing notices and adverse action notices Shorter and simpler consumer disclosure forms: One of the first priorities is to make the terms and conditions associated with purchasing a mortgage or applying for a credit card shorter and clearer Enforcing the Fair Debt Collection Practices Act: The CFPB will enforce the Fair Debt Collection Practices Act and review current debt collector practices Learn more about the CFPB
This is last question in our five-part series on the FFIEC guidance on what it means to Internet banking, what you need to know and how to prepare for the January 2012 deadline. Q: How are organizations responding? Experian estimates that less than half of the institutions impacted by this guidance are prepared for the examinations. Many of the fraud tools in the marketplace, particularly those that are used to authenticate individuals were deployed as point-solutions. Few support the need for a feedback loop to identify vulnerabilities, or the ability to employ a risk-based, “layered” approach that the guidance is seeking. _____________ This is the last of our five-part series but we\'re happy to answer more questions as we know you need to know how to prepare for the January 2012 deadline.
This is fourth question in our five-part series on the FFIEC guidance and what it means Internet banking. Check back each day this week for more Q&A on what you need to know and how to prepare for the January 2012 deadline. If you missed parts 1-3, there\'s no time to waste, check them out here: Go to question one: What does “multi-factor” authentication actually mean? Go to question two: Who does this guidance affect? And does it affect each type of credit grantor/ lender differently? Go to question three: What does “layered security” actually mean? Today\'s Q&A: What will the regulation do to help mitigate fraud risk in the near-term, and long-term? The FFIEC’s guidance will encourage financial institutions to re-examine their processes. The guidance is an important reinforcement of several critical ideas: Fraud losses undermine faith in our financial system by exposing vulnerabilities in the way we exchange goods, services and currencies. It is important that members of the financial services community understand their role in protecting our economy from fraud. Fraud is not the result of a static set of tactics employed by criminals. Fraud tactics evolve constantly and the tools that combat them have to evolve as well. Considering the impact that technology is having on commerce, it is more important than ever to review the processes that we once thought made our businesses “safe.” The architecture and flexibility of fraud prevention “capabilities” is a weapon unto itself. The guidance provides a perspective on why it is important to be able to understand the risk and to respond accordingly. At the end of the day, the guidance is less about a need to take a specific action---and more about the “capability” to recognize when those actions are needed, and how they should be structured so that high-risk actions are met with strong and sophisticated defenses. _____________ Look for part five, the final in our series tomorrow.
This is third question in our five-part series on the FFIEC guidance and what it means Internet banking. If you missed the firstand second question, you can still view - our answer isn\'t going anywhere. Check back each day this week for more Q&A on what you need to know and how to prepare for the January 2012 deadline. Question: Who does this guidance affect? And does it affect each type of credit grantor/ lender differently? The guidance pertains to all financial institutions in the US that fall under the FFIEC’s influence. While the guidance specifically mentions authenticating in an on-line environment, it’s clear that the overall approach advocated by the FFIEC applies to authentication in any environment. As fraud professionals know, strengthening the defenses in the on-line environment will drive the same fraud tactics to other channels. The best way to apply this guidance is to understand its intent and apply it across call centers and in-person interactions as well. _____________ Look for part four of our five-part series tomorrow. If you have a related question that needs an answer, submit in the comments field below and we\'ll answer those questions too. Chances are if you are questioning something, others are too - so let\'s cover it here! Or, if you would prefer to speak with one of our Fraud Business Consultants directly, complete a contact form and we\'ll follow up promptly.
This is second question in our five-part series on the FFIEC guidance and what it means Internet banking. If you missed the first question, don\'t worry, you can still go back. Check back each day this week for more Q&A on what you need to know and how to prepare for the January 2012 deadline. Question: What does “multi-factor” authentication actually mean? “Multi- Factor” authentication refers to the combination of different security requirements that would be unlikely to be compromised at the same time. A simple example of multi-factor authentication is the use of a debit card at an ATM machine. The plastic debit card is an item that you must physically possess to withdraw cash, but the transaction also requires the PIN number to complete the transaction. The card is one factor, the PIN is a second. The two combine to deliver a multi-factor authentication. Even if the customer loses their card, it (theoretically) can’t be used to withdraw cash from the ATM machine without the PIN. _____________ Look for part three of our five-part series tomorrow.
This first question in our five-part series on the FFIEC guidance and what it means Internet banking. Check back each day this week for more Q&A on what you need to know and how to prepare for the January 2012 deadline. Question: What does “layered security” actually mean? “Layered” security refers to the arrangement of fraud tools in a sequential fashion. A layered approach starts with the most simple, benign and unobtrusive methods of authentication and progresses toward more stringent controls as the activity unfolds and the risk increases. Consider a customer who logs onto an on-line banking session to execute a wire transfer of funds to another account. The layers of security applied to this activity might resemble: 1. Layer One- Account log-in. Security = valid ID and Password must be provided 2. Layer Two- Wire transfer request. Security= IP verification/confirmation that this PC has been used to access this account previously. 3. Layer Three- Destination Account provided that has not been used to receive wire transfer funds in the past. Security= Knowledge Based Authentication Layered security provides an organization with the ability to handle simple customer requests with minimal security, and to strengthen security as risks dictate. A layered approach enables the vast majority of low risk transactions to be completed without unnecessary interference while the high-risk transactions are sufficiently verified. _____________ Look for part two of our five-part series tomorrow.
With the most recent guidance newly issued by the Federal Financial Institutions Examination Council (FFIEC) there is renewed conversation about knowledge based authentication. I think this is a good thing. It brings back into the forefront some of the things we have discussed for a while, like the difference between secret questions and dynamic knowledge based authentication, or the importance of risk based authentication. What does the new FFIEC guidance say about KBA? Acknowledging that many institutions use challenge questions, the FFIEC guidance highlights that the implementation of challenge questions can greatly impact efficacy of its usefulness. Chances are you already know this. Of greater importance, though, is the fact that the FFIEC guidelines caution on the use of less sophisticated systems and information that can be easily guessed or obtained from an Internet search, given the amount of information available. As mentioned above, the FFIEC guidelines call for questions that “do not rely on information that is often publicly available,” recommending instead a broad range of data assets on which to base questions. This is an area knowledge based authentication users should review carefully. At this point in time it is perfectly appropriate to ask, “Does my KBA provider rely on data that is publicly sourced” If you aren’t sure, ask for and review data sources. At a minimum, you want to look for the following in your KBA provider: · Questions! Diverse questions from broad data categories, including credit and noncredit assets · Consumer question performance as one of the elements within an overall risk-based decisioning policy · Robust performance monitoring. Monitor against established key performance indicators and do it often · Create a process to rotate questions and adjust access parameters and velocity limits. Keep fraudsters guessing! · Use the resources that are available to you. Experian has compiled information that you might find helpful: www.experian.com/ffiec Finally, I think the release of the new FFIEC guidelines may have made some people wonder if this is the end of KBA. I think the answer is a resounding “No.” Not only do the FFIEC guidelines support the continued use of knowledge based authentication, recent research suggests that KBA is the authentication tool identified as most effective by consumers. Where I would draw caution is when research doesn’t distinguish between “secret questions” and dynamic knowledge based authentication, which we all know is very different.
As I’m sure you are aware, the Federal Financial Institutions Examination Council (FFIEC) recently released its, \"Supplement to Authentication in an Internet Banking Environment\" guiding financial institutions to mitigate risk using a variety of processes and technologies as part of a multi-layered approach. In light of this updated mandate, businesses need to move beyond simple challenge and response questions to more complex out-of-wallet authentication. Additionally, those incorporating device identification should look to more sophisticated technologies well beyond traditional IP address verification alone. Recently, I contribute to an article on how these new guidelines might affect your institution. Check it out here, in full: http://ffiec.bankinfosecurity.com/articles.php?art_id=3932 For more on what the FFIEC guidelines mean to you, check out these resources - which also gives you access to a recent Webinar.
Lately there has been a lot of press about breaches and hacking of user credentials. I thought it might be a good time to pause and distinguish between authentication credentials and identity elements. Identity elements are generally those bits of meta data related to an individual. Things like: name, address, date of birth, Social Security Number, height, eye color, etc. Identity elements are typically used as one part of the authentication process to verify an individual’s identity. Credentials are typically the keys to a system that are granted after someone’s identity elements have been authenticated. Credentials then stand in place of the identity elements and are used to access systems. When credentials are compromised, there is risk of account takeover by fraudsters with mal intent. That’s why it’s a good idea to layer-in risk based authentication techniques along with credential access for all businesses. But for financial institutions, the case is clear: a multi-layered approach is a necessity. You only need to review the FFIEC Guidance of Authentication in an Internet Banking Environment to confirm this fact. Boiled down to its essence, the latest guidance issued by the FFIEC is rather simple. Essentially it’s asking U.S. financial institutions to mitigate risk using a variety of processes and technologies, employed in a layered approach. More specifically, it asks those businesses to move beyond simple device identification — such as IP address checks, static cookies and challenge questions derived from customer enrollment information — to more complex device intelligence and more complex out-of-wallet identity verification procedures. In the world of online security, experience is critical. Layered together, Experian’s authentication capabilities (including device intelligence from 41st Parameter, out-of-wallet questions and analytics) offers a more comprehensive approach to meeting and exceeding the FFIEC’s most recent guidance. More importantly, they offer the most effective and efficient means to mitigating risk in online environments, ensuring a positive customer experience and have been market-tested in the most challenging financial services applications.
By: Kennis Wong On the surface, it’s not difficult to define existing account fraud. Obviously, it is fraud perpetrated against an existing account. But the way I see it, existing account fraud can be broken down into four types. The first type is account takeover fraud, which is what most organizations think as the de facto existing account fraud. This is when a real consumer using his or her own identity to open a legitimate account, but the account later on get taken over by an identity fraudster. The idea is that when the account was first established, it was created by the rightful person. But somewhere along the way, the account and identity information were compromised. The fraudster uses the compromised information to engineer their way into the account. The second type is impersonation. Impersonation is somewhat similar to account takeover in the sense that it is also misusing the victim’s account. But the difference is that impersonation is more of a one or few times misuses of the account. Examples are a fraudulent use of a credit card or wire transfer. These are the obvious categories. But I think we should also think about these other categories. My definition of existing account fraud also includes this third type – identity fraud that was undetected during application. In other words, an account is established based on stolen identity. Many organizations call this “new account fraud”, which I don’t have a problem with. But I think it’s really also existing account fraud, because – is this existing account? The answer is yes. Is this fraud? Absolutely. It’s not that difficult, is it? Similarly, I am including first-party fraud in existing account fraud as well. A consumer can use his or her own identity to open an account, with an intention to default after the account is established. Example is bust out fraud. You see that this is an expanded definition of existing account fraud, because my focus is on detection. No matter at what point and how identity fraud comes in, it becomes an account in your organization, and that is where we need to discover the fraud. But at the end of the day, it’s not too important how to categorize or name the fraud - whether it\'s application fraud, existing account fraud, first party fraud or third party fraud, as long as organizations understand them enough and have a good way to detect them. Read more blog posts on existing account fraud.
The Communications Fraud Control Association’s annual meeting and educational event was held last week (June 14 – 16) at the Allerton hotel in Chicago, IL. The Communications Fraud Control Association is made up of communications and security professionals, fraud investigators, analysts, and managers, law enforcement, those in risk management, and many others. As an organization, they started out as a small group of communications professionals from the major long distance carriers who were looking for a better and more collaborative way to address communications fraud. Now, almost 30 years later, they’ve got over 60 members – a great representation of the industry yet still a nimble size. From what I hear, this makes for a specialized but quite effective “working” conference. Unfortunately I was not able to attend the conference but my colleague, Kennis Wong, attended and presented on the topic of Account Takeover and existing account fraud. It’s an area of fraud and compliance that Experian has spent some R&D on recently, with some interesting findings. In the past, we’ve been more focused on helping clients prevent new account and application fraud. It might seem like an interesting time to expand into this area, with some studies citing large drops in existing account fraud (2011 Identity Fraud Survey Report by Javelin). BUT...consumer costs in this area are way UP, not to mention the headline-grabbing news stories about small business account takeover. Which means it’s still a large pain point for financial institutions. Experian’s research and development in existing account fraud, combined with our expertise in fraud scores and identity theft detection, has resulted in a new product which is launching at the end of this month: Precise ID for Customer Management. Stay tuned for more exciting details.
Whether you call it small business, commercial, or corporate account takeover, this form of existing account fraud has been in the headlines lately and seems to be on the rise. While account takeover happens to individual consumers quite frequently, it’s the sensational loss amounts and the legal battles between companies and their banks that are causing this form of commercial fraud to make the news. A recent BankInfoSecurity.com article, Fraud Verdict: Opinions Vary, is about a court opinion on a high profile ACH fraud case - Experi-Metal Inc. vs. Comerica Bank – that cites a number of examples of corporate account takeover cases with substantial losses: · Village View Escrow of Redondo Beach, Calif.: lost $465,000 to an online hack · Hillary Machinery: settled with its bank for undisclosed terms in 2010. · The Catholic Diocese of Des Moines, Iowa: lost $600,000 in fraudulent ACH transactions. I was curious what information was out there and publicly available to help businesses protect themselves and minimize fraud losses / risk. NACHA, the electronics payment association, had some of the best resources on their website. Labeled the “Corporate Account Takeover Resource Center”, it has a wide variety of briefs, papers, and recommendations documents including prevention practices for companies, financial institutions, and third-party service providers. There’s even a podcast on how to fight ACH fraud! One thing was interesting to note, though. NACHA makes a point to distinguish between ACH fraud and corporate account takeover in this statement at the top of the web page: Corporate Account Takeover is a form of corporate identity theft where a business’ online credentials are stolen by malware. Criminal entities can then initiate fraudulent banking activity. Corporate Account Takeover involves compromised identity credentials and is not about compromises to the wire system or ACH Network. ACH fraud and wire fraud, terms mistakenly used to describe this type of criminal activity, are a misnomer. The ACH Network is safe and secure. Mostly I agree –the ACH Network is safe and secure. But from an F.I.\'s or company’s perspective, corporate account takeover and ACH Fraud often go hand in hand.
At Experian’s recent client conference, Vision 2011, there was a refreshing amount of positive discussion and outlook on origination rates and acquisition strategies for growth. This was coming not only from industry analysts participating in the conference but from clients as well. As a consumer, I’d sensed the ‘cautious optimism’ that we keep hearing about because my mailbox(the ‘original’ one, not email) has slowly been getting more and more credit card offer letters over the last 6 months. Does this mean a return to prospecting and ultimately growth for financial institutions and lenders? It’s a glimmer of hope, for sure, although most agree that we’re a long way from being out of the woods, particularly with unemployment rates still high and the housing market in dire shape. Soooo…..you may be wondering where I’m going with this…. Since my job is to support banks, lenders, utilities and numerous other businesses’ in their fraud prevention and compliance efforts, where my mind goes is: how does a return to growth – even slight – impact fraud trends and our clients’ risk management policies? While many factors remain to be seen, here are a few early observations: · Account takeover, bust out fraud, and other types of existing account fraud had been on the rise while application fraud had declined or stayed the same (relative to the decrease in new originations); with prospecting and acquisition activity starting to increase, we will likely see a resurgence in new account fraud attempts and methods. · Financial institutions and consumers are under increasing risk of malware attacks; with more sophisticated malware technology popping up every day, this will likely be a prime means for fraudsters to commit identity theft and exploit potentially easier new account opening policies. · With fraud loss numbers flat or down, the contracted fraud budgets and delayed technology investments by companies over the last few years are a point of vulnerability, especially if the acquisition growth rate jumps substantially.
By: Kennis Wong Data is the very core of fraud detection. We are constantly seeking new and mining existing data sources that give us more insights into consumers’ fraud and identity theft risk. Here is a way to categorize the various data sources. Account level - When organizations detect fraud, naturally they leverage the data in-house. This type of data is usually from the individual account activities such as transactions, payments, locations or types of purchases, etc. For example, if there’s a purchase $5000 at a dry cleaner, the transaction itself is suspicious enough to raise a red flag. Customer level - Most of the times we want to see a bigger picture than only at the account level. If the customer also has other accounts with the organization, we want to see the status of those accounts as well. It’s not only important from a fraud detection perspective, but it’s also important from a customer relationship management perspective. Consumer level - As Experian Decision Analytics’ clients can attest, sometimes it’s not sufficient to look only at the data within an organization but also to look at all the financial relationships of the consumer. For example, in the situation of bust out fraud or first-party fraud, if you only look at the individual account, it wouldn’t be clear whether a consumer has truly committed the fraud. But when you look at the behavior of all the financial relationships, then the picture becomes clear. Identity level - Fraud detection can go into the identity level. What I mean is that we can tie a consumer’s individual identity elements with those of other consumers to discover hidden inconsistencies and relationships. For example, we can observe the use of the same SSN across different applications and see if the phones or addresses are the same. In the account management environment, when detecting existing account fraud or account takeover, this level of linkage is very useful as more data becomes available after the account is open. Loading...
Learn More Image
