Fraud & Identity Management
When we think about fraud prevention, naturally we think about mininizing fraud at application. We want to ensure that the identities used in the application truly belong to the person who applies for credit, and not from some stolen identities. But the reality is that some fraudsters do successfully get through the defense at application. In fact, according to Javelin’s 2011 Identity Fraud Survey Report, 2.5 million accounts were opened fraudulently using stolen identities in 2010, costing lenders and consumers $17 billion. And these numbers do not even include other existing account fraud like account takeover and impersonation (limited misusing of account like credit/debit card and balance transfer, etc.). This type of existing account fraud affected 5.5 million accounts in 2010, costing another $20 billion. So although it may seem like a no brainer, it’s worth emphasizing that we need to continue to detect fraud for new and established accounts. Existing account fraud is unlikely to go away any time soon. Lending activities have changed significantly in the last couple of years. Origination rate in 2010 is still less than half of the volume in 2008, and booked accounts become riskier. In this type of environment, when regular consumers are having hard time getting new credits, fraudsters are also having hard time getting credit. So naturally they will switch their focus to something more profitable like account takeover. Does your organization have appropriate tools and decisioning strategy to fight against existing account fraud?
By: Kristan Frend According to the 2011 Identity Theft Assistance Center Outlook (ITAC), new forms of small business identity theft are emerging. This shouldn’t be a surprise that criminals view small business accounts as a lucrative funding source. What is surprising is that the ‘new’ form of small business identity theft consists of the U.S. Postal Inspection Service reporting a surge in criminal rings using small business information from stolen mail, check writing software and other tactics to counterfeit checks. That’s the new wave of small business identity theft??? I consider this one of the least sophisticated types of fraud that can easily be eliminated by small business owners not leaving mail unattended. Reading this report makes me realize that we have a long way to go in identifying and reporting the more sophisticated types of small business fraud. As I’ve mentioned before, the industry has come a long way in advancing consumer fraud solutions. Yet, as fraud has migrated into business accounts, we as an industry still have a ways to go in reporting the latest business fraud trends and tracking statistics. I’m adding this to my wish list for 2011… What’s on your wish list? On a side note, I’ve noticed nearly all of the articles posted in our blog include no reader comments. I’d like to think that this means our readers are too busy to add comments and/or our articles are so well-written that they answer all of your questions. One can dream right? Seriously though, as we approach 2011 and plan our topics, we’d love to hear from you- if you can think of any topic you’d like us to cover more in depth, please let us know.
By: Kristan Frend As my colleague Margarita Lim discussed in her December 3rd article, the SSA announced that it will change how social security numbers (SSNs) will be issued, with a move toward a random method of assigning SSNs. For organizations that currently incorporate the validation of an applicant’s SSN issue date and state as a part of their risk-based decisioning, they will lose this piece of applicant authentication post-randomization. But there is some good news - first, this validation piece won’t be entirely terminated on day one of the SSN randomization for organizations. All the change means is that the newly issued SSNs will be randomized. In other words, the only SSNs that the issue data and state won’t be validated on day one are the SSNs that have just been issued to the recently born or immigrants. Given that its likely newborns won’t be applying for credit for another 18 years, the bulk of the newly issued SSNs that organizations will see for a while are those belonging to adults who were recently issued a SSN…A growing number of applicants, but not the majority of applicants. The other bit of good news is this may actually be a good thing for all of us in the long run. While we’ll end up losing the ability to validate an applicant’s SSN issue data and state, the criminals will be at an even greater disadvantage. Consider this- Last year researchers* were able to “identify all nine digits for 8.5 percent of people born after 1988 in fewer than 1,000 attempts. For people born recently in smaller states, researchers sometimes needed just 10 or fewer attempts to predict all nine digits.” I don’t expect this change to drastically reduce third party fraud rates but over time it should eliminate one component of identity theft and ultimately benefit an organization’s Customer Information Program. *The National Science Foundation, the U.S. Army Research Office, Carnegie Melon Cylab, and the Berkman Faculty Development Fund provided support for the research. To view the entire study, please visit http://www.pnas.org/content/106/27/10975.full.pdf+html.
By: Ken Pruett The majority of the customers I meet with use some sort of Velocity Checks to assist with their Fraud and Compliance process. However, there are still quite a few that do not, especially when opening up New Business Accounts. Historical data checks have proven to be an effective form of identity theft prevention for both Consumer fraud and Commercial Fraud. We see scenarios where a perpetrator will have one successful penetration of a business and opens up a fraudulent account. They then try and replicate this against the same business. All of the information may be different, with the exception of one element, often the phone number. Without velocity checks, this may not be identified at the time the account is being opened. More sophisticated rings try to be more creative in their fraudulent attempts. They may gain access to a consumers information and then go and apply at a variety of entities. They are more careful, so they never attempt to target the same business twice. They are aware that many companies have velocity checks, so they do not want to take a chance of having their information questioned. At a minimum, the use of in-house velocity checks should be a standard process for you fraud detection measures. Typical data elements to check against are; name (business or consumer), address, phone number, and Social Security Number. A fraud best practice would be to use a tool that provides velocity checks and incorporates the information into a fraud prevention tool. There are tools that provide checks across multiple businesses and this typically provides the best level of protection. By looking at inquiry information across multiple businesses, you are able to help prevent being a victim of some of the more sophisticated rings. Don’t find yourself being the easiest target. Once you get hit, it could snowball and you may be victimized multiple times. We all know there is no way to stop all of the fraud, but let’s not make it too easy on the perpetrators. Try and find a way to use some sort of velocity checks in your process to at least minimize your fraud risk.
By: Andrew Gulledge Bridgekeeper: “What is the air-speed velocity of an unladen swallow?” King Arthur: “What do you mean? An African or European swallow?” Here are some additional reasons why the concept of an “average fraud rate” is too complex to be meaningful. Different levels of authentication strength Even if you have two companies from the same industry, with the same customer base, the same fraudsters, the same natural fraud rate, counting fraud the same way, using the same basic authentication strategies, they still might have vastly different fraud rates. Let’s say Company A has a knowledge-based authentication strategy configured to give them a 95% pass rate, while Company B is set up to get a 70% pass rate. All else being equal, we would expect Company A to have a higher fraud rate, by virtue of having a less stringent fraud prevention strategy. If you lower the bar you’ll definitely have fewer false positives, but you’ll also have more frauds getting through. An “average fraud rate” is therefore highly dependent on the specific configuration of your fraud prevention tools. Natural instability of fraud behavior Fraud behavior can be volatile. For openers, one fraudster seldom equals one fraud attempt. Fraudsters often use the same techniques to defraud multiple consumers and companies, sometimes generating multiple transactions for each. You might have, for example, a hundred fraud attempts from the same computer-tanned jackass. Whatever the true ratio of fraud attempts to fraudsters is, you can be confident that your total number of frauds is unlikely to be representative of an equal number of unique fraudsters. What this means is that the fraud behavior is even more volatile than your general consumer behavior, including general fraud trends such as seasonality. This volatility, in and of itself, correlates to a greater degree of variance in fraud rates, further depleting the value of an “average fraud rate” metric. Limited fraud data It’s also worth noting that we only know which of our authentication transactions end up being frauds when our clients tell us after the fact. While plenty of folks do send us known fraud data (thus opening up the possibility of invaluable analysis and consulting), many of our clients do not. Therefore even if all of the aforementioned complexity were not the case, we would still be limited in our ability to provide global benchmarks such as an “average fraud rate.” Therefore, what? This is not to say that there is no such thing as a true average fraud rate, particularly at the industry level. But you should take any claims of an authoritative average with a grain of salt. At the very least, fraud rates are a volatile thing with a great deal of variance from one case to the next. It is much more important to know YOUR average fraud rate, than THE average fraud rate. You can estimate your natural fraud rate through a champion/challenger process, or even by letting the floodgates open for a few days (or however long it takes to gather a meaningful sample of known frauds), then letting the frauds bake out over time. You can compare the strategy fraud rates and false positive ratios of two (or more) competing fraud prevention strategies. You can track your own fraud rates and fraud trends over time. There are plenty of things you can do to create standardize metrics of fraud incidence, but good heavens for the next person to ask me what our average fraud rate is, the answer is “No.”
By: Andrew Gulledge I hate this question. There are several reasons why the concept of an “average fraud rate” is elusive at best, and meaningless or misleading at worst. Natural fraud rate versus strategy fraud rate The natural fraud rate is the number of fraudulent attempts divided by overall attempts in a given period. Many companies don’t know their natural fraud rate, simply because in order to measure it accurately, you need to let every single customer pass authentication regardless of fraud risk. And most folks aren’t willing to take that kind of fraud exposure for the sake of empirical purity. What most people do see, however, is their strategy fraud rate—that is, the fraud rate of approved customers after using some fraud prevention strategy. Obviously, if your fraud model offers any fraud detection at all, then your strategy fraud rate will be somewhat lower than your natural fraud rate. And since there are as many fraud prevention strategies as the day is long, the concept of an “average fraud rate” breaks down somewhat. How do you count frauds? You can count frauds in terms of dollar loss or raw units. A dollar-based approach might be more appropriate when estimating the ROI of your overall authentication strategy. A unit-based approach might be more appropriate when considering the impact on victimized consumers, and the subsequent impact on your brand. If using the unit-based approach, you can count frauds in terms of raw transactions or unique consumers. If one fraudster is able to get through your risk management strategy by coming through the system five times, then the consumer-based fraud rate might be more appropriate. In this example a transaction-based fraud rate would overrepresent this fraudster by a factor of five. Any fraud models based on solely transactional fraud tags would thus be biased towards the fraudsters that game the system through repeat usage. Clearly, however, different folks count frauds differently. Therefore, the concept of an “average fraud rate” breaks down further, simply based on what makes up the numerator and the denominator. Different industries. Different populations. Different uses. Our authentication tools are used by companies from various industries. Would you expect the fraud rate of a utility company to be comparable to that of a money transfer business? What about online lending versus DDA account opening? Furthermore, different companies use different fraud prevention strategies with different risk buckets within their own portfolios. One company might put every customer at account opening through a knowledge based authentication session, while another might only bother asking the riskier customers a set of out of wallet questions. Some companies use authentication tools in the middle of the customer lifecycle, while others employ fraud detection strategies at account opening only. All of these permutations further complicate the notion of an “average fraud rate.” Different decisioning strategies Companies use an array of basic strategies governing their overall approach to fraud prevention. Some people hard decline while others refer to a manual review queue. Some people use a behind-the-scenes fraud risk score; others use knowledge based authentication questions; plenty of people use both. Some people use decision overrides that will auto-fail a transaction when certain conditions are met. Some people use question weighting, use limits, and session timeout thresholds. Some people use all of the out of wallet questions; others use only a handful. There is a near infinite possibility of configuration settings even for the same authentication tools from the same vendors, which further muddies the waters in regards to an “average fraud rate.” My next post will beat this thing to death a bit more.
By: Margarita Lim It’s the holiday season and a festive time of year. Colorful Christmas lights and decorations, holiday songs, all of these things contribute to the celebratory atmosphere which causes many people to let their guards down. Unfortunately, fraudsters and other criminals take advantage of the prevailing goodwill and can help make one of the busiest shopping times of the year, a miserable one for their victims. It’s not a surprise that articles and news stories are released advising shoppers on how to continue enjoying their holiday season by not being victims of identity theft or other known fraud activities. Consumers can get tips from the Federal Trade Commission and other websites to prevent or minimize exposure to identity theft but I think key ones include: • If using credit cards for purchases, write ‘Check Photo ID’ on the back of your credit card. • Be very protective about disclosing personal information, especially Social Security Numbers. Did you know that it only takes one piece of personal information about you for a thief to steal your identity? • If shopping online, only make purchases from recognizable online retailers and websites. Many fraudsters will create fake websites that offer goods for sale in order to collect personal and credit information that can then be used to make fraudulent purchases. If consumers need to be careful this holiday season, businesses should also be vigilant. Fraudsters cause businesses like banks, retailers and credit card companies to lose millions of dollars that ultimately get passed on to their customers. Companies need to make sure they have tools in place to minimize these fraud losses. I’ve mentioned this in a previous post but Experian supports Identity Theft Prevention Programs by offering highly accurate consumer identity verification services. Our consumer authentication and fraud prevention product, Precise ID, and our knowledge based authentication product, Knowledge IQ, are highly respected in the marketplace for their reliability, quality and accuracy. Implementing either of these products would go a long way in preventing fraud this holiday season.
The U.S. Senate passed legislation recently that would exempt certain businesses from complying with the Red Flags Rule. Sponsored by Senator John Thune (R-SD), the bill (S. 3987) creates an exception to the Red Flags Rule for businesses that do not advance funds to a customer. The bill would, for example, redefine the term “creditor” as currently described under the Red Flags Rule guidelines, to apply only to those businesses who advance funds to, or on behalf of, a customer, and based upon an obligation to repay those advanced funds. The legislation also still provides the Federal Trade Commission with authority to require certain organizations to comply with the Red Flags Rule. The legislation now moves to the U.S. House of Representatives, where the chamber must approve the bill before the end of the year in order for the bill to become law. This may alleviate many businesses in industries such as law practices, healthcare providers (particularly solo practitioners), and perhaps some service providers in telecommunications and utilities. However, it is likely that many businesses in the utilities space will still fall under Red Flags Rule enforcement given their accessing of consumer credit profiles in many of their application processing procedures. Again, one has to wonder what the original intent of the Red Flags Rule was. If it was to protect consumers from identity theft and other fraud schemes via a robust identity theft prevention program, then vastly narrowing the businesses under which potential enforcement applies seems counter-productive. The advancement of funds or not doesn’t necessarily add to or reduce risk of fraud, as much as the actual obtainment of accounts and services with identity information…regardless of industry. More to follow…
By: Margarita Lim Recently, the Social Security Administration (SSA) announced that it will change how Social Security numbers (SSN) will be issued, with a move toward a random method of assigning SSNs. Social Security numbers are historically 9 digits in length, and are comprised of a three-digit number that represents a geographic area, a two-digit number referred to as a Group number and a four digit serial number.You can go to http://www.ssa.gov/employer/randomization.html to learn more about this procedural change, but in summary, the random assignment of SSNs will affect: • The geographic significance of the first three digits of the SSN because it will no longer uniquely represent specific states • The correlation of the Group number (the fourth and fifth digits of the SSN) to an issuance date range. What does this mean? It means that if you’re a business or agency that uses any type of authentication product in order to minimize fraud losses, one of the components used to verify a consumer’s identity – Social Security number, will no longer be validated with respect to state and date. However, one of the main advantages of utilizing a risk-based approach to authentication is the reduction in over-reliance on one identity element validation result. Validation of SSN issuance date and state, while useful in determining certain levels of risk, is but one of many attributes and conditions utilized in detailed results, robust analytics, and risk-based decisioning. It can also be argued that the randomization of SSN issuance, while somewhat impacting the intelligence we can glean from a specific number, may also prove to be beneficial to consumer protection and the overall confidence in the SSN issuance process.
As the December 31st deadline approaches for FTC enforcement of the Red Flags Rule, we still seem quite a ways off from getting out from under the cloud of confusion and debate related to the definition of ‘creditor’ under the statutory provisions. For example, the Thune-Begich amendment to “amend the Fair Credit Reporting Act with respect to the applicability of identity theft guidelines to creditors” looks to greatly narrow the definition of creditor under the Rule, and therefore narrow the universe of businesses and institutions covered by the Red Flags Rule. The question remains, and will remain far past the December 31 enforcement deadline, as to how narrow the ‘creditor’ universe gets. Will this amendment be effective in excluding those types of entities generally not in the business of extending credit (such as physicians, lawyers, and other service providers) even if they do provide service in advance of payment collection or billing? Will this amendment exclude more broadly, for example ‘buy-here, pay-here’ auto dealers who don’t extend credit or furnish data to a credit reporting agency? Finally, is this the tip of an iceberg in which more entities opt out of the requirement for robust and effective identity theft prevention programs? So one has to ask if the original Red Flags Rule intent to “require many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate the damage it inflicts” still holds true? Or is the idea of protecting consumer identities only a good one when it is convenient? It doesn’t appear to be linked with fraud risk as healthcare fraud, for example, is of major concern to most practitioners and service providers in that particular industry. Lastly, from an efficiency perspective, this debate would likely have been better timed at the drafting of the Red Flags Rule, and prior to the implementation of Red Flags programs across industries that may be ultimately excluded.
As E-Government customer demand and opportunity increases, so too will regulatory requirements and associated guidance become more standardized and uniformly adopted. Regardless of credentialing techniques and ongoing access management, all enrollment processes must continue to be founded in accurate and, most importantly, predictive risk-based authentication. Such authentication tools must be able to evolve as new technologies and data assets become available, as compliance requirements and guidance become more defined, and as specific fraud threats align with various access channels and unique customer segments. A risk-based fraud detection system allows institutions to make customer relationship and transactional decisions based not on a handful of rules or conditions in isolation, but on a holistic view of a customer’s identity and predicted likelihood of associated identity theft. To implement efficient and appropriate risk-based authentication procedures, the incorporation of comprehensive and broadly categorized data assets must be combined with targeted analytics and consistent decisioning policies to achieve a measurably effective balance between fraud detection and positive identity proofing results. The inherent value of a risk-based approach to authentication lies in the ability to strike such a balance not only in a current environment, but as that environment shifts as do its underlying forces. The National Institute of Standards and Technology, in special publication 800-63, defines electronic authentication (E-authentication) as “the process of establishing confidence in user identities electronically presented to an information system”. Since, as stated in publication 800-63, “individuals are enrolled and undergo an identity proofing process in which their identity is bound to an authentication secret, called a token”, it is imperative that identity proofing is founded in an approach that generates confidence in the authentication process. Experian believes that a risk-based approach that can separate valid from invalid identities using a combination of data and proven quantitative techniques is best. As “individuals are remotely authenticated to systems and applications over an open network, using a token in an authentication protocol”, enrollment processes that drive ultimate provision of tokens must be implemented with an eye towards identity risk, and not simply a series of checks against one or more third party data assets. If the “keys to the kingdom” are housed in the ongoing use of tokens provided by Credentials Service Providers (CRA) and binding credentials to that token, trusted Registration Authorities (RA) must employ highly predictive identity proofing techniques designed to segment true, low-risk identities from identities that may have been manipulated, fabricated, or in true-form are subject to fraudulent use, abuse or victimization. Many compliance-oriented authentication requirements (ex. USA PATRIOT Act, FACTA Red Flags Rule) and resultant processes hinge upon identity element (ex. name, address, Social Security number, phone number) validation and verification checks. Without minimizing the importance of performing such checks, the purpose of a more risk-based approach to authentication is to leverage other data sources and quantitative techniques to further assess the probability of fraudulent behavior.
Experian recently contributed to a TSYS whitepaper focused on the various threats associated with first party fraud. I think the paper does a good job at summarizing the problem, and points out some very important strategies that can be employed to help both prevent first party fraud losses and detect those already in an institution’s active and collections account populations. I’d urge you to have a look at this paper as you begin asking the right questions within your own organization. Watch here The bad news is that first party fraud may currently account for up to 20 percent of credit charge-offs. The good news is that scoring models (using a combination of credit attributes and identity element analysis) targeted at various first party fraud schemes such as Bust Out, Never Pay, and even Synthetic Identity are quite effective in all phases of the customer lifecycle. Appropriate implementation of these models, usually involving coordinated decisioning strategies across both fraud and credit policies, can stem many losses either at account acquisition, or at least early enough in an account management stage, to substantially reduce average fraud balances. The key is to prevent these accounts from ending up in collections queues where they’ll never have any chance of actually being collected upon. A traditional customer information program and identity theft prevention program (associated, for example with the Red Flags Rule) will often fail to identify first party fraud, as these are founded in identity element verification and validation, checks that often ‘pass’ when applied to first party fraudsters.
By: Kennis Wong In the last entry, I mentioned that consumers’ participation in protecting their own identity information is an important aspect of an identity theft prevention program to minimize fraud loss. Large financial institutions are starting to take charge in educating their customers, but others are having a hard time investing in such initiatives. I do understand that it is difficult to establish a direct linkage of revenue and positive return on investment for this type of activities. Business may view customer education of identity protection as a public service but not a necessity. After all, if my customer loses his identity information, it doesn’t necessarily mean that identity fraud will happen to my very own organization. But educating customers about identity protection and fraud trends can be a marketing tool and can increase customer loyalty, in additions to actual fraud prevention. Although consumers may not be aware of all the precautions they can take to protect their identity, undoubtedly identity theft is a hot topic in the media today. If there are two banks providing about the same service, but one of them goes an extra mile to provide me education on preventing identity theft, I would go with that bank. Also, as a financial institution, if my customers understand identity protection more, they would understand why I am putting some procedure in place and would be glad to comply with them. For example, they would be more patient when spending another minute in answering knowledge-based authentication questions, so that for their own protection, the bank can assure they are the true identity owners. Consumers can also actively monitor their credit report, whether through the bank or through other third party vendors. When consumers receive fraud alert from activities that could be a result of identity theft, they can actively contact the financial institutions about the situation. The sooner the identity fraud is discovered, the better off for both the consumers and the businesses.
By: Kennis Wong As a fraud management professional, naturally I am surrounded by fraud prevention topics and other professionals in the field all the time. Financial, ecommerce, retail, telecommunication, government and other organizations are used to talking about performance, scoring models, ROI, false-positives, operational efficiency, customer satisfaction trade-off, loss provisioning, decisioning strategy or any other sophisticated measures when it comes to fraud management. But when I bring up the topic of fraud outside of this circle, I am always surprised to see how little educated the general public is about an issue that is so critical to their financial health. I met a woman in an event several weeks ago. After learning about my occupation, she told me her story about someone from XYZ credit card company calling her and asking for her Social Security number, date of birth and other personal identifying information. Only days after she gave out the information that she realized things didn’t seem right. She called the credit card company and got her credit card re-issued. But at the time I talked to her, she still didn’t know enough to realize that the fraudster could now use her identity to start any new financial relationship under her name. As long as consumers are ignorant about protecting their identity information, businesses’ identity theft prevention program will not be complete and identity fraud will occur as a result of this weak link. To address this vulnerability and minimize fraud, consumers need to be educated.
-- by, Andrew GulledgeOne of the quickest and easiest ways to reduce fraud in your portfolio is to incorporate question weighting into your out of wallet question strategy. To continue the use of knowledge based authentication without question weighting is to assign a point value of 100 points to each question. This is somewhat arbitrary (and a bit sloppy) when we know that certain questions consistently perform better than others.So if a fraudster gets 3 easier questions right, and 1 harder question wrong they will have an easier time passing your authentication process without question weighting. If, on the other hand, you adopt question weighting as part of your overall risk based authentication approach, that same fraudster would score much worse on the same KBA session. The 1 question that they got wrong would have cost them a lot of points, and the 3 easier questions they got right wouldn’t have given them as many points. Question weighting based on known fraud trends is more punitive for the fraudsters.Let’s say the easier questions were worth 50 points each, and the harder question was worth 150 points. Without question weighting, the fraudster would have scored 75% (300 out of 400 points). With question weighting, the fraudster would have scored 50% (150 out of 300 points correct). Your decisioning strategy might well have failed him with a score of 50, but passed him with a score of 75. Question weighting will often kick the fraudsters into the fail regions of your decisioning strategy, which is exactly what risk based authentication is all about.Consult with your fraud account management representative to see if you are making the most out of your KBA experience with the intelligent use of question weighting. It is a no-brainer way to improve your overall fraud prevention, even if you keep your overall pass rate the same.Question weighting is an easy way to squeeze more value of your knowledge based authentication tool.
Learn More Image
