By: Andrew Gulledge The intelligent use of question weighting in KBA should be a no-brainer for anyone using out of wallet questions. Here’s the deal: some authentication questions consistently give fraudsters a harder time than other questions. Why not capitalize on that knowledge? Question weighting is where each question type has a certain number of points associated with it. So a question that fraudsters have an easier time with might be worth only 50 points, while a question that fraudsters often struggle with might be worth 150 points. The KBA score then ends up being the total points correct divided by the total possible points. The point is to make the entire KBA session more punitive for the bad guys. Fraud analytics are absolutely essential to the use of intelligent question weighting. While fraud prevention vendors should have recommended question weights as part of their fraud best practices, if you can provide us with as many examples as possible of known fraud that went through the out of wallet questions, we can refine the best practice question weighting model to work better for your specific population. Even if we keep your pass rate the same, we can lower your fraud rate. On the other hand, we can raise your pass rate while keeping the fraud rate consistent. So whether your aim is to reduce your false positive rate (i.e., pass more of the good consumers) or to reduce your fraud rate (i.e., fail more of the fraudsters), or some combination of the two, question weighting will help you get there.
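The scoring rule in the post (points correct divided by total possible points) is easiest to appreciate against an unweighted session. The following is an added example, not code from the post or from Experian; the question types, point values, pass threshold and the two sample sessions are all constructed for illustration. It shows a session in which the answerer gets the "easy" questions right and the "hard" ones wrong passing under equal weighting but failing once the questions are weighted, while a genuine consumer who forgets one easy answer still passes.

```python
"""Weighted versus unweighted scoring of a knowledge-based authentication
(KBA) session. The question types, point weights, threshold and sessions
below are constructed for illustration, not a vendor's actual weight model."""

# Points per question type (assumed values). A type fraudsters answer easily
# is worth less; a type they often fail is worth more.
QUESTION_WEIGHTS = {
    "previous_street": 50,
    "vehicle_make": 50,
    "mortgage_lender": 100,
    "monthly_payment_range": 150,
    "county_of_prior_address": 150,
}

PASS_THRESHOLD = 0.60  # assumed share of available points needed to pass


def unweighted_score(answers):
    """Fraction of questions answered correctly; every question counts equally."""
    return sum(1 for correct in answers.values() if correct) / len(answers)


def weighted_score(answers, weights=QUESTION_WEIGHTS):
    """Points earned divided by total possible points, as the post describes."""
    possible = sum(weights[q] for q in answers)
    earned = sum(weights[q] for q, correct in answers.items() if correct)
    return earned / possible


def decide(answers, weighted=True, threshold=PASS_THRESHOLD):
    """Pass/fail the session under either scoring rule."""
    score = weighted_score(answers) if weighted else unweighted_score(answers)
    return "pass" if score >= threshold else "fail"


# Constructed sessions. The first answerer knows the easy facts (the kind that
# travel with a stolen wallet) but misses the hard ones; the genuine consumer
# simply forgot one easy answer.
EASY_ONLY_SESSION = {
    "previous_street": True,
    "vehicle_make": True,
    "mortgage_lender": True,
    "monthly_payment_range": False,
    "county_of_prior_address": False,
}
GENUINE_SESSION = {
    "previous_street": True,
    "vehicle_make": False,
    "mortgage_lender": True,
    "monthly_payment_range": True,
    "county_of_prior_address": True,
}

if __name__ == "__main__":
    for name, session in [("easy-only", EASY_ONLY_SESSION), ("genuine", GENUINE_SESSION)]:
        print(f"{name}: unweighted={unweighted_score(session):.2f} -> "
              f"{decide(session, weighted=False)}, "
              f"weighted={weighted_score(session):.2f} -> {decide(session)}")
```

With equal weights both sessions clear the 60% line; with the weights applied the easy-only session earns 200 of 500 points (0.40) and fails, while the genuine session earns 450 of 500 (0.90). Tuning the weights from confirmed-fraud sessions, as the post suggests, is what moves the two populations apart.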
By: Margarita Lim You may be surprised to learn that identity theft isn’t just a crime committed by an individual or individuals. There are identity theft rings that are organized and operated like corporations. A recent Justice Department press release described such an operation in New Jersey that involved 53 individuals who took part in a known fraud activity called Bust Out Fraud. Basically, the fraud ring purchased valid social security cards and then sold the social security cards to customers who then obtained driver’s licenses and other proof of identity-type cards. The fraud ring then built up the credit scores of these customers by adding them to existing credit card accounts. Once the customers with the fraudulent identities achieved good credit scores, they opened their own fraudulent bank accounts, credit cards, lines of credit, etc. The credit cards were used to make fraudulent purchases or rack up charges with vendors in cahoots with the fraud ring, and the fraudulent bank accounts were used to pay off the charge accounts or the charges went unpaid. Fraud trends like these cost banks, credit card companies and many others millions of dollars – costs that ultimately get passed on to you and me, the consumers. Fortunately, Experian has Fraud Products that can help companies minimize fraud losses from Bust Out Fraud as well as other types of fraud. Our BustOut Score helps decrease bust out losses by predicting and detecting bust out frauds one to three months in advance of the event happening. In addition, we have Fraud Shield Indicators or fraud alerts available on credit reports that flag when there is a recent or new authorized user added to an established credit account. Experian supports Identity Theft Prevention Programs by offering highly accurate consumer identity verification services.
We’re not reliant solely on credit bureau data and are able to use multi-sourced data to confirm different components of a consumer’s identity – name, address, date of birth, etc. Our consumer authentication and fraud prevention product, Precise ID, and our knowledge based authentication product, Knowledge IQ, are highly respected in the marketplace for their reliability, quality and accuracy.
By: Margarita Lim Consumer data has increasingly become commoditized over the years. There’s a lot of it and it’s arguably more easily obtainable. Social Security number and date of birth information was once considered confidential information. Today, those data elements in addition to traditional consumer data such as name, address and phone number are more publicly available (either legitimately or illegitimately). The advent and popularity of social network Internet sites have also made considerable information about a person’s life – both professional and personal, available for anyone’s viewing pleasure. So the question is…how much is too much information? If you’re a consumer who is particular about privacy, then you’ll have a lower threshold. On the other hand, if you’re a business trying to minimize fraud losses, then you’re at the other end of the spectrum - you can never have enough information to help prevent fraud – especially when you’re trying to keep up with fraud trends. Data is a key element in fraud prevention. Experian has access to many data assets and has a reputation for providing high quality fraud products in the marketplace. The data we use in our fraud products comes from multiple sources and sets us apart from our competitors because corroborated data is more reliable than data from a single source. Having access to multiple data sources is especially beneficial in our Knowledge Based Authentication product where the different sources provide data that is critical to generating out of wallet questions. Since companies rely on our fraud products to comply with the government’s Red Flag Rules and support Identity Theft Prevention Programs, it is extremely important that we have as much data as possible in our arsenal to thwart fraudsters’ activities and prevent consumers from being victimized by criminals. Keep in mind that these programs are only as good as the data used to confirm a person’s identity. 
Although information can be a double-edged sword, I don’t think one can have too much information especially when the goal is to minimize fraud.
By: Kenneth Pruett I really thought I was going to be on easy street after receiving two emails in less than a week. The first email was telling me about some long lost relative in the UK who passed away over 10 years ago. His riches, which were over $20 million, would be forfeited to the government if an heir to the fortune did not claim the money. I was impressed how they figured out that I was the long lost “heir” to this millionaire just by looking at my email address. They also identified me specifically by calling me by name, “Dear Sir”. The other email was a bit more intriguing. It involved a suitcase full of money. This was sent to me by a woman, who was in an abusive relationship but somehow had a chest full of money in America. For a certain percentage of the money, she was willing to pay me for my efforts to help her gain access to the suitcase and its contents. I am still surprised at just how many people fall victim to these types of email scams. They have been going on for quite some time, commonly known as the Nigerian 419 scam. I have noticed that the emails have changed a bit and seem to have become more convincing. The scammers also seem to be a bit more patient and work harder to gain the victim’s confidence in the legitimacy of the transaction. Individuals who give their information to these scammers will soon find out what a big mistake they have made. The goal of these groups is to gain access to a consumer’s money. They also will attempt to gather personal and banking information. Some victims of these scams may end up having their identity stolen. If they do attempt to use the identity information, they will typically make multiple attempts in a short period of time to establish credit. One way to help fight this type of organized fraud ring activity is to use velocity checks to track data elements. For example, a bank may want to know if a Social Security number has been used more than once within a certain period of time.
Fraud analytic studies have also found that tracking data elements across multiple customers can be very predictive in preventing fraud tied to identity theft rings. Elements often tracked are things like addresses, Social Security numbers and phone numbers. If these scammers attempt to take over consumers’ current bank accounts, they may attempt to change the address and possibly the phone number on the account. This is to prevent the true consumer from getting a phone call or mail relating to their account changes. Many entities therefore send a letter or make a call to the prior address or phone number before officially making such changes in their systems. One other way to protect against account takeover is to run the address and/or phone number against a database of known fraud. A National Fraud Database can be helpful in identifying addresses that have been used in previous fraud activity. The Nigerian 419 scams will continue to be a problem. The need for money is just too great for some people to resist. For banks, card issuers and credit unions, it is wise to put tools in place to help fight identity theft. This scam only represents a sample of the various fraudulent groups out there who make their living by ripping off these types of businesses. As I often say to my customers… I have done about everything in the fraud space, except commit it, which is the most profitable area. Good luck in your efforts to help us fight this ongoing problem.
In my last entry I mentioned how we’re working with more and more clients that are ramping up their fraud and compliance processes to ensure Red Flag compliance. But it’s not just the FACT Act Identity Theft Program requirements that are garnering all the attention. As every financial institution is painfully aware, numerous compliance requirements exist around the USA PATRIOT Act and Know Your Customer, Anti-Money Laundering, e-Signature and more. Legislation for banks, lenders, and other financial services organizations is only likely to increase with President Obama’s appointment of Elizabeth Warren to the new Bureau of Consumer Financial Protection. Typically FIs must perform due diligence across more than one of these requirements, all the while balancing the competing pressures of revenue growth, customer experience, fraud referral rates, and risk management. Here’s a case where we were able to offer a solution to one client’s complex needs. Recently, we were approached by a bank’s sales channel that needed to automate their Customer Information Program (CIP). The bank’s risk and compliance department had provided guidelines based on their interpretation of due diligence appropriate for CIP, and now the Sales group had to find a tool that could facilitate these guidelines and decision applicants appropriately. The challenge was doing so without a costly custom solution, without sacrificing their current customer service SLAs, and while being able to define the criteria in the CIP decisioning rather than accepting a stock interpretation. The solution was to invest in a customer authentication product that offered flexible, adaptable “off the shelf” decisioning along with knowledge based authentication, aka out of wallet questions. The fact that the logic was hosted reduced costly and time consuming software and hardware implementations while at the same time allowing easy modification should their CIP criteria change or pass and review rates need to be tweaked. The net result?
Consistent customer treatment and objective application of the CIP guidelines, more cross selling confidence, and the ability to refer only those applicants with fraud alerts or who did not meet the name, address, SSN, and DOB check for further authentication.
Another consumer protection article in the news recently highlighted some fraud best practices for social networking sites. When I say fraud best practices, I mean best practices to minimize fraud and identity theft risk…not best practices for fraudsters. Although I wonder if by advising consumers about new fraud trends and methods, some fraudsters are picking up new tips and tricks? Anyway, many of the suggestions in the article are common sense items that have been making the rounds for some time now: don’t post vacation plans, things that might provide clues to your passwords or secret questions, etc. What I found surprising was that this list of “6 Things You Should Never Reveal on Facebook” still included birth date and place and home address. Are people overly trusting or just simply unaware of the risk of providing personal identifying information out in cyberspace, unsecured? The US government has gone to a lot of trouble to protect consumers from identity theft through its issuance of the Red Flags rule and Red Flags guidelines for financial institutions of all types. I work with many clients that are going to large efforts to meet these important goals for fraud and compliance. Not just because the legislation requires it but because they know it is in the best interest of fostering long term and trust-based relationships with their customers. But just as much responsibility lies on us as consumers to protect ourselves. Each individual or family should have their own little identity theft prevention program that includes: guidelines for sharing information on social networking sites, shredding of paper documents with personal data, safe storage of passwords (i.e. not written down by your computer!), and up to date virus and malware protection on their computer.
Anyone keeping tabs on the legal scene would think data breaches are something new, given all of the legislation hitting the floor of Congress, when in reality they have been happening since businesses began saving data. The truth is the average consumer didn’t really think about it until they started to hear about data breaches and fraud trends when California blazed a trail with what is considered to be the “grandma” of data breach laws back in 2002. The California law (CA SB 1386) required entities to report data breaches if a California resident was a record in the breach that included personally identifiable information and met the state’s criteria for breach. One might say that law started it all: data breach reporting, the ability for watchdog tracking, and media coverage – before CA SB 1386 we only saw the tip of the iceberg. There are currently four bills in Congress worth watching that could have some significant impact on data breach notification requirements:
Senate Bill 139, sponsored by California Sen. Dianne Feinstein. The Data Breach Notification Act would cover any agency or business that uses or stores personally identifiable information and make it mandatory that if a breach occurred, the victims would be informed.
Senate Bill 3579, the Carper-Bennett legislation, entitled the Data Security Act of 2010, applies to financial institutions, retailers and government agencies, and would require these entities to safeguard sensitive information, investigate security breaches and notify consumers when there is a substantial risk of identity theft or account fraud. This bill is aimed at protecting consumers and businesses from identity theft and account fraud.
Senate Bill 3742, entitled The Data Security and Breach Notification Act of 2010, sponsored by Senators Mark Pryor and Jay Rockefeller, would cross industries and imposes special requirements for data brokers. It was referred this month to the Committee on Commerce, Science and Technology, which Rockefeller chairs.
Senate Bill 1490, entitled the Personal Data Privacy and Security Act, designates unauthorized access of personally identifiable information as fraud and allows the act to lead to racketeering charges. Sponsored by Senate Judiciary Committee Chairman Patrick Leahy, it would also prohibit concealment of security breaches involved in fraud and prohibit the dismissal of a Chapter 7 bankruptcy case if the debtor is an identity-theft victim.
Many organizations already provide for data breach and the security of personally identifiable information as part of an Identity Theft Prevention Program or Red Flags Rule compliance. I’m happy to say that many rely on Experian tools (https://www.experian.com/data-breach/data-breach-resources.html) for data breach or Enterprise Risk Management solutions. However, any of these bills could change the game for many businesses not already regulated by the Gramm-Leach-Bliley Act (GLB), the Fair Credit Reporting Act (FCRA) or Fair and Accurate Credit Transactions Act (FACTA). In fact, two of the bills would essentially subject data brokers to the same kinds of legislation that financial institutions have under FCRA. The reasoning behind it is that fraud trends continue to show risk levels are the same to the consumer, regardless of where the information is stored. The financial industry and credit bureau data have been regulated for years so, in a sense, I think it’s just “more of the same” unless you happen to be in an industry not regulated as stringently. Still… it’s worth keeping those “tabs” and RSS feeds alive.
Working with clients in the financial sector means keeping an eye toward compliance and regulations like the Gramm-Leach-Bliley Act (GLB), the Fair Credit Reporting Act (FCRA) or Fair and Accurate Credit Transactions Act (FACTA). It doesn’t really matter what kind of product it is; if a client is a financial institution (FI) of some kind, one of these three pieces of legislation is probably going to apply. The good part is, these clients know it and typically have staff dedicated to these functions. In my experience, where most clients need help is in understanding which regulations apply or what might be allowed under each. The truth is, a product designed to minimize fraud, like knowledge based authentication, will function the same whether using FCRA regulated or non-FCRA regulated data. The differences will be in the fraud models used with the product, the decisioning strategies set up, the questions asked and the data sources of those questions. Under GLB it is acceptable to use fraud analytics for detection purposes, as fraud detection is an approved GLB exception. However, under FCRA rules, fraud detection is not a recognized permissible purpose (for accessing a consumer’s data). Instead, written instructions (of the consumer) may be used as the permissible purpose, or another permissible purpose permitted under FCRA, such as legitimate business need due to risk of financial loss. Fraud best practices dictate engaging with clients, and their compliance teams, to ensure the correct product has been selected based on client fraud trends and client needs. A risk based authentication approach, using all available data and appropriately decisioning on that data, whether or not it includes out of wallet questions, provides the most efficient management of risk for clients and the best experience for consumers.
Quite a scary new (although in some ways old) form of identity theft in the headlines recently. Here’s a link to the article, which talks about how children’s dormant Social Security numbers are being found and sold by companies online under the guise of CPNs – aka credit profile numbers or credit protection numbers. Using deceased, “found”, or otherwise illicitly obtained Social Security numbers is not something new. Most identity theft prevention programs consider deceased and non-issued ranges as identity theft red flags under the FACTA Red Flag guidelines. In fact, Experian’s and any good identity verification tool is going to check against the Social Security Administration’s list of numbers listed as deceased as well as ensure the submitted number is in an SSA valid issue range – providing fraud alerts if not. A child’s valid but dormant Social Security number, however, would not flag as either. The two things I find most troubling here are: One, the sellers have found a way around the law by not calling them Social Security numbers and calling them CPNs instead. That seems ludicrous! But, in fact, the article goes on to state that “Because the numbers exist in a legal gray area, federal investigators have not figured out a way to prosecute the people involved”. Two, because of the anonymity and the ability to quickly set up and abandon “shop”, the online marketplace is the perfect venue for both buyer and seller to connect with minimal risk of being caught. What can we as consumers and businesses take away from this? As consumers, we’re reminded to be ever vigilant about the disclosure of not only OUR Social Security number but that of our family members as well. For businesses, it’s a reminder to take advantage of additional identity verification and fraud prediction tools, such as Experian’s Precise ID, Knowledge IQ, and BizID, when making credit decisions or opening accounts rather than relying solely on consumer credit scores.
Knowledge IQ’s knowledge based authentication offers out of wallet questions that may help ensure you’re dealing with the true consumer.
Ah…the summer vacation. I’ve just returned from mine and it got me wondering, “Do fraudsters take a vacation?” You know they must. Probably somewhere nice courtesy of their illicit activities. On our summer vacation, we stayed in rental homes rather than in hotels because of the convenience of having a kitchen, more space to move around, etc. There are many websites that provide vacation home rentals, either offered by an agency or directly by the owners themselves. It would be interesting to know how many (any?) of these sites have Identity Theft Prevention Programs in place for their clients and prospective renters. Although Red Flags rules do not apply to this industry, certainly some fraud best practices and a proactive risk management approach are good for business. In the case of the homeowners dealing directly with prospective renters, what struck me is that there is quite a bit of trust involved in these arrangements. It’s safe to say that most transactions, like ours, are conducted over email and/or the phone. Payment is collected in advance by check or credit card but in our case, and in many if not most others, there is no deposit. Since I work daily around commercial and consumer fraud, I couldn’t help but wonder what the exposure is for fraud risk and identity theft – both to the home owner as well as to the person renting the home. Just look at the information exchanged… The renter provides: name, address, phone number, email address, check (which would include account and routing number) OR credit card number and expiration date. The owner provides: name, phone number, email address, and a home or office address (to which the renter mails the payment). Additionally, the renter knows of a second address associated with the owner – the rental property itself! With account takeover fraud still quite prevalent, that’s quite a bit of personal information that both parties know about each other.
Now, the fact that these types of rental transactions occur often and without many (at least publicized) known fraud and identity theft incidents seems to indicate that people on both sides are trustworthy. Still…it does make you think of the exposure if one of the parties is less than honest….say a fraudster on their summer vacation?
By: Kennis Wong In the last post, I emphasized the importance of fraud detection even after an account has been approved. If information gathered later indicates an application was fraudulent, credit issuers can still take action on the account to minimize fraud losses. Monitoring your internal systems to find suspicious activities is one way to do it. If the account holder has unusual purchase patterns, such as spending $2000 at a dry cleaner, you may want to stop and have a closer look. But more revealing would be the bigger picture – Is the account holder developing other financial relationships? Do these other applications indicate high identity theft risk? Are there any unusual patterns across the multiple financial relationships? The tricky part is finding the related applications. If you are looking only for applications that use the same SSN, name, DOB, address and phone number, you may be missing information that helps detect fraud. Fraudsters often mutate elements of the PII when they use stolen identities to hide their fraudulent activity. If you link related applications together, you can then look for unusual patterns collectively. Find that the same social security number was used 10 times, with different addresses, all in the same week? Bad sign. Individual signs may help very little. False-positive and fraud referral rates may be too high if your action is based on just one or two signs. That’s why Experian recommends using a risk-based method for minimizing fraud instead of a rule-based method. You need fraud analytics to put all signs together in a way that is predictive of identity theft. Timeliness is the key to successful fraud account management. If the identity fraudster has already used all available credit on a credit line, then it is too late to minimize fraud and take action on the account. The only benefit at that point is saving time by telling your collection department not to waste effort attempting to collect on the account.
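The velocity checks described in the Nigerian 419 post (an SSN reused within a period, addresses and phone numbers tracked across customers, a lookup against a known-fraud address list) and the application linking described here (one SSN, many addresses, mutated names, all in one week) are the same mechanism: group applications on one identity element and look back over a time window. The following is an added example, not code from these posts or from Experian; the application records, the seven-day window, the thresholds and the stand-in known-fraud address list are all constructed. It links on the SSN alone, so the mutated names do not hide the pattern, and it also shows the window expiring for an application that arrives two weeks later.

```python
"""Velocity and linkage checks over a stream of credit applications.
Constructed example: the records, window, thresholds and the known-fraud
address list below are assumptions, not any vendor's rules or data."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed application records:
# (timestamp, application id, SSN, name, address, phone).
# One stolen SSN reappears all week under mutated names and fresh addresses;
# a second applicant happens to share one of those addresses.
APPLICATIONS = [
    ("2010-09-01 09:00", "A1", "123-45-6789", "John Smith", "10 Elm St",  "555-0100"),
    ("2010-09-01 15:30", "A2", "123-45-6789", "Jon Smith",  "22 Oak Ave", "555-0100"),
    ("2010-09-02 11:10", "A3", "123-45-6789", "J. Smith",   "7 Pine Rd",  "555-0188"),
    ("2010-09-03 08:45", "A4", "123-45-6789", "John Smyth", "22 Oak Ave", "555-0199"),
    ("2010-09-03 16:20", "A5", "987-65-4321", "Ana Lopez",  "22 Oak Ave", "555-0155"),
    ("2010-09-15 10:00", "A6", "123-45-6789", "John Smith", "10 Elm St",  "555-0100"),
]

# Constructed stand-in for the post's "National Fraud Database" address list.
KNOWN_FRAUD_ADDRESSES = {"22 Oak Ave"}

WINDOW = timedelta(days=7)
MAX_USES_PER_WINDOW = 2     # assumed: same SSN on more than 2 applications in 7 days
MAX_DISTINCT_ADDRESSES = 2  # assumed: more than 2 addresses for one SSN in 7 days


def parse(records):
    """Turn the string timestamps into datetimes so the window arithmetic works."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), app, ssn, name, addr, phone)
            for ts, app, ssn, name, addr, phone in records]


def velocity_flags(records, window=WINDOW):
    """For each application, look back over `window` at earlier applications
    with the same SSN and count uses and distinct addresses. Linking on the SSN
    alone (not the full PII tuple) is what catches the mutated names."""
    apps = sorted(parse(records))  # chronological; timestamps are the sort key
    flags = {}
    for i, (ts, app, ssn, _name, addr, _phone) in enumerate(apps):
        recent = [r for r in apps[:i + 1] if ts - r[0] <= window and r[2] == ssn]
        uses = len(recent)
        addresses = {r[4] for r in recent}
        reasons = []
        if uses > MAX_USES_PER_WINDOW:
            reasons.append(f"ssn_used_{uses}x_in_{window.days}d")
        if len(addresses) > MAX_DISTINCT_ADDRESSES:
            reasons.append(f"{len(addresses)}_addresses_for_ssn")
        if addr in KNOWN_FRAUD_ADDRESSES:
            reasons.append("address_in_known_fraud_list")
        flags[app] = reasons
    return flags


def shared_element_clusters(records):
    """Cross-customer view: addresses or phones shared by more than one distinct
    SSN, the kind of element tracking across customers the 419 post describes."""
    by_addr, by_phone = defaultdict(set), defaultdict(set)
    for _ts, _app, ssn, _name, addr, phone in parse(records):
        by_addr[addr].add(ssn)
        by_phone[phone].add(ssn)
    return {"address": {a: len(s) for a, s in by_addr.items() if len(s) > 1},
            "phone": {p: len(s) for p, s in by_phone.items() if len(s) > 1}}


if __name__ == "__main__":
    for app, reasons in velocity_flags(APPLICATIONS).items():
        print(app, reasons or "ok")
    print(shared_element_clusters(APPLICATIONS))
```

A1 is clean on its own; A3 and A4 trip both the use count and the distinct-address count inside the week, A2, A4 and A5 match the known-fraud address, and A6, two weeks later, is flagged on nothing because the window has expired. That last case is the reason the post stresses timeliness: the same SSN seen on Day 7 is evidence, but only if the earlier applications are still inside the window you look back over.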
By: Kennis Wong Most lenders authenticate applicants before they extend credit. With identity theft so prevalent today, not ensuring you are dealing with the real consumer before starting a customer relationship is like playing Russian roulette. Especially for installment loans, when the goods are out, the chance of recouping the money in the case of identity theft is slim. Even for secured loans like car loans, fraudsters can always cash out the car in Mexico, and you will never see the shadow of it again. No wonder lenders place a lot of emphasis on checking people’s identities at application. For many cases, this is really the key point where identity fraud can be stopped. But it is not necessarily true for all types of lenders. For revolving loans, lenders could still minimize fraud losses after a credit application is approved, as long as available credit still exists. You can imagine that once a fraudster gets hold of someone’s identity, s/he is likely to maximize its value by using it again and again. Therefore, there should be more credit activities, hence more evidence of misuse, by Day 7 than on Day 1. In the unfortunate event that a fraudster passes authentication on Day 1, it is still possible that you discover the fraud on Day 7 if you have new information. If you are a credit card issuer, it means you can still stop the action before the credit card gets to the fraudster’s hand and gets activated. Unfortunately for a lot of smaller lenders, the due diligence stops at the point of application. Even larger lenders only start their “account management” fraud detection at the point of a high-risk transaction or payment. By not watching the new customer relationship more closely and studying fraud trends, they are missing out on fraud loss reduction opportunities.
By: Kristan Frend It seems as though desperate times call for desperate measures: with revenues down and business loans tougher than ever to get, “shelf” and “shell” companies appear to be on the rise. First let’s look at the difference between the two: Shelf companies are defined as corporations formed in a low-tax, low-regulation state in order to be sold off for their excellent credit rating. According to the Better Business Bureau, off-the-shelf structures were historically used to streamline a start-up, but selling them as a way to get around credit guidelines is new, making them unethical and possibly illegal. Shell companies are characterized as fictitious entities created for the sole purpose of committing fraud. They often provide a convenient method for money laundering because they are easy and inexpensive to form and operate. These companies typically do not have a physical presence, although some may set up a storefront. According to the U.S. Department of the Treasury’s Financial Crimes Enforcement Network, shell companies may even purchase corporate office “service packages” in order to appear to have established a more significant local presence. These packages often include a state business license, a local street address, an office that is staffed during business hours, a local telephone listing with a receptionist and 24-hour personalized voice mail. In one recent bust out fraud scenario, a shell company operated out of an office building and signed up for service with a voice over Internet protocol (VoIP) provider. While the VoIP provider typically conducts on-site visits to all new accounts, this step was skipped because the account was acquired through a channel partner. During months one and two, the account maintained normal usage patterns and invoices were paid promptly. In month three, the account’s international toll activity spiked, causing the provider to question the unusual account activity.
The customer responded with a seemingly legitimate business explanation of the activity and offered additional documentation. However, the following month the account contact and business disappeared, leaving the VoIP provider with a substantial five figure loss. A follow-up visit to the business showed a vacant office suite. While it’s unrealistic to think all shelf and shell companies can be identified, there are some tools that can help you verify businesses, identify repeat offenders, and minimize fraud losses. In the example mentioned above, post-loss account review through Experian’s BizID identified an obvious address discrepancy: 12 businesses all listed at the same address, suggesting that the perpetrator set up numerous businesses and victimized multiple organizations. The moral of the story? Avoid being the next victim and refine and revisit your fraud best practices today. Click here for more information on Experian’s BizID.
The overarching ‘business driver’ in adopting a risk-based authentication strategy, particularly one that is founded in analytics and proven scores, is the predictive ‘lift’ associated with using scoring in place of a more binary rule set. While basic identity element verification checks, such as name, address, Social Security number, date-of-birth, and phone number are important identity proofing treatments, when viewed in isolation, they are not nearly as effective in predicting actual fraud risk. In other words, the presence of positive verification across multiple identity elements does not, alone, provide sufficient predictive value in determining fraud risk. Positive verification of identity elements may be achieved in customer access requests that are, in fact, fraudulent. Conversely, negative identity element verification results may be associated with both ‘true’ or ‘good’ customers as well as fraudulent ones. In other words, these false positive and false negative conditions lead to a lack of predictive value and confidence as well as inefficient and unnecessary referral and out-sort volumes. The most predictive authentication and fraud models are those that incorporate multiple data assets spanning traditionally used customer information categories such as public records and demographic data, but also utilize, when possible, credit history attributes, and historic application and inquiry records. A risk-based fraud detection system allows institutions to make customer relationship and transactional decisions based not on a handful of rules or conditions in isolation, but on a holistic view of a customer’s identity and predicted likelihood of associated identity theft, application fraud, or other fraud risk. 
To implement efficient and appropriate risk-based authentication procedures, the incorporation of comprehensive and broadly categorized data assets must be combined with targeted analytics and consistent decisioning policies to achieve a measurably effective balance between fraud detection and positive identity proofing results. The inherent value of a risk-based approach to authentication lies in the ability to strike such a balance not only in the current environment, but also as that environment and its underlying forces shift.
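The false-positive and false-negative conditions described above (a genuine customer with one element that fails to verify, a fraudulent request where every element verifies) are where a binary rule set and a score part company. The following is an added example, not code from the post or from Experian: a rule that passes only when every identity element verifies, beside an additive score over the same element checks plus broader attributes of the kind the post mentions, with pass, refer and fail bands. The signal names, weights, base score, bands and the four applicant cases are all assumptions constructed for illustration, not a vendor's model.

```python
"""Binary rule set versus score-based decisioning with a referral band.
Constructed example: the signals, weights, thresholds and applicant cases
are assumptions for illustration, not any vendor's model or policy."""

# Positive element verification lowers the score; broader attributes of the
# kind the post mentions (credit history, application and inquiry records)
# raise it. All weights are assumed.
SIGNAL_WEIGHTS = {
    "name_verified": -10,
    "address_verified": -10,
    "ssn_verified": -15,
    "dob_verified": -10,
    "phone_verified": -5,
    "address_on_file_lt_3_months": 25,  # address not yet seen in credit history
    "inquiries_last_7d_gt_3": 30,       # burst of recent applications elsewhere
    "ssn_issued_after_dob": 45,         # SSN issue date inconsistent with birth date
}
IDENTITY_ELEMENTS = ["name_verified", "address_verified", "ssn_verified",
                     "dob_verified", "phone_verified"]
BASE_SCORE = 50        # assumed prior risk, in score points
REFER_BAND = (40, 70)  # assumed: below 40 pass, 40..70 refer, above 70 fail


def rule_decision(applicant):
    """Binary rule: pass only when every identity element verifies, else refer."""
    return "pass" if all(applicant.get(e, False) for e in IDENTITY_ELEMENTS) else "refer"


def risk_score(applicant, weights=SIGNAL_WEIGHTS, base=BASE_SCORE):
    """Additive score over every signal that is present (True) for the applicant."""
    return base + sum(w for signal, w in weights.items() if applicant.get(signal, False))


def score_decision(applicant, band=REFER_BAND):
    """Map the score onto pass / refer / fail using the referral band."""
    low, high = band
    score = risk_score(applicant)
    if score < low:
        return "pass"
    if score > high:
        return "fail"
    return "refer"


def referral_rate(cases, decide):
    """Share of cases a decision function sends to manual review."""
    return sum(1 for c in cases if decide(c) == "refer") / len(cases)


# Constructed applicants.
CLEAN = {e: True for e in IDENTITY_ELEMENTS}
JUST_MOVED = {**CLEAN, "address_verified": False, "address_on_file_lt_3_months": True}
NEW_PHONE = {**CLEAN, "phone_verified": False}
SYNTHETIC = {**CLEAN, "inquiries_last_7d_gt_3": True, "ssn_issued_after_dob": True}
CASES = [CLEAN, JUST_MOVED, NEW_PHONE, SYNTHETIC]

if __name__ == "__main__":
    for name, case in zip(["clean", "just_moved", "new_phone", "synthetic"], CASES):
        print(f"{name}: rule={rule_decision(case)} score={risk_score(case)} -> {score_decision(case)}")
    print("referral rate: rule", referral_rate(CASES, rule_decision),
          "score", referral_rate(CASES, score_decision))
```

The rule refers the two genuine customers whose only problem is a recent move or a new phone, and passes the synthetic identity whose elements all verify. The score passes the first two (35 and 5 points), fails the synthetic one (75 points) on the inquiry burst and the SSN issue-date inconsistency, and sends nothing to review, which is the reduction in referral and out-sort volume the post is describing. The weights here are illustrative; in practice they come from fitting a model to known outcomes, not from hand assignment.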