Lately there has been a lot of press about breaches and hacking of user credentials.  I thought it might be a good time to pause and distinguish between authentication credentials and identity elements. Identity elements are generally those bits of meta data related to an individual.  Things like: name, address, date of birth, Social Security Number, height, eye color, etc.  Identity elements are typically used as one part of the authentication process to verify an individual’s identity.  Credentials are typically the keys to a system that are granted after someone’s identity elements have been authenticated.  Credentials then stand in place of the identity elements and are used to access systems. When credentials are compromised, there is risk of account takeover by fraudsters with mal intent.  That’s why it’s a good idea to layer-in risk based authentication techniques along with credential access for all businesses.  But for financial institutions, the case is clear: a multi-layered approach is a necessity.  You only need to review the FFIEC Guidance of Authentication in an Internet Banking Environment to confirm this fact.  Boiled down to its essence, the latest guidance issued by the FFIEC is rather simple. Essentially it’s asking U.S. financial institutions to mitigate risk using a variety of processes and technologies, employed in a layered approach. More specifically, it asks those businesses to move beyond simple device identification — such as IP address checks, static cookies and challenge questions derived from customer enrollment information — to more complex device intelligence and more complex out-of-wallet identity verification procedures. In the world of online security, experience is critical.  Layered together, Experian’s authentication capabilities (including device intelligence from 41st Parameter, out-of-wallet questions and analytics) offers a more comprehensive approach to meeting and exceeding the FFIEC’s most recent guidance. More importantly, they offer the most effective and efficient means to mitigating risk in online environments, ensuring a positive customer experience and have been market-tested in the most challenging financial services applications.

Like their utility counterparts, communications providers routinely participate in federally subsidized assistance programs that discount installation or monthly service for qualified low-income customers. But, as utilities have found, certain challenges must be considered when mining this segment for new growth opportunities, including: Thwarting scammers who use falsified income data and/or multiple IDs to game the system and double up on discounts Equipping internal teams to efficiently process the potential mountain of program applications and recertification paperwork The right tool for the job Experian’s Financial Assistance CheckerSM product is a powerful scoring tool that indicates whether consumers may qualify for low-income assistance programs (such as LifeLine and LinkUp). Originally designed for (and currently used by) utilities, Financial Assistance Checker offers risk-reduction and resource utilization efficiencies that also benefit communications providers. Automation saves time For example, Financial Assistance Checker may be used to help qualify specific individuals among new and existing low-income program participants, as well as others who may qualify but have not yet enrolled. The solution also helps automate labor-intensive manual reviews, making the process less costly and more efficient. Some companies have reduced manual intervention by up to 50% by using financial assistance scores to automatically re-certify current enrollees. Strengthen your overall game plan Experian’s Financial Assistance Checker may be used to: Produce a score that aids in effective decisions Reduce the number of manually reviewed applications Facilitate more efficient resource allocation Mitigate fraud risk by rejecting unqualified applicants   Cautionary caveat Financial Assistance Checker is derived exclusively from Experian’s credit data without demographic factors. While it’s good at qualifying applicants and customers, it may not be used as a basis for adverse action or removal from a program — only to determine eligibility for low-income assistance. Today, acquisitions is the name of the game. If your growth strategy calls for leveraging subsidized segments, consider adding Experian’s Financial Assistance Checker product to your starting lineup. After all, the best offense could just be a strong defense. Link & Learn This link takes you to a short but informative video about LifeLine and LinkUp. See the FCC’s online Lifeline and Link Up program overview here. Hot off the government press! Click to see the FCC’s 6/21/11 report on Lifeline and LinkUp Reform and Modernization  

By: Kennis Wong On the surface, it’s not difficult to define existing account fraud. Obviously, it is fraud perpetrated against an existing account. But the way I see it, existing account fraud can be broken down into four types. The first type is account takeover fraud, which is what most organizations think as the de facto existing account fraud. This is when a real consumer using his or her own identity to open a legitimate account, but the account later on get taken over by an identity fraudster. The idea is that when the account was first established, it was created by the rightful person. But somewhere along the way, the account and identity information were compromised.  The fraudster uses the compromised information to engineer their way into the account. The second type is impersonation. Impersonation is somewhat similar to account takeover in the sense that it is also misusing the victim’s account. But the difference is that impersonation is more of a one or few times misuses of the account. Examples are a fraudulent use of a credit card or wire transfer. These are the obvious categories. But I think we should also think about these other categories. My definition of existing account fraud also includes this third type – identity fraud that was undetected during application. In other words, an account is established based on stolen identity.  Many organizations call this “new account fraud”, which I don’t have a problem with. But I think it’s really also existing account fraud, because –  is this existing account? The answer is yes. Is this fraud? Absolutely. It’s not that difficult, is it? Similarly, I am including first-party fraud in existing account fraud as well. A consumer can use his or her own identity to open an account, with an intention to default after the account is established. Example is bust out fraud. You see that this is an expanded definition of existing account fraud, because my focus is on detection. No matter at what point and how identity fraud comes in, it becomes an account in your organization, and that is where we need to discover the fraud. But at the end of the day, it’s not too important how to categorize or name the fraud – whether it's application fraud, existing account fraud, first party fraud or third party fraud, as long as organizations understand them enough and have a good way to detect them. Read more blog posts on existing account fraud.

Lately there has been a lot of press about breaches and hacking of user credentials.  I thought it might be a good time to pause and distinguish between authentication credentials and identity elements. Identity elements are generally those bits of meta data related to an individual.  Things like: name, address, date of birth, Social Security Number, height, eye color, etc.  Identity elements are typically used as one part of the authentication process to verify an individual’s identity.  Credentials are typically the keys to a system that are granted after someone’s identity elements have been authenticated.  Credentials then stand in place of the identity elements and are used to access systems. When credentials are compromised, there is risk of account takeover by fraudsters with mal intent.  That’s why it’s a good idea to layer-in risk based authentication techniques along with credential access for all businesses.  But for financial institutions, the case is clear: a multi-layered approach is a necessity.  You only need to review the FFIEC Guidance of Authentication in an Internet Banking Environment to confirm this fact.  Boiled down to its essence, the latest guidance issued by the FFIEC is rather simple. Essentially it’s asking U.S. financial institutions to mitigate risk using a variety of processes and technologies, employed in a layered approach. More specifically, it asks those businesses to move beyond simple device identification — such as IP address checks, static cookies and challenge questions derived from customer enrollment information — to more complex device intelligence and more complex out-of-wallet identity verification procedures. In the world of online security, experience is critical.  Layered together, Experian’s authentication capabilities (including device intelligence from 41st Parameter, out-of-wallet questions and analytics) offers a more comprehensive approach to meeting and exceeding the FFIEC’s most recent guidance. More importantly, they offer the most effective and efficient means to mitigating risk in online environments, ensuring a positive customer experience and have been market-tested in the most challenging financial services applications.

Like their utility counterparts, communications providers routinely participate in federally subsidized assistance programs that discount installation or monthly service for qualified low-income customers. But, as utilities have found, certain challenges must be considered when mining this segment for new growth opportunities, including: Thwarting scammers who use falsified income data and/or multiple IDs to game the system and double up on discounts Equipping internal teams to efficiently process the potential mountain of program applications and recertification paperwork The right tool for the job Experian’s Financial Assistance CheckerSM product is a powerful scoring tool that indicates whether consumers may qualify for low-income assistance programs (such as LifeLine and LinkUp). Originally designed for (and currently used by) utilities, Financial Assistance Checker offers risk-reduction and resource utilization efficiencies that also benefit communications providers. Automation saves time For example, Financial Assistance Checker may be used to help qualify specific individuals among new and existing low-income program participants, as well as others who may qualify but have not yet enrolled. The solution also helps automate labor-intensive manual reviews, making the process less costly and more efficient. Some companies have reduced manual intervention by up to 50% by using financial assistance scores to automatically re-certify current enrollees. Strengthen your overall game plan Experian’s Financial Assistance Checker may be used to: Produce a score that aids in effective decisions Reduce the number of manually reviewed applications Facilitate more efficient resource allocation Mitigate fraud risk by rejecting unqualified applicants   Cautionary caveat Financial Assistance Checker is derived exclusively from Experian’s credit data without demographic factors. While it’s good at qualifying applicants and customers, it may not be used as a basis for adverse action or removal from a program — only to determine eligibility for low-income assistance. Today, acquisitions is the name of the game. If your growth strategy calls for leveraging subsidized segments, consider adding Experian’s Financial Assistance Checker product to your starting lineup. After all, the best offense could just be a strong defense. Link & Learn This link takes you to a short but informative video about LifeLine and LinkUp. See the FCC’s online Lifeline and Link Up program overview here. Hot off the government press! Click to see the FCC’s 6/21/11 report on Lifeline and LinkUp Reform and Modernization  

By: Kennis Wong On the surface, it’s not difficult to define existing account fraud. Obviously, it is fraud perpetrated against an existing account. But the way I see it, existing account fraud can be broken down into four types. The first type is account takeover fraud, which is what most organizations think as the de facto existing account fraud. This is when a real consumer using his or her own identity to open a legitimate account, but the account later on get taken over by an identity fraudster. The idea is that when the account was first established, it was created by the rightful person. But somewhere along the way, the account and identity information were compromised.  The fraudster uses the compromised information to engineer their way into the account. The second type is impersonation. Impersonation is somewhat similar to account takeover in the sense that it is also misusing the victim’s account. But the difference is that impersonation is more of a one or few times misuses of the account. Examples are a fraudulent use of a credit card or wire transfer. These are the obvious categories. But I think we should also think about these other categories. My definition of existing account fraud also includes this third type – identity fraud that was undetected during application. In other words, an account is established based on stolen identity.  Many organizations call this “new account fraud”, which I don’t have a problem with. But I think it’s really also existing account fraud, because –  is this existing account? The answer is yes. Is this fraud? Absolutely. It’s not that difficult, is it? Similarly, I am including first-party fraud in existing account fraud as well. A consumer can use his or her own identity to open an account, with an intention to default after the account is established. Example is bust out fraud. You see that this is an expanded definition of existing account fraud, because my focus is on detection. No matter at what point and how identity fraud comes in, it becomes an account in your organization, and that is where we need to discover the fraud. But at the end of the day, it’s not too important how to categorize or name the fraud – whether it's application fraud, existing account fraud, first party fraud or third party fraud, as long as organizations understand them enough and have a good way to detect them. Read more blog posts on existing account fraud.