By: Kristan Frend As my colleague Margarita Lim discussed in her December 3rd article, the SSA announced that it will change how social security numbers (SSNs) will be issued, with a move toward a random method of assigning SSNs. For organizations that currently incorporate the validation of an applicant’s SSN issue date and state as a part of their risk-based decisioning, they will lose this piece of applicant authentication post-randomization. But there is some good news – first, this validation piece won’t be entirely terminated on day one of the SSN randomization for organizations. All the change means is that the newly issued SSNs will be randomized. In other words, the only SSNs that the issue data and state won’t be validated on day one are the SSNs that have just been issued to the recently born or immigrants. Given that its likely newborns won’t be applying for credit for another 18 years, the bulk of the newly issued SSNs that organizations will see for a while are those belonging to adults who were recently issued a SSN…A growing number of applicants, but not the majority of applicants. The other bit of good news is this may actually be a good thing for all of us in the long run.   While we’ll end up losing the ability to validate an applicant’s SSN issue data and state, the criminals will be at an even greater disadvantage. Consider this- Last year researchers* were able to “identify all nine digits for 8.5 percent of people born after 1988 in fewer than 1,000 attempts. For people born recently in smaller states, researchers sometimes needed just 10 or fewer attempts to predict all nine digits.” I don’t expect this change to drastically reduce third party fraud rates but over time it should eliminate one component of identity theft and ultimately benefit an organization’s Customer Information Program. *The National Science Foundation, the U.S. Army Research Office, Carnegie Melon Cylab, and the Berkman Faculty Development Fund provided support for the research.  To view the entire study, please visit http://www.pnas.org/content/106/27/10975.full.pdf+html.

By: Ken Pruett The majority of the customers I meet with use some sort of Velocity Checks to assist with their Fraud and Compliance process. However, there are still quite a few that do not, especially when opening up New Business Accounts. Historical data checks have proven to be an effective form of identity theft prevention for both Consumer fraud and Commercial Fraud. We see scenarios where a perpetrator will have one successful penetration of a business and opens up a fraudulent account.  They then try and replicate this against the same business. All of the information may be different, with the exception of one element, often the phone number. Without velocity checks, this may not be identified at the time the account is being opened. More sophisticated rings try to be more creative in their fraudulent attempts. They may gain access to a consumers information and then go and apply at a variety of entities. They are more careful, so they never attempt to target the same business twice. They are aware that many companies have velocity checks, so they do not want to take a chance of having their information questioned. At a minimum, the use of in-house velocity checks should be a standard process for you fraud detection measures. Typical data elements to check against are; name (business or consumer), address, phone number, and Social Security Number. A fraud best practice would be to use a tool that provides velocity checks and incorporates the information into a fraud prevention tool. There are tools that provide checks across multiple businesses and this typically provides the best level of protection. By looking at inquiry information across multiple businesses, you are able to help prevent being a victim of some of the more sophisticated rings. Don’t find yourself being the easiest target. Once you get hit, it could snowball and you may be victimized multiple times. We all know there is no way to stop all of the fraud, but let’s not make it too easy on the perpetrators. Try and find a way to use some sort of velocity checks in your process to at least minimize your fraud risk.

By: Andrew Gulledge Bridgekeeper: “What is the air-speed velocity of an unladen swallow?” King Arthur: “What do you mean?  An African or European swallow?” Here are some additional reasons why the concept of an “average fraud rate” is too complex to be meaningful. Different levels of authentication strength Even if you have two companies from the same industry, with the same customer base, the same fraudsters, the same natural fraud rate, counting fraud the same way, using the same basic authentication strategies, they still might have vastly different fraud rates.  Let’s say Company A has a knowledge-based authentication strategy configured to give them a 95% pass rate, while Company B is set up to get a 70% pass rate.  All else being equal, we would expect Company A to have a higher fraud rate, by virtue of having a less stringent fraud prevention strategy.  If you lower the bar you’ll definitely have fewer false positives, but you’ll also have more frauds getting through.  An “average fraud rate” is therefore highly dependent on the specific configuration of your fraud prevention tools. Natural instability of fraud behavior Fraud behavior can be volatile.  For openers, one fraudster seldom equals one fraud attempt.  Fraudsters often use the same techniques to defraud multiple consumers and companies, sometimes generating multiple transactions for each.  You might have, for example, a hundred fraud attempts from the same computer-tanned jackass.  Whatever the true ratio of fraud attempts to fraudsters is, you can be confident that your total number of frauds is unlikely to be representative of an equal number of unique fraudsters.  What this means is that the fraud behavior is even more volatile than your general consumer behavior, including general fraud trends such as seasonality.  This volatility, in and of itself, correlates to a greater degree of variance in fraud rates, further depleting the value of an “average fraud rate” metric. Limited fraud data It’s also worth noting that we only know which of our authentication transactions end up being frauds when our clients tell us after the fact.  While plenty of folks do send us known fraud data (thus opening up the possibility of invaluable analysis and consulting), many of our clients do not.  Therefore even if all of the aforementioned complexity were not the case, we would still be limited in our ability to provide global benchmarks such as an “average fraud rate.” Therefore, what? This is not to say that there is no such thing as a true average fraud rate, particularly at the industry level.  But you should take any claims of an authoritative average with a grain of salt.  At the very least, fraud rates are a volatile thing with a great deal of variance from one case to the next.  It is much more important to know YOUR average fraud rate, than THE average fraud rate.  You can estimate your natural fraud rate through a champion/challenger process, or even by letting the floodgates open for a few days (or however long it takes to gather a meaningful sample of known frauds), then letting the frauds bake out over time.  You can compare the strategy fraud rates and false positive ratios of two (or more) competing fraud prevention strategies.  You can track your own fraud rates and fraud trends over time. There are plenty of things you can do to create standardize metrics of fraud incidence, but good heavens for the next person to ask me what our average fraud rate is, the answer is “No.”