Tag: fraud prevention

Technology sharing can unlock a more effective strategy in fighting fraud. Experian’s multi-layered and risk-based approach to fraud management is discussed as many businesses are learning that combining data and technology to strengthen their fraud risk strategies can help reduce losses. Evolving fraud schemes, changes in regulatory requirements and the advent of new digital initiatives make it difficult for businesses to manage all of the tools needed to keep up with the relentless pace of change.

Experian is recognized as a leading security solution provider for fraud and identity solutions in order to protect customers and financial institutions

Unfortunately, identity theft can happen to anyone and has far-reaching consequences for its victims. According to the US Department of Justice (DOJ)’s most recent study, 17.6 million people in the US experience some form of identity theft each year. This includes activities such as fraudulent credit card transactions or personal information being used to open unauthorized accounts. The most obvious consequence that identity theft victims encounter is financial loss, which comes in two forms: direct and indirect. Direct financial loss refers to the amount of money stolen or misused by the identity theft offender. Indirect financial loss includes any outside costs associated with identity theft, like legal fees or overdraft charges. The DOJ’s study found that victims experienced a combined average loss of $1,343. In total, identity theft victims lost a whopping $15.4 billion in 2014. Beyond money lost, identity theft can negatively impact credit scores. While credit card companies detect a majority of credit card fraud cases, the rest can go undetected for extended periods of time. A criminal’s delinquent payments, cash loans, or even foreclosures slowly manifest into weakened credit scores. Victims often only discover the problem when they are denied for a loan or credit card application. Last year, Experian found that these types of fraud take the longest time to resolve. Identity theft doesn’t just impact victims financially; it also often takes a significant emotional toll. A survey from the Identity Theft Research Center found that 69 percent felt fear for their personal financial security, and 65 percent felt rage or anger. And, almost 40 percent reported some sleep disruption. These feelings increased over time when victims were unable to settle the issue on their own, according to the report, which can result in problem as work or school, and add stress to relationships with friends and family. Thankfully, consumers are getting smarter about the best ways to protect their information, like using monitoring services or following security best practices. How are you protecting yourself against identity theft? Learn more about our Identity Protection Services

Experian has been selected as one of the leading players in the fraud detection and prevention space in Juniper Research’s Online Payment Fraud strategies report.

Adam Fingersh, senior vice president and general manager of Experian’s fraud and identity business, shared several fraud prevention strategies that businesses and consumers can use to manage risk and increase security while using Internet-enabled products, also known as the Internet of Things (IoT).

What difference does $4.40 make? It can’t buy you much on its own, but it can make a world of difference when you’re handling the aftermath of a data breach or other cyberattack. That’s how much cyber insurance protection reduces the per-record cost of a data breach, according to the Ponemon Institute’s 2015 Cost of a Data Breach report. Whether you’re a small business owner with just a few hundred customers or a global corporation with records in the millions, the cost of being without cyber insurance in the wake of an incident can be extreme. When you consider the sheer number of records involved in recent mega-breaches — more than 78 million in the Anthem breach alone — the cost reduction can easily soar into hundreds of million dollars saved. And while smaller businesses may have fewer records to be breached, the impact of an attack can be even more devastating to them than to global entities when they experience a mega-breach. Yet less than one-third (32 percent) of businesses surveyed for Ponemon’s study reported having cyber insurance. The percentage was a bit better when the Risk Management Society (RIMS) asked 284 of its members about cyber insurance; 51 percent reported having stand-alone cyber insurance policies. Even fewer small businesses report having cyber insurance. Just 5 percent of small business owners surveyed by Endurance International Group said they carried cyber insurance, despite 81 percent believing cybersecurity is a concern for small business. Those who have cyber insurance clearly understand its value. RIMS members said they bought policies to: Reduce the risk of an incident damaging their company’s reputation (79 percent). Minimize the potential impact of business interruption (78 percent). Aid in data breach response and notification (73 percent). What’s more, of the RIMS members who didn’t have cyber insurance, 74 percent said they were considering buying it within the next 12–24 months. While small business owners also appear aware of the risk, they seem less cognizant of the benefits of cyber insurance and other cybersecurity measures. Endurance found that although 94 percent of small business owners said they do think about cybersecurity issues, and nearly a third have experienced an attack or an attempt, just 42 percent have invested in cybersecurity in the past year. A widely reported study by the National Cyber Security Alliance asserts that 60 percent of small businesses that experience a data breach go out of business within six months. Cyber insurance premiums vary widely and are largely tied to a company’s revenues and exposure. Policies typically aim to address risks commonly associated with a cyberattack, including: Liability for loss of confidential information that occurs through unauthorized access to a company’s computer systems. Data breach costs including notification of affected consumers, customer support and providing credit monitoring to affected customers. The costs of restoring, improving or replacing compromised technologies. Regulatory compliance costs. Business interruption expenses. Of course, like virtually any other type of insurance, cyber insurance policies can be customized to address the risks facing the individual policy holder. Many in the insurance industry feel that cyber insurance products have matured, evolving into a type of protection that businesses both large and small simply can’t afford to do without. When you consider the devastating risk of facing a cyberattack without insurance, that simple per-record cost savings of just $4.40 takes on a much deeper meaning. While more large companies are seeing the value of cyber insurance, small business owners need to begin incorporating this valuable type of protection into their overall cyber security plans. Learn more about our Data Breach solutions

Loyalty fraud and the customer experience Criminals continue to amaze me. Not surprise me, but amaze me with their ingenuity. I previously wrote about fraudsters’ primary targets being those where they easily can convert credentials to cash. Since then, a large U.S. retailer’s rewards program was attacked – bilking money from the business and causing consumers confusion and extra work. This attack was a new spin on loyalty fraud. It is yet another example of the impact of not “thinking like a fraudster” when developing a program and process, which a fraudster can exploit. As it embarks on new projects, every organization should consider how it can be exploited by criminals. Too often, the focus is on the customer experience (CX) alone, and many organizations will tolerate fraud losses to improve the CX. In fact, some organization build fraud losses into their budgets and price products accordingly — effectively passing the cost of fraud onto the consumers. Let’s look into how this type of loyalty fraud works. The criminal obtains your login credentials (either through breach, malware, phishing, brute force, etc.) and uses the existing customer profile to purchase goods using the payment method on file for the account. In this type of attack, the motivation isn’t to receive physical goods; instead, it’s to accumulate rewards points — which can then be used or sold. The points (or any other form of digital currency) are instant — on demand, if you will — and much easier to fence. Once the points are credited to the account, the criminal cashes them out either by selling them online to unsuspecting buyers or by walking into a store, purchasing goods and walking right out after paying with the digital currency. A quick check of some underground forums validates the theory that fraudsters are selling retailer points online for a reduced rate — up to 70 percent off. Please don’t be tempted to buy these! The money you spend will no doubt end up doing harm, one way or another. Now, back to the customer experience. Does having lax controls really represent a good customer experience? Is building fraud losses into the cost of your products fair to your customers? The people whose accounts have been hacked most likely are some of your best customers. They now have to deal with returning merchandise they didn’t purchase, making calls to rectify the situation, having their personally identifiable information further compromised and having to pay for the loss. All in all, not a great customer experience. All businesses have a fiduciary responsibility to protect customer data with which they have been entrusted — even if the consumer is a victim of malware, phishing or password reuse. What are you doing to protect your customers? Simple authentication technologies, while nice for the CX, easily can fail if the criminal has access to the login credentials. And fraud is not a single event. There are patterns and surveillance activities that can help to detect fraud at every phase of your loyalty program — from new account opening to account logins and updates to transactions that involve the purchase of goods or the movement of currency. As fraudsters continue to evolve and look for the least-protected targets, loyalty programs have come to the forefront of the battleground. Take the time to understand your vulnerability and how you can be attacked. Then take the necessary steps to protect your most profitable customers — your loyalty program members. If you want to learn more, join us MRC Vegas 16 for our session “Loyalty Fraud; It’s Brand Protection, Not Just Loss Prevention” and hear our industry experts discuss loyalty fraud, why it’s lucrative, and what organizations can do to protect their brand from this grey-area type of fraud.

Ensure you’re protecting consumer data privacy Data Privacy Day is a good reminder for consumers to take steps to protect their privacy online — and an ideal time for organizations to ensure that they are remaining vigilant in their fight against fraud. According to a new study from Experian Consumer Services, 93 percent of survey respondents feel identity theft is a growing problem, while 91 percent believe that people should be more concerned about the issue. Online activities that generate the most concern include making an online purchase (73 percent), using public Wi-Fi (69 percent) and accessing online accounts (69 percent). Consumers are vigilant while online Most respondents are concerned they will fall victim to identity theft in the future (71 percent), resulting in a generally proactive approach to protecting personal information. In fact, almost 50 percent of respondents say they are taking more precautions compared with last year. Ninety-one percent take steps to secure physical information, such as shredding documents, while also securing digital information (using passwords and antivirus software). Many consumers also make sure to check their credit report (33 percent) and bank account statements (76 percent) at least once per month. There’s still room for consumers to be safer Though many consumers are practicing good security habits, some aren’t: More than 50 percent do not check to see if a Website is secure Fifty percent do not have all their Web-enabled devices password-protected because it is a hassle to enter a password (30 percent) or they do not feel it is necessary (25 percent) Fifty-five percent do not close the Web browser when they are finished using an online account Additionally, 15 percent keep a written record of passwords and PINs in their purse or wallet or on a mobile device or computer Businesses need to be responsible when it comes data privacy  Customer-facing businesses must continue efforts to educate consumers about their role in breach and fraud prevention. They also need to be responsible and apply comprehensive, data-driven intelligence that helps thwart both breaches and the malicious use of breached information and protect all parties’ interests. Nearly 70 percent of those polled in a 2015 Experian–Ponemon Institute study said that the increased visibility and media reporting of breaches, including payment-related incidents, have caused their organizations to step up data security efforts. Experian Fraud & ID is uniquely positioned to provide true customer intelligence by combining identity authentication with device assessment and monitoring from a single integrated provider. This combination provides the only true holistic view of the customer and allows organizations to both know and recognize customers and to provide them with the best possible experience. By associating the identities and the devices used to access services, the true identity can be seen across the customer journey. This unique and integrated view of identity and device delivers proven superior performance in authentication, fraud risk segmentation and decisioning. For more insights into how businesses are responding to breach activities, download our recent white paper, Data confidence realized: Leveraging customer intelligence in the age of mass data compromise. For more findings from the study, view the results here.

Leveraging customer intelligence in the age of mass data compromise Hardly a week goes by without the media reporting a large-scale hack of sensitive personal or account information. Increasingly, the public seems resigned to believe that such compromises are the new normal, producing a kind of breach fatigue that may be lowering the expectations consumers have for identity and online security. Still, businesses must be vigilant and continue to apply comprehensive, data-driven intelligence that helps to thwart both breaches and the malicious use of breached information and to protect all parties’ interests. We recently released a new white paper, Data confidence realized: Leveraging customer intelligence in the age of mass data compromise, to help businesses understand how data and technology are needed to strengthen fraud risk strategies through comprehensive customer intelligence. At its core, reliable customer intelligence is based on high-quality contextual identity and device attributes and other authentication performance data. Customer intelligence provides a holistic, bound-together view of devices and identities that equips companies and agencies with the tools to balance cost and risk without increasing transactional friction and affecting the customer experience. In the age of mass data compromise, however, obtaining dependable information continues to challenge many companies, usually because consumer-provided identities aren’t always unique enough to produce fully confident decisioning. For more information, and to get a better sense of what steps you need to take now, download the full white paper.

While walking through a toy store in search of the perfect gift for a nephew, I noticed the board game Risk, which touts itself as “The Game of Global Domination.” For those who are unaware, the game usually is won by players who focus on four key themes: Strategy — Before you begin the game, you need a strategy to attack new territories while defending your own Attack — While you have the option to sit back and defend your territory, it’s better to attack a weakened opponent Fortify — When you are finished attacking, it’s often best to fortify your position Alliances — While not an official part of the game, creating partnerships is necessary in order to win These themes also are relevant to the world of real-life fraud risk prevention. The difference is that the stakes are real and much higher. Let’s look at how these themes play out in real-life fraud risk prevention:  Strategy — Like in the game, you need a strategy for fraud risk detection and prevention. That strategy must be flexible and adaptable since fraudsters (your enemies) also continuously adapt to changing environments, usually at a much quicker, less bureaucratic pace. For example, your competitors (other countries) may improve their defenses, so fraudsters will mount a more focused attack on you. Fraudsters also may build alliances to attack you from different vectors or channels, resulting in a more sophisticated, comprehensive strike.  Attack — As the game begins, all players have access to all competitors (countries). This means that fraudsters might have the upper hand in a certain area of the business. You can sit back and try to defend the territory you already “own,” where fraudsters have no traction, but it’s best to be aggressive and attack fraudsters by expanding your coverage across all channels. For example, you might have plenty of controls in place to manage your Web orders (occupied territory), but your call center operations (opponents’ territory) aren’t protected, i.e., the fraudsters “own” this space. You need to attack that channel to drive fraudsters out.  Fortify — In the game, you can fortify your position after a successful move — that is, move more troops to your newly conquered territories. In real life, you always have the option to fortify your position, and you should constantly look for ways to improve your controls. You can’t afford to maintain on your current position, because fraudsters constantly are looking for weaknesses.  Alliances — In business, we often are hesitant to share information with our competitors. Fraudsters use this to their advantage. Just as fraudsters act in a coordinated fashion, so must we. Use all available resources and partners to shore up your defenses Leverage the power of consortium data Learn new methods from traditional competitors Always team up with internal and external partners to defend your territory If you apply these themes, you will be positioned for global domination in the fight against fraud risk. You can read more about fraud-prevention strategies in our recent ebook, Protecting the Customer Experience. As a side note, I’m always ready for a game of Risk, so contact me if you’re interested. But be forewarned — I’m competitive.

While marketers typically spend vast amounts of money to increase customer acquisitions, fraud prevention can undercut those efforts. According to a recent 41st Parameter® study, average card-not-present declines represent 15 percent of all transactions; however, one to three percent of those declined transactions turn out to be false positives, equating to 1.2 billion dollars in lost revenue annually. Marketers can avoid unnecessary declines and create a seamless customer experience by communicating campaign plans to the fraud-risk team early on and coordinating marketing and fraud-prevention efforts. Download Experian’s latest fraud prevention report. Report: Holiday Marketing & Fraud

Did you know that privacy policies do not guarantee that your information will be kept private? Most companies use privacy policies to inform customers about how their personal information may be used, i.e. sold, shared, exchanged, not necessarily guaranteeing absolute confidentiality. In today’s increasingly digital world where exchanging personal information – your name, email address, home address, etc. – for access to websites, coupons and the like has become the norm. And, it can be difficult for consumers to understand the value of their personal information. Today is the eighth annual Data Privacy Day, an international awareness effort spearheaded by the National Cyber Security Alliance (NCSA) that encourages all Internet users to consider the privacy implications of their online actions and motivate all companies to make privacy and data protection a greater priority. Since most consumers aren’t fully aware of the implications of sharing personal information, we’re taking a deeper look at what can happen when personal information is shared online. Companies that collect don’t always protect When you share personal information with a company online, that company is responsible for protecting your information. Even data that is seemingly harmless is extremely valuable to cyber criminals, like your email address or your mother’s maiden name for a password reset. When you share this valuable, personal information with a company online be sure to read the company’s privacy policy fine print in order to be certain that your information is not being shared publicly or with outside companies. In some instances, even reading the company’s fine print cannot keep your information safe. Millions were affected last year due to retail and medical data breaches, proving it difficult for companies to protect your data no matter how secure it may seem. Once cyber criminals have their hands on your personal information, you may be surprised at what they can do with it. Cyber criminals patch together your digital profile Bits and pieces of personal information stolen from companies can help cyber criminals patch together a complete picture of your digital identity. They can then use your digital identity to access more important information like your financial records from retail sites that have your credit card information stored. Many consumers leave a trail of personal information on the Internet, leading cyber criminals to steal your identity and your financial information. How to make a difference during Data Privacy Day Here are some tips on how you can increase your privacy online from the NCSA: Think of your personal information like money – value it and protect it. You are often paying for “free” services with your personal information. Before you willingly provide your information to a service, make sure it is a business you trust to handle your information with care. Manage your browser cookies to maximize your privacy and prevent unwanted tracking. Demand that businesses be honest about how they collect, use and share personal information. Be cautious about who you “friend” and communicate with online. Visit our website for more information on identity protection products you can offer your customers.

Our second annual data breach preparedness study, Is Your Company Ready for a Big Breach?, conducted by the Ponemon Institute, reveals good news and bad news for businesses concerned with data security—and that should be all business. First, the good news: more companies are acting to address data breach risks. The majority (73%) of organizations now have a data breach response plan in place – 12 percent more than in 2012. And nearly half (48%) have boosted investment in security technologies in the past 12 months, aiming to better detect and respond to a data breach. Now, for the not-so-good news: they’re not doing enough, and don’t have confidence in the effectiveness of their current measures. Survey results illustrate that not everyone is taking all the necessary steps to prepare for a data breach: A majority of 78 percent don’t regularly update their data breach response plans to address evolving threats. About two-thirds don’t have trained customer service staff who can respond to customer questions, concerns or complaints if a breach occurs. Only 29 percent of companies involve the CEO in dealing with security risks. Nearly three-quarters don’t have cyber insurance policies. Just 44 percent conducted a technical impact assessment to understand potential fallout from an incident. Less than a third had SIEM systems to facilitate early detection of an incident. 66 percent lack Mobile Device Management (MDM) to protect sensitive information from being pushed to mobile devices. Those who have made provisions don’t necessarily feel more secure because of them: 62 percent don’t feel their organizations are prepared to respond to a data breach. 49 percent didn’t feel they were prepared to respond to the theft of information that would require notification to victims and regulators. Just a quarter were confident they could communicate about a breach and manage customer needs. 40 percent worry about the potential for a third party losing their data. Insider threats concern 56 percent, with 43 percent citing BYOD and cloud services as their top two internal threat concerns. As to post-breach response, we are pleased to see however that companies are well aware of the importance of providing customers involved in a breach with identity theft protection products and access to a call center; in fact, they cited those two as the most important services companies could provide post-breach. Many of the concerns companies expressed over data breach preparedness and response – and in particular, worries over customer communication and regulatory compliance – can be addressed by preparing a response plan and practicing the plan on an ongoing basis.  It’s also important to secure external partners such as legal counsel and a public relations firm, and make a selection of a quality identity protection product to offer affected customers ahead of time.  When a breach occurs, the complete response team and moving parts are ready to allow for a quick and smooth response. Learn more about our Data Breach solutions

An employee who never uses a mobile device – personal or company-supplied – for business purposes is becoming a rare creature, indeed. Use of mobile devices is prevalent across virtually every industry, and the convenience and flexibility these devices offer professionals can be great for business. Provided, that is, those devices are secure. Mobile devices continue to be a significant source of data breaches, and a particular concern for anyone engaged in cyber security, according to eSecurity Planet’s Data Breach Roundup. Mobile-related data breaches stem from a range of circumstances, including loss or theft of devices, failure to use anti-malware, or failing to password-protect a device being used for business purposes. Devices can put your data at risk if an employee stores any proprietary information on a mobile device, or if workers use unsecured devices to access your network – even if you’ve taken steps to secure the network itself. Managing mobile devices can be one of the most challenging aspects of your overall cyber security program, but it’s imperative and – fortunately – not impossible. Minimizing mobile device risks CTIA, The Wireless Association, offers some guidelines for mobile device cyber security in its whitepaper “Today’s Mobile Cybersecurity: Blueprint for the Future.” The organization points to five cornerstones of mobile cyber security: Education about the importance of mobile security Devices with security features like anti-malware and anti-spam settings Strong, enforced network security policies Authentication for all network users Secure connections, from cloud to network Many tools exist to help your organization ensure secure footing on each of those cornerstones. CTIA cites options like risk management, security policies and monitoring. We would add to that list, and emphasize the importance of a data breach response plan that addresses the specific challenges and risks associated with a mobile-spurred data breach incident. While your organization can take strong, reasoned steps toward minimizing risks, it’s equally important to be ready to respond when a breach occurs. Mobile device security is sure to be a growing issue throughout 2014, as more people than ever use smartphones, tablets and other mobile devices to work more efficiently. With the right precautions, you can help ensure your employees work safely, as well. Learn more about our Data Breach solutions

The purpose of any type of insurance is to protect your most valuable assets. To combat the prevalence of cyber attacks and data breaches, an increasing number of businesses in the health-care, financial services and technology industries have purchased cyber insurance policies to protect themselves from the crippling cost of a data breach.  This is especially popular among start-up tech companies in Silicon Valley in order to safeguard their intellectual property (IP) since their IP is the backbone of their livelihood1.  Since small businesses generally don’t have a risk manager and IT department dedicated to data security, a good cyber insurance policy can help mitigate cyber security risks. Although accepted in some sectors, cyber insurance is still not an established part of many companies’ IT data security strategies.  This is commonly due to a lack of agreed risk management standards and the challenge of substantiating and quantifying losses, in addition to finding objective data to back up cyber insurance claims.  Some security experts feel that the federal government needs to kick start growth in this market by requiring government contractors to purchase cyber insurance to set a standard for other businesses, sending a message that any company who has cyber security insurance is a signal that the company is competently managing its data security. As the cyber insurance industry evolves, here is a list of what the policies generally cover and what to look for: First-party claims – Costs incurred by the loss of trade secrets and intellectual property. Third-party claims – Damages a business must pay to customers who sue them for lost or compromised personal information. Business interruption coverage – In the event a data breach incident prevents the company from operating or functioning, the company would receive payment reimbursement for expenses incurred due to loss of business. A forensic IT investigation – Policies can cover the cost of an examination into how the data breach occurred and some may even cover the costs of regulatory fines and penalties in addition to the crisis management control which includes data breach notification letters. Security professionals stress that cyber insurance is not meant to be a substitute for data protection and security policies.  In fact, before underwriting a policy, an insurance company will be hyper vigilant in determining that their customers have proper protections and policies in place since the insurance company will want to reduce its own risk. And since insurance has been a positive influence on other industries to improve performance and safety due to risk mitigation, the theory is if a company has cyber insurance, the hope is they will implement proper preventative measures to ensure that they will never have to use it. Learn more about our Data Breach solutions  1http://www3.cfo.com/article/2013/4/data-security_cyber-attacks-cybersecurity-liability-insurance-smb-growth-companies-risk-hogan-lovells