Tag: fraud
Let’s face it – not all knowledge based authentication (KBA) is created equal. I, too, have read horror stories of consumers forced to answer questions about a deceased relative or ex-spouse, or KBA sessions that went on far too long for anyone’s benefit. I have to attribute this to vendor inexperience and a lack of consulting with clients. An experienced vendor will use a fraud best practice such as a fraud analytics model to determine that some consumers do not even need questions and then a “Progressive Question” feature, which uses consumer performance on an initial question set to determine if it is necessary for the consumer to answer additional questions. This way, the true consumer completes the process quickly, improving the customer experience. The product of choice should also use a question mix that balances three factors: · how easily the true consumer can answer the question; · the fraud separation of the question (effectively the measured delta over time between how well true consumers answer the question vs. how well fraudsters do); · how many consumers overall the question can be generated. A list of hundreds of possible questions doesn’t mean much if the questions can only be generated for one quarter of one percent of the population, as is the case for something like airplane ownership or pilot’s license. Ultimately, out of wallet questions should be generated for a large part of the population, easily answered by the true consumer but difficult for a fraudster; and not offensive or what a consumer would consider “creepy” (such as their child’s birthday or name). Well designed questions will be personal but not intrusive and mindful of personal relationships that may have changed. The purpose of a knowledge based authentication session is risk management and/or consumer authentication for fraud prevention and compliance purposes – not to cause the loss of business because the fraud tool crossed the line in the mind of your customer.
Many compliance regulations such the Red Flags Rule, USA Patriot Act, and ESIGN require specific identity elements to be verified and specific high risk conditions to be detected. However, there is still much variance in how individual institutions reconcile referrals generated from the detection of high risk conditions and/or the absence of identity element verification. With this in mind, risk-based authentication, (defined in this context as the “holistic assessment of a consumer and transaction with the end goal of applying the right authentication and decisioning treatment at the right time\") offers institutions a viable strategy for balancing the following competing forces and pressures: Compliance – the need to ensure each transaction is approved only when compliance requirements are met; Approval rates – the need to meet business goals in the booking of new accounts and the facilitation of existing account transactions; Risk mitigation – the need to minimize fraud exposure at the account and transaction level. A flexibly-designed risk-based authentication strategy incorporates a robust breadth of data assets, detailed results, granular information, targeted analytics and automated decisioning. This allows an institution to strike a harmonious balance (or at least something close to that) between the needs to remain compliant, while approving the vast majority of applications or customer transactions and, oh yeah, minimizing fraud and credit risk exposure and credit risk modeling. Sole reliance on binary assessment of the presence or absence of high risk conditions and identity element verifications will, more often than not, create an operational process that is overburdened by manual referral queues. There is also an unnecessary proportion of viable consumers unable to be serviced by your business. Use of analytically sound risk assessments and objective and consistent decisioning strategies will provide opportunities to calibrate your process to meet today’s pressures and adjust to tomorrow’s as well.
When we think about fraud prevention, naturally we think about mininizing fraud at application. We want to ensure that the identities used in the application truly belong to the person who applies for credit, and not from some stolen identities. But the reality is that some fraudsters do successfully get through the defense at application. In fact, according to Javelin’s 2011 Identity Fraud Survey Report, 2.5 million accounts were opened fraudulently using stolen identities in 2010, costing lenders and consumers $17 billion. And these numbers do not even include other existing account fraud like account takeover and impersonation (limited misusing of account like credit/debit card and balance transfer, etc.). This type of existing account fraud affected 5.5 million accounts in 2010, costing another $20 billion. So although it may seem like a no brainer, it’s worth emphasizing that we need to continue to detect fraud for new and established accounts. Existing account fraud is unlikely to go away any time soon. Lending activities have changed significantly in the last couple of years. Origination rate in 2010 is still less than half of the volume in 2008, and booked accounts become riskier. In this type of environment, when regular consumers are having hard time getting new credits, fraudsters are also having hard time getting credit. So naturally they will switch their focus to something more profitable like account takeover. Does your organization have appropriate tools and decisioning strategy to fight against existing account fraud?
By: Staci Baker According to Wikipedia, mobile banking is defined as, “a term used for performing balance checks, account transactions, payments, credit applications, etc. via a mobile device such as a mobile phone or Personal Digital Assistant (PDA).” However, as several large lenders and phone carriers test mobile banking and mobile payments, there is still much to be deciphered. Will it help businesses compete? Is it safe for a consumer? Should a bank offer a mobile solution; and if so, what precautions will they need to take to ensure their customer’s information, i.e. fraud, consumer identity? Peter Garuccio, spokesman for the American Bankers Association in Washington D.C., noted that “various experts predict that some 20 million people may be banking via cell phone this year, and that number is projected to skyrocket to 50 million by 2013.” And, according to a mobile payment study by Juniper Research ,“Combined market for all types of mobile payments is expected to reach more than $630B globally by 2014.” For the purpose of this blog, I will focus on the mobile banking solution, and questions to consider before entering into the mobile banking arena. Mobile banking today is akin to online banking a few years ago. It’s new, getting a lot of press, late adopters want more information, while the early adopters are already participating and it appears to be on the verge of taking over more conventional banking and payments. Before entering into the world of mobile solutions, there are a few things to consider: How will new regulations, such as the Durbin Amendment to the Frank-Dodd Act (a new Interchange fee proposal), affect implementation and usage? The current average interchange fee is between $1 and $1.30, the new cap at $.12 will reduce the charges by up to 90%.While the interchange fee proposal will not be finalized until after February, it is not known how the new “swipe fee” legislation will affect mobile solutions. If the new amendment directly affects debit cards only, mobile solutions can become a new revenue stream for many lenders. As more information becomes available regarding the Durbin Amendment, I will relay additional details and implications. What fraud prevention solutions do you have in place? Fraud is an issue in all industries; therefore utilizing fraud best practices specific to your market, or identifying fraud trends is essential in keeping retailers, consumers and your company safe. As consumers replace the need for a wallet with a phone, identity theft can become an issue. This is especially true of phones with minimal security, or if their phone gets into the hands of a hacker. Therefore companies can initiate an identity theft prevention program to raise awareness in consumers and retailers. As well as implement new internal processes and requirements. As we delve further into an IT-led economy, businesses will continually need to adjust how they do business in order to meet consumer demand, as well as finding new revenue streams. I am curious, how many businesses have already begun to implement a mobile solution, and what issues or results have you already seen? If you have not already implemented a mobile solution, is this in your planning for the upcoming year?
By: Ken Pruett The majority of the customers I meet with use some sort of Velocity Checks to assist with their Fraud and Compliance process. However, there are still quite a few that do not, especially when opening up New Business Accounts. Historical data checks have proven to be an effective form of identity theft prevention for both Consumer fraud and Commercial Fraud. We see scenarios where a perpetrator will have one successful penetration of a business and opens up a fraudulent account. They then try and replicate this against the same business. All of the information may be different, with the exception of one element, often the phone number. Without velocity checks, this may not be identified at the time the account is being opened. More sophisticated rings try to be more creative in their fraudulent attempts. They may gain access to a consumers information and then go and apply at a variety of entities. They are more careful, so they never attempt to target the same business twice. They are aware that many companies have velocity checks, so they do not want to take a chance of having their information questioned. At a minimum, the use of in-house velocity checks should be a standard process for you fraud detection measures. Typical data elements to check against are; name (business or consumer), address, phone number, and Social Security Number. A fraud best practice would be to use a tool that provides velocity checks and incorporates the information into a fraud prevention tool. There are tools that provide checks across multiple businesses and this typically provides the best level of protection. By looking at inquiry information across multiple businesses, you are able to help prevent being a victim of some of the more sophisticated rings. Don’t find yourself being the easiest target. Once you get hit, it could snowball and you may be victimized multiple times. We all know there is no way to stop all of the fraud, but let’s not make it too easy on the perpetrators. Try and find a way to use some sort of velocity checks in your process to at least minimize your fraud risk.
By: Andrew Gulledge Bridgekeeper: “What is the air-speed velocity of an unladen swallow?” King Arthur: “What do you mean? An African or European swallow?” Here are some additional reasons why the concept of an “average fraud rate” is too complex to be meaningful. Different levels of authentication strength Even if you have two companies from the same industry, with the same customer base, the same fraudsters, the same natural fraud rate, counting fraud the same way, using the same basic authentication strategies, they still might have vastly different fraud rates. Let’s say Company A has a knowledge-based authentication strategy configured to give them a 95% pass rate, while Company B is set up to get a 70% pass rate. All else being equal, we would expect Company A to have a higher fraud rate, by virtue of having a less stringent fraud prevention strategy. If you lower the bar you’ll definitely have fewer false positives, but you’ll also have more frauds getting through. An “average fraud rate” is therefore highly dependent on the specific configuration of your fraud prevention tools. Natural instability of fraud behavior Fraud behavior can be volatile. For openers, one fraudster seldom equals one fraud attempt. Fraudsters often use the same techniques to defraud multiple consumers and companies, sometimes generating multiple transactions for each. You might have, for example, a hundred fraud attempts from the same computer-tanned jackass. Whatever the true ratio of fraud attempts to fraudsters is, you can be confident that your total number of frauds is unlikely to be representative of an equal number of unique fraudsters. What this means is that the fraud behavior is even more volatile than your general consumer behavior, including general fraud trends such as seasonality. This volatility, in and of itself, correlates to a greater degree of variance in fraud rates, further depleting the value of an “average fraud rate” metric. Limited fraud data It’s also worth noting that we only know which of our authentication transactions end up being frauds when our clients tell us after the fact. While plenty of folks do send us known fraud data (thus opening up the possibility of invaluable analysis and consulting), many of our clients do not. Therefore even if all of the aforementioned complexity were not the case, we would still be limited in our ability to provide global benchmarks such as an “average fraud rate.” Therefore, what? This is not to say that there is no such thing as a true average fraud rate, particularly at the industry level. But you should take any claims of an authoritative average with a grain of salt. At the very least, fraud rates are a volatile thing with a great deal of variance from one case to the next. It is much more important to know YOUR average fraud rate, than THE average fraud rate. You can estimate your natural fraud rate through a champion/challenger process, or even by letting the floodgates open for a few days (or however long it takes to gather a meaningful sample of known frauds), then letting the frauds bake out over time. You can compare the strategy fraud rates and false positive ratios of two (or more) competing fraud prevention strategies. You can track your own fraud rates and fraud trends over time. There are plenty of things you can do to create standardize metrics of fraud incidence, but good heavens for the next person to ask me what our average fraud rate is, the answer is “No.”
The U.S. Senate passed legislation recently that would exempt certain businesses from complying with the Red Flags Rule. Sponsored by Senator John Thune (R-SD), the bill (S. 3987) creates an exception to the Red Flags Rule for businesses that do not advance funds to a customer. The bill would, for example, redefine the term “creditor” as currently described under the Red Flags Rule guidelines, to apply only to those businesses who advance funds to, or on behalf of, a customer, and based upon an obligation to repay those advanced funds. The legislation also still provides the Federal Trade Commission with authority to require certain organizations to comply with the Red Flags Rule. The legislation now moves to the U.S. House of Representatives, where the chamber must approve the bill before the end of the year in order for the bill to become law. This may alleviate many businesses in industries such as law practices, healthcare providers (particularly solo practitioners), and perhaps some service providers in telecommunications and utilities. However, it is likely that many businesses in the utilities space will still fall under Red Flags Rule enforcement given their accessing of consumer credit profiles in many of their application processing procedures. Again, one has to wonder what the original intent of the Red Flags Rule was. If it was to protect consumers from identity theft and other fraud schemes via a robust identity theft prevention program, then vastly narrowing the businesses under which potential enforcement applies seems counter-productive. The advancement of funds or not doesn’t necessarily add to or reduce risk of fraud, as much as the actual obtainment of accounts and services with identity information…regardless of industry. More to follow…
As the December 31st deadline approaches for FTC enforcement of the Red Flags Rule, we still seem quite a ways off from getting out from under the cloud of confusion and debate related to the definition of ‘creditor’ under the statutory provisions. For example, the Thune-Begich amendment to “amend the Fair Credit Reporting Act with respect to the applicability of identity theft guidelines to creditors” looks to greatly narrow the definition of creditor under the Rule, and therefore narrow the universe of businesses and institutions covered by the Red Flags Rule. The question remains, and will remain far past the December 31 enforcement deadline, as to how narrow the ‘creditor’ universe gets. Will this amendment be effective in excluding those types of entities generally not in the business of extending credit (such as physicians, lawyers, and other service providers) even if they do provide service in advance of payment collection or billing? Will this amendment exclude more broadly, for example ‘buy-here, pay-here’ auto dealers who don’t extend credit or furnish data to a credit reporting agency? Finally, is this the tip of an iceberg in which more entities opt out of the requirement for robust and effective identity theft prevention programs? So one has to ask if the original Red Flags Rule intent to “require many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations, take steps to prevent the crime, and mitigate the damage it inflicts” still holds true? Or is the idea of protecting consumer identities only a good one when it is convenient? It doesn’t appear to be linked with fraud risk as healthcare fraud, for example, is of major concern to most practitioners and service providers in that particular industry. Lastly, from an efficiency perspective, this debate would likely have been better timed at the drafting of the Red Flags Rule, and prior to the implementation of Red Flags programs across industries that may be ultimately excluded.
As E-Government customer demand and opportunity increases, so too will regulatory requirements and associated guidance become more standardized and uniformly adopted. Regardless of credentialing techniques and ongoing access management, all enrollment processes must continue to be founded in accurate and, most importantly, predictive risk-based authentication. Such authentication tools must be able to evolve as new technologies and data assets become available, as compliance requirements and guidance become more defined, and as specific fraud threats align with various access channels and unique customer segments. A risk-based fraud detection system allows institutions to make customer relationship and transactional decisions based not on a handful of rules or conditions in isolation, but on a holistic view of a customer’s identity and predicted likelihood of associated identity theft. To implement efficient and appropriate risk-based authentication procedures, the incorporation of comprehensive and broadly categorized data assets must be combined with targeted analytics and consistent decisioning policies to achieve a measurably effective balance between fraud detection and positive identity proofing results. The inherent value of a risk-based approach to authentication lies in the ability to strike such a balance not only in a current environment, but as that environment shifts as do its underlying forces. The National Institute of Standards and Technology, in special publication 800-63, defines electronic authentication (E-authentication) as “the process of establishing confidence in user identities electronically presented to an information system”. Since, as stated in publication 800-63, “individuals are enrolled and undergo an identity proofing process in which their identity is bound to an authentication secret, called a token”, it is imperative that identity proofing is founded in an approach that generates confidence in the authentication process. Experian believes that a risk-based approach that can separate valid from invalid identities using a combination of data and proven quantitative techniques is best. As “individuals are remotely authenticated to systems and applications over an open network, using a token in an authentication protocol”, enrollment processes that drive ultimate provision of tokens must be implemented with an eye towards identity risk, and not simply a series of checks against one or more third party data assets. If the “keys to the kingdom” are housed in the ongoing use of tokens provided by Credentials Service Providers (CRA) and binding credentials to that token, trusted Registration Authorities (RA) must employ highly predictive identity proofing techniques designed to segment true, low-risk identities from identities that may have been manipulated, fabricated, or in true-form are subject to fraudulent use, abuse or victimization. Many compliance-oriented authentication requirements (ex. USA PATRIOT Act, FACTA Red Flags Rule) and resultant processes hinge upon identity element (ex. name, address, Social Security number, phone number) validation and verification checks. Without minimizing the importance of performing such checks, the purpose of a more risk-based approach to authentication is to leverage other data sources and quantitative techniques to further assess the probability of fraudulent behavior.
Experian recently contributed to a TSYS whitepaper focused on the various threats associated with first party fraud. I think the paper does a good job at summarizing the problem, and points out some very important strategies that can be employed to help both prevent first party fraud losses and detect those already in an institution’s active and collections account populations. I’d urge you to have a look at this paper as you begin asking the right questions within your own organization. Watch here The bad news is that first party fraud may currently account for up to 20 percent of credit charge-offs. The good news is that scoring models (using a combination of credit attributes and identity element analysis) targeted at various first party fraud schemes such as Bust Out, Never Pay, and even Synthetic Identity are quite effective in all phases of the customer lifecycle. Appropriate implementation of these models, usually involving coordinated decisioning strategies across both fraud and credit policies, can stem many losses either at account acquisition, or at least early enough in an account management stage, to substantially reduce average fraud balances. The key is to prevent these accounts from ending up in collections queues where they’ll never have any chance of actually being collected upon. A traditional customer information program and identity theft prevention program (associated, for example with the Red Flags Rule) will often fail to identify first party fraud, as these are founded in identity element verification and validation, checks that often ‘pass’ when applied to first party fraudsters.
By: Kenneth Pruett I really thought I was going to be on easy street after receiving two emails in less than a week. The first email was telling me about some long lost relative in the UK who passed away over 10 years ago. His riches, which were over $20million dollars, would be forfeited to the government if an heir to the fortune did not claim the money. I was impressed how they figured out that I was the long lost “heir” to this millionaire just by looking at my email address. They also identified me specifically by calling me by name, “Dear Sir”. The other email was a bit more intriguing. It involved a suitcase full of money. This was sent to me by a woman, who was in an abusive relationship but somehow had a chest full of money in America. For a certain % of the money, she was willing to pay me for my efforts to help her gain access to the suitcase and its contents. I am still surprised at just how many people fall victim to these types of email scams. They have been going on for quite some time, commonly known as the Nigerian 419 scam. I have noticed that the emails have changed a bit and seem to have become more convincing. The scammers also seem to be a bit more patient and work harder to gain the victims confidence in the legitimacy of the transaction. Individuals who give their information to these scammers will soon find out what a big mistake they have made. The goal of these groups is to gain access to a consumer’s money. They also will attempt to gather personal and banking information. Some victims of these scams may end up having their identity stolen. If they do attempt to use the identity information, they will typically make multiple attempts in a short period of time to establish credit. One way to help fight this type of organized fraud ring activity is to use velocity checks to track data elements. For example, a bank may want to know if a Social Security number has been used more than once within a certain period of time. Fraud analytic studies have also found that tracking data elements across multiple customers can also be very predictive in preventing fraud tied to identity theft rings. Elements often tracked are things like addresses, Social Security numbers and phone numbers. If these scammers attempt to take over consumers current bank accounts, they may attempt to change the address and possibly the phone number on the account. This is to prevent the true consumer from getting a phone call or mail relating to their account changes. Before making these changes, many entities often send out letters or make calls to the prior information before officially making these changes in their systems. One other way to protect against account take over is to run the address and/or phone number against database of known frauds. A National Fraud Database can be helpful in identifying addresses that have been used in previous fraud activity. The Nigerian 419 scams will continue to be a problem. The need for money is just too great for some people to resist. For Banks, Card issuers, and Credit Unions, it is wise to put tools in place to help fight identity theft. This scam only represents a sample of the various fraudulent groups out there who make their living by ripping off these types of businesses. As I often say to my customers… I have done about everything in the fraud space, except commit it, which is the most profitable area. Good luck in your efforts to help us fight this ongoing problem.
In my last entry I mentioned how we’re working with more and more clients that are ramping up their fraud and compliance processes to ensure Red Flag compliance. But it’s not just the FACT Act Identity Theft Program requirements that are garnering all the attention. As every financial institution is painfully aware, numerous compliance requirements exist around the USA PATRIOT Act and Know Your Customer, Anti-Money Laundering, e-Signature and more. Legislation for banks, lenders, and other financial services organizations are only likely to increase with President Obama’s appointment of Elizabeth Warren to the new Bureau of Consumer Financial Protection. Typically FI’s must perform due diligence across more than one of these requirements, all the while balancing the competing pressures of revenue growth, customer experience, fraud referral rates, and risk management. Here’s a case where we were able to offer a solution to one client’s complex needs. Recently, we were approached by a bank’s sales channel that needed to automate their Customer Information Program (CIP). The bank’s risk and compliance department had provided guidelines based on their interpretation of due diligence appropriate for CIP and now the Sales group had to find a tool that could facilitate these guidelines and decision appropriately. The challenge was doing so without a costly custom solution, not sacrificing their current customer service SLA’s, and being able to define the criteria in the CIP decisioning rather than a stock interpretation. The solution was to invest in a customer authentication product that offered flexible, adaptable “off the shelf” decisioning along with knowledge based authentication, aka out of wallet questions. The fact that the logic was hosted reduced costly and time consuming software and hardware implementations while at the same time allowing easy modification should their CIP criteria change or pass and review rates need to be tweaked. The net result? Consistent customer treatment and objective application of the CIP guidelines, more cross selling confidence, and the ability to refer only those applicants with fraud alerts or who did not meet the name, address, SSN, and DOB check for further authentication.
Another consumer protection article in the news recently highlighted some fraud best practices for social networking sites. Click here to read the article. When I say fraud best practices, I mean best practices to minimize fraud and identity theft risk…not best practices for fraudsters. Although I wonder if by advising consumers about new fraud trends and methods, some fraudsters are picking up new tips and tricks? Anyway, many of the suggestions in the article are common sense items that have been making the rounds for some time now: don’t post vacation plans, things that might provide clues to your passwords or secret questions, etc. What I found surprising was that this list of “6 Things You Should Never Reveal on Facebook” still included birth date and place and home address. Are people overly trusting or just simply unaware of the risk of providing personal identifying information out in cyber space, unsecured? The US government has gone to a lot of trouble to protect consumers from identity theft through its issuance of the Red Flags rule and Red Flags guidelines for financial institutions of all types. I work with many clients that are going to large efforts to meet these important goals for fraud and compliance. Not just because the legislation requires it but because they know it is in the best interest of fostering long term and trust-based relationships with their customers. But just as much responsibility lies on us as consumers to protect ourselves. Each individual or family should have their own little identity theft prevention program that includes: guidelines for sharing information on social networking sites, shredding of paper documents with personal data, safe storage of passwords (i.e. not written down by your computer!), and up to date virus and malware protection on their computer.
Anyone keeping tabs on the legal scene would think data breaches are something new, given all of the legislation hitting the floor of Congress, when in reality they have been happening since businesses began saving data. The truth is the average consumer didn’t really think about it until they started to hear about data breaches and fraud trends when California blazed a trail with what is considered to be the “grandma” of data breach laws back in 2002. The California law (CA SB 1386) required entities to report data breaches if a California resident was a record in the breach that included personally identifiable information and met the state’s criteria for breach. One might say that law started it all: data breach reporting, the ability for watchdog tracking, and media coverage – before CA SB 1386 we only saw the tip of the iceberg. There are currently four bills worth watching in Congress right now that could have some significant impact to data breach notification requirements: Senate Bill 139, sponsored by California Sen. Diane Feinstein. The Data Breach Notification Act would cover any agency or business that uses or stores personal identifiable information and make it mandatory that if a breach occurred, the victims would be informed Senate Bill 3579, the Carper-Bennett legislation, entitled the Data Security Act of 2010 applies to financial institutions, retailers and government agencies, and would require these entities to safeguard sensitive information, investigate security breaches and notify consumers when there is a substantial risk of identity theft or account fraud. This bill is aimed to protect consumers and businesses from identity theft and account fraud. Senate Bill 3742, entitled The Data Security and Breach Notification Act of 2010, sponsored by Senators Mark Pryor and Jay Rockefeller would cross industries and requires special requirements for data brokers. It was referred this month to the Committee on Commerce, Science and Technology, which Rockefeller chairs. Senate Bill 1490, entitled the Personal Data Privacy and Security Act, designates as fraud unauthorized access of personally identifiable information and allows the act to lead to racketeering charges. Sponsored by Senate Judiciary Committee Chairman, Patrick Leahy, it would also prohibit concealment of security breaches involved in fraud and prohibit the dismissal of a Chapter 7 bankruptcy case if the debtor is an identity-theft victim. Many organizations already provide for data breach and the security of personally identifiable information as part of an Identity Theft Prevention Program or Red Flags Rule compliance. I’m happy to say that many rely on Experian tools (https://www.experian.com/data-breach/data-breach-resources.html) for data breach or Enterprise Risk Management solutions. However, any of these bills could change the game for many businesses not already regulated by the Gramm-Leach-Bliley Act (GLB), the Fair Credit Reporting Act (FCRA) or Fair and Accurate Credit Transactions Act (FACTA). In fact, two of the bills would essentially subject data brokers to the same kinds of legislation that financial institutions have under FCRA. The reasoning behind it is that fraud trends continue to show risk levels are the same to the consumer, regardless of where the information is stored. The financial industry and credit bureau data have been regulated for years so, in a sense, I think it’s just “more of the same” unless you happen to be in an industry not regulated as stringently. Still… it’s worth keeping those “tabs” and RSS feeds alive.
Quite a scary new (although in some ways old) form of identity theft in the headlines recently. Here’s a link to the article, which talks about how children’s dormant Social Security numbers are being found and sold by companies online under the guise of CPN’s – aka credit profile numbers or credit protection numbers. Using deceased, “found”, or otherwise illicitly obtained Social Security numbers is not something new. Experian’s and any good identity verification tool is going to check against the Social Security Administration’s list of numbers listed as deceased as well as check to ensure the submitted number is in an SSA valid issue range. But the two things I find most troubling here are: One, the sellers have found a way around the law by not calling them Social Security numbers and calling them CPN’s instead. That seems ludicrous! But, in fact, the article goes on to state that “Because the numbers exist in a legal gray area, federal investigators have not figured out a way to prosecute the people involved”. Two, because of the anonymity and the ability to quickly set up and abandon “shop”, the online marketplace is the perfect venue for both buyer and seller to connect with minimal risk of being caught. What can we as consumers and businesses take away from this? As consumers, we’re reminded to be ever vigilant about the disclosure of not only OUR Social Security number but that of our family members as well. For businesses, it’s a reminder to take advantage of additional identity verification and fraud prediction tools, such as Experian’s Precise ID, Knowledge IQ, and BizID, when making credit decisions or opening accounts rather than relying solely on consumer credit scores.
Learn More Image
