2010 Identity Fraud Study: Threats and Trends
Javelin Strategy & Research is out with its latest Identity Fraud Study. For insight on the study results and what they mean to organizations across industry, James VAN DYKE of Javelin discusses:
- Headlines from this year's study;
- Trends and threats to watch;
- What organizations and individuals can do to better protect themselves.
Van Dyke is founder and president of Javelin Strategy & Research. Javelin is the leading provider of independent, quantitative and qualitative research for payments, multi-channel financial services, security and fraud initiatives. Javelin's clients include the largest financial institutions, card issuers and technology vendors in the industry.
TOM FIELD: Javelin Strategy and Research is out with its 2010 identity fraud survey. What are the headlines? Hi, this is Tom Field, Editorial Director with Information Security Medical Group. I am talking today with James VAN DYKE, head of Javelin Strategy and Research, talking about the study. Jim, thanks so much for joining me again.
JAMES VAN DYKE: Tom, it's great to be here.
FIELD: Jim, just a little background on the study, please. I know you've done this for a number of years now, but maybe you can tell us what's gone into this, and then we can go into some of the headlines from this year's survey.
VAN DYKE: Yeah, thanks, and I appreciate being here. It's about identity fraud; frankly, a few years ago we thought we wouldn't be doing this anymore. We set up to take this project over from the Federal Trade Commission back in 2003, when they broke the story that identity theft was the nation's fastest growing white collar crime, and we thought maybe we would do this for a year or two because we would get some sponsors together and deploy what is the most rigorous study on this very costly subject. We thought this would run its course, maybe, after a couple of years of running it. But what has actually ended up happening, particularly as the economy has worsened, criminals have just found out that they can make more people victims than ever before. And in fact we are now announcing there are more victims than ever before to the tune of over eleven million people -- adults that were victims of identity fraud had transactions committed in their name without their authorization last year.
FIELD: Jim, what do you say the biggest headlines are from the survey?
VAN DYKE: You know, with more people become victimized, it continues to be a multi-channel crime because people are going after more of both a combination of new establishment of fraudulent new accounts as well as accessing existing accounts. Of course, year in and year out there is more -- there are a lot of credit card transaction -- but what we're seeing is more of these particularly damaging new account fraud cases. We are also seeing an interesting trend with individuals using more legal means, so this empowerment message, this partnership message, it's getting out there, and yet we just can't get it out enough, meaning that identity crimes are really unique because they represent a criminal or a group of connected criminals targeting two different types of entities if you will. Not to sound too academic, but the point here is that you've got someone who is being impersonated, the honest individual, they're a victim. They pay on average $373 out of pocket. Now the good news is that has never been lower. That out of pocket cost, even while you have more victims than ever before, and the typical victim doesn't pay anything due to zero liability provisions. But you've got more victims than ever before, more establishments of new accounts, those are on the rise. You've got more data breeches. You've certainly got wilier cyber criminals, so it is just a mess and industry is really carrying more of the load, the financial burden than they ever have before.
FIELD: Jim, when I think back on the news of the past year since we spoke about the previous year's study, I think of the Heartland Data Breach, I think of the ACH fraud attacks that we've seen starting the middle of the year. In your study, what do you see as the biggest changes since last year?
VAN DYKE: Well, the growth rate is certainly the biggest finding. You know, the way in which we are seeing more people being victimized and in this individual empowerment at the same time where you have more people doing things like prosecuting, taking prosecution actions or using various legal means, filling out arrest reports, working with law enforcement on convictions, individuals have to get involved for that kind of result a legal result to happen. And so this individual empowerment message is, like I said, it's getting out there. That had a sharp increase from the previous year. We're also seeing back-end efforts that are translating themselves to a trend that we see in this particular study. Let me explain what I mean by that because for us as researchers it is very interesting to see things like, you know red flag rulings, which called for financial providers to notify consumers in particular ways when addresses have been changed. In a series of connected studies, we've seen that where identity theft occurs there are fewer cases where addresses have been changed. Well, that is direct evidence of banks and technology vendors, service providers getting ready for this legislation to take effect. So even while there is more crime, regulation is working its way through the system. We also see through a separate, say or bank safety score card, that bankers are locking down this information more and are notifying consumers. So we see evidence in the crimes, we see evidence in the back-end systems at the vendor level and the bank level of industry-wide change. So, we can make improvement where we set our mind to it.
FIELD: Now Jim, as you know, we reach beyond financial institutions, and we also have sites for government and for healthcare. When you look at industry in a broad spectrum, what are the biggest trends you are going to be looking at in 2010 in terms of identify fraud?
VAN DYKE: Now, we're going to be looking at healthcare a lot. Now, this is not the area in which we have the greatest losses right now, but we are expecting to see rising losses there. When healthcare fraud does occur, the cases of fraud are much more damaging than a financial crime. Much more damaging by really every metric. Consumer resolution hours, fraud amounts, the face value that the criminal got away with -- that is the amount that industry companies are suffering. There is also the impact of the HITECH act that went into effect last year, and I know you've talked about it on your site, which is really at once it is unique because it gives medical providers -- everything from the local one doctor office to the big healthcare firms -- a financial incentive for putting more records online, and at the same time it stiffens the penalties when they allow a data breach to happen. Now what we think that this problem, this incentive and this at once carrot and stick initiative if you will, is really an opportunity for financial institutions and the tech vendors and the service providers that work in the industry.
FIELD: Given what you've learned about these threats that you've talked about, what do you think the biggest identity fraud threats are to organizations right now?
VAN DYKE: Now, one of the biggest challenges that organizations face is in taking what we call a paternalistic approach to identity fraud. That is some of the financial providers we communicate with and we advise think of identity fraud, these crimes of impersonation, as one in which the victim, the person who is being impersonated, doesn't really have much more to offer. Well, you know, of course, that's part of the puzzle, but the bigger role, the thing that we really need to do more on is viewing these individuals who are either actual fraud victims or are concerned about becoming one, view them as the partner because it's not just a happy face message. That is the way forward on this where we take the two victims, the consumer or it might be a small business owner, who our study found was one and a half times as likely to be a victim of fraud, and the companies. And that is the companies, meaning the banks, like Wells Fargo, one of the other sponsors of the study, Intersection is another sponsor, take those organizations and partner up with the consumer, small business owner, because when they work together you're going to accomplish the most against the criminal.
FIELD: You talked about small business, and you also mentioned healthcare. What do you find to be the types of organizations or even industries that are most at risk right now?
VAN DYKE: Well, healthcare is frankly just a mess. I mean, they need the help of people that have been battling these problems with a much great, you know much more evolved degree of expertise if you will that have been in the healthcare industry. That is where help is needed, and the recent HITECH as mentioned is really only going to just accelerate that need. There is also a need in existing accounts services to provide more advanced alerting capabilities. I mean there is great back-end technologies, things like fraud filters and neuro nets and consolidated ways of presenting account summary data when the customer logs in, but we need to have single fraud fighting systems that treat the individual who might be impersonated the same across all financial institution account relationships centralizing the function, so if you have, for example, loan relationship or investment relationship with a bank, they are treating you as one customer and not several customers across several lines of business. Vendors can play a particularly strong role in that, so it is very interesting to watch a lot of the industry consolidation that is going on among industry vendors that I think the vendors themselves can help banks do a better job of taking a single view of the customer.
FIELD: Well that's a great segue into the question I wanted to ask you next, which is what can organizations and individuals be doing to better protect themselves from fraud?
VAN DYKE: Well it's all about three overall areas of focus, which are: prevention, detection and resolution. So you stop as many of the crimes as you can up front, you detect as many of those crimes as quickly as you can, try to increase that pace of detection, and then you resolve as many of the crimes as quickly as you can. So let me talk about each one of those three. First of all in prevention, stopping the crimes, it is important to separate that into back-end technologies that the consumer or small medium business consumer will never see, as well as the customer involved technologies. You know there is hidden authentication like device recognition. There is the kind of authentication where the consumer might be recognizing a familiar image and certainly adding up tokens, so everything is from the basic to the most advanced. There are all kinds of advanced detection solutions like alerting capabilities that go out through SMS. and you know of course the behind the scenes, the systems that look for pattern recognition and let experts detect fraud before the customer even recognizes it. And there is resolution, and Wells Fargo has something that is somewhat unique. They were certainly the first to roll it out, which is Zero Liability Provision. Just like those you have on credit cards and debit cards for online fraud, so if you become a victim while doing online banking, they cover your losses 100%. There are a lot of banks that don't have that, and I'm sure you and I have both read of those cases where banks have landed themselves in the news because they are asking the customer to foot the bill for a case of fraud that might have been conducted by somebody else. So in summary in all that, because I covered a lot, we recommend that banks focus on those three unique areas, prevention, detection, and resolution, and then apply the overlay of new account fraud and existing account fraud over that. And the reason that is important is you are less likely to have a blind spot that you just missed as you plan your overall budgets and try to set priorities within in.
FIELD: Jim, one last question for you. Looking at this study and the analysis of it, if you could boil it down to a single message about identity fraud, what would that message be?
VAN DYKE: That message is that we need to have more partnership efforts. We need to view this as less of a case where there is some kind of a silver bullet, for example, and the greatest and latest technology, or somehow the regulators will save us from this mess or whatever. It's just not that way. There is no other crime like this because of the fact that you have an impersonator, an individual is being impersonated, preying on companies, and then merchants, banks, processors, all at once. So if we get partnership effort working together and we can solve the problem. Then I would just like to add in on that, don't rule out the potential, bankers, of making money with these solutions. It's not a bad thing. The criminal is the bad guy here, not the vendors, and there are even products ... that consumers are happy to pay for. People pay for protection on things like insurance and other things like that, and people really value the ability to sleep well at night knowing that they have coverage in case they do become a victim of criminal action.
FIELD: Jim, as always, I appreciate your time and your insight. Thanks so much.
VAN DYKE: Tom, we appreciate the opportunity, thank you.
FIELD: We've been talking with James VAN DYKE about the Javelin 2010 Identify Fraud Survey. For Information Security Media Group, I'm Tom Field. Thank you very much.