ID Fraud Costs on the Rise
New Study: Schemes Harder to Detect, More Expensive to FixWhen it comes to anti-fraud solutions, the industry made the least progress in its fight against new-account fraud, which is directly linked to ID fraud, says James Van Dyke, president and founder of Javelin. "Our biggest gains were in existing-account fraud, so we made a lot of gains in having fewer ID fraud victims last year. Unfortunately, we made the biggest gains in the crimes that have the least impact on consumers and banks themselves. This new account-fraud area is one that needs a lot of renewed focus."
While Javelin found that the number of ID fraud incidents dropped 28 percent from 2009, when ID fraud reached an all-time high, in 2010, the expense associated with recovering from ID fraud increased 66 percent.
"I think the weight of solving the problem will ultimately fall on the banks, because the criminals go where the money is. Criminals don't make money in identity fraud unless they turn it into cash," James Van Dyke says.
Consumer fraud trends suggest financial institutions will be looked to for increasing leadership in the fight against ID fraud, says Steve Schwartz, executive vice president of Consumer Services for Intersections, which partnered with Javelin for the study. But consumers will be asked to bear more responsibility as well.
"From our point of view, more of the consumer point of view, it goes back to a partnership between the financial institutions and the consumers," Schwartz says. "There is a significant amount of identity fraud that is a result of things that happen at a bank or other financial institution. They absolutely need to do a better job of verifying people's identity before they open accounts. ... But, on the other side, the proliferation of malware and phishing attacks, and people transacting and doing business online and not protecting their computers, this shows that the consumers have a responsibility as well."
But consumers have been reluctant to take much responsibility, Schwartz says, because they are not responsible for fraud losses. "Zero liability sometimes creates zero accountability in consumers," he says.
ID fraud prevention requires a partnership between the financial institution and the consumer. And that is creating opportunities for banks, Van Dyke says. "So many things go on every time a legitimate transaction happens that the consumer isn't even aware of," he says. "Then you have all these new types of consumer-adopted solutions, like identity-protective services and people signing up for online banking alerts and all those things. What we rarely see, though, is a connection or integration between those two."
Van Dyke says the future of fraud-detection should be built around integrating a bank's back-end solutions with the solutions consumers are already investing in. That kind of integration could open new revenue streams for banks and the services they offer.
During this interview [transcript below], Van Dyke discusses:
- How Javelin defines ID fraud and its connection to identity theft;
- Why consumers, financial institutions and law enforcement face increasing challenges;
- The correlation between ID fraud and the stability of the economy.
James Van Dyke is the president and founder of Javelin Research & Strategy. Before founding Javelin, Van Dyke served as research director of Jupiter Media Metrix, heading all financial services and payments offerings. He also has worked for Hewlett Packard, Ultradata [acquired by Harland] and CCI/Triad. Van Dyke has presented before the U.S. House of Representatives, and his viewpoints reach more than 30 million individuals each year through print and broadcast media around the world. He holds a bachelor's degree in management and a master's degree in business administration.
TRACY KITTEN: Identify fraud, according to Javelin Strategy and Research, incidents of identity fraud saw a drop in 2010, but expenses associated with identity theft and fraud nearly doubled. How can incidents decrease and expenses increase? I'm here today with James Van Dyke, president and founder of Javelin, and Steve Schwartz, executive vice-president of Consumer Services for Intersections, which partnered with Javelin for the study.
James, Javelin has released results from its annual identity fraud survey. How long has Javelin produced this report, and how is the information for the report collected?
JAMES VAN DYKE: Tracy, this is actually an eight year study. The first year, the study was actually deployed by the Federal Trade Commission and we wrote a report on the results. We took that study over and have now been doing it for seven subsequent years. So, it's an eight-year longitudinal study.
Defining 'ID Fraud'
KITTEN: The focus of the report is ID fraud. How do you define ID fraud and does it include identity theft as well as other types of fraud?VAN DYKE: Tracy, that's a great question. There is so much confusion around that, so I'm so happy you opened with that. We use definitions that were actually established by Congress and the Federal Trade Commission, and used throughout law enforcement. Some bankers don't like the term "identity theft," and, frankly, we're not so crazy about it either; because it means so many different things to many different people. I would say, that we used definitions that are widely used throughout law enforcement.
So, we talk about any transaction that involves impersonation by a criminal of some individual, where an actual transaction was conducted. Since new account fraud involves a criminal who establishes a new account, sometimes bankers call that identity theft; sometimes they call it something else. We also include existing account fraud, and there could be card fraud within that as well. So, there is a wide variety of industry terms; but I think the best way to bring on a standard definition, so we are all on the same page, is to think about criminals taking over someone's identity to open new accounts, which is sometimes called identity theft, as well as getting a hold of existing account credentials, whether that's online or through traditional channels.
KITTEN: James, when it comes to breaking all of these different types of fraud down, how did you work with financial institutions to ensure you were getting the right kind of information?
VAN DYKE: Well, we actually don't get the information from financial institutions at all. We sometimes do get information from financial institutions, but I think what gives this report such tremendous credibility is that we don't go to the banks at all to get this data. We certainly learn a great deal from bankers, because when we build the definitions and understand how they fight fraud everyday and how they work with partners at the intersections to go into the blind spots, like detecting new account identity fraud. But we actually go directly to consumers. We call them on a random basis, using a nationally representative build-up of individuals within the United States that we reach by telephone. We get low-income individuals, people who are not on the Internet, and, of course, people who are on the Internet. We reach out to over 5,000 people every year to find out what their experience is with existing-account and new-account fraud.
KITTEN: And, Steve. Could you give us a little background on how you view ID fraud, and tell us how Intersections worked with Javelin on this study?
ID Theft Connects to Fraud
STEVE SCHWARTZ: Sure, our viewpoint on ID fraud is very similar to Javelin, and that is one of the reason we've been partners for a number of years to provide this survey. For us, it starts with an ID theft, which is some theft of information. It may or may not ever become fraudulent; but as soon as a criminal does anything with that information, from something as simple as taking your credit card number and charging a fraudulent transaction to it, to opening up new accounts and creating synthetic identities, all of that is encompassed in the term identity fraud.Intersections has been in this business since 1996. We've been providing consumers with the information that they need and can use to monitor things that are going on in their financial life that they might not be able to otherwise get their hands on in a speedy manner or, sometimes, even at all. Because the only way to tell that you are a victim of fraud, other than having an institution that has said you are in debt, is to catch it upfront and see your information as it is being used, hopefully as quickly as possible, so that you can shut it down. Then the consequences are not quite so bad. We have to tell people, you actually can't prevent identity theft. You can protect yourself against it, and you can do things to make sure that you catch any instances early, but there is so much information out there, it's almost impossible to prevent.
Incidents of ID Fraud Drop, Losses Increase
KITTEN: James, you noted in the introduction that while the number of ID-fraud-related incidents affecting consumers actually decreased from 2009 to 2010, the expenses associated with ID fraud recovery have increased. How is that possible?VAN DYKE: It is a surprising divergence of direction. In short, as you pointed out, there are fewer fraudulent transactions being committed in individuals' names in the U.S., when compared with the previous year, and yet the average individual in the U.S. paid more. There was a sharp increase of about $1 million total in more out-of-pocket cost being paid for by individuals. These are people that will choose to leave their bank, because they have a worsened image of their bank, so it's very costly.
The reason for the divergence relates to a very significant shift inside the numbers within the types of identity fraud that are being conducted. So, remembering that identity fraud or fraudulent transactions committed in somebody else's name is a combination of new-account fraud and existing-account fraud, each of these kinds of fraudulent transactions have unique cost impacts to individuals. There are fewer fraudulent transactions going on within, for example, credit card transactions that the honest individual had legitimately established. Those are typically the more innocuous crimes. They have the lowest cost. However, there were more fraudulent transactions as a proportion of the total that make up what we call new-account fraud, or what some in the industry call identity theft. Those typically have the worst impact, in terms of out-of-pocket costs, and Steve talked about resolution time and so forth. So, there were more, as a proportion of the total, of the worst crimes remaining and fewer of the innocuous crimes remaining.
ID Theft and 'New Account' Fraud
KITTEN: Let's talk about new-account fraud and some of the losses. New account fraud, and the losses associated with it, was the most prevalent form of fraud. Can you give us some idea about what is causing new-account fraud? Why is it difficult to detect, and why is it exceptionally damaging to consumers?VAN DYKE: We're seeing more new account fraud, we believe, because there are, as Steve mentioned, more records floating out there. What is interesting is to see some of the trends that often go unnoticed within the industry. There actually were fewer data breaches, but what we see is that criminals are really digging in to try to use whatever information is remaining, even with fewer data breaches. And one thing that contributed to that was a higher proportion of friendly fraud cases. So, sadly, more criminals were preying on individuals who are close to them, friends or family members. We also saw that there was a higher percentage of cases where older Americans, who are new to the social media bandwagon, were failing to take advantage of privacy settings on social media; so it's possible that some of that information, which could be your pet's name, your birth date, were being revealed on social networking sites, which could contribute to more new-account fraud.
SCHWARTZ: You know, there is another piece in there, too, that makes it harder for criminals to attack your account, and that piece relates to alerts. As you sign up at new banks, many people set up alerts on their accounts, so that when actions occur on their account, a withdrawal over $500, a foreign transaction, they get alerts from their bank. You know, when somebody is opening a new account in your name, not to state the obvious, but you're not getting alerted. So, you don't know until something bad has happened that you have a new account in your name. That is the other reason it takes longer to detect this kind of crime.
KITTEN: I actually have a question for you, Steve, that relates to the lag time between when a fraudulent incident occurs and when it is detected. In 2009, the average ID theft incident was identified within 59 days; but in 2010, ID theft took longer, on average, to identify. Now it's taking about 68 days to catch. Do you attribute that delay to the point that you just mentioned, about alerts and that perhaps we depend on those alerts too much?
SCHWARTZ: Well, I do. It's a combination of things. The fact that pure credit card fraud is lower is the other side of that coin, because we get alerted to that because we set up those alerts on our accounts. I may have something on an alert that says, if more than $250 is taken out at one point in time, alert me. That makes the detection time much faster. On these new accounts, you don't have those kinds of settings; so, yes, I absolutely think that is the reason why that number has changed like that.
KITTEN: And, James, what is your perspective?
VAN DYKE: I think there are more individuals who need to be notified, who need to have advanced notification methods using a lot of new technology; but it's difficult right now, and individuals can't get the information that they often want. Individuals want to take a more active role in their identity, but it is tough to roll out the new technology to make that possible; so we end up with this glaring blind spot, where individuals just can't get real-time information. They can't set controls easily when they go to another country. What we see is that sometimes easy-to-use technology hasn't caught up with consumers' desire, and, as a result, you have these blind spots remaining, and criminals are sometimes able to move more quickly than the banks, law enforcement and the individual identity holders.
KITTEN: James, I'd like to talk a little bit about some of the trends that stood out, based on the historical data. You've said that this particular study has been published for the last seven years, this being the eighth year. So, you've got a lot of historical data to do some comparisons e. Relative to some of those previous years' results, what stands out the most?
Less Retail Spending = More ID Fraud
VAN DYKE: One thing we found very interesting was that identity fraud and fraudulent transactions, within both new accounts and existing accounts, has a very, very slow decline. Every year, it seems like we're seeing about a tenth of a percentage point decrease, if you take away the last couple of years. But we see as a strong correlation over the last couple of years to markers of economic health, and what was most shocking was to see how retail sales levels are almost a perfect inverse correlation. In short, what that means is that when there is less retail spending, there is more identity fraud; and it applies in the same way to criminals right here in the U.S. and to the highly organized, international criminal groups. There are always two crimes in every identity fraud. Steal the data or access the data, and then fraudulently transact with the data. These are complicated and personal crimes, and so we're seeing a correlation that as you get worse in economic health, you get more identity fraud, and vice versa.KITTEN: And Steve?
Consumers Reveal Too Much PII
SCHWARTZ: It's going back to basics. You know, criminals are still using the basic PII [personal identifiable information] that is out there on people: name, address, and Social Security number. They are getting it in more sophisticated ways, but that kind of information floating out there is what is really helping them perpetuate these crimes. In the end, that is kind of information is all you need to set up a financial account somewhere. Once you have that, and if you pair that with some of the social activity, as James said, it's relatively easy. Consumers need to be more aware and more vigilant of the information that is out there and who they are giving it to. To me, as I look the trends, that is one of the things that I picked up on. The basic information is causing all the trouble.KITTEN: When we look at the findings, what do they tell us about lacking fraud-detection measures?
Bankers Can Educate Consumers
VAN DYKE: One of the challenges that we have in fraud detection is that it's difficult for highly motivated individuals to get information that they to stay on top of what is going on with their identity record. They have difficulty keeping up with the potential for fraudulent new account opening, or the potential for unauthorized activity within an existing account, like a bank account or a credit card account. We see from separate research that individuals desire to access this information in a very easy-to-use way, but this practice of being able to give individuals more information is very difficult for bankers in the changing technology realm of social media and mobile. New methods of authentication and the methods criminals use are evolving their methods all the time. It is really tough give people control. So, what I see as our opportunity is to give people the control they want, really focus on usability and focus on education.SCHWARTZ: From our point of view, more of the consumer point of view, it goes back to a partnership between the financial institutions and the consumers. I don't know that I've seen any hard stats, but there is a significant amount of identity fraud that is a result of things that happen at a bank or other financial institution. They absolutely need to do a better job of verifying people's identity before they open accounts for them and issue credit, etc. But, on the other side, the proliferation of malware and phishing attacks, and people transacting and doing business online and not protecting their computers, this shows that the consumers have a responsibility as well. Unfortunately, I think a lot of the advertising around zero liability sometimes creates zero accountability in consumers, and I think that we, as consumers, have a responsibility to make sure that the e-mail that we are reading is legitimate, or that we have the software protection necessary to keep malware and viruses off our machines so that somebody can't steal our information while we're typing banking information into the browser. Then, couple that with the ability to get the ability of the banks to get more information into the consumer's hands. I think that both are viable and consumers can choose what they think is the best way to go about protecting themselves.
VAN DYKE: Steve, if I may just add something to integrate with your message, and that is that one of the challenges we see in all this new technology is that we have more users getting more empowerment through new technology and mobile, social media, all that stuff. With more people doing online banking, I see twin silos evolving, where you get banks that are using great back-end technology, which includes absolutely vital stuff like fraud filters, neural nets, back-end authentication. So many things go on every time a legitimate transaction happens that the consumer isn't even aware of. It's all part of frictionless fraud. That's all great, but then you have all these new types of consumer-adopted solutions, like identity-protective services and people signing up for online banking alerts and all those things. What we rarely see, though, is a connection or integration between those two. What I believe the future will hold around detection, Tracy, back to the original question, is that consumer detection and bank detection will be best when we integrate the back-end solutions with the solutions that consumers are already gravitating toward.
KITTEN: James, that actually answers one of the questions, which is, how can consumer education efforts be improved? It sounds like the industry is doing all that it can, when it comes to consumer education. It's just going to come down to more of those integrated solutions that will actually help to take us to the next level.
SCHWARTZ: Yeah, actually the industry is doing a number of things. There is, I think, from an education, always more they can do, but they have stepped forward with groups like ITAC, the Identity Theft Assistance Corporation, which is sponsored by the banks for education and also for resolution. We also have the Identity Theft Council, which is a local, community-roots-based organization that will help with education and resolution at the community-bank level. All of these different kinds of efforts that take place through communities and community banks, and also the larger banks, just need to get the message out to more people to make them more aware of the problem and the problems that can occur if they are victimized. Education will help get people to be more vigilant. There is always more you can do, but they really do have a lot of back-end systems and some front-end systems, too. There is always more, but it's really education that can help.
VAN DYKE: ID fraud changes so much every year. It evolves very fast. Bankers and the technology companies that provide the solutions make all of this work, to make sure they are up to date on the way that criminals have evolved their methods. If you have identity fraud, new-account, existing-account and card fraud, and you're addressing it based on the way criminals were attacking a year ago, then you're probably missing some opportunities, because it does evolve very quickly. So, that was the purpose of this study, to make sure people are up-to-date with how fraud is changing so that they can keep up with the criminals and protect the consumer.
SCHWARTZ: The criminals are really smart, and we have smart people in institutions, too. The difference is they don't have to play by the rules. It is a constant job to keep up with what is going on and the new things, especially on the electronic side, that criminals are using to get your information into their hands.
Fraud in 2011
KITTEN: Do you expect ID fraud to increase in 2011?SCHWARTZ: I don't know on a percentage basis if it's going to get better or worse. I do know that it's not going away, and I think James made a great point in that it is constantly evolving. And so it is really hard to put your finger on it, and that is what makes it such a difficult crime to really corral. I do think that it will continue to live on, and I think there will be increases in categories; whether it increases as a whole or not, I don't know, but I do know that it will continue on.
VAN DYKE: It is always tough to predict the future in any kind of accuracy, but if we look at this eight-year trend line, outside the awful last two years, economically, we've been through, we're seeing this very slow but significant decline; yet, still, 3.5 percent of everyone in the U.S. is being victimized by fraud, approximately 37 billion in total. It adds up to an awful lot of fraud. We're hoping for just steady losses.
KITTEN: Going back to some of the grassroots efforts that both of you mentioned about some of the community organizations that you're working with, I wanted to know what you collected or what kind of insights you were able to gather. When you talk to some of the consumer respondents, are they aware of legislative and grassroots efforts aimed at combating ID theft and ID fraud?
VAN DYKE: We didn't see in our study a significant amount of consumer awareness on work that various agencies are doing. They are certainly aware that there are law enforcement agencies here to help, but we also see that consumers have gotten a little bit burned out on going to law enforcement. The challenge we see there is that law enforcement themselves don't get timely information. So, one of the things we're doing through this study, thanks to co-sponsors like Intersections, is giving free copies of the full study to any qualified law-enforcement agency. That is important, because you see some well-intended efforts that kind of make us cringe a little, like paper-shred days. If that is your big message in fighting fraud, then we have a long way to go. It's not a good idea, because, for example, you should be telling people to turn the paper off so you have nothing to shred in the first place. Get it out of the mailboxes and protect your computers. Consumers are a bit handicapped, because they don't get clear information; they don't get consistent information and independent information.
SCHWARTZ: Javelin did the survey. We didn't get to talk directly to the consumers, but I would just tell you that the grassroots efforts are in their infancy, and there are a significant number of people out there who are passionate about this -- about educating consumers and getting the message out through sponsorships and social media efforts.
KITTEN: We've talked quite a bit about how we define ID fraud. When we look at the financial industry, a lot of the onus falls on the financial industry to catch. What steps should financial institutions be taking to help prevent ID fraud, and do you think financial institutions will be leading the charge against ID theft and ID fraud?
SCHWARTZ: It's an interesting quandary, because what financial institutions really can do is make it harder to open up an account. More verification means more waiting time, and the problem is that their job is to open up more accounts. So, it is a little hard for them. I think they are honestly interested in reducing fraud, but I think they are struggling with that conflict there. I'm not really sure what the final answer is. It's just not a simple solution. I think people often think it's relatively simple to overcome this, and I don't think that is the answer. I think people sometimes oversimplify it. It is a very complex problem with a lot of implications across many industries.
VAN DYKE: I agree with your thought that the weight of solving the problem will ultimately fall on the banks, because banks are ultimately where criminals are going. Even if the method of criminal's identity fraud centers on some secondary method, they still ultimately have to liquidate that transaction, so to speak. They are buying evincible goods through an existing credit, or, increasingly, a debit, card transaction, like office supplies or flat screens or whatever, and they still have to somehow turn that purchase into cash, which brings it right back to the bank. Ultimately, criminals don't make money in identity fraud or security incidents, unless they can turn it into cash. There is just a handful of methods, actually, that criminals can use that convert bad behaviors into cash. So, again, the purpose of this study is to help banks stay up-to-date on the latest methods. If a consumer is paying extra to protect their identity, which I think a lot of people should, who better to get those solutions from than their financial institution, particularly as banks are trying to find fee replacement strategies? Take the best of new technology, like mobile, for example. I'm really excited about mobile and it's potential to help arm and deputize the consumer; but, of course, I'm very concerned about how things could go very wrong as well. Banks ultimately need to lead this charge.
New-Account Fraud Needs Attention
KITTEN: And in closing, when we look at some of these results, what you would like to share with the audience about the report and its findings?VAN DYKE: I think there is a lot of opportunity around identity fraud, to beat back these crimes. Identity fraud has grown a lot in the last decade or so because we've had frictionless commerce. With frictionless commerce, you get more frictionless fraud. We need to think about brand protection and how we could be creating new forms of revenue. We need to look at fraud holistically, by understanding how it is changing and realize that the consumer is very motivated to take an active role. Get people involved, because those individuals are fighting a common enemy on the part of the banks.
SCHWARTZ: The truth is, I'm thrilled that crime is coming down, because it means two things. It means that on the institutional side, people are more aware. They are taking more actions. They are doing a better job of preventing fraud upfront, and it also means that consumers are starting to gain awareness. So, criminals are still trying to perpetrate the fraud, but the fact that it is actually dropping means that the work we're all doing is actually doing some good. The products and services we recommend and sell are helping to prevent and reduce some forms of identity fraud. Some of them are going up, but others are not. To me, when I look at this report and see the decrease, I think that is good.
VAN DYKE: The challenge that the industry faces is that the area in which we made the least progress is in new-account fraud. Our biggest gains were in existing-account fraud, so we made a lot of gains in having fewer ID fraud victims last year. Unfortunately, we made the biggest gains in the crimes that have the least impact on consumers and banks themselves. This new account-fraud area is one that needs a lot of renewed focus.