May 11, 2004

MasterCard has two primary programs to prevent customer-data breaches and credit card fraud related to online transactions. One is a Web site data-protection program that helps merchants and their banks protect against hackers and other electronic compromises by performing vulnerability scans to identify and plug holes in their security infrastructures. The program, which generally costs less than $2,000 a year, is mandatory for merchants and banks and is subject to a number of compliance conditions. The other is MasterCard's SecureCode, a software plug-in that merchants can add to their sites for use by their customers and the card issuer. At checkout, a pop-up box asks a customer to enter a personal identification code that is provided and verified by the card issuer, guaranteeing the transaction for the merchant. MasterCard also requires third-party vendors that might possess merchants' customer data to participate in breach-prevention education, says John Brady, VP of merchant fraud control.

If a breach occurs, MasterCard does everything it can to minimize the fraud and reduce the chances of having to reissue a card by bringing in a remediation contractor to assess the damage, Brady says. "Risk remediation is key for us. We go in with a professional third-party company, we look at the system to see what the vulnerability was and everyone involved goes through the process with the info-security vendor to determine which risk-remediation option makes the most sense," he says.

Brady and Shaughnessy are well aware that breaches will occur despite the most ambitious efforts to prevent them. The key is reacting quickly. "We understand when one of these breaches happens," Brady says. "But if a security hole leads to the breach, the risk needs to be mediated quickly and effectively."

Avivah Litan, VP and research director of financial services at Gartner, says the credit-card industry's own research predicts triple-digit growth in compromises. "It's getting worse," she says. "Crooks are getting much more aggressive and sophisticated, and it's easy to breach the systems. Viruses, Trojan horses -- there are all types of ways to get passwords and get into the system. Everyone is vulnerable." And there isn't an easy answer. Litan estimates that only 10 percent of companies encrypt credit card data, but it's for a reason. "It's hard to encrypt data and then use it in an operational environment -- it's very resource-intensive," she says.

Some companies use technology to spot fraudulent activity more quickly and stop the damage. It's an approach that accepts that, no matter how much work companies do to secure their systems, identity and customer-data theft is here to stay. "The problem is like a water balloon -- when you squeeze hard in one spot it gets ready to burst somewhere else," says one financial services executive who asked not to be named. Last year, his company installed a service from startup ID Analytics, which spots fraudulent applications submitted to financial, cell-phone and utility companies. ID Analytics claims its service spots fraudulent applications -- up to 40 percent more -- missed by the anti-fraud systems already in place at those companies.

ID Analytics says that last year it studied more than 200 million credit applications -- including 10 million suspected or known fraudulent applications -- collected by credit-account issuers, retail banks and wireless-service firms to spot the similarities among phony applications. It used this database to develop pattern-recognition software to help companies reject or investigate suspect applications. Since utilities, phone companies and credit-card providers that subscribe to the service feed their data into ID Analytics' system, it's possible to spot potentially fraudulent activity that crosses company borders. For instance, a person planning a fraudulent act may set up a phone number and address on one day and then apply for a car loan. ID Analytics' software can analyze the data from those multiple sources and develop what it calls an ID Score. The company says more than 70 variables on credit applications have proven valuable in spotting suspicious activity. "It's been working very well for us," says the financial-services exec. "It's caught fraudulent activity we otherwise might not have identified right away."

The availability of technology that can better spot fraudulent activity and fight identity theft is good news, but it's little comfort to those whose identities and personal information have already been swiped. Lawmakers hope that tougher laws and prison sentences for hackers and identity thieves and tougher security regulations can slow the spiraling growth of identity theft (see story, "New Laws: Identity Thieves Could Face Stiffer Penalties"). And many companies are working to improve their security and do what they can to lock down customer data. "We're always on the lookout for the next threat," says Bob Justus, senior VP of corporate information security and IS/IT contingency at Union Bank of California.

Guilbert, whose bank account was almost breached, is looking out for the next threat, too. She's in the process of placing a fraud alert on her credit files, and she's eyeing her credit reports for any suspicious activity. She's not certain what the future may hold, or whether the attempt to scam her ATM card is the end of her situation or the beginning of an identity-theft nightmare. For her upcoming birthday, Guilbert has a new gift request: a paper shredder. Says Guilbert, "What else can I do?"