There's a good news/bad news scenario in the results of Javelin Research's latest identity fraud survey released today: although this type of crime is growing (by 12% in 2009), it's growing less quickly than it did in 2008 (a scary 22% during that tumultuous year) and identity fraud cases are getting reported and resolved more quickly. One aspect of the speedier resolutions is improvements in bank technology such as fraud detection.
According to the 2010 Identity Fraud Survey Report, 11.1 million U.S. adults were victims of identity fraud in 2009, while the total annual fraud amount increased by 12.5 % to $54 billion. Average fraud resolution time dropped 30% to 21 hours, and nearly half of the victims file police reports, resulting in double the reported arrests, triple the prosecutions, and double the percentage of convictions in 2009. The identity information most likely to be compromised in a data breach is full name (63%) and physical address (37%). Health insurance information has been targeted at a year-over-year increased rate of 4%. The percentage of Social Security numbers compromised decreased to 32% from 38% in 2008.
"Identity fraud goes up when economic health goes down," says James Van Dyke, founder and president of Javelin, in an exclusive interview with Bank Systems & Technology. "It's almost a perfect correlation. Criminals are doing more than they've ever done before and they're motivated more right now than ever before."
The survey found an increase in stolen checking account numbers and health information documents and that small business owners suffer identity fraud at 1.5 times the rate of all other adults.
Van Dyke describes identity fraud as a unique crime because often it's interconnected criminals stealing data from family and friends. In 13% of cases, he says, the victims know the identity of the perpetrator. "The closer people are to you, the more they have an advantage because you're looking at a crime of impersonation," Van Dyke explains. "The service provider has to try to use as many legitimate ways as possible to confirm your identity."
On the bright side, this survey and other research Javelin has done prove that banks' fraud-fighting technology works much better than it did a year ago. A case in point in Wells Fargo, which was a co-sponsor of the survey.
"We know that because of all the tools we have in our layered security approach, as well as through relationships we've built with other banks, the actual losses we're seeing (and we guarantee all online banking fraud losses) has actually dropped year over year," says Teddy de Rivera, executive vice president of the Internet Services Group at Wells Fargo, in an exclusive interview. Although he couldn't share numbers, he said online losses at his bank are relatively small.
Wells Fargo's fraud detection systems profile customers' online behavior and monitor it the way credit card fraud detection software analyzes card purchases — any unusual payments or actions are flagged. If a customer logs in from a new location, uses a different computer, changes his bill pay pattern or suddenly makes more or higher payments, those would all be signs of potential fraud. "We're able to detect and discover fraud, get in touch with customers and make sure that we validate before we let payments go through," de Rivera says. While the software Wells Fargo uses to detect online banking fraud is very similar to its card fraud detection tools, it's more effective because the bank has more data about online banking. "We're all creatures of habit, so typically when someone goes in to do online banking, they tend to do a lot of the same things," he says. "We have visibility into all of that information."
The bank has also been rolling out out-of-band two-factor authentication it calls Advanced Access. "If you're setting up a new payment to move money from your BofA account to your Wells Fargo account, the tool asks you to put in a one-time code that we text to you or send via voice alert," de Rivera explains.
But customers have some responsibility to protect their own information, he points out. "The most important thing consumers can do is monitor their bank account and make sure there are no unusual actions," de Rivera says. They can do this by making frequent use of mobile banking and reading the SMS and email alerts the bank sends about account activity such as a low balance or an unusually large payment.
Although a customer who receives frequent email alerts could become susceptible to phishing (whereby the customer opens an email that he thinks is from his bank or some other trusted source and unwittingly gives a criminal the information to access his computer), Wells Fargo educates its customers to recognize and avert this type of fraud. "The basic advice we give is that the bank will not ask you for sensitive information over the phone or through a text message or email," says de Rivera. "That's one of the most important things consumers should know." The bank instructs customers to call the number on the back of their ATM card, go to the bank's official website or walk into a branch if they're not sure about a communication from the bank.
Comparing notes with other financial institutions has also been extremely helpful to Wells Fargo, de Rivera says. The bank is a founding member of the Identity Theft Assistance Center and an owner (along with Bank of America, BB&T and JPMorgan Chase) of Early Warning Services, a company that collects and shares banks' fraud data. "If a fraudster is doing things over at BofA or at Wells, we share some of that information and intelligence," de Rivera says. "That's very powerful because the fraudsters like to play the banks against each other. Sometimes we're able to spot the bad guys by the devices they come in with."
The methodology for the Javelin study was originally created by the Federal Trade Commission, which still uses its results. The research firm phone-interviewed 5,000 U.S. adults aged 18 and up. They were asked 50 questions such as, how they know their information was compromised (of those who do know), how it was used in actual fradulent transactions, what are they doing to protect themselves, and how long did the crime go on.
About one in 20 U.S. adults — 4.8% — believe they were victims of identity fraud in 2009. This year, like every other year, credit card fraud was the most common type of fraud. However, credit card fraud is also the least costly to consumers, Van Dyke points out, because their financial providers make them whole.
New account fraud is on the rise; it accounts for about a third of all fraud cases. "These are the most damaging types of fraud," Van Dyke says. "They typically have higher dollar amounts and if somebody establishes an account in your name, you're less likely to know about it." The number of fraudulent new credit card accounts increased to 39% of all identity fraud victims, up from 33% in 2008. New fraudulent online accounts opened more than doubled over the previous year. This year for the first time, the survey asked about new mobile phone account fraud; 29% of victims said they experienced this.
One finding of the report that surprised de Rivera was that millennials (consumers aged 18 to 24 years old) take nearly twice as many days to detect fraud, compared to other age groups, and thus are fraud victims for longer periods of time. Millennials were found to be the least likely group to monitor accounts regularly and take advantage of monitoring programs offered by financial institutions. "We monitor the stuff that a lot of people are putting on social networking sites like Facebook," he says. "People have to be circumspect about what they put out on their Facebook page." For instance, people can unintentionally reveal personal information via Facebook or Twitter the phishers could use to send realistic-sounding messages to them.