Credit Card Fraud Is Down, But Account Fraud That Directly Hurts Consumers Remains High

This article is more than 5 years old.

Javelin Strategy & Research has some good news about fraud, and some that’s not so good. First, credit card fraud has dropped from $8.1 billion in 2017 to $6.4 billion in 2018. Forgive the consumer who shrugs — under federal regulations most of those losses were borne by banks.

Fraudsters have shifted their focus to account takeover and new account fraud — using accounts in someone else’s name to buy goods, take out loans or even take out a mortgage. While the numbers of account takeover have declined from $5.1 billion to $4 billion, new account fraud rose slightly from $3 billion to $3.4 billion, well above levels as recently as 2016. Unlike card fraud, account fraud can hit consumers directly with financial losses and/or months or years of recovering identities and correcting credit records.


Fraud has also moved to new areas such as merchant debit cards and prepaid cards, reward programs and takeover of mobile phone accounts — businesses which generally do not have the level of account security that banks have implemented.

“While the decrease in card fraud rates is undoubtedly good news for victims, fraudsters have turned their attention to opening and taking over accounts,” said Al Pascual, senior vice president, research director and head of fraud & security at Javelin Strategy & Research. “As financial institutions and other organizations modernize their account opening processes, it is paramount that they incorporate tools like document scanning, behavioral risk assessments, and digital identity to streamline the process for applying online or on mobile devices while challenging fraudsters.”

The report notes the disparity in account security, and the impact of fraud on individuals, at companies that have not had the experience, and perhaps the regulatory consumer protection requirements, that financial institutions have lived with for years.

“With comparatively limited experience with fighting fraud, these organizations have had little reason to invest in the tools, tactics, and personnel to effectively prevent, detect, and resolve fraud. For victims, this means a long, strenuous, and frequently expensive path to regaining control of their identity.”

Javelin found that credit monitoring and identity protection services proved valuable in alerting individuals of fraud undertaken in their name.

“In 2018, the most common way new account fraud victims detected that accounts had been opened in their name was through notification from a credit monitoring or identity protection service…. With the most pronounced growth in loan products such as mortgages, car loans, and HELOCs (Home Equity Line of Credit), victims are much less likely to stumble upon the fraudulent accounts on their own, and the organizations holding the loans are less likely to have a clear way to contact victims directly.”

The Friends and Family Plan common in promotional pricing works in fraud too. Fraud perpetrated by someone the victim knew more than doubled from 7% of fraud to 15%, with 51% of new account fraud victims reporting they personally knew the individual committing the fraud. Addressing, much less prosecuting, familiar fraud is difficult because victims often don't want to hurt the fraudster but then wind up with the financial loss.

"With few victims willing to file a police report implicating a friend or relative in a fraud scheme, many familiar fraud victims have a difficult time proving the activity was fraudulent and consequently end up footing the bill," the report said.

While EMV chips have sharply reduced counterfeit credit cards at the point of sale (POS), e-commerce fraud where the card is not present (CNP) for the sale grew twice as fast as POS fraud, said Eric Kraus, vice president of fraud management at FIS.

One area fraudsters are going after is loyalty and reward points, he added. “Organizations that provide those services are starting to understand the need for best practices for cards like real-time interrogation of requests as they come in, thorough review of fulfillment orders and multi-factor authentication on mobile apps you have tied to your loyalty account.”

The industry is increasing its collaboration to fight fraud, Kraus added.

“We are seeing a lot of collaboration in the industry, collaboration led by large issuing banks and processors and issuers — sharing data and intelligence across various organizations. What we are very bullish on, especially on e-commerce account openings where we might not get a lot of physical documents, is a robust digital identity, a digital identity that would follow you around as a consumer and leverage biometric, device ID data and geo-spatial information to pull it all together to represent you wherever you are opening an account.”

Criminals can easily find as much information as they need to open an account at many businesses, Pascual said.

“The problem is that many organizations still have a very remedial means of verifying identity. They look at name, address, date of birth, Social Security number and try to verify they belong to one person and that the person is real, and then they move it further on in their process. That is the extent of their identity verification. There’s a lot of opportunity to leverage digital channel capabilities — device data, location and behavior of the applicant in the web session.

“There are a lot of vendors in ID verification and proofing and I think we will see more because it’s not something we have solved for effectively. It’s a giant hole criminals are driving their trucks through. If I can’t steal cards, the next best option is taking another individual’s information and getting a card sent to me.”

Kraus said some firms are reinforcing their new account security by stringent monitoring of new accounts for 60 to 90 days after they are opened.

Criminals have found that merchants are pretty poor at authenticating customers, Pascual said, because they are relying on user names and passwords and don’t use a lot of strong multi-factor authentication.

“So criminals are taking huge password lists and testing them against merchants to see if the password compromised from one place will get them into another merchant. Then they can set up an alternate shipping address. Some merchants flag those and some don’t. So you could have goods shipped to a UPS store or buy online and pick up in the store. That’s a growing problem because merchants try to make the experience seamless and they don’t do a good job checking IDs. They try to have the store staff stay out of the way, and that makes a soft target because online security is pretty weak.”

The industry is making it easier for consumers to protect themselves, with services like deactivating a lost debit or credit card from a smartphone, restricting access to credit bureaus and real-time event notification, Kraus said.

Unlike many European countries, the U.S. does not have a national identity registration, Pascual said, although last year Congress passed legislation which allows the Social Security Administration to verify a Social Security number being presented to a permitted entity, like a bank.

He expects more verification programs will be driven by the private sector.

“FIS has thousands of bank clients. If they can build a digital identity platform it will have enough users behind it that we can expect it to be pretty pervasive and multiple industries can rely on it,” he said.
