• United States



by Jame Cofran

Identity Theft Unmasked

Jan 08, 20048 mins
CSO and CISOData and Information Security

In today’s world, nothing (or no one) is as it seems – clearly evidenced by the growing identity theft and fraud crisis. Gartner cites that ID theft in the U.S. is up 79 percent year-on-year, while TowerGroup states financial institutions are losing more than $1 billion a year due to fraudulent loan applications resulting from identity theft. According to the Federal Trade Commission (FTC), nearly 5 percent of American adults have been victims of identity theft within the past five years nearly 10 million adults as victims in the past year alone.

Acts of fraud are damaging to everyone involved. Not only are they extremely irritating to the victims themselves, who often experience lengthy frustrations in clearing their names, but they are costly and embarrassing to businesses and government organizations. In fact, identity theft can cause a single business millions in losses each year. Today, identity theft costs U.S. government and businesses an estimated $48 billion per year while costing consumers $5 billion. Government losses, specifically, are skyrocketing. In 2002, the state of California alone paid $280 million in fraudulent unemployment insurance claims more than tripling its losses due to fraud since 2000.

It’s a daunting challenge that businesses and government agencies are taking very seriously: These organizations must implement solutions to protect their customers as well as their own assets. Unfortunately, businesses can simply no longer trust that their customers are who they say they are.

To tackle the problem, organizations must find sophisticated ways to thwart those who seek to steal the identities of innocent customers and citizens. Given the right tools, it’s certainly possible to stem and even begin to prevent the insidious threat of identity theft. By implementing a series of technical and non-technical solutions-and a healthy dose of common sense-CIOs can protect their organization from this rapidly escalating crime.

YOU Are At Risk

No industry is safe from identity fraud. Of those reporting such thefts to the FTC, 42 percent are victims of credit card fraud, while 22 percent fall prey to telecommunications or utility fraud and 17 percent are victims of bank fraud. Other types of fraud include obtaining fraudulent loans in the victim’s name, using the victim’s personal information to obtain employment, and using personal information to apply for unemployment benefits or tax refunds.

One of the fastest-growing areas for identity theft is government. It’s relatively easy, experts say, to access enough information to claim to be the citizen owed a tax refund or unemployment benefit payment. In some cases, tax preparers have actually blatantly stolen the identity of their customers for their own gain. But perhaps the easiest and most prevalent way to steal a citizen’s identity is by applying for a driver’s license in his or her name. Once a thief has access to the victim’s Social Security Card, birth certificate or other identifying documents, it’s relatively simple to accomplish. And once the thief has been issued a driver’s license in the victim’s name-with the thief’s photo ID attached, he has carte blanche to perform many more fraudulent acts in that citizen’s name.

Attacking the Attackers

Today, there are a host of ways CIOs can attack the problem through technology. One method gaining favor among many organizations is the implementation of a real-time identity authentication framework that enables organizations to examine transactions as they occur, compare them to management criteria, and apply a variety of identity verification processes appropriate to the risk of the specific transaction. Such a system rates the various types of transactions provided by the organization, assigning varying levels of risk to each. Based on the ranking, the system requires a specific level of identity authentication.

A comprehensive identity authentication system will first confirm that the identity being used is a real identity and that no known fraud is associated with the identity. The system will then verify that the person presenting the identity is in fact the rightful owner of the identity by asking questions that only the rightful owner of the identity could answer. Customer queries should be based on a wide range of data sources, including customer information files, geographic data sources, multiple credit bureaus, residential information, and biographical information.

The more risky the transaction, the more types of different authentication “factors” your system should require. Factors include verifiable information about who you are, what you have and what you know. If the transaction is fairly risky-such as a “customer” requesting a change of address (often the first step for identity thieves)-your system might require at least a two-factor authentication: some combination of verifying information about who you are, what you have, and what you know. Positive identification factors highlighting who you are may include biometrics such as iris scanning and fingerprints, while questions about what you have may include producing a digital certificate. Questions should always include information only the rightful owner of the identity could possibly know. Implemented properly, such a system could reduce identity theft by up to 30 percent within a given organization.

Other, less costly steps also can be taken-often with information and systems organizations already have in place. Most organizations, for example, can make better use of the access to data they already own. Take the example of a customer accessing her 401K account online. To reach her statements, she is asked two simple questions: her mother’s maiden name and her zip code. Based on that information, she is allowed access to her account. But by asking such simple questions, organizations are missing the boat, as most identity thieves can easily gain access to such simple information. Instead, these institutions could dig more deeply into their customer data, ask more difficult questions, and thereby make it more difficult to penetrate the account fraudulently.

Non-technical solutions also can go a long way toward preventing identity theft. One example: Before investing in any technology or engaging in initiatives to prevent fraud, clearly articulate how the organization plans to balance the agendas of key stakeholders (risk managers, customer satisfaction managers, and revenue managers). Doing so will help prevent fraud initiatives from failing because key stakeholders don’t have a clear or binding strategy.

In addition, CIOs should institute common-sense controls and procedures. Take the wireless industry as an example. Often, customers purchase wireless plans from mall kiosks through agents or brokers who aren’t employees of the company. Because the agent is compensated by the number of wireless plans he sells, he isn’t motivated to ensure that the account is properly identified and validated. It may make more sense, in this case, to find a way to make the agent somehow accountable for checking for fraud. Other common sense actions include consulting your organization’s internal “known fraud” databases and reviewing credit bureau reports for consumer alerts and fraud alerts. If any suspicious information is found, the organization can require extra verification. In addition, all transactions purchased on bank or retailer credit cards can be reviewed frequently, using existing technology, to detect high-dollar and high-risk purchases and address changes.

Finally, classify identity theft correctly. All too often, when a company is unable to collect on a delinquent account, they simply write off the loss as bad debt. In fact, the account might have been opened fraudulently by an identity thief and the loss may more accurately be attributed to theft. Because the company didn’t see the problem as identity theft, they can’t attack it as identity theft.

Getting it Right

Even if you do everything right, there are still some common pitfalls that can waylay your best efforts at controlling identity theft. Common pitfalls to avoid include:

  • Risking customer satisfaction through lengthy processes. If you are handling a relatively non-risky transaction, make the process quick. Otherwise, you may annoy your customer. If, for example, you require a customer checking her bank balance to fax in documentation and answer seven questions a process that takes 25 minutes you haven’t deployed a fraud strategy commensurate with the risk. In the process, you have probably irritated the customer, possibly losing her forever.
  • Not addressing all channels. Let’s say a consumer can apply for a credit card on paper, over the web or through a call center. If you secure one of those channels but fail to secure the other two, it won’t take very long for identity thieves to find your weakness and flow to the channels with the least resistance. Don’t make the mistake of stopping fraud in one channel, only to push all fraudulent traffic to another channel.
  • Underestimating the fraudsters. Fraud tends to change continuously in response to the protection instituted by businesses and government agencies. Consider fraud prevention an ongoing battle.
  • Ignoring internal employees. As hard as it may be to believe, much of the identity theft taking place today is performed by employees who have access to customer information. Make sure you have methods and procedures in place to detect internal fraud.