For consumers, the scariest part of identity fraud is not knowing they've become victims until six months afterward. Businesses facing the threat of legislation can no longer afford to just react to the theft of consumer data. Preventive measures are mandatory for both.
What’s really scary about identity fraud is the final chapter, when victims – not their banks or credit card companies – discover the crime, usually almost six months afterward, with no real advocate to help them argue their innocence and get their money back.
Sometimes, that last chapter has no ending. More than 1 of every 4 victims of identity fraud are unable to resolve their cases after a year of trying, according to a survey by Nationwide Mutual Insurance Co. Even more alarming: 16 percent of victims wind up paying an average of $6,440.
“That shocked me,” says Kirk Herath, chief privacy officer for Columbus, Ohio-based Nationwide. “I was not aware people would be liable for that much.”
They would be in such a hole because a criminal had used their debit card. Unlike credit card fraud, in which individuals are usually off the hook for anything over $50, liability for losses stemming from a stolen debit card can be anywhere from $1,000 to the total amount, regardless of how much.
Account holders are also responsible for all cash transfers, whether they made them or not. As for the unresolved cases, Herath says they usually drag on because of a lack of evidence; credit card companies are suspicious of their own customers acting dishonestly.
“It’s very hard to prove you didn’t do it,” he says.
In total, stealing financial information to make fraudulent transactions has become such a big business -- 9.3 million Americans were victimized for a total of $52.6 billion last year, according to Javelin Strategy and Research -- that Congress is working on new legislation to protect consumers, with similar bills in progress in dozens of states. Some companies are offering services to help victims. Observers disagree on whether the problem should be solved with more technology or less.
The most important step after discovering identity fraud, Herath says, is filing a police report. “If law enforcement has deemed you a victim, that goes far with financial institutions and proves you’re not a fraudster trying to get away with something.”
But police, often in smaller jurisdictions, can be indifferent to identity theft, Herath says, because they aren’t trained in computer forensics. “There’s no uniform way to deal with this at the law enforcement level,” he says.
In the Nationwide survey of 1,097 identity-fraud victims, conducted by MarketTools Inc. in June, 40 percent named either the police, financial institutions or credit issuers as the most difficult to work with while attempting to resolve their case.
Nationwide has launched an identity theft recovery service that will save victims from the hassle of phone calls and letters to banks, credit-card companies, credit bureaus and collection agencies. The company’s survey found that victims spend an average of 81 hours trying to clear their name, spending $581, on average, in out-of-pocket expenses on such things as legal fees, telephone charges, copying and postage, and lost work wages.
Nationwide has sold more than 25,000 of the new $45 annual policies since March to holders of its homeowner, condo and renter insurance. A similar victim’s advocate service was launched this week by the New Jersey Skylands Insurance Association and Affinity Federal Credit Union, Basking Ridge, N.J., for their members free of charge in a partnership with Scottsdale, Ariz.-based Identity Theft 911.
As for the companies in charge of securing the personal data of thousands or even millions of people, a majority of them are treading water without a sufficient plan, simply reacting to the new federal regulations as they are passed, says Trey Guerin, the co-founder and chief operating officer of Network Security Consulting in Columbia, Md. Those regulations range from the Health Insurance Portability and Accountability Act (HIPAA) of nearly a decade ago to the more recent Sarbanes-Oxley and Gramm-Leach-Bliley Acts, with more laws inevitable.
“Now [companies] can no longer afford to do that,” Guerin says.
Guerin believes companies need to start treating information security like any other business function, the same as human resources, sales or marketing. NSC helped Bon Secours Health System, which operates hospitals, nursing care centers and assisted living facilities in nine eastern states, to develop a security program with a core set of requirements that included regulations, information assets, and business procedures.
“Technology is the easy part,” he says. “Cultural and organizational change is the hard part.”
James Van Dyke, the founder of Javelin Strategy and Research, advises his financial institution clients to share more information with their customers when they suspect identity theft. That means sending account holders email alerts if a large amount of money is suddenly withdrawn, or if multiple high-value transactions, especially foreign ones, occur. Wells Fargo heeded his advice this week and introduced just such a service that lists purchases over a certain amount and incorrect login attempts at their online account.
Van Dyke and Nationwide’s Herath agree that consumers should be vigilant about their bank statements. Most people are misinformed about how their personal information was stolen and then used fraudulently (hint: a stolen wallet, dishonest waiter or dumpster diver is more often to blame than the Internet) and those who bank online are less likely to be a victim because they check their accounts more frequently, Van Dyke says. Relying on paper statements through the mail means average losses of nearly $4,000 more, because the extra weeks it takes for the postal mail to be delivered gives crooks more time to spend, literally.
“When it comes to identity fraud and its connection to the Internet, it’s unbelievably misunderstood,” says Van Dyke, who doesn’t expect the incidence of identity fraud to increase next year.
Herath says all of this is not a problem for technology to solve, but simply a matter of unrealistic expectations. Consumers take for granted conveniences like instant credit and don’t seem to recognize the pitfalls – that it’s just as easy for an imposter to open a new credit account, too. The easiest way to change that is to turn back the clock a decade or more and require written signatures on financial documents – and actual human beings to verify them. As a result, applications for credit cards would take three or four weeks, mortgages a week.
“It’s possible to create a more secure system, we just need to slow down,” Herath says. Or, we could keep the instant access but accept three different points of verification, including biometric data like a retina scan or fingerprint – “but it’s extremely expensive and at a certain point it would be a big hassle.”
“People want security, they want privacy, but they aren’t willing to pay for it or wait the extra two to three minutes to get verification,” he says. “There’s a schizophrenic vein in the public. They want complete access to all credit and also be secure.”