Digital DNA. Perhaps the last and best hope in the battle against ID fraud – the kind that brings ruin to credit reports and billions of dollars in losses to card companies and merchants.
News Monday that the Consumer Financial Protection Bureau has walked back from a full-tilt investigation into the Equifax breach brought to mind the personal data of hundreds of millions of people that is now floating across the Badlands of the Dark Web.
And so the latest installment of Data Drivers could not be more timely, as PYMNTS’ Karen Webster and GIACT EVP of product David Barnhardt delved into how identity fraud has progressed, where it might be headed and what conscientious consumers and companies can do in a brave new world where losses are in the billions and victims are in the millions.
Barnhardt related that with the advent of chip cards in the United States, fraudsters have been looking for new avenues through which to continue their criminal enterprises. The data is out there now, more than ever before – and, as he said, all stakeholders need to be proactive in the battle.
“As consumers, what do we need to do to start to be diligent in protecting ourselves?” he posited. “We need to take a stand to help with the monitoring of credit.” And as consumers become ever more aware of the dings to their individual reports, they are holding companies accountable, he said, when they go to sign up for credit or get goods or services.
Complacency is a real danger here, said Barnhardt: The overarching mindset is that “people think ‘it can’t happen to me’ – and then there is the other end of the spectrum, where ‘I’m scared of everything’ and ‘I’m scared to interact with any [monitoring] service’ … they just do not trust it.” He noted that in all the news reports detailing the ravages of identity theft, one thing is notably missing: A list of free services – from the government and elsewhere – that can help individuals monitor whether they have been compromised and how to protect themselves.
But here’s a problem: What to do when the bad guys have been concocting identities from far-flung sources, where a pastiche of data comes back to haunt the unwitting via charge-offs and debt collectors, months and years after the fact? Some sobering stats follow.
Data Point Number One: 13 Percent
This is the percentage of new account fraud victims who discover they are, well, victims when they are contacted by a debt collector. That’s a long runway of fraud before accounts get to the collections stage – and, as Barnhardt noted, can be viewed as a worst-case scenario for a consumer, offering a strong case for credit report monitoring.
“As a consumer, there is no worse feeling than when you are excited to obtain an item that requires you to sign up for and obtain credit, only to find that you are a victim of fraud. And then you have that impending doom as a consumer knowing that you have to go out and try to overcome this event,” he told Webster.
Thus the value of a practice such as those deployed by GIACT, where identity is ascertained before the charge-off takes place, and companies find out if they approved a fraudulent enrollment to begin with. This saves time and effort, not to mention frustration from the consumers who come back later, with charge-offs in hand, for purchases they never made.
“A lot of companies are finding they have great discrepancies,” he told Webster. “We like to say the truth is buried in the details.”
He recounted an incident with a prospective client (now a client) where all the details seemed above board, ranging from driver’s license numbers to Social Security numbers. Yet a GIACT identity test revealed no fewer than 590 applications where Social Security numbers were used to open accounts for people who were deceased. In fact, the dates of death preceded the dates of the credit applications. In other signs of synthetic identity, said the executive, the date of birth was issued many years after the Social Security number.
Welcome to the jigsaw-like nature of synthetic IDs, where the puzzle is constantly changing.
As Barnhardt told Webster, GIACT is seeing incidents where the bad guys will use the Social Security numbers of children or will cobble together names with far-flung addresses, with yet another person’s date of birth.
This differs, of course, from “true name” fraud, where fraudsters will use a Social Security number and date of birth from an actual living person.
Typically, in the past, he said, the bad guys would change the address so the victim would not be tipped off that someone had made off with their identity.
But in recent years, as the methods of constructing synthetic identities have improved along with technology aids via mobile devices, true name fraud has also become more robust – using the name, address, date of birth and Social Security number, with the cell phone number and the email address being the only two changing data points. Thus the need for data inputs that come from social media and other sources, where the tell can be the fact that the cell phone number does not jibe with those other bits of information.
Data Point Number Two: 15.4 million
This is the number of consumers were the victims of identity theft in 2016.
“That we know of,” countered Barnhardt, who said that the way we think of identity proofing needs to change, and change quickly.
“I look at an application as what a consumer gives you, and then you need to have that truth behind it,” said Barnhardt, “the facts of the information that you are being provided.”
Details need details – in short, ascertaining who owns the Social Security number, when it was issued and whether it corresponds with that person’s date of birth, along with email addresses and other avenues of information to solidify identity proofing.
Existing systems at most companies are not well-equipped to handle synthetic fraud, said Barnhardt, as they are based on models that take into account events that a business has already encountered, whether they are good or bad ones. Companies that rely on artificial intelligence alone are relying on systems that are only as good as the data that is fed into them.
“A lot of times, they don’t feed their identity models, or their AI, with enough data to make a truly informed decision,” said Barnhardt. Now, companies are starting to scramble to get their hands on more, and varied, data, to have something to compare and contrast.
That seems especially urgent when the average loss due to identity fraud comes in at $15,000, said Barnhardt – and a huge jump in the number of days the bad guys are getting away with the crime, from 94 days in 2015 to 131 days in 2016.
Data Point Number Three: $6 billion And 20.7 million Hours
Call this a two-fer of the most unfortunate kind.
This first number is the amount the credit card industry lost in 2016 via charge-offs tied to synthetic identity theft, and then there is the time spent on the part of consumers and companies trying to resolve the damage wrought by stolen information. Talk about an expensive problem.
Barnhardt predicted that $6 billion in credit card charge-offs is actually higher, as initially the companies assumed those charge-offs to be consumers just not paying off their open credit lines.
But, he said, once consumers find out that negative charge-offs marks on their credit reports are in fact not attributable to them, and then come back to the card companies, that number likely goes up.
But with appropriate measures in place to verify ID before the charge-off, reinvestigations – that would be, of course, the other data point, tied to the 20.7 million hours in investigation time – comes down. In this case, time really is money, Barnhardt said.
Effective identity proofing comes down to a form of digital DNA, of “managing the customer lifecycle with factual data, and understanding if you are dealing with the person you think you’re dealing with … it’s really the culmination of everything we can put together about a consumer or even a business that can tell a complete identity picture.”