March 24, 2003

Identity Theft: I Should Be The First To Know

By Russ Jones

Identity theft—the fraudulent use of private personal data and financial credentials—is getting a lot of attention these days. Consumers are concerned and legislators are on the march proposing various regulatory solutions. Since most of the damage is done prior to detection, we argue that it is critical to get consumers involved as early as possible. Consumers are more eager to help than the financial services industry might think.

Protecting Consumers Against Identity Theft

Visa USA recently announced a new truncation initiative that aims to remove account numbers and expiration dates from printed receipts. We applaud this move and give Visa credit for taking steps to—in their words—"protect consumers against identity theft". It's interesting to see Visa's marketing mavens position this change in the context of identity theft. Five years ago, the initiative would have been positioned as an enhancement to consumer privacy. Ten years ago, the very same action would have been trumpeted as a bold move to stem credit card fraud. But today, identity theft is the fraud du jour.

You've no doubt seen the statistics. In 2001, the Federal Trade Commission estimated that 750,000 Americans were victims of identity theft. With a new case every 45 seconds, experts predict that the number of victims will double in the U.S. by 2004.

While stolen credit card numbers might not technically be identity theft, given recent USA Today headlines, you'd have a hard time convincing a consumer victim of such a theft that he or she wasn't a victim of identity theft. If anything, the distinction seems to be blurring. But while both involve the fraudulent use of private personal data, the nature of the crime, the motivation of the criminal, and the ramifications to consumers are far different.

Transaction Fraud

Transaction fraud occurs when someone wrongfully acquires another person's card or bank account information and uses it to fraudulently make purchases or get cash. Thanks to a safety net of banking regulations, consumers in the U.S. are generally protected against substantial financial losses if they can spot the fraudulent transactions and make their case to the appropriate bank within 60 days. The card associations, in the U.S. at least, actually go beyond this and provide consumers in good standing with "zero liability" protection on unauthorized purchases. With no financial risk, the downside of transaction fraud is the time it takes a consumer to straighten out their account, have a new card issued, and reestablish any recurring payment relationships.

While "zero liability" minimizes financial exposure on card transactions made over the association's networks, it does not apply to PIN-based debit cards, ACH transactions, and traditional checks. Signature-based debit cards are covered by "zero liability" protection. But because the so-called check cards pull funds directly from your bank account, your balance might be drained down to nothing before you discover the fraud and start the process to convince your bank the transactions were fraudulent. In the meantime, you still have to pay the rent. This is especially problematic given the exploding popularity among consumers of debit-based payment mechanisms. (See Glenbrook's "Top Trends 2003" report for the implications of this phenomenon.)

To guard against transaction fraud, the banking industry recommends consumers scrutinize their monthly statements closely and promptly report any suspicious transactions.

Identity Fraud

Identity fraud occurs when someone wrongfully acquires and then uses another person's private personal data in a fraudulent way. By leveraging various combinations of, for example, your social security number, address, and mother's maiden name, criminals can open new lines of credit, take out new loans, or hijack existing accounts.

Depending on how soon the consumer detects the fraud, the downside is usually a protracted legal battle to reestablish your financial identity. If you suspect that you have been a victim of identity fraud, experts advise that you start "immediately" repairing the damage before it gets worse. Start by contacting the local police and then, depending on the specifics of the theft, you may need to contact all three of the major credit reporting agencies, the Social Security Administration, the U.S. Postal Service, or the Internal Revenue Service.

Given the work involved, it's not surprising the average identity fraud victim will spend about 175 hours of time, spread over the course of a year, and $1,100 in out-of-pocket expenses repairing the reputation damage wreaked by an impostor (1).

The Nature of Fraud Today

Regardless of the type of fraud, the experts are busy educating consumers on how to minimize the odds of becoming a victim and how to respond once you are a victim. But what makes the problem all the worse is that, as a consumer, you can follow all of the safety recommendations, do everything right, and still see unauthorized activity in your accounts or in your name. There are just too many ways for systems to be compromised.

No matter how well you guard your sensitive financial information you're still more or less counting on every merchant, dentist, and candlestick maker you've ever done business with to also guard your personal information. The problem is that your personal information details are electronically stored in too many databases by too many companies that allow too many of their employees access to your information.

While I give the financial services industry pretty high marks for helping identify many suspicious transactions, no software algorithm can positively spot every bad transaction every time. In today's world, I'm the only person that can tell if a transaction done with my card, my account, or in my name is legitimate or not.

Using my check card as an example, the basic problem is that I only look for fraudulent account activity when I balance my account, which might be anywhere from 15 to 45 days after a fraudulent transaction first occurred. Until I balance my account, or start bouncing checks for insufficient funds, the thief is off to the races with my money!

The industry needs to pay much greater attention to the lag time between when the fraud is initiated and when it is detected. How might we shorten this window?

Get Me Involved

In the case of transaction fraud, the financial services industry is focused on systemically enhancing the payment system infrastructure to make card fraud more difficult. Initiatives like CVV2 and Verified-by-Visa are all steps in the right direction. If adopted across the board by merchants, these initiatives will help minimize card fraud—but not eliminate it. Fraudsters will move on to other types of attacks, just as they have in the past.

Here's an idea. Since I'm the only person that definitely knows if transactions done against my account are legitimate, how about letting me help? Rather than waiting for me to call about a suspicious transaction weeks or months after the fact, I could be spotting them a lot earlier if just given the chance. Just let me know every time a transaction hits my account and I'll let you know if it is bad. Instead of "Computer Aided Design", maybe we need "Consumer Aided Fraud Detection."

But how should I be notified? The best way to integrate this into my daily life is via email. I read and delete a ton of email every day. Just send me a simple little message that says "$34.95 transaction on your United Airlines Visa Card." If it looks suspicious, trust me, I'll investigate.

But why stop at credit card fraud? It would actually be more valuable (because of the risk involved) if I could have real-time notification of debit transactions (both PIN and signature) against my bank account. If I am online, I'd really prefer an instant message. When I get the pop-up message, the odds would be good that I'm not also simultaneously buying a flat screen television at the local electronics store. Trust me, I'd act.

But You Can't Do This!

Because email and instant messaging are inherently insecure, what I'm proposing is probably a violation of one (or more!) banking regulations. Well, those rules are nice, but as a consumer I don't really care. I'm more worried about stopping fraud being performed in my name than I am about someone intercepting a message that says "$35.17 debit to your bank account."

Besides, it's certainly possible to construct an email message that tells me what I need to know without providing more information (e.g., account numbers, etc.) that might be valuable to an interceptor. I'm not asking to have a "legal" statement that could hold up in court as evidence. I'm only trying to get an early warning on account activity that happened without my consent. The email doesn't need to include my account number. I'll really make it easy -- it doesn't even need to have the name of the payee. If I don't recognize the transaction, I'll track down the payee.

Others would be alarmed that by insecurely exposing just the transaction amount, crafty eavesdroppers would be able to assemble my purchasing profile. While this is true, it's no worse than the risk that my book reading habits are being deduced by someone snooping Amazon.com purchase confirmations that are sent to me via email.

Ironically, my bank seems to be the only organization in America that doesn't feel it has the right to send me email. Every other company (and spammer) on the planet seems to think it can send me email on any subject at any time of the day or night.

Just Automate It

Of course, duh, I could just check my own accounts every day using my browser. I could even check them multiple times a day. Some of the card issuers seem to want me to come to their Web site every day. Who are they fooling? I'm not going to do that because it's just way too much work. Why would I want to spend valuable time jumping site-to-site with my browser—reentering username/password credentials each time at each site—when I could just have a heads up sent to me via email?

American Express is starting to take important steps in this direction. Its Account Alerts feature notifies me by email whenever it suspects irregular account activity. While this isn't exactly what I'm looking for—the email messages force me to fumble for my password so I can securely login to their Web site—it is a step in the right direction.

Discover Financial Services is doing an even better job; the company offers cardholders an email alerts capability that sends email notifications on every card transaction over a user-defined threshold. By setting the threshold to zero, a user can be notified on every transaction.

While it's encouraging to see movement in this direction, I still can't get email alerts from my bank. Maybe instead of waiting for the banking industry to provide real-time transaction monitoring for consumers, Yodlee could be enticed to provide this service universally across all financial institutions. Continually polling my accounts for transactions isn't the right way to do this, architecturally, but it's a great way to bootstrap quick adoption. I do worry, though, about Yodlee having all the keys to my financial accounts.

There Is Hope

In the case of identity theft, the major credit report bureaus have all started down this path in the last year. Equifax and Experian both offer email alerts within 24 hours after your credit file changes. TransUnion also offers a similar service, but only provides weekly updates. For individuals concerned with identity theft, these services are all wonderful. Equifax, for example, not only sends email alerts when a credit file changes, but will also send occasional email messages that nothing has changed—and in the case of identity theft, no news is good news.

While a good start, the big three credit bureaus could make their email alert services a lot more effective at combating fraud. I should not only be able to watch my credit file, but various other combinations of my social security number, name, address, and telephone number, and other identity attributes. If someone opens a new account with my name and address but with another social security number, for example, I should be alerted. Bureaus should "unmask" the complexity of this situation and let consumers take control of how their identity attributes are accessed, used, and reported.

All three bureaus now charge a yearly fee for this service, which is made available as part of a larger credit monitoring service. If we're serious about fighting fraud, email alerts should be free to consumers and easy to apply for. Let the bureaus raise the price they charge their customers (the credit grantors) to support this. After all, it's my data. Why should I have to pay to help control its abuse?

Even still, this is quite a turnaround for an industry segment that until recently advised consumers to check their credit file once per year.

My Challenge

I'll be the first to admit that not everyone wants real-time notifications—but I do. Not everyone is worried about financial fraud—but I am. And the number of folks like me seems to be growing exponentially every day. This market of "one" shouldn't be an issue in a world where products and services are increasingly customized to directly meet each consumer's exact needs. Isn't this what "1:1" is really all about?

If made available, I'll bet there would be others just like me that would want to help the financial services industry fight the growing threat of fraud. Instead of paying for such a service, maybe we should get a reward from the banks for providing them with such a valuable service?

Publication History

Initial Publication Date: March 24, 2003