The ‘personally identifiable information’ (PII) of people is extremely valuable; that’s the reason why criminal syndicates work together: to steal PII in data breaches (identity theft). It’s the fuel necessary for the growth of identity fraud; without it, criminals would have a difficult time stealing money from people’s existing financial accounts (account takeover) and fraudulent new accounts (new-account fraud) by impersonating other people.
For more than a decade, identity fraud has been a perennial growth business. According to one estimate, the criminal identity fraud market grew 42% from USD 502.5 billion in 2019, to USD 712.4 billion in 2020, due to unemployment identity fraud during the COVID-19 pandemic. Post-pandemic identity fraud losses are projected to be USD 635.4 billion by 2023.
The theft, sale, and purchase of stolen credit card numbers, along with corresponding account-holder names, CVV numbers, and expiration dates, is also a growth business. Criminals use stolen cardholder PII in ecommerce to commit card-not-present (CNP) fraud. Juniper Research estimates that retailers will lose USD 130 billion over a five-year period beginning in 2018 through 2023.
As a former federal prosecutor and identity theft victim, I believe the financial services industry must re-examine several factors that contribute to the growth of identity fraud:
1. industry acceptance of identity fraud;
2. lack of published industry data about identity fraud and effectiveness of identity fraud solutions;
3. continued reliance on static PII for new-account openings.
Living with identity fraud
To date, financial institutions, lenders, payment companies, and other financial service providers have accepted living with identity fraud as a ‘cost of doing business’ because they do not suffer any financial losses. They have passed the identity-fraud buck to consumers as an expense item recovered through higher prices and interest rates for financial products and services. Only consumers and businesses have been, and continue to be, burdened with identity fraud losses.
Additionally, the major US credit reporting agencies (CRAs) have made a business out of living with identity fraud. Instead of implementing technology and business practices to prevent identity fraud, the CRAs developed a business market to sell consumers and businesses ‘identity theft protection services’ that merely provide paid monthly subscribers with notification of, and remediation assistance for, identity fraud. It’s a market projected to grow to USD 24.9 billion in 2028, from USD 8.9 billion in 2020. As with identity fraud losses, consumers and businesses are, once again, burdened with the cost of remediating identity fraud harm.
The financial services industry should stop making its customers live with and pay for identity fraud losses and identity fraud monitoring. Instead, it should implement identity fraud solutions that have at least a 1:1 return on investment because a 1:1 or better ROI will keep those funds from being diverted from ecommerce to criminals. Moreover, credit monitoring should be free for all consumers, without requiring them to provide more personal data to the CRAs.
Show us the identity fraud data
For decades, the financial industry has not published the annual number and type (i.e. new-account, account takeover) of attempted and successful identity fraud incidents and total year-to-year identity fraud losses. Additionally, major credit reporting agencies (CRAs) do not publish statistics on criminal imposter credit reports and synthetic ID credit profiles within their databases. The ‘known unknowns’ in the financial industry have made it extremely difficult to understand the full scope of identity fraud, develop effective identity fraud solutions, and measure their effectiveness over time.
Estimates of the scope and growth of identity fraud extrapolated from consumer surveys are poor substitutes for actual data from the financial services industry. In fact, consumer surveys are useless to quantify the growth or decline of identity fraud year-to-year, and the effectiveness of various identity fraud solutions.
The financial services industry should be transparent about identity fraud and the effectiveness of various solutions implemented by financial institutions and other financial service providers. Equally important, the data should be shared with regulatory agencies, law enforcement agencies, and within the industry to develop best practices to prevent the growth of identity fraud.
Enhancing static PII with dynamic PII
Never-ending data breaches are the primary source of stolen PII that is posted for sale on the Internet. According to the non-profit Identity Theft Resource Center (ITRC), there were 1,291 publicly-reported data breaches from January through September 2021, exceeding last year’s total of 1,108 data breaches.
Static PII should be insufficient by itself to open new bank accounts and new accounts for loans and lines of credit. Financial service companies need to supplement traditional static PII with dynamic PII, such as behavioural biometrics and device identification.
Helping identity fraud victims
Financial institutions, lenders, payment companies, and credit reporting agencies need to embrace their role as fiduciaries. They must help consumers protect their identities and personal data from global criminals with the best available technologies and practices. Members of the financial services industry should provide direct support for identity fraud victims or, at the very least, support an established reputable non-profit organisation dedicated to helping victims and prospective victims of identity fraud criminals, such as the non-profit Identity Theft Resource Center (ITRC).
This editorial is part of The Fraud Prevention in Ecommerce Report 2021/2022, the ultimate source of knowledge that delves into the evolutionary trail of the payments fraud ecosystem, revealing the most effective security methods for businesses to win the battle against bad actors.
About Tom O’Malley
Tom O’Malley is a former federal prosecutor who specialised in computer hacking and identity fraud cases, and a data breach victim. He retired from a 37-year career as a prosecutor to help people protect themselves from becoming identity fraud victims following data breaches.
About Frozen Pii
Frozen Pii, LLC, operates a public service website, FrozenPii.com, dedicated to making identity fraud protection free and easy for consumers. Frozen Pii contains information and verified links to help people protect their credit reports, federal government identity, and personal data files from criminals.