By Russ Jones
Identity theft, the fraudulent use of private personal data and financial
credentials, is getting a lot of attention these days. Consumers are
concerned and legislators are on the march proposing various regulatory
solutions. Since most of the damage is done prior to detection, we argue
that it is critical to get consumers involved as early as possible. Consumers
are more eager to help than the financial services industry might think.
Protecting Consumers Against Identity Theft
Visa USA recently announced a new truncation initiative that aims to
remove account numbers and expiration dates from printed receipts. We
applaud this move and give Visa credit for taking steps to, in their
words, "protect consumers against identity theft". It’s
interesting to see Visa’s marketing mavens position this change in the
context of identity theft. Five years ago, the initiative would have been
positioned as an enhancement to consumer privacy. Ten years ago, the very
same action would have been trumpeted as a bold move to stem credit card
fraud. But today, identity theft is fraud du jour.
You’ve no doubt seen the statistics. In 2001, the Federal Trade Commission
estimated that 750,000 Americans were victims of identity theft. With
a new case every 45 seconds, experts predict that the number of victims
will double in the U.S. by 2004.
While stolen credit card numbers might not technically be identity theft,
given recent USA Today headlines, you’d have a hard time convincing a
consumer victim of such a theft that he or she wasn’t a victim of identity
theft. If anything, the distinction seems to be blurring. But while both
involve the fraudulent use of private personal data, the nature of the
crime, the motivation of the criminal, and the ramifications to consumers
are far different.
Transaction fraud occurs when someone wrongfully acquires another person’s
card or bank account information and uses it to fraudulently make purchases
or get cash. Thanks to a safety net of banking regulations, consumers
in the U.S. are generally protected against substantial financial losses
if they can spot the fraudulent transactions and make their case to the
appropriate bank within 60 days. The card associations, in the U.S. at
least, actually go beyond this and provide consumers in good standing
with "zero liability" protection on unauthorized purchases.
With no financial risk, the downside of transaction fraud is the time
it takes a consumer to straighten out their account, have a new card issued,
and reestablish any recurring payment relationships.
While "zero liability" minimizes financial exposure on card
transactions made over the association’s networks, it does not apply to
PIN-based debit cards, ACH transactions, and traditional checks. Signature-based
debit cards are covered by "zero liability" protection. But
because the so-called check cards pull funds directly from your bank account,
your balance might be drained down to nothing before you discover the
fraud and start the process to convince your bank the transactions were
fraudulent. In the meantime, you still have to pay the rent. This is especially
problematic given the exploding popularity among consumers of debit-based
payment mechanisms. (See Glenbrook’s "Top
Trends 2003" report for the implications of this phenomenon.)
To guard against transaction fraud, the banking industry recommends consumers
scrutinize their monthly statements closely and promptly report any suspicious
Identity fraud occurs when someone wrongfully acquires and then uses
another person’s private personal data in a fraudulent way. By leveraging
various combinations of your social security number, address, mother’s
maiden name, for example, criminals can open new lines of credit, take
out new loans, or hijack existing accounts.
Depending on how soon the consumer detects the fraud, the downside is
usually a protracted legal battle to reestablish your financial identity.
If you suspect that you have been a victim of identity fraud, experts
advise that you start "immediately" repairing the damage before
it gets worse. Start by contacting the local police and then, depending
on the specifics of the theft, you may need to contact all three of the
major credit reporting agencies, the Social Security Administration, the
U.S. Postal Service, or the Internal Revenue Service.
Given the work involved, it’s not surprising the average identity fraud
victim will spend about 175 hours of time, spread over the course of a
year, and $1,100 in out-of-pocket expenses repairing the reputation damage
wreaked by an impostor (1).
The Nature of Fraud Today
Regardless of the type of fraud, the experts are busy educating consumers
on how to minimize the odds of becoming a victim and how to respond once
you are a victim. But what makes the problem all the worse is that, as
a consumer, you can follow all of the safety recommendations, do everything
right, and still see unauthorized activity in your accounts or in your
name. There are just too many ways for systems to be compromised.
No matter how well you guard your sensitive financial information you’re
still more or less counting on every merchant, dentist, and candlestick
maker you’ve ever done business with to also guard your personal information.
The problem is that your personal information details are electronically
stored in too many databases by too many companies that allow too many
of their employees access to your information.
While I give the financial services industry pretty high marks for helping
identify many suspicious transactions, no software algorithm can positively
spot every bad transaction every time. In today’s world, I’m the only
person that can tell if a transaction done with my card, my account, or
in my name is legitimate or not.
Using my check card as an example, the basic problem is that I only look
for fraudulent account activity when I balance my account, which might
be anywhere from 15 to 45 days after a fraudulent transaction first occurred.
Until I balance my account, or start bouncing checks for insufficient
funds, the thief is off to the races with my money!
The industry needs to pay much greater attention to the lag time between
when the fraud is initiated and when it is detected. How might we shorten
Get Me Involved
In the case of transaction fraud, the financial service industry is focused
on systemically enhancing the payment system infrastructure to make card
fraud more difficult. Initiatives like CVV2 and Verified-by-Visa are all
steps in the right direction. If adopted across the board by merchants,
these initiatives will help minimize card fraud, but not eliminate
it. Fraudsters will move on to other types of attacks, just as they have
in the past.
Here’s an idea. Since I’m the only person that definitely knows if transactions
done against my account are legitimate, how about letting me help? Rather
than waiting for me to call about a suspicious transaction weeks or months
after the fact, I could be spotting them a lot earlier if just given the
chance. Just let me know every time a transaction hits my account and
I’ll let you know if it is bad. Instead of "Computer Aided Design",
maybe we need "Consumer Aided Fraud Detection."
But how should I be notified? The best way to integrate this into my
daily life is via email. I read and delete a ton of email every day. Just
send me a simple little message that says "$34.95 transaction on
your United Airlines Visa Card." If it looks suspicious, trust me,
But why stop at credit card fraud? It would actually be more valuable
(because of the risk involved) if I could have real-time notification
of debit transactions (both PIN and signature) against my bank account.
If I am online, I’d really prefer an instant message. When I get the pop-up
message, the odds would be good that I’m not also simultaneously buying
a flat screen television at the local electronics store. Trust me, I’d
But You Can’t Do This!
Because email and instant messaging are inherently insecure, what I’m
proposing is probably a violation of one (or more!) banking regulations.
Well, those rules are nice, but as a consumer I don’t really care. I’m
more worried about stopping fraud being performed in my name than I am
about someone intercepting a message that says "$35.17 debit to your
Besides, it’s certainly possible to construct an email message that tells
me what I need to know without providing more information (e.g., account
numbers, etc.) that might be valuable to an interceptor. I’m not asking
to have a "legal" statement that could hold up in court as evidence.
I’m only trying to get an early warning on account activity that happened
without my consent. The email doesn’t need to include my account number.
I’ll really make it easy — it doesn’t even need to have the name of the
payee. If I don’t recognize the transaction, I’ll track down the payee.
Others would be alarmed that by insecurely exposing just the transaction
amount, crafty eavesdroppers would be able to assemble my purchasing profile.
While this is true, it’s no worse than the risk that my book reading habits
are being deduced by someone snooping Amazon.com purchase confirmations
that are sent to me via email.
Ironically, my bank seems to be the only organization in America that
doesn’t feel it has the right to send me email. Every other company (and
spammer) on the planet seems to think it can send me email on any subject
at any time of the day or night.
Just Automate It
Of course, duh, I could just check my own accounts every day using my
browser. I could even check them multiple times a day. Some of the card
issuers seem to want me to come to their Web site every day. Who are they
fooling? I’m not going to do that because it’s just way too much work.
Why would I want to spend valuable time jumping site-to-site with my browser, reentering
username/password credentials each time at each site, when I could
just have a heads up sent to me via email?
American Express is starting to take important steps in this direction.
Its Account Alerts feature notifies me by email whenever it suspects irregular
account activity. While this isn’t exactly what I’m looking for (the
email messages force me to fumble for my password so I can securely log in
to their Web site), it is a step in the right direction.
Discover Financial Services is doing an even better job; the company
offers cardholders an email alerts capability that sends email notifications
on every card transaction over a user-defined threshold. By setting the
threshold to zero, a user can be notified on every transaction.
While it’s encouraging to see movement in this direction, I still can’t
get email alerts from my bank. Maybe instead of waiting for the banking
industry to provide real-time transaction monitoring for consumers, Yodlee
could be enticed to provide this service universally across all financial
institutions. Continually polling my accounts for transactions isn’t the
right way to do this, architecturally, but it’s a great way to bootstrap
quick adoption. I do worry, though, about Yodlee having all the keys to
my financial accounts.
There Is Hope
In the case of identity theft, the major credit report bureaus have all
started down this path in the last year. Equifax and Experian both offer
email alerts within 24 hours after your credit file changes. TransUnion
also offers a similar service, but only provides weekly updates. For individuals
concerned with identity theft, these services are all wonderful. Equifax,
for example, not only sends email alerts when a credit file changes, but
will also send occasional email messages that nothing has changed, and
in the case of identity theft, no news is good news.
While a good start, the big three credit bureaus could make their email
alert services a lot more effective at combating fraud. I should not only
be able to watch my credit file, but various other combinations of my
social security number, name, address, and telephone number, and other
identity attributes. If someone opens a new account with my name and address
but with another social security number, for example, I should be alerted.
Bureaus should "unmask" the complexity of this situation and
let consumers take control of how their identity attributes are accessed,
used, and reported.
All three bureaus now charge a yearly fee for this service, which is
made available as part of a larger credit monitoring service. If we’re
serious about fighting fraud, email alerts should be free to consumers
and easy to apply for. Let the bureaus raise the price they charge their
customers (the credit grantors) to support this. After all, it’s my data.
Why should I have to pay to help control its abuse?
Even still, this is quite a turnaround for an industry segment that
until recently advised consumers to check their credit file once per year.
I’ll be the first to admit that not everyone wants real-time notifications, but
I do. Not everyone is worried about financial fraud, but I am. And
the number of folks like me seems to be growing exponentially every day.
This market of "one" shouldn’t be an issue in a world where
products and services are increasingly customized to directly meet each
consumer’s exact needs. Isn’t this what "1:1" is really all
If made available, I’ll bet there would be others just like me that would
want to help the financial services industry fight the growing threat
of fraud. Instead of paying for such a service, maybe we should get a
reward from the banks for providing them with such a valuable service?
Initial Publication Date: March 24, 2003