2009 Identity Fraud Report: James Van Dyke, Javelin Strategy & Research
This is the news from the fifth annual Identity Fraud Survey Report from Javelin Strategy & Research. In an exclusive interview, James Van Dyke, Javelin founder and President, discusses:
TOM FIELD: Hi. This is Tom Field, Editorial Director with Information Security Media Group. I'm talking today about the 2009 Identity Fraud Survey Report that has been released by Javelin Strategy and Research. Here to talk about that report is James Van Dyke, President and founder of Javelin Strategy and Research. Jim, thanks so much for joining me today.
JIM VAN DYKE: Thanks. I'm glad to be here.
FIELD: Jim, you've got your report out in its fifth consecutive year.
VAN DYKE: Yes.
FIEL: It's probably the most comprehensive survey produced on the topic. What are the big headlines this year? And I guess my follow up to that is, what kind of surprises did you find?
VAN DYKE: Yeah. This is the most comprehensive and rigorous study on the subject of identity fraud, by the way, which is a study that we believe, in looking at financial services and payments research of all kinds, that this is absolutely the most misunderstood topic that exists, on how people manage their financial affairs, whether that's institutions or consumers. We had a number of interesting findings this year. First of all, for the first year since we've been doing this work, which, we picked up on the Federal Trade Commission's original study in 2003, and expanded that methodology. For the first year since we picked upon that study, way back in 2004, identity fraud has reversed course and gone up. So, I think the industry, overall, was surprised at the whopping nature, the whopping size of identity fraud, back in the early part of the new millennium, but we beat it back strongly, and what we have seen, though, is that in a tough economy, criminals have gotten more desperate, so it' reversed course, and for the first time, it's going back up.
FIELD: Wow. So, Jim, if you sort of look at it as the classic good news/bad news scenario, what's the bad news in this year's report?
VAN DYKE: Well, the bad news is that the consumers are spending more time resolving their affairs, which results in banks losing relationships and having to deal with ill will on the part of consumers. And, you know, this is probably going to drive spending back up. It's, you know, for example, some of the implications of this are that the average consumer now spends 30 hours - the average fraud victim consumer, I should say - spends 30 hours resolving a case of identity fraud. And by the way, we define identity fraud as any time there is a transaction committed in another person's name, that is, using another person's identity without their authorization. So, it was written into law by congress and the FTC, is this identity theft definition. We don't call it that, but this is a broad category that includes everything from one-time fraudulent transactions, for example, a credit card account, to complete account takeovers and new account establishment. And in these cases, you know, where victims are spending 30 hours having to resolve their affairs, of course, they tell everybody they know, they have a lot of bad feelings, they've invested specific time, and they'll never forget about it. As a result of the impact, it's so dramatic that 15% of all consumers leave their current credit card provider - of all victims, again - leave their current credit card provider, 17% leave their current bank of credit union, and 40% of people who are victimized through a debit card get a new relationship.
FIELD: Wow. Okay. Flip side. What's the good news from this year's report?
VAN DYKE: Well, the good news from this report, or from this year's report, is banks are doing more than ever. It's, uh, you know ... they're beating back fraudsters. You know, if it had not been for great industry efforts that we see efforts of, in spades in this report, and we're talking about it a lot in the popular media as part of this release is that we see clear evidence of banks doing a better job than years before. Translated, that means, with more fraud cases in this tough economy -- and we think the two are correlated -- that if banks weren't doing the good job that they are doing, and security vendors that market solutions to banks and issuers and other institutions, and merchants, then we would have seen much, much higher losses. So, for example, consumer out-of-pocket costs, this year, went down to just under $500. That's the amount of actual dollars that the consumer had their load lightened by once they became a fraud victim. And you have $500, and some people say, with zero liability laws and most banks reimbursing consumers who have a, say, a DDA fraud experience, since most fraud is from a DDA or a credit card account, why are people paying anything? It just doesn't seem believable. But, we know that number is absolutely reliable, because in the extreme cases, people are victimized by friends, so called, family members, other people that they may not want to press charges against. There are crimes that go on for a long period, in which people just finally say, "I give up. I can't unravel this. You're asking me too many questions." So, that average fraud amount - or, I'm sorry, that average consumer cost is going down. The average fraud amount, that is, the amount that the criminal at least initially got away with, is going down. And, amidst the disturbing trends, we see that there are fewer cases where the criminal was able just to have their way, if you will, with changing all kinds of individual fields within an account. In the case of .... And of course, they're committing fraud, like PINs, addresses, and other personal information like that, that criminals like to do.
FIELD: Now, Jim, one of the things that struck me in the results was the, the headline that women are more likely to be victims of identity fraud. Why is that?
VAN DYKE: Yeah. You know, along with finding that fraud is on the increase, this was probably the other most surprising finding. We just didn't see this one coming. You know, going along with this trend, we dug deeper into the data and our cross-tabs and all those things that research companies do, and what we saw was that women, their fraud cases linger for a longer period of time. They're not using electronic monitoring methods, like e-mail alerts, and even, in some cases, mobile alerts. They're not using it, they're not taking advantage of technologies that actually can make people safer, to the degree that men are. And, we just don't think that they're probably being educated and aware, and potentially, as self-reliant as they could be, as men, who might be more comfortable with technology, just from what we see in other research data, as well. So, we need to get people comfortable with the advantages of using new technology. And, it's even interesting to see how this shows up with online shopping. Men use online shopping more, and women use more in person purchases more. What does that have to do with it? Well, through electronic methods, you actually have more control. If you're a properly educated and equipped customer, you use the right tools, and you know what you're doing. So, we think there's a real behavioral disparity. Criminals have taken advantage of it, and we need to reverse it.
FIELD: That's interesting. Now, in the course of this conversation, you've mentioned banking institutions a couple of different times. What do you find to be sort of the big news for financial institutions, and what do they need to be watching most closely now?
VAN DYKE: Well, you know, they need to be watching for multi-channel crimes. It's easy just to obsess about the electronic crimes, for example. You know, very well-intended CISO's can think about identity fraud and just say, "Oh, that means I need to step up against cyber-attacks and, you know, the latest form of phishing and vishing [ph] and everything else." You know, the impersonation crimes, where they didn't have a form of social engineering and all that. Well, you know, there's an awful lot of low-tech crimes, as well. And, low-tech crimes tend to have higher dollar impact than high-tech crimes, particularly because the perpetrator is someone closer to you. So, our point is, be agnostic. You know, be aware of all the channels that criminals use, because they do use all the channels, and they don't have this bias towards technology. They use them all. There are more attacks electronically, but there are more successes and higher dollar damage for the traditional crimes. Look at them both, and realize that the cross-channel crimes we have been reporting on for several years, is on the rise. That is, you steal data through one channel and you use it in another. Maybe the theft channel was the traditional one, and the transaction was electronic. That's often the case. But sometimes it's the reverse, steal the data online, and then write a paper check. Who knows? And also, and we go into this a lot in our banking safety scorecards, we look at comparing the features that banks have, and there's a lot of very specific mandates in there for banks, that can improve their safety. Working with the willing customer is very important, and I'll touch on just a couple of areas. One, there is this fallacy that says, completely unsupported by data, even though I hear people, quite frequently, they'll say things like the following, "Consumers don't want to be involved in their own security. They just can't take the time. They can't be effective at it, even if they are willing to get involved, they just can't do anything right, they can't follow instructions." You know, research data just doesn't support any of that. In fact, it speaks just the opposite. People will leave your institution for another one if they are not allowed to be involved in their own safety. They can be just as effective in great technologies like [indiscernible]. And, you know, why buy an expensive technology that tries to mimic the mind of the accountholder, when you've got an accountholder that is dying to get involved in their own security. Our point is, use the best of great back end security technologies, and there are some great ones out there, with the best of consumer willingness, because one out of two fraud cases are first detected by your customer, and if you don't let them get involved, they'll go somewhere else.
FIELD: Jim, did this survey uncover any new data on the insider threat, or is that something you didn't deal with here?
VAN DYKE: We did deal with it. Insider threats, you know, they're among the toughest to study, and yes, we did go into this area, but one of the challenges of the area of insider fraud is that if information was exposed by, say, a bank, or maybe even a merchant employee or somebody else, that it's probably a little less likely to have more information known about it. So, yes, we do ask about it, and there are cases where victims know about it. It shows up on our data. It shows the percentage of cases of crime attributed to that. Having said that, though, this is one in which it's a little more insidious. And when people, when perpetrators are found out, probably doing a complete post mortem with that person is part of the terms of agreeing on jail time, and that sort of thing, is particularly vital, and the industry needs to work together, then, to compare data from those interrogations.
FIELD: Yeah, that makes sense. Now, the other constituency that strikes me is the government. You know, you've got a captive audience, it would seem, in Washington right now, with the new administration. It's going to be very much paying attention to these issues. So, I guess the question is, what is the news to the government regarding potential legislation and regulation about these issues?
VAN DYKE: Yeah, that's another great question, you know, because the financial services industry is doing a good job, even though crime is rising, they're holding down the amounts, they're holding down the consumer costs, even though you have a much more motivated criminal element, because we are dealing with tough economic times. And so, banks are taking some good steps. And, yet, we saw in our data years ago, early alarm bells, if you will, to financial institutions, for things that later on became regulation, so people need to pour into the results of the study, and say, "What actions do I need to take?" This study, the scorecards, and others, all help people do that. And there are backend technologies and the customer-involved technologies that can be applied. There's just dozens and dozens of them. But, you know, one example of how we predicted what later became a regulation that we are now all dealing with was address changes, you know, the red flags ruling. We saw several years ago, before it was even talked about, that criminals were using address changes as part of their perpetration of fraud. And, we also saw from another study that they weren't notifying consumers at the original address when an address had been changed. So, will we see more regulatory action? Well, I think we have a pro-regulation environment right now, in general. Obama has already said we can expect more regulation, as part of his campaigning efforts. Will that extend to this? I'm not going to be a proponent of a lot of big changes in this, because we see a lot of good work going on.
FIELD: Jim, one last question for you. If I could ask you for a bottom line, what are the key risks that financial institutions and consumers need to be watching out for in 2009?
VAN DYKE: You know, multi-channel fraud and ignoring the customer are the biggest risks that are out there. So, multi-channel fraud, criminals will often use multiple channels, and so you need to have an approach of trying to make sure you're not blind to a criminal that stole the data through one channel and used it through another. But, that you are integrating all departments that are fighting fraud, as well as trying to mitigate it on the back end, through technologies that the consumer will never see and shouldn't see. So, good technologies, like fraud filters, neuron nets, and behind the scenes authentication and device fingerprinting, and all those other areas. Great stuff. Also, keep working with your customer. They will go somewhere else if you don't let them. Just as important, they can make a difference in the battle. And so, if you've got this highly motivated, free resource, that is one of your current customers, why turn them away, like so many providers do. We see banks are doing a good job with this today, and we just encourage more of that.
FIELD: Jim, as always, thanks so much for your time and your insight today.
VAN DYKE: Thanks, Tom, we really appreciate it.
FIELD: We've been talking with Jim Van Dyke, President and founder of Javelin Strategy and Research. For Information Security Media Group, I'm Tom Field. Thank you very much.