The Other Victims of ID Fraud Banks --- Karen Krebsbach --- Online Security

Online Security, a global provider of computer forensics and information technology risk mitigation since 1997

Original Source: http://www.banktechnews.com/cgi-bin/readstory.pl?story=20040301BTNC557.xml

The Other Victims of ID Fraud Banks
Author: Karen Krebsbach

ID fraud is becoming more than just a nagging headache for consumers, 27.3 million of whom the Federal Trade Commission says have been victims in the last five years. Now the problem is morphing into a throbbing migraine for financial services firms charged with twin challenges of increased responsibility to protect consumers and greater pressure to defend their own bottom line.

ID theft costs U.S. lenders more than $1 billion annually, says TowerGroup analyst Christine Pratt, who notes that figure doesn’t count sums lost to fraudsters who create IDs and rip off funds through loan, mortgage and credit card applications. But Financial Insights triples that estimated figure, saying ID fraud cost financial firms more than $3.4 billion in 2002 alone—a number that will only rise if banks don’t get serious about stopping the problem in its tracks.

To help stem the flow, banks expect to invest about $600,000 in the next two years on customer-authentication systems, according to Gartner analyst Avivah Litan, whose recent survey of 60 banks indicates as many as one percent of all bank and credit account applications are fraudulent. In fact, 19.3 percent of respondents say curtailing ID theft is the main reason for installing such a system. The firm reports the average fraudulent transaction value is $6,795, while the median reported loss is $1,750 per transaction.

Observers disagree on whether financial services firms are eager to fight the problem head-on. “One attitude is, ‘Fraud happens, and that’s why we have insurance,’” says Ioana V. Carastan, a manager in Global Security Practice at Accenture. “But as insurance premiums go up and scandals go up, banks are more interested in doing something about it.”

Litan agrees “banks don’t have a sense of urgency” about ID fraud. “At the individual bank level, it’s the cost of stopping these loans versus the benefits they get from letting them go through. It’s a basic cost-benefit analysis: They can’t tighten the screws too much, or they’ll turn down a lot of good loans. You don’t want to slow the economy down; you don’t want to slow the bank down. A balance needs to be found.”

Pratt echoes that need for balance. “There’s always been a tension between reputation and operations risk for banks,” she says. “Would it harm your business to talk about it? …Banks are expected to manage risk.” With ID fraud becoming so insidious and widespread, every one of the nation’s financial firms—9,000 banks, 10,000 credit unions and 1,500 finance companies—has had to devise a defensive strategy, she says. But because ID fraud has long been perceived as random and unpredictable, few banks could “justify the IT expenditures” of anti-fraud products, Pratt says.

Lois C. Greisman, associate director of the Division of Planning and Information at the FTC, which tracks ID fraud, says the industry has been combating the problem on many fronts, though those moves haven’t always been made public. “The bank industry is quite keen on doing something serious about ID theft,” she says. “They’ve been fairly aggressive and they know that with early intervention, it’s less likely to happen. …They want to do the right thing.” She cited the September creation of the Coalition on On-line Identity Theft, founded by a group of financial services, technology and e-commerce firms and groups, as one move.

“Banks’ self-interest coincides with consumers’ interest,” says Greisman. “Where the balance of scale tips is different. Consumers have zero tolerance for fraud. Banks have a little more tolerance. …The question is how much money is spent up front.”

Banks have been most successful in stopping fraud at the transaction level, and many have have installed software programs that spot unusual or suspicious activity on cards. “Banks have made the greatest strides with transaction fraud,” says Pratt. “A whole lot of consumers found out their cards were used because they were called by their banks.”

But fraud is still escalating at the application level—where new accounts are opened—and is often undetected and misclassified as credit loss. Problems are also noted at the account-takeover level, where a fraudster cleans out a client’s bank account, says Litan. Banks need to focus more resources on stopping fraud at the application end, say analysts. “Do [banks] really go through the extra hoops to make sure I am who I say I am when I open a checking account or apply for a credit card or loan? Banks are supposed to ‘Know Your Customer,’ but they’re still trying to identify red flags, warning lights that should go off,” says Greisman.

One of those red flags is the instant credit offered at many retail stores. “If it takes an hour to check every single address in my past, I may walk away,” says Greisman. “There are costs to putting in any kind of speed bumps.” And she says she’d like to see more photos on credit cards, for example, even though the bulk of fraud isn’t in “person-to-person transactions.” She is also troubled by increased use of no-PIN-required debit cards, which act as credit cards. “I’d like to keep a close eye on these,” she says. “Someone can wipe out a person’s whole bank account.”

Banks should have a system of checks and balances to trap fraudsters, says Litan, who notes that many drug dealers are giving up street corner sales to the “cleaner and more lucrative” job of committing credit card fraud by stealing card numbers.

Litan believes financial services firms still aren’t “spending enough resources denying credit to imposters, preventing account takeovers, verifying signatures or screening employees” like they should. And there’s the worrisome problem of the inside job, which Litan estimates is responsible for nearly 50 percent of all ID fraud.

For example, Phoenix-based Valley Commerce Bank is still sorting through the details of how small-business owner Sue Parks was allegedly bilked out of $191,000 in line-of-credit advances and $75,000 in credit card charges and cash advances by a now-former employee of her company. Parks, the owner of medical billing and collections firm Parks Health Inc, says the embezzlement was discovered in 2001, after the employee had allegedly borrowed her credit cards and intercepted office mail to obtain PINs. The insider also allegedly forged Parks’ signature in faxed requests to the bank for various transactions, such as authorizations to withdraw funds from the company’s line of credit or raising the limit on company credit cards. “[The bank] could have nipped that in the bud right there, if they could have made one phone call to me,” says Parks. “They just assumed [the employee] was the contact.” Phoenix police confirmed the case is under investigation, but said no charges have been filed.

The Parks Health employee allegedly transacted much of the fraud through the bank’s Internet banking system, the Wave, notes Parks, who says bank officials told her they had purchased Falcon anti-fraud software, but “had never opened the disk.” Valley Commerce Bank president and CEO Robert A. Homco declined comment, saying the case was in litigation. Details of the legal filings could not be determined.

A spokesman for the state’s banking commission, which regulates state-chartered banks, says no written complaint has been filed against Valley Commerce since 2001, and that it has been “very well-rated” in past reviews, which are done regularly by various agencies.

Financial firms stumble often, says Litan, who points to banks that mail “convenience checks” to potential clients, with envelopes stamped: “Highly sensitive. Only to be opened by owner.” She laughs, “Why don’t they just write ‘Steal me!’ on the outside? There’s a lot of mail interception.”

But banks are becoming more determined to thwart ID fraud because of new sections of the Fair and Accurate Credit Transactions Act of 2003, known as FACT, which focus on preventing ID theft. They require lenders to create policies that dictate how debit and credit card numbers will be handled after transactions, as well as underscore credit granters’ responsibility to verify an applicant’s true identity. Section 114, for example, requires financial services firms to look for “patterns, practices and activities.” Pratt says Section 605 is a key one, since it requires lenders to have procedures in place to handle truncation of debit and credit card numbers in print media after an electronic transaction. “Common sense is not overkill,” says Pratt in a research report on the issue. “Unfortunately, due to industry inertia, they are necessary.”

The FTC is soliciting comments from banks on its fraud-prevention guidelines, expected to be released later this year. Those guidelines suggest “common sense recommendations,” says Greisman, like checking for address discrepancies. “I hope we’ll see more banks step up to the plate and commit more resources to curbing ID fraud,” she says. Litan notes that financial services firms without “sufficient incentive” to fight ID fraud before will have it now. “Once the guidelines are out, banks will be audited to make sure they are complying,” she says. “So banks are going to have to spend some resources to get regulators off their back.”