Judging by media reports, almost everyone in the civilized world has lost their identity to cyber-criminals. But while there has been an unending torrent of news about data breaches and related identity thefts, the damage has been much less drastic than that, says a study from Javelin Strategy & Research.
“The impression in the general public is that identity fraud is spiraling out of control, but what we came away with is the contrary; the growth [in the phenomenon] has been contained,” says Rubina Johannes, the Javelin research analyst who wrote the report.
In fact, according to Javelin’s research, the annual amount of what it calls identity fraud has held steady at $57 billion in 2005, the last year covered by the study. This is because while identity fraud has been falling for two years—8.9 million Americans were victims in 2005, down 12 percent from 2003—the damage has been rising: The mean fraud amount per victim rose from $5,200 to $6,400 over the same period. And since financial institutions typically indemnify the victims in the case of credit card fraud, for instance, losses to consumers fell 24 percent in the period, to $420.
Relatively few cases of identity fraud—9 percent—occur because someone hacked into a consumer ‘s computer, and only 6 percent because someone hacked into a corporate data base. Most identity thefts—30 percent—occur because the victim loses a wallet or checkbook, says Javelin. And another 15 percent are committed by people known to the victim.
This may seem a long way from the popular perception of financial institutions haplessly letting cyber-criminals run wild through the private records of helpless consumers, and, in fact, it is. Johannes points out that in an Internet-based crime, the “average consumer cost is $200, while the cost to the consumer from an off-line crime, if the thief is a friend or neighbor, is $1,200.”
The biggest category of these crimes, in fact, isn’t someone siphoning funds out of somebody’s existing account; the rate of fraud in existing accounts is actually dropping. This is mainly because, says Johannes, people are more aware of the danger and how to monitor their accounts for problems, so that they detect them faster, and any damages are limited. And institutions are more vigilant than before.
New accounts is where the growth is: Thirty-five percent of the new accounts fraud cases Javelin surveyed took place among store-branded credit cards, and thirty-eight percent of all fraud cases involved new accounts. This sort of identity fraud is especially insidious, because it takes so long for it to surface. Stealing someone’s identity through the Internet, opening some new credit card accounts, and running through the credit limit can take a day, but the damage doesn’t surface until the victim applies for a new card, or a loan. And in the worst cases, that damage can be filtering into the victim’s credit report for a long time, because so much of this sort of identity fraud is international.
In the most recent large data breach—it surfaced last week—as many as 200,000 customer accounts at an unnamed office-supplies retailer were compromised, leading to substantial debit-card fraud. Charges related to the theft have been reported in Britain, France, Spain, Russia, China. Affected banks include Bank of America, Washington Mutual, and Wells Fargo & Co., all of which have been mailing replacement cards to customers.
Still, in the end, the damage to consumers, as opposed to business, is slight, if exasperating. The real problem is the damage done to public confidence in online commerce. Looked at this way, says Johannes, it might be smart for the financial industry to work together to monitor new account activity as widely as possible, so that if a 43 year-old mother of three from Santa Monica suddenly opens three new credit card accounts in Kiev and starts buying wide-screen plasma TVs, it doesn’t escape notice.
“The new account-verification process has to be ramped up,” says Johannes. “Credit reports reflect new accounts, so banks or credit card companies could provide easier access to credit reports or alerts, —perhaps at a discounted price so it’s more affordable to consumers.”
But business could do a better job in the first place, she adds. “A store issuing a branded credit card could do a greater amount of verification of the information provided on the new account before they actually activate the card; a lot of that information is available online.”
The problem, she says, is that businesses don’t always do this, even in the U.S., much less in Ukraine. “Sharing your new account information is kind of like sharing your customer base,” she says, noting that in many cases a retailer would rather run the risk of fraud than lose a customer. And that problem is magnified by businesses afraid that if they don’t open the account, their rival will.
On the other hand, if an industry as a whole adopted more stringent credit standards, this sort of identity fraud would be minimized. Doing so would strengthen the overall industry, because they would be increasing customer confidence by heading off the problem.
The smartest move, thinks Johannes: Involve the customer in the first place. “Consumers want to be more in charge of their own assets,” she says. “Consumers consider themselves the primary person responsible for their financial health. If the institution gave the consumer more tools to manage [their own accounts]—so they can fight identity crime together—it will benefit the institution.” (Contact: Javelin Strategy & Research, Rubina Johannes, 925-225-9100)