ID Theft Overstated? Some Think So
O'Sullivan, Orla, ABA Banking Journal
It has been dubbed "the fastest-growing crime in America," but what is it?
Achieving a consensus definition of identity theft, a term that by now is familiar to the general public, is one of the aims of an industry roundtable jointly organised by the Federal Reserve Board and Gartner, Inc. when it meets this month.
The shocking statement that almost ten million Americans a year are victims of identity theft, made by the Federal Trade Commission report last September, has provided fresh impetus to the industry's desire to get a better handle on the problem.
Some, including ABA's Senior Federal Counsel Nessa Feddis, say that identity theft is being exaggerated because all kinds of fraud are being redefined as such. "People call identity theft what they would before have called a stolen check," says Feddis.
Judging by sources consulted for this article, the FTC went out on a limb in "exposing" the problem. Avivah Litan, a research director at Gartner, criticises the FTC's methodology, notably its inclusion of all unauthorised credit card use, saying, "Nobody ever did it that way before."
Keith Anderson, an economist in the FTC's Bureau of Economics, defends the FTC's approach by noting, "The misuse of an existing credit card account is considered to be identity theft under the Identity Theft and Assumption Deterrence Act of 1998 (Public Law No. 105-318, 112 Stat. 3007--the 'ID Theft Act')." The Act potentially considers "any name or number" as "means of identification."
Michael Gray, who lectures on identity theft at San Jose State University, adds that "a lot of states treat stolen credit cards as identity theft."
The FTC's Anderson also says that victims may perceive their identities as having been stolen in cases where others in the financial industry would not.
However, non-FTC sources shared the baseline definition of Dennis Behrman, an analyst with Financial Insights, an IDC subsidiary. He says, "Identity theft requires sensitive, personal information," such as someone's Social Security number, in effect a unique, lifelong identifier; "it can't just be a credit card number being hacked."
"The FTC numbers are not feasible," he adds. "It's outrageous to suggest there are ten million victims a year--that's 15% to 20% of the banked population."
More than 6.5 million of the 9.9 million victims identified by the FTC had their credit card accounts misused, possibly in addition to other more serious forms of identity theft. Consumers were surveyed between spring of 2002 and spring of 2003 and their responses projected into an annual number for the FTC report released last September.
The term "identity theft" may set consumers thinking of The Invasion of the Body Snatchers, but financial industry sources increasingly distinguish "account takeover/identity theft" from the far more common phenomenon of "identity fraud," where elements of a real person's identity--typically their Social Security number--are blended with made-up elements, such as a false name, to open new accounts.
There, notes Behrman, "The victim is the institution." The individual's credit history is not tarnished, so they will never know. Meanwhile, when the short-lived account is depleted, "The bank will register it as a credit loss, not a fraud loss."
Behrman disagrees with the contention that the growth in ID theft is not with new accounts, but with unauthorized credit card transactions. Behrman says fraudulent new accounts represent a growing trend that is "very scary."
Financial institutions lost $4.3 billion on identity theft last year, a figure that will likely double to $8.6 billion by 2006, Behrman estimates. He drew these conclusions by analysing data from ten members of the ID Analytics consortium last summer (see story on pg. 8).
Behrman sees bigger banks as most vulnerable since they have the most outstandings. Indeed, six out of ten superregionals told the ABA Deposit Account Fraud Survey that identity fraud would be the number one threat to the industry in the next year.
RELATED ARTICLE: New ID theft technology shows promise.
"Most solutions today compare data on an application with data on a commercially available database. That doesn't work anymore." So says Steven Gal, vice-president and co-founder of ID Analytics, San Diego.
He claims to provide the most effective deterrent to identity theft yet, by searching for suspicious patterns within data rather than checking the data itself, and it's a claim supported by a number of industry analysts.
Much identity theft is believed to stem from people with legitimate access to credit reports (see above story), so verifying the kind of information found on the report isn't much of a security check. "ID Analytics are the only ones out there that get around that problem," says Avivah Litan, a research director at Gartner, Inc.
Moreover, ID Analytics claims that the patterns indicative of identity theft can only be seen when one looks across industries, as it did in creating "the only database of its kind in the world," says Gal.
Thirteen companies from the financial, online retail and cell phone industries contributed information on 200 million applications. (All plan to be using the ensuing fraud-scoring system by February.) From this data, ID Analytics identified 70 factors in ID theft. "Virtually all are consortium variables, you can't see them if you only look at one company or line of business," explains Gal.
To overcome scenarios where thieves are operating off information gleaned from stolen wallets, a number of other companies, including Equifax and LexisNexis, offer so-called "out-of-wallet" data. "But, all that information is available in public databases," Litan says.
There are also negative databases of verified fraud, held by companies such as Experian, but, notes Gal, it's "honest people," not to be found in such databases, whose identities thieves may steal.
Some companies, such as Primary Payment Systems Inc., do check inconsistencies in applications, such as a driver's license issued before a Social Security number. These are flagged after the fact, not scored live. Risk-scoring, Gartner predicts, will become "the standard" approach to identity-theft related fraud by 2006.
ID Analytics' technology is designed to "learn," updating its knowledge daily from thousands of new applications fed to it. An interesting proposed use is to ensure that someone phoning a business for information is who they say they are, not an ID thief fishing for more information.
Most thieves don't attempt to "become" the victim (account takeover), rather they apply for credit using some real details about someone and some made-up ones. Data inconsistencies, such as a real Social Security number and a name that doesn't match, are often overlooked, notes Dennis Behrman, an analyst with Financial Insights, an IDC subsidiary. Chances are a new person's "thin" credit file will be created rather than an applicant rejected, he says.
Lauding ID Analytics for taking "a dramatically new approach to detecting identity fraud," Behrman says, "pattern recognition is the name of the game."
ID Analytics was formed in March 2002 by defecting top management from HNC Inc., provider of the dominant credit-card fraud detection system, Falcon, which was being acquired by Fair Isaac & Co.
ID Analytics' new model, for which a patent is pending, does not use HNC technology, says Steven Gal. The 2,500 to 3,000 patterns of ID fraud ID Analytics detected represent, says Gal, "a secret sauce." Used by creditors, it could catch 40% more fraud than is caught today, potentially 80% more, he said.
Behrman gave some idea of the recipe: "the same Social [Security number] is used by three different applicants, two of whom share a cell phone number that's linked to another Social on another application. You only see that by looking across industries."
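The cross-industry pattern Behrman describes can be sketched as a small link analysis. This is an added example, not ID Analytics' model or code from the article; the company names, applicants, Social Security numbers and phone numbers are constructed, and the threshold of three applicants is an assumption taken from the quote.

```python
from collections import defaultdict

# Constructed consortium records: (company, applicant, SSN, phone). All fictional.
APPLICATIONS = [
    ("bank_a",   "Ann Reed",  "900-00-0001", "555-0101"),
    ("retail_b", "Bob Stone", "900-00-0001", "555-0142"),
    ("telco_c",  "Cal Young", "900-00-0001", "555-0142"),
    ("bank_a",   "Dee Marsh", "900-00-0002", "555-0142"),
    ("retail_b", "Eve Lake",  "900-00-0003", "555-0177"),
]

def linked_ssn_alerts(apps, min_applicants=3):
    """Flag an SSN used by >= min_applicants names where two of them share
    a phone number that also appears with a different SSN."""
    names_by_ssn = defaultdict(set)
    ssns_by_phone = defaultdict(set)
    names_by_ssn_phone = defaultdict(set)
    for _company, name, ssn, phone in apps:
        names_by_ssn[ssn].add(name)
        ssns_by_phone[phone].add(ssn)
        names_by_ssn_phone[(ssn, phone)].add(name)

    alerts = []
    for (ssn, phone), sharers in sorted(names_by_ssn_phone.items()):
        if len(names_by_ssn[ssn]) < min_applicants or len(sharers) < 2:
            continue
        other_ssns = ssns_by_phone[phone] - {ssn}
        if other_ssns:
            alerts.append({
                "ssn": ssn,
                "applicants": sorted(names_by_ssn[ssn]),
                "shared_phone": phone,
                "sharing": sorted(sharers),
                "linked_ssns": sorted(other_ssns),
            })
    return alerts

def per_company_alerts(apps):
    """Run the same check on each company's records in isolation."""
    by_company = defaultdict(list)
    for record in apps:
        by_company[record[0]].append(record)
    return {c: linked_ssn_alerts(recs) for c, recs in sorted(by_company.items())}

if __name__ == "__main__":
    print("consortium view:", linked_ssn_alerts(APPLICATIONS))
    print("single-company views:", per_company_alerts(APPLICATIONS))
```

On the pooled records the check raises one alert, while each company's own records raise none.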
By Orla O'Sullivan, free-lance writer…
Publication information: Article title: ID Theft Overstated? Some Think So. Contributors: O'Sullivan, Orla - Author. Journal title: ABA Banking Journal. Volume: 96. Issue: 2 Publication date: February 2004. Page number: 8+. © 2009 Simmons-Boardman Publishing Corporation. COPYRIGHT 2004 Gale Group.