Professional Documents
Culture Documents
February2013
HowConsumerscanProtectAgainstIdentityFraudstersin2013
FORWARD
JavelinStrategyandResearchsHowConsumerscanProtectAgainst IdentityFraudstersin2013providesrecommendationstohelpconsumers prevent,detect,andresolveidentityfraud.Thisreportprovideseasyto followguidelinesforconsumerstoprotectthemselvesagainstthis$21 billioncrimeofidentityfraud.JavelinStrategy&Researchsgoalistoequip consumerswithprovenmethodstoprevent,detect,andresolveidentity fraud. Adeeperanalysisofeconomicindicatorsandidentityfraudtrendsis availableforpurchaseinthefullversionofthe2013IdentityFraudReport, alongwithadetailedbreakdownofhowdifferenteconomicfactors, paymentpurchasingtrends,andsecuritydynamicscorrelatewithchanges inidentityfraud.
Nowinitstenthconsecutiveyear,thecomprehensiveanalysisofidentityfraudtrendsis independentlyproducedbyJavelinStrategy&Research,adivisionofGreenwich Associates.Javelinmaintainscompleteindependenceinitsdatacollection,findings,and analysis;thereportisaproductofJavelinonly. Thisresearchstudyismadepossiblebyoursponsors,IntersectionsandCitigroup.These companiesarededicatedtoconsumerfraudpreventionandeducation.
2013 Identity Fraud Report: Data Breaches Becoming a Treasure Trove for Fraudsters Learn More: https:// www.javelinstrategy. com/brochure/276 The full report consists of:
82 56
tables.
An overview of
cross tabulations
Longitudinal U.S.
HowConsumerscanProtectAgainstIdentityFraudstersin2013
TABLEOFCONTENTS
OVERVIEW................................................................................................................................................................4 IdentityFraudvs.IdentityTheft................................................................................................................ 6 HowCriminalsObtainInformation.......................................................................................................... 10 RECOMMENDATIONSFORCONSUMERS............................................................................................................... 11 CONSUMERPROTECTIONCHECKLIST.................................................................................................................... 12 PREVENTION..........................................................................................................................................................13 HowCanIPreventIdentityFraud?.......................................................................................................... 13 DataBreachNotificationLetters............................................................................................................. 18 WhatShouldIDoIfIReceiveaBreachNotificationLetter?.....................................................18 DETECTION.............................................................................................................................................................20 HowCanIDetectIdentityFraud?............................................................................................................ 20 RESOLUTION..........................................................................................................................................................24 WhatShouldIDoIfIBecomeaVictimofIdentityFraud?......................................................................24 IdentityFraudProtectionSolutions......................................................................................................... 25 ABOUTJAVELIN......................................................................................................................................................27 METHODOLOGY.....................................................................................................................................................27 ADDITIONALRESOURCES.......................................................................................................................................27 GLOSSARYOFTERMS.............................................................................................................................................29
TABLEOFFIGURES
Figure1:OverallIdentityFraudIncidenceRateandTotalFraudAmountbyYear..................................................4 Figure2:FraudIncidencebyDataBreachVictims,NonDataBreachVictims,andAllFraudVictims....................7 Figure3:FraudIncidencebyOwnershipofTechnologyProducts........................................................................... 9 Figure4:HowTheftofPersonalInformationHappens......................................................................................... 10 Figure5:JavelinsPrevention,Detection,andResolutionIdentityFraudModel..................................................11 Figure6:DataBreachesAreatanAllTimeHigh................................................................................................... 18 Figure7:HowtoContacttheThreeCreditBureaus.............................................................................................. 20 Figure8:MethodsofDetection,2012................................................................................................................... 21 Figure9:IdentityFraudProtectionServices.......................................................................................................... 26
HowConsumerscanProtectAgainstIdentityFraudstersin2013
OVERVIEW
Forthesecondconsecutiveyear,thenumberofidentityfraudvictimsin theU.S.increased,risingby1millionconsumersin2012toatotalof12.6 millionconsumers.Thismeansthat5.26%ofU.S.adults,ormorethan1in every20consumers,learnedthattheywerevictimsofidentityfraudin 2012. IdentityFraudIsontheRise
Figure1:OverallIdentityFraudIncidenceRateandTotalFraudAmountbyYear
16.0 14.0 12.5 12.0 10.0 8.0 6.0 4.0 $10 2.0 0.0 2005 2006 2007 2008 2009 2010 2011 2012 Millionsofvictims Totaloneyearfraudamount
October 2012, n= varies:4,784 5,249 Base:All Consumers 2013JavelinStrategy& Research
New Account Fraud: the use of a fraud victim's personal information to open fraudulent new accounts in the victims name.
$50 13.9 12.6 11.6 10.6 10.2 $31.4 $28.7 $24.7 $19.9 $18.0 $20.9 $20 $15 $28.9 10.2 $35 $30 $25 $45 $40
11.2
$5 $0
BillionsU.S.
$32.0
Account Takeover Fraud: the method of identity fraud in which a fraud operator attempts to gain access to a consumers account by fraudulently adding his or her information to the account.
Millionsofvictims
HowConsumerscanProtectAgainstIdentityFraudstersin2013
lowerproportionoffraudvictims,butthesetwotypesoffraud consistentlyproducethehighestaveragefraudamountsandconsumer costs.Sowhiletherearefewervictimsofthesetwotypesoffraud,they feelthestingthemost. Averageconsumercostsroseslightlyto$365in2012,upfrom$354in 2011.Consumercostsareanyoutofpocketexpensessufferedbythe fraudvictim,includingunreimbursedmonetarylosses,andlostwagesasa resultoftimespenttoresolvethefraudaswellasanyrelatedlegalcosts andcreditmonitoringcosts.However,ofthe12.6millionvictimsin2012, 80%didnotsufferanyconsumercosts(medianoutofpocketcoststo consumersof$0)atall.Thesecostswereinsteadabsorbedbybanksand creditcardcompaniesthroughtheirzeroliabilitypoliciesandcoverage, whichshieldconsumersfrommostofthecostsassociatedwithfraud. Consumersalsospentrelativelylittletimeresolvingtheirfraudcases.The averageresolutiontimeremainsunchangedat12hours,butmorethan halfofallvictimsspentthreehoursorlessresolvingfraudincidentswith theirproviders.Theexpansionofzeroliabilitypolicies,security protections,anddedicatedfraudandclaimsteamsatfinancialinstitutions (FIs)andcardissuershaveexpeditedtheresolutionprocessincasesof fraudandhavehelpedlowerconsumerscostsoverthelastdecade.
Zero-Liability Policies: Zeroliability policies are fraud protection programs that banks or credit card providers offer to protect consumers from losses associated with fraud on their payment cards (credit, debit, or prepaid) or other financial accounts.
HowConsumerscanProtectAgainstIdentityFraudstersin2013
IDENTITYFRAUDVS.IDENTITYTHEFT
Mostindividualsarefamiliarwiththetermidentitytheft,whichiswidelyusedbymedia, government,andconsumergroups,aswellasnonprofitorganizations.However,itis importanttodistinguishbetweenidentitytheftandidentityfraudbecausethetermshave differentmeanings,althoughJavelinusesidentityfraudmorecommonlythroughoutthe identityfraudsurveyandcorrespondingreports. Identitytheftoccursaftertheexposureofpersonalinformation;typicallysomeones personalinformationistakenbyanotherindividualwithoutexplicitpermission.Identity fraudistheactualmisuseofinformationforfinancialgain;itoccurswhencriminalsuse illegallyobtainedpersonalinformationtomakepurchasesorwithdrawals,createfalse accountsormodifyexistingones,orattempttoobtainservicessuchasemploymentor healthcare.Personallyidentifiableinformation(PII)suchasaSocialSecuritynumber(SSN),a bankorcreditcardaccountnumber,apassword,atelephonecallingcardnumber,a birthdate(month/date/year),aname,oranaddresscanbeusedbycriminalstoprofitata victimsexpense. Byaccessingandusingrelativelybasicinformation,acriminalcantakeoverexistingfinancial accounts(existingcardfraudorexistingnoncardfraud)oruseavictimspersonal informationtocreatenewaccounts(newaccountfraud).Acriminalcancommitidentity fraudnumerousways,including:makinganunauthorizedwithdrawaloffundsfroman account,makingfraudulentpurchaseswithacreditcard,andcreatingnewaccounts(e.g., banking,telephone,utilities,andloans).Allofthemcanhaveadamagingeffectonan individualscredit.Infact,thefirstnotificationthatfraudhasbeencommittedmightbethe appearanceofanunfamiliaraccountonacreditreportoracontactfromadebtcollector.
HowConsumerscanProtectAgainstIdentityFraudstersin2013
ConsumerInformationExposedinDataBreachesLeadstoFraud
Consumersshouldpayparticularlycloseattentiontoanynotificationsor letterstheyreceivefromtheirFIs,creditcardproviders,healthcare providersormerchantsregardingabreachinpersonallyidentifiable information.Almost1in4consumerswhoreceivedadatabreach notificationin2012becameafraudvictim.Ofparticularconcernisthat consumerswhowerenotifiedthattheirSocialSecuritynumberswere compromisedinoneofthesedatabreachincidentswere5timesmore likelytobeavictimofidentityfraudthanallotherconsumersand14times morelikelytobecomeavictimofnewaccountfraud.Asdiscussed previously,newaccountfraudvictimssufferaboveaveragefraudlosses andconsumercosts. FraudRateAmongDataBreachVictimsOutpacesFraudRatesAmongAll Consumers
Figure2:FraudIncidencebyDataBreachVictims,NonDataBreachVictims, andAllFraudVictims
15% 11.8% Allconsumers 10% Nondatabreach victims 5% 4.4% 1.4% 0% 2010 2011 2012
October2010 2012, n= varies337 5,249 Base:Allconsumers,data breach victims,non databreach victims. 2013 JavelinStrategy&Research
4.9% 2.4%
5.3% 2.9%
Databreach victims
HowConsumerscanProtectAgainstIdentityFraudstersin2013
OnlineRetailShoppingIsBecomingMoreLucrativetoFraudsters
Asonlineshoppingexpands,sotoodoesthemisuseofconsumer informationtocommitonlineretailfraud.Onlineretailfraudoccurswhen aperpetratorusesonlinepaymentcredentials,suchasacreditordebit cardaccountnumber,tomakefraudulentpurchasesonline(knowninthe industryascardnotpresent(CNP)purchases).Onlineretailfraud increasedfrom41%ofallfraudvictimsin2011to45%in2012.Payment cards,suchascreditcardsanddebitcards,represent95%ofthemisused informationinthesecases.OnlineretailfraudthroughCNPtransactionsis theleastexpensivefraudtypeforconsumersin2012,withanaverage consumercostof$326.However,itisalsohighlypervasiveintheU.S., affecting7.5millionAmericans,whothenspendanaverageof11hours resolvingthesecases.Consumersshouldtakethetimetoreviewtheir statementseachmonthforfraudulentchargesandcontacttheirFIsand cardprovidersforusefulonlineauthenticationandsecurityoptions.
MalwareAttacksMobileConsumersandPutsThematConstant RiskofFraud
The105millionsmartphoneusersand42milliontabletusersintheU.S. areconstanttargetsforfraudsters,whousemalware,exploitsoftware vulnerabilities,launchphishingandsmishingattacks,andcompromise unsecuredWiFiconnectionstoobtainusersvaluablepersonal information.Tabletusersaremorelikelytobevictimsoffraudthanall consumers(9.6%comparedwith5.3%),whichcanbeattributedbothto tabletusersbeingyoungerandlessriskaversethanolderconsumersand theinherentsecurityvulnerabilitiesthataretypicalofnewtechnologies.
HowConsumerscanProtectAgainstIdentityFraudstersin2013
TabletOwnersAre80%MoreLikelyThanAllOtherConsumersto BecomeFraudVictims
Figure3:FraudIncidencebyOwnershipofTechnologyProducts
Fraudincidencerate
9.6%
5.3%
5.6%
6.0%
6.3%
6.5%
Allconsumers
Mobilephone owners
Laptopowners
Desktop computerowners
Smartphone owners
Tabletowners
Q39A: Please indicate which of the following products you personally own and use. Q5: How long ago did you discover that your personal or financial information had been misused?
HowConsumerscanProtectAgainstIdentityFraudstersin2013
10
HowCriminalsObtainInformation
Manyidentitytheftsoccurthroughtraditionalmethodssuchasstolen walletsandfamiliarfrauds,inwhichapersonknowntothevictimhas accesstothevictimsstatementsorotherlegaldocuments.Identitytheft occurrencesareoftentheresultofsimplelostorstoleninformationand notnecessarilythroughhackingorelaborateInternetschemes,although onlineandmobilethreatsremainviablesourcesofinformation.Figure4 showssomeofthemanywaysthatidentitytheftcanoccur. IdentityTheftOccursThroughVariousMethods
Figure4:HowTheftofPersonalInformationHappens
Throughdumpsterdivingbycrooks Throughshouldersurfing,inwhich lookingforunshreddedpaperworkthat someoneobtainspersonalinformation containspersonalorfinancial bylookingoveryourshoulder information Throughtheftofyourmailfromyour mailboxordiversionofyourmailbya fraudsterwhochangestheaddressto obtainyouraccountstatements THROUGHABUSINESSYOUUSE: Throughasecuritydatabreach, wherebyabusinessororganizationthat accessesyourpersonalinformation (hospital,school,departmentstore, financialcompany,etc.)hasbeen compromised Throughhackingincidences,suchas Trojanhorses,keyloggersoftware, virusesormalware/spywareona computer Bycardskimming,whensomeone illegallyrecordsanimprintofyour creditordebitcardinformationforlater use BYTRICKERYORPRETENSE: Throughphishingorvishing,inwhich someonepretendstobeabankor trustedcompanyandtricksyouinto providingconfidentialpersonal informationviaemails,callsorSMS/ textmessages Throughsocialnetworkingsiteswhere personalinformationcanbefoundand communicationwithfraudulent individualscanoccur
Throughtheseandothernewandinnovativewaysthatcriminalsareconstantly
2013JavelinStrategy&Research
HowConsumerscanProtectAgainstIdentityFraudstersin2013
11
RECOMMENDATIONSFORCONSUMERS
Consumersshouldmonitoraccountsfrequentlyand,ifyouhavenot alreadydoneso,usefinancialalertsforyourbankandfinancialaccounts. Becauseidentitytheftcanoccurbynumerousmethods,youcanprotect yourselfbyadoptingavarietyofbestpracticesandeffectivebehaviors. Javelinrecommendsacomprehensive,threepartapproachtocombat identityfraudeffectively:prevention,detection,andresolution.Thenext sectionprovidesdataoncurrenttrends,stepstopreventfraud,actionsto detectfraudifitoccurs,andwaystoresolvefraudifyoubecomeavictim.
Figure5:JavelinsPrevention,Detection,andResolutionIdentityFraudModel
2013JavelinStrategy&Research
HowConsumerscanProtectAgainstIdentityFraudstersin2013
12
CONSUMERPROTECTIONCHECKLIST
BelowisJavelinsconsumerprotectionchecklist.Thechecklisthighlightstheninemostimportantways toprevent,detect,andresolvefraudinyourfinancialaccounts.Takesometimeandreviewthelist belowtoseehowpreparedyouare.Themoreitemsyoucancheckoffthelist,thegreatersecurityyou haveagainstidentityfraud.Remember,themostefficientwaytocombatfraudisforfinancial institutionsandconsumerstoworktogethertostopcriminals.Togetevenmorecustomized recommendations,visitJavelinsIDSafety.netwebsite,whereweofferan18questionquizthatwill providepersonalizedrecommendationsforyourdailyactivities.
HowConsumerscanProtectAgainstIdentityFraudstersin2013
13
PREVENTION
Consumerscanbestpreventidentityfraudbycarefullyprotectingand limitingtheexposureofsensitiveinformation,suchasPINs,bankingand accountnumbers,andSocialSecuritynumbers.Youalsoshouldbeaware ofcommonfraudstertechniques,suchasphishing,vishing,smishing,and otherscams.
HowCanIPreventIdentityFraud?
MobileDeviceSecurity.Mobiledevicesaretreasuretrovesof informationforfraudsters.Thealwaysonfunctionalityof mobiledevicesprovidesfraudsterswithnewavenuesfor stealinginformation.Werecommendthefollowingstepstoprevent identityfraud: Installmobilesoftwareonlyfromtrustedsourcesandofficialapp stores.
Mostsmartphoneusersshouldalsoinstallanantivirus/ antimalwareprogramtomitigateinstancesofmobilemalware.
HowConsumerscanProtectAgainstIdentityFraudstersin2013
14
Makesurealloperatingsystemsarethelatestversions.
Installorenableapasscodelockonyoursmartphone.
1. Social networking sites can provide fraudsters with personal information to access accounts. 2. Use caution when sharing such details on your profile.
Usecautionwhenusingappsonsocialnetworkingsites.
HowConsumerscanProtectAgainstIdentityFraudstersin2013
15
7.4 % consumers who accessed public wi-fi hotspots in the past 12 months became a fraud victim. This is much higher than those that did not (4.6%)
Useandrecognizesecurewebsites.
Donotprovidecardorpersonalinformationatunsecured sites.
EnsurethatyourInternetconnectionathomeandworkis secureorprotectedbyafirewall.
HowConsumerscanProtectAgainstIdentityFraudstersin2013
16
TurnoffBluetoothandWiFiwhentheyarenotbeingused.
Do not use: Dictionary words, the name of the website, or the word password. Dont just capitalize the first character; instead, capitalize a random letter. Integrate numbers into your password.
Watchoutforemailandattachmentsfromconvincingimitations ofbanks,cardcompanies,charities,andgovernmentagencies.
Instead,useyourbankscontactinfolistedontheirwebsite, onstatements,orthebackofcreditcards.Callthemdirectly.
Followsafepasswordpractices.
Donotuseeasilyguessedpasswords,suchasyourbirthdate, thenameofacloserelative,oryourpetsname.
Wipecleanelectronicdevices,suchassmartphones,tabletsand computers,beforedisposingof,turningin,orsellingthem.
HowConsumerscanProtectAgainstIdentityFraudstersin2013
17
Athomeorwork,secureyourpersonalandfinancialrecordsina lockedstoragedeviceorapasswordprotectedfile.
Javelin Data Snack: In 2012, 12% of all identity fraud crimes were committed by someone known to the victim.
Shredpaperdocumentsthatcontainsensitiveinformation beforedisposingofthem.
WhenyourSocialSecuritynumberisrequestedasanidentifier, askifyoucanprovidealternateinformation.
Javelin Data Snack: In 2012, 28% of fraud victims reported having their SSN stolen.
Requestelectronicstatementsanduseonlinebillpaywhenever possible.
Enrollindirectdeposit,anddontputchecksinanunlocked mailbox.
Switchfrompaperstatementstoonlinefinancialaccount management.
Optoutofpreapprovedcreditoffers.
HowConsumerscanProtectAgainstIdentityFraudstersin2013
18
DATABREACHNOTIFICATIONLETTERS
Organizationstypicallysenddatabreachletterstonotifycustomersaboutthepossibleleak ofpersonallyidentifiableinformation,suchasSocialSecuritynumbers,driverslicense numbers,creditcardnumbers,etc.Theletterwouldalsospecifywhatinformationwas stolenorleakedandthestepsrequiredtoensurefurtherprotectionofcustomersaccounts. In2012,12%ofU.S.adultsreceivedsuchletters.
WhatShouldIDoIfIReceiveaBreachNotificationLetter?
Currently,46states(plustheDistrictofColumbia,Guam,PuertoRico,andtheU.S.Virgin Islands)requirecompaniestonotifyyouifabreachofsecurityoccursattheirplaceof businessandyourpersonalinformationhasbeenplacedatrisk.Receivingthisnotification doesnotnecessarilymeanthatyouwillsufferafraud.However,Javelindatashowsthat consumerswhoreceivedbreachnotificationsin2012hadasubstantiallyhigherriskof identityfraud,almost5timeshigher,thanthosewhodidntreceivethesenotifications.
TakeActiontoProtectYourselfIfYouReceiveaSecurityBreachNotification
Figure6:RecordNumberofDataBreachRecipientsBecameIDFraudVictimsin2012
2013JavelinStrategy&Research
HowConsumerscanProtectAgainstIdentityFraudstersin2013
19
Consumerswhoreceivesecuritybreachnotificationsthereforeneedtotakeactionto protectthemselves.Ifyoureceiveadatabreachletter,takethefollowingsteps: 1. Verifythattheletterislegitimate. 2. Youarestronglyencouragedtotakeadvantageofanyfreeservicesthenotification letteroffers,suchascreditmonitoring. 3. Youshouldalsocallthetollfreenumbersorvisitthewebsiteslistedintheletterto learnmoreaboutthebreach,determineyourlevelofrisk,andidentifytheactions youneedtotaketoprotectyourselffrommoredamage. 4. Differentbreacheshavedifferentlevelsofriskthatrequirespecificactionby consumerstopreventfurtherharm.Theactioncouldbeassimpleaschanging passwordstoemailaccountsthatarelinkedtotheFItocancelingthecreditordebit cardaffectedtochangingsecurityquestionsandanswerstoaffectedaccounts.Or theactioncouldbefarreaching,suchasthefollowing: Monitoringyourfinancialaccounts. Closingaffectedaccounts. Placingafraudalertonyourcreditreportwiththethreeprimarycreditbureaus: Equifax,Experian,andTransUnion(refertoFigure7forcontactdetails).Fraud alertsnotifycreditorsthatapotentialfraudhasoccurredandthattheyshould verifytheapplicantsidentitybeforeextendingcredit.Aninitialalertstaysactive for90days,andanextendedalertforidentityfraudvictimslastssevenyears.A fraudalertwilltriggeracreditreport,whichtheconsumerneedstoreviewfor anysignsoffraud. Placingacreditfreezeonyouraccountwiththethreeprimarycreditbureaus.A creditfreezeisstrongerthanafraudalertbecauseitlocksyourcreditreport downtopreventnewcreditfrombeingextended.
HowConsumerscanProtectAgainstIdentityFraudstersin2013
20
DETECTION
CreditBureauInformation
Figure7:HowtoContacttheThreeCreditBureaus
Mailing address
Note:Toorderafreeannualcreditreportfromanyorallagencies,contact www.annualcreditreport.comorcalltollfreeat8773228228.
2013JavelinStrategy&Research
HowCanIDetectIdentityFraud?
Javelinresearchhasconsistentlyshownthatconsumerscanbevery successfulatdetectingidentityfraudrelatingtotheiraccounts.Themost efficientwaytocombatfraudisforconsumersandinstitutions(banks, governmentagenciessuchastheFederalTradeCommission,andother
HowConsumerscanProtectAgainstIdentityFraudstersin2013
21
SelfDetectionvs.ExternalFraudDetection
FinancialaccountprotectionisasharedresponsibilitybetweenFIsand customers.In2012,frauddetectionwasalmostequallysplitbetween fraudvictimsandexternalsources(e.g.,FIsandlawenforcement).While 50%ofvictimswereabletoselfdetectfraudbyregularlymonitoringtheir accounts,creditreports,orenrollinginidentityprotectionservices,33%of consumersreliedontheirbanksorcreditcardproviders.Thelattergroup realizedtheyhadbeendefraudedonlywhentheywerenotifiedbythese externalsources. ConsumersAreEquallyRelyingonSelfDetectiontoDiscoverFraudon TheirAccounts
Figure8:MethodsofDetection,2012
SelfDetection
50%
Bymonitoring accounts through the Internet,ATM, orother electronic means Monitored account through paper statements Balance shrank/credit overdrawn Reviewedcreditreport Usinga creditmonitoring or identity protection service
Other 17%
HowConsumerscanProtectAgainstIdentityFraudstersin2013
22
Itisimportanttonotethatselfdetectionisstillthemosteffectivewayto detectfraud.CertaintypesoffraudaremoredifficultforFIstodetectand canleadtolongerdetectiontimesandhigherconsumercostsforvictims. Forexample,incasesoffamiliarfraud(instancesoffraudwherethevictim personallyknowstheperpetrator)only10%ofvictimsreportedbeing informedbybanksorcreditcardcompaniesthatfraudulentactivitieshad occurredontheiraccounts,comparedto33%ofvictimsofothertypesof fraud.Thesecasesareoftendifficulttodetectbyexternalsecuritysystems becausetheperpetratorisusuallyfamiliarwiththevictimsbehaviorsand/ orlivesintheclosegeographicalarea.Itisintheconsumersinterestfor themtoplayanactiveroleinmanagingtheirfinancialsecurityandkeeping aclosewatchontheirfinancialactivity. Javelinrecommendsdoingthefollowingtodetectfraudearly: Signupforemailandmobilealertsthroughyourprimarybank, creditcardcompany,and/orserviceprovider.
or by calling 1-877-322-8228.
By contacting a different one of the three credit bureaus every four months, you can stagger your free reports to review your credit three times a year at no charge.
Monitoryourcreditreportonaregularbasis.
HowConsumerscanProtectAgainstIdentityFraudstersin2013
23
Reviewfinancialstatementspromptly.
HowConsumerscanProtectAgainstIdentityFraudstersin2013
24
RESOLUTION
WhatShouldIDoIfIBecomeaVictimofIdentityFraud?
Ifyoubecomeavictimofidentitytheftorfraud,dontpanic.Whenit comestoyourfinancialaccounts,FIsandcreditcardprovidersare preparedtohelpyouresolvetheidentitytheft.MostFIshaveateam dedicatedtoresolvingidentityfraudandguidingvictimsthroughthe process.Withtechnologicaladvancements,identityfraudresolutionhas improved. Byfollowingthefewsimplestepsbelow,youcanhelpensurethatyour fraudcaseishandledquicklyandpainlessly.Theseactionscanserveasa checklist/resourceguideifyoubecomeavictim. Immediatelycontactyourbankandcreditcardcompanies.
Javelin Data Snack: The average amount of time required to resolve a case of identity fraud has steadily decreased, from 18 hours in 2004 to 12 hours in 2012.
IfyourFIprovidesfraudresolutionspecialists,askfortheir assistancetoensurethefraudisresolved.
HowConsumerscanProtectAgainstIdentityFraudstersin2013
25
ContacttheFederalTradeCommission. Placeafraudalertonyourcreditreport.
To report incidents of suspected fraud or identity theft, visit the FTC online at http:// www.consumer.ft c.gov/features/ feature-0014identity-theft or call 1-877-IDTHEFT (1-877-438-4338).
Fileapolicereport.
ConsiderenrollinginahighqualityIDprotectionservice.
IdentityFraudProtectionSolutions
Specificservicesareavailableforconsumerswhowantextraprotection againstnewaccountsfraudthetypeoffraudinwhichacriminalusesa victimsSocialSecuritynumberandotherpersonallyidentifiable informationtocreateafraudulentaccountinthevictimsname(e.g.,
HowConsumerscanProtectAgainstIdentityFraudstersin2013
26
Apaidsubscriptionservicethatmonitorsyourcreditforsuspicious
activityorchangestoyourcreditfile(e.g.,creditinquiries, employmentchanges,newaccountsoraddresschanges) Intendedtodetectpotentialidentityfraud
Personalinformation monitoring
Scanspublicrecords,thirdpartydatabasesandInternetsitesto
detectexposureofyourpersonalinformation(creditcard numbers,SocialSecuritynumbers,etc.) Intendedtodetectpotentialidentitytheft
Consider placing a security freeze on your credit report. If you have been a victim of fraud related to an opening of a new account more than once and you are not actively applying for credit, you may want to place a security freeze on your credit report at each of the three reporting agencies.
Fraudalert
Amessagethatisplacedonyourcreditreport,requiringlenders
andcreditorstoconfirmyouridentitybeforeissuinganewlineof credit Intendedtopreventnewaccountsfraud
Creditfreeze
Freezesyourcreditfileatthecreditreportingagencies,whichare
thenprohibitedfromissuingyourcredithistorytoanylender, creditor,orothers Intendedtopreventnewaccountsfraud 2013JavelinStrategy&Research
HowConsumerscanProtectAgainstIdentityFraudstersin2013
27
ABOUTJAVELIN
JavelinStrategy&Research,adivisionofGreenwichAssociates,provides strategicinsightsintocustomertransactions,increasingsustainableprofits andcreatingefficienciesforfinancialinstitutions,governmentagencies, paymentscompanies,merchants,andothertechnologyproviders.Javelins independentinsightsresultfromauniquelyrigorousthreedimensional researchprocessthatassessescustomers,providers,andthetransactions ecosystem. Authors: Contributors: PublicationDate: Editor JamesJarzab,ResearchSpecialist AlPascual,SecurityRiskandFraudSeniorAnalyst SarahMiller,SecurityRiskandFraudAnalyst MaryMonahan,ExecutiveVicePresidentand ResearchDirector JamesVanDyke,PresidentandFounder February2013 ChuckErvin
Additional Resources The 2013 Identity Fraud Reports sponsors Intersections and Citigroup also make safety recommendations: Intersections http:// www.identityguar d.com/what-isidentity-theft/ Citigroup https:// online.citibank.co m/US/JRS/pands/ detail.do? ID=SecurityCenter
ABOUTTHEMETHODOLOGY
Since2003,Javelinhascollecteddatafromapproximately5,000adults eachyeartomeasuretheoverallimpactofidentityfraudonconsumers.In 2012,5,249adults,including1,186fraudvictims,answeredquestions regardingtheirdailyfinancialpracticesandbehaviorstohelpdetermine thecausesofandprovideimportantdetailsaboutsuchfraud.Javelins identityfraudstudyreachesanaudienceof63millionandisafactual resourcefortheFederalTradeCommission(FTC).
HowConsumerscanProtectAgainstIdentityFraudstersin2013
28
GLOSSARYOFTERMS
accounttakeoverfraud Methodofidentityfraudinwhichafraudoperatorattemptstogain accesstoaconsumersaccountbyfraudulentlyaddinghisorher informationtotheaccount(e.g.,changingaccountmailingaddress, addinghimselforherselfasaregistereduser,ormakingother alterations). Transactioninwhichthecardisnotpresent;carddataismanually entered.Thisincludespurchasesmadeonline,byphone,orthrough themail.
cardnotpresent(CNP)
casualsocialnetworkactivity Socialnetworkuserswhoindicatedthattheysometimesusethe users indicatedsocialnetworkingactivityoroftenusetheindicatedsocial networkingactivity. cloud ThecloudisametaphorfortheInternet.Withthecloud,software servicesanddataarenothostedlocallybutgloballyandare accessibleremotelybybrowser.Amazon,Google,andRackspace,for example,offerlargecloudnetworksthatareleasedtovarious businesses. Outofpocketcostsincurredbythevictimtoresolveafraudcase, includingpostage,copying,notarizingofdocuments,andlegalfees; costsmayalsoincludepaymentofanyfraudulentdebtstoavoid furtherproblems. Securityfreezeplacedonaconsumerscreditfiletopreventthefile frombeingsharedwithcreditors,thusforestallingnewaccounts frombeingopenedintheconsumersname. Servicethatscrutinizesaconsumerscreditfileforsuspiciousactivity orchangesonhisorhercreditreportsuchascreditinquiries, delinquencies,negativebillinginformation,employmentchanges, andaddresschanges.Monitoringisparticularlyhelpfulindetecting newaccountfraudafteritoccurs.Themosteffectivecredit monitoringcompanieswillmonitorallthreecreditbureausbecause manylenderswillcontactonlyone. Unauthorizeddisclosureofinformationthatcompromisesthe security,privacy,orintegrityofpersonallyidentifiabledata. ActofpassivelycompromisingaPCbydownloadingamaliciousfile whilethevictimviewsthecontentofawebsite.
consumercostoroutof pocketcost
creditfreeze
creditmonitoring
databreach drivebydownload
HowConsumerscanProtectAgainstIdentityFraudstersin2013
29
existingaccountfraud existingcardaccountfraud
Identityfraudperpetratedagainsteitherorbothexistingcardand existingnoncardaccounts. Identityfraudperpetratedthroughuseofexistingcreditordebit cardsand/ortheiraccountnumbers.Thisfraudtypecanalsobe referredtoasexistingcardfraudorECF. Identityfraudperpetratedthroughuseofexistingcheckingand savingsaccountsorexistingloan,insurance,telephone,andutilities accountsorotheraccounts.Thisfraudtypecanalsobereferredtoas existingnoncardfraudorENCF. Methodsofdetectingfraudinwhichanexternalresourceisthefirst todiscoverthefraud.Examplesofexternaldetectionmethods includediscoveringfraudthroughnotificationsfromthebank,law enforcement,ordebtcollectors. Totalamountoffundsthefraudoperatorobtainedillegally;these mayresultinactuallossestovariousbusinessesandorganizations and,insomecases,totheconsumer. Socialnetworkuserswhoindicatedthattheyalwaysusethe indicatedsocialnetworkingactivityoroftenusetheindicatedsocial networkingactivity. Fraudcommittedbysomeonewhoknowsthefraudvictim personally,suchasafamilymember,coworker,orfriend.Familiar fraudismoredamaging(hardertodetectandlongertoresolve) becausetheperpetratorstendtobeawareofthevictimshabitsand knowhowtohidethefraud.Also,victimstendnottoreportfamiliar fraudtoauthorities. Unauthorizeduseofsomeportionofanotherspersonalinformation toachieveillicitfinancialgain.Identityfraudcanoccurwithout identitytheft(forexample,byrelativeswhoaregivenaccessto personalinformationorbytheuseofrandomlygeneratedpayment cardnumbers). Unauthorizedaccesstopersonalinformation;identitytheftcanoccur withoutidentityfraud,suchasthroughlargescaledatabreaches. Spywarethatcapturesandrecordsuserkeystrokesonacomputer andisusedbyfraudsterstoobtainpasswords,PINs,logins,andother sensitiveinformation.
existingnoncardaccount fraud
externaldetectionmethods
fraudamount
identityfraud
identitytheft keylogger
HowConsumerscanProtectAgainstIdentityFraudstersin2013
30
Ordersplacedthroughmailortelephonechannels(atypeofcardnot presenttransaction). Malicioussoftwaredesignedtoaccessacomputeroroperating systemwithouttheknowledgeorconsentoftheuser.Some examplesofmalwarearecomputerviruses,worms,Trojanhorses, spyware,maliciousadware,androotkits.Malwareisdamagingcode orprogrammingthatgathersinformationwithoutpermission. Attackinwhichaperpetratorisabletoread,insertinto,andmodify, atwill,messagesbetweentheInternetbrowserandaserverwithout eitherpartysknowingthatthelinkbetweenthemhasbeen compromised. Attackinwhichaperpetratorisabletoread,insertinto,andmodify, atwill,messagesbetweentwopartieswithouteitherpartysknowing thatthelinkbetweenthemhasbeencompromised.MITBattacksare asubsetofMITMattacksinwhichthebrowserisexploitedtotrick thelegitimatepartiesintorevealingsensitiveinformation. MethodbywhichtheFIandthecustomeridentifyeachotherby providingandidentifyingsharedsecrets. Identityfraudperpetratedthroughuseofthevictim'spersonal informationtoopenfraudulentnewaccounts. Servicethatkeepsaneyeonaconsumerspersonallyidentifiable informationbymonitoringchannels,includingonlinesurveillance, publicrecordsanddatabases,Internetsites,andcardingforums (undergroundsiteswherestolencreditcardnumbersareboughtand sold).Thirdpartysolutionsthatofferthisserviceprovideadditional valuebecausetheycanmoreholisticallypreventanddetectidentity fraud,includingmedicalandhealthinsurancefraud. Methodof"fishing"forInternetuserspasswordsandfinancialor personalinformationbyluringthemtoafakewebsitethroughan authenticlookingemailthatimpersonatesatrustedparty.Phishing emailscouldattempttoimpersonateanFI,issuer,merchant,or biller. Userdefinedcontrolsthatallowuserstomanagethevisibilityof variouspartsoftheirsocialmediaprofiles,includingwhohasaccess tospecificinformation.
maninthebrowser(MITB)
maninthemiddle(MITM)
phishing
privacysettings
HowConsumerscanProtectAgainstIdentityFraudstersin2013
31
selfdetectionmethods
Methodsofdetectingfraudinwhichtheconsumeristhefirstto discoverthefraud.Examplesofselfdetectionincludediscovering fraudthroughelectronicorpapermonitoringorreportingacardlost orstolen. Victimswhoreportthattheyhavesufferedasignificantlynegative effectbecausetheyhavebeenfraudvictims.Consumersratethe impacta4or5onascalewhere1representslittleornoeffectand 5representsasevereeffect. Amobiledevicewithphone,keyboard,webaccess,andapps(e.g., Android,iPhone,WindowsMobile,BlackBerry,etc.) Aformofcriminalactivity,usingtechniquessimilartophishing,in whichafraudsterusesSMSmessagestomobiledevicestolure victimsintorevealingpersonalinformation.Similartophishing,it couldattempttoimpersonateanFI,issuer,merchant,orbillerand canincludeafraudulentURLlinktoafakedwebsiteorphone numbertoafakeautomatedvoiceresponsesystem. Amediumforconsumerstointeractwithoneanotheronline.Users areresponsibleforgeneratingcontentandcanpostandedit conversations,pictures,andmedia.Someofthemostpopularsocial mediasitesareFacebook,MySpace,LinkedIn,Twitter,FourSquare, Yelp,andYouTube. Programthatappearstobeausefulfile(e.g.,amusicfileorsoftware upgrade)fromalegitimatesource,trickingthevictimintoopeningit; onceactivated,theTrojanhorseallowsintruderstoaccessprivate information. Reviewandreleasealertsareuserdefinednotificationsthatalertthe consumerwhenthetransactionisstillpending.Thetransactionthat triggeredthealertremainspendinguntiltheconsumercanverifyor denyitwithinthealert. Reviewandrespondalertsnotifyconsumersafteratransactionhas beencompletedbutallowstheconsumertorespondwithinthealert ifheorshewantstotakecertainaction.Thiscouldincludereporting thetransactionasfraudulentortransferringfundsfromoneaccount toanother.
severelyimpacted
smartphone smishing
socialnetworking
Trojanhorse
twowayactionablealerts: reviewandrelease
twowayactionablealerts: reviewandrespond
HowConsumerscanProtectAgainstIdentityFraudstersin2013
32
WiFihotspots
WiFiProtectedAccess (WPA)