Surprise — ID Theft Is Down Despite Data Breaches
Hackers in several financial services industry data breaches targeted customer-contact information that is often thought of as less sensitive. But crooks can use that data and other bits of stolen info to do great harm.February 10
Fake identity fraud is growing, due to the plentiful array of consumer account and card data available in the wake of massive data breaches. It's a crime banks find almost impossible to detect and deter.January 27
The theft of 4.5 million customer records from Community Health Systems could bring a wave of identity theft and illustrates the need to eradicate the Heartbleed bug from banks' networks.August 21
Despite a series of large-scale data breaches over the past two years, identity theft fell for the second consecutive year in a row in the U.S., according to a new study released Tuesday.
Roughly 12.7 million Americans were hit with identity fraud in 2014, a 3% drop from a year earlier, while losses tied to that fraud fell 11% to $16 billion, said the study, which was released by Javelin Strategy & Research.
It may seem counterintuitive, but it's clear that banks and others are getting better at protecting customers' data in the wake of breaches, said Al Pascual, director of fraud and security at Javelin.
"What we've seen is an extraordinary response," he said. "Data breaches are nothing new. In fact, last year was not even a big year for data breaches. But the way we reacted to breaches was unique."
The decrease was attributable in part to the Target breach in 2013. After it occurred, 95% of affected cards were replaced.
"That's an extreme response. That does not happen," Pascual said, adding that generally the number of cards replaced is in the single digits.
Because the Target breach was so high-profile, banks went on the offensive, and the value of the stolen cards on the black market plummeted.
"On top of that, you had every state attorney general coming out of the woodwork to tell businesses that were breached they had to provide identity protection," Pascual said.
Another factor is that law enforcement agencies have been buying stolen identity information as part of their investigations, according to Eva Casey Velasquez, president and CEO of the Identity Theft Resource Center, a non-profit organization that provides victim assistance and consumer education through its call center, website and social media.
The awareness and education coming from the media and organizations like ITRC are making a difference, she said.
"There's a lot more attention from mainstream media," said Valasquez. "We're getting calls every day from people saying, 'I heard or read about this data breach, I might be part of it.'"
In light of all this effort and awareness, the 3% decrease in the number of victims is disappointing, Pascual said. "I see that as a negative," Pascual said. "The proportion of victims went up 20-30% in my mind because we put in so much effort for so little return. That's not sustainable in the long term."
Other experts said that speaks to the pernicious nature of the threat.
"Fraud prevention and protection is a lot like squeezing Jello," said Dr. Stephen Coggeshall, chief scientist at LifeLock, which sponsored the Javelin study. "When you stop it in one place, it squirts out someplace else. There's going to be smart fraudsters all the time, and the modes of fraud continue to evolve."
Although it may have fallen slightly, identity fraud continues to be a huge problem.
In a report issued last week, the Federal Trade Commission said identity fraud is the number-one type of consumer complaint it receives. Out of more than 2.5 million total complaints filed with the FTC in 2014, 332,000 (13%) were related to identity theft. The previous year, 2.2 million complaints were filed and 13% were of identity fraud. (The FTC's data also show a sharp uptick in impostor scams, particularly those related to tax identity fraud.)
Velasquez doesn't see a discrepancy in the Javelin and FTC reports.
"Each of these reports will have unique limitations based on the data they're gathering," she said. "It doesn't surprise me that they don't sync 100%."
She noted that there's no universal standard for defining ID theft and consumers often don't know they're victims. All they know is they got a collection notice about debt they've never seen, or they received a data breach notification.
The Javelin research found that students have also become a favorite target for identity theft. Fraudsters misuse student information four times as much as ordinary consumers.
Javelin suggested that was largely due to "familiar fraud" perpetrated by friends, roommates, family and acquaintances. The victim's identity information is used to create a new account or take over existing accounts.
Familiar fraud is difficult to prevent and resolve. "Often people who know you have access to your personal information," Pascual noted. "If they live in the same place, they may have access to information you leave lying around the house, they can intercept phone calls meant for you to verify transactions or that you've established a new account."
Students also tend to door a poor job of protecting themselves, Pascual said. They typically don't shred documents; they don't lock things in a safe and they overshare on social media.
"The fact of the matter is, they're leaving too much to chance and people who know them are taking advantage," Pascual said.
There are two primary reasons students tend to be ripe targets for identity fraud, Coggeshall said. The first is they're doing a little more activity than the average than a consumer they're getting cell phones, bank accounts, maybe applying for student loans.
"There's a lot of activity going on with establishing services," he said.
The second is bad habits.
"We look at them as being tech-savvy, which they are, but they also haven't developed the warnings and behavior patterns that those of us who have been victimized by scammers throughout the years have grown a shell around us," Coggeshall said. "Millennials tend to be free about sharing information on social networks. Sometimes that information can help identity fraudsters, particularly their date of birth and other types of information that help with knowledge based authentication. And they tend to be a little more cavalier about leaving information around. They're more trusting."
Millennials do tend to do a better job at setting up their privacy settings on Facebook, preventing anyone who's not a friend from seeing their information.
"But the fact of the matter is, they have 1,000 or 2,000 friends and they're sharing all that information with them," Pascual said.
The Javelin research also looked at how consumers react when they've been the victim of a data breach. Almost a third (28%) said they avoid certain merchants; 26% no longer store personal information with cloud-based service providers; 21% switched forms of payment, 19% spend less money online; 10% no longer bank online; 8% switched their primary bank or credit union; 7% spend less money in physical stores; 6% switched credit card companies.
Some of these moves are counterproductive, Pascual said. For instance, online banking can help people protect themselves because it forces them to actively monitor their accounts.
There's a need for greater education around the benefits of that kind of activity, he said.
In the meantime, new account fraud has been decreasing as card fraud continues to rise.
"Fraudsters are stealing as much card data as they can," Pascual said.
Card fraud is easier to execute than opening fake new accounts, which are subject to more scrutiny. "Once EMV comes, that door will shut on them. They'll have to go with it. In the UK, we saw new applications fraud skyrocket. We're going to see the same thing here."
Alternative payment mechanisms and mortgage loans are also becoming more alluring targets for fraud, too.
"Establishing a new PayPal account is a way for criminals to access other accounts and move money," said Pascual. "That can be a really attractive challenge."
The Know-Your-Customer capabilities of some payment services providers are not as strong, he suggested.
"As mobile payments become more popular, account takeover will become more popular," he said.