Identity theft was a bad news, even worse news story in 2017, a new report has found. Despite a painful transition to fraud-fighting chip-enabled credit cards, and a series of other changes designed to stem the tide of fraud, identity theft actually swelled to record highs last year. Making matters worse, thanks largely to the Equifax breach, criminals stole more Social Security numbers than credit card numbers for the first time — putting consumers at even higher risk going forward. Also, in a quietly disturbing trend, ID fraudsters are more successfully attacking non-bank accounts, such as cell phones, e-mail payment accounts, and even rewards points accounts.
Overall, an estimated 16.7 million Americans were victims last year, up from 15.4 million the year before, the previous high. The only silver lining — overall losses increased from last year to $16.8 billion in 2017, but that’s still below the all-time record of $22 billion set in 2012.
“I like to have good news to share but the fact of the matter is I don’t really,” said Al Pascual, research director and head of fraud & security, Javelin Strategy & Research, which generates the annual report on incidence of ID theft. “Criminals have so much information … and they’ve gotten really good at using it.”
As expected, the switch to chip-enabled EMV credit cards has largely eliminated card cloning and reduced “card present” fraud in retail stores. But that has simply nudged criminals towards card not present fraud — such as stealing from websites. Card not present fraud is now 81 percent more likely than point of sale fraud, the greatest gap Javelin has observed.
Existing account takeover fraud — when a criminal hacks into a victim’s account and changes contact information so their thefts go undetected — nearly tripled last year, Javelin found. About 1.5% of Americans reported being a victim of this crime, up from just 0.5% one year ago. Criminals also demonstrated their increased ingenuity by a sharp rise in so-called cross account takeover, in which fraudsters hack their way into multiple victim accounts — perhaps their PayPal account and their cell phone. It was up 32%.
Perhaps the most concerning element of the report is the dramatic increase in ID-based frauds beyond credit cards and traditional bank accounts — what Javelin calls “existing non-card fraud.” Overall, it doubled last year. Mobile account fraud doubled. Criminals now target cell phones so they can defeat two-factor authentication that requires entering a code sent via SMS text message. Attacks on alternative payment services like PayPal are up by about 50%. Brokerage account fraud incidents soared from 2% to 7% of all existing non-card fraud reports. Meanwhile, attacks on “points” programs, such as hotel loyalty programs, have tripled. Such points can be bartered and turned into e-gift cards in the computer underground. Meanwhile, attacks on virtual currency wallets, like Bitcoin wallets, sat at 8% of existing non-card fraud — they didn’t even register in last year’s survey.
Javelin’s report blames poor “controls” — financial security procedures at non-traditional banking firms are simply not as robust. Online retailers are slower to react to account takeovers, for example.
“Large-scale compromise of existing non-card accounts in 2017 was clearly facilitated by poor controls as fraudsters capitalize on weak authentication,” the report says. “Fraudsters use breached (personal information) or passwords to gain entry to these accounts — sometimes on a large scale through credential stuffing attacks — then monetized the accounts by either making purchases using stored credentials or using them to fund new fraudulent accounts. Often the same data that criminals used to compromise one account can be reused to gain entry to multiple accounts owned by the victim.”
Many of these firms don’t react well to consumer complaints either, said Melba Amissi, chief risk officer at Identity Guard, which helped fund the Javelin survey.
“There’s a lot of the frustration … dealing with large institutions, a lot of emailing back and forth,” Amissi said. “The burden of proof is on the consumer.”
RED TAPE WRESTLING TIPS
It’s critical for consumers to understand that identity theft has now grown up, and moved far beyond simple credit card fraud. Consumers have so many more kinds of accounts that can be valuable to criminals — just ask victims of Starbucks account takeovers. That makes life much more complicated for consumers, who must protect all these accounts as rigorously as their bank accounts. Sorry, there’s no way around that. It’s hard work, but the risks are quite real, while the consumer protections are not. If a criminal raids your coffee app or your fast food app, you have no legal right to a refund, as you do with a bank account.
Javelin also has these recommendations:
- Turn on two-factor authentication wherever possible – Enabling two-factor authentication on sites that have that capability, where a separate action must be taken beyond providing a user name and password to access an account, can make it significantly more difficult for fraudsters to take over your accounts. For sites without two-factor authentication, use strong passwords or a password manager to secure accounts.
- Secure your devices – With consumers increasingly relying on their digital devices to obtain goods and services, making purchases and sharing personal information, criminals have shifted their focus to these devices for the access they can provide to accounts and the information they store or transmit. Secure online and mobile devices by instituting a screen lock, encrypting data stored on the devices, avoiding public Wi-Fi and/or using a VPN, and installing anti-malware.
- Place a security freeze – If you are not planning on opening new accounts in the near future, a freeze on your credit report can prevent anyone else from opening one in your name – which is especially important if you have been a victim of a data breach that has exposed sensitive personally identifiable information. Credit freezes must be placed with all three credit bureaus and prevent everyone except for existing creditors and certain government agencies from accessing your credit report. While costs vary per state, typically each bureau costs below $20. Should you need to open an account requiring a credit check, the freeze can be lifted through the credit bureaus.
- Sign up for account alerts everywhere – A variety of financial service providers, including depository institutions, credit card issuers and brokerages, provide their customers with the option to receive notifications of suspicious activity – as do businesses in other industries, such as email and social media providers. These notifications can often be received through email or text message, making some notifications immediate, and some go so far as to allow their customers to specify the scenarios under which they want to be notified, so as to reduce false alarms.
- Protect yourself from unauthorized online transactions – As EMV makes fraud at physical stores more challenging, fraudsters are moving to target online merchants. Some financial institutions offer alerts for online transactions, the ability to institute limits on online transactions, or even advanced controls through 3-D Secure (e.g., Verified by Visa, SecureCode from Mastercard, etc.). These can help quickly detect and even prevent online fraud from occurring.
Going to suggest something simple, since I work in the credit industry…READ. YOUR. STATEMENTS.
Doesn’t matter if you get paper documents in the mail, or have gone paperless. When they’re created (because you read the above tip and have alerts set up) you open them up and read them.
Doesn’t have to be an hour for each one, but open them up and make sure what you see as far as charges, payments, addresses, (and APRs, etc.) makes sense to you. If something looks off, investigate yourself…don’t assume a bank or a merchant is going to watch out for you first.
And, if you are getting paperless statements, decide what you want to do with them…are you going to leave them on a digital device, pull them down into separate storage, or delete them…and then do that EVERY TIME.
Always treat digital statements/bills as if they were paper: because they are for purposes of notification from whomever is sending them to you.