ID theft has grown so far, so fast, because financial institutions and other lenders have missed it. A massive study of 200 million new credit card, checking account and cell phone accounts opened during 2001 — with participants like Citibank, Dell, Bank of America, and T-mobile — shows that 7 out of 8 identity thefts are mis-categorized as simple credit losses by lenders.
The problem is simple: to lenders, most identity theft cases look simply like unpaid bills. It’s not until months later, when the identity theft victim discovers the problem and calls to complain, that the lender finds out fraud is involved — and then, the money has already been written off as a credit loss, said Bruce Hansen, CEO of ID Analytics Inc., which performed the study.
That’s one reason financial institutions haven’t reacted more quickly to the identity theft crisis; they just didn’t see it.
“I had this sense that the problem was bigger than people suspected it was,” said Martin Abrams, executive director at the Center for Information Policy Leadership, who has seen the study. Abrams is the former chief privacy officer at credit reporting agency Experian. “I believed the fraud numbers were too low. This study begins to show why that’s the case.”
The massive study included 100 million credit card applications and follow-up data from 2001 supplied by major credit grantors — Bank of America, Capital One, Citibank, Diners Club, and Discover Financial Services. The study included another 100 million accounts from other credit granters like Dell Financial Services, JP Morgan Chase, Sprint, and T-mobile, along with Circuit City’s instant credit arm, First North American National Bank.
“When we started working with fraud folks ... from their perspective, it was still a small problem,” Hansen said. “They were confused by the pressure they were getting. Consumer advocates were hollering, saying there were 750,000 ID thefts in a year, but some of our clients said, ‘We’re vexed. We don’t see the numbers they see.”
Institutions that participated in the study had attributed $85 million in losses to ID fraud in 2001. The study put ID-theft losses at $1.07 billion that year.
Since the study was initially commissioned, several other surveys have indicated that identity theft is much worse than initial estimates. A Federal Trade Commission study released last month said some 10 million people were hit by ID theft last year; a Gartner study pegged the number at 17 million.
The ID Analytics study confirmed that fraud rates were higher than financial institutions thought, and in some ways, is even harder on financial institutions than earlier studies indicated. The study also examined identity fraud — which occurs when a criminal makes up an identity out of thin air, rather than taking over a real person’s identity. That kind of fraud didn’t show up in the FTC and Gartner studies, which involved surveys of victims.
Total fraud rate: 2 percent
The new study found that the total fraud rate among the various types of credit applications was 2 percent — much higher than the 0.25 percent that’s often cited by the credit card industry, Hansen said. And businesses lose about $12 to fraud for each approved application, according to the study.
The study also revealed incredibly high rates of identity fraud in certain segments of credit granting — with instant credit grantors being the most susceptible to ID fraud. So-called “faceless, instant” credit grantors, like Web-based wireless phone sellers, face fraud rates of 7.5 percent, and lose $27 per approved application, the study showed.
Any firm that offers fast credit approval is an easy mark for ID thieves, Abrams said.
“Immediacy is the enemy of accuracy ... ID thieves are successful because we have a marketplace based on immediacy,” Abrams said. “We can’t move away from instant credit but it is the enemy of good authenticity.”
The study also found that ID thieves have no trouble getting real social security numbers. A full 97 percent of incidents involved a legitimate Social Security Number.
Avivah Litan, who authored the Gartner study, said the report goes a long way toward explaining the gap that has existed between financial institutions and consumers on the prevalence of identity theft, but it doesn’t necessarily change the problem. Lenders will be loathe to change their habit of reporting fraud as a credit loss, because it might be poor for their corporate image, she said.
“The question is: Are they doing that intentionally? Maybe they don’t have much incentive to stop,” she said. “Wall Street would frown on the high fraud losses. If they start reporting all this loss as fraud loss, their stock would take a hit.”
ID theft predicted?
ID Analytics was founded last year by former financial industry executives looking for solutions to the identity theft problem. Using the 200 million credit applications, the firm created software that uncovers typical patterns in the behavior of identity thieves and seeks to stop the crimes before credit is granted.
Several executives from the firm also worked for HNC Software Inc., which developed anti-fraud software for credit card companies called Falcon. Many consumers are familiar with Falcon’s work: Often after a sudden rash of big-ticket purchases or travel expenses, consumers are called at home and quizzed about the charge to make sure they are not fraud. That’s Falcon’s “neural network” signalling credit card purchasing that falls outside of normal spending habits, a sign of possible fraud. Such red flags result in phone calls to consumers requesting that the purchases be verified.
ID Analytics is trying to bring that kind of analysis to all credit applications as a way of stopping ID theft before it starts. For example, if software noticed a series of cell phone purchases from different vendors, but all attempted by the same consumer, an alert could be attached to the application forcing human intervention.
“Once you give an ID thief a credit card or a phone, it’s too late,” said Steven Gal, vice president of ID Analytics.
The firm’s technique assigns an “ID score” to each application, similar to a credit score, which indicates the likelihood that a given application is fraudulent. But the system only works if multiple industry players share their data continuously.
Litan says the product shows promise, particularly because it addresses identity theft before it impacts the consumer. But she’s skeptical that lending institutions will spend a lot of money on fraud protection unless there is some legal mandate to do so.
“Industry needs to start treating (ID theft) as a crime instead of as privacy issue,” she said. “Right now there are no laws that say banks have got to attack identity fraud. There’s no carrot. There’s no stick. So they will just be asking themselves the question, ‘Do we want to just live with credit loss and slowly try to whittle it down ourselves?
“No one’s doing this to help the consumer ... I don’t think any companies are going to invest in this as a goodwill gesture,” she added.