The fraud outlook for 2018 continues to be dampened by news of new data breaches, growing fraud rates and the increasing savvy of fraudsters. But that doesn’t mean your business has to be a victim. Payments businesses can make several changes to protect themselves in the new fraud climate. Here are three keys to confronting fraud in an era of widespread data breaches:
#1. Assume every identity has been compromised
In the first half of 2017, the number of data breaches climbed 29 percent. From the Republican National Committee contractor whose breach exposed voting data on nearly 200 million Americans, to Verizon’s breach that affected more than 14 million customers, data hacks are increasing in frequency and severity across all industries.
The recent breach of credit reporting giant, Equifax, is another example. Reported by the Wall Street Journal as the largest social security breach in history, approximately 143 million U.S. consumers’ confidential data, including social security numbers, names, birthdates and addresses were compromised. What’s more, they reported that more than 200,000 consumers’ credit card numbers and 180,000 consumers’ sensitive documents were ascertained.
Because personal data of every kind is only a few clicks away for fraudsters, payments businesses face significant identity verification challenges. They need smarter systems to allow customers to use their own (likely compromised) data, while being able to recognize when criminals are using the same data illegally.
#2. Go beyond Social Security Numbers
For many businesses, the social security number has long been regarded as a key indicator of identity. But if it wasn’t made abundantly clear by the Equifax data breach, social security numbers (SSNs) can no longer be a trusted piece of identity data. In fact, SSNs were never meant to serve this purpose in the first place. They were created solely as a way to keep track of an individual’s earnings for social security and benefits purposes.
So, what do you do if SSNs are a key customer identifier for your business? Start incorporating modern identifiers into your verification process. These attributes, such as home address, phone or IP address, are exponentially more valuable because they travel with a person wherever they go. For example, the proximity of an IP address to the applicant’s physical address or phone location simply can’t be faked. Multiple attributes can also be connected together to prove a person’s identity beyond a reasonable doubt.
#3. Confirm Whole Identities by Linking Identity Data Attributes Together
While it’s easy to use and piece together stolen identity data, it is impossible to fabricate the linkages that effectively mimic a real person. Legitimate customers can be confirmed by verifying many identity data elements and ensuring they all connect to the individual behind the transaction, clearly distinguishing them from bad actors whose data elements won’t correlate properly.
Linkage analysis can include connecting name, address, phone, IP and other non-personally identifiable information (non-PII) data.
Some positive signals include things like:
- an email address age of more than 720 days
- an IP address within 10 miles of the physical address
- a match between phone and address
- a match between email and name
- a match between phone and name
- a match between address and name
And common risk signals include:
- a mismatch between linked email, phone or address details
- an email address less than 90 days old
- a non-fixed VoIP or toll free phone number
- a phone country code and physical address mismatch
- invalid phone, email or address info
- a proxy IP address
The ever expanding volume of personal data available on the dark web has rendered basic identity data attribute verification obsolete. In order to tell if a customer is who they say are whole identity verification is what’s needed. Doing so will help set your business up for reaching records of your own kind.