Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Identity theft

The Top 7 HIPAA Risk Analysis Myths

HIPAA-Risk-Assessment-Infographic-e1406067274883

The Aftermath of a Mega Data Breach

A Ponemon Study sponsored by Experian® explores consumers’ sentiments about data breaches. The goal was to learn the affect data breaches had on consumers’ privacy and data security concerns. A similar study was conducted in 2012 and reveals some interesting trends in consumers’ perceptions.

The study asked consumers who were victims of a data breach questions about their experience. It may not come as a surprise that individuals who have had their personal information lost or stolen increased 100% since the 2012 study when only 25% of individuals surveyed were victims of a data breach.

For purposes of the research, they define a data breach as

the loss or theft of information that can be used to uniquely identify, contact or locate you. This includes, but is not limited to, such information as Social Security number, IP address, driver’s license number, credit card numbers and medical records

797 individuals were surveyed and approximately 400 of these respondents say they were the victims of a data breach. By far, the primary consequence of a data breach is suffering from stress (76% of respondents) followed by having to spend time resolving problems caused by the data breach (39% of respondents).

The most significant findings of the research:-

What companies should do following a data breach

  • 63% of consumers continue to believe that organizations should be obligated to provide identity theft protection
  • 58% believe credit monitoring services should be offered
  • 67% believe compensation such as cash, products or services should be offered

–       These findings are similar to the findings in the 2012 study.

Credit card companies and retail stores sent the most notifications

  • 62% of respondents say they received two data breach notifications involving separate incidents. These notifications can be in the form of a letter, telephone call, email or public notice.

Becoming a victim of a data breach increases fears about becoming an identity theft victim.

  • Prior to having their personal information lost or stolen, 24% say they were extremely or very concerned about becoming a victim of identity theft.
  • Following the data breach, this concern increased significantly to 45%.
  • 48% of respondents say their identity is at risk for years or forever.

How important is media coverage of data breaches?

  • The majority of respondents believe it is important for the media to report details about data breaches. Mainly because it requires companies to be more responsive to victims followed by the creation of greater awareness about how the data breach could affect individuals and alerts potential victims to take action to protect their personal information from identity theft.

Other findings:-

  • 25% of data breach notifications offered identity theft protection such as credit monitoring or fraud resolution services. This is a slight decrease from 2012 when 29% of respondents received such an offer
  • 67% of those receiving a notification wanted the organisation to “Explain the risks or harms that I will experience”
  • 32% said “I ignored the notification(s) and did nothing”
  • 78% were most worried about their Social Security number followed by Password/PIN at 71% and Credit card or bank payment information with 65%
  • 81% of respondents who were victims of a data breach did not have any out of pocket costs. If they did, it averaged about $38
  • 34% say they were able to resolve the consequences of the breach in one day
  • 55% say they have done nothing to protect themselves and their family from identity theft

The full report can be found here.

More Than 12 Million Identity Fraud Victims in 2012, study finds

Javelin Strategy & Research have released their 2013 Identity Fraud Report with some startling results the scariest being “one in four consumers who receive a data breach letter will become the victim of identity fraud.”

This means the days when a breached organisation would try to keep a breach quiet with the hope that it would go away have gone because the odds are far too high to ignore financial impacts that follow Identity Theft. 

This past year was one where there were both successes and setbacks for consumers, institutions and fraudsters,” said Jim Van Dyke, CEO of Javelin Strategy & Research, in a prepared statement. “Consumers and institutions are now starting to act as partners detecting and stopping fraud faster than ever before. But fraudsters are acting quicker than ever before and victimizing more consumers. Consumers must take data breach notifications more seriously and maintain vigilance to safeguard personal information, especially Social Security numbers

Key findings from the study include:

–  $21 billion was stolen in 2012. Higher than in recent years but considerably lower than the $47 billion in 2004

–  Almost 1 in 4 consumers who received a breach notification letter became a victim of identity fraud.

This underscores the need for consumers to take all notifications seriously. Not all breaches are created equal. The study found consumers who had their Social Security number compromised in a data breach were 5 times more likely to be a fraud victim than an average consumer

–  The stolen information was misused for a variety of fraud types, for example credit cards, loans and mobile phone bills and on average was misused for an average of 48 days during 2012 which is down from 55 days in 2011 and 95 days in 2010.

More than 50% of victims were actively detecting fraud using financial alerts, credit monitoring or identity protection services and by monitoring their account

–  15% of all fraud victims changed their online behavior and avoid smaller merchants

While credit card numbers remain the most popular item revealed in a data breach, in reality other information can be more useful to fraudsters. Personal information such as online banking login, username and password were compromised in 10% of incidents and 16% of incidents included Social Security numbers

It’s not just online fraud or data breaches. More than 1.5 million consumers were victims of familiar fraud, which is fraud when victims know the fraudster. Lower income consumers were more likely to be victims of familiar fraud. The information most likely to be taken via familiar fraud includes name, Social Security number, address and checking account numbers

Javelin have produced some guidance for consumers called the “Seven Safety Tips to Protect Consumers”

Javelin Strategy & Research recommends that consumers work in partnership with institutions to minimize their risk and impact of identity fraud by following a three-step approach: Prevention, Detection and Resolution™.

Prevention

1. Keep personal data private—Secure your personal and financial records behind a password or in a locked storage device whether at home, at work and on your mobile device. Familiar fraud is a serious issue with 12 percent of fraud victims knowing the perpetrator personally. Other ways to secure information include: not mailing checks to pay bills, shredding documents, monitoring your accounts weekly, and protecting your computer and mobile device with updated security software. Use a trusted and secure Internet connection (not a public Wi-Fi hotspot) when transmitting personal or financial information, and direct deposit payroll checks.

2. Look for security features—When paying online be sure you have a secure connection. Two ways you can denote a secure connection are to look for “https” and not just http at the start of the merchant’s web address or a bright green box and padlock graphic in the address bar of most browsers. Check for either one of these before entering personal or payment information.

3. Think before you share—Before providing any sensitive information, question who is asking for the information. Why do they need it? How is the information being used? Do not provide the information if you are unsure about the legitimacy of the request. Be careful when clicking on links that then take you to a page asking for personal information. If an organization asks you for your Social Security number to validate your identity, request another question.

Detection

4. Be Proactive—There are many different levels of identity theft protection and consumers should work in partnership with institutions on identity theft prevention. By setting up alerts that can be sent via e-mail and to a mobile device and monitoring accounts online at bank and credit card websites, consumers can take a more proactive role in detecting identity fraud and stopping misuse. In 2012, 50 percent of fraud was first detected by the victims.

5. Enlist others—There are a wide array of services available to consumers who want extra protection and peace of mind including payment transaction alerts, credit monitoring, credit report fraud alerts, credit freezes and database scanning. 3 out of every 5 identity fraud victims did not know the source of their fraud, but many services will now provide alerts directly to a consumer’s smartphone. Some services can be obtained for a fee and others at no cost to the consumers who are victims of a data breach. These services can monitor credit reports, public records and online activity for signs of fraudulent use of personal information.

Resolution

6. Take any data breach notification seriously—If you receive a data breach notification, take it very seriously as you are at a much higher risk according to the 2013 Identity Fraud Report. If you receive an offer from your financial institution or retailer for a free monitoring service after a breach, you should take advantage of the offer, closely monitor your accounts and put a fraud alert on your credit report.

7. Don’t wait. Report problems immediately—If you suspect or uncover fraud, contact your bank, credit union, wireless provider or protection services provider to take advantage of resolution services, loss protections and methods to secure your accounts. A fast response can enhance the likelihood that losses are reduced, and law enforcement can pursue fraudsters so they experience consequences for their actions.

.

2013 looks like being a bigger year than 2012 as the ICO starts catching up with the backlog of breaches

2013 has started as 2012 finished off with UK Information Commissioner (ICO) coming down hard on those who breach the Data Protection Act.

So far this January 3 organisations have fallen foul of the ICO:

  1. Sony Computer Entertainment Europe Limited
  2. Mansfield District Council
  3. Prospect Trade Union

Sony Computer Entertainment Europe Limited

Sony Computer Entertainment Europe Limited fined £250,000 after the April 2011 hacking of the Sony PlayStation Network Platform (PSN). That breach resulted in millions of Sony customers having their data stolen including:

  • Names
  • Addresses
  • Email addresses
  • Dates of birth
  • Account passwords
  • Customers’ payment card details were also at risk.

David Smith, Deputy Commissioner and Director of Data Protection, said:

“If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority. In this case that just didn’t happen, and when the database was targeted – albeit in a determined criminal attack – the security measures in place were simply not good enough.

“There’s no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.

“The penalty we’ve issued today is clearly substantial, but we make no apologies for that. The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft.

“If there’s any bright side to this it’s that a PR Week poll shortly after the breach found the case had left 77 per cent of consumers more cautious about giving their personal details to other websites. Companies certainly need to get their act together but we all need to be careful about who we disclose our personal information to.”

Mansfield District Council. The council had several incidents of housing benefit claimants personal data being disclosed to the wrong landlord. The ICO has issued a formal undertaking to Mansfield District Council.

Prospect Trade Union. Prospect unfortunately sent two files containing personal details of approximately 19,000 members of the union to an unknown third party email address in error. The ICO has issued a formal undertaking to Prospect.

Both Prospect and Mansfield District Council have agreed “Formal Undertaking”. An undertaking is a detailed and document agreement between the ICO and the organisation that breached the Data Protection Act, specifically how those that have breached the Act will improve their Data Protection regime.

The Sony hack was widely reporting and was a result of an external attack whilst the other two, Prospect and Mansfield District Council were both the result of avoidable human error.

Want to know who was caught in 2012? Read my post 2012 was a big year for the Data Protection Act with record fines and breaches, see the full 2012 list here.

2012 saw a 5% increase in fraud

CIFAS (Credit Industry Fraud Avoidance System) is a not-for-profit membership association representing the private and public sectors.  CIFAS is dedicated to the prevention of fraud, including staff fraud, and the identification of financial and related crime. CIFAS operates two databases:

  1. National Fraud Database (NFD)
  2. Staff Fraud Database (SFD)

CIFAS’s analysis of fraud trends during 2012 reveals a 5% increase in the overall level of fraud, when compared with 2011. While the rate of the increase has slowed, further key findings present a more complex picture of the true state of the economic crime landscape in the UK:

  • Nearly 250,000 confirmed frauds were identified during 2012 by CIFAS Members, the highest number of frauds ever recorded by CIFAS Members and over 150,000 cases had an identifiable victim.
  • The continued blight of Identity Fraud accounts for over 50% of all frauds recorded in 2012.
  • The takeover of customer accounts increased by 53% from 2011, meaning that data driven identity crimes now constitute the vast majority of all fraud in the UK.
  • Conversely, frauds committed by the genuine account holder or applicant have all declined: the most notable being the decrease in fraudulent misuse of an account (Misuse of Facility fraud) which fell in 2012 by over 15% from the record levels seen in 2011. There has also been a fall in proven false insurance claims and instances of individuals submitting false details or documents in support of an application. 

The 5% increase in fraud levels recorded during 2012 serves as a reminder of the economic trials currently facing UK businesses and consumers. Nearly 250,000 frauds were identified in 2012. This represents a smaller rate of increase from the 9% surge recorded in 2011, but still constitutes the largest number of confirmed frauds ever recorded in a single year by organisations participating in the CIFAS national fraud data sharing scheme.

CIFAS Head of Communications, Kate Beddington-Brown, comments:

 “Fraud is frequently described as a victimless crime, but this is far from the truth. Whether it is an individual being impersonated, or public and private organisations losing funds due to fraudulent applications and transactions, the net effect is that the economic squeeze gets worse. Fraud acts as an impediment to business recovery and damages cashflow for us all; as losses incurred inevitably get passed on to society at large. The increase in fraud levels, therefore, might be seen as organisations getting better at rooting out fraud, but the implications are clear: increased fraud levels mean that organisations and individuals face a bigger problem than ever before.”

Identity crime: the fraudster’s biggest weapon

The fraudulent use of identity details (either those of an innocent victim or completely fictitious ones) is the biggest and most perturbing fraud threat. 50% of all frauds identified during 2012 relate to the impersonation of an innocent victim or the use of completely false identities.

Furthermore, Facility (or Account) Takeover Fraud – where a fraudster gains access to and hijacks the running of an account (e.g. theft of security details through computer hacking, interception of post details, social engineering through popular websites etc) rocketed by 53% compared with the previous year. This means that those frauds where the criminal requires identity details accounted for almost 2 in 3 (65%) of all frauds in 2012. The number of victims of both types of fraud has when combined also risen by 24% from the levels in 2011; underlining the very real cost of these crimes.

Kate Beddington-Brown notes:

 “These increases serve as a warning and a challenge to organisations and consumers equally. Organisations have invested heavily in updating and refreshing their security processes recently, ensuring that extra steps are taken to validate the identity of people with whom they are dealing. In spite of this, however, identity crimes have continued to rise – demonstrating that far more must be done. Equally, for individuals, It is obvious that fraud relating to personal data is an immense criminal trade so, fundamentally, we all have to do all we can to ensure that we also protect ourselves from becoming a victim, as well as demanding that the organisations we deal with take their security responsibilities seriously”

Frauds by account holders in decline

As problematic for organisations and the economy at large is fraud committed by the actual account holder. One piece of apparent good news, therefore, is that all frauds which come under this first party fraud heading declined in 2012: including misuse of facility fraud (where a legitimately obtained account is used fraudulently by the account holder) which decreased by 15% from the levels of 2011.

A substantial proportion of these frauds still bear the hallmarks of ‘money mule’ activity (where a criminal recruits another party to use his or her account on the fraudster’s behalf), but the decrease is encouraging in terms of consumer behaviour.

Kate Beddington-Brown notes:

“Organisations have invested effort into identifying possible victims of money mule operations and ensuring that their customers are educated about the dangers of misusing accounts, and these figures seem to demonstrate that this message is being heard. Any requests to receive and transfer funds on behalf of a person or organisation should be viewed with suspicion and reported, ultimately, to Action Fraud.”

Misuse of an account, however, is still the second largest type of fraud identified in 2012 and therefore increased attention must also be paid to ensuring that individuals are aware of this.

Kate Beddington-Brown explains:

“In these difficult economic times, the motivation to attempt fraud or the vulnerability to being duped into doing so – is perhaps understandable. Organisations, however, must do all that they can, to ensure that consumers are aware that committing fraud can have very serious consequences: from withdrawal of services to criminal charges. If organisations and consumers alike can stamp out this kind of fraud, extra effort can then be dedicated to preventing those criminals who are responsible for the rise in identity crime.”

CIFAS Chief Executive, Peter Hurst, concludes: “With the cost of living increasing, pay levels frozen for many, benefit changes taking effect and a sluggish economy, it is unsurprising that fraud has increased. Prevention remains better than cure, however, and it is time for all organisations and consumers to start reviewing their approaches to preventing fraud rather than just dealing with its effects. Investment in proper fraud prevention systems and approaches, from online security to data sharing, and education are the cornerstones of such an approach and without them the only thing that is guaranteed is an ever increasing fraud losses to organisations and society at large.”

CIFAS’s summary of  identified fraud cases in 2011 and 2012:

  2011 2012 % Change
Fraud cases identified 236,516 248,325 +5.0%

CIFAS’s summary of the types of fraud undertaken is below:

Fraud Type 2011 2012 % Change
Identity Fraud – Total 113,259 123,589 +9.1%
Application Fraud – Total 43,263 39,868 -7.8%
False Insurance Claim 396 279 -29.5%
Facility Takeover Fraud 25,070 38,428 +53.3%
Asset Conversion 532 337 -36.7%
Misuse of Facility 53,996 45,824 -15.1%
Victims of Impersonation 96,611 112,179 +16.1%
Victims of Takeover 25,250 38,686 +53.2%

You might also want to read

.

2012: “A year of Identity & Fraud” a review by Experian

Experian, a global information services company has posted two summaries of its research and blogs for 2012. I have taken the information that relates to Identity theft and fraud and consolidated it into one post.

In March, Experian revealed its latest research which estimated £1.02 billion worth of online shopping transactions were abandoned the previous year by UK consumers frustrated by old and inefficient identity measures. One in five of these abandoned transactions were not taken elsewhere as individuals cancelled their shopping attempt altogether, resulting in £214 million worth of net lost revenue for UK retailers.

The study, which was conducted for Experian by the International Fraud Prevention Research Centre and included survey data as well as insights from online retailers and the Office of National Statistics, revealed that 44% of UK shoppers had abandoned at least one online shopping transaction in the last year having become frustrated with the length and complexity of certain older forms of identity verification.

Older forms of online identity verification, typically complex, standalone systems drawing on single sources of information to corroborate identity information, are unable to validate as many individuals electronically as modern services. As a result, genuine customers might be forced to call a contact centre, submit physical documents through the post or visit the store or branch to confirm identity. Alternatively, the organisation might choose to accept a lower level of proof, and risk higher levels of fraud, in order to minimise customer inconvenience.

In April, Experian revealed that fraudulent applications for mortgages increased by 8% in the previous year. This was the fifth year in a row in which the rate of mortgage fraud has increased. 34 in every 10,000 applications for mortgages were found to be fraudulent in 2011, compared to just 15 in every 10,000 in 2006.

The overall rate of fraud at point of application across the UK’s financial services sector increased by 4% in 2011, to just over 17 in every 10,000 applications. In addition to record mortgage fraud figures, this overall increase was also driven by growth in insurance and current account fraud. 93% of attempted mortgage fraud in 2011 was down to individuals misrepresenting their personal information on applications. Typically these first party frauds involved falsifying employment status or financial information, and most commonly attempting to hide an adverse credit history.

Experian’s demographic insight revealed that Mosaic groups Terraced Melting Pot (young, poorly educated individuals living in small towns) and Suburban Mindsets (predominantly middle aged, middle and skilled working class individuals) were both responsible for around 15% of first party mortgage fraud cases in 2011. The young, well educated professionals of the Liberal Opinions were also prone to attempting first party mortgage fraud, being responsible for 13% of cases.

Nick Mothershaw, UK&I director of identity & fraud at Experian, comments: “About 70 per cent of financial services application fraud in the UK fraud is down to first parties misrepresenting their circumstances, and the products such as mortgages and insurance that have seen fraud soar over the last year have a significant first party fraud element to them. This kind of fraud tends to originate from financially stressed segments of society.”

  • Insurance fraud. Insurance fraud rates reached 11 in every 10,000 applications and claims in 2011, an increase of 23% over the last year. 89% of insurance fraud was first-party led with the Terraced Melting Pot, Suburban Mindsets and Liberal Opinions demographics responsible for the most instances. Combined they accounted for 43% of cases.
  • Current accounts. The rate of current account fraud increased to 36 frauds in every 10,000 applications in 2011, up from 23 in every 10,000 in 2010. 60% of current account fraud in 2011 was committed by first-parties, almost a quarter (23%) of which was down to the Terraced Melting Pot demographic. The remaining 40% of current account fraud attempts were down to third-party identity fraudsters seeking to open accounts as a springboard to obtain other, more lucrative credit products, or for money laundering purposes.
  • Automotive and credit card fraud rates fall. Not all financial products saw fraud rates increase in 2011. Credit card fraud continued to fall, from 19 in every 10,000 applications in 2010 to 12 in every 10,000 in 2011. The rate at which fraudsters target new credit cards is almost a quarter of the level recorded in 2006, when 45 in every 10,000 applications were fraudulent.  Automotive finance providers have also seen fraud rates fall. 23 in every 10,000 applications were found to be fraudulent in 2011, down from 38 in every 10,000 during 2010. 85% of these frauds were first party.

In May, Experian revealed that Slough had overtaken London to become the identity fraud capital of the UK. The Berkshire town recorded 25 identity fraud attempts for every 10,000 households, with residents targeted at around four times the UK national average (seven households in every 10,000). Residents of London, Gravesend, Birmingham, Luton, Manchester and Leicester were also targeted at twice the national average rate. London as a whole experienced 22 attempts for every 10,000 households, although attempts were not spread evenly across the capital.

Substantial hotspots for identity fraud activity were found in and around London’s Olympic neighbourhoods. Financial service providers detected 78 incidents for every 10,000 households in East Ham, as residents were targeted at more than 11 times the national rate. Woolwich and Stratford also experienced significant identity fraud activity, recording 46 and 43 identity fraud attempts respectively for every 10,000 households.

Whilst the instances of fraud across all financial products remained at a constant level between 2010 and 2011 (six in every 10,000 applications were found to be fraudulent), the data shows that there was a surge in identity theft via current accounts and mortgages during this period, with rates doubling (from six to 14 in every 10,000 applications) and quadrupling (from one to four in every 10,000) respectively.

Identity fraud attempts on credit cards fell from 17 to four in every 10,000 applications.

Fraudsters turn their attention away from the wealthy.

  • For the first time, young people renting small flats from local councils or housing associations represent the demographic most likely to be targeted by identity fraudsters. This group, known in Experian’s Mosaic classification as Upper Floor Living, saw its identity fraud risk score increase by 47% to 256 in 2011. Its constituents are two-and-a-half times more likely than the average UK resident to be targeted.
  • Almost as high on the identity fraud danger list are the Terraced Melting Pot (risk score 242), a group of mostly young people with few qualifications that who work in relatively menial, routine occupations, and live close to the centres of small towns or, in London, in areas developed prior to 1914. The Terraced Melting Pot saw its risk score increase by 75% in 2011.
  • Previously, the wealthy Alpha Territory demographic – representing the wealthiest sections of society living in fashionable London neighbourhoods – were most likely to be targeted. The risk score for this group halved in 2011 (from 301 in 2010 to 149) as fraudsters turned their attentions to younger and less affluent sections of society.

In June, Experian revealed that the financial services industry saw a 16% quarter-on-quarter jump in fraud rates in the period January to March 2012, driven primarily by a significant surge in current account fraud. 19 in every 10,000 applications for financial services were found to be fraudulent in the first three months of 2012, up from 16 in the last quarter in 2011. 44 in every 10,000 current account applications were detected as being fraudulent during the first quarter of 2012, 23% higher than Q4 2011.

The current account extended its position as the most targeted financial product, recording the busiest period for current account fraud ever recorded by Experian. Experian’s data shows that the majority (62%) of current account fraud in 2011 was committed by first-party perpetrators, which typically involves an individual painting a knowingly false portrait of their personal circumstances to obtain services to which they are not entitled. 38% of current account frauds were due to individuals attempting to hide adverse credit histories when opening current accounts or applying for overdrafts.

A further 39% of current account fraud involved product or payment abuse, which included people knowingly attempting to make payments with insufficient funds in their accounts. Attempted insurance fraud increased by 37% quarter-on-quarter, to reach its highest point since late 2009. 13 in every 10,000 applications and claims were detected as being fraudulent during Q1, up from 10 in Q4 2011. 58% of insurance fraud involved some form of product abuse, most significantly the provision of false payment information.

A 56% increase in identity fraud attempts pushed credit card fraud up from 10 cases in every 10,000 applications in the final three months of 2011 to 14 in the first quarter of 2012. Attempted identity frauds on cards leapt from five to eight in every 10,000 applications over the same period.

Nick Mothershaw, UK director of identity & fraud services at Experian, comments: “Experian’s data shows further growth in current account fraud during the first quarter of 2012, mostly emanating from individuals providing false information attempting to open new accounts or obtain overdrafts or making payments they knowingly couldn’t afford. The threat of identity fraudsters seeking to open accounts in the names of unsuspecting third parties, for money laundering or as a springboard to attempt fraud on more lucrative credit products, also remains.  Credit cards have seen a resurgence in identity fraud, while a growing number of financially stressed individuals consider misrepresenting their personal or payment information when applying for insurance, contributing to a significant fraud upswing in the first quarter of 2012.” 

  • Automotive finance. Fraud attempts in the automotive finance sector have declined significantly, down 34% on the previous quarter. There were 18 attempted frauds in every 10,000 applications in the first quarter of 2012, the majority of which were individuals attempting to hide an adverse credit history when applying for automotive finance.
  • Loans. The number of fraudulent loan applications has continued to decrease, reaching the lowest point ever recorded by Experian. Four in every 10,000 applications were discovered to be fraudulent in Q1 2012, 38% lower than the previous quarter. Attempting to hide an adverse credit history continues to be the preferred modus operandi in more than half of attempted loan fraud.
  • Mortgages. Attempted mortgage fraud fell by 5% quarter-on-quarter, with 35 in every 10,000 applications uncovered as fraudulent during the first three months of 2012. Attempting to hide an adverse credit history, misrepresenting employment status and falsifying financial information were the most commonly used tactics employed by mortgage fraudsters during Q1.
  • Savings accounts. Savings account fraud rates were 18% lower in the first quarter of this year than the preceding three months. 12 in every 10,000 applications were found to be fraudulent, with identity fraudsters responsible for more than 80% of cases.

In July, it was reported that fraudsters had traded 12 million pieces of personal information online in 2012, representing a threefold increase on corresponding figures for 2010. Experian data indicated that consumers had an average of 26 separate online logins, but just five different passwords across them all.

Experian advised people to change their passwords on a regular basis and try to make them more complex to keep fraudsters from cracking them.

The full story can be found here.

In August, a special investigation revealed that fraudsters were stealing identities in order to take out multiple mobile phone contracts and walk away with valuable handsets. One man returned from a holiday to discover fraudsters had taken out nine contracts in his name.

Experian said around 200 victims were contacting the company each month for help to restore credit histories that had been damaged by the “mobile communications fraud”.

George Hopkin’s original posts can be found here, part one and part two.

.

One in four consumers are victims of card fraud – new study reveals

A global study of more than 5,200 consumers across 17 countries conducted by ACI Worldwide and Aite Group has revealed that one-in-four respondents has been victimised by credit, debit or pre-paid card fraud during the past five years.

More than 20% respondents reporting that they will stop using, or switch from, the card impacted by fraudulent activity.

The report also found the top two countries affected by credit fraud were

  1. Mexico with 44% of residents affected
  2. 42% of United States

The countries with the lowest levels of fraud were The Netherlands and Sweden with fraud at 12%

“The results of this survey show that card fraud continues to be one of the greatest threats and concerns for consumers, financial institutions and retailers,” said Mike Braatz, Senior Vice President, Payments Fraud, ACI Worldwide. “While there have been significant advances in fraud prevention technology, it is clear that more needs to be done to educate consumers about fraud and engage them as allies when it occurs. These results should serve as a call-to-action for financial institutions and retailers to remain constantly vigilant and earn the trust of customers by working with them to combat fraud.”

The 2012 Fraud Survey also found that:

Financial institutions risk losing customers due to fraud

  • Attrition rates after experiencing card fraud average 21% among cardholders.
  • Of cardholders who received replacement cards as a result of a data breach or fraudulent activity in the past year, 46% used the new card less than the original.
  • After experiencing fraud, more than 50% of cardholders used cash or an alternate form of payment instead of their credit or debit card.

Consumers fear identity theft yet continue risky behaviour

  • Identity theft replaced credit card fraud as the greatest concern from fraud exposure in the 2012 survey, with 49% of respondents indicating they were very concerned about possible harm to their financial standing and rating.
  • Many consumers continue to exhibit risky behaviours that put them at higher risk of financial fraud, including keeping written records of PIN numbers, throwing un-shredded documents containing sensitive information into trash bins and using public computers or computers without security software for Internet banking services and to shop online.

Consumers want to partner with banks for fraud prevention

  • If their financial institution notices unusual activity on their bank account or card, 82% of respondents are “very interested” in being notified prior to the bank taking action.
  • Consumers prefer immediate and direct communication from their banks when fraudulent activity is detected. The most preferred method of contact was found to be a call to the respondents’ mobile phone, followed closely by e-mail or text message.  This illustrates a change from 2011 where contact via home phone was the second most preferred method.

“The 2012 Fraud survey paints a compelling picture of the global nature and threat of fraud,” said Shirley Inscoe, Senior Analyst, Aite Group.  “Financial institutions, issuers and retailers need to enlist customers in the fight against fraud, educate them on prevention best practices, and reassure them of policies should fraud occur.  Maintaining customer satisfaction, loyalty and preserving wallet share can be achieved by communicating with and enlisting the customer in the fight against fraud”.

The ACI press release can be found here.

.

Four Things You Need to Know About Risk Analysis

Guest Blog: IDexperts Chris Apgar.

Every privacy professional knows that risk analysis is a foundation for successful information privacy and security, just as flossing your teeth is a foundation for good oral health. If you’re in healthcare, you also know that risk analysis is one of the five core Office for Civil Rights (OCR) “culture of compliance” requirements, and a prerequisite to receiving “meaningful use” dollars for implementing electronic health records (EHR). But what you may not know, according to nationally recognized information security expert and former HIPAA Compliance Officer Chris Apgar, is that compliance is not the biggest reason for conducting ongoing risk analysis. The biggest reason is that it can save your business.

OCR audits are proceeding, and failure to conduct risk analysis can result in a finding of “willful neglect” with penalties up to $50,000 per incident and up to $1.5 million per calendar year for the same type of violation (and any such finding will typically involve multiple types of violations). That risk, alone, justifies the cost of conducting risk analysis. A thorough risk analysis also provides a strategic roadmap for security spending, but Apgar says that even now, when he speaks to groups about medical data privacy, only about 1/3 of all healthcare organizations that are not seeking “meaningful use” dollars indicate that they’ve conducted risk analysis, and he points out that this is dangerous because by deferring the analysis, they may fail to identify other risks such as lawsuits, civil penalties, and loss of reputation that could damage or destroy their business.

Here are three other things Chris Apgar says you need to know risk analysis:

  • Confidentiality is not enough. The three pillars of security are confidentiality, availability, and integrity, and risk analysis needs to account for all of these. Yes, you want to prevent data breach, but that’s not enough. For example, what happens if a patient is in critical care, systems go down, and doctors lose access to critical information they need to make medical decisions?  Data corruption can be even more serious because if doctors unknowingly make bad healthcare decisions based on corrupt information, lives can be lost.
  • Technical security is not enough. Apgar says that, too often, when an organization looks at risks, they look only on the digital side, but PHI risks extend far beyond technical infrastructure. You need to look at every place where PHI lives, in any form, and everyone who touches it. For example, encryption can mitigate risk  in case of a security related incident involving electronic records, but  you can’t encrypt paper.  So if paper records are lost, by definition, that’s a security incident and potentially a reportable breach. People and process risks also have to be assessed as part of the security plan. One privacy officer that Apgar worked with pointed out that he and other compliance professionals in the organization had to be considered as organizational assets and as liabilities, because at that time, they were the only ones who knew how to respond in case of an incident, and if they were unavailable, the organization would be at risk.
  • There’s more than one way to become a covered entity. A new Texas healthcare privacy law goes into effect this month. Apgar says that, in addition to non-compliance penalties over and above the federal, it has a broader definition of covered entities.  Under the Texas law, if an organization handles any sort of electronic healthcare information, no matter its role in the healthcare system, it is covered by the new privacy requirements and considered a covered entity. So, for example, a small dental practice that transmits HIPAA covered transactions in Texas is now a covered entity under Texas law.  In addition, business associates and subcontractors could now face non-compliance fines from both OCR and state of Texas. Other states, including California and Massachusetts, also have high levels of regulation around healthcare information. A thorough and ongoing risk analysis program is necessary to keep organizations of all sizes abreast of new risks and requirements at state and federal levels.

Apgar has a number of practical recommendations for conducting risk analysis.

  • Successful risk analysis begins with a thorough inventory that accounts for all assets: digital, physical, and human. He points out that you need that inventory, anyway, to create a disaster recovery plan, and that keeping that inventory current makes the initial risk analysis and updates relatively simple because you have a baseline to work from.
  • Think of things inside the organization that can hurt you. “Threats” are unpredictable outside factors such as natural disasters and hackers that require response plans, but there are “vulnerabilities” that you can address to head off trouble. For example, you can help preventing network attacks by putting in place a process to ensure security patches are always kept up to date.
  • The risk analysis needs to rate risks both in terms of likelihood and in terms of potential harm or impact. For example, tsunamis are unlikely in Oklahoma so they don’t need to be part of an Omaha hospital’s disaster recovery plan, and unauthorized access to one patient record showing on a computer screen is likely to cause far less damage than a stolen computer full of patient records in lab’s business office. Once you’ve made a reasonable assessment of the likelihood and potential impact, it will become clear how best to spend your security budget and resources.
  • Don’t stop with the risk analysis. Meaningful use requires risk analysis, documentation, a mitigation plan, and implementation of a risk management program. Whether or not your organization is seeking meaningful use dollars, knowing about a risk offers little protection if you don’t act on the knowledge and implement steps to manage risk throughout the year.
  • If you bring in experts to conduct a risk analysis or to help your staff conduct one, look for someone who has done this before in healthcare and who has a track record with your type of healthcare business. Make sure their products and services address more than just technical security, and check references, of course, but also ask colleagues about their reputation. Word travels fast in the healthcare industry, and word on the street may tell you things that you won’t find out in a reference check.

Chris Apgar says the most critical thing to realize about risk analysis is that it stretches beyond what the regulations require. “There are so many other risks: the risk of being sued, of losing your practice, of causing harm to your patients. Yes, doing risk analysis costs time and money, but not doing it is a good way to lose more money or lose your business.”

.

Counting the cost of e-crime to retailers. Actually it’s £205.4 million a year.

The British Retail Consortium (BRC) has released the findings of their first e-crime study. The study is based on responses to a quantitative survey conducted between April and May 2012. Respondents were members of the BRC drawn from a selection of key retailing types including supermarkets, department stores, fashion, health and beauty and mixed retail. The retailers questioned constitute around 45 per cent of the UK retail sector by turnover.

The headline finding is the total cost of e-crime to the retail sector was £205.4 million in 2011-12

This estimate comprises three main components:

1. E-crime Overall. The UK retail sector lost £77.3million as a result of the direct costs of e-crime.

2. Security Data, provided by retailers questioned in this survey suggests that, in 2011-12, at least £16.5 million was spent by the retail sector to provide better protective security for customers against e-crime. This figure excludes payments to banks for systems such as 3D Secure and ‘chargebacks’.

3. Lost Revenue. Estimated losses in revenue experienced as a result of legitimate business being rejected through online fraud prevention measures came to £111.6 million in 2011-12.

The key components making up the direct costs of e-crime were:

  • Identification-Related Frauds such as account takeovers which were the most costly variety of online fraud for retailers, resulting in at least £20 million of losses in 2011-12
  • Card and Card Not Present Frauds which were the next most costly variety, resulting in a minimum of £15 million of losses to the sector in this period
  • Refund Frauds which produced £1.2 million in known losses

The costs of e-crime to the retail sector are further inflated by the need to guard or restore systems against other kinds of threat such as malware, Distributed Denial of Service (DDoS) attacks or hacking. Since retailers do not yet collect precise data on this type of compromise to their systems, the research was unable to derive an overall cost estimate for these losses.

However, the research did find that repairing or restoring systems after DDoS attacks alone now costs up to £100,000 on average. Once these other varieties of threat are factored in, the true cost of e-crime to the retail sector is likely to be far higher than the estimate provided above.

E-Crime – The Emerging Threat

  • The most common fraud experienced by retailers in 2011-12 was Card Not Present fraud, with nearly 80% of UK retailers questioned in the survey stating that this was now common or very common.
  • Identification-Related Fraud was the second most common category with around 50% of retailers saying that the use of false identification was now a common or very common tactic in attempts to defraud their online systems.
  • If other misuses of personal identification (such as account-takeover frauds) are included under the heading of Identification-Related Fraud, then this emerges as the most prevalent category – with around 78 per cent of UK retailers reporting such frauds to be common or very common.
  • Increased threats to e-commerce were also found to be linked to disruptions caused by attacks upon online trading systems. For example, over 20% of retailers reported that Distributed Denial of Service (DDoS) attacks caused serious or very serious disruptions to their systems in the period surveyed.
  • Phishing appears to be a particular problem for UK retailers, with some respondents indicating that a single phishing attack within the period surveyed could have cost the company concerned up to £2 million to deal with. The negative impacts of phishing upon retail reflect a global trend which has indicated that, after US companies, UK brands and companies are now the second most targeted globally (RSA 2012). Find a link to 10 RSA monthly summaries at the bottom of the post.
  • Although more sophisticated attacks like phishing or hacking are often carried out by perpetrators from outside the UK, retailers questioned in this survey suggested that the majority of frauds continue to be perpetrated domestically. Retailers reported that around 86% of attacks originate within the UK
  • The extent and sophistication of the threat is likely to be due to the high level of online sales in the UK.
  • 75% of respondents reported that over 80 per cent of their sales occurred in the UK. Nevertheless, the research found that retailers were often unclear about the breakdown between UK and foreign originated e-crime perpetrated against them.
  • When combined with the difficulties retailers face in tracing the origin of e-crime and the lack of intelligence from law enforcement, the level of e-crime originating outside the UK is likely to be far higher than the estimates provided in this research.

Managing e-crime – Security and Effectiveness

  • 8% of the current losses from e-crime relate to security costs, with the survey indicating that firms across the retail sector spent at least £16.5 million on internal and external security provision.
  • The most significant component of this figure was staffing security systems which cost the sector at least £10.5 million in 2011-12.
  • Investment in security technology amounted to around £6 million for the same period.
  • Online security is managed through both internal and external provisions with third party screening continuing to be the most common, and most expensive, option. The data was not sufficiently robust to enable an overall projection of costs for outsourcing security provision to third parties. However some respondents indicated that this could be as high as 7 pence per transaction.
  • 71% of respondents supplemented third party screening with other automated methods of security such as 3D Secure.
  • 71% of retailers were also deploying the Address Verification System (AVS).
  • 78% of respondents stating that they use customer order history to make online purchases more secure.
  • 64% of respondents also contact the customer or card issuer directly to verify the details of a purchase.
  • 50% of respondents were contemplating investment in new methods or technologies in the future.
  • This increasing expenditure will inevitably lead to higher costs than those outlined within this research.

Law Enforcement Responses and Government Support

Respondents highlighted a number of concerns around the policing of e-crime with the survey finding uniformly low levels of satisfaction with current police responses to retail e-crime.

  • At least half of retailers said they were dissatisfied with current responses
  • Over a quarter of the total expressing strong dissatisfaction
  • 14% indicated that they were very satisfied with current law enforcement support

The reason for such low levels of reporting and satisfaction was that e-crime is not considered to be a priority by many police forces. There were also concerns that national units such as the National Fraud Intelligence Bureau or the Police Central e-Crime Unit (PCeU) do not have the resources or capacity necessary to carry out further investigations.

The research found that there were significantly low levels of reporting.

  • 60% of retailers questioned said they would be unlikely to report any more than 10% of e-crimes to the police. This was largely due to retailers’ concerns with the law enforcement approach to policing e-crime offences.

Of the frauds that were reported to the police, Card Not Present Frauds were the most common

  • 36% of respondents indicating that these would be reported
  • 14% said that they would report other kinds of fraud such as Credit Fraud (by Account Takeover).

Retailers also raised the need for greater government support

  • 57% of respondents expressed strong or moderate dissatisfaction with current support from government
  • Many retailers felt that there was scope for government to offer more support to UK businesses by informing them about potential threats to their business and providing guidance or advice on how best to mitigate these threats

British Retail Consortium Director General Stephen Robertson, said:

“The rapid growth of e-commerce in the UK shows it offers great benefits for customers but also new opportunities for criminals.

“Online retailing has the potential for huge future commercial expansion but Government and police need to take e-crime more seriously if the sector is to maximise its contribution to national economic growth.

“Retailers are investing significantly to protect customers and reduce the costs of e-crime but law makers and enforcers need to show a similarly strong commitment.

“This first comprehensive survey assessing the make-up and scale of e-crime shows where efforts need to be directed.

“Law enforcement and the Government need to work with us to develop a consistent, centralised method for reporting and investigating e-crime and resources must be directed to e-crime in line with the emerging threat. This will encourage retailers to report more offences and allow the police to better identify and combat new threats.”

Find 10 monthly RSA Online Fraud report summaries here.

.

Blog at WordPress.com.

Up ↑

%d bloggers like this: