WHITEPAPER Fraud Mobility: Exploitation Patterns and Insights September 2015
Table of Contents

Introduction
Study Methodology
Once a SSN has been Compromised, it Remains at Risk
Victims Remain Vulnerable within Specific Markets in the Short-Term
Victims often Reappear in Different Industries over the Long-Term
Conclusions
Introduction

Identity theft places a burden on victims and presents tremendous challenges to businesses and government agencies. In 2014, the nature of the breaches had migrated from financial access to identity theft. In fact, 54% of all data breaches were described as identity theft, a dramatic increase from the 20% seen in 2013. [1] Consumers and enterprises are less equipped to deal with the pain, inconvenience, and long-term implications of identity theft fraud, as it is substantially more damaging than financial fraud.

Enterprises must constantly solve a significant problem: how to determine whether the personally identifiable information (PII) presented on the application truly comes from the legitimate individual or from a fraudster. The greatest challenge to fraud prevention and detection is understanding the speed and cross-industry patterns (known as mobility) with which a fraudster will use an identity.

There are predictable mobility patterns in how fraudsters initiate financial access fraud in the payment space and how fraudsters transact across industries. For example, it is common for a fraudster who has compromised credit card information to create a counterfeit card and make a small purchase (perhaps at a gas station). Then, if successful with the small purchase, the fraudster will buy a big-ticket item in a different industry (such as an expensive electronic device). [2] In this study, ID Analytics explores whether similar patterns are identifiable when looking at identity theft patterns.

Identity Theft Facts

- In 2014, 12.7 million US consumers (5.2% of the US population) were victims of identity theft [4]
- This resulted in over 16 billion dollars of loss to the enterprise [5]
- Between January and August 2015 alone, nearly 140 million records were compromised in a total of 505 breaches [6]

Traditional identity-fraud management technologies lack access to data that is updated frequently enough, or these systems lack information from multiple industries. For example, those enterprises relying on home-grown solutions only have visibility into their own customers. On the other hand, enterprises that rely on bureau or public records-based solutions may have limitations in terms of the industries that are covered and the freshness of their data assets.

ID Analytics analyzed the trends and mobility patterns by determining if fraudsters follow a pattern within and across industries. What behavior does a victim's identity exhibit before and after a fraudulent event? What is the long-term behavior for a victim's identity and how does it compare to a legitimate identity? Research indicates that fraud exhibits predictable patterns over time and across industries that have important implications for its prevention.

For over a decade, ID Analytics has operated the ID Network, a cross-industry data consortium built for the purpose of enterprise risk management and identity fraud protection. This puts ID Analytics in a unique position to analyze consumer events. Enterprise clients submit more than 55 million consumer-asserted identity elements every day for fraud, credit and identity verification purposes via loan applications, check-order requests, wireless service contracts, and other use cases. Enterprises then describe which events performed normally and which ones went on to be confirmed as identity fraud. In addition, the ID Network is the largest repository of identity fraud in the United States: it contains 3.3 million confirmed fraud events. [3]

[1] http://breachlevelindex.com/pdf/breach-level-index-annual-report-2014.pdf
[2] http://www.cnbc.com/id/46907307
[3] The terms application, transaction and event are used interchangeably in this study given that there are different types of transactions in the ID Network; however, the majority are new-account openings associated with loan or service applications.
[4] Javelin Strategy and Research 2015 Identity and Fraud
[5] Javelin Strategy and Research 2015 Identity and Fraud
[6] http://www.idtheftcenter.org/images/breach/itrcbreachstatsreportsummary2015.pdf
Study Methodology

ID Analytics studied the behavioral trends for fraud victims and non-compromised consumers using historic records and client-reported fraud from the ID Network. Using the Social Security number (SSN) asserted on the applications as a proxy for an individual, SSNs were separated into two groups in order to determine mobility patterns. The first group includes SSNs that have been associated by the enterprise with a confirmed fraud. An SSN from this group is referred to throughout the study as a compromised identity. The second group consists of SSNs that were not associated with confirmed fraud. An SSN from this group is referred to throughout the study as a non-compromised identity.

This study analyzed 68 million SSNs of both victims and non-victims over the last five years within the United States. In addition, a smaller subset of applications was isolated to better understand behavior patterns of a single identity over time. This allowed ID Analytics to analyze the differences in behavior surrounding a confirmed fraudulent event compared to behaviors for non-compromised identities.

Once a SSN has been Compromised, it Remains at Risk

After an identity displays the first instance of confirmed fraud, it becomes a compromised identity and exhibits a higher velocity pattern than the non-compromised identity in both the short-term (the first 180 days after the event occurs) and the long-term (more than 180 days after the event occurs). To illustrate the difference in behavior between a non-compromised identity and a compromised identity, let's examine two examples: meet Tony and Fred.
Case Study 1: Tony, a non-compromised identity

- Tony has been seen in the ID Network five times over eleven years with an overall application rate of roughly one application every two years
- Tony's SSN was never associated with a client-confirmed fraud
- The event of Tony's non-compromised application (randomly chosen from all the non-compromised applications) was seen in December 2008 on a retail credit-card application
- Prior to this event, Tony was seen submitting two applications, approximately one every two and a half years (both seen in the retail credit card industry)

Case Study 2: Fred, a compromised identity

- Applications with Fred's SSN were seen in the ID Network without any associations to fraud for 11 years averaging roughly one new application every five years. During this time Fred was seen applying to two bankcard enterprises
- In February 2014, Fred's SSN was first reported by a telecommunications client as being associated with a fraudulent application. Later that same day, Fred's SSN was seen in a new account application that went on to be confirmed as a fraudulent event in the retail credit card industry and there were three additional new-account applications with three different telecommunication enterprises (one of which resulted in a third instance of confirmed fraud)
- The following day, Fred's SSN was seen on an application for a retail credit card
- October 2014, two new applications with Fred's SSN are submitted to retail card issuers and later confirmed as associated with fraud by the enterprises
Fred and Tony's behavior is representative of the compromised and non-compromised identity behaviors observed in the study. In general, non-compromised identities are seen on a new application within the ID Network roughly once every five years. The compromised identities behave the same way that non-compromised identities do prior to their first association with fraud. After the first confirmed fraudulent event, the following two years show the victim's SSN being asserted at an accelerated rate of 1.5 applications every year.

[Figure 1: Pre and Post Application Velocity for a Compromised Application vs a Non-Compromised Application. X-axis: day ranges on either side of the event (360-720, 180-360, 90-180, 30-90, 10-30, 2-10, 0-1 Day | 0-1 Day, 2-10, 10-30, 30-90, 90-180, 180-360, 360-720). Legend: Compromised Identity, Non-Compromised Identity, Fraudulent Event, Non-Fraudulent Event. Callouts: compromised identity 6x higher within the first day; compromised identity 5x higher after 360 days. Numbered points 1 to 6 are discussed below.]

Just as in the example of Fred and Tony, the velocity surrounding a non-compromised identity (Tony) remains consistent over time while the velocity of a compromised identity (Fred) typically increases once it has been seen as a confirmed fraud.

(1) The application volume patterns for compromised identities and non-compromised identities are similar until ten days prior to the known fraudulent event (point two on figure 1).

(2) Compromised identities are seen applying for new accounts at a rate 5 times greater than non-compromised identities for the ten days prior to the confirmed fraud event.

(3) Once the compromised identity becomes a confirmed fraud, the application volume patterns between the compromised identity and the non-compromised identity diverge significantly.

(4) In the first ten days after an identity is seen as compromised, the victim's SSN is seen with an increased velocity 7.5 times the velocity of the non-compromised identity (point four in figure 1). Of the frauds occurring within the 0-10 day timeframe, 46% occurred within the first 24 hours of the fraudulent event.

(5) 90 days after the confirmed fraud, the application volume returns to a rate similar to that of the non-compromised identities.

(6) The application volume for compromised identities spikes 180 days after the first reported fraud event (point 6). It is likely that the confirmed fraud was detected within the first 90 days and the fraudulent behavior is stopped temporarily; however, the application volume remains elevated for compromised identities and never returns to the same rates as those of the non-compromised identities.
Victims Remain Vulnerable within Specific Markets in the Short-Term

Application rates for compromised and non-compromised identities vary in how the identity is seen across industries. ID Analytics expected to see that when an identity was compromised, it would quickly be used for fraudulent new-account applications in multiple industries. Surprisingly, the analysis shows that subsequent applications using the compromised identity were more likely to stay within the same industry rather than cross industries within the first 360 days.

[Figure 2: Short-Term Movement within Industry Sectors. Y-axis: Probability of Crossing Industry. X-axis: Days (0-10, 10-30, 30-90, 90-180, 180-360, 360+). Legend: Non-Fraudulent Event, Fraudulent Event, Non-Compromised, Compromised. Data labels in the figure: 48%, 53%, 55%, 57%, 62%, 63% and 21%, 23%, 17%, 16%, 13%, 7%.]

Figure 2 shows that the probability of an identity applying within a single industry varies greatly between compromised and non-compromised identities. Intuitively, an uncompromised identity may apply to multiple industries within six months. Compromised identities are seen staying within the same industry at a much higher rate than the non-compromised identities.

After the instance of a confirmed fraud, there is a high velocity of applications submitted within the first ten days. During this time, 93% of multiple fraud occurrences took place within the same industry. Often when compromised identities have a high velocity of applications over a short time period, they occur within the same industry but are seen at multiple enterprises. This behavior is most acutely demonstrated in the telecommunications industry. ID Analytics studied the application volume for compromised identities from telecommunication clients within 10 days of the initial fraud event and learned that whenever there was a second confirmed fraud event, 97% of these subsequent frauds occurred in the telecommunications industry.
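The two measurements discussed so far, post-fraud application velocity and the same-industry share of repeat frauds within ten days, can be computed from an event log as in the following added example (not ID Analytics' code). The identity tokens, dates, enterprise names and the tuple layout are constructed for illustration.

```python
from bisect import bisect_right
from datetime import date

# Figure 1 day buckets as half-open [start, end) offsets (an assumption here).
EDGES = [0, 2, 10, 30, 90, 180, 360, 720]
LABELS = ["0-1", "2-10", "10-30", "30-90", "90-180", "180-360", "360-720"]

# Constructed events: (identity token, date, industry, enterprise, confirmed fraud).
# "fred" loosely follows Case Study 2; exact days and enterprise names are invented.
EVENTS = [
    ("tony", date(2006, 5, 20), "retail_card", "RetA", False),
    ("tony", date(2008, 12, 9), "retail_card", "RetB", False),
    ("fred", date(2003, 3, 10), "bankcard", "BankA", False),
    ("fred", date(2008, 6, 2), "bankcard", "BankB", False),
    ("fred", date(2014, 2, 12), "telecom", "TelA", True),   # first confirmed fraud
    ("fred", date(2014, 2, 12), "retail_card", "RetA", True),
    ("fred", date(2014, 2, 12), "telecom", "TelB", False),
    ("fred", date(2014, 2, 12), "telecom", "TelC", True),
    ("fred", date(2014, 2, 12), "telecom", "TelD", False),
    ("fred", date(2014, 2, 13), "retail_card", "RetB", False),
    ("fred", date(2014, 10, 7), "retail_card", "RetC", True),
    ("fred", date(2014, 10, 7), "retail_card", "RetD", True),
]

def split_at_first_fraud(events, token):
    """Return (first confirmed fraud, later events); stable sort keeps same-day order."""
    hist = sorted((e for e in events if e[0] == token), key=lambda e: e[1])
    for i, ev in enumerate(hist):
        if ev[4]:
            return ev, hist[i + 1:]
    return None, []

def post_fraud_velocity(events, token):
    """Count applications per bucket after the first confirmed fraud."""
    anchor, later = split_at_first_fraud(events, token)
    if anchor is None:
        return None  # identity never tied to confirmed fraud
    counts = dict.fromkeys(LABELS, 0)
    for ev in later:
        offset = (ev[1] - anchor[1]).days
        if offset < EDGES[-1]:
            counts[LABELS[bisect_right(EDGES, offset) - 1]] += 1
    return counts

def same_industry_share(events, token, window_days=10):
    """Share of repeat confirmed frauds in the window that stay in one industry."""
    anchor, later = split_at_first_fraud(events, token)
    repeats = [e for e in later if e[4] and (e[1] - anchor[1]).days <= window_days]
    return sum(e[2] == anchor[2] for e in repeats) / len(repeats) if repeats else None
```

In production the identity key would be a keyed hash or token rather than a raw SSN, and the bucket counts would be compared against the non-compromised baseline rate.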
Victims often Reappear in Different Industries over the Long-Term

After 360 days, identities with a second instance of confirmed fraud are more likely to reappear within a different industry. Figure 2 shows a 174% increase in the probability of the victim's SSN crossing industries after 360 days. The industry that is most impacted by this long-term cross-industry movement is the bankcard industry. Bankcard is the only industry in which the second instance of confirmed fraud after 360 days has a higher probability of staying in the same industry than of crossing industries. In addition, both retail and telecommunications show the highest probability of industry movement into the bankcard industry after 360 days. On average, 48% of the time, a confirmed fraud that occurred in the telecommunications or retail space moves into the bankcard industry when another instance of confirmed fraud occurs 360 days later.

Conclusion

Risk managers should look at ways to update their new-account risk management strategies. The study shows clear differences in how compromised identities behave over time as compared to non-compromised identities. Risk managers should be aware that spikes in volume for a particular identity could be a leading indicator for an imminent fraudulent event. Spikes are only visible through the use of a real-time, identity-fraud management solution.

Compromised identities clearly exhibited a pattern of new-account application volume above the rates for non-compromised identities. After the first instance of a confirmed fraud, the velocity patterns of a compromised identity drastically increase and do not return to the velocity patterns of a non-compromised identity within the following two years. This implies that speed is of the essence not only in fraud detection, but also in collaborating with prospective victims to make them aware of how their identities have been compromised.
To be most effective, a fraud solution should include real-time updates, since compromised identities have a high probability of staying within the same industry and moving between multiple enterprises in the first few days after the initial fraud event is detected. The study shows that a compromised identity will most likely be exploited with many enterprises within a particular industry. Fraud solutions that include cross-industry visibility are also important for long-term fraud detection, as a victim's identity will often be exploited in a new industry 360 days after the initial fraud event.

Choosing the Right Fraud Solution is Key to Reducing Identity Fraud

Enterprises that have been able to grow their customer base safely beyond their current footprints have used tools designed to recognize complex data patterns in near-real time with cross-industry insights. Access to these types of solutions is key to their fraud prevention strategies because these offerings are receptive to how identity fraud morphs over time and across industries. A strong fraud solution includes cross-industry visibility, depth of coverage, real-time data to track application velocity, and a large number of confirmed fraud tags as part of the underlying data network.

Data breaches have put enterprises under constant and increasing threat. ID Analytics provides industry-leading solutions to help enterprises keep pace with the rapidly changing nature of fraud. With over a decade of experience in identity risk management, ID Analytics' state-of-the-art fraud solution includes cross-industry, up-to-the-minute visibility into identity and behavior.

To learn more about fraud solutions, contact us at marketinginfo@idanalytics.com or 858-312-6200 or visit us at www.idanalytics.com
2015 ID Analytics. All rights reserved. www.idanalytics.com