Planning, Post-Equifax

With the personal information of up to 143 million consumers stolen, the Equifax data breach is believed to be the worst of all time.

The stolen information is personal credit bureau data that lasts a consumers’ entire lifetime. Fraudsters have Social Security numbers, addresses, drivers’ licenses, dates of birth and credit cards, all pieces of information we rely on to confirm identity. Now that information can be bought and sold many times—and used to defraud banks, credit unions and consumers for years.

Naturally, if fraudsters have so much identifying information on consumers and members, that means the foundation that banks and credit unions use to control new account fraud or application fraud is badly damaged. Fraud departments will need to change.

Impact to Fraud Departments

Expect an increase of better and well-disguised fraud attempts. Therefore, fraud prevention and mitigation tools that worked in the past may not work anymore. How should your fraud department plan for the next 12 to 24 months? Following are five practical ways fraud managers can effectively plan for in the aftermath of the breach. 

1. Plan for knowledge-based authentication tools being less effective.

Knowledge-based authentication (KBA), those pesky multiple-choice tools through which consumers choose answers to questions as a way to authenticate themselves, are doomed. Many questions rely on previous address information, social and other information contained in a credit bureau. Since so much of this information has been compromised, these questions are now less meaningful and spells bad news for lenders that use KBA tools as a primary means to identify fraud. To plan for this, fraud managers should:

• carefully monitor fraud rates on accounts that successfully passed KBA. Is it suddenly increasing?
• consider changing KBA questions to be less credit bureau-based if it looks like fraud rates are increasing.
• consider asking randomized questions designed to get a reaction.  For example, ask the question, “What is your date of birth?” and then ask, “So what age does that make you?”  Fraudsters may be able to read the date of birth off the document but they will likely pause several minutes while they try to calculate the age of the person. That long pause or hesitation is an indication they may not be truthful.
• consider other alternatives to KBA that might be more effective. For example, you could create your own knowledge-based authentication questions related to the relationship they have with your credit union. Leverage prior deposits, withdrawals, direct deposits and credit and debit card activity that only the true customer might know. 

2. Plan for increases in new account fraud and new loan application fraud. 

Armed with valid Social Security numbers, addresses, driver’s licenses and more, fraudsters will continue to target new account and loan application fraud as their means to monetizing their stolen data. New account and loan application fraud rates can be as high as 1 percent or more in some industries, which already makes it 10 to 15 times higher than card fraud loss rates. To plan for this, fraud managers should:

• budget and plan for higher loss rates due to application fraud rates across channels. Fraud rates could increase 10 percent to 15 percent next year if this much data has been exposed.
• consider increasing fraud controls in your application fraud prevention area. Look at alternative scores, such as fraud scores from analytic companies like PointPredictive. These screen the application instantly for fraud risk based on what the borrower is providing against historical patterns of fraud. 
• consider increasing staffing or shifting resources towards application fraud prevention next year to account for the higher loss rates.

3. Plan for increases in credit card fraud.

Account takeover is the type of fraud most likely to increase. Fraudsters have enough information from the breach to change customers’ credit card addresses to their own and pass verification with the stolen information. To plan for this, fraud managers of card issuers should:

• monitor card-not-present, account takeover and application fraud for increased fraud activity.
• consider adjusting account-level fraud strategies and controls to deter these types of fraudulent activity.
• consider using tools like PinPoint Security, which can help detect social engineering fraud and prevent account takeover by third parties.

4. Plan for more fear of fraud, chaos and false alarms.

If close to half the population of the United States suddenly has identity theft protection from Equifax or another monitoring tool, it will impact the originations process at credit unions, banks and lenders. Consumers will likely become overly cautious and jump to conclusions when they don’t immediately recognize a charge on their credit card. As a result, they may close accounts when there is no need to do so.

Additionally, friendly fraud risk could increase. Consumers may feel that they can take advantage of the system by blaming a large security breach for a legitimate charge they made. To plan for this, fraud managers of card issuers should:

• consider educating customer service and underwriting staff how to handle customer inquiries regarding breaches and how their accounts are protected.
• monitor fraud rates closely and monitor for sudden increases in friendly fraud by customers taking advantage of the situation.

5. Plan for more collaboration.

Financial institutions tend to operate in their own silos, yet could benefit by sharing their data to identify fraud trends. In auto lending, many of the top 100 financial institutions are joining the Auto Lending Fraud Consortium led by PointPredictive to collaboratively share and work together to identify patterns of fraud. In keeping with this, fraud managers at all financial institutions should look for opportunities to collaborate more. 

Frank McKenna is chief fraud strategist at PointPredictive Inc. An advocate for fighting fraud, McKenna has worked with more than 150 banks, lenders and companies throughout the world designing strategies, solutions and operational practices that help them reduce costs and increase efficiencies. Connect with him on Twitter @frankonfraud. For information about the Automotive Lending Fraud Consortium, an industry collective aimed at tackling the problem of auto fraud through collaboration, email info@pointpredictive.com.