Fraudulent Credit Applications Starts with the Device

When Jim Smith opens a credit card account, he doesn’t have to pay the bill. That’s because Jim Smith is committing new account fraud by using Fred Jones’s name and Social Security number.

All Jim Smith needs is some basic information about Fred Jones, much of which is available in the phonebook, in his trash, in discarded files in the bank’s dumpster, or on social media sites. Maybe Fred also happens to work with Jim, and Jim has direct access to Fred’s files.

Once Jim has Fred’s information, all he has to do is go online with the PC in his cozy office, or head down to the local coffee shop and fire up his iPad, or even fill out a credit card application from his mobile phone.

Scenarios like this one happen all day long across the globe.  Credit issuers are constantly looking for new tools to identify fraudulent applications faster.

Since online credit applicants can fool you with any number of tricks to get approved for credit leaving you holding the bag for losses, instead of verifying identity information on fraudulent applicants, consider verifying the reputation of the device (or computer) being used to submit the application in the first place. When a fraudster connects to your business, the computer being used can be evaluated in a fraction of a second for its risky intentions.

If you know the device being used is a known fraudster, you don’t have to spend the time, resources, and money running other fraud checks such as verifying identity information.  You know the source is suspect and you can block the transaction upfront. Device fingerprinting coupled with the device’s reputation and risk profile helps identify the bad guys in the acquisition channel, so you don’t have to rely on other fraud detection tools that drive up the cost to decision an application.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit card fraud on NBC Boston. Disclosures

Online Credit Applications Ripe For Fraud

We currently rely on easily counterfeited identification, and we transmit credit card applications using the phone, fax, Internet, or snail mail, all of which are relatively anonymous methods.

Fraudulent credit card applications are the most lucrative form of credit card fraud. Identity thieves love credit cards because they are the easiest accounts to open, and they allow thieves to quickly turn data into cash. Meanwhile, consumers don’t find out that credit cards have been opened in their names until they are denied credit or bill collectors start calling.

Identity thieves use any number of tricks to fool banks, retailers, and creditors into approving their online credit applications, extending credit that leaves the creditor on the line for losses.

It doesn’t need to be this way.

Instead of simply verifying the identification provided by fraudulent applicants, newer technologies allow creditors to verify the reputation of the computer or smartphone being used to submit the application. By instantly evaluating a device’s history for criminal activity, creditors can prevent fraudulent transactions.

“In addition to telling businesses that a single device has been involved in fraud, iovation can also determine if that device is associated with bad activity through its associations,” said, Jon Karl, VP of Corporate Development for iovation.  “Beyond fingerprinting and reputation, we provide our clients with early warnings about devices visiting their website in real-time, based on the behavior of devices and accounts associated with that device.”

Device fingerprinting and device reputation analysis help identify bad guys during the application process, allowing creditors to avoid more expensive solutions.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosure)

Survey Shows “Account Takeover Fraud” Drops

Account takeover happens when your existing bank or credit card accounts are infiltrated and money is siphoned out. A hacked account or stolen credit card is often to blame.

The drop in account takeover may be due in part to a few different things.

Less breaches. There was a drop in data breaches from 221 million records in 604 breaches during 2009 to 26 million records breached in 404 reported breaches during 2010. Criminal hacker Albert Gonzalez and his gang were responsible for many of those hacked records and he and many of his cohorts are now in jail.

PCI standards. All those responsible for accepting credit cards are now under strict Payment Card Industry Standards rules and regulations that require a level of security that took about 5 years to implement. Today many of those merchants are doing a much better job of protecting data.

Device reputation management. Technology that checks an Internet transaction by looking at the PC, smartphone or tablet to see if it has a history of bad behavior or is high risk based on device characteristics and behavior. iovation is one such company that has blocked 35 million fraudulent transactions of this sort just last year.

Javelin reports “When examining account takeover trends, the two most popular tactics for fraudsters were adding their name as a registered user on an account or changing the physical address of the account. In 2010, changing the physical address became the most popular method, with 44 percent of account takeover incidents conducted this way.”

If device reputation was integrated at the “profile update / account update” website integration point, a flag would go up when:

– Too many devices are accessing the account (the business has a predetermined threshold)

– Too many countries are accessing the account (Ex: a United States account is being accessed from Ghana)

– A non-allowed country accesses the account (Your United States-only dating site just had devices from Russia and Romania trying to get into accounts, but it’s blocked automatically with customized business rules.)

It’s no secret that it’s often a few bad apples that upset the bunch. Here’s where the 90/10 rule applies. 90% of people are honest whereas maybe 10% aren’t. And it’s the 10% that do 90% of the stealing.  Device reputation knows who is good and who isn’t. Identity thieves are stopped cold and can’t use the hacked data to commit fraud.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)