Your bank called. Someone just used your credit card online to purchase £727.19 of children’s toys from an American company, based in New York. You're based in London. You do not have children and you’ve never bought toys online. In fact, you can’t remember the last time you bought anything online.
The criminal had your credit card number in his possession as well as the correct billing address and security code. Since American companies rarely require more than the credit card number, billing address, and security code to complete a purchase, the transaction proceeded normally.
The website, a well-known provider of children’s toys, routinely ships toys as gifts, so they didn’t flag the difference between the billing and shipping address as a problem either.
Identity Verification Continues to Plague Companies
Nearly ALL businesses – from corner shops to global brands – struggle with ensuring that they don’t conduct business with criminals. At the crux of the problem, companies find it difficult to verify their customers’ identities. For obvious reasons, online transactions allow the criminal to hide his actual identity with relative ease. Yet identity theft in face-to-face transactions takes place with alarming frequency as well, and it doesn’t just involve individual identities. Criminals often steal or fabricate corporate identities too.
How can this be, and what needs to change for companies to stop criminals stealing and profiting from stolen or fabricated identities?
The Evolution of Identity Management
Usernames and passwords once formed the basis of identity management. It didn’t take long for criminals to steal enough credentials to complete all manner of transactions online, via phone, fax, email, or in person.
Over time, regulators, particularly within the financial sector, began mandating the use of “multiple factors”, aka Multi-factor Authentication (MFA), to verify transactions online and face-to-face. Instead of a trip down memory lane, remembering the name of your first pet or the street where you grew up became critical to accessing your bank balance.
Soon, criminals adapted and overcame MFA. In response, regulators across various sectors and rule-setting entities began to stress the importance of a layered approach to identity verification that did not place excessive reliance on a single security measure, such as MFA.
As a result, some online companies deployed technology to identify and track individual devices that accessed their site. Other companies added more questions to their paper forms. With each new question, companies placed an ever-growing list of compliance-related hurdles squarely on their customers’ shoulders. Today, simply opening a bank account can feel like a university exam, with the fate of the new account hanging in the balance with each question.
Has the rate of identity theft and fraud slowed in a meaningful way? Many studies designed to capture loss rates by industry and around the globe show a sustained increase.
So what’s next? How do companies verify their customers’ identities and stay ahead of regulatory expectations?
Let’s return to the initial example involving the fraudulent online purchase of children’s toys. What if the credit card company or the toy company knew the following before approving the transaction?
- Based on biographical information provided by the account holder while completing a loan request with the credit card company, they do not have children.
- Their credit card account activity shows that they last purchased goods online nine months ago, and rarely conducted online transactions using their credit card during the last five years.
- Their credit card history shows no previous travel to South Africa, the toy’s destination.
- The IP address associated with the order originates from the Ukraine, a hotbed of online fraud.
- They recently commented on social media that they never buy from overseas sites, as they prefer to shop in the UK.
- At the time of the order, the email address associated with the purchase was just two hours old.
- The device used to purchase the toys was associated with fraudulent activity involving an offshore gambling site.
Taken together, these findings give the credit card and toy company context for the transaction. While some of the information noted above is inconclusive, the facts that the IP address originated from the Ukraine and that the device has a fraud track record represent significant findings, or, in fraud language, “actionable intelligence”.
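The aggregation described above, sketched as an added example (not code from Contego or any vendor): each data stream contributes a signal, the two findings the text calls significant are treated as strong, and the rest as weak. The field names, the 24-hour and 180-day cut-offs, the decision thresholds and the rule that an IP country matching neither billing nor shipping country counts as a mismatch are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class OrderContext:
    # Hypothetical field names; None means that data stream returned nothing.
    ordered_at: datetime
    billing_country: str
    shipping_country: str
    ip_country: Optional[str] = None
    email_first_seen: Optional[datetime] = None
    last_online_purchase: Optional[datetime] = None
    device_fraud_history: Optional[bool] = None
    countries_visited: frozenset = frozenset()

def collect_signals(o: OrderContext):
    """Return (strong, weak) signal names; a missing stream fires nothing."""
    strong, weak = [], []
    if o.device_fraud_history:
        strong.append("device_linked_to_fraud")
    if o.ip_country and o.ip_country not in (o.billing_country, o.shipping_country):
        strong.append("ip_country_mismatch")
    if o.email_first_seen and o.ordered_at - o.email_first_seen < timedelta(hours=24):
        weak.append("new_email_address")
    if o.last_online_purchase and o.ordered_at - o.last_online_purchase > timedelta(days=180):
        weak.append("dormant_online_usage")
    if o.shipping_country != o.billing_country and o.shipping_country not in o.countries_visited:
        weak.append("unfamiliar_destination")
    return strong, weak

def decide(o: OrderContext):
    """Combine signals: no single weak signal blocks an order on its own."""
    strong, weak = collect_signals(o)
    if len(strong) >= 2 or (strong and len(weak) >= 2):
        return "deny", strong + weak
    if strong or len(weak) >= 3:
        return "review", strong + weak
    return "approve", strong + weak

# Constructed sample data modelled on the article's scenario.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
toy_order = OrderContext(NOW, "GB", "ZA", ip_country="UA",
                         email_first_seen=NOW - timedelta(hours=2),
                         last_online_purchase=NOW - timedelta(days=270),
                         device_fraud_history=True)
gift_order = OrderContext(NOW, "GB", "FR", ip_country="GB")  # ordinary gift shipment

if __name__ == "__main__":
    for name, order in (("toy_order", toy_order), ("gift_order", gift_order)):
        print(name, *decide(order))
```

The gift order still fires the billing/shipping difference as a weak signal, but with nothing else to corroborate it the order is approved, which is the behaviour the toy retailer in the opening example needs for legitimate gifts.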
Integrating Multiple Data Streams: The Way of the Future
Much of the data detailed in the previous scenario exists today. So what’s stopping companies from building a better approach to identity verification and fraud prevention?
Many companies fail to realise the potential of integrating data from multiple sources – public and private – to provide the context needed to approve or deny a transaction.
However, it’s only a matter of time before regulators begin encouraging, and ultimately requiring, companies to aggregate data from multiple sources to provide critical context for seemingly normal transactions. One thing is for sure: regulators are slow on the uptake but, eventually, they catch up. Now is the time to become more sophisticated in preventing online fraud and to prepare for the inevitable changes in the regulatory environment.