Round 1 – Pick your corner

Friday, March 5, 2010 by Fraud and Identity Solutions Team

--by Monica Bellflower

There seem to be two viewpoints in the market today about Knowledge Based Authentication (KBA): one positive, one negative.  Depending on the corner you choose, you probably view it as either a tool to help reduce identity theft and minimize fraud losses, or a deficiency in the management of risk and the root of all evil.  The opinions on both sides are pretty strong, and biases “for” and “against” run pretty deep.

One of the biggest challenges in discussing Knowledge Based Authentication as part of an organization’s identity theft prevention program is the perpetual confusion between dynamic out-of-wallet questions and static “secret” questions.  At this point, most people in the industry agree that static secret questions offer little consumer protection.  Answers are easily guessed, or easily researched, and if the questions are preference based (like “what is your favorite book?”) there is a good chance the consumer will fail the authentication session because they forgot the answers or the answers changed over time.

Dynamic Knowledge Based Authentication, on the other hand, presents questions that were not selected by the consumer.  Questions are generated from information known about the consumer – concerning things the true consumer would know and a fraudster most likely wouldn’t know.  The questions posed during Knowledge Based Authentication sessions aren’t designed to “trick” anyone but a fraudster, though a best in class product should offer a number of features and options.  These may allow for flexible configuration of the product and deployment at multiple points of the consumer life cycle without impacting the consumer experience.

The two are as different as night and day.  Do those who consider “secret questions” as Knowledge Based Authentication consider the password portion of the user name and password process as KBA, as well?  If you want to hold to strict logic and definition, one could argue that a password meets the definition for Knowledge Based Authentication, but common sense and practical use cause us to differentiate it, which is exactly what we should do with secret questions – differentiate them from true KBA.

KBA can provide strong authentication or be a part of a multifactor authentication environment without a negative impact on the consumer experience.  So, for the record, when we say KBA we mean dynamic, out of wallet questions, the kind that are generated “on the fly” and delivered to a consumer via “pop quiz” in a real-time environment; and we think this kind of KBA does work.  As part of a risk management strategy, KBA has a place within the authentication framework as a component of risk-based authentication… and risk-based authentication is what it is really all about.

 
 

The Fraud Consortium Conundrum

Friday, February 5, 2010 by Fraud and Identity Solutions Team

-- by Matt Ehrlich

There was a recent discussion among members of the Anti Fraud experts group on LinkedIn regarding collaboration among financial institutions to combat fraud.  Most posters agreed on the benefits of such collaboration but were cynical when it came to anything of substance, such as a shared data network, getting off the ground.  I happen to agree with some of the opinions on the primary challenges faced in getting cross industry (or even single industry!) cooperation to prevent both consumer and commercial fraud.  Those being: 1) sharing data and 2) return on investment.

Despite the challenges, there are some fraud prevention and “negative” file consortium databases available in the market as fraud prevention tools.  They’re often used in conjunction with authentication products in an overall risk based authentication / fraud deterrence strategy. Some are focused on the Demand Deposit Account (DDA) market, such as Fidelity’s DebitBureau, while others, like Experian’s own National Fraud Database, address a variety of markets.  Early Warning Services has a database of both “account abuse” – aka DDA financial mismanagement – and fraud records.  Still others like Ethoca and the UK’s 192.com seem focused on merchant data and online retailers.  

Regardless of the consortium, they share some common traits.  Most:

- fall under Fair Credit Reporting Act regulation
- are used in the acquisition phase as part of the new account decision
- require contribution of data to access the shared data network

Given the seemingly general reluctance to participate in fraud consortiums, as evidenced by the group described above, how do we assess value in these consortium databases?  Well, for one, most U.S. banks and credit unions participate in and contribute customer behavior data to a consortium.  Safe to say, then, that the banking industry has recognized the value of collaboration and sharing data with each other – if not exclusively to minimize fraud losses but at least to manage potential risk at acquisition.  I’m speaking here of the DDA financial mismanagement data used under the guiding principle of “past performance predicts future results”. 

Consortium data that includes confirmed fraud records makes the value of collaboration even more clear: a match to one of these records compels further investigation and a more cautious review of the transaction or decision.  With this much to gain, why aren’t more companies and industries rushing to join or form a consortium?

In my next post, I’ll explore the common objections to joining consortiums and what the future may look like.

 

DDA and the risk of fraud in the retail bank, Part 1 – How is your fraud prevention affecting your operations?

Wednesday, December 30, 2009 by Fraud and Identity Solutions Team

--by Heather Grover

In past client and industry talks, I’ve discussed the increasing importance of retail branches to the growth strategy of the bank. Branches are the most utilized channel of the bank and they tend to be the primary tool for relationship expansion. Given the face-to-face nature, the branch historically has been viewed to be a relatively low-risk channel needing little (if any) identity verification – there are fewer uses of robust risk-based authentication or out of wallet questions.

However, a now well-established fraud best practice is the process of doing proper identity verification and fraud prevention at the point of DDA account opening. In the current environment of declining credit application volumes and approval across the enterprise, there is an increased focus on organic growth through deposits.  Doing proper vetting during DDA account openings helps bring your retail process closer in line with the rest of your organization’s identity theft prevention program. It also provides assurance and confidence that the customer can now be cross-sold and up-sold to other products.

A key industry challenge is that many of the current tools used in DDA are less mature than in other areas of the organization. We see few clients in retail that are using advanced fraud analytics or fraud models to minimize fraud – and even fewer clients are using them to automate manual processes - even though more than 90 percent of DDA accounts are opened manually.

A relatively simple way to improve your branch operations is to streamline your existing ID verification and fraud prevention tool set:

1. Are you using separate tools to verify identity and minimize fraud?

Many providers offer solutions that can do both, which can help minimize the number of steps required to process a new account;

2. Is the solution real-time?

To the extent that you can provide your new account holders with an immediate and final decision, the less time and effort you’ll spend after they leave the branch finalizing the decision;

3. Does the solution provide detail data for manual review?

This can help save valuable analyst time and provider costs by limiting the need to do additional searches.

In my next post, we’ll discuss how fraud prevention in DDA impacts the customer experience.

Happy holidays--walkin’ in a fraudster’s wonderland

Monday, December 7, 2009 by Fraud and Identity Solutions Team

--by Monica Bellflower

I have already commented on “secret questions” as the root of all evil when considering tools to reduce identity theft and minimize fraud losses.  No, I’m not quite ready to jump off  that soapbox….not just yet, not when we’re deep into the season of holiday deals, steals and fraud.  The answers to secret questions are easily guessed, easily researched, or easily forgotten.  Is this the kind of security you want standing between your account and a fraudster during the busiest shopping time of the year?

There is plenty of research demonstrating that fraud rates spike during the holiday season.  There is also plenty of research to demonstrate that fraudsters perpetrate account takeover by changing the pin, address, or e-mail address of an account – activities that could be considered risky behavior in decisioning strategies.  So, what is the best approach to identity theft red flags and fraud account management?  A risk based authentication approach, of course! 

Knowledge Based Authentication (KBA) provides strong authentication and can be a part of a multifactor authentication environment without a negative impact on the consumer experience, if the purpose is explained to the consumer.  Let’s say a fraudster is trying to change the pin or e-mail address of an account.  When one of these risky behaviors is initiated, a Knowledge Based Authentication session begins. To help minimize fraud, the action is prevented if the KBA session is failed.  Using this same logic, it is possible to apply a risk based authentication approach to overall account management at many points of the lifecycle:

• Account funding 
• Account information change (pin, e-mail, address, etc.)
• Transfers or wires
• Requests for line/limit increase
• Payments
• Unusual account activity
• Authentication before engaging with a fraud alert representative

Depending on the risk management strategy, additional methods may be combined with KBA, such as IVR or out-of-band authentication, and follow-up contact via e-mail, telephone or postal mail.  Of course, all of this ties in with what we would consider to be a comprehensive Red Flag Rules program. (For more on Red Flag guidance, visit our dedicated site at: http://www.bulldogsolutions.net/ExperianDecisionAnalytics/EXD_RedFlagSite/index.aspx?bdls=16924)

Risk based authentication, as part of a fraud account management strategy, is one of the best ways we know to ensure that customers aren’t left singing, “On the first day of Christmas, the fraudster stole from me…”


 

The TKO of KBA, Round 2 - the gloves come off

Monday, November 23, 2009 by Fraud and Identity Solutions Team

--by Monica Bellflower

In my last post I discussed the problem with confusing what I would call “real” Knowledge Based Authentication (KBA) with secret questions.   However, I don’t think that’s where the market focus should be.  Instead of looking at Knowledge Based Authentication (KBA) today, we should be looking toward the future, and the future starts with risk-based authentication.

If you’re like most people, right about now you are wondering exactly what I mean by risk-based authentication.  How does it differ from Knowledge Based Authentication, and how did we get from point A to point B? It is actually pretty simple.  Knowledge Based Authentication is one factor of a risk-based authentication fraud prevention strategy.  A risk-based authentication approach doesn’t rely on question/answers alone, but instead utilizes fraud models that include Knowledge Based Authentication performance as part of the fraud analytics to improve fraud detection performance.  With a risk-based authentication approach, decisioning strategies are more robust and should include many factors, including the results from scoring models.

That isn’t to say that Knowledge Based Authentication isn’t an important part of a risk-based approach.  It is.  Knowledge Based Authentication is a necessity because it has gained consumer acceptance. Without some form of Knowledge Based Authentication, consumers question an organization’s commitment to security and data protection. Most importantly, consumers now view Knowledge Based Authentication as a tool for their protection; it has become a bellwether to consumers. 

As the bellwether, Knowledge Based Authentication has been the perfect vehicle to introduce new and more complex authentication methods to consumers, without them even knowing it.  KBA has allowed us to familiarize consumers with out-of-band authentication and IVR, and I have little doubt that it will be one of the tools to play a part in the introduction of voice biometrics to help prevent consumer fraud.   

Is it always appropriate to present questions to every consumer?  No, but that’s where a true risk-based approach comes into play.  Is Knowledge Based Authentication always a valuable component of a risk based authentication tool to minimize fraud losses as part of an overall approach to fraud best practices?  Absolutely; always.

DING!



 

The TKO of KBA

Monday, November 16, 2009 by Fraud and Identity Solutions Team

Round 1 – Pick your corner

---by Monica Bellflower

There seem to be two viewpoints in the market today about Knowledge Based Authentication (KBA): one positive, one negative.  Depending on the corner you choose, you probably view it as either a tool to help reduce identity theft and minimize fraud losses, or a deficiency in the management of risk and the root of all evil.  The opinions on both sides are pretty strong, and biases “for” and “against” run pretty deep.

One of the biggest challenges in discussing Knowledge Based Authentication as part of an organization’s identity theft prevention program is the perpetual confusion between dynamic out-of-wallet questions and static “secret” questions.  At this point, most people in the industry agree that static secret questions offer little consumer protection.  Answers are easily guessed, or easily researched, and if the questions are preference based (like “what is your favorite book?”) there is a good chance the consumer will fail the authentication session because they forgot the answers or the answers changed over time.

Dynamic Knowledge Based Authentication, on the other hand, presents questions that were not selected by the consumer.  Questions are generated from information known about the consumer – concerning things the true consumer would know and a fraudster most likely wouldn’t know.  The questions posed during Knowledge Based Authentication sessions aren’t designed to “trick” anyone but a fraudster, though a best in class product should offer a number of features and options.  These may allow for flexible configuration of the product and deployment at multiple points of the consumer life cycle without impacting the consumer experience.

The two are as different as night and day.  Do those who consider “secret questions” as Knowledge Based Authentication consider the password portion of the user name and password process as KBA, as well?  If you want to hold to strict logic and definition, one could argue that a password meets the definition for Knowledge Based Authentication, but common sense and practical use cause us to differentiate it, which is exactly what we should do with secret questions – differentiate them from true KBA.

KBA can provide strong authentication or be a part of a multifactor authentication environment without a negative impact on the consumer experience.  So, for the record, when we say KBA we mean dynamic, out of wallet questions, the kind that are generated “on the fly” and delivered to a consumer via “pop quiz” in a real-time environment; and we think this kind of KBA does work.  As part of a risk management strategy, KBA has a place within the authentication framework as a component of risk-based authentication… and risk-based authentication is what it is really all about.

 


 

Why a risk-based approach to compliance?

Monday, November 16, 2009 by Fraud and Identity Solutions Team

--by Keir Breitenfeld
 
Many compliance regulations such as the Red Flags Rule, USA Patriot Act, and ESIGN require specific identity elements to be verified and specific high risk conditions to be detected. However, there is still much variance in how individual institutions reconcile referrals generated from the detection of high risk conditions and/or the absence of identity element verification. With this in mind, risk-based authentication (defined in this context as the “holistic assessment of a consumer and transaction with the end goal of applying the right authentication and decisioning treatment at the right time”) offers institutions a viable strategy for balancing the following competing forces and pressures:

• Compliance – the need to ensure each transaction is approved only when compliance requirements are met;
• Approval rates – the need to meet business goals in the booking of new accounts and the facilitation of existing account transactions;
• Risk mitigation – the need to minimize fraud exposure at the account and transaction level.

A flexibly-designed risk-based authentication strategy incorporates a robust breadth of data assets, detailed results, granular information, targeted analytics and automated decisioning. This allows an institution to strike a harmonious balance (or at least something close to that) between the needs to remain compliant, while approving the vast majority of applications or customer transactions and, oh yeah, minimizing fraud and credit risk exposure and credit risk modeling.

 Sole reliance on binary assessment of the presence or absence of high risk conditions and identity element verifications will, more often than not, create an operational process that is overburdened by manual referral queues. There is also an unnecessary proportion of viable consumers unable to be serviced by your business. Use of analytically sound risk assessments and objective and consistent decisioning strategies will provide opportunities to calibrate your process to meet today’s pressures and adjust to tomorrow’s as well.
 
 
 

 

Solving the Red Flags Rule problem, Part 2

Monday, November 2, 2009 by Fraud and Identity Solutions Team

--by Keir Breitenfeld

As I wrote in my previous posting, a key Red Flags Rule challenge facing many institutions is one that manages the number of referrals generated from the detection of Red Flags conditions.  The big ticket item in referral generation is the address mismatch condition.

Identity Theft Prevention Program
I’ve blogged previously on the subject of risk-based authentication and risk-based pricing, so I won’t rehash that information.  What I will suggest, however, is that those institutions who now have an operational Identity Theft Prevention Program (if you don’t, I’d hurry up) should continue to explore the use of alternate data sources, analytics and additional authentication tools (such as knowledge-based authentication) as a way to detect Red Flags conditions and reconcile them all within the same real-time transaction.

Referral rates
Referral rates stemming from address mismatches (a key component of the Red Flags Rule high risk conditions) can approach or even surpass 30 percent.  That is a lot.  The good news is that there are tools which employ additional data sources beyond a credit profile to “find” that positive address match.  The use of alternate data sources can often clear the majority of these initial mismatches, leaving the remaining transactions for treatment with analytics and knowledge-based authentication and Identity Theft Prevention Program.

Whatever “referral management” process you have in place today, I’d suggest exploring risk-based authentication tools that allow you to keep the vast majority of those referrals out of the hands of live agents, and distanced from the need to put your customers through the authentication wringer.  In the current marketplace, there are many services that allow you to avoid high referral costs and risks to customer experience.  Of course, we think ours are pretty good.


 

Red Flags Rule...It's all about referral management

Monday, November 2, 2009 by Fraud and Identity Solutions Team

--by Keir Breitenfeld

Well, here we are at the beginning of November and The Red Flags Rule has been with us for nearly two years now.  And to add to that, the FTC’s November 1, 2009 enforcement date has passed (I know I’ve said that before).  There is little value in me chatting about the core requirements of the Red Flags Rule at this point.  Instead, I’d like to shed some light on what we are seeing and hearing these days from our clients and industry experts related to this initiative:

Red Flags Rule client comments

1. Most clients have a solid written and operational Identity Theft Prevention Program that arguably meets their interpretation of the Red Flags Rule requirements.

2. Most clients have a solid written and operational Identity Theft Prevention Program in place that creates a boat-load of referrals due to the address mismatches generated in their process(es) and the requirement to do something with them.

3. Most clients are now focusing on ways in which to reduce the number of referrals generated and procedures to clear the remaining referrals via a cost-effective and automated manner…of course, while preventing fraud and staying compliant.

In 2008, a key focus at Experian was to help educate the market around the Red Flags Rule concepts and requirements.

The concentration in 2009 of Red Flags Rule concepts has nearly fully shifted to assisting the market in creating risk-based authentication programs that leverage holistic views of a consumer, flexible tools that are pointed to a consumer based on that person’s authentication and risk profile. There is also an overall decisioning strategy that balances risk, compliance, and resource constraints.

Spirit of Red Flags Rule
The spirit of the Red Flags Rule is intended to ensure all covered institutions are employing basic identity theft prevention procedures (a pretty good idea).  I believe most of these institutions (even those that had very robust programs in place years before the rule was introduced) can appreciate this requirement that brings all institutions up to speed.  It is now, however, a matter of managing process within the realities of, and costs associated with, manpower, IT resources, and customer experience sensitivities.


 

Risk-based authentication....what's new today or tomorrow? Part 4

Tuesday, October 13, 2009 by Fraud and Identity Solutions Team

-- by Keir Breitenfeld

In my previous three postings, I’ve covered basic principles that can define a risk-based authentication process, associated value propositions, and some best-practices to consider.

Finally, I’d like to briefly discuss some emerging informational elements and processes that enhance (or have already enhanced) the notion of risk-based authentication in the coming year.  For simplicity, I’m boiling these down to three categories:

1. Enterprise Risk Management – As you’d imagine, this concept involves the creation of a real-time, cross channel, enterprise-wide (cross business unit) view of a consumer and/or transaction.  That sounds pretty good, right?  Well, the challenge has been, and still remains, the cost of developing and implementing a data sharing and aggregation process that can accomplish this task.  There is little doubt that operating in a more silo’d environment limits the amount of available high-risk and/or positive authentication data associated with a consumer…and therefore limits the predictive value of tools that utilize such data.  It is only a matter of time before we see more widespread implementation of systems designed to look at a single transaction, an initial application profile, previous authentication results, or other relationships a consumer may have within the same organization -- and across all of this information in tandem.  It’s simply a matter of the business case to do so, and the resources to carry it out.

2. Additional Intelligence – Beyond some of the data mentioned above, some additional informational elements emerging as useful in isolation (or, even better, as a factor among others in a holistic assessment of a consumer’s identity and risk profile) include these areas:  IP address vs. physical address comparisons; device ID or fingerprinting; and biometrics (such as voice verification).  While these tools are being used and tested in many organizations and markets, there is still work to be done to strike the right balance as they are incorporated into an overall risk-based authentication process.  False positives, cost and implementation challenges still hinder widespread use of these tools from being a reality.  That should change over time, and quickly to help with the cost of credit risk.

3. Emerging Verification Techniques – Out-of-band authentication is defined as the use of two separate channels, used simultaneously, to authenticate a customer.  For example: using a phone to verify the identity of that person while performing a Web transaction.  Similarly, many institutions are finding success in initiating SMS texts as a means of customer notification and/or verification of monetary or non-monetary transactions.  The ability to reach out to a consumer in a channel alternate to their transaction channel is a customer friendly and cost effective way to perform additional due diligence.



 

Risk based authentication - some best practices to consider, Part 3

Friday, October 9, 2009 by Fraud and Identity Solutions Team

-- by Keir Breitenfeld

In my previous two blog postings, I’ve tried to briefly articulate some key elements of and value propositions associated with risk-based authentication.  In this entry, I’d like to suggest some best-practices to consider as you incorporate and maintain a risk-based authentication program.

1. Analytics – since an authentication score is likely the primary decisioning element in any risk-based authentication strategy, it is critical that a best-in-class scoring model is chosen and validated to establish performance expectations.  This initial analysis will allow for decisioning thresholds to be established.  This will also allow accept and referral volumes to be planned for operationally.  Furthermore, it will permit benchmarks to be established against which follow-on performance monitoring can be compared.

2. Targeted decisioning strategies – applying unique and tailored decisioning strategies (incorporating scores and other high-risk or positive authentication results) to various access channels to your business just simply makes sense.  Each access channel (call center, Web, face-to-face, etc.) comes with unique risks, available data, and varied opportunity to apply an authentication strategy that balances these areas: risk management, operational effectiveness, efficiency and cost, improved collections and customer experience.  Champion/challenger strategies may also be a great way to test newly devised strategies within a single channel without taking risk to an entire addressable market and your business as a whole.

3. Performance Monitoring – it is critical that key metrics are established early in the risk-based authentication implementation process.  Key metrics may include, but should not be limited to these areas: 

• actual vs. expected score distributions;
• actual vs. expected characteristic distributions;
• actual vs. expected question performance;
• volumes, exclusions;
• repeats and mean scores;
• actual vs. expected pass rates;
• accept vs. referral score distribution;
• trends in decision code distributions; and
• trends in decision matrix distributions. 

Performance monitoring provides an opportunity to manage referral volumes, decision threshold changes, strategy configuration changes, auto-decisioning criteria and pricing for risk based authentication.

4. Reporting – it likely goes without saying, but in order to apply the three best practices above, accurate, timely, and detailed reporting must be established around your authentication tools and results.  Regardless of frequency, you should work with internal resources and your third-party service provider(s) early in your implementation process to ensure relevant reports are established and delivered. 

In my next posting, I will be discussing some thoughts about the future state of risk based authentication.
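One way to track two of the metrics listed above, actual vs. expected score distributions and actual vs. expected pass rates, shown as an added example that is not from the original post or from any vendor product. It uses the population stability index (PSI), a drift measure chosen here as an assumption; the score bands, accept threshold, alert levels and sample counts are all constructed.

```python
import math
from bisect import bisect_right

# Constructed score bands (interior cut points) and accept threshold: assumptions.
BAND_EDGES = [400, 500, 600, 700]
ACCEPT_THRESHOLD = 500


def scores_from_counts(counts, representatives=(350, 450, 550, 650, 750)):
    """Expand per-band counts into a flat list of constructed sample scores."""
    return [rep for rep, n in zip(representatives, counts) for _ in range(n)]


def band_shares(scores, edges=BAND_EDGES):
    """Share of scores in each band; a score equal to an edge joins the upper band."""
    if not scores:
        raise ValueError("no scores to summarise")
    counts = [0] * (len(edges) + 1)
    for s in scores:
        counts[bisect_right(edges, s)] += 1
    return [c / len(scores) for c in counts]


def psi(expected_shares, actual_shares, floor=1e-4):
    """Population stability index: sum of (a - e) * ln(a / e) over the bands.

    Empty bands are floored so the logarithm stays defined.
    """
    total = 0.0
    for e, a in zip(expected_shares, actual_shares):
        e, a = max(e, floor), max(a, floor)
        total += (a - e) * math.log(a / e)
    return total


def pass_rate(scores, threshold=ACCEPT_THRESHOLD):
    """Fraction of sessions scoring at or above the accept threshold."""
    if not scores:
        raise ValueError("no scores to summarise")
    return sum(1 for s in scores if s >= threshold) / len(scores)


def monitor(expected_scores, actual_scores,
            psi_watch=0.10, psi_alert=0.25, pass_tolerance=0.05):
    """Compare production scores against the validation-time expectation.

    The 0.10 / 0.25 PSI levels are common rules of thumb, and the pass-rate
    tolerance is an assumed operational limit; tune both to your own program.
    """
    drift = psi(band_shares(expected_scores), band_shares(actual_scores))
    expected_pass = pass_rate(expected_scores)
    actual_pass = pass_rate(actual_scores)
    pass_delta = actual_pass - expected_pass

    if drift >= psi_alert or abs(pass_delta) > pass_tolerance:
        status = "investigate"   # revisit thresholds or model before referrals pile up
    elif drift >= psi_watch:
        status = "watch"
    else:
        status = "stable"

    return {
        "psi": drift,
        "pass_rate_expected": expected_pass,
        "pass_rate_actual": actual_pass,
        "pass_rate_delta": pass_delta,
        "status": status,
    }


# Constructed samples: counts per band, lowest band first.
VALIDATION = scores_from_counts([10, 20, 30, 25, 15])     # expectation set at validation
STABLE_MONTH = scores_from_counts([11, 19, 30, 25, 15])   # production, little change
SHIFTED_MONTH = scores_from_counts([25, 30, 25, 12, 8])   # production, scores sliding down

if __name__ == "__main__":
    for label, sample in (("stable", STABLE_MONTH), ("shifted", SHIFTED_MONTH)):
        report = monitor(VALIDATION, sample)
        print(label, {k: round(v, 4) if isinstance(v, float) else v
                      for k, v in report.items()})
```

A falling pass rate with a high PSI means more sessions land in the referral queue than the validation analysis planned for, which is the signal to revisit thresholds or the model.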


 

Risk-based authentication’s value proposition

Wednesday, September 30, 2009 by Fraud and Identity Solutions Team

-- by Keir Breitenfeld
 
In my last blog posting, I presented the foundational elements that enable risk-based authentication.  These include data, detailed and granular results, analytics and decisioning.  The inherent value of risk-based authentication can be summarized as delivering an holistic assessment of a consumer and/or transaction with the end goal of applying the right authentication and decisioning treatment at the right time.  The opportunity, especially, to minimize fraud losses using fraud analytics as part of your assessment is significant.

What are some residual values of risk-based authentication? 

1. Minimized fraud losses involves the use of fraud analytics, and a more comprehensive view of a consumer identity (the good and the bad), in combination with consistent decisioning over time.  This analysis will outperform simple binary rules and more subjective decisioning.

2. Improved consumer experience.  By applying the right authentication and  treatment at the right time, consumers are subjected to processes that are proportional to the risk associated with their identity profile.  This means that lower-risk consumers are less likely to be put through more arduous courses of action, preserving a streamlined and often purely “behind the scenes” authentication process for the majority of consumers and potential consumers.  In other words, you are saving the pain for the bad guys -- and that can be a good thing.

3. Operational efficiencies can be successful with the implementation of a well-designed program. Much of the decisioning can be done without human intervention and subjective contemplation.  Use of score-driven policies affords businesses the opportunity to use automated authentication processes for the majority of their applicants or account management cases.  Fewer human resources will be required which usually means lower costs.  Or, it can mean the human resources you possess are more appropriately focused on the applications or transactions that warrant such attention.

4. Measurable performance is critical because understanding the past and current performance of risk-based authentication policies allows for the adjustment over time of such policies.  These adjustments can be made based on evolving fraud risks, resource constraints, approval rate pressures, and compliance requirements, just to name a few.  Given its importance, Experian recommends performance monitoring for our clients using our authentication products. 

In my next posting, I’ll discuss some best practices associated with implementing and managing a risk-based authentication program.

 


 

Why risk-based authentication…and what is it, for that matter?

Thursday, September 24, 2009 by Fraud and Identity Solutions Team

-- by Keir Breitenfeld

The term “risk-based authentication” means many things to many institutions.  Some use the term to refer to their processes; others, to their various service providers.  I’d like to establish the working definition of risk-based authentication for this discussion calling it:  “Holistic assessment of a consumer and transaction with the end goal of applying the right authentication and decisioning treatment at the right time.” 

Now, that “holistic assessment” thing is certainly where the rubber meets the road, right? 

One can arguably approach risk-based authentication from two directions.  First, a risk assessment can be based upon the type of products or services potentially being accessed and/or utilized (example: line of credit) by a customer.  Second, a risk assessment can be based upon the authentication profile of the customer (example: ability to verify identifying information).  I would argue that both approaches have merit, and that a best practice is to merge both into a process that looks at each customer and transaction as unique and therefore worthy of distinctively defined treatment.

In this posting, and in speaking as a provider of consumer and commercial authentication products and services, I want to first define four key elements of a well-balanced risk based authentication tool: data, detailed and granular results, analytics, and decisioning.

1.  Data: Broad-reaching and accurately reported data assets that span multiple sources providing far reaching and comprehensive opportunities to positively verify consumer identities and identity elements.

2.  Detailed and granular results: Authentication summary and detailed-level outcomes that portray the amount of verification achieved across identity elements (such as name, address, Social Security number, date of birth, and phone) deliver a breadth of information and allow positive reconciliation of high-risk fraud and/or compliance conditions.  Specific results can be used in manual or automated decisioning policies as well as scoring models.

3.  Analytics:  Scoring models designed to consistently reflect overall confidence in consumer authentication as well as fraud-risk associated with identity theft, synthetic identities, and first party fraud.  This allows institutions to establish consistent and objective score-driven policies to authenticate consumers and reconcile high-risk conditions.  Use of scores also reduces false positive ratios associated with single or grouped binary rules.  Additionally, scores provide internal and external examiners with a measurable tool for incorporation into both written and operational fraud and compliance programs.

4.  Decisioning: Flexibly defined data and operationally-driven decisioning strategies that can be applied to the gathering, authentication, and level of acceptance or denial of consumer identity information.  This affords institutions an opportunity to employ consistent policies for detecting high-risk conditions, reconcile those terms that can be changed, and ultimately determine the response to consumer authentication results – whether it be acceptance, denial of business or somewhere in between (e.g., further authentication treatments).

In my next posting, I’ll talk more specifically about the value propositions of risk-based authentication, and identify some best practices to keep in mind.

 

 


 

Do you see what I see?

Sunday, August 30, 2009 by Fraud and Identity Solutions Team


-- by Heather Grover

In my previous blog, I covered top of mind issues that our clients are challenged with related to their risk based authentication efforts and fraud account management. My goal in this blog is to share many of the specific fraud trends we have seen in recent months, as well as those that you – our clients and the industry as a whole – are experiencing.  Management of risk and strategies to minimize fraud is on your mind.

1. Migration of fraud from Internet to call centers - and back again. Channel-specific fraud is nothing new. Criminals prefer non-face-to-face channels because they can preserve anonymity, while increasing their number of attempts. The Internet has long been considered a risky channel, because many organizations have built defenses around transaction velocity checks, IP address matching and other tools. Once fraudsters were unable to pass through this channel, the call center became the new target, and path of least resistance. Not surprisingly, once the industry began to address the call center, fraud began to migrate, yet again. Increasingly we hear that the interception and compromise of online credentials due to keystroke loggers and other malware is on the rise.

2. Small business fraud on the rise. As the industry has built defenses in their consumer business, fraudsters have again migrated -- this time to commercial products. Historically, small business has not been a target for fraud, but that is changing. We see and hear that, while similar to consumer fraud in many ways, small business fraud is often more difficult to detect, many times due to the “shell businesses” that are established.

3. Synthetic ID becoming less of an issue.  As lenders tighten their criteria, not only are they turning down those less likely to pay, but their higher standards are likely affecting Synthetic ID fraud, which many times creates identities with similar characteristics that mirror “thin file” consumers.

4. Family fraud continues. We have seen consumers using the identities of members of their family in an attempt to gain and draw down credit. These occurrences are nothing new, but sadly this continues in the current economic environment. Desperate parents use their children’s identities to apply for new credit, or other family members may use an elderly person’s dormant accounts with a goal of finding a short term lifeline in a bad credit situation.

5. Fraud increasing from specific geographic regions. Some areas are notorious for perpetrating fraud – not too long ago it was Nigeria and Russia. We have seen and are hearing that the new hot spots are Vietnam and other Eastern European countries that neighbor Russia.

6. Falsely claiming fraud. There has been an increase of consumers who claim fraud to avoid an account going into delinquency. Given the poor state of many consumers’ credit status, this pattern is not unexpected. The challenge many clients face is the limited ability to detect this occurrence. As a result, many clients are seeing an increase in fraud rates. This misclassification is masking what should be bad debt.