Business
How to stop ID thieves
Larry Gilbert: Identity theft is one the fastest growing crimes, with businesses and consumers losing billions of pounds each year to identity thieves. You can't count on biometrics. Here's why.
Identity theft is the fastest growing crime in America, with businesses and consumers losing billions of dollars each year to identity thieves.
Stolen personal and financial information is used to make unauthorised purchases, open fraudulent credit and bank accounts and access government services in the name of unsuspecting consumers. In addition to the staggering financial costs, ID crime contributes to passport fraud, counterfeiting, forgery, money laundering, mugging and burglaries -- and 9/11 added terrorism to that list.
While consumers are aware of the words "identity theft", they have little knowledge about how the crime is committed. They turn to banks, credit card companies, retailers, airlines and other businesses to protect them. Businesses across the country are scrambling to re-examine the way they think about identity fraud prevention. This is a great first step; in the past, many businesses considered identity fraud losses to be just another cost of doing business, and felt no responsibility for consumers who were victimised. But with so many new fraud prevention solutions, how do businesses choose the one that balances their own business needs and the interest of their customers?
Is biometric tech the answer?
In recent months, a wide variety of technology solutions have been introduced to battle ID theft. Biometric technology such as fingerprint identification and retinal scanning create great buzz, but are they cost effective? Do they actually work? Can they be implemented in real-world situations? Consumers want protection from identity fraud, but practical implementation requires a secure, convenient and seamless experience, whether shopping, boarding an airplane or entering a screening checkpoint for a government building. Privacy is a significant issue as well. Businesses have legal and moral responsibilities for collection and use of personal information. Crooks are more sophisticated, and organised criminal enterprises involvement has increased. Finally, consumers don't want to sacrifice convenience for security, nor do businesses want complicated new procedures that confuse clerks and inhibit transactions. Neither businesses nor consumers want to bear the financial burden of increased security or loss-prevention technologies. Measured against these requirements, current biometric technology falls short. Most forms of biometrics rely implicitly or explicitly on cooperation by the consumer, rendering them vulnerable to fraudsters. Fingerprints require readable fingers; facial and eye scans require visible, undisguised facial features. As use of biometrics grows, criminals are learning that strongly worded objection will usually get them out of the most sophisticated biometric screening process and into a highly vulnerable "legacy" system. On the other end of the spectrum, honest consumers want assurances of privacy, consistency and reliability. Litigation costs must also be considered for users who are incorrectly singled out by the system and prevented from completing their transaction. What's the ideal solution?
Defining the perfect solution is subjective when it comes to security, as it depends upon the specific environment to be secured. A "perfect" system for security in a nuclear power plant may be extreme overkill when applied to airline passengers. However, for identity fraud prevention during face-to-face transactions, such as retail payment, the following tips can help significantly in making the right decision: 1. Are you verifying the paper, or the person? In most retail environments, the traditional approach to fraud prevention involves verifying cheque or credit card accounts. Look for a solution that moves a step further, verifying the PERSON not the PAPER. Identity verification is the key, as most identity thieves steal or create false financial instruments that pass inspection of the paper. Ensure the PERSON is authorised to use the account. 2. Ensure the system benefits your customers. The decision to purchase a fraud-prevention system is usually made to protect your business (reduce financial losses, prevent theft of confidential information, restrict physical access to specific areas, etc.). Therefore it must show proven results for ROI, employees ease of use, and overall effectiveness in stopping theft. Even more important is maintaining customer trust. Customers need to accept the value of sharing a portion of their identity in exchange for additional protection of their identity. Ensure your solution is non-intrusive and accurate in collecting required data. The consumer-friendly aspect of your initiative is key to success. 3. Choose a system that cannot be easily bypassed by criminals. Biometric systems all rely on identifying features possessed by all consumers, whether honest or fraudster. But the solution's ability to accurately read 100 percent of the population varies dramatically, as does their vulnerability to someone intentionally avoiding being "read" by the system. Any legitimate "non-read" factor is vulnerable to exploitation by crooks, and will alienate honest consumers at the same time. 4. Make certain a secure audit trail records all transactions. A good solution should not only prevent and detect fraud in real-time, but should also record the activity for prosecution of identity thieves. This critical element of fraud prevention ensures your own employees remain honest, and a secure audit trail provides means for prosecution and quick dispute resolution. Loss prevention officers must be armed with proper tools to successfully investigate and/or prosecute identity-related crimes, so evaluate the depth of audit trail records and reporting. 5. Verify that the system respects consumers' privacy. Privacy does not have to be a trade-off in order to provide solid security. Identity verification systems should collect ONLY data needed for fraud prevention. Customers and users of the system should be informed of the exact use of their information before they're enrolled in the system, and ensured that only data necessary for validating identity is collected. Strict policies should prohibit information from use for any other purpose. Conclusion
Conventional fraud prevention services rely on the notion that identity thieves can be stopped through the verification of financial instruments or casual, visual comparison of signature or photo identification. These systems, which are used to verify cheque, debit and credit card transactions, to approve car rentals, airport check-in and building access, overlook the fact that personal and financial transaction documents are easily stolen, duplicated or counterfeited. Most focus on verifying the instrument used for purchase, not the person. The information above, including tips to consider in purchasing identity verification systems, will serve you well in determining the correct system for your needs. Remember that technology continues to offer new advances in this marketplace. Don't fall prey to the hype of technology that isn't ready for real-world consumer adoption. Test the solutions you explore and ask for statistics regarding their success with customers with needs similar to your own. And finally, train your employees to use the solution you choose. They are the first line of defence in preventing identity fraud. They are also in direct communication with your customers, and should be providing assurance that you value the priceless identities your system is implemented to protect. Larry Gilbert is president and CEO of Identico Systems, LLC. To learn more about Mr. Gilbert and Identico's fraud-prevention programs, visit www.identicosystems.com. To have your say online click on TalkBack and go to the ZDNet UK forums.
In recent months, a wide variety of technology solutions have been introduced to battle ID theft. Biometric technology such as fingerprint identification and retinal scanning create great buzz, but are they cost effective? Do they actually work? Can they be implemented in real-world situations? Consumers want protection from identity fraud, but practical implementation requires a secure, convenient and seamless experience, whether shopping, boarding an airplane or entering a screening checkpoint for a government building. Privacy is a significant issue as well. Businesses have legal and moral responsibilities for collection and use of personal information. Crooks are more sophisticated, and organised criminal enterprises involvement has increased. Finally, consumers don't want to sacrifice convenience for security, nor do businesses want complicated new procedures that confuse clerks and inhibit transactions. Neither businesses nor consumers want to bear the financial burden of increased security or loss-prevention technologies. Measured against these requirements, current biometric technology falls short. Most forms of biometrics rely implicitly or explicitly on cooperation by the consumer, rendering them vulnerable to fraudsters. Fingerprints require readable fingers; facial and eye scans require visible, undisguised facial features. As use of biometrics grows, criminals are learning that strongly worded objection will usually get them out of the most sophisticated biometric screening process and into a highly vulnerable "legacy" system. On the other end of the spectrum, honest consumers want assurances of privacy, consistency and reliability. Litigation costs must also be considered for users who are incorrectly singled out by the system and prevented from completing their transaction. What's the ideal solution?
Defining the perfect solution is subjective when it comes to security, as it depends upon the specific environment to be secured. A "perfect" system for security in a nuclear power plant may be extreme overkill when applied to airline passengers. However, for identity fraud prevention during face-to-face transactions, such as retail payment, the following tips can help significantly in making the right decision: 1. Are you verifying the paper, or the person? In most retail environments, the traditional approach to fraud prevention involves verifying cheque or credit card accounts. Look for a solution that moves a step further, verifying the PERSON not the PAPER. Identity verification is the key, as most identity thieves steal or create false financial instruments that pass inspection of the paper. Ensure the PERSON is authorised to use the account. 2. Ensure the system benefits your customers. The decision to purchase a fraud-prevention system is usually made to protect your business (reduce financial losses, prevent theft of confidential information, restrict physical access to specific areas, etc.). Therefore it must show proven results for ROI, employees ease of use, and overall effectiveness in stopping theft. Even more important is maintaining customer trust. Customers need to accept the value of sharing a portion of their identity in exchange for additional protection of their identity. Ensure your solution is non-intrusive and accurate in collecting required data. The consumer-friendly aspect of your initiative is key to success. 3. Choose a system that cannot be easily bypassed by criminals. Biometric systems all rely on identifying features possessed by all consumers, whether honest or fraudster. But the solution's ability to accurately read 100 percent of the population varies dramatically, as does their vulnerability to someone intentionally avoiding being "read" by the system. Any legitimate "non-read" factor is vulnerable to exploitation by crooks, and will alienate honest consumers at the same time. 4. Make certain a secure audit trail records all transactions. A good solution should not only prevent and detect fraud in real-time, but should also record the activity for prosecution of identity thieves. This critical element of fraud prevention ensures your own employees remain honest, and a secure audit trail provides means for prosecution and quick dispute resolution. Loss prevention officers must be armed with proper tools to successfully investigate and/or prosecute identity-related crimes, so evaluate the depth of audit trail records and reporting. 5. Verify that the system respects consumers' privacy. Privacy does not have to be a trade-off in order to provide solid security. Identity verification systems should collect ONLY data needed for fraud prevention. Customers and users of the system should be informed of the exact use of their information before they're enrolled in the system, and ensured that only data necessary for validating identity is collected. Strict policies should prohibit information from use for any other purpose. Conclusion
Conventional fraud prevention services rely on the notion that identity thieves can be stopped through the verification of financial instruments or casual, visual comparison of signature or photo identification. These systems, which are used to verify cheque, debit and credit card transactions, to approve car rentals, airport check-in and building access, overlook the fact that personal and financial transaction documents are easily stolen, duplicated or counterfeited. Most focus on verifying the instrument used for purchase, not the person. The information above, including tips to consider in purchasing identity verification systems, will serve you well in determining the correct system for your needs. Remember that technology continues to offer new advances in this marketplace. Don't fall prey to the hype of technology that isn't ready for real-world consumer adoption. Test the solutions you explore and ask for statistics regarding their success with customers with needs similar to your own. And finally, train your employees to use the solution you choose. They are the first line of defence in preventing identity fraud. They are also in direct communication with your customers, and should be providing assurance that you value the priceless identities your system is implemented to protect. Larry Gilbert is president and CEO of Identico Systems, LLC. To learn more about Mr. Gilbert and Identico's fraud-prevention programs, visit www.identicosystems.com. To have your say online click on TalkBack and go to the ZDNet UK forums.