Count to three. By the time you've done that, someone in the U.S. has been victimized by identity fraud.
In 2012, identity fraud incidents increased by more than one million victims. Fraudsters stole more than $21 billion overall—the highest amount in three years, according to the 2013 Identity Fraud Report, which was published on Feb. 20 by Javelin Strategy & Research.
"The pace of identity fraud is rising faster than expected, and fraudsters are using information faster than ever before," says Jim Van Dyke, Javelin's president and founder.
The report, which is in its tenth year, is based on an October 2012 survey of 5,249 U.S. consumers to identify the impact of fraud, locate areas of progress and provide intelligence for consumers. It's sponsored by Citigroup and Intersections Inc., an identity protection company, though the report is editorially independent, the research company says. Javelin defines identity fraud as the unauthorized use of someone's personal information to achieve an illicit financial gain.
The research found that the amount of money stolen in 2012—$21 billion—was the highest since 2009, when fraud hit $31 billion. That's more than the $18 million in 2011, but well below the record $47 billion in 2004. There were 12.6 million victims in the U.S. in 2012, and identity fraud occurred at a rate of about one incident every three seconds.
Also, about 25% of recipients of breach notifications became a victim of identity fraud, the highest rate in two years. Also, consumers who have had their Social Security numbers compromised in data breaches are five times more likely to be a fraud victim than an average consumer.
Fraudsters are getting more efficient, Javelin reports. Consumer information was misused for an average of 48 days in 2012, which is down from 55 days in 2011 and 95 days in 2010. There's some good news here—more than 50% of victims were actively detecting fraud by using financial alerts, credit monitoring or identity protection services and by monitoring their accounts. "The fraudsters are doing things faster and banks and merchants have to do things faster to prevent fraud," Van Dyke says.
This shortening window is pressuring crooks to jump on ill-gotten information—which in turn stresses fraud mitigation for retailers and issuers.
"The only way criminals can sustain some growth or at least parity in the amount of money they walk away with is to get into the account quickly and more rapidly use the data exposed by the fraud. Criminals aren't sitting on this data," Van Dyke says.
The speed of identity fraud is increasing as the pace of transactions increases due to the growth of mobile and electronic commerce, Van Dyke says.
The maturation of electronic and mobile commerce also affects fraud prevention strategy and tech. Since a digital commerce site is never really closed, legacy fraud prevention technology such as overnight updates or batch processing is no longer enough to shield processing systems from data exposure—placing a premium on emerging security technology such as behavior analytics, business intelligence and social analysis to quickly 'red flag' suspicious transactions. There are a number of business intelligence and security risk management tech companies serving this market, including ACI Worldwide, Accenture, Fair Isaac, IBM, ID Analytics, SAS, Fiserv and Nice Actimize.
"Legacy systems don't cut it…there's now sales that go on 24 hours per day and it forces the good guys to be open at all hours," Van Dyke says.
One of the reports more interesting findings is that small retailers suffer more blowback from ID theft. Fraud victims are more selective about where they shop after an incident, and 15% of all fraud victims decided to change behaviors and avoid smaller online merchants after an incident. This is a much greater percentage than those avoiding gaming sites or larger retailers.
A contributing factor is many smaller retailers lag behind larger chains in developing a security posture. "Smaller merchants come into PCI compliance at later stages," Van Dyke says. "It's harder to make sure they are all on board."
The risks of identity fraud have both merchants and issuers searching for alternative authentication methods, ranging from biometrics to more traditional second factors such as one-time password tokens. Social network identities are also increasing. By 2015, half of new retail customer identities will be based on social network identities, up from about 5% today, according to recent research from Gartner.
While mobile identity theft is still an emerging threat, it's positioned for major growth going forward, says Shirley Inscoe, a senior analyst at Aite Group. "People download so many apps onto their phones now or are responding to text messages, that's a risk for malware. Once all of these smartphones get infested with malware, that will pave a highway for ID thieves," Inscoe says.
The prevalence of personal information on social networks poses clear risks.
"Banks use a lot of authentication questions if a customer calls into a call center or signs in to online banking," says Inscoe. "If the consumer has posted information on a social site like Facebook or LinkedIn, of if there's been a data breach, the crooks may get the answers to these questions and be able to take over a legitimate account more easily than in the past."