In the wake of the Equifax breach, fraudsters now have 143 million new tools at their fingertips to explore new avenues of payments fraud, particularly when it comes to new account enrollments, account takeover and synthetic identity-based fraud.
The impact of this breach will be felt for years to come, with millions of consumers being placed at risk for the indefinite future, perhaps for the rest of their lives.
Questions are already being asked about the regulatory and data security gaps that led to the breach, and credit reporting agencies will likely be subjected to new levels of long-overdue regulatory scrutiny and oversight.
However, for those of us tasked with preventing payments and identity fraud, the cat is already out of the bag and the threat is as immediate as it is drastic. Even before this most recent breach, account takeover and application fraud attempts and losses were rapidly getting worse, and we expect these trends to become even more prominent.
How, as an industry, do we address the myriad threats posed by this unprecedented data breach?
For the payments ecosystem as well as consumers, this breach poses an unprecedented threat without any clear, or immediate, solution. Millions of consumers have been exposed. Equifax has offered consumers a free year of credit monitoring and the option to freeze their credit reports at no cost. At best, these are short-term solutions, but they will not adequately solve the long-term problem of a massive volume of consumers’ personal identifying information being compromised.
One change the industry can make that will have a huge impact is to shift more of its focus to preventing fraudulent enrollments, rather than transaction fraud.
Historically, the industry has placed much greater emphasis on preventing fraud at the point of transaction without doing enough to stop fraudulent account openings. Recognizing and preventing a fake account opening that uses either a synthetic or stolen identity stops fraudsters in their tracks: without an account they cannot transact at all, and they are kept out of the system. This holds true for almost every segment of the industry, from deposit accounts, credit cards and insurance, to telecom providers, utilities and more.
The tools are readily available to conduct this type of screening at the point of enrollment, but many organizations continue to rely on a single validating data point, such as a consortium score or a credit report, rather than running multiple validation checks that are extremely difficult for fraudsters to fake. Not only should you be checking for a valid Social Security number, name, address, and other PII, you should also be cross-referencing with mobile phone numbers, purchase history, known associations with other persons, addresses and companies, as well as social media activity and email addresses.
Financial institutions, card issuers, insurance companies, telecom providers, retailers and others in the payments ecosystem need to rapidly assess and improve their account enrollment and transaction fraud detection capabilities to defend against the coming onslaught of fraud attempts enabled by the breach. Otherwise, they are putting themselves and their customers at risk.