The Federal Trade Commission (FTC) has instituted new regulations known as “Identity Theft Red Flags” that promise to mitigate the havoc posed by identity theft to financial institutions and their customers. Effective May 1, 2009, these new regulations require financial institutions and creditors with covered accounts to implement programs that detect, prevent, and mitigate instances of identity theft.
Under the rules, entities must develop a written program that identifies and detects the relevant warning signs – or “red flags” – of identity theft. The FTC has issued guidelines that identify 26 different red flags to assist in designing identity theft prevention programs. These red flags are not a checklist, rather examples that financial institutions and creditors can model as a reference. They fall into five broad categories:
- Alerts, notifications, or warnings from a consumer reporting agency
- Suspicious documents
- Suspicious personally identifying information, such as a suspicious address
- Suspicious activity relating to a covered account
- Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts
The Red Flags programs developed by financial institutions must describe appropriate responses that prevent and mitigate the crime and detail a plan to update the program. The regulations also include restrictions for appropriate training and oversight.
Though institutions grapple to comprehend the implications of these new regulations, a new generation of technologies can help businesses cost-effectively ensure compliance. Built on principles of real-time risk assessment and proactive fraud prevention, these solutions can help companies fight fraud across multiple business channels while guaranteeing safer interactions between businesses and their customers.
Red Flags regulations require institutions to exercise special care when issuing new accounts. Dumpster divers and cyberfraudsters can exploit personally identifiable information of innocent people to open accounts. Fraudsters typically use compromised information to open credit cards, mortgages or even HELOC accounts in the name of innocent victims. But financial institutions can use suspicious information in new account requests to either block new account requests or request additional information in such cases before issuing accounts.
Businesses typically use identity management solutions such as provisioning for newly hired employees and contractors. Now, financial institutions can use similar provisioning technologies to issue accounts for new customers. The extra requirements under Red Flags require the provisioning process to be risk-aware. Risk-based solutions enable institutions to ensure that only a legitimate customer can open a new account. Using various identity proofing services in combination with IP geo-location, device and transaction profiling, institutions can now verify that only a legitimate user is creating an account in his or her name by correlating various parameters of a new account request such as an address with the geo-location or a telephone number with information obtained either from credit bureaus or from various public sources. By using risk-aware self-provisioning technologies, businesses can simplify account creation for new customers while eliminating the overhead costs associated with account creation including insider fraud.
Regulations will now require institutions to take actions to mitigate the risk of suspicious activity related to a covered account. To combat the myriad sophisticated security threats, financial institutions can leverage technologies that evaluate risk in real-time and take proactive measures to prevent fraud.
Context-aware authentication ensures that only registered users get access to their accounts while blocking fraudsters who use harvested information from gaining access. Mutual authentication technologies such as secure site and knowledge-based authentication (KBA) verification can prevent phishing scams. Virtual authentication technologies such as virtual pin-pads strengthen most authentication schemes and can safeguard against sophisticated man-in-the-browser threats. Identity verification services using techniques such as geo-location, device fingerprinting, behavioral profiling and Technologies based on cross-channel fraud detection can help institutions to gate account access via traditional channels such as ATM, kiosk and phone banking, in addition to online access. Some risk-based technologies not only block risky transactions but also go a step further and alert authorities if anomalies in access are detected.
Self-service password reset
Password resets are a commonly used technique to hijack user accounts. Attackers increasingly target services that employ static KBA to authorize self service. As institutions embrace automated services such as self-service password reset for purposes of reducing costs and boosting efficiency, these services are being targeted by attackers for the relative ease with which they can be used to gain access to registered accounts. Static KBA lends itself to social engineering attacks as it relies on publicly harvestable questions such as SSN, mother's maiden name, street lived on, city born in, favorite color, movie, book, and so on.
Identity theft is a serious business issue and a consumer hazard. The FTC is now taking action to protect businesses and consumers from fraud. Businesses can ease the pain of complying with the new Red Flags regulations with context-aware technologies. Deployment of risk-based solutions for customer provisioning, authentication and password resets can proactively and incrementally secure businesses against sophisticated identity scams.