For the second time in four years, the U.S. General Accounting Office reported identity theft as the fastest growing crime in America, with businesses and consumers losing billions of dollars to identity thieves.
Stolen personal and financial information is used to make unauthorized purchases, open fraudulent credit and checking accounts, and access government services in the name of unsuspecting consumers. In addition to the staggering financial costs, ID crime contributes to passport fraud, counterfeiting and forgery, money laundering, mugging and burglaries - and Sept. 11 added terrorism to that list.
Consumers, businesses and government agencies can no longer afford the financial and security risks associated with identity theft and fraud, and need ways to efficiently verify the identity of individuals during face-to-face transactions. An independent study completed by Opinion Dynamics Corporation a few years ago identified that one out of every five Americans, or a member of their families, has been victimized by identity theft. Consumers are becoming increasingly aware of the potentially devastating consequences of being a victim of identity fraud. Sophisticated fraud rings not only run up credit card bills and wipe out checking accounts, but have even been known to sell victims' houses without their knowledge, and commit crimes using their names.
While consumers are aware of the words "identity theft," they have very little knowledge about how the crime is committed. Therefore, consumers are turning to banks, credit card companies, retailers, airlines and other businesses to do a better job of protecting them. Businesses across the country are scrambling to re-examine the way they think about identity fraud prevention. This is a great first step; in the past, many businesses considered identity fraud losses to be just another cost of doing business, and felt no responsibility for consumers who were victimized. But with so many new solutions to consider in the market of fraud prevention, how do businesses choose the one that offers the right balance between their own business needs and the interest of their customers?
Is Biometric Technology Really the Answer?
In recent months, a wide variety of technology solutions have been introduced to battle ID theft. Biometric technology such as fingerprint identification and retinal eye scans create a great buzz, but are they cost effective? Do they actually work? Can they be implemented in real-world situations?
Consumers want protection from identity fraud, but practical implementation requires a secure, convenient and seamless experience, whether shopping, boarding an airplane or entering a screening checkpoint for a business or government building. And privacy is a significant issue as well. Businesses have legal and moral responsibilities for how much personal information is collected and how it is used. Also, crooks are getting more sophisticated; a major portion of identity fraud is now carried out by some form of organized criminal enterprise. Finally, consumers don't want to sacrifice convenience for security, nor do businesses want complicated new procedures that confuse clerks and inhibit the flow of transactions. And neither businesses nor consumers want to bear the financial burden of increased security or loss-prevention technologies.
Measured against these requirements, current biometric technology falls short. Most forms of biometrics rely either implicitly or explicitly on some level of cooperation by the consumer, rendering them vulnerable to fraudsters. Fingerprints require a readable finger; facial and eye scans require visible and undisguised facial features. As the use of biometrics grows, criminals are learning that a strongly worded objection will usually get them out of the most sophisticated biometric screening process and into a highly vulnerable 'legacy' system. And on the other end of the spectrum, honest consumers want reasonable assurances of privacy, consistency and reliability. Litigation costs must also be considered for users who are incorrectly singled out by the system and prevented from completing their transaction. Let's look at the two most common methods of biometrics, facial recognition and fingerprint scanning.
Variables such as the biological aging of humans and the differing light cast upon subjects in each facial scan environment cause significant problems to a machine evaluating facial images. For example, last February the Department of Defense Counterdrug Technology Development Program Office released a comprehensive report on the technical performance of automatic facial recognition. In brief, the results of the report appear to show that if we compare each person to a database of 100,000 and wish to narrow the selection to 1,000 potential matches, we would fail to detect a person attempting ID fraud 40 percent of the time.
Fingerprint scanning technology also has a variety of problems associated with it. Fingerprints often are not of a proper quality to be scanned. Women, Asians, the elderly and laborers often can't be enrolled into a fingerprint scanning system, increasing the possibility of discrimination against specific demographic groups. Also, over time we lose the fat layer in our skin and fingerprints wear, degrading the ability to scan the prints into a system, as well as the ability to match our prints after long periods of time have passed.
Many fingerprint scanning systems offer a very good initial false rejection rate below 1 percent, but user tests have indicated that the rates can rise by as much as 400 percent over a period of just six weeks. Finger abrasions, user errors and maintenance issues are factors contributing to this rise. In addition, be wary that most fingerprint scanning systems allow users to adjust machines to ensure low false acceptance rates, which usually leads to an increase in false rejections. In addition, a number of techniques, becoming increasingly known to fraudsters, allow them to prevent a fingerprint reader from obtaining a valid read, thus 'exempting' them from the screening system that is designed to thwart them.
What Makes for an Ideal Solution?
Defining the perfect solution is a subjective question when it comes to security, as it often depends upon the specific environment to be secured. A 'perfect' system for security in a nuclear power plant may be extreme overkill when applied to airline passengers. However, when it comes to identity fraud prevention during a face-to-face transaction, such as retail payment, the following tips can help significantly in making the right decision:
Are you verifying the paper, or the person?
In most retail environments, the traditional approach to fraud prevention involves verifying checking or credit card accounts. It's important to look for a solution that moves a step further in verifying the person, not the paper. Identity verification is the key, as most identity thieves steal or create false financial instruments that pass an inspection of the paper. So focus on ensuring the person is authorized to use the account.
Ensure the system benefits your customers as well as your business.
The decision to purchase a fraud-prevention system is usually made to protect your business (reduce financial losses, prevent theft of confidential information, restrict who can gain access to specific areas/facilities, etc.). Therefore it must show proven results for return on investment, ease of use by employees and overall effectiveness in stopping theft. Perhaps even more important is maintaining the trust of the customer. Customers need to accept the value of sharing a portion of their identity with businesses in exchange for additional protection of their identity. The consumer-friendly aspect of your initiative holds the key to its success. Ensure your fraud-prevention solution is efficient and accurate in collecting the required data. Be certain you are choosing a fast, easy and non-intrusive system and protect the collected information from being used for purposes other than identity theft protection.
Choose a system that cannot be easily bypassed by criminals.
Biometric systems all rely on identifying features possessed by all consumers, whether honest or fraudster. But the ability of the various technologies to accurately read 100 percent of the population varies dramatically, as does their vulnerability to someone who is intentionally trying to avoid being 'read' by the system. Any system that has a legitimate 'non-read' factor will be vulnerable to exploitation by the crooks, and will alienate honest consumers at the same time.
Make certain a secure audit trail records all transactions.
A good solution should not only prevent and detect fraud in real-time, but it should also record the activity for prosecution of identity thieves. This is especially important, because a great deal of ID theft and fraud involves employees. This is a critical element of fraud prevention, as it ensures your own employees remain honest, and a secure audit trail provides the means for prosecution or quick resolution of disputes. Your loss prevention officers must be armed with the proper tools they need to successfully investigate and/or prosecute identity-related crimes, so spend some time looking at the depth of the audit trail records and how they are reported.
Verify that the system respects consumers' privacy.
Privacy does not have to be a trade-off in order to provide solid security. An identity verification system should collect only the data needed for fraud prevention. Customers and users of the system should be informed of the exact use of their information before they are enrolled in the system, and assured that only the data necessary for validating their identity is being collected. Strict policies should prohibit the information from being used for any other purpose.
Conventional fraud prevention services rely on the notion that identity thieves can be stopped through the verification of financial instruments or casual, visual comparison of signature or photo identification. These systems, which are used to verify check, debit and credit card transactions, and to approve car rentals, airport check-in, building access and loan applications, overlook the fact that personal and financial transaction documents are easily stolen, duplicated or counterfeited. Most focus on verifying the instrument used for purchase, not the person. The information above, including the tips to consider in purchasing a verification system to prevent identity fraud, will serve you well in determining the correct system for your needs.
Remember that technology continues to offer new advances in this marketplace, but don't fall prey to the hype of technology that isn't ready for real-world consumer adoption. Test the solutions you explore and ask for statistics regarding their success with other customers who had needs similar to your own. And finally, train your employees to use the solution you choose. They are the first line of defense in preventing identity fraud. They are also in direct communication with your customers, and should be providing assurance that you value the priceless identities your system was implemented to protect.
Larry Gilbert is president and CEO of Identico Systems, LLC. (www.identicosystems.com).