Attorneys general from 31 states have asked the Federal Trade Commission (FTC) to update its Identity Theft Rules.
Noting the proliferation of identity theft and consumers’ inability to divine how information stolen from breaches is being used, the AGs said that the rules – also known as the Red Flags Rule and the Card Issuers Rule –
“appropriately place the burden on certain entities to detect, prevent and mitigate identity theft.” And only those entities, they contended, “have the ability to stop a fraudulent account from being opened at their own place of business or to notify a consumer of a change of address in conjunction with a request for an additional or replacement card, which is a strong indicator that the account may have been taken over by an identity thief.”
As identity theft affects “16.7 million consumers with losses of $16.8 billion according to Javelin Research, this plague of theft has to be fought from all sides to start to cut down on those numbers,” said Robert Capps, vice president and authentication strategist for NuData Security. “Legislation as well as new procedures and technologies are required to battle identity theft.”
Capps said “examples of ‘red flags’ for unauthorized accounts use should include access by new and previously unknown devices, several unsuccessful attempts to input a correct password, and devices using international IP addresses to access multiple accounts,”
The FTC’s identify theft rules have been flexible enough to keep up with the changing times, but the AGs said they need to be amended to reflect changes in communications means (including email addresses and cell phone numbers), and to highlight best practices as well as expand the “Unusual Use Of, or Suspicious Activity Related to, the Covered Account” section.
“Some best practices should include multi-factor verification, a more secure method than knowledge-based authentication questions, given that answers may be available elsewhere online or already compromised from a previous data breach,” said Capps.