On Synthetic Identity Fraud


Add SSN and stir.

CHANCES ARE that identity fraud appeared the moment that presenting valid ID first became needful. Today’s inflated claims aside, The Balance’s Jack Stroup points out that in early U.S. history fake IDs were used to stuff ballot boxes. Since the advent of the minimum drinking age, underage youth out to purchase alcohol have resorted to ID fraud. And, of course, early credit cards were easy prey. Thanks to chips, today’s cards are less convenient prey but not impervious.

In the good old days, ID fraud involved altering or appropriating the bona fides of a real person. Synthetic ID fraud, which Equifax asserts accounts for over 80 percent of today’s identity fraud, obviates the need for a real person.

All that today’s synthetic ID fraudster needs to get started is patience and a Social Security Account number that passes muster. Among other places, such are bought and sold on the dark web. Best are account numbers rarely or not used, automatically pointing fraudsters toward seniors and, more often, children: a Cylab study reports that “children were targeted 51 times more frequently than adults.” 

An alternative for the fraudster is simply to make up account numbers. Since Social Security numbers are no longer tied to birthplaces but randomly generated, such can sail through as if valid. This can cause complications for anyone to whom the Social Security Administration might later assign that number, a consequence that does not seem to give the average fraudster pause.

Whether the SSN is lifted or fabricated, the fraudster creates a name to go with it. Giving the name weight in the credit world takes time, which is where patience comes in. One method is to apply for credit using the phony ID. The initial application will be declined, but a record of the name and account number will have been placed in credit bureaus’ databases. The phony ID will then show up as a real person on the next credit search, possibly qualifying for credit accounts with small spending caps.

IBM’s SecurityIntelligence lists that and two other ways of giving a synthetic ID weight. One way is to add the new ID as an authorized user of a legitimate account. Another is to create a shell company that extends credit to the ID.

Once the synthesized ID’s gains a foothold, more lines of credit can be obtained and limits raised. When the time is right, the fraudster proceeds with a rapid spending and cash advance spree—and then, of course, disappears without paying.

Not a tiny problem

Forbes’s Alan McIntyre reports that synthetic identity fraud costs …

… banks billions of dollars and countless hours as they chase down people who don’t even exist. That is part of the reason why global card losses have been rising at an average annual rate of 18 percent in recent years, according to Accenture estimates. Synthetic identity theft alone may account for 5 percent of uncollected debt and up to 20 percent of credit losses, or $6 billion in 2016, according to some industry analysts. The problem is even more acute with store credit cards and auto loans.

Detecting synthetic security fraud is frustratingly difficult. Real identities are hidden, making perps nearly impossible to identify. Investopeida reports

Sometimes financial institutions can’t even tell that synthetic identity theft has occurred because the criminal will establish a history of using the fraudulent account responsibly before becoming delinquent in order to look like a real person experiencing financial problems and not an outright criminal who racks up charges and becomes delinquent on the account at the first opportunity.

CNBC’s Investor Toolkit page paints no rosier a picture:

When criminals use a blend of different people’s data, as well as some entirely made up information, it becomes harder for law-enforcement officials to both realize the crime and then locate the culprit, said R. Sean McCleskey, a retired United States Secret Service agent who supervised an identity-theft task force for more than a decade. “If you’re using an address you control, the person whose Social Security number you’re using may never be getting the account statements,” he said.

Fighting synthetic identity fraud

On the consumer side, CNBC suggests giving out one’s SSN as seldom as possible, freezing children’s accounts, and keeping tabs on statements and credit reports. On the financial institution side, forewarning and forearming clients with good information is, as always, a best practice. 

Nor are financial institutions entirely defenseless. The major credit reporting agencies and other companies offer AI-esque tools for financial institutions. For that matter, if you will indulge this modest plug for my employer, Fiserv’s VerifyNow service is not to be overlooked.

Posted in Uncategorized by Matt. No Comments

Data for Caffeine

Coffee SpeaksNo sooner did direct marketers commence salivating at targeting opportunities posed by that newfangled Internet thing … than the United States Congress and various regulatory bodies set about passing laws to hamper them. 

Or, at least, that was the idea. Many rules are so plastic as to allow for a good deal of wiggle room—and marketers have proved adept wigglers since the dawn of time. The CAN-SPAM Act, for instance, forbids “false or misleading” headers; but one person’s “false and misleading” may be another’s “creative and charming.” Or, take retargeting, which provides a neat circumvention of rules against emailing website visitors without their express permission. Though it’s perfectly legal, a growing number of consumers are creeped out when ads for a recently searched product suddenly show up wherever they look.

The wisest course for building an online database has always been simply to request data along with permission to use it. Since people rarely give up something for nothing, marketers often dangle a compelling offer in exchange for data and permission. The offer is usually some sort of downloadable file—a document, music, video, images, etc.—or sometimes a non-downloadable incentive that requires shipment.

But SHIRU CAFE, a three-year-old Japanese company, has found a way to deliver a non-downloadable incentive on-the-spot in exchange for data. 

SHIRU CAFE is at once a coffee shop and a gatherer and marketer of data. 

If you’re a student at Brown University in Providence, Rhode Island, SHIRU is a coffee shop—but your money is no good there. The price for a cup of coffee at SHIRU is your personal data. According to NPR’s “The Salt” 

To get the free coffee, university students must give away their names, phone numbers, email addresses and majors, or in Brown’s lingo, concentrations. Students also provide dates of birth and professional interests, entering all of the information in an online form. 

Faculty can pick up a cup of Joe for a dollar. Tough luck if you’re neither a student nor faculty member. You’ll have to go someplace else and pony up.

If you’re a corporate sponsor, SHIRU is a gatherer and marketer of data. Sponsors, if you were wondering, pay for the coffee by purchasing the data. Students who participate, continues NPR,

… open themselves up to receiving information from corporate sponsors who pay the cafe to reach its clientele through logos, apps, digital advertisements on screens in stores and on mobile devices, signs, surveys and even baristas.

It doesn’t take much imagination to understand the value marketers might place on that information. Financial institutions, for instance, could use it to identify students likely to someday prove valuable clients.

There’s no deception or sleight-of-hand going on. SHIRU is up-front about why they want students’ data and how they plan to share it.

As you’d expect, some find the idea distressing. Two Brown students recently called for a boycott. Others have set to work envisioning the worst and writing about it

But come on. College students are big kids. Moreover, no one is forcing their participation. There’s an arguable win-win here, since database marketing is about matching marketers with more-likely prospects, and vice-versa.

Though the Providence café is SHIRU’s only U.S. store and hasn’t yet landed a sponsor, SHIRU operates a number of other profitable, corporate-sponsored cafés in Japan and India.

I’ll be interested to see if the concept grows in the U.S. If it does, expect knock-offs. It would be an easy matter for Starbucks or another chain to offer students coffee in exchange for data. Such would have an easy jump on SHIRU, since in the U.S. you can throw a textbook and hit three Starbucks stores.

For that matter, perhaps a bank looking to capture rising generations might strike a deal with coffee houses near college campuses, offering students free coffee on showing proof-of-account. Although many bank lobbies already make coffee available, a bona fide coffee house presents cachet—and an aura of quality—that no bank lobby can approach. Besides gathering data, a coffee house program would provide an incentive for students to open an account.

Surely there are other possibilities. Perhaps I’ll think of more. But first I’m going to need another shot of caffeine.

Posted in Uncategorized by Matt. No Comments

They loaded your card.
Now what?

Digital card via screenTHE GOOD news for your financial institution is that it’s fairly easy for clients to add your card to a digital wallet. 

The bad news is that it’s fairly easy to add everyone else’s card, too. Or, they can bypass your card entirely with store cards paid via store websites. I need hardly point out that every time that happens represents a lost-opportunity cost to banks.

A major contender perhaps falling in-between is Amazon’s credit card. Issued by Chase, it is at once a merchant card and a full-fledged Visa credit card. Cardholders can choose the card for their default payment option for purchases on Amazon.com—or for their default card, period. And many do, for the card packs an incentive: besides the usual one to two percent reward for use at sundry merchant locations, purchases at Amazon and recent Amazon acquisition Whole Foods Market earn three to five percent. That poses quite the threat. Between Amazon and Whole Foods, about the only purchase category for which customers need stray is gasoline. And by shopping online, they consume less of that, too.

Nonbanks galore, and not just merchants, are getting in on the plastic card act. This represents something of a reverse trend: The Motley Fool suggested that plastics may be the future for digital payments. Paypal now issues its own Mastercard credit card, and Square has introduced a Visa debit card they’re calling Cash Card. (That’s an arguably generic term. I’d be curious to see how it would hold up under a trademark challenge.)

To increase use of their own cards, banks have typically relied on increasing the cardholder base, rewards programs, and promotions à la Use your card for a chance to win a trip for two to Hawaii. These remain viable marketing tactics, but they also smell of old school at a time when consumers expect the new and exciting. Moreover, non-banks engage the same tactics.

Fortunately, there are other tactics for rising to the top of the digital wallet.

Play up security. From the onset, banks can discuss security with greater credibility than nonbanks, thanks to a perception that banks with physical facilities are more secure than other issuers. (See my post “The digital branding challenge” here.) Of course, banks had better back their claims by being truly proactive about security, and by finding ways to discuss the matter with clients that are, first, accessible and, second, that assuage rather than worry.

Mind the brand. Here I am talking about a good deal more than graphic identity, important as that is. I’ve written before about delivering a brand in digital banking by use of designintuitive appsmore than mere functionality, and becoming versus claiming. When your brand is strong, your graphic identity conveys a value perception absent lookalike products. And—let’s be honest—lookalike describes just about every financial service.

User-friendly interface. A by-product of the digital age is the lazy consumer. For example, in 2016, the New York Times suggested that for many a Millennial, breakfast cereal is “… just too much work … Almost 40 percent of the millennials surveyed by Mintel for its 2015 report said cereal was an inconvenient breakfast choice because they had to clean up after eating it.” If rising generations find post-breakfast-cereal-cleanup daunting, do not expect them to bother figuring out a challenging digital banking app. Today, “user-friendly” means “easy to use without having to think very much.”

Make rewards programs simple. In their zeal to differentiate, some banks cook up fancy rewards programs. The problem is that consumers are accustomed to simple spend-X-get-Y programs. Most are not up to the effort required to figure out a new program. Even an arguably superior program, if such exists, must be understandable at a glance.

Collaborate. From BCG.com

An example of a mutually beneficial collaboration is the one between JPMorgan Chase and PayPal, which enables Chase cardholders to easily add their Chase cards to PayPal accounts, see a digital representation of a Chase card in the PayPal interface, and redeem Chase reward points in the PayPal network.

What Jim Marous said. Marous, co-publisher of The Financial Brand and owner/publisher of the Digital Banking Report detailed twelve ways to get to the top of the digital wallet in his article entitled, appropriately enough, “12 ways to get to the top of the digital wallet.” No, I’m not going to summarize it here. Instead, I highly recommend clicking the preceding link and reading the whole piece.

Digital technology has made banking more accessible to clients. But “more accessible to clients” inevitably means “more fiercely competitive than ever for bankers.” This is no time to relax.

Posted in Uncategorized by Matt. No Comments

October is National Cyber Security Awareness Month
And it’s not too late to put it to work

phishing-3390518_960_720I am the first to admit that when it comes names of commemorative months, National Cyber Security Awareness Month isn’t the sexiest. Reducing it to the initialism NCSAM makes it easier to write, but not easier to pronounce—En-see-sam? Nik-sam? Ink-sam?—and it it doesn’t help in the sexiness department, either. 

Perhaps that’s why, even though NCSAM has been around since President Obama signed it into being 14 years ago, it doesn’t generate much press beyond sundry institutional posts. 

Missed opportunity

And that’s a curious thing, considering security concerns are keeping a good deal of people from opting into and using digital banking. Letting October pass without taking advantage of NCSAM is a missed marketing—and service—opportunity for financial institutions. 

Some may hesitate to raise the topic of cyber fraud et al to avoid instilling fears where none existed. But the reality is that the fears already exist and are in fact pervasive. A Fiserv blog post earlier this summer entitled “Why It Pays to Address Consumers’ Concerns About Bill Pay Security” reported (disclosure: Fiserv is my employer):

Among consumers who haven’t used mobile banking in the past 30 days, 57 percent cite security as a concern … At 81 percent, personal data and identity theft is the most common security concern with bills, among all those who are at least somewhat concerned about security and billing. Data breaches (65 percent) [and] Internet security (39 percent) … are other top concerns.

It has become something of a given that reticence when it comes to embracing new technology skews older. Were that the problem with digital banking enrollment and use, a plausible solution (and I beg your forgiveness for saying it with such directness) might be to wait until Millennials have replaced Boomers as the older generation. But this time it turns out that Boomers aren’t necessarily the holdup. For Millennials, technology that connects a game to a TV is one thing, whereas technology that connects a handheld device to their money is quite another. To wit, the Fiserv study also found that …

… early Millennials involved in managing bills are the most likely to have security concerns. When thinking about payment security, 64 percent of those ages 18 to 26 are worried about the safety of paying bills and 49 percent say they’re worried about receiving them.

October is nearly upon us, but it’s not too late to capitalize on NCSAM. After all, like other months, it’s a whole month long. And, happily, there’s a way to put NCSAM to work for you that is a win-win, that is, benefitting clients and financial institutions, yet won’t require much investment in the way of esearch, production, and person-hours.

NCSAM as a marketing—and service—opportunity

Having individual control goes a long way toward alleviating fear. And while great respect for the dangers of online fraud is well advised, there is a good deal that clients can do to increase their control over their online security. Furnishing that information is a great service to clients, and for banks it can mean fewer future cases to resolve. It’s also a great way to make clients view a bank in a favorable light for its thoughtfulness in having provided the information.

While it may be too late to launch a full-blown campaign, other, quick-turnaround PR opportunities are within reach. It should be an easy matter to write up easy-to-implement security tips and distribute them via press releases, newsletter or e-letter articles, and email to clients.

Nor is there any need to scurry about digging up content. Many organizations have already done that for you. Cisco, for instance, offers a wealth of blogs on the subject. The National Cyber Security Alliance maintains the website StaySafeOnline.org and makes its content available for anyone’s use. Of particular help are pages such as:

You might also check with your state university. The University of California has created an online National Cyber Security Awareness Month Toolkit. In my home state, the University of Utah is doing likewise. So is the University of Richmond.

While you’re at it

Besides providing safety tips, be sure to highlight the technology and programs your financial institution has in place for protecting clients. Familiarity may have rendered them banal to you, but to clients they are new, fascinating—and reassuring.

Of course you’ll need to run all material by Compliance and Legal. Just don’t let them rewrite or even edit. To do so would be to ensure impenetrable copy no client will read and that, therefore, will do no good. Ask them to explain what needs to change, and why, and then pay a real writer to do the revising. (If your Compliance officers and attorneys fancy themselves writers, as many do, steel your resolve and stick to your guns.)

The number of financial institutions that miss the chance to capitalize on NCSAM surprises me, but their lapse has its positive side. The few financial institutions that jump on this opportunity will be the ones that stand out.

Posted in Uncategorized by Matt. No Comments

Not bad for a 20-year-old
Happy birthday, Google

Google CandlesHard to believe: Google launched 20 years ago this month. By accident or design, its name is a misspelling of the number googol. If it was by accident, you have to wonder why founders Larry Page and Sergey Brin didn’t bother googling the correct spelling.

Playing trademark roulette

Not long after the Google’s appearance in 1998, google became a verb, as in, “I’m going to google that,” eventually earning itself an entry in the 2006 Merriam-Webster dictionary. Per MW, to google is “to use the Google search engine to obtain information about (someone or something) on the World Wide Web.” Yet I suspect these days googling could refer to searching by use of any search engine. If that’s so, Google’s parent company Alphabet should take heed. Product names that enter the lexicon as verbs or common nouns have a habit of losing their protected status. Google could join the ranks of no-longer protected trademarks the likes of aspirin, elevator, cellophane, and, most recently, monopoly. It’s not hard to imagine a day when you may hear something along the line of, “I googled it on Yahoo.”

As it is, Google plays a bit of Russian Roulette with its trademark. A cardinal rule of trademark protection is to keep the mark consistent, but there’s no telling what treatment of the Google mark will greet you.

Yet maybe Google has no need for concern. While google, lower-case g, is arguably a generic term, there is no ambiguity when it comes to Google, upper-case g, referring to the corporate giant. In terms of company valuation, Google is second only to Apple. As of this writing, Fortune says Google “… has a market capitalization of more than $850 billion, says it has indexed hundreds of billions of pages and is aware of over 100 trillion.”

The ubiquity of Google products after just two decades is staggering. We have Android, ChromeGoogle Maps, Gmail, Google News, Google Analytics, Google Ads, Google Images, Google Translate, Google Docs, and a list of many more that seems to go on all but ad infinitum. 

About you, me, and our neighbors

Google statistics tell us a good deal about ourselves. As I write, the three most googled people of 2018 are Donald Trump, Stephen Hawking, and Stormy Daniels. Most-googled animals are dogcat, and chicken. Most-googled athletes are LeBron James, Tiger Woods, and O.J. Simpson. (I found nothing on most-googled football teams, but I’m confident that each of the top three is the Denver Broncos.)

Google was nearly pre-empted by the United States Air Force. Back in the punch card days of 1963, research engineer Charles Borne and computer programmer Leonard Chatlin were at work on what could rightly be called a Google precursor. The current issue of Smithsonian reports:

The duo’s program was designed to work the way Google does: A user could search for any word in the files. Their database consisted of just seven memos that Bourne typed onto punched paper tapes and then converted to magnetic tape … The data lurched over telephone lines—your smartphone is more than 10,000 times faster—but after a long moment, the right answer popped up. Bourne and Chaitin had proven, for the first time, that online search was possible.

Lucky for Google and for reasons unknown, the Air Force discontinued Borne’s and Chatlin’s work. 

Curiously, notes the article, googling “inventor of search” turns up little to nothing about Borne or Chatlin. You’ll find numerous links to one Alan Emtage, who also wrote a pre-Google search engine. But Emtage was born in 1964, making it unlikely that his search engine pre-dated Borne’s and Chatlin’s 1963 creation.

Genesis and adult supervision

The seeds of Google were sown when Page and Brin met as fellow participants at Stanford University’s computer science graduate program. They began work on an idea for a search engine in 2006. At first they called their project Backrub, a reference to “its initial heavy reliance on back-links to validate the popularity of a website it was indexing,” according to OrangeWebsite. Next came the search algorithm’s moniker, PageRank, which, still in use, is a play on Larry Page’s name. 

Page and Brin were unusually capable mathematician-programmers with a killer idea that took off, but they had the savvy and humility not to mistake initial success for all the business acumen they’d need. In 2001, they recruited technologist and business leader Eric Schmidt to run the company. According to Brin, Google had grown to the point of needing “adult supervision.” 

Today, Google “… processes over 40,000 search queries every second on average … which translates to over 3.5 billion searches per day and 1.2 trillion searches per year worldwide.” That’s according to Internet Live Stats, whose Google Search Statistics page posts informative charts and a running tally and is well worth a visit. 

Two-edged sword

A meteoric rise can be a two-edged sword. Americans tend to celebrate Davids only to turn on them should they become Goliaths. Witness, for instance, Walmart’s journey from being the underdog that took on Sears to today, when many view it as an economic pariah. Predictably, Global News raised the fearful side of success with an article whose headline screams, Google’s “20th anniversary raises questions over whether the company is too powerful”:

That resounding success now has regulators and lawmakers around the world questioning whether the company has become too powerful as its ubiquitous services vacuum up sensitive information about billions of people hooked on its products.

Google’s search engine remains entrenched as the internet’s main gateway, and its digital advertising business is on pace to generate about $110 billion in revenue this year. Much of that revenue now flows through Google’s Android operating system, which powers 80 percent of the world’s smartphones. Google also runs the biggest video site in YouTube, the most popular web browser in Chrome, the top email service in Gmail and the maps that most people use to get around.

Still, a company could do a lot worse than grow to a size that makes people uneasy. Global News goes on to concede: 

Not bad for a company that started 20 years ago … with an initial investment of $100,000. Google and its sibling companies operating under the umbrella of Alphabet Inc. are now worth $800 billion.

Overall, I’d have to agree. Google has done pretty well for a 20-year-old.

Posted in Uncategorized by Matt. No Comments