Publication Date: 27 February 2009 ID Number: G00165825
About 7.5% of U.S. adults lost money as a result of some sort of financial fraud in 2008, in large part because of data breaches, according to a recent Gartner survey. All this is having an adverse effect on consumer victims who are significantly changing their financial transaction behaviors.
Key Findings
• Data breaches were a leading cause of financial fraud against consumers in 2008 and were the source for much payment card fraud, which was the most-common fraud type.
• Consumers recover the least amount of money stolen when new-account and checking/savings account fraud schemes are used. They recover the most money in the case of credit card fraud.
• When compared with the average consumer, nearly twice as many people who lost money to fraud in 2008 changed their shopping, payment and e-commerce behavior. Fraud victims are also more cautious about which brick-and-mortar stores they shop at and how they pay for goods when they get there, demonstrating more awareness of the risk of data breaches.
• Victims of electronic checking and/or savings account transfer fraud in 2008 were nearly five times more likely to change banks because of security concerns, when compared with the average consumer. About twice as many of the victims curtailed online money transfers and bill payment used in online banking.
Recommendations
• Organizations that are custodians of sensitive consumer data must act now to protect customer records and credentials — a less-costly exercise than customer churn resulting from financial fraud.
• Organizations that manage customer accounts must assume it is likely they will be compromised at attack vectors outside their control. They must protect those accounts with a layered security approach.
• Enterprises whose customer records have been compromised should match the remediation assistance they provide to affected customers with the types of crimes to which they have been subjected.
• Enterprises that have secured their systems should advertise those security steps to gain consumer confidence and business.
Reasons for Low Recovery Rates
© 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
• The main reason consumers did not recover funds stolen during new-account and check forgery scams is that they assumed they would fail in their efforts, so they did not even try. A less-prevalent reason was that the bank that had to return the funds did not believe the consumers.
• The leading reason consumers did not recover funds in the case of credit and debit card fraud is that they fell for a scam and believed there was no one from whom to recover the stolen credit or funds. In most cases, card-issuing banks will still give consumers their money back and will charge the fraud to the acquiring (merchant) bank.
Long-Term Damage for Some
• Thirty-five percent of new-account fraud victims further suffered from a damaged credit rating, and slightly more than half of them were able to restore it. Nearly all this population restored their credit rating in less than one month, but about 20% took more than one year. It took three to five years for 9% of this group to restore their credit ratings.
Low Reporting and Conviction Rates
• Less than one-third of the victims reported the crimes to law enforcement, and about 5% reported them to the FTC.
• According to the National Institute of Justice's Electronic Crime Program, which is part of the U.S. Department of Justice, there were only 564 convictions made for about 800 arrests for identity-theft-related fraud in 2007, the last year when such public data is available. There were 8,835 criminal cases opened that year. Given the millions of U.S. adults who lost money in 2007, a conservative estimate is that the chances of a criminal getting arrested and convicted for identity-theft-related fraud are much less than a half of 1%.
Effect of Fraud on Consumer Behavior
In light of security concerns, consumers' behaviors have changed (see Figure 5):
• Victims of financial fraud in 2008 were twice as likely to change their behavior as a result of data breaches and security incidents as the average consumer. Victims of crimes where it's the most difficult to recover stolen funds are even more likely to change their financial behavior than other consumers. There is a direct correlation between how much stolen money victims get back and how worried they are when it comes to conducting financial transactions.
• Fraud victims are more likely to curtail their brick-and-mortar store shopping and payment habits than average consumers, demonstrating their awareness of the risks of data breaches.
• In percentage terms, the behaviors that are most affected across the populations because of security concerns include online shopping and payments. Victims of debit/ATM fraud are most affected in these two particular areas.
• PayPal gets a big boost by those who change their online payment behavior because of security concerns, especially among fraud victims. Worried consumers say they switch to PayPal because of their concerns about online payment safety using other payment mechanisms.
• Online banking takes a big hit among victims of checking account and new-account fraud, where there are fewer protections than there are with payment card fraud, and where consumers recover the least amount of stolen funds. About 20% of worried consumers who changed their online banking behavior stopped or won't start transferring money between accounts; those percentages double among fraud victims. Similar trends show up when it comes to online bill payments.
• Six percent of all consumers say they changed banks as a result of their security concerns, but that number almost quintupled to 28% among victims of checking/savings account transfer fraud. That compares with 5% overall who switched because of concerns regarding the financial health of their banks, and 21% overall because of excessive fees (see Figure 6).
• Brick-and-mortar store shopping habits change among consumers worried about security incidents, but to a lesser extent than online shopping and payment behavior habits. Overall, 18% of security-concerned consumers change their physical store shopping habits, and two-thirds of this population subset try to only shop at well-known retailers. That two-thirds (67%) jumps as high as 81% in the case of fraud victims.
Among all consumers, 39% changed their behavior because of security concerns. Among fraud victims, 71% of them changed their behavior because of security concerns. Figure 5 shows how these population subsets specifically changed their behavior.
Direct-to-Consumer Account Protection Services
Enterprises whose customer accounts have been compromised should offer those customers services that help them monitor their financial accounts to prevent future financial damage, and remediate damage that has already been done. This requires a tailored approach, based on the type of data stolen, and one that recognizes the limitations of solutions available in the market.
New-Account Fraud Prevention Services
• Credit report monitoring is offered directly to consumers by the three credit bureaus (Equifax, Experian and TransUnion) and other newer identity monitoring players (see below), and warns consumers of new-account fraud, or when a thief steals a consumer's identity (for example, name, Social Security number, date of birth, address and phone number) and uses it to apply for a new loan. The information is not conveyed to the victim until after the loan application has been processed, which is already late in the process.
• Identity monitoring is offered directly to consumers mainly by niche companies, such as MyPublicInfo.com, IdentityTruth, Intersections and LifeLock, and monitors public source systems, including driver license, bankruptcy and criminal records, and credit bureau data. They can often detect if a consumer's identity information (for example, Social Security number) has been compromised and/or is being abused by another individual. Some also use third-party services, typically from Cyveillance, to monitor Web chat rooms and other online forums for stolen credentials belonging to the service subscriber. Identity monitoring services are more effective than credit report monitoring in helping prevent new-account fraud and can also prevent other types of crimes that rely on personally identifiable information, such as taking out a driver's license in someone else's name. Some of them work with the customers to clean up the financial damage left behind and/or provide identity theft insurance that refunds victims for the time they spend on remediation (as opposed to direct fraud losses).
• Fraud alerts are offered by specialized companies, such as Debix, and by some of the identity monitoring companies, such as LifeLock, and automatically request the placement of fraud alerts every 90 days (when they automatically expire) on a subscriber's credit bureau files. This way, a subscriber must be contacted if a new loan or account application is being requested using the subscriber's identity. This is useful in preventing new-account fraud, because it is a proactive step rather than a reactive one, such as credit report monitoring. However, it adds a level of inconvenience to the subscriber's financial life: despite service providers' claims to the contrary, new-account applications are frequently delayed by the fraud alert until the lender manually verifies the application and the applicant.
Payment Card (Credit/Debit) Fraud Prevention Services
None of the services listed above will alert customers if their payment card is about to be used by an unauthorized party. Retailers and other third parties whose customers' credit or debit card data has been breached cannot help these customers prevent fraud against their cards by offering credit report or identity monitoring services (which are helpful in preventing new-account fraud).
An effective fraud prevention service can be offered directly to consumers by the various card issuers whose customer accounts were breached. For example, they can alert a customer if a suspect transaction occurs before it is authorized, so that the consumer must explicitly authorize it for it to execute. Nonetheless, the party where the data is breached is typically different from the customer's card issuer, so there are practical business coordination issues that make such a solution impractical for the breached party to offer.
Checking, Savings, Brokerage and Other Financial Account Takeover Prevention Services
The direct-to-consumer services mentioned above that help prevent new-account fraud will do nothing to help customers prevent unauthorized access to their checking, savings, brokerage or other types of financial accounts. As with payment card services, customers' financial account service provider can provide them with an alerting service, but these institutions have historically been different from the entity where customer data has been breached (for example, a retailer or payment processor).
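The alerting service described for card issuers and financial account providers (a suspect transaction is held and the customer must explicitly authorize it before it executes) can be sketched as a small pre-authorization gate. The following is an added example, not code from Gartner or from any vendor named in this report; the risk rules (foreign merchant country, amount above three times typical spend, first use at a merchant with an above-typical amount), the 15-minute reply window and the sample profile and transactions are constructed assumptions for illustration. Silence from the customer never authorizes: a held transaction that receives no reply within the window is treated as declined.

```python
"""Pre-authorization customer alert gate (added illustrative example, not from the report)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class Profile:
    """Issuer-side view of an account; all values are constructed for the example."""
    account_id: str
    home_country: str
    typical_amount: float       # rolling average of recent purchases (assumption)
    known_merchants: Set[str]   # merchants the customer has used before


@dataclass
class Transaction:
    tx_id: str
    account_id: str
    amount: float
    merchant: str
    country: str
    when: datetime


def suspect_reasons(tx: Transaction, profile: Profile) -> List[str]:
    """Return the reasons a transaction should be held for customer approval (empty = clean)."""
    reasons = []
    if tx.country != profile.home_country:
        reasons.append(f"merchant country {tx.country} differs from home country {profile.home_country}")
    if tx.amount > 3 * profile.typical_amount:
        reasons.append("amount exceeds 3x typical spend")
    if tx.merchant not in profile.known_merchants and tx.amount > profile.typical_amount:
        reasons.append("first use at this merchant with an above-typical amount")
    return reasons


class AlertGate:
    """Holds suspect transactions until the customer explicitly approves them."""

    def __init__(self, reply_window: timedelta = timedelta(minutes=15)):
        self.reply_window = reply_window
        # tx_id -> (transaction, reply deadline, reasons it was held)
        self.pending: Dict[str, Tuple[Transaction, datetime, List[str]]] = {}
        self.alerts: List[str] = []   # messages that would be sent to the customer

    def submit(self, tx: Transaction, profile: Profile, now: datetime) -> str:
        """Authorization request from the network: 'approved' immediately, or 'held' pending the customer."""
        reasons = suspect_reasons(tx, profile)
        if not reasons:
            return "approved"
        self.pending[tx.tx_id] = (tx, now + self.reply_window, reasons)
        self.alerts.append(
            f"ALERT {tx.account_id} {tx.tx_id}: holding {tx.amount:.2f} at {tx.merchant}; "
            + "; ".join(reasons)
        )
        return "held"

    def customer_reply(self, tx_id: str, approve: bool, now: datetime) -> str:
        """Customer's answer to an alert. Late answers are ignored: default-deny."""
        entry = self.pending.pop(tx_id, None)
        if entry is None:
            return "unknown"
        _tx, deadline, _reasons = entry
        if now > deadline:
            return "expired"
        return "approved" if approve else "declined"

    def expire_stale(self, now: datetime) -> List[str]:
        """Sweep held transactions whose reply window has passed; they are declined, never auto-approved."""
        stale = [tx_id for tx_id, (_tx, deadline, _r) in self.pending.items() if now > deadline]
        for tx_id in stale:
            del self.pending[tx_id]
        return stale


if __name__ == "__main__":
    profile = Profile("acct-1", "US", 40.0, {"grocer"})
    gate = AlertGate()
    t0 = datetime(2009, 2, 27, 9, 0)
    print(gate.submit(Transaction("t1", "acct-1", 35.0, "grocer", "US", t0), profile, t0))
    print(gate.submit(Transaction("t2", "acct-1", 300.0, "electronics", "RO", t0), profile, t0))
    print(gate.alerts[-1])
    print(gate.customer_reply("t2", True, t0 + timedelta(minutes=5)))
```

The design point is the ordering: the hold happens before authorization, so the customer is asked while the transaction can still be refused, rather than being notified afterwards as credit report monitoring does for new-account fraud.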
Security as a Customer Retention Tool
Most consumers will say that security is very important to them when doing business with their banks (see Figure 7), and is as important to them as the financial health of the institution (but not nearly as important as bank fees and customer service, as shown in Figure 6). Security rises significantly in importance among customers who have been victims of a financial account takeover. Enterprises that have implemented strong security controls and protections should make this fact visible to their customers. They should also engage customers in jointly participating in security solutions (for example, by signing up for a service that alerts customers to suspect transactions being made against their accounts). This will help institutions retain their
RECOMMENDED READING
• "Consumers Don't Want to Change the Ways They Manage Online Passwords"
• "Heartland Case Shows Stronger Card Security Is Still Needed"
Note 1 Survey Methodology
Gartner conducted a survey of about 5,000 U.S. adults in September 2008. We posed a subset of identical questions on identity theft to online survey respondents and those we reached over the phone. We used both sets of results, which were typically very similar, to arrive at our analysis.
Survey methodology — online: Gartner conducted a survey of 3,985 online adults in September 2008. The survey accessed online U.S. respondents via Ipsos Online Customer Panel. The sample was selected to be representative of the online population: 18 or older in the 48 contiguous states with respect to age, sex, household income, household size, presence of children, geographic region, market size, and broadband vs. dial-up home Internet access. The initial sample was balanced to minimize the need for weighting corrections on the back end to reestablish representativeness. All respondents 18 or older who completed the survey and passed data quality inspection (for example, spent sufficient time on the survey, did not exhibit flatlining or patterning response behaviors, or provided excessive "don't know" responses) were accepted. For those items answered by all respondents (which was a total of 3,985), the margin of error was plus or minus 1.5% at the 95% confidence level. For those questions with a restricted base (asked of only a subset of qualified respondents), the margin of error was larger.
Survey methodology — phone: Gartner conducted a phone survey of 1,003 adults in September 2008. Respondents were recruited using random digit dial and weighting corrections applied on the back end to achieve a nationally representative sample of the population: 18 or older in the 48 contiguous states with respect to age, sex, household income and geographic region. All respondents 18 or older who completed the survey and passed data quality inspection (for example, spent sufficient time on the survey, did not exhibit flatlining or patterning response behaviors, or provided excessive "don't know" responses) were accepted. For those items answered by all respondents (which was a total of 1,003), the margin of error was plus or minus 3.1% at the 95% confidence level. For those questions with a restricted base (asked of only a subset of qualified respondents), the margin of error was larger.
Note 2 ATM Fraud
Armed with ATM card account information and user PINs, fraudsters are able to turn stolen information directly into cash by creating counterfeit ATM cards and using them with the stolen PINs to withdraw hard cash from ATMs or at stores. Although law enforcement officials aren't sure how the crooks get their hands on PINs (which are supposed to be encrypted from the time they are entered until they are validated by the bank card issuer), several PIN security weaknesses were exposed in 2007 and 2008. These include not only traditional methods of physically skimming PINs typed into a device, but also the decryption of encrypted PINs captured at retailers using old single Data Encryption Standard (DES) technology.
PINs are also stolen through phishing attacks directly against consumers, and can be used with ATM cards when the secret track-two authentication data encoded on an ATM card's magnetic stripe is not read by the ATM. Furthermore, vulnerabilities in the hardware security modules used to encrypt and decrypt PINs as they move across processors and banks were documented by Israeli researchers in 2006, although it's not clear whether those vulnerabilities have been exploited (see the white paper, "The Unbearable Lightness of PIN Cracking," by Omer Berkman and Odelia Moshe Ostrovsky).
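The note's point that a phished PIN is only usable when the ATM does not read and verify the card's track-two data can be shown from the issuer's side. The following is an added example, not code from the report or from any issuer: an ISO 7813 track-two parser with a Luhn check on the PAN, an expiry check and a service-code check, wrapped in a withdrawal decision that refuses any request arriving without track data. The track-two records and the "today" date are constructed sample values; the service-code meanings (third digit 2, 5 or 7 = goods and services only, not cash) follow my reading of ISO 7813 and the check is an assumption about issuer policy, not a rule from the report.

```python
"""Issuer-side track-two validation for ATM requests (added example, not from the report)."""
import re
from datetime import date
from typing import Dict, List, Optional

# ISO 7813 track 2: optional ';' start sentinel, PAN, '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, optional '?' end sentinel.
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)
# Service-code third digits meaning "goods and services only" (assumption: issuer refuses cash for these).
GOODS_ONLY_THIRD_DIGITS = {"2", "5", "7"}


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check digit verification over the PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Dict[str, object]:
    """Split a track-two record into its fields; raises ValueError on malformed input."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a track-2 record")
    exp = m.group("exp")
    return {
        "pan": m.group("pan"),
        "exp_year": 2000 + int(exp[:2]),   # assumption: two-digit years are 20YY
        "exp_month": int(exp[2:]),
        "service_code": m.group("svc"),
        "discretionary": m.group("disc"),
    }


def validate_track2(raw: str, today: date) -> List[str]:
    """Return the list of problems found; an empty list means the record is accepted."""
    try:
        rec = parse_track2(raw)
    except ValueError as err:
        return [str(err)]
    problems = []
    if not luhn_ok(rec["pan"]):
        problems.append("PAN fails Luhn check")
    if not 1 <= rec["exp_month"] <= 12:
        problems.append("bad expiry month")
    elif (rec["exp_year"], rec["exp_month"]) < (today.year, today.month):
        problems.append("card expired")
    if rec["service_code"][2] in GOODS_ONLY_THIRD_DIGITS:
        problems.append("service code permits goods and services only, not ATM cash")
    return problems


def decide_atm_withdrawal(track2: Optional[str], pin_verified: bool, today: date) -> str:
    """Authorization decision: track data is mandatory, so a PIN alone never suffices."""
    if track2 is None:
        return "decline: ATM did not present track-2 data"
    problems = validate_track2(track2, today)
    if problems:
        return "decline: " + "; ".join(problems)
    if not pin_verified:
        return "decline: PIN verification failed"
    return "approve"


if __name__ == "__main__":
    today = date(2009, 2, 27)   # constructed: the report's publication date
    print(decide_atm_withdrawal(";4111111111111111=2512201000000000000?", True, today))
    print(decide_atm_withdrawal(None, True, today))
```

The sample PAN 4111111111111111 is a widely used test number that passes Luhn; the rest of each record is constructed. In production the discretionary data would additionally carry the issuer's card verification value, which is the field an ATM that "does not read track two" fails to check.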