Loss prevention has taken on perhaps the greatest scrutiny it has ever experienced because of the jump in identity theft and transactional fraud that has businesses under attack on virtually every revenue-generating front. The ease with which fraudsters can buy or create an identity means that it is that much easier for them to steal from retailers through new account fraud or card-not-present transactions, whether in-store or via online and mobile channels. It’s a lot of territory to cover with limited resources available to help protect against identity theft—and an enormous amount of money at stake.
The scope of the problem lends perspective to exactly what’s at risk. Having reached epidemic proportions, data breaches have given fraudsters a treasure trove of personally identifiable information that has fueled an unprecedented surge in identity theft which poses a real threat to revenues. Reading the news on any given day will reveal any number of articles and research reports detailing how identity theft and the creation of synthetic identities is costing billions of dollars a year and is taking countless hours for companies and customers to address.
Javelin Strategy and Research puts the total value of identity theft at nearly $17 billion in 2017. An Accenture study conducted in 2018 found the time between when a data breach occurs to when the data is used for fraud is typically 12-18 months. This means the data stolen from 147 million users as part of the Equifax breach may have hit the market during this recent holiday shopping season. Given that the nine largest hacks in the 2nd quarter of this year breached 681 million records, and the recent Marriott hack could impact up to 500 million people, evidence suggests that there is no end in sight.
Combine all this stolen data with the simplicity of obtaining a fake ID that is inexpensive and so sophisticated it looks real and you begin to understand how this adds up to a multi-billion-dollar problem.
To fight back, retailers and banks need powerful fraud protection that is:
- Trusted by the consumer
- Fast to avoid cart abandonment
- Easy and inexpensive to deploy
- Simple to use
- Frictionless in onboarding good customers
- Not turning good customers into angry detractors through false negatives
There are several solutions being examined today. Let’s look at a few of them in the context of these requirements.
Biometrics
Among the most common solutions companies examine often include biometrics. Available biometric products run the gamut from fingerprint and iris scans to voice and facial recognition. While biometric solutions can be an extremely effective solution, there are still certain issues that can come into play:
Cost. Most retail establishments do not have biometric scanners at their point of sale. For a large retailer with multiple points of sale in hundreds or thousands of stores, the hardware and software for simple fingerprint scanners can run into millions of dollars.
Vulnerabilities. It’s been demonstrated time and time again that there are problems. Facial recognition has some issues as a stand-alone approach to identification authentication as does fingerprint and voice recognition. And that’s just the beginning. Biometrics do not work for the “first step’ of authentication. Since there is no central repository for biometric data, what do you check against when opening a new account? Even if there was a repository, where would the data be stored, how is it protected and who will have access to it? These issues are many and complex and they must be resolved before biometrics can be viewed as a comprehensive approach.
Consumer trust. A recent survey revealed that over 60 percent of consumers believe sharing their biometrics puts their identity at risk, leading to a reluctance to put their biometric information into a database, something that would be required for new account openings.
Regulatory uncertainty. Some states have already passed legislation regarding biometrics and some members of Congress are looking at Federal legislation.
Biometrics are promising, and in the long run, these issues will be resolved, but it will likely be some time before state and federal regulatory issues are addressed and aligned, along with the issues involving how data is stored, protected, and accessed are ultimately resolved.
Multifactor Authentication
Two-factor or multifactor authentication (MFA) products are another consideration. These involve more than one type of information authentication. The most common is a short message text sent to provide secondary login information. The idea behind multifactor authentication is that if a hacker has gained access to your primary information, the required secondary information makes it much tougher to gain access.
Most consumers are comfortable with being texted a number for authentication. However, there are certain risks:
Account takeovers. With mobile phone account takeovers doubling between 2016 and 2017 and increasing another 15 percent over the past year, a smartphone message raises security questions. With your social security number and address, which can be bought for a few dollars on the dark web, a fraudster can port your phone and quickly change the passwords of your online accounts.
Limited effectiveness. With all the well-documented problems associated with phishing ” and malware, problems remain.
Smartphone vulnerabilities. With mobile phone account takeovers doubling between 2016 and 2017 and increasing another 15% over the past year, information vulnerability is an issue.
Technology gaps. Cloud-based applications are many and that’s an issue for local devices. And that’s just one issue. The variety of technologies require solutions that can drain IT resources quickly.
Cost. The cost of IT resource demands, service and support, the need for training, maintenance requirements, and associated services are not cheap. You also want to look at additional costs like what the price tag will be for development of a mobile app.
Transaction Anomaly Detection
Transaction anomaly detection refers to finding patterns in data that could signal a fraud issue because the data doesn’t reflect expected behavior. While some can be easy to implement, the challenges to these solutions must be considered.
Defining behavior. It is a real challenge to define and cover every possible instance that could and should be included under the umbrella of what analytics defines as normal behavior. and there are issues associated with adequately covering every possible normal behavior, which is at best extremely difficult.
Errors. Misreads are a good way to chase a good customer or a potential customer away. Because this can happen with transaction anomaly with its assumptions of definitions of normal behavior, this is an issue that has to be considered.
Costs. It’s important to look at the cost in terms of all the potential facets ranging from the original investment to the demand on IT resources and support.
Scanners
An ID card scanner is an electronic device that scans a driver license or other barcoded identification reading the data that is stored on the data stripe located on the back. It reads the data stored on the data stripe and displays the data on a screen. Some machines require a telephone or Internet connection in order to function. Some retain data.
What seems like a good solution comes with issues.
Accuracy. Some canners have proven a problem for retailers and law enforcement agencies. The problem is how they operate. Many are limited to decoding the barcode, a simple thing to do, but not authenticating it meets the jurisdictional standard
Vulnerability. Fake IDs are flooding communities across the country. They are inexpensive and readily available. Many scanners have a very mixed record in their ability to detect ever-evolving, sophisticated high-tech fakes according to the many businesses and law enforcement agencies who have shared their information with us. This creates vulnerabilities that are especially problematic for restaurants, retailers, special event programs and age-restricted venues dealing in age-restricted products like alcohol, cannabis, and vaping products.
Privacy. Some scanners retain data. While this can be helpful to build a mailing list or capture demographic information, who has access to that information? How is that information protected? These are serious issues of privacy and potential big issues associated with safety and security. Because of the need for many to use an internet connection or phone line, hacking is also an issue.
Cost. Scanners tend to be costly and that kind of investment for one location let alone multiple locations requires a significant capital investment. Service and maintenance can add to that cost. Some manufacturers charge a fee for downloading scan history to a computer. Some require a phone line or internet connection to work.
Apps, Mobile, and Online Solutions
There are a variety of solutions, both online, mobile and, in some cases, able to integrate with point of sale solutions that are currently available. Some are SaaS technology solutions and do not require hardware. Some use algorithms to seek to detect anomalies that may mean a fraudulent identification, some use biometrics and some use artificial intelligence and machine learning.
The options vary, so understand the issues.
Accuracy. When algorithms are used, what can be perceived as potential fraud, isn’t always the case. Good customers can be turned off and turn away. Some biometric solutions can be spoofed. Fraudsters can be missed. Look for data that the supplier can give you with use cases that underscore measurements.
Privacy. Unresolved issues surrounding biometrics remain a challenge. The lack of consistency in government policy also makes this a more challenging issue for multi-state retailers.
Performance. You need to look at the track record of the solution you are using. Is this a proven solution? Solutions that have users in state and local enforcement agencies and banks as well as in the retail industry give you a real sense of a proven technology sense.
Friction. This is more than a buzzword. Speed and accuracy feed into whether this solution will work for you. It’s important to understand if the experience will be seamless and engaging for the customer and whether it offers value-adds like form population for new accounts, which shaves time off the customer experience.
Cost. Budget realities and resource commitment need to be examined. Examining the capital investment is one factor. Understand what the option you are evaluating means in terms of ease of adoption and use to get a sense of the total investment picture. Understand the cost to your IT resources and what kind of training might be required is another key part of the real cost of a solution. It is important to remember value-adds like form population reduce future costs in terms of eliminating costly man hours, while enhancing the customer experience.
Inaction is not a credible option. Loss prevention, by definition, must deal with the immediate threats in the near term and be prepared for the longer-term threats. From a preparedness and planning point of view, it’s clear that threats are a daily reality and the identity theft crisis is far from over.