Digital Transactions Authoritative, insightful and timely information for payments professionals
Just because a consumer’s financial information is compromised in a data breach does not mean the consumer will become a fraud victim. But the linkage between breaches and fraud is becoming much stronger, according to new data from Javelin Strategy & Research.
Javelin recently reviewed data from its annual identity-fraud studies, one that surveyed 5,249 consumers, to learn more about the connections between breach notifications to consumers and incidents of actual fraud. In all, 12% of consumers Javelin surveyed last October reported being notified of a data breach involving their personal financial information. But 51% of fraud victims had been notified that they were data-breach victims in the past 12 months.
Looked at over three years, the fraud-incidence rate is increasing sharply. In 2010, for example, some 4.4% of all U.S. consumers were fraud victims while 11.8% of data-breach victims became fraud victims. Only 1.4% of consumers who were not data-breach victims became fraud victims.
In 2011, 4.9% of consumers were fraud victims, with 18.9% of data-breach victims reporting they also were fraud victims, But only 2.4% of non-data-breach victims that year reported they also were fraud victims. Respective numbers for 2012 were 5.3%, 22.5% and 2.9%.
In other words, the chances of a data-breach victim becoming a fraud victim nearly doubled in just two years. The reasons for that increase are the likely displacement of hackers “who did it for fun” by those with more businesslike but criminal intentions, according to Al Pascual, senior analyst for security, risk, and fraud at Pleasanton, Calif.-based Javelin, a unit of Greenwich Associates. These callous hackers also are improving their techniques.
“What we really think is driving that more than anything else is criminals are getting better at figuring out what is of value and then going out and really looking for it,” Pascual tells Digital Transactions News. “They’re looking for that low-hanging fruit.”
The lowest-hanging fruits are credit and debit card primary account numbers (PANs) and expiration dates, which can be easily sold on so-called carder Web sites, and used to produce counterfeit cards. There are so many such PANs and accompanying expiration dates on the black market nowadays that they’re going for only $1 to $3 for a Visa standard credit card, as little as one-tenth their price five or six years ago, according to Pascual. “It’s a question of volume,” he says.
Some 6.6% of consumers reported their credit and/or debit card numbers were compromised in 2012, 4.7% mentioned just credit card data, 2.2% said debit card information, and 1.9% said their Social Security number was breached.
Consumers whose debit-card data were compromised, however, were the most likely to report incidents of fraud: 37.1% versus 28.2% for consumers reporting credit and/or debit card numbers were breached, 27.7% for Social Security numbers, and 24.3% for credit card numbers alone.
Credit cards tend to have somewhat tighter fraud-prevention controls than debit cards, which consumers frequently use as substitutes for cash, according to Pascual, a former fraud investigator with processor Fidelity National Information Services Inc. (FIS). “So those controls tend to be a bit looser, [debit card issuers] don’t want to turn down those transactions for fear of losing that customer,” he says.
Card networks typically fine merchants or payment processors when they sustain a data breach, but the costs those entities bear are just a fraction of the total losses breaches cause when actual fraud, consumers’ time to remediate breach-related problems, and related expenses are factored in, says Pascual. “There’s no onus on anyone to improve their data security, and there needs to be,” he says.
n
n
