More ID Fraud Cases Stem from Data Breaches, Report Says

The good news about identity fraud: dollar losses per incident are going down. The bad news: incidents are up. The bad news for merchants: fraud victims, especially young adults, will punish merchants they associate with ID fraud. And some bad news for the payments industry in general: more ID fraud victims claim the source of the fraud was data breaches. Those are just a few of the findings from the 2009 Identity Fraud Survey Report released on Monday by Pleasanton, Calif.-based Javelin Strategy & Research. The results are based on a random sample of 4,784 U.S. consumers who answered a 50-question survey last October. Some 482 respondents reported being fraud victims in 2008. Javelin estimates some 9.9 million adult Americans were ID fraud victims last year, up 22% from 8.1 million in 2007. The incidence of fraud victims in the U.S. population rose to 4.32% last year from 3.58% in 2007. Yet the mean (average) fraud loss fell 11.6% in 2008 to $4,849 from 2007's mean loss of $5,488. In all, Javelin estimates identity theft resulted in $48 billion in losses in 2008, up from $45 billion in 2007 yet well short of the $60 billion in 2004. The greatest increase in ID fraud last year happened on existing card accounts. The median loss per victim?half of all losses higher and half lower?did not change in 2008 from 2007's $750. In fact, the median loss has remained at $750 since the Federal Trade Commission did its landmark ID fraud study in 2003, a study upon which Javelin has based its subsequent annual surveys. The big difference between the annual mean and median losses implies that the worst hit victims suffer very large losses. The mean cost to consumers fell 31% in 2008 to $496 per incident. The median actual cost last year, however, was zero, as it has been in the previous studies, because of credit and debit card issuers' zero-liability policies and other measures by financial institutions to make their customers whole after fraud incidents. Despite those efforts to compensate customers, the study has some sobering numbers for merchants and financial institutions about victim response and customer retention. The most common response to ID fraud by the overall victim base, 61%, was to add anti-virus, anti-spyware, or firewalls to their personal computers. But the most common response by young-adult victims was to “avoid certain merchants,” the survey report says. Some 63% of victims ages 18 to 24 cited that reaction compared with 43% of all victims. And 24% of young adults and 17% of all victims said they switched their primary bank or credit union after a fraud incident. “Younger consumers are more likely to suffer from debit frauds, explaining why a higher percentage of young adults ages 18 to 24 leave their banks after an identity fraud,” the report says. “These frauds have long-lasting consequences for a young adult's primary relationship with banks.” Meanwhile, among the 35% of 2008's ID fraud victims who said they knew how their information was accessed, 11% cited data breaches compared with only 7% in 2007. That news comes while the payment card industry is abuzz about the big breach at merchant acquirer Heartland Payment Systems Inc. (Digital Transactions News, Jan. 26), the full extent of which still isn't publicly known. But despite the headlines data breaches, phishing and malware get, identity fraud remains a crime with a large physical and personal component. Among the cohort that knows how their data were accessed, 43% cited a lost or stolen wallet, checkbook, credit card, or other physical document. Another 13% cited friends, acquaintances, relatives, or in-house help as the source, and 1% blamed stolen paper mail. James Van Dyke, Javelin Strategy's founder and president, says the financial industry has made great strides in recent years in reducing the impact of ID fraud, as evidenced by the declining average losses and other measures. But the industry still has a long ways to go, particularly in enabling customers to identify fraud early, he adds. He cites the transaction alerts many banks now send to customers via e-mail or text message. While such alerts typically warn the customer of something unusual, such as a big purchase or a charge on their card from a foreign location, banks should give customers more power to set detailed alert parameters, he says. Customers, he notes, don't want an alert every time they buy something while vacationing outside the U.S. “Put customers in control and allow them to get highly customizable ones, not just these basic ones,” Van Dyke says. “What's so hard about this for card issuers and network brands is it takes fairly complex technology [for the] capability, but you have to invest in usability testing to make it as simple to use as an iPod.” The margin of error for the entire sample base of nearly 4,800 consumers was plus or minus 1.4% at the 95% confidence level, and plus or minus 4.4% at the 95% confidence level for the 487 fraud victims.