The Equifax Data Breach could be the worst breach of all time. I really believe that. If what Equifax is saying is true – that the personal information of up to 143 million consumers held by the credit bureau has been breached – it could be the single most impactful breach of all time.
Sure, there have been larger breaches and we are all used to card breaches, but credit cards have expiration dates. The breached data often has a short useful lifetime of 2 years. This is personal credit bureau data. This data doesn’t expire. It lasts a consumer’s entire lifetime. This data could be bought and sold many times and be used to defraud banks and consumers for 10, 20, 30 years or more. That is why this breach is so, so bad.
Over 9 billion records have been breached since 2013; Equifax’s 143 million records make up only 2% of that total. But it’s a very bad 2%.
The Keys to the Kingdom Have Been Stolen
The 3 Credit Bureaus literally store and manage the “Keys to the Kingdom” when it comes to granting credit. If that information was stolen, the fraudsters have the keys to perpetrate the perfect fraud against banks.
They have social security numbers, addresses, driver’s licenses, dates of birth and credit cards. All the things we rely on to confirm identity. Everything. And naturally, if they have everything, that means the foundation that banks use to control new account fraud or application fraud is badly damaged.
“On a scale of one to 10, this is a 10 in terms of potential identity theft,” said Gartner security analyst Avivah Litan. “Credit bureaus keep so much data about us that affects almost everything we do.”
The keys have been lost. What’s the point of even having a lock on a door if every fraudster has the key?
So Bad, So Wrong, In So Many Ways
I don’t want to pile on Equifax here. There are so many negative articles on how they screwed up. I have read most of them.
Class action lawsuits have been filed. The Senate is already licking their chops to bring the executives in and rake them over the coals in front of American voters.
There will be a big shakeup at Equifax. Some will probably lose their jobs. New people will be brought in. Things will change. Hopefully, the company will survive, but some out there doubt it. The liabilities could be crushing to the company or at least impact the financial performance for years to come.
At the end of the day though, cyber thieves are the real ones to blame. They are the ones that stole the data. They are the ones that are going to monetize it. They are the ones that are going to cause so much financial damage to so many. If you are a victim, it was the cyber thieves that stole and used your data.
We live in a day and an age where we punish companies that have been penetrated by cyber thieves with billions of dollars in fines and lawsuits. Then we underfund law enforcement, de-prioritize fraud crimes and give the criminals a free pass. That’s just wrong. We need to take these people off the streets. I hope these criminals are found and punished for their crimes.
There Will Be Big Impacts to Fraud Departments
So everyone is passing around interesting articles on the Equifax breach at work. But to Fraud Departments, this has to be much more than just reading an interesting article and then continuing on with their normal daily work.
You see, this changes things. Potentially it could change things in a big way. And plans need to be made. There will be more fraud. There will be better and more well-disguised fraud attempts. Tools that worked in the past may not work anymore. And to be sure, there will be more regulations and scrutiny on banks and companies.
So what should Fraud Departments plan for? What impacts should they expect over the next 12-24 months that could cause them.
Here are 5 things that I think will require careful planning by fraud managers.
#1 Plan for Knowledge Based Authentication Tools Being Less Effective
Knowledge Based Authentication (KBA), those pesky multiple choice tools where consumers choose answers to questions as a way to authenticate themselves, might be doomed.
I have never been a fan of Knowledge Based Authentication Tools. I just don’t believe they work well enough. The false positives are high. Customers on average can fail 50% of the time and fraudsters on average can succeed 50% of the time.
But with the Equifax breach, you can be sure that KBA Tools will be even less effective. Since many questions rely on previous address information, Social Security numbers and other information involved in the breach, these questions are less meaningful. With this information freely available, fraudsters will have no problem answering questions based on bureau information.
This spells bad news for banks and lenders that use these KBA tools as their primary means of stopping fraud.
To plan for this, Fraud Managers should:
- Carefully monitor fraud rates on accounts that successfully passed KBA. Is it suddenly increasing?
- Consider changing KBA questions to be less Credit Bureau based if it looks like fraud rates are increasing.
- Consider creating randomized “reaction type” questions that are designed to see how the person responds vs what they say.
- Consider other alternatives to KBA that might be more effective.
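One way to answer the "Is it suddenly increasing?" question from the first bullet, as an added example that is not part of the original post: compare each recent week's confirmed-fraud count among KBA-passed accounts with a baseline rate using an exact one-sided binomial test. The weekly figures, the `wk-NN` labels and the 0.01 alert threshold are constructed assumptions, and fraud is assumed to be attributed back to the week the account passed KBA.

```python
from math import exp, lgamma, log, log1p

# Constructed sample data: (week, accounts that passed KBA, of those later confirmed as fraud)
BASELINE = [("wk-01", 4000, 20), ("wk-02", 4200, 22), ("wk-03", 3900, 19), ("wk-04", 4100, 21)]
RECENT = [("wk-09", 4000, 23), ("wk-10", 4100, 45), ("wk-11", 3800, 41)]


def binom_upper_tail(k, n, p):
    """P(X >= k) for X ~ Binomial(n, p), summed in log space to avoid overflow."""
    if k <= 0:
        return 1.0
    log_p, log_q = log(p), log1p(-p)
    total = 0.0
    for i in range(k, n + 1):
        log_pmf = (lgamma(n + 1) - lgamma(i + 1) - lgamma(n - i + 1)
                   + i * log_p + (n - i) * log_q)
        total += exp(log_pmf)
    return min(total, 1.0)


def baseline_rate(weeks):
    """Pooled fraud rate among KBA passes over the baseline weeks."""
    passed = sum(n for _, n, _ in weeks)
    fraud = sum(k for _, _, k in weeks)
    return fraud / passed


def flag_weeks(baseline, recent, alpha=0.01):
    """Mark recent weeks whose fraud count among KBA passes would be
    improbably high if the baseline rate still held."""
    p0 = baseline_rate(baseline)
    rows = []
    for week, passed, fraud in recent:
        p_value = binom_upper_tail(fraud, passed, p0)
        rows.append({"week": week, "rate": fraud / passed,
                     "p_value": p_value, "alert": p_value < alpha})
    return rows


if __name__ == "__main__":
    for row in flag_weeks(BASELINE, RECENT):
        print(f"{row['week']}  rate={row['rate']:.4%}  "
              f"p={row['p_value']:.2e}  alert={row['alert']}")
```

Fraud on a new account is usually confirmed weeks after the KBA pass, so compare cohorts at the same age; otherwise the newest weeks always look cleaner than they are.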
#2 Plan for Increases in Application Fraud
Armed with valid social security numbers, valid addresses, driver’s licenses and more, fraudsters will continue to target application fraud as their means of monetizing their stolen data.
Application fraud rates can be as high as 1% or more in some industries, which already makes them 10 to 15 times higher than card fraud loss rates.
To plan for this, Fraud Managers should:
- Budget and plan for higher loss rates due to application fraud across channels. The fraud rates could increase 10% to 15% next year if this much data has been exposed.
- Consider increasing fraud controls in your application fraud prevention area. Look at alternative scores and tools that can help you better target application fraud.
- Consider increasing staffing or shifting resources towards application fraud prevention next year to account for the higher loss rates.
#3 Plan for Increases in Credit Card Fraud
Forter reported a 15% spike in credit card fraud related activity in August after the breach first occurred. The spike, which was originally reported in the New York Post, was believed to be related to the Equifax breach according to Forter.
“We saw a 15 percent increase in the overall fraud attempts in our system in August, which is an unusual time of year to see such a spike,” said Liron Damri, co-founder of Forter, a fraud prevention service for online retailers.
While it is tough to see if there is a direct link, one is probable, as fraudsters have the most success using stolen card credentials immediately following the theft of the data, before it is announced to the general public.
Credit Card fraud is most likely to increase in the area of Account Takeover though. This will likely be the case as fraudsters have enough information to change customers’ credit card addresses to their own and pass verification with the stolen information they received from the Equifax breach.
To plan for this, Fraud Managers of card issuers should:
- Monitor CNP, Account Takeover and Application Fraud to determine if they are seeing increased fraud activity.
- Consider adjusting account level fraud strategies and fraud controls to deter these types of fraudulent activity.
- Consider using tools like PinPoint Security which can help detect social engineering fraud and prevent account takeover by third parties.
#4 Plan for More Fear of Fraud, Chaos and False Alarms
If 143 million Americans (close to half the population of the US) suddenly have Identity Theft Protection on Equifax, that will surely have some impact on the originations processes at most banks and lenders.
It doesn’t help that Equifax has thoroughly confused and alarmed most Americans over the last week, first announcing to the world that everyone has probably been compromised and then sending confusing signals to those people that actually go on their site to do something about it.
This chaos will likely spill over to banks as consumers look for some relief. But it will likely carry on for a long time.
There will likely be an escalated concern among consumers that they are being defrauded when in fact activity is legitimate. When consumers feel their information has been compromised, it can make some more paranoid and quick to jump to conclusions when they don’t immediately recognize a charge on their credit card. They may close accounts when there is no need.
Additionally, friendly fraud risk could increase. Consumers may feel that they can take advantage of the system by blaming a large security breach for a legitimate charge they made.
To plan for this, Fraud Managers of card issuers should:
- Consider educating customer service and underwriting staff on how to handle customer inquiries regarding breaches and how their accounts are protected.
- Monitor fraud rates closely and monitor for sudden increases in friendly fraud by customers taking advantage of the situation.
#5 Plan for More Regulations and More Scrutiny
Fraud Departments are under the microscope for so much these days. With the recent mortgage meltdown, near constant CFPB fines of banks and lenders, and breaches occurring on a daily basis, the regulators don’t miss a chance to scrutinize anything and everything a fraud department does.
That will only get worse. With half the US population impacted and angry, it will certainly spur congressional hearings. Equifax will be raked over the coals and the end result will be more regulation of banks, lenders, and companies to protect the consumer.
Protecting consumers is always a good thing. But regulations, as you know, can often be too far reaching and frequently result in more pain for customers than benefit.
Some Final Thoughts
Based on what Equifax has said, it’s really hard to say at this point just how many records were compromised. The press release indicated up to 143 million consumers might be impacted. But they are not saying how many, or who.
I myself tried to confirm if my information was compromised and they said that they would “tell me later.”
So it might be too early to declare this Armageddon, but it’s never too early to begin the planning process. As we all know, fraudsters will target the path of least resistance, so it’s good to avoid being the weakest link.
Best of luck to everyone out there in dealing with this big breach.