Identity Scoring: New Defense Against Data Breaches
Feb 15, 2007 4:00 AM PT
By now, you're probably familiar with the scenario: A major retailer or private institution is hit with a hack that compromises the stored data of thousands of individuals. Names, debit and credit cards, and Social Security numbers are up for grabs to the highest bidder.
The breached institution offers credit monitoring to the affected individuals, along with a perfunctory "We're sorry" letter, and life goes on. However, credit monitoring services fail to pick up some of the most common and dangerous forms of fraud and identity theft. The danger for breach victims goes well beyond what credit monitoring detects.
Identity scoring is the newest form of risk management and fraud detection, which can protect consumers and help businesses far better than credit monitoring. Identity scoring has the potential to be such an effective solution that Gartner recently predicted that identity scoring would overtake credit monitoring as a breach solution by 2009.
Too Much Cost, Too Little BenefitCredit monitoring is the de facto standard for individuals who want to protect their finances from potential fraud or identity theft. This has become a lucrative new revenue stream for the major credit bureaus, which charge anywhere from US$7.95 to $24.95 a month to monitor and place "fraud alerts" on subscriber accounts.
However, credit monitoring only covers credit-related fraud, such as opening new credit card accounts using stolen information. It does not monitor debit card fraud, since banks don't report debit usage data to credit bureaus. With 50 percent of card sales being for debit or ATM cards rather than credit cards, that's potentially billions of dollars' worth of fraud that is going unmonitored.
Further, credit monitoring does not detect misuse of one of the most common identity elements -- the Social Security number. Sophisticated hackers and fraudsters have adopted the tactic of combining part or all of one person's Social Security number with another person's name, creating a "synthetic identity" that can then be used to open credit accounts.
Synthetic identities are especially dangerous because misuse of the Social Security number so often goes unreported. If an identity thief opens an account with a stolen number, the credit bureaus merely open a "sub-file" for the new account under the file of the original number owner.
Original number owners never know their information is being misused, unless a thief runs up debt in their name and bill collectors come calling. Credit bureaus and banks also fail to inform victims that their numbers are misused, citing potential violations of account holders' privacy.
Most of all, credit monitoring and alerts don't work until a data breach or potential fraud has already occurred. While they may offer limited protection, that protection still takes place after the fact.
"AARP's research verifies that data breaches can present significant risks of identity theft for the affected if protective measures aren't in place," said Neal Walters, a policy research analyst for the AARP Public Policy Institute. "It's essential that consumers have the means to proactively protect themselves from identity theft."
Knowing the Score
How does identity scoring succeed in protecting a person's identity?
Identity scoring works on the same principle as other behavioral scoring systems such as credit scoring or auto insurance scoring -- it aggregates data on individuals from various sources and uses predictive analysis to generate a model of behavior.
Unlike typical credit monitoring, identity scoring utilizes all of the available data on an individual to make its judgment; everything from law enforcement records to property deeds to Internet chat logs can be used to generate an identity score. The end results are much more specific and capable of accurately judging a person's information as being authentic.
Identity scoring systems can be used to monitor all types of personal information, including debit card and Social Security number use -- and misuse. They enable monitoring of individual behavior across multiple enterprises, over periods of time, to create the most accurate profile possible of a person's activities.
For example, let's say thieves make off with a laptop containing names and Social Security numbers of employees at a company, which they plan to use to open new credit accounts. To avoid fraud detection, they mix some individuals' names with others' numbers to create synthetic identities, and start racking up the credit bills.
Where typical credit monitoring would not detect any unusual activity, an identity monitoring system that used identity scoring would immediately alert any affected subscribers that their information was being misused. Identity scoring is specifically designed to target identity-theft-related activity, and can warn businesses and customers of potential damage quickly.
Best for Business
Identity scoring is a relatively new concept, and is currently used chiefly by businesses and lenders to gauge potential fraud risk for new customers. Companies such as ID Analytics, Fair Isaac, and Edentify have all developed custom identity scoring applications to prevent "new accounts fraud" and minimize risk in lending to new customers.
Because identity scoring is so new, there are no across-the-board standards or dominant players in the field as yet. Each company has its own system that measures component information differently. There are no identity scoring applications available for consumer use as yet, though MyPublicInfo utilizes identity scoring as the basis for several of its offerings, including a monitoring service.
Identity scoring has the potential to provide the best protection and management services for consumers and businesses alike, and is substantially less expensive than credit monitoring.
As identity thieves and hackers become more sophisticated, the defenses against them have to improve as well, and identity scoring is the best defense available.
Harold Kraft is founder and CEO of MyPublicInfo, an identity scoring firm that provides consumers with access to public records for identity theft prevention. .