Each year the Federal Trade Commission releases a report based on data from its Consumer Sentinel Network. Sentinel is a massive database of consumer complaints received directly by the FTC, as well as sent from state law enforcement organizations and the FBI’s Internet Crime Complaint Center. Unfortunately 2012 was a good year: the FTC saw a record two million incidents added to Sentinel.
Sentinel has been up and running since 1997 and has accumulated over eight million records. Complaints are classified into 30 different categories. With this latest report, identity theft was again the most popular complaint category for the 13th year with about 370,000 incidents. As I’ve recently written, 2012 was also a busy year for hackers breaching corporate networks to scoop up consumer personal data.
By the time an identity theft incident reaches the FTC, the consumer usually has discovered that some type of fraud has already been committed with their identity. The Sentinel database tracks fraud cases as well, and has valuable information as to how the stolen personal identifiers are used.
The largest category is theft of benefits—involving wages or taxes– and government document fraud, which accounts for about 46% of all cases. That’s followed by credit card fraud (13%), and phone or utility fraud (9%).
To make matters worse, identity thieves often create new accounts—new credit card, banking, or mortgage accounts—and as a result, consumers are likely not aware that other transactions are made on their behalf.
What’s being done about it?
In 2003, Congress responded to identify theft through a significant amendment to the Fair Credit Reporting Act by allowing consumers to place a fraud alert on their credit report files held by the credit reporting agencies (or CRAs). The alert typically stays in effect for 90 days, though it’s possible for the alert to remain active for several years.
The big three national CRAs—TransUnion, Experian, and Equifax— are required to inform each other when any one of them receives an alert. The larger point of course is that lenders and other financial companies who use these reports can then prevent additional fraud by denying credit to an identity thief.
How can consumers protect themselves?
Consumers have their role to play through filing a fraud alert, the CRAs do their part by maintaining centralized credit information, but what about businesses? The FTC has what are called Red Flag Rules that certain companies—mostly banks but really anyone that defers a payment to a customer— must follow to prevent or limit identity fraud.
Overall, the FTC suggests businesses take basic security measures such as deleting information that’s no longer necessary to reduce breach risks. The focus of the Red Flag Rule, though, is to help companies limit liabilities caused by identifiers that have already been stolen. They should of course look for alerts on a credit report, but just as importantly they must make reasonable efforts to authenticate customers– asking for social security number, date of birth, or mother’s maiden name are poor authenticators because that’s the kind of information that’s often stolen.
If you’re looking for more guidance on how to strengthen authentication, the FTC recommends this best-practices document from the Federal Financial Institutions Examination Council.