This article outlines how the introduction of PSD2’s Strong Customer Authentication (SCA) will likely fuel the rise of identity theft fraud, and how the early notification of data breaches and appropriate response strategy, as required under Europe’s new data protection laws (GDPR), are critical to combatting ID theft fraud.

Where Next For Fraudsters?

In the PSD2 era, the new Strong Customer Authentication procedure will dramatically reduce ecommerce fraud –  referred to as ‘card not present’ (CNP) fraud – in the EU for transaction values above the €30 threshold set by the Directive. However, the history of payment fraud suggests that a decline in fraud in one area as a result of a successful prevention initiative, is often followed by a rise in fraud activity and volumes in another area. This trampoline effect is of course to be expected. It was evident after the introduction of EMV chip cards in Europe. Fraudsters moved online in Europe or simply moved over to the US where chip cards had not been introduced. So if SCA is successful in stemming CNP fraud, then what will replace it. Where will the fraudsters go next?  Ecommerce fraud activity may start to spike below the €30 threshold. SCA may also be sufficient to deter criminals and many may choose to focus on opportunities elsewhere on the globe.

Identity Theft Is Now An Epidemic

However, the introduction of SCA is likely to fuel the explosion in identity theft fraud. It is now the fastest growing fraud category across the globe regardless whether cards are chip and PIN or not. In the UK, identity theft has reportedly already reached ‘epidemic levels’. According to figures released in Aug 2017 by CIFAS, UK’s leading fraud prevention service, identity theft now accounts for 56% of all fraud reported by its members. Approaching 200,000 cases of ID theft are now being reported on an annual basis. Half of these are fraud attempts against bank accounts and cards.

Whereas CNP fraud essentially involves a criminal using a stolen card to purchase something of value online normally with the intention of reselling it. By contrast, identity theft fraud is when a criminal obtains the right kind of personal data to do one of two things. Either to get into or take over an existing account held in the victim’s name – referred to as Account Take Over fraud (ATO), or alternatively apply for and open an entirely new financial account using the identity of the victim – referred to as account Application fraud.

With regards to ATO fraud, various options are open to the criminal once inside the existing account of the victim. The most basic is to transfer funds out of the account into another account under his control. Under PSD2, the SCA procedure will be required to set up a new beneficiary so a basic funds transfer strategy may not work in all instances for the criminal. Alternatively, the fraudster may apply for a new credit card with the intention of intercepting, or he may change the physical address to which the card will be sent.

In Application fraud, usually what happens is that the fraudster will use the stolen identity to open up as many financial accounts, including but not limited to credit cards, as possible in a compressed period of time. A growing volume of application fraud cases involve an application for new unsecured loans or instant credit providers. Fraudsters are particularly targeting new fintech start-ups where the pressure or desire to accept new customer applications is greater, or where fraud, risk management and governance processes and expertise are not yet sufficiently robust enough to spot a fraudulent application.

A variant of Account Application fraud uses what’s known as a synthetic identity. This is a particularly sophisticated and elaborate fraud scheme in which an entirely new and fictitious identity is created based on various elements of personal data gathered from genuine real identities. Typically, the scheme will start with the fraudster opening an innocuous basic bank account in which they will deposit a small amount of funds probably in cash. They then create a transaction history over a period of time to support the creation of a positive credit file with consumer credit agencies. Once these under the radar steps in place, the fraudster will apply for as many credit cards and unsecured personal loans as possible all linked to the current account held in the fictitious identity. With no real victim, synthetic ID theft fraud often gets written off as a credit loss by the bank and not as fraud loss.

Link Between Data Breaches And ID Theft fraud

There is now a well-documented link between data breaches and the rise of identity theft fraud. Personal data obtained through cyberattacks is simply sold on various online marketplaces managed by the criminal underworld.

Part of the problem with identity theft is that whereas credit cards can get cancelled and reissued, most of our personal data doesn’t change ever. Our names, dates of birth, our National Insurance / Social Security numbers are static data points. Once up for sale on the dark net, the risk of identity theft can linger for years. The recent Equifax data breach spilled personal data from an estimated 143 million Americans, nearly half the population, into the hands of criminals.

Early Data Breach Notification Is Key 

A key component to preventing identity theft is early notification to both the authorities and the individuals impacted. Responding to a data breach and quickly notifying affected customers is a critical step to managing the fall out of a data breach. Early notification is only starting to become the norm. Consider that it took Yahoo nearly years to discover, investigate and then finally disclose in 2016 that its customer accounts had been hacked in 2013. Yahoo was criticised for their late disclosure of the breaches and their security measures. The breaches impacted Verizon Communications‘ July 2016 plans to acquire Yahoo! for about $4.8 billion, and resulted in a drop of $350 million in the final price on the deal which closed in June 2017.

In the case of Equifax, all affected persons were contacted and informed direct. But the company’s overall response was still heavily criticised. Its shares tumbled 18%, the biggest one-day drop in 16 years, as complaints mounted that the company’s online and phone support systems were either broken or insufficient.

The options available to affected persons include essential monitoring of all online accounts for abnormal activity. In the US, consumers have the additional option of what’s known as a ‘security freeze’ which is a temporary access restriction to your credit report and prevents any new financial accounts reliant on a credit report from being opened in your name.  Alternatively, they can opt for an ‘credit report alert’ which will require additional ID verification steps before a credit report is made available to a business. The industry is looking to introduce such freezing and alert tools in the UK and elsewhere. However, fraud alerts such as these may be effective at stopping criminals from opening new accounts in a victim’s name, but they do not prevent fraudsters from misusing your existing accounts. The onus is therefore on the victims of ID theft to essentially monitor all bank, credit card and insurance statements for fraudulent transactions. This largely manual process is a stressful experience and can drag on indefinitely. It really has no fixed end date and has to become a daily routine.

 GDPR Makes Early Data Breach Notification Law

In the EU, GDPR, which will become law in May 25, makes it legal requirement for a data controller to report a notifiable data breach to the competent authority within 72 hours ‘after having become aware of it’ (Article 33), and to then notify the individuals affected ‘without undue delay’ (Article 34). In light of the tight timescales for reporting a breach, the Information Commissioner Office (ICO) points out that it is important for organisations ‘to have robust breach detection, investigation and internal reporting procedures in place.” Failing to notify a breach can result in a fine up to €10 million or 2% of global turnover (whichever is greater) – which in many cases could prove fatal for the organisation in question.

When a data controller can be considered to have become “aware” of a breach was recently addressed by an EU working group. This, the WG determined that this will depend on the circumstances of the specific breach. ‘In some cases, it will be relatively clear from the outset that there has been a breach, whereas in others, it may take some time to establish if personal data have been compromised. However, the emphasis should be on prompt action to investigate an incident’ to establish whether or not a breach has in fact occurred.  During the period of investigation, the controller may not be regarded as being “aware”. However, it is expected that the initial investigation should begin as soon as possible and establish with a reasonable degree of certainty whether a breach has taken place. At this point the controller is assumed to be aware and is required to notify the competent authority. Further, detailed investigation can then follow.

A necessary component of this response involves assessing the likely risk to individuals. This should be facilitated by the ‘data protection impact assessment’(DPIA) which is required prior to carrying out the data processing operation concerned. So basically controllers should know what the risks to individuals would be in the case of data breach.

GDPR emphasises the need for a data breach response plans and governance arrangements which should include reporting an incident upwards to senior management so it can be addressed. Response plans will help the controller to plan effectively and determine who has operational responsibility within the organisation for managing a breach and how or whether to escalate an incident as appropriate.

Organisations Need To Take Action

Organisations large and small need to take action to both prevent data breaches but also to plan a response strategy when an incident does happen. The consequences, for those that don’t, will include massive fines as well as reputational damage that quickly translates into financial damage.