Friday, December 28, 2007

ID THEFT HITS RETAILERS HARDEST

ID theft is one of my pet hates, and yet with the introduction of FICA and FAIS, I fear that instead of the problem being addressed it has been escalated. You see the banks don't trust their own staff and neither can they believe a single thing that they say or do so everytime you walk into the bank you are required to produce your ID (not that I have a problem with that) and they they proceed to make several copies (now this I have a problem with!)

You see the FICA Act says that as an individual you have to 'prove' who you are - nowhere does it say that this means that anyone needs to take copies of your ID!

I was recently challenged by Nedbank to become FICA compliant for my business bank account despite the fact that the account was only opened in August of this year. I received 3 telegrams, a letter and an sms from them threatening me with the freezing of my bank account if I did not become FICA compliant. Unfortunately for them, I learnt the hard way and got the Nedbank staff member to sign in receipt of all my FICA documentation and so told them that if they froze my account I would be opening up a case of theft against them.

Cutting a very, very long story short, they eventually 'found' my documents and all is well - however, I am still somewhat peeved at the manner in which this went down, the threats and the way several of the Nedbank staff actually spoke to and treated me! My God, if I spoke to my clients like that, I would certainly lose them, but then again I suspect that the banking and insurance fraternity think that they are above the law and therefore can do as they please - this was one instance that they found that they couldn't!


ID theft hits retailers hardest
Stephen J Dubner and Steven D Levitt
03 April 2007 at 06h00


Steven Peisner stabs excitedly at his computer keyboard, trolling through a chat room where identity fraudsters buy and sell names, addresses, social security numbers and PINs. Some hustlers are American but others are from Russia, India, the Philippines, Nigeria, Vietnam, Iran - any place, really, where young men and computers cohabit.

How it works
How does this market work? If someone has just hacked a hospital database and come away with 10 000 "fulls" (a full set of personal information, down to your mother's maiden name), he'll post his asking price - typically $10 (R73) to $30 per full, depending on the freshness, along with a sampling of the data to prove legitimacy. Fraudsters also post specific queries. "Here's one," Peisner says, reading from his screen: "'Need female WU [Western Union] confirmer. Your share: 40 percent.' That means they need someone to go to the WU office in some coffee shop in Romania to pick up the cash because Vlad can do a lot of things, but he can't be Amy Weiss from Manhattan Beach, California."

There are as many varieties of identity theft today as there are varieties of mushrooms. And there are as many misconceptions about the scope of the problem, the incentives to stop it and how its costs are borne.

For starters, there are indications that identity theft has peaked. A recent study by Javelin Strategy and Research claimed that 8,4-million United States adults suffered some form of identity fraud in 2006, down from 10,1-million in 2002.

Bear in mind that the Javelin study was paid for in part by three financial services institutions, which certainly have an incentive to alleviate customer fears. But the US Federal Trade Commission also reports a levelling off, as does the Los Angeles county sheriff's department, which runs one of the most aggressive identity theft task forces.


Who cares?Still, identity theft remains an extraordinarily appealing crime. Most police departments don't have the staffing or know-how to even pursue the perpetrators.

The FBI, meanwhile, usually won't get involved unless the fraud reaches $100 000.Which raises an obvious question: If law enforcement doesn't care about identity theft, who does?

The answer would also seem obvious: you, the potential victim. But according to the Javelin data, people probably worry way too much about identity theft. Seventy-three percent of victims incur no out-of-pocket expenses whatsoever; the unlucky minority loses, on average, $2 000 - far less than the scare stories would have us believe. And in more than half the cases of identity theft, the thief is a relative, friend or co-worker.


You don't often loseSo while you were being frightened into never again using a credit card, most of the cost of identity theft was actually being paid by someone else.

Surely, then, it is the banks and credit card companies that are desperate to stop the problem? Sergeant Robert Berardi, who runs the Los Angeles county sheriff department's ID theft task force, has found otherwise.


"The banks are in conflict between security and making a profit," he says. In an industry that is reluctant to add an ounce of friction to a customer's purchase, Berardi says identity theft is seen as simply the cost of doing business.


Business caresSo if the banks, the consumer and the police aren't incentivised to stop identity theft, who is?The merchant. That is what Peisner, a veteran of the credit card business, has discovered. "Let's say one of these hackers takes the information they find in a chat room. He goes to the Sony website, buys a laptop computer for $1 000, and a month later the actual cardholder gets the billing statement. He calls up his bank and says, 'I didn't order a computer from Sony.' "At that point, the credit card issuer, let's say Citibank, sends a 'charge back' through the interchange system to the acquiring bank, and that $1 000 is taken right out of Sony's bank account, and they also get hit with a $25 charge back fee."


So the merchant has lost the money from the sale (as well as the laptop) while paying the charge back fee, other bank fees and processing and shipping costs. "If you're a merchant," Peisner says, "you have all the liability." And, therefore, all the incentive to stop the crime.


That is why Peisner recently started a company, Sell It Safe, which aims to help merchants and banks screen their customers in online and telephone transactions. His main weapon is a massive, live database of stolen personal information, which a merchant can instantaneously check to learn whether Amy Weiss is really Amy Weiss.


When Peisner comes upon stolen data in a hacker chat room, social security numbers and passwords strewn about like underwear after a burglary, he often personally calls the victims and advises them to notify the police and the bank. Usually, they assume at first that he is a hustler himself, or at least a nut. But ultimately they are grateful.


This may be because Peisner himself responded to a phony email message, commonly known as a phish, which supposedly came from eBay. He was in the throes of bidding on a Jack Nicklaus personal credit card - Peisner collects credit card memorabilia - when he received the eBay phish telling him that his account would be suspended if he didn't update his personal information. "I thought, 'It expires in 10 minutes - I better go in and turn my account back on,'" he recalls.If it could happen to Peisner, it could happen to anyone.


In a recent academic paper called Why Phishing Works (PDF), three computer scientists (one from Harvard and two from Berkeley) ran a study and found that "the best phishing site was able to fool more than 90 percent of participants".


Fortunately, most phishing sites are not designed by top-tier computer scientists with good English skills. Peisner recently discovered a fake Bank of America website that asked for a customer's account number, online identification, PIN, social security number and address. Only at the end of the form was the site's illegitimacy - and the creator's foreign origin - revealed, when it asked for information that should have baffled any United States customer: "Father Maiden Name". - The New York Times


Stephen J Dubner and Steven Levitt are the authors of Freakonomics: A Rogue Economist Explores the Hidden Side of Everything. For more Freakonomics, visit the website http://www.freakonomics.com/. This article first appeared in the Business Report.

No comments: