NEW YORK (MainStreet) -- “Sarah” (whose name was changed upon request) cannot read one more article about how identity theft occurs because the victim did not take the necessary precautions.
Three years ago, Sarah, a software engineer and programmer, was the victim of a nefarious attack that brought an already cautious and knowledgeable consumer (and industry professional) to her knees. “It started with tax returns where I later learned, only through the fact that my brother was also hacked, that someone accessed our information through our mortgage provider and stole every aspect of my personal and financial identity,” she said.
During the mortgage crash, Sarah’s information became vulnerable, as her investment property in South Florida ended up on the auction block. “Once this happens, a slew of leaches and dubious individuals have access to your information,” she remarks. “Unfortunately, my brother and I were part of those thousands of people who were hacked and my life as been a nightmare ever since.”
She's certainly not alone. There are 15 million identity theft victims each year in the U.S., and credit card fraud nationally is estimated to be $10 billion to $12 billion alone.
Never one to pay with her debit card and someone who has always watched her credit card charges, Sarah was also the queen of shredding all physical mail containing even the smallest about of personal data. She had intimate knowledge of how online protective measures worked, and where they failed, and took steps beyond what the average consumer would consider.
“My lesson was that it can happen to anyone no matter if they take the right steps and play by the rules,” she says. “I have very few tips for others, because my information was released by a third party. I’m so frustrated when I read the articles that essentially blame the victims. People think that if they are cautious their information is not vulnerable, but that’s just not true anymore. Any time you provide your Social Security information or pay for something online you put yourself at the mercy of the institutions’ security measures.”
Sarah says that three years later she is still waiting for the other shoe to drop as new fraud issues have arisen in drips and drabs. “Will it ever end? It’s hard to tell because just when I think I’m covered something new crops up. My finances have been disrupted so many times, I finally put a security freeze with the three national consumer credit reporting agencies --Transunion, Equifax, and Experian”
Coming from an industry professional, Sarah’s story is jarring, especially to the average layperson who uses a credit and debit cards on an ongoing basis and just follows the protective steps provided by their bank or news resource.It’s Not You, It’s Them
IBC Bank’s senior vice president of electronic services Kevin Mullins understands Sarah’s tale of woe and agrees that scammers can always find the loop holes, regardless of your tenacity.
Mullins is in the process of upgrading thousands of customers’ plastic to EMV-chipped cards, which are designed to reduce fraud and says that Sarah is in the right for the feeling of uneasiness.
“The concern is about counterfeiting,” he says. “That’s where thousands have been burned. That’s where Target, the banks and Home Depot have been burned.”
He explains that adding an EMV-chip to each credit card won’t completely solve the problem but is one piece to a larger puzzle.
“I wish I could say there is a magic bullet that would wipe out fraud but it takes many different steps working toward the problem that will at least reduce the likelihood of having your financial data stolen,” Mullins said.
EMV cards are designed reduce the physical opportunity of having your magnetic stripe data lifted and mass produced, which should alleviate a decent amount of fraud. “However for making online purchases, the risk still exists,” Mullins contends. “Until we get into widespread tokenization for cards we aren’t going to reduce the risk of using your card online.”
One area that remains vulnerable is when the card is not present. Sarah says one of the most recent reports of credit card compromise was with an EMV-chipped card that was used online. “When you're paying online, a chip on your card makes no difference at all,” she says.
Diane Morais, Ally Bank’s CEO and president, says that as customers transition to the EMV-chipped card, her bank’s message is simple. “Regardless of whether [the customers] have an EMV debit card or not, we guarantee they will not be liable for any unauthorized transaction as long as they report the unauthorized transaction within 60 days from when their statement is made available,” she said.
Morais adds that Ally offers an online and mobile security guarantee that ensures customers will not be liable for any unauthorized online or mobile banking transaction as long as they report it within 60 days from when their statement is made available.
Sarah says she went beyond what is typically suggested to protect her financial information, yet was still victimized. “I can’t read one more story that lists the same protective measures,” she says. “Shredding my information and protecting my passwords is second nature.”
Aside from the usual recommendations, Mullins suggests asking about out-of-band authentication, which provides a protective layer if the customer’s account is reached through a new or unrecognized computer or mobile device. “You will have to input and validate information that is straight off the core system to continue to conduct business,” Mullins says. “Even if online banking is compromised, the hacker wouldn’t be able to gain access to the user’s account because out of band authentication would have to take place.”
“When additional verification is needed, we activate extra security measures like asking a question that only the customer knows the answer to, or sending a security code to a device they’ve registered,” Morais says. “This is often called two-step, two-factor or multi-factor authentication.”
Morais also suggests customers ask their bank offers access to free anti-virus or anti-malware software.
Another protective measure consumers can take is to read the privacy statements included with any financial encounter.
“I understand that the legalese jargon can be complex to understand and process, but if you can look for the area regarding whether the organization shares your information with a third party provider, you can either re-consider the agreement or ask questions,” says Alan Akahoshi, security leader for digital banking solution provider Digital Insight.
Most recently, The Today Show’s “Hacking of America” series featured the pitfalls of using insecure free Wi-Fi hotspots at airports and popular tourist destinations such as New York City’s Times Square. The news segment cited that 92% of free Wi-Fi users never read the disclaimer that sometimes clearly states the “network will access personal information.”
With regard to EMV, Akahoshi agrees that the technology is a step in the right direction. “However, until we get to the stages where EMV readers and cards are more prevalent, consumers will face the same challenges,” Akahoshi says.