All posts by Guest Contributor

Your password is weak, whether you use 40 random characters or your dog’s name. With so many large data breaches leading to hundreds of millions of compromised credentials and payment cards in the past two years, it’s no surprise that e-commerce account takeover attempts have grown dramatically in recent months – to a degree we have never seen before. Previously, account takeover was primarily a banking issue, not something merchants had to deal with. Account takeover is an alarming trend that spans global airline loyalty programs, e-commerce transactions, social networking logins and virtually any web site leveraging username and password authentication. News of the latest cybersecurity concern should serve as yet another reminder that we live in a heightened state of risk where establishing online trust based solely on username and password or identity data is not sufficient. There are a number of factors that are contributing to the evolving fraud landscape namely that the Internet was not designed for security.  This places pressure on organizations to continually adopt new approaches to managing fraud like this growing account takeover threat. In this case, multiple layered controls including device intelligence are essential. As merchants extend more services online and allow customers to store payment information or get more convenient checkout via logged in vs. guest access, we’ll continue to see fraud migrating deeper into the e-commerce ecosystem. The account takeover problem will continue as consumers share usernames and passwords across dozens of online profiles and e-commerce logins, opening the door for attackers to access multiple accounts through a single compromised credential. Most of the account portals used by e-commerce merchants and loyalty programs were not built with the same level of security that their online transaction and fraud management systems have in place. So it’s a bit of a new risk, but fraudsters are aggressively exploiting the security gaps around things like simple username/password authentication. What can consumers and organizations do to protect themselves? Our recommendation for consumers is that they have unique username and password combinations for every online profile. This protects against attackers compromising one site and leveraging the same credentials to access all of the victim’s accounts and online profiles across the web. For businesses, we recommend implementing technology solutions that increase visibility to and recognition of devices for every online interaction so the organization can differentiate attackers from legitimate consumers. Some businesses believe that their products, services and loyalty offerings do not require the same level of protection as online bank accounts, so they leave them exposed to cyber criminals via simple authentication controls. As we’ve seen fraudsters will migrate to the path of least resistance and exploit the fact that most consumers re-use credentials out of convenience. In the digital age where consumers are increasingly represented by their devices the ability to know when there are authentication discrepancies between the data presented by the user and the device presenting those credentials is absolutely important to effectively controlling the threat. The authentication process will shift from a single view to a layered, risk-based authentication approach that will include comprehensive and real-time updates of consumer information. Conversations around the fact that the password is dead or dying have been circulating in the industry recently. What we don’t want is consumers getting tired of constantly changing passwords and giving up trying to protect themselves online. That is the worst case scenario that is becoming more of a reality as the days pass. Educated and aware consumers are still the best way to identify fraudulent attacks, and to keep identity data safe from hackers and devices free of malware. Increased adoption of biometrics, device intelligence and the sharing of authenticated and credentialed identities across industries will become commonplace to help combat account takeovers as they increase. Until then we need to find a password replacement. Learn more about 41st Parameter fraud detection and prevention solutions here.

Your password is weak, whether you use 40 random characters or your dog’s name. With so many large data breaches leading to hundreds of millions of compromised credentials and payment cards in the past two years, it’s no surprise that e-commerce account takeover attempts have grown dramatically in recent months – to a degree we have never seen before. Previously, account takeover was primarily a banking issue, not something merchants had to deal with. Account takeover is an alarming trend that spans global airline loyalty programs, e-commerce transactions, social networking logins and virtually any web site leveraging username and password authentication. News of the latest cybersecurity concern should serve as yet another reminder that we live in a heightened state of risk where establishing online trust based solely on username and password or identity data is not sufficient. There are a number of factors that are contributing to the evolving fraud landscape namely that the Internet was not designed for security.  This places pressure on organizations to continually adopt new approaches to managing fraud like this growing account takeover threat. In this case, multiple layered controls including device intelligence are essential. As merchants extend more services online and allow customers to store payment information or get more convenient checkout via logged in vs. guest access, we’ll continue to see fraud migrating deeper into the e-commerce ecosystem. The account takeover problem will continue as consumers share usernames and passwords across dozens of online profiles and e-commerce logins, opening the door for attackers to access multiple accounts through a single compromised credential. Most of the account portals used by e-commerce merchants and loyalty programs were not built with the same level of security that their online transaction and fraud management systems have in place. So it’s a bit of a new risk, but fraudsters are aggressively exploiting the security gaps around things like simple username/password authentication. What can consumers and organizations do to protect themselves? Our recommendation for consumers is that they have unique username and password combinations for every online profile. This protects against attackers compromising one site and leveraging the same credentials to access all of the victim’s accounts and online profiles across the web. For businesses, we recommend implementing technology solutions that increase visibility to and recognition of devices for every online interaction so the organization can differentiate attackers from legitimate consumers. Some businesses believe that their products, services and loyalty offerings do not require the same level of protection as online bank accounts, so they leave them exposed to cyber criminals via simple authentication controls. As we’ve seen fraudsters will migrate to the path of least resistance and exploit the fact that most consumers re-use credentials out of convenience. In the digital age where consumers are increasingly represented by their devices the ability to know when there are authentication discrepancies between the data presented by the user and the device presenting those credentials is absolutely important to effectively controlling the threat. The authentication process will shift from a single view to a layered, risk-based authentication approach that will include comprehensive and real-time updates of consumer information. Conversations around the fact that the password is dead or dying have been circulating in the industry recently. What we don’t want is consumers getting tired of constantly changing passwords and giving up trying to protect themselves online. That is the worst case scenario that is becoming more of a reality as the days pass. Educated and aware consumers are still the best way to identify fraudulent attacks, and to keep identity data safe from hackers and devices free of malware. Increased adoption of biometrics, device intelligence and the sharing of authenticated and credentialed identities across industries will become commonplace to help combat account takeovers as they increase. Until then we need to find a password replacement. Learn more about 41st Parameter fraud detection and prevention solutions here.

While automotive loan originations grew 15 percent year over year in Q1 2014, a recent Experian Automotive study found that more consumers are continuing to drive older-model vehicles.

In our most recent webinar, I had the pleasure of moderating a panel session with four fraud experts spanning across many diverse backgrounds. The consistent theme throughout was that cyber criminals have become quite proficient at stealing data or account credentials. Once a cyber criminal has valid account data, they have incredible access to a broad range of possibilities. How an account is used; a real-time view of deposit and withdrawal patterns and what types of alerts and notification settings are in place. A determined fraudster may observe accounts for long periods to ensure they are able to make their move at the optimal time. One of the biggest issues is being able to tell “friend from foe”, particularly in light of the endless supply of perfect, disposable data. I posed this scenario to our panel and asked what organizations can do now to protect themselves: SCENARIO – Telling friend from foe Credit card companies encourage travellers to alert them in advance of unusual travel to avoid red flags or declines while out of town. This can be a double-edged sword. A fraudster with appropriate credentials can contact a credit card company a few weeks before a “trip” to alert them of planned travel. At the start of the “trip” the distraught fraudster can then contact the credit card company to report a stolen card and request a replacement be expedited to them at their “destination.” The result is a fraudster armed with a completely legitimate card they can use at their leisure and with little risk of detection. There were three key take-aways the expert panel recommended: Enhance your visibility. Without this important tactic, you won’t know what hit you. Fraudsters are armed with pristine identity data so they will look and act more like your best customers. Employee multiple security layers. You may be focused on ensuring that you know your customer, but does the transaction pattern fit normal behavior for the user? Malware could be embedded on the device. Are items such as language and other settings consistent with what you’d expect for your legitimate customers? Protect profile setups / online enrolment and reward programs the way you protect transactions. While the financial risk to your business may be limited, the potential regulatory exposure and brand reputation hit can be significant. It takes years to build your reputation with your best customers – but only seconds to destroy it. Undermining their trust in online or mobile interactions with your business has an immediate and destructive impact on loyalty. What do you think? Let us know.

  Residential real estate lending was the leading component of the Great Recession of 2007-2009.  Could it happen again?  Let’s analyze our Intelliview data  to see where U.S. lending trends are headed with HELOCs. A large portion of Home Equity Lines of Credit (HELOCs) were originated from 2004 to 2007.  The term structure of these HELOCs will soon result in larger monthly payments, which could potentially promote consumer debt burden troubles.  Additionally, with as much as 13% of all first mortgage customers having balances greater than the value of homes, many HELOCs wallow underwater. HELOCs typically have a ten year draw followed by a twenty-year repayment period. However, there are variations in the term structures.  HELOCs can have as little as a five year draw, while others have a fifteen year repayment period.  During the draw period, customers only pay interest on the balance.  In the repayment period, the account functions like a loan, customers pay principal and interest. In 2012, the Office of Comptroller of the Currency (OCC, the primary banking regulator) reported that 58% of all bank HELOC balances would enter the repayment period and begin to amortize between 2014 and 2017 (OCC, Semiannual Risk Perspective, Spring 2012).  This report renewed fears that the increase in payments would lead to higher delinquencies and foreclosures, limit consumer spend and provide a drag on the U.S. economy. Paradoxically, the OCC estimates of the HELOC balances entering the repayment period may be low.  The OCC has accounted only for $392 billion of HELOC balances among banks.  Experian’s review of all HELOC trades shows a significantly higher level of balances.  Additionally, American Banker estimates the top 200 banks and thrifts had more than $477 billion in HELOC outstanding as of the end of 2013, with the top three lenders (Bank of America, Wells Fargo and JP Morgan Chase) comprising nearly $300 billion. Experian examined HELOCs in the four states with the greatest surges in home values and lending prior to the Great Recession.  California comprises nearly 19% of all HELOC balances and lines.  With averaging HELOC balances of 53% above the national mean, Arizona, Florida and Nevada are the three highest utilization rates by state.  Nevada has the highest 30+ day delinquency rate in the country at 2.92%, while the national average is 1.64%.           According to CoreLogic’s most recent home price index report, Nevada, Florida and Arizona home prices remain 30-39% below their peak real estate values.  California’s prices are down 17%, and the national average home value is still 14% below its highest value. Refinancing HELOCs may be difficult due to the significant number of second liens still underwater.  Compounding this difficulty, lending standards also have tightened, with regard to loan-to-value, debt ratios and credit quality. The average HELOC was examined at a 4.5% interest rate and a 20 year repayment period.  The average monthly payment increases almost 69% when the account leaves the draw period and requires paying principal balance as well as interest. This payment increase accounts for approximately 2.6% of the median U.S. household gross annual income. It is estimated that the increase in HELOC payments will comprise $1 billion in additional annual payments during 2014, and an additional $9 billion between 2015 through 2017.   However, it is important to remember that not all HELOCs will reach repayment. HELOCs are priced based on the prime rate.  That rate has been 3.25% for more than five years, a historical low.  When prime rate reached this level in December 2008, the rate was at its lowest in 53 years.  Only 18 months prior to reaching 3.25%, the prime rate had been 8%. If the prime rate increases by 1% to 4.25%, the average payment of accounts in the draw period would increase 22%, affecting just about every HELOC, with a national increase in annual payments of about $5 billion. The volume of HELOCs that are beginning to enter the repayment period may eventually increase delinquency rates.  However, no such increase is yet evident.  As shown below, delinquency rates are steady after a long decline.  In the past three years, 90+ days delinquency has declined 41%.     The Majority of HELOCs are second mortgages.   Successful completion of a foreclosure would involve making the customer’s monthly first mortgage payment in addition to all other expenses incurred in foreclosure and the sale of the property.   Very often foreclosing from a second lien does not make financial sense unless the financial institution also holds the first mortgage on the property. As a large portion of HELOCs enter the repayment period in the next four years, the payments that customers must make will increase considerably.  With interest rates as low as they are, the prime rate will eventually rise, and increase debt service ratios.  These payment increases will have implications on consumers, lenders and the economy.  Having grown 10.5% in the last year,  home values continue to recover from the recession.  It is yet to be determined whether this payment increase will have a broader or more isolated impact. In the meantime, HELOCs will continue to see their resurgence. For more insight like this from Experian Decision Analytics, watch our 2014 Q1 Experian–Oliver Wyman Market Intelligence Report presentation.    

Are you sure you are making the best consumer credit decisions? Given the constantly evolving market conditions, it is a challenge to keep informed. In order to confidently grow and manage the bottom line, organizations need to avoid these four basic risks of making credit decisions with limited trend visibility. Competitive Risk - With limited visibility to industry trends, organizations cannot understand their position relative to peers. Product Risk - Organizations without access to the latest consumer behaviors cannot identify and capitalize on emerging trends. Market Risk - Decisions suffer when made without considering market trends in the context of the economy. Resource Risk - Extracting useful insights from vast market data requires abundant resources and comprehensive expertise. Get more information on the business risks of navigating credit decisions with limited trend visibility.

A recent study conducted by the Ponemon Institute found that a data breach is among the top three occurrences that affect brand reputation, along with poor customer service and an environmental incident.

Universe expansion is key to any lender's growth strategy. Sophisticated, advanced risk models, such as the VantageScore®3.0 model, allow lenders to score up to 35 million more consumers than other risk models.

According to Experian Marketing Services’ Q1 2014 Email Benchmark Report, personalized abandoned cart emails that dynamically show the actual customer cart had 25 percent higher transaction rates than reminder emails that just linked back to the brand’s Website.

Data breach notification letters serve multiple purposes. They ensure a breached company is compliant with data breach notification laws, they alert consumers to the breach and their involvement in it, they can warn customers of potential identity theft risks and educate them on how to cope with those risks. The one thing no company wants its notification letter to do, however, is make the recipients any more upset than they already are. Yet that’s the reaction many consumers reported upon having received data breach notification letters, according to the study “The Aftermath of a Mega Data Breach: Consumer Sentiment.” Conducted by the Ponemon Institute on behalf of Experian Data Breach Resolution, the study provides some eye-opening insights into how consumers feel and what they do after receiving a breach notification letter. To put consumer sentiment in perspective, consider these revelations from the study: Among those polled, 63% said they felt the breached company should offer consumers identity theft protection by way of compensation, yet just 25% of people who had received a notification letter said were offered identity theft protection in that letter. The financial impact of the data breach was less significant for consumers than the emotional aspects. 81% of data breach victims said they had not out-of-pocket costs because of the breach. Conversely, 76% said they experienced stress as a result of the breach. Consumers ranked a data breach as the third-most damaging event for a company’s reputation. Only poor customer service and an environmental incident (e.g. an oil spill or pollution) were seen as more damaging. Other than getting stressed, what, then, do consumers do after they’ve received a data breach notification letter? Most do little or nothing at all, which should be just as concerning to companies as the customers who end their business relationship with a company in the wake of a data breach. More than half (55%) said they did nothing to protect their identities after receiving a notification letter, and 32% ignored the notifications and did nothing at all. This may seem counter-intuitive considering that the majority (77%) were at least somewhat to very concerned about becoming an identity theft victim because of the breach. Perhaps if these customers had been offered free identity theft protection in the notification letter, they would have accepted the offer. These survey results underscore the need for companies to send strong, informative and compassionate data breach notification letters – and to offer consumers identity theft protection as part of the company’s data breach response. Learn more about our Data Breach solutions

A recent Experian Consumer Services survey focusing on the most important attributes in a prospective spouse found that married adults value financial responsibility more than physical attractiveness.

It’s no secret that e-commerce merchants, retailers, and financial institutions are prime targets for these digital ghosts as they look to quickly monetize their recent data heist. Unfortunately, many organizations are still scrambling to deploy proper defenses. So how do you defend against an unregulated, networked enemy intent on inciting chaos and filling their bank accounts? Following any data breach, it is essential that organizations gain complete visibility of their customers and transactions across channels. Once a breach has occurred, it is critical for organizations to perform a forensic review of the attack to identify and understand all of the potential points of vulnerability, what data was stolen and how that data was transmitted back to the attackers. What can be more concerning is that the initial scope may quickly expand into something much larger. This makes it essential that retailers and financial institutions rapidly gain complete visibility of their customer data and transactions across channels and keep drilling-down until the root cause can be identified and protected against a repeat attack. Unfortunately, that type of consolidated view does not exist in most companies. Organizations need to ask themselves some serious questions. Do you really know who is logging into your customers’ accounts? Without realizing their data has been compromised, consumers can fall prey to personalized phishing attacks and “give away the keys” to their accounts. How can you be certain a VIP customer is really behind a high-dollar transaction being rushed to an overseas address? No one wants to decline legitimate orders from loyal customers; but with revenue, reputation and brand equity at stake, no one can afford to ignore the potential risk. What controls are in-place to ensure that a fraudster in Malaysia isn’t using legitimate identity data and an anonymous proxy to submit credit card applications that are a perfect match to credit bureau data? Or to alert when a long-standing offline banking relationship suddenly enrolls online? Once access is established, address and other data can be updated and sold to the highest bidder in underground forums. All of these questions can be addressed through the combination of complex device intelligence, a powerful risk engine and support from industry-leading experts in fraud and risk management. Even after a breach has occurred, the risk can be managed. First, consumers need to be informed on how to protect themselves from sophisticated use of their data. Second, arm your organization with a layered security strategy that includes device intelligence. This will prepare you for the onslaught of compromised card usage, fraudulent enrollments, phishing attacks and attempted account takeovers that follow in the wake of a data breach.

With the cost of new vehicles continuing to increase, consumers are opting for longer loan terms.

There are some definite misunderstandings about the lifecycle of fraud. The very first phase is infection – and regardless of HOW it happens, the victim’s machine has been compromised. You may have no knowledge of this fact and no control. All of that compromised data is off in the ether and has been sold. The next phase is to make sure that the next set of fraudsters can validate those compromised accounts and make sure they got their money’s worth. It’s only at the last phase – theft – that any money movement occurs. We call this out because there are a lot of organizations out there who have built their entire solution on this last phase. We would say you are about two weeks too late as the crime actually began much earlier. So how can you protect your organization? Here are five take-aways to consider: User / device trust. Do this user and device share a history? Has this user seen of been associated with this device historically? It may not be fraud but it is something we watch for. User / device compatibility. Does the user align with devices they’ve used in the past? What are the attributes of the device with respect to user preferences, profile and so on. Device hostility. Look at its behavior across your ecosystem. How many identities has it been associating with? Is it associated with a number of personal attributes or focused on risky activities? Malware. Does this device configuration suggest malware? Because we have information about the device itself, we can show that it’s been infected. Device reputation. Has this device been associated with previous crimes? There are some organizations who have built their entire solution around device reputation. We believe this is interesting to include but it’s more important to look at everything in the context across your entire ecosystem rather that focus on just one area. Want to learn more? Listen to this on-demand webinar “Where the WWW..wild things are – when good data is exploited for fraudulent gain”.

FICO, a leading predictive analytics and decision management software company, has partnered with 41st Parameter®, a part of Experian® and a leader in securing online relationships, to fight fraud on card-not-present (CNP) transactions, the top source of payment card fraud today, while letting more genuine transactions proceed in real time. FICO is integrating 41st Parameter’s TrustInsight™ with the FICO® Falcon® Platform, which protects 2.5 billion card accounts and is used by more than 9,000 financial institutions worldwide. Authenticating the device being used in a transaction provides yet another layer of detection to the Falcon Platform, which includes proprietary analytics based on more than 30 patents. 41st Parameter’s TrustInsight™ solution provides a real-time analysis of a transaction, crowd-sourced from a network of merchants, that produces a TrustScore™ indicating whether the transaction is likely to be genuine and should be approved. TrustInsight helps reduce the number of “false positives,” or good transactions that are declined or investigated by the card issuer. The TrustScore, integrated with the FICO Falcon Fraud Manager Platform, provides a link between data the merchant knows and data the issuer knows to enable issuers to utilize additional information that is not currently available in their fraud detection process, including the identification of a cardholder’s “trusted devices.” Read the entire release here.