All posts by Guest Contributor

By: Kari Michel Credit bureau data has been used for many years to develop credit risk models, bankruptcy scores,  profitability models, and response models to name a few. For the utility industry (water and power companies), a new score is available to help them administer more efficiently their internal low-income assistance programs. One challenge that utility companies face is to identify those consumers who clearly qualify for low-income assistance in a more automated process in order to reduce the number of applications that require manual intervention. Utility companies are starting to use scoring models to help them determine the likelihood that a customer will qualify for low-income assistance from their local utility. In a recent Experian case study, a medium-sized municipal utility company in California conducted a test using Experian’s Financial Assistance Checker to understand the benefit of using this score in their recertification process. The test showed a reduction of manual review of about 40% of the test file and they expect a 40-50% reduction in manual review in the future. The inclusion of the score in the recertification process will reduce costs and make their low income assistance program more efficient and provide an excellent example of the utility’s efforts to make a positive impact on the community.

By: Wendy Greenawalt US interest rates are at historically low levels, and while many Americans are taking advantage of the low interest rates and refinancing their mortgages, a great deal more are struggling to find jobs, and unable to take advantage of the rate- friendly lending environment. This market however, continues to be complex as lenders try to competitively price products while balancing dynamic consumer risk levels, multiple product options and minimize the cost of acquisition. Due to this, lenders need to implement advanced risk-based pricing strategies that will balance the uncertain risk profiles of consumers while closely monitoring long-term profitability as re-pricing may not be an option given recent regulatory guidelines. Risk-based pricing has been a hot topic recently with the Credit Card Act and Risk-Based Pricing Rule regulation and pending deadline. For lenders who have not performed a new applicant scorecard validation or detailed portfolio analysis in the last few years now is the time to review pricing strategies and portfolio mix. This analysis will aid in maintaining an acceptable risk level as the portfolio evolves with new consumers and risk tiers while ensuring short and long-term profitability and on-going regulatory compliance. At its core, risk-based pricing is a methodology that is used to determine the what interest rate should be charged to a consumer based on the inherent risk and profitability present within a defined pricing tier. By utilizing risk-based pricing, organizations can ensure the overall portfolio is profitable while providing competitive rates to each unique portfolio segment. Consistent review and strategy modification is crucial to success in today’s lending environment. Competition for the lowest risk consumers will continue to increase as qualified candidate pools shrink given the slow economic recovery.  By reviewing your portfolio on a regular basis and monitoring portfolio pricing strategies closely an organization can achieve portfolio growth and revenue objectives while monitoring population stability, portfolio performance and future losses.

By: Staci Baker On September 12, 2010, the new Basel III rules were passed in Basel, Switzerland. These new rules aim to increase the liquidity of banks over the next decade, thereby mitigating the risk of bank failures and mergers that transpired during the recent financial crisis. Currently, banks must maintain capital reserves of 4% on their balance sheet to account for enterprise risk. Starting January 1, 2013, banks will be required to progressively increase their capital reserves, known as tier 1 capital, to 4.5%. By the end of 2019, this reserve will need to be 6%.  Banks will also be required to keep an emergency reserve, or “conservation buffer,” of 2.5%. What does this mean for banks? And, what are some tools that banks can use in assessing credit risk? By increasing capital reserves, banks will be more stable in times of economic hardship. The conservation buffer is meant to help absorb losses during times of economic stress, which means banks will be in a better position to maintain economic progress in the most challenging economic circumstances. The capital reserve designated by the Group of Governors and Heads of Supervision is the minimum requirement each bank will be held to. Each bank will need to assess their current risk levels, and run stress tests to ensure they are in a good financial position, and are able to sustain strong financial health during a failing economy. Stress tests should be run for different time intervals, which will allow lenders to assess future losses and to plan capital satisfactoriness accordingly. This type of credit risk analysis is possible through applications such as Moody’s CreditCycle Plus, powered by Experian, that allow for stress testing, and profit and loss forecasting.  These applications will measure future performance of consumer credit portfolios under various economic scenarios, measured against industry benchmarks. ______________ Bank for International Settlements, 9/12/10, http://bis.org/press/p100912.htm

Anyone keeping tabs on the legal scene would think data breaches are something new, given all of the legislation hitting the floor of Congress, when in reality they have been happening since businesses began saving data. The truth is the average consumer didn’t really think about it until they started to hear about data breaches and fraud trends when California blazed a trail with what is considered to be the “grandma” of data breach laws back in 2002. The California law (CA SB 1386) required entities to report data breaches if a California resident was a record in the breach that included personally identifiable information and met the state’s criteria for breach. One might say that law started it all: data breach reporting, the ability for watchdog tracking, and media coverage – before CA SB 1386 we only saw the tip of the iceberg. There are currently four bills worth watching in Congress right now that could have some significant impact to data breach notification requirements: Senate Bill 139, sponsored by California Sen. Diane Feinstein. The Data Breach Notification Act would cover any agency or business that uses or stores personal identifiable information and make it mandatory that if a breach occurred, the victims would be informed Senate Bill 3579, the Carper-Bennett legislation, entitled the Data Security Act of 2010 applies to financial institutions, retailers and government agencies, and would require these entities to safeguard sensitive information, investigate security breaches and notify consumers when there is a substantial risk of identity theft or account fraud. This bill is aimed to protect consumers and businesses from identity theft and account fraud. Senate Bill 3742, entitled The Data Security and Breach Notification Act of 2010, sponsored by Senators Mark Pryor and Jay Rockefeller would cross industries and requires special requirements for data brokers. It was referred this month to the Committee on Commerce, Science and Technology, which Rockefeller chairs. Senate Bill 1490, entitled the Personal Data Privacy and Security Act, designates as fraud unauthorized access of personally identifiable information and allows the act to lead to racketeering charges. Sponsored by Senate Judiciary Committee Chairman, Patrick Leahy, it would also prohibit concealment of security breaches involved in fraud and prohibit the dismissal of a Chapter 7 bankruptcy case if the debtor is an identity-theft victim. Many organizations already provide for data breach and the security of personally identifiable information as part of an Identity Theft Prevention Program or Red Flags Rule compliance. I’m happy to say that many rely on Experian tools (https://www.experian.com/data-breach/data-breach-resources.html) for data breach or Enterprise Risk Management solutions. However, any of these bills could change the game for many businesses not already regulated by the Gramm-Leach-Bliley Act (GLB), the Fair Credit Reporting Act (FCRA) or Fair and Accurate Credit Transactions Act (FACTA). In fact, two of the bills would essentially subject data brokers to the same kinds of legislation that financial institutions have under FCRA. The reasoning behind it is that fraud trends continue to show risk levels are the same to the consumer, regardless of where the information is stored. The financial industry and credit bureau data have been regulated for years so, in a sense, I think it’s just “more of the same” unless you happen to be in an industry not regulated as stringently. Still… it’s worth keeping those “tabs” and RSS feeds alive.

Working with clients in the financial sector means keeping an eye toward compliance and regulations like the Gramm-Leach-Bliley Act (GLB), the Fair Credit Reporting Act (FCRA) or Fair and Accurate Credit Transactions Act (FACTA). It doesn’t really matter what kind of product it is, if a client is a financial institution (FI) of some kind, one of these three pieces of legislation is probably going to apply. The good part is, these clients know it and typically have staff dedicated to these functions. In my experience, where most clients need help is in understanding which regulations apply or what might be allowed under each. The truth is, a product designed to minimize fraud, like knowledge based authentication, will function the same whether using FCRA regulated or non-FCRA regulated data. The differences will be in the fraud models used with the product, the decisioning strategies set-up, the questions asked and the data sources of those questions. Under GLB it is acceptable to use fraud analytics for detection purposes, as fraud detection is an approved GLB exception. However, under FCRA rules, fraud detection is not a recognized permissible purpose (for accessing a consumer’s data). Instead, written instructions (of the consumer) may be used as the permissible purpose, or another permissible purpose permitted under FCRA; such as legitimate business need due to risk of financial loss. Fraud best practices dictate engaging with clients, and their compliance teams, to ensure the correct product has been selected based on client fraud trends and client needs. A risk based authentication approach, using all available data and appropriately decisioning on that data, whether or not it includes out of wallet questions, provides the most efficient management of risk for clients and best experience for consumers.

By: Kennis Wong   In the last post, I emphasized the importance of fraud detection even after an account has been approved. If information gathered later indicates an application was fraudulent, credit issuers can still take action on the account to minimize fraud losses. Monitoring your internal systems to find suspicious activities is one way to do it. If the account holder has unusual purchase patterns, such as spending $2000 at a dry cleaner, you may want to stop and have a closer look. But more revealing would be the bigger picture – Is the account holder developing other financial relationships? Do these other applications indicate high identity theft risk? Are there any unusual patterns across the multiple financial relationships? The tricky part is finding the related applications. If you are looking for applications that use the same SSN, name, DOB, address and phone number, you may be missing information that helps detect fraud. Fraudsters often mutate elements of the PIIs when they use stolen identities to hide their fraudulent activity.  If you link related applications together, you can then look for unusual patterns collectively. Find that the same social security number was used 10 times, with different addresses, all in the same week? Bad sign. Individual signs may help very little. False-positives and fraud referral rates may be too high if your action is based on just one or two signs. That’s why Experian recommends using a risk-based method for minimizing fraud instead of a rule-based method. You need fraud analytics to put all signs together in a way that is predictive of identity theft. Timeliness is the key to successful fraud account management. If the identity fraudster has already used all available credit on a credit line, then it is too late to minimize fraud and action on the account. The only benefit at that point -- saving time by telling your collection department not to waste effort attempting to collect on the account.

By: Kennis Wong Most lenders authenticate applicants before they extend credit. With identity theft so prevalent today, not ensuring you are dealing with the real consumer before starting a customer relationship is like playing Russian roulette. Especially for installment loans, when the goods are out, the chance of recouping the money in the case of identity theft is slim. Even for secured loans like car loans, fraudsters can always cash out the car in Mexico, and you will never see the shadow of it again. No wonder lenders place a lot of emphasis on checking people’s identities at application. For many cases, this is really the key point where identity fraud can be stopped. But it is not necessarily true for all type of lenders. For revolving loans, lenders could still minimize fraud losses after credit application is approved, as long as available credit still exists. You can imagine that once a fraudster gets hold of someone’s identity, s/he is likely to maximize its value by using it again and again. Therefore, there should be more credit activities, hence more evidence of misuse, by Day 7 than on Day 1. In the unfortunate event that a fraudster passes authentication on Day 1, it is still possible that you discover the fraud on Day 7 if you have new information. If you are a credit card issuer, it means you can still stop the action before the credit card gets to the fraudster’s hand and gets activated. Unfortunately for a lot of smaller lenders, the due diligence stops at the point of application. Even larger lenders only start their “account management” fraud detection at the point of high-risk transaction or payment. By not watching the new customer relationship closer and studying fraud trends, they are missing out fraud loss reduction opportunity.

By: Kristan Frend It seems as though desperate times call for desperate measures- with revenues down and business loans tougher than ever to get, “shelf” and “shell” companies appear to be on the rise. First let’s look at the difference between the two: Shelf companies are defined as corporations formed in a low-tax, low-regulation state in order to be sold off for its excellent credit rating. According to the Better Business Bureau, off-the-shelf structures were historically used to streamline a start-up, but selling them as a way to get around credit guidelines is new, making them unethical and possibly illegal. Shell companies are characterized as fictitious entities created for the sole purpose of committing fraud. They often provide a convenient method for money laundering because they are easy and inexpensive to form and operate. These companies typically do not have a physical presence, although some may set up a storefront. According to the U.S. Department of the Treasury’s Financial Crimes Enforcement Network, shell companies may even purchase corporate office “service packages” in order to appear to have established a more significant local presence. These packages often include a state business license, a local street address, an office that is staffed during business hours, a local telephone listing with a receptionist and 24-hour personalized voice mail. In one recent bust out fraud scenario, a shell company operated out of an office building and signed up for service with a voice over Internet protocol (VoIP) provider. While the VoIP provider typically conducts on-site visits to all new accounts, this step was skipped because the account was acquired through a channel partner. During months one and two, the account maintained normal usage patterns and invoices were paid promptly. In month three, the account’s international toll activity spiked, causing the provider to question the unusual account activity. The customer responded with a seemingly legitimate business explanation of activity and offered additional documentation. However, the following month the account contact and business disappeared, leaving the VoIP provider with a substantial five figure loss. A follow-up visit to the business showed a vacant office suite. While it’s unrealistic to think all shelf and shell companies can be identified, there are some tools that can help you verify businesses, identify repeat offenders, and minimize fraud losses. In the example mention above, post-loss account review through Experian’s BizID identified an obvious address discrepancy - 12 businesses all listed at the same address, suggesting that the perpetrator set up numerous businesses and victimized multiple organizations. The moral of the story? Avoid being the next victim and refine and revisit your fraud best practices today. Click here for more information on Experian's BizID

By: Kristan Frend As if business owners need one more thing to worry about — according to the Javelin Strategy & Research’s 2010 Identity Fraud Survey Report, respondents who defined themselves as “self-employed” or “small business owners” were one-and-a-half times more likely to be victims of identity theft. Intuitively this makes sense- business owners exposure would be higher than the average consumer as their information is viewed more often due to the broad array of business service needs. Also consider the fact that until recently, multiple states had public records containing proprietors social security numbers as tax identification numbers readily accessible on-line. What a perfect storm this has all created! Javelin’s report also explained that while the average fraud incidence for business owners was lower than the average consumers, small business owner’s consumer costs were higher.  In other words the small business owner suffered more out of pocket costs for identity theft losses than the average consumer. Experts believe this is due to the fact that commercial accounts often do not receive the same fraud guarantee protections that consumer accounts are afforded. While compliance regulations such as Red Flags Rules will enhance consumer safety, institutions must further develop their prevention and protection methods beyond what is legally required to sufficiently protect their small business customers from future fraud attacks. Small business owner fraud and the challenges organizations face in identifying and mitigating these losses are frequently overlooked and overshadowed by consumer fraud. Simply put, fraud is prevented because fraud is detected- verifying that the business owners is who they say they are using multiple data sources is critical to identifying applicant irregularities and protecting small business owners. A well-executed fraud strategy is more than just good business – it helps reduce small business customer acquisition costs and ultimately allows you to make better business decisions, creating a mutually beneficial relationship between your organization and the small business owner.  

There are a number of people within the industry heralding the death of knowledge based authentication. To those people I would say, “In my humble opinion you are as wrong as those recent tweets proclaiming the death of Bill Cosby.” Before anyone’s head spins around, let me explain. When I talk about knowledge based authentication and out of wallet questions, I mean it in the truest sense, a la dynamic questions presented as a pop quiz and not the secret questions you answered when you set-up an account. Dynamic knowledge based authentication presents questions are generated from information known about the consumer, concerning things the true consumer would know and a fraudster wouldn’t. The key to success, and the key to good questions, is the data, which I have said many, many times before. The truth is every tool will let some fraud through; otherwise, you’re keeping too many good customers away. But if knowledge based authentication truly fails, there are two places to look: Data: There are knowledge based authentication providers who rely solely on public record data for their KBA solutions. In my opinion, that data is a higher data risk segment for compromise. Experian’s knowledge based authentication practice is disciplined and includes a mix of data. Our research has shown us that a question set should, ideally, include questions that are proprietary, non-credit, credit and innovative. Yes, it may make sense to include some public record data in a question set, but should it be the basis for the entire question set? Providers who can rely on their own data, or a strategic combination of data sources, rather than purchasing it from one of the large data aggregators are, in my opinion, at an advantage because fraudsters would need to compromise multiple sources in order to “game the system.” Actual KBA use: Knowledge based authentication works best as part of a risk management strategy where risk based authentication is a component within the framework and not the single, determining factor for passing a consumer. Our research has shown that clients who combine fraud analytics and a score with knowledge based authentication can increase authentication performance from 20% - 30% or more, depending on the portfolio and type of fraud (ID Fraud vs. First Party, etc.)… and adding a score has the obvious benefit of increasing fraud detection, but it also allows organizations to prioritize review rates efficiently while protecting the consumer experience. So before we write the obituary of KBA, let’s challenge those who tinker with out of wallet products, building lists of meaningless questions that a 5th grader could answer. Embrace optimized decisions with risk based authentication and employ fraud best practices in your use of KBA.

A few days ago I saw an article about hackers working from Russia, while committing check fraud in the United States. In what those investigating are calling a brilliant operation, the fraudsters compromised companies that archive and store records of check images or checks themselves. They then downloaded those check images and all available information. By printing new checks and using an old Internet “money mule” scheme, the fraudsters were able to send the bogus checks to ”the mule”, often as a payment, and have the check cashed at the mule’s bank to get the balance of the funds wired to an off-shore bank account. That article made me think about new breakthroughs in technology. What if those fraudsters had been a little savvier? What if they had the most recent smart phone application installed and didn’t need a mule to wire the money? They could have simply written checks and uploaded them for deposit to an account to which they had gained access with the hottest application du jour – deposit via photo image uploaded from a smart phone. That application would have allowed the fraudsters to cash the bogus check, gain access to the funds and move them to the next account at will. Or would it? Given the move toward mobile banking, it isn’t really a stretch to see this kind of thing happening. Probably not, but if organizations offering this kind of service use a risk based authentication approach it is more likely they use fraud models and decisioning strategies to minimize fraud and protect consumers while pushing out the latest technology. For those reasons, risk management solutions and enterprise fraud vendors need to not only keep pace with technology but also stay ahead of the curve in order to provide optimized decisions and the most relevant fraud analytics. Considering recent fraud trends and my love affair with mobile everything, I know I want the organizations I do business with to do everything they can to prevent fraud…and I’m positive I want my smart phone to be as smart as possible.

By: Kari Michel What are your acquisition strategies to increase consumer lending and gain market share? This blog will discuss new approaches to create segment-based targeting campaigns and the ability to precisely time the offer delivery with consumer needs. The most aggressive and successful banks are using need and attitudinal segmentation, coupled with models that identify consumers in the market for loan products. The return on marketing investment from these refined marketing efforts often exceed 350%, measured on a net of control basis, after all marketing costs. Here is a case study, using Experian tools, showing how one marketer used segment-based targeting, tailoring and timing to increase their response rate 145% over a competitor’s product. In the highly competitive credit card arena, a new business model is emerging that is dependent on acquiring new accounts from consumers that are grouped into specific behavior segments (Credit Hungry Card Switchers and Case Oriented Skeptics) and looking at consumers that were in the market, as well as had the highest likelihood of opening a bankcard account within the next 1 – 4 months. Test Results Total   Competitor Experian Experian lift Quantity      624,000      623,953 Response Rate % 2.09% 3.03% 145% Actual Responses        13,035 18,902 Booked Rate % 1.64% 2.24% 137% Actual Booked        10,208 13,989 Approval Rate % 78.30% 74.01% 95% In addition to a 145% lift in response rate, over 3,700 more accounts were booked over the competition. These same tools, “In The Market Models” (developed using credit bureau data) and “Financial Personalities®”, can help your organization have a greater return on your direct marketing investment by increasing acquisition rates.  

By: Tom Hannagan An article in American Banker* today discusses how many community banks are now discouraging new deposit gathering. We have seen many headlines in the past couple of years about how banks are not lending. Loan origination has been trending downward for many months. Now, they aren’t seeking deposits either. You would think this is the ultimate way to lower risk, but that’s not necessarily so. There are many different reasons why banks have or may be reducing their balance sheets. Tighter credit standards, and relatively low loan demand are chief among them. This is largely a reaction, on the part of banks and borrowers, to the economic contraction and painfully slow recovery. The softness in real estate is still a large overhanging problem – for consumers, businesses, governments and the banks. Banks are still working on loss provisioning in an attempt to deal with the embedded credit risk from the last recession. Even though they may be shrinking, or very slowly growing their loan portfolio, all of the forward risk management considerations are still there. That is true for the lending business and for managing the overall balance sheet. Most apparent among all these considerations is that the entire existing loan portfolio is steadily coming up for renewal consideration. That is as much of an opportunity for reconsidering a loan’s risk and return characteristics as is considering a new loan. It is also an opportunity to review the relationship management strategy, including the value of other relationship services or the time to sell new services to that client. All these sales situations involve risk and return considerations. Not least among them are the deposit services – existing and potential – associated with the relationship. The main point in the American Banker article was that banks can have trouble putting new deposit funds to work profitably. That makes sense. Deposits involve operating risk and operating costs. The costs include both fixed and variable costs. There are four or five major types of deposits. Each of them has very different operating cost profiles, balance behavior and levels of interest expense. They also involve market risk in that their loyalty or likely duration varies. So, it is important to take both the risk and return factors of new/renewed loans into account AND to take the risk and return factors of new/existing deposit balances into account as part of ongoing relationship management – and the bank’s resulting balance sheet direction. This is a lot to consider. A good risk-based profitability regimen is as critical as ever. *American Banker, Tuesday, July 27, 2010. In Cash Glut, Banks Try to Discourage New Deposits. By, Paul Davis

By: Wendy Greenawalt The final provisions included in The Credit Card Act will go into effect on August 22, 2010. Most lenders began preparing for these changes some time ago, and may have already begun adhering to the guidelines. However, I would like to talk about the provisions included and discuss the implications they will have on credit card lenders. The first provision is the implementation of penalty fee guidelines. This clause prohibits card issuers from charging fees that exceed the consumer’s violation of the account terms. For example, if a consumer’s minimum monthly payment on a credit card account was $15, and the lender charges a $39 late fee, this would be considered excessive as the penalty is greater than the consumers’ obligation on that account. Going forward, the maximum fee a lender could charge in this example would be $15 or equal to the consumers obligation. In addition to late fee limitations, lenders can no longer charge multiple penalty fees based on a single late payment,  other account term violations or fees for account inactivity.  These limitations will have a dramatic impact on portfolio profitability, and lenders will need to account for this with all accounts going forward. The second major provision mandates that if a lender increased a consumer’s annual interest rate after January 1, 2009 due to credit risk, market conditions, or other factors, then the lender must maintain reasonable methodologies and perform account reviews no less than every 6 months. If during the account review, the credit risk, market conditions or other factors that resulted in the interest rate increase have changed, the lender must adjust the interest rate down if warranted. This provision only affects interest rate increases and does not supply specific terms on the amount of the interest rate reduction required; so lenders must assess this independently to determine their individual compliance requirements on covered accounts. The Credit Card Act was a measure to create better policies for consumers related to credit card accounts and overall will provide greater visibility and fair account practices for all consumers. However, The Credit Card Act  places more pressure on lenders to find other revenue streams to make up for revenue that was previously received when accounts were not paid by the due date, fees and additional interest rate income were generated. Over the next few years, lenders will have to find ways to make up this shortcoming and generate revenue through acquisition strategies and/or new business channels in order to maintain a profitable portfolio. http://www.federalreserve.gov/newsevents/press/bcreg/20100303a.htm

In “An ounce of prevention is worth a pound of cure” Kristan Frend touched on the vulnerabilities faced by members of our Armed Services. That post made me think about recent fraud trends.  Over the course of this spring and summer, I attended a few conferences and at one of these events something a bit disturbing occurred – a staff member for one of the exhibitors was victimized during the event. The individual’s wallet, containing cash and credit cards, was stolen along with the person’s passport and the victim didn’t realize it until they received their wake-up call the next morning. The few people who heard about it wondered “How could this happen at an event of industry professionals?” The answer is simple.  Even industry professionals are every-day consumers, vulnerable to attack. As part of our Knowledge Based Authentication practice, Experian engages in blind focus group interviews with “every-day consumers” facilitated by an independent consulting group on Experian’s behalf. What we learn during those sessions informs our best practices for many of the fraud products and guides our process for new question generation in Knowledge Based Authentication. It is also an eye-opening experience. Through our research we have learned that participant consumers are now more aware and accepting of Knowledge Based Authentication than in past years. Knowledge Based Authentication has become a bellwether, consumers expect it. They also expect organizations they deal with to have an Identity Theft Prevention Program – and the ability to recognize when something “just isn’t right” about a situation. However, few participants cited a comprehensive strategy to protect themselves against identity theft, and even fewer actually demonstrated a commitment to follow a strategy, even when they had one. During open and honest conversation in a relaxed setting, participants revealed their true behavior. Many admitted they still use the same password for all their accounts, write their passwords down, and keep copies of their passwords in easily accessible places, such as a purse or a wallet, a desk drawer or an online application. The bottom line is this: Most people will attempt to do what they think they should to protect themselves from identity theft, including shredding or tearing up mail offers, selectively using credit cards and/or monitoring their garbage. However, if the process is too cumbersome or if it requires that they remember too much, they will default to old habits. As Kristan pointed out, thieves may increasingly rely on computer attacks to gather data, but many still resort to low-tech methods like dumpster diving, mail tampering, and purse and wallet theft to obtain privacy sensitive information. When that purse or wallet contains not only personally identifiable information, but also account passwords, the risk levels are significantly higher. Cyber attacks are a threat, but a consumer’s own behavior may be just as risky. As for the victim in this story… a very sharp desk clerk at a neighboring hotel thought it strange that someone was checking-in for a number of days without a reservation at full rate and without luggage, which started the ball rolling and led to the perpetrator being caught and the victim getting everything back except for some cash that had been spent at a coffee merchant. Clearly, this close call didn’t turn-out as badly as it could have.