Identity fraud

Fighting ID fraud

May 2007

Revelations about banks dumping customer information in waste bins outside their premises sends out signals that identity (ID) fraud is not something the financial services industry takes seriously. However, these misadventures were taken seriously by the Information Commissioner's Office (ICO) when it found 11 banks and other financial institutions in breach of the Data Protection Act. They have been asked to sign a formal undertaking to comply with the Data Protection Act, and if they do not they could be prosecuted by the ICO.

Just as worrying was the announcement from the Home Office saying that 10,000 British passports were obtained fraudulently in 2006. While crooks might get the impression that stealing IDs and impersonating people to obtain loans and credit cards is a lucrative career-move, this of course isn't the intention.

The growth of ID fraud partly stems from the success of the chip-and-PIN (personal identity number) plastic card security system, which was rolled out nationally by banks and retailers from 14 February 2006. During 2006 total plastic card fraud losses fell by 3 per cent, representing £80 million, to £428 million as a result of the new security scheme.

As chip-and-PIN succeeded in reducing card fraud, thieves have had to find new income streams, and ID fraud is their latest business venture. In February 2006, the Home Office said that identity fraud cost the UK £1.7 billion a year, up from £1.3 billion in 2002, although it is thought to be much more.

Rich pickings

ID fraud is much more attractive to crooks than credit card fraud because they are restrained by the limit on a credit card, whereas with ID fraud they can apply for personal loans up to £25,000 or mortgages; if this is done professionally, rich pickings can be had. This is part of the reason why ID fraud has grown from a cottage industry into crime on a global scale. It is a growing menace and is not confined just to the financial services industry - it cuts across into a number of sectors such as mail order and retailing and is cross-border, often involving international criminal gangs, middle men, hackers and techies.

ID fraud is also a particularly distressing crime for consumers, who often only find out when they receive a demand for a mortgage or loan they have not applied for. They then have to prove that it is fraud and have to repair their credit record, which can all take months.

Indeed, the National Consumer Council is campaigning for a national ID theft support centre for victims, similar to the support system set up in the US. It is currently holding talks with business and is confident that its vision of a one-stop ID fraud support centre for victims will be set up in the near future.

There are a number of different types of ID fraud. Crooks can hijack or take over a person's bank account or credit card and impersonate them to misuse their accounts. Or they can steal someone's identity by gathering enough information about them from utility bills, passports and bank statements to apply for loans, credit cards or mortgages.

Wealthy targets

Recent research from global information and solution provider Experian found that fraudsters tend to target wealthier individuals aged between 30 and 50, such as high-flying graduates or very wealthy households. It also revealed that London is the identity fraud capital of the UK, and the most common form of ID fraud is to misuse someone's previous address. The hardest hit businesses were mail order businesses and credit card companies.

CIFAS, the UK's fraud prevention service, said that while the number of victims of impersonation rose by almost 20 per cent in 2006 against the year before to 67,406, the number identified by its 250 members had risen by 21.57 per cent. But the number of account takeovers, although much smaller than other types of identity fraud at 4,665 in 2006, had increased by almost 64 per cent against the previous year.

CNP fraud growing

While chip-and-PIN has prevented fraud in retail settings where the PIN is used by the cardholder, thieves have still been able to use stolen cards to buy goods and services via the internet, phone and mail order where a PIN is not required. This is known as card not present (CNP) fraud. It now represents almost half of card losses but more recently has been growing more slowly. It grew by only 16 per cent in 2006 to £212.6 million, against 29 per cent between 2004 and 2005. During the same year, card ID theft grew by 5 per cent to £31.9 million, down from £36.9 in 2004.

Weak spots

Fighting ID fraud is similar to mending a leaky ship - as soon as one hole is plugged another quickly appears. At the moment the weak areas include:

• Lack of data sharing between public-sector organisations and the private sector
• Passports and driving licences are the main documents used for verifying a client's identity and can be forged or tampered with
• There is no universal identity system in the UK
• Limited background checks into applicants by financial companies and lenders
• The theft of identities from the deceased is increasing quickly;
• Lenders are not required to double-check new applicants against the deceased registry
• Data produced by the General Registry Offices is not up to date
• Criminals are increasingly finding new ways of obtaining personal details from victims through online activities such as hacking and 'phishing'.

However, many of these weak spots are in the process of being strengthened through a number of developments in the public sector and law-enforcement agencies and via new initiatives undertaken by businesses.

Biometric ID

Until there is a definitive way of proving people are who they say they are, ID fraud will become more and more of a public nuisance. However, steps are being taken by the recently formed Identity & Passport Service (IPS) to introduce biometric identification, which would make this sort of crime much more difficult for criminals. It is currently working on a National Identity Scheme using biometric technology and will issue ID cards from 2008/09.

IPS has also started to use facial biometrics on new e-passports and plans to use fingerprints as well in the future. In addition, the security of new passports has been strengthened by the introduction of a number of new initiatives such as interviewing applicants and introducing more background checks.

New legislation

The battle against ID fraud also hinges on the introduction of several new pieces of legislation including the Serious Crime Bill and the Police and Justice Bill. The former aims to tackle serious crime such as ID fraud by improving data sharing within the public sector and between the public and the private sectors and creating new offences. The Police and Justice Bill aims to improve policing standards across the country and equip police forces to deal with serious crime.

In addition, the Financial Services Authority (FSA) launched its new Financial Crime and Intelligence Division at the beginning of this year. This new body is working alongside the financial services industry and law-enforcement agencies to examine the risks facing consumers from high-tech crime, ID fraud, online hacking and money laundering.

'Deceased' ID fraud

One of the fastest growing areas of ID fraud comes from stealing identities from the deceased; this is said to be increasing at the rate of around 60 per cent a year, according to figures from CIFAS (2006). It believes that around 70,000 families a year are affected by this crime. Part of the reason why it has been difficult to close off this avenue for crooks is that information provided by the General Registry Offices, which records births, deaths and marriages, is sometimes months old.

But this is likely to be speeded up in the future. The three Registrars General for England and Wales, Northern Ireland and Scotland recently issued a joint consultation paper aimed at stopping fraudsters from using the identities of dead people. The paper proposes that a new system be introduced to provide more timely information on a weekly basis to credit reference agencies, the Police and other law-enforcement agencies. It is hoped to have this in place by around mid year.

More data sharing

Neil Munroe, external affairs director of credit information provider Equifax, says that increasingly lenders are doing more extensive checks at the application stage and new tools have been developed to make more data available at the front end.

To facilitate more sharing of information, Equifax developed SIRAN, an online fraud detection system that uses data from a variety of sources including financial service companies, mobile telecommunications and retailers. This allows applicants' details to be cross-referenced, highlighting any suspicious patterns to expose fraud rings.

Experian, too, has increased the amount of data available to cross-check through the recent integration of its fraud detection systems Hunter II and Detect. Now more than 500 million records can be cross-referenced, increasing the chance of potential frauds being flagged up. Gary Wood, managing director of Experian's Fraud and Identity Solutions Business, said that the merger of the databases had resulted in a 20 per cent increase in fraud detection and a more accurate prediction of fraud.

Electronic verification

At a time when consumers expect faster and more efficient services, the growth of ID fraud means that financial service companies now have to conduct more and more identity verification checks. However, after electronic verification of ID was validated by the FSA in 2005 many lenders have found that even though more checks are required, the introduction of new automated verification systems has improved rather than hindered the account opening process.

Specialist electronic ID verification company GB Group said that its ID3 verification technology, recently implemented by Beacon Homeloans for its packagers, has been able to reduce fraud by up to 70 per cent and increase customer acquisition by 40 per cent.

A number of building societies including Manchester, Kent Reliance and Britannia recently installed CallCredit's electronic ID verification system CallML. Manchester Building Society said that the move to electronic verification had speeded up the account opening experience and had done away with the need to rely on documentary evidence of identity such as passports and driving licences. Britannia has installed CallML in its network of 250 branches to verify the identity of new customers and said its account opening process had become more efficient.

More background checking

In the past, lenders have been criticised for not checking customers' records further back into their past to investigate employment records and old addresses. But this is something many are now doing.

Last year Experian bought Backgroundchecking.com, which provides a pre-and post-employment verification service covering qualifications, employment records, criminal records and directors' reports.

Steve Bailey, managing director of Backgroundchecking.com, explained that credit information from Experian can be combined with the checks made by his company to build up a more complete picture of a person. A background check on a customer can only be conducted if the client gives permission, and as 15 per cent of applicants disappear, this is clearly making it a deterrent for criminals.

He continued that it is just as important for lenders to investigate permanent and temporary staff as well as clients: “Temporary staff are often taken on at short notice and organisations sometimes then give them immediate access to extensive customer information, which is risky.”

Backgroundchecking.com also offers an overnight service, which does not include a criminal records search, which could be used for checking temporary staff or applications for express money services. Bailey pointed out that it is important to run a check on staff and not just when they apply for a job but at other key stages such as when they are promoted or transferred to make certain that their records haven't changed. With an increase in immigration, Backgroundchecking.com is also able to conduct checks internationally.

Public still at risk

Meanwhile, the battle against ID fraud continues to rage on the front line between crooks and consumers. While much has been done and is planned for the future behind the scenes, the credit reference agencies believe that more still needs to be done to make consumers aware of new techniques employed by crooks.

In particular, the industry-backed annual National Identity Fraud Week campaign, started in 2005, has successfully made the public aware of how to take care of their identity, but several credit information agencies believe that this needs to be stepped up. Neil Munroe of Equifax said : “It is important to continue work on public relations campaigns to prevent the public from giving out their information online and by phone. The public are aware of shredding documents containing personal details but do not realise that they should not be giving out information over the phone and that more and more crooks are trying to get information online.”

Experian, too, said that awareness of certain risks such as bin raiding by fraudsters to obtain personal details is widely recognised by the public but they are less prepared for attacks by online hackers and 'phishers'.

Karen Murray is a freelance journalist