Sisyphus
By Neal O’Farrell

We can claim to be winning a few battles here and there. ACH fraud does appear to be down, as does check fraud. But a handful of successful skirmishes doesn’t win a war. After more than a decade of growing consumer awareness, a barrage of new laws and regulations, and impressive advancements in security, the bad guys still appear to be gaining ground.

The most recent study from Javelin Research seems to support this, concluding that more than 12 million Americans fell victim to identity theft in 2012 – one of the worst years on record. And it’s important to put that in perspective. If you compare the number of identity theft victims to reports of other crimes, that means there are more victims of identity theft than there are reported burglaries, attempted burglaries, auto thefts, arsons, purse snatchings, pickpocketing, and shoplifting – combined.

Of course, it’s easy to win when the other side just walks off the field. I’ve identified a dozen compelling reasons why, after so much progress in the fight against identity theft, that fight is still steeply uphill.

1. Zero liability has convinced consumers they have absolutely nothing to lose. The notion of zero liability came from a blend of federal law (the FACT Act or FACTA) and marketing savvy by financial institutions, to shift identity theft losses from consumers and victims to the financial industry and merchants.

The financial industry often absorbs identity theft and fraud losses as the cost of doing business and keeping customers happy, but that comes with an unfortunate side effect: Consumers have come to believe that zero liability means zero responsibility or loss. In reality, many victims face months or even years of emotional and financial costs, often with no help.

2. Law enforcement has simply given up the fight. The number one complaint I hear from victims is the indifference from law enforcement to identity theft and its victims. And most police departments I work with admit that at best they investigate less than one percent of identity theft cases. Most police departments don’t have the resources to investigate identity theft. There are too many jurisdiction issues, too little cooperation from other agencies and financial institutions, too few skilled financial crimes investigators, and too few prosecutors willing to prosecute identity theft.

But many in law enforcement don’t understand that they need to be more sympathetic to victims who arrive on their doorstep desperately looking for help. The indifference to identity theft by law enforcement in California prompted the unprecedented action by lawmakers who passed legislation that required law enforcement to take identity theft reports.

And one of the unintended consequences of the failure of law enforcement to take identity theft seriously is the emergence of the super thief – identity thieves who started at a very low level like mail theft or check fraud, found it was easy to get away with and so kept doing it. With every crime they learned more and got better, and all the time staying off law enforcement radars because there were no reports.

By the time the police actually notice these super thieves, their crimes are very advanced, sophisticated, and costly, and the thieves are uncatchable because they know how to hide their tracks. And these thieves then become Fagin-like, educating, supervising, and profiting from hordes of underlings.

3. Consumers think we’re winning the battle. Consumers have become increasingly apathetic to identity theft in the last few years, either because they believe they have little to lose (or zero liability will take care of everything) or because they think the enemy is on the retreat. This increase in apathy has led to a decrease in vigilance as consumers continue to keep their guard down.

4. Organized crime gave cybercrime and identity theft a whole new lease on life. Criminal gangs have pumped millions of dollars into sophisticated and well-organized scams, hiring some of the most talented hackers and thieves in the world, creating some of the most sophisticated new kinds of malware, and operating in regions where law enforcement can’t, or won’t, reach them.

Organized crime gangs around the world have upped the stakes, turning identity theft into a global business that they have no intention of abandoning any time soon. And criminals hold the winning card – motivation. One of the greatest motivators is profit, and cybercrime pays. Those on the other end, the CEOs and CISOs responsible for protecting much of our personal information, see security as a painful expense and a drain on profits. Not much of a motivation with that attitude.

5. Financial institutions refuse to talk to their customers about identity theft. In the ten years I was with one of America’s top banks, I don’t recall once receiving any advice, tips, or warnings on any identity theft or security issue. Apart from the occasional and usually cryptic notification that a credit card would have to be cancelled and reissued because of a security breach, I never heard a word about security from my bank. What message does that send to consumers like me? That identity theft is nothing to worry about, or that financial institutions don’t think I have any role to play in protecting myself? And in spite of the devastating impact of banking Trojans, my bank has still always remained silent.

Financial institutions not only need to educate their customers about identity theft and other security risks, they have the biggest opportunity to do so. They have a captive audience and direct line of communications. If only they chose to use it. If done right, talking to customers more often about identity theft can also create a powerful marketing and brand building opportunity. Now there’s your motivation.

6. The small business community is still ignoring its security responsibilities. I’m a small business owner and have worked with small businesses and Chambers of Commerce for years. The small business community represents a major vulnerability both to identity theft and national cyber security, yet most small business owners don’t consider data and customer protection a priority.

Small businesses in America employ an estimated 60 million workers, many of them computer users. That means tens of millions of Internet-connected computers with little security are being used by employees with little security awareness or training. These unprotected computers and employees are not just an easy target for the spread of viruses, Trojans, and phishing emails; they are also very vulnerable to bots that can enlist these computers in attacks on other computers and networks – even targets of national security importance.

And if you don’t believe me, talk to web security firm SiteLock. SiteLock reports finding up to 5,000 new small business web sites every single day that have already been compromised with malware.

7. Thieves are emboldened because they know they’re unlikely to be caught. Some studies have suggested that only one in every 700 cases of identity theft is ever prosecuted. The punishments for identity theft are now very severe, with stiff prison sentences for the worst offenders. But when the vast majority of identity theft cases go uninvestigated, unprosecuted, and unpunished, thieves know this is a criminal career worth pursuing.

8. Consumers are still not protecting their computers and phones or changing their habits. In spite of repeated advice and warnings, most consumers are still not checking their credit reports often enough, not changing their passwords often enough, and not updating their security software often enough. And they’re still not as cautious and vigilant as they should be, especially with their online habits and mobile security.

9. Check verification still has too many loopholes. While retailers have the option to use affordable technologies to instantly verify that a check being presented in a store is legitimate, many don’t bother using them.

Identity thieves are very aware of this, which is why so many thieves trawl through phone books, pick names and addresses at random, and use home computers to create fake checks with random account numbers and routing numbers. If the store doesn’t verify that the account number is genuine, the check is presumed authentic and the thief wins every time.

10. Most financial institutions are still failing on security. Many if not most financial institutions are still not using all the authentication and verification options available because they think more security challenges will just annoy customers. Banks still fear that the more steps they require a customer to take to verify their identity for security purposes, the more likely they are to frustrate or even lose that customer.

And of course banks and credit unions still refuse to engage their customers in a common fight against identity theft, especially through education and communications.

11. Consumers are giving away too much personal information. Study after study has shown that consumers are literally giving their information away to thieves, especially on sites like Facebook and Twitter. Information like date of birth, employer, family names and photos, friend connections, interests and hobbies are all immensely valuable to identity thieves who need this information to piece together a cloned identity.

12. Businesses and consumers are becoming immune to data breaches. I call it breach fatigue. There are now so many publicized data breaches – an average of one reported breach every single day for the last five years – that consumers are becoming indifferent to them.

For example, the highly publicized data breach at retail giant TJX in early 2007 was one of the worst on record, affecting more than 45 million customers and threatening the financial future of a chain of stores that includes TJ Maxx, Marshalls, and Home Goods.

Many experts, myself included, speculated that TJX would pay dearly for the incident. Customers would abandon the brand for fear their personal information would be exposed, and investors would avoid the brand because of the crippling fines and costs faced by the company.

Yet in the 12 months that immediately followed the announcement of the breach, TJX never looked better. Revenues increased, profits increased, and their share price increased. It seems like customers and investors were at least forgiving, but more likely just indifferent. And it was a clear but dangerous message to TJX and other businesses that not only is a data breach no big deal any more, it may, like its close cousin identity theft, just be another acceptable cost of doing business.

This article originally appeared on This Week: Insecurity.

Neal O’Farrell is a leading consumer security advocate who has been fighting cybercrime and identity theft for 30 years.
