Javelin Study Shows Increased Credit Card Fraud Risk

Consumers, businesses, retailers, and even the media are becoming numb to news about data breaches. Not a week goes by when we don’t hear of another major breach affecting thousands or even millions of customer accounts.

Criminal hackers are getting smarter and savvier all the time, and they often have better technology than the banks and retailers tasked with protecting your data.

Time reported on a recent Javelin Strategy and Research survey in which Javelin analyzed 23 of the biggest credit card issuers’ online security practices. When companies were graded on a 100-point scale, the average result was just 59. Javelin head of security and risk analyst Phil Blank, who authored the study, explained, “The good news is issuers are doing a better job overall of resolution, but that’s the easiest thing to do. Prevention is the hardest to do but it’s got the biggest payback.”

The report also found that for a full year after your bank account information has been hacked, there is a strong chance that you will be a victim of credit card fraud. So even though you may be getting a little hardened to data breach warnings, you still need to watch your credit card statements closely. As long as you dispute unauthorized credit card charges within 60 days, federal laws limit liability to $50. Unauthorized debit card charges must be reported within two days, or liability jumps to $500.

One of the FFIEC’s recommendations for financial institutions involves using complex device identification. iovation, an Oregon-based security firm, offers an advanced device identification service that incorporates real-time risk assessments, the history of fraud on linked devices (such as chargebacks, identity theft and credit application fraud) and exposes fraudsters working together to steal from online businesses.

“Complex device identification” involves the creation of a digital fingerprint based on several characteristics of the device including hardware and software configuration, Internet protocol addresses, and geolocation. Unfortunately, complex device ID by itself only increases the strength of identification; it does little to increase the efficacy of an overall anti-fraud strategy.

“Device reputation” offers all of the security measures that complex device ID does, but it also strategically incorporates velocity, anomalies, proxy busting, webs of associations (linking devices and accounts), and fraud and abuse histories. Device reputation moves from a micro to a macro view of transactions which takes into account how particular devices behave or have behaved beyond its activities with a financial institution, its usage by a current user or other users, and/or its relationship to other devices.  This chart explains what is involved with each:

Leading financial institutions aren’t merely complying with the FFIEC’s security recommendations, but are going beyond it by incorporating device reputation and other authentication and anti-fraud tools into their layered security approach.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures