Credit Strategy sought the views of John Marsden, head of fraud and identity at Equifax, on cyber security, the modus operandi of hackers and how creditors are protecting customers’ data.
MLG: In preventing systemic risk against cyber attacks, what are the toughest challenges for the largest creditors?
JM: “The scale and complexity of cyber crime is by far the toughest challenge for organisations today. Computing power and personal connections facilitate both the tools and the methodology of sharing that fraudsters need. Another key issue is the availability of personal ID data that often proliferates from data breaches. This means increased risks of impersonation fraud; the scale of which continues to rise each year.”
MLG: From Equifax’s experience of working with clients, what vulnerabilities in systems are being exploited by those committing identity theft?
JM: “One of the challenges our clients face is the drive to achieve a digital ‘happy path’ journey for good customers. To create this, a balance between good customer experience and protection of your systems and customer information needs to be established. However, this alone is not the reason for successful fraud attempts. The fraudster is often well educated on the processes of the specific lender, either through online forums discussing these aspects or more formal ‘cookbooks’. Essentially, this is the same as talking to other fraudsters in a pub, but on a global scale.”
MLG: What can you tell us about some of the typical, specific techniques used against individuals to commit identity theft?
JM: “The hacker is seldom the perpetrator of fraud; they sell the ‘hacked’ data via online forums to fraudsters who then commit the actual attacks. This has created a marketplace where richer identity data is sold for more than the bare bones data, which in itself generates a value in researching identities to create a richer data set for resale.
“Estimates indicate that around 20 million individual records on UK citizens are up for sale, of which three to five million are unique IDs, so the scale of the issue is vast. The people committing the fraud may be some distance away from the hacker, and only virtually connected. The information can be used for application fraud, account takeover or simply card fraud, depending on the data provided or the knowledge of the perpetrator.”
MLG: To what extent are large creditors deploying biometric verification to protect consumers’ data? Is this having the desired effect?
JM: “The key issue to grapple with for biometrics is the need to establish trust between the biometric and the identity. This is being used to good effect by the likes of HSBC and some of the new start-up banks to effectively drive better conversion for those individuals who do not have a longstanding credit history.
“To keep up with continuously developing fraud technologies and techniques, authentication needs to be multi-factored and layered. Any unusual behaviour from the customer should raise signals that the transaction/login needs further checks.”
MLG: As part of preparations for GDPR, companies across this industry will be appointing or have appointed data protection officers. What level of responsibility will be given to this role to ensure protection against identity theft?
JM: “The primary role of the data protection officer (DPO) is to inform and advise a firm on all of its obligations pursuant to the GDPR, including the security of processing personal data, but also privacy by design and default. By the regulation requiring the DPO to have a direct reporting line into the highest level of management (typically the board of directors), the opportunity will exist for any relevant weakness in a firm’s policies or processes to be flagged to the ultimate decision makers.”
MLG: Who has the greater role to play in protecting customers’ information, the consumer or creditor?
JM: “Both parties have a role to play here. Consumers need to heed the advice of ‘prevention is better than cure’, which means that we should all protect the data which ties us to our legal identity. In the UK this is name, address and date of birth, the latter being about the only constant and also the most sensitive and protectable. Nowadays we see social networking as part of our lives and we enjoy the fact our friends wish us happy birthday, but we should be mindful of the implications of opening up this personal attribute.
“Increasingly, it’s not the individual who is responsible for the release of data - it’s often hacked. While legislation is offering us solutions through raising the financial implications of data breaches for businesses, the scale and technology in use by the hackers are way beyond the comprehension of many IT departments.”
MLG: In which repositories of consumer information do you think there are the most serious risks of identity theft? For example, would it be media and communications providers such as Yahoo? High street banks or retail sites such as Amazon?
JM: “It’s not about the scale of the operation, but the capability and strategic understanding of the data assets from top to bottom throughout an organisation. GDPR will help by increasing focus and providing consumer rights to be forgotten, and this needs to be exercised. While the bigger breaches will be publicised, the smaller targets are often easier targets. Then you need to consider whether the hacker just wants headlines or wishes to make money without much interest from law enforcement. The big hacks get kudos and headlines. So depending upon motivation, the better-defended systems become targets. To answer the question as to who is vulnerable, every repository is vulnerable and no complacency should ever be present.”
MLG: Do you believe another cyber attack on the same scale as the recent attack on the NHS is imminent and inevitable?
JM: “Cyber attacks are inevitable. The scale of attempts is beyond belief with millions of attempted breaches and phishing emails every minute. The WannaCry attack on the NHS would not have been targeted; it was random ransomware which could affect any system that did not have adequate protection. This too is inevitable. Looking ahead, the diversity, technology and ingenuity of the cyber criminal will continue to cause concern.”