It happened without warning. As she was going through her divorce, Jane (whose name has been changed for anonymity) found out that her husband had applied for an American Express Card as her. Not for her. As her.
Knowing that her soon-to-be ex-husband had taken out fifteen or twenty credit cards during their last year of marriage to finance his lifestyle and girlfriend, Jane wasn’t too shocked to see an American Express card bill come to her door. But she was perplexed by the fact that it was 1) a collection notice and 2) in her name only. She immediately called the credit card company and was asked by the customer service representative for her name, social security number and the answer to a security question: her mother’s maiden name. When the rep told her that she gave the wrong name in response to that last question, Jane’s frustration reached its limit. “That’s because the person who applied for this card is not ME!” she said. She explained her situation and was told that the credit card was applied for online approximately eight months earlier. Her husband had been intercepting the mail at their home, but a recent overseas trip had caused a break in his intervention, which led to her discovery.
For Jane, the story has a happy ending. American Express immediately cancelled the card and held her harmless for the remaining balance. For many other people, however, the story runs more toward horror novel than fairy tale.
The advent of technological capabilities that allow complex financial transactions to be conducted in an online environment has raised several questions in the ethical arena, particularly regarding credit card applications.
In the past, potential credit applicants would meet with an individual at a bank or finance center (in the case of retail establishments) to determine their financial stability and apply for credit. Slowly over the years, a direct marketing technique was singled out as the best way to entice consumers with sweet credit deals, so credit card companies and even large retailers started presenting their offers via the postal service. You’d get an application in the mail, fill it out with pertinent information, sign it, and (hopefully) get approved. However, today’s wide availability of internet access has added a new dimension to the ubiquitous credit card application—now you can just point, click and send, and in no time, you can be approved.
In the first scenario, credit applicants are meeting with a person who is able to verify they have the correct information at hand and that they can produce a driver’s license or other identification to prove their identity. In the second scenario, featuring snail mail, applicants are at least required to produce a signature on the document. If there is a dispute over a false application, a signature can be an important piece of evidence.
But enter the online credit application. There is no evidence that you are in any way associated with the name you are applying for credit under. All you need is access to a few, easily acquired pieces of information. The website creditcardchaser.com publishes a list of what you will need to complete an online loan application, as follows:
- Basic personal information (full name, address, phone number, date of birth
- Social Security number
- Employer and personal income information
- Household income
- Bank account information for all accounts
- Whether you own or rent your home
- Monthly rent or mortgage payment amount
Any close personal relationship could garner access to all the above information. All one would have to do is fill out the information online, click and send. In fact, attorney Chad Johnson of the Johnson & Bryan law firm in Houston, Texas says that most cases of credit card identity fraud he sees are between an adult child and their parent or grandparent. This complicates the cases infinitely, since a police report and investigation is required to pursue identity fraud and hold the victim harmless of the credit charges. Most parents or grandparents are hesitant to take this type of action against their own child or grandchild, so they just pay the credit charges and move on.
Credit card companies that operate online are expected to implement a vulnerability management program, which gives a blueprint of how they intend to deal with credit card security threats and manage these issues if they arise. The problem is they don’t have reason to put money and effort into a system like this. As Johnson notes, “These credit companies simply sell uncollected debt to third party debt agencies like Portfolio Recovery Associates (PRA). American Express may sell a bulk package of charged off 'bad' credit card debt representing $99 million dollars in charges, interest and fees for $1 million to PRA and write off the difference. Then every penny PRA makes over the $1 million that they paid is pure profit, and American Express gets a nice write-off on their taxes.”
When they are set up correctly and working, vulnerability management programs include ways for the credit card companies to test and protect their extensive digital networks. Strong programs usually include access control measures, such as setting limits for the number of employees with access to sensitive data and providing secure passwords for system users that are authorized. But this does nothing to prevent an online application from being completed by an applicant who is operating under a fraudulent identity.
So what can payday loan organizations do to anticipate and impede online fraudulent applications? There are several companies that offer fraud detection and prevention software that attempt to foil online fraudsters by searching for patterns of unusual behavior online. In fact, one company, iovation, suggests that instead of verifying the identification information of applicants, the reputation of the device (computer, cell phone or other internet access device) they are using should be verified instead, for greater security. Additional online technologies include geolocation by IP address, which can identify the exact location from which the person is applying. However, this only works if the fraudster is operating at a significant distance from the address of the victim, not if they are co-habiting. An application made from a free or anonymous email address should also trigger a fraud alert. An anonymous proxy server can allow internet users to hide their actual IP address, and a proxy server is usually used only to avoid being detected, so this makes it a big red flag for fraud. A mailing address on an online application that is a P.O. box or a drop shipment forwarding address should also be flagged for investigation before credit approval.
Once a red flag is flown, it is up to the credit card company to follow through with appropriate blocks such as:
- Contacting the applicant by telephone to request voice verification. (This would have worked particularly well for Jane, since the applicant was male).
- Placing a hold on an application that may be fraudulent.
- Refusing applications originating from free or anonymous emails and proxy servers.
- Refusing applications that don’t provide a valid street address.
- Authenticating the application using questions on historical personal data easily retrieved by credit card companies, such as: At which of these addresses did you reside in 1996? Which of the following people is related to you?
Recently there have been many cases of data and identity loss associated with hacking and poor security practices. Allowing creation of a credit card identity without proof positive of the applicant’s identity most definitely represents a security risk. Also, when providing personal data online, credit card companies should be liable for fraud that occurs as a result of tech support or other employees having access to the data on applications.
WISCO, a company that provides business and education software, sites simple customer callback as an effective way of preventing online credit application fraud. If the phone number given is the actual number of the individual whose identity is being undermined, calling will outwit the fraudster and alert the victim. If it is a bogus number, it will be disconnected, changed or non-existent and, if the fraudster uses their own phone number, companies can determine if the gender is the same as the applicant’s and also ask personal “security” questions.
Industry analysts feel that credit card companies have not fully come to grips with the size of the problem. An article by Ross Kerber notes that 4.46 cents was lost to fraud worldwide for every $100 of credit and debit transactions in 2010. Apparently, U.S. banks and merchants have been resistant to new protective technologies so the United States leads the pack in losses, accounting for nearly 47 percent of global fraud losses. According a LexisNexis study, The True Cost of Fraud, retailers lose over $100 billion in fraud each year, most of which is due to identity fraud.
Since identity fraud seems to be at the crux of the worldwide fraud loss scene and is certainly a huge problem for credit card companies, it seems logical to remedy the situation by intervention at the first point of contact: the credit card application. Since an online application is not only most prevalent but the most risky, this is where credit card agencies should focus their vulnerability management efforts.
Currently, many retailers are joining the push to online credit applications. Infinite Prospects, a company that helps car dealerships maximize their online presence, advocates the use of video credit applications to walk prospective car buyers through the credit process. If we take this a step further, perhaps credit card companies could supplement applications with Skype, FaceTime or other video identification of the applicant.
Companies such as Jumio now offer programs for retailers like netverify™ that allow identification to be scanned into a smartphone or other terminal to verify identity. This lets a photo ID, like a driver’s license, be scanned by an off-the-shelf webcam or smartphone camera, transmitted and verified online. Citi Group has invested an undisclosed amount in the company—one can only hope they intend to use the technology to support their own online application process for subsidiary lending institutions.
In summary, credit card companies recognize and understand the security risks of online applications and are aware of remedies extant that would mitigate the number of fraudulent applications made online. The problem is, with third party debt buyers standing by to purchase bad debt and identity fraud victims shouldering the losses, there is little impetus for credit card companies to tighten up their online security.