Blog article
See all stories »

An article relating to this blog post on Finextra:

ID fraudsters switch tactics

The credit crisis has made it more difficult for fraudsters to set up fake accounts so they are increasingly targeting existing bank accounts instead, according to a report from a group of MPs.

See article

Phishing and cards are not the only frauds

The All Party Parliamentary Group's report on bank and credit account fraud highlights the growing threat to existing accounts. Equally concerning is the misuse of accounts through Direct Debit fraud, which is recognised by banks and corporate organisations as a growing problem.

These threats highlight the importance of establishing bank customers' identities and the relationship they have to an existing account by not only validating their bank details, but also additional information such as their name and address. Only by being able to make the link between these pieces of information is it possible to ensure that payments data is correct at the point of input and this will minimise the risk of fraud.

Banks and corporates need to ensure they have the systems in place to check the accuracy of customer-supplied personal and bank account information. It is only when the appropriate systems have been implemented that the supplied name and address can be checked against a reliable reference. Linking these key pieces of information is a vital measure in preventing criminals from hijacking accounts that do not belong to them. 

Jonathan Williams
Director of Communication and Product Strategy, Experian Payments


Comments: (4)

A Finextra member
A Finextra member 12 October, 2008, 01:49Be the first to give this comment the thumbs up 0 likes

I believe that Marcus Agius (Barclays) and Andy Hornby (HBOS) went through some such 'procedure' prior to either of them being appointed heads of their respective institutions.

It didn't stop them being defrauded.

I note the similarity in the business models employed by credit refererence agencies charging consumers for 'ID protection' and that of the Russian mafia protection rackets.

It is another example of the general lack of ethics and moral fibre across the financial industry which got us into the present mess.

Credit references are certainly worthless at the institutional level and no doubt will be equally worthless at the consumer level if the current industry stance is maintained.

How about a little leadership?

The share price of google is seriously undermined, not only by the crisis, but by their lack of ethics towards customer privacy, something shared by the behavioural marketing outfits who are now going out of business on a daily basis due to consumer revolt and the attention of legislators.

I predict a similar future for others of the same ilk. Perhaps Experian could show a little leadership?

Of course legislation could provide the answer - I did hear a whisper...

A Finextra member
A Finextra member 13 October, 2008, 09:25Be the first to give this comment the thumbs up 0 likes

Actually, I think the core of the problem of identity fraud is that the subject (you and me) is not seen as the 'owner' of that data.  Credit reference agencies should have a duty of care to ensure that the data they hold is correct, by checking with the subject first.  Equally, any activity that requires them to give a reference should only be done when they have received separate sanction to do so by the subject, i.e., it is not good enough for them to rely on a signatuire on a form, obtained by a bank or other institution - they should have to independently verify with the registered owner of the record (which should be me and you) that the request is valid and a response can be given.

This would stop identity fraud in its tracks.  Oh, and reference agencies should not be able to charge you and me for access to the data they hold, as it should be our data, not theirs.

A Finextra member
A Finextra member 15 October, 2008, 09:18Be the first to give this comment the thumbs up 0 likes

I've always wondered how DD fraud works.  The DD guarentee requires my bank to give me the money back, before it heads off and does the investigation (which is not the same as with standing orders).  If the DD is fraudulent, the responsibility rests with the originating bank.  It is their responsibility because they have failed to confirm the status and identity of THEIR customer. 

Is there really such a thing as DD fraud, and if there is, who is the victim?  If the victim is the originating bank, they should be more careful!

It seems to me that fraud loopholes are created by corner-cutting beaurocrats and shoestring implementors.  They are not inherent in the technology.

A Finextra member
A Finextra member 20 October, 2008, 12:34Be the first to give this comment the thumbs up 0 likes

Direct Debit fraud is, in our experience, like an iceberg in that only 10% of what actually goes on is visible - to banks, scheme managers and the industry in general. According to a survey we ran earlier this year with corporates, payment fraud is generally treated as if it were simple theft.

The principle of Direct Debit fraud is that I use someone else’s account to pay my bills. So typically, I would sign up for an account, say a consumer credit or a mobile telecom account and give identity information and to pay the recurring bills, give the details to a second identity’s a bank account. I then disappear with the funds or phone and in an optimistic case, the account is closed or doesn’t exist; in a pessimistic case, the real owner of the account does not notice for several months, perhaps incurring bank charges or lost interest and then claiming against the Direct Debit Guarantee. In both cases the company who supplied the service is out of pocket at the end of the transaction, leading to higher consumer prices as it makes up the loss out of its profits. Jeremy Clarkson was a famous victim of such a fraud when his bank details were used to set up a Direct Debit to make contributions to a charity.

There are many examples in the UK media but it’s not just a UK issue: At International Payments 2004 reported that some of its large billers had fallen victim to such schemes. Typically these frauds go unreported by the companies and the financial impact is treated as an operational loss.  But the fact remains that the real victims are the companies who rely on the Direct Debit scheme to collect from their customers.

I agree that the technology is not at fault, but additional techniques can help to manage the problem – that of ensuring that the individual is who they claim to be an that they are related to the account they propose to use.

You say that responsibility rests with the originating bank – I disagree. How can the originating bank verify that the individual with whom they have no contact is related to an account at yet another bank about which they can, for competitive and data protection reasons, know nothing? Ultimately, the liability sits with the company who signs up the consumer and it is their  customer acquisition processes which are placed under test by this fraud.

Until last year, there was nothing much the acquiring business could do about it. Many businesses came to us to ask us what they could do to prove the link between a customer’s presented ID and the bank account they were intending to use to make their payments. Experian has information to help establish this link and has been working with banks to obtain permission to use this data to reduce the fraud for their retail customers.

Finally, the Payment Services Directive will cause Direct Debit Guarantee periods for EU member states to be reviewed and must be at least 8 weeks – how many of us review our banks statements that frequently for fraudulent transactions, and if we do not today, should we start doing so?

Now hiring