UniverseComplex

The

ofIdentityTheft

Effective, thoroughprotection is morethan just “locking” upyour data...

Identity Theft is a broadly-used termthat has achieved consumer awareness,but the term itself does very little toimpart the vast ways individuals are atrisk on a daily basis. To have the mostthorough and effective protectionagainst Identity Theft, consumersshould employ a combination ofservices to address each of their areas of risk. Affinion has assembledall of these components with its world-class suite of Identity Theftprotection services.

YOUR PERSONAL INFORMATION –the very key to your identity – is likelyto be compromised in the coming year.Estimates calculated in 2007 suggestthat approximately 264 million piecesof other people’s personal informationwere exposed by identity theft orfraud1 – that’s almost as high anumber as the 2007 U.S. population of301,139,947.2 You may not necessarilybecome a victim of identity theft, butwith your personal information readilyavailable for anyone to use, thelikelihood of becoming a victimincreases exponentially. But, that’s thebad news.

The good news is our government hastaken a reasonably proactive stance on

See “Universe,” Page 2

By Frank W. Abagnale

• Consumers must now be notified bythe responsible party (that possessespersonal data) in the event theirpersonal data has been, or is suspectedto have been, exposed in a data breach(currently a law in 39 states).

A Fraud Alert is Not EnoughFraud Alerts are a free service forconsumers. When a Fraud Alert isplaced on your credit file, creditgrantors are required to take additionalsteps to verify that the creditapplication is not fraudulent. TheFraud Alert includes the consumer’sphone number, and creditors generallycall the consumer, as this is the fastestand most secure method to verify thatthe consumer is the one requestingcredit, not an impostor. Sometimes,creditors use alternative methods,

including challenging questions orrequesting additional identification,to verify the application.

Fraud Alerts are getting a lot of pressthese days, perhaps driven by LifelockIncorporated’s advertising campaign.Viewers watch in awe as Lifelock’s CEOdoles out his Social Security number tothe general public, confident in itssecurity. Unfortunately, this creates afalse sense of security as fraud alertsprevent only one of the three majoridentity theft attacks commonly wagedagainst consumers.

Lifelock’s business – like othersproviding undifferentiated services – isfocused on setting Fraud Alerts. Theselimited service providers take this free,government-provided service andcharge the consumer for it.

Affinion Group agrees that FraudAlerts are effective and can be animportant part of a complete identitytheft solution. However, simply settinga Fraud Alert is not enough.

Debix – A ComplementarySolution Inside AffinionAffinion has entered into a partnershipwith Debix, the creator of the world’s

The Complex Universe ofIdentity TheftEffective, thorough protection is more thanjust locking up your data.

identity theft and fraud. In 2003,Congress passed the Fair and AccurateCredit Transactions Act, whichamended the Fair Credit Reporting Actto provide potential victims of identitytheft with certain rights andprotections. At the state level,additional laws have been enacted toprevent identity theft. The keycomponents of such legislation includethe following:

• Consumers are allowed one freecredit report from each of the threemain credit bureaus (Equifax,TransUnion, and Experian) each year.(Fair Credit Reporting Act, § 612; 15U.S.C. 1681j)

• Consumers who have a good-faithsuspicion they have been – or areabout to become – the victim ofidentity theft, can place a “fraud alert”on their credit file. A fraud alert stayson the consumer’s credit file for atleast 90 days, and requires anypotential creditor to contact theconsumer at the phone numberprovided or take other reasonablesteps to verify the identity of theperson applying for credit. (FairCredit Reporting Act, § 605A; 15 U.S.C.§ 1681c-1)

From “Universe,” Page 1

2

Figure 1: Debix in Action - Actual Crime Prevented

3

first and only electronic IdentityProtection Network. This IdentityProtection Network utilizes FraudAlerts to allow banks to send anInstant Authorization to any consumerin the network.

Figure 1 illustrates the core capabilityof the Network. The white dotsrepresent approved transactions wherea creditor sent an instant authorizationcall, and the consumer approved it byverifying their VoiceKey after enteringtheir 4-digit PIN into their pre-registered phone. In security jargon,this is called multi-band, multi-factorauthentication. The red dots representattacks where the consumer declinedthe account and reported it as fraud.The instant this report occurs, theconsumer is transferred to a Debix callcenter to assess the situation anddetermine the proper course of actionwith law enforcement while the thief isstill active. The network also providesan audit trail of the incident tosupport the case.

Never before have consumers, banks,and law enforcement been able tocommunicate in real time to preventidentity theft and pursue the criminalswhile the trail is hot. In the fourthquarter of 2007, Debix subscribersresponded to 30,618 instantauthorization calls from banks andalso stopped 380 fraudulent accountsfrom being opened by reporting themas fraud. Of these, Debix escalated 29hot cases to law enforcement ashighlighted in Figure 2.

Limited service providers take theinformation from customers who wantFraud Alerts issued, and send theinformation to the credit bureaus.Their only follow-up activity is to re-send the information after 90 days,which is how long initial Fraud Alertsremain active.

Debix is the only company that isactually with the consumer during an actual account opening –fraudulent or not. The competitionhas no idea what is happening withthe consumer’s identity.

Affinion’s Complete Suite of ServicesAffinion Group feels that Fraud Alertscan help combat identity theft, but theyare not a complete solution becausethey address only one of the threecommon categories of attacks. Forconsumers wanting to take all possiblesteps to prevent identity theft, FraudAlerts only help keep new fraudulentcredit from being issued. They areuseless when it comes to the other,more prevalent varieties of identitytheft and fraud.

In November 2007, the Federal TradeCommission (FTC) published theirannual report on identity theft.Through a survey of actual identitytheft victims performed by SynovateCorporation, the FTC was able todetermine three main categories ofidentity theft: New Accounts & OtherFraud, Misuse of Existing Non-CreditCard Account or Account Number,and Misuse of Existing Credit Card orCredit Card Number.

The Numbers Aren’t Pretty – and They Don’t LieFraud Alerts do stop new fraudulentcredit from being issued, which is themost damaging form of identity theft,but new account fraud is onlyestimated to be 22% of the identitytheft problem. Non-credit accountmisuse and existing account misusetogether represent nearly 78% ofidentity theft as reported by actual victims.3

Identity thieves will sometimes changethe billing or mailing address on anexisting account. They may also try toget new cards issued in their name orsome other name. This is commonlyreferred to as “account takeover.” In

their report on identity theft, the FTC writes:

Account takeover was reported by 9% ofvictims who experienced existing creditcard misuse, and 11% of victims whoexperienced existing non-credit cardaccount misuse. Because new accountfraud involves the creation of an entirelynew account rather than the misuse ofan existing one, account takeover doesnot apply to that type of identity theft.4

It is important to note here thatlimited Fraud Alert service providersdo absolutely nothing to stop – ornotify – a consumer that an existingaccount has been compromised.Currently, the only available means todetect account takeover is throughregular monitoring of all yourstatements and credit monitoring.

Non-credit account fraud refers tofraudulent activities that do notinvolve the misuse of an existing ornew financial account. In fact, 12% ofvictims reported non-account misuse –the most common form being aperson’s name and/or personalinformation being given to the policewhen a thief was stopped or chargedwith a crime.3

Once again, limited fraud alert serviceproviders like Lifelock will do nothingto protect or alert an individual of thistype of identity theft. Detecting thistype of fraud can only beaccomplished through publicinformation review and monitoring.There are hundreds, perhapsthousands, of identity thieves whowon’t actually use your compromised

See “Universe,” Page 4

Figure 2: ID Theft Attacks Stopped and Reported to Law Enforcement

personal information to steal youridentity – they’ll just sell it all tosomeone else who will. The sale ofpersonal information generally takesplace in underground Internet chatrooms. In fact, the President’s IdentityTheft Task Force and the U.S. SecretService estimate there are 20,000 usersof those underground chat rooms and“carding sites.” Limited fraud alertservice providers can’t alert you if yourpersonal information is exposed inthese chat rooms. To date, the onlyreliable method of detection is real-time chat room monitoring.

Every Consumer Needs MoreThorough ProtectionThere have been a number ofgovernmental data breaches recentlywhere state and federal governmentshave lost constituents’ personalinformation. Despite the recentproactive federal legislation, theseorganizations have provided only partof the solution to help consumersprotect themselves. While severalgovernment organizations haveselected Debix to protect theseconsumers from new credit fraud, it isnoteworthy that these organizationshave not provided any form ofmonitoring for account takeover,public exposure of data, or non-financial account misuse. This is aparticularly vital component when thecompromised data includesconstituents’ credit card numbers,payment processing information, andother data that could be manipulatedfor account takeover or misuse.Remember, the FTC estimates thesetypes of fraud make up nearly 78% ofidentity theft.3

To have the most thorough andeffective protection available, consumersshould employ a combination of dailycredit monitoring, public informationmonitoring and reporting, real-timechat room monitoring, and the Debixsolution. Affinion has assembled all of these components with its world-class suite of Identity Theft protection services.

1Privacy Rights Clearinghouse estimates 218 million records

were exposed in 2007. This number does not include the TJX

customer breach in which information from at least 45.7

million credit and debit cards was stolen.2https://www.cia.gov/library/publications/the-world-

factbook/print/us.html (July 2007 est.)3Consumer Fraud and Identity Theft Complaint Data,

January – December 2006, Federal Trade Commission,

February 20074Federal Trade Commission – 2006 Identity Theft Survey

Report, November 2007 5Combating Identity Theft, a Strategic Plan. The President’s

Identity Theft Task Force,April 2007

For consumerswanting to take all possible steps to prevent identitytheft, fraud alerts alone are not enough.

From “Universe,” Page 3

4

The three main forms of identity theft and their frequency, asdetermined by the Federal Trade Commission, through a surveyof actual identity theft victims.

38%

22%

40%

Figure 3: Percentages of Identity Theft by Type