Last week's post by my colleague Doug King described the check fraud that took place after someone burglarized his wife's car and stole her wallet, including her driver's license and credit and debit cards. The frequency and magnitude of data breaches and constantly reading and researching payments fraud as part of my job have probably numbed me to the personal impact of fraud. When discussing the likelihood of becoming victims of some sort of identity theft fraud, we jokingly paraphrase the slogan in the South about termite infestations: "It's not a matter of if, it's a matter of when." Given the data breaches and information available through public records, we operate under the assumption that the criminal element has all the information they need to perpetrate fraud against us and, for those of us who haven't already been victimized, it is likely to happen in the near future. A pessimistic outlook for sure, but one I fear is realistic.
I still get frustrated when I see the many studies that show that, despite consumers' concern about the security and privacy of their transaction and personal information, the vast majority do not adopt strong security practices. They use easy-to-guess passwords or PINs and often use the same user ID and password for their various online accounts, from social media to online banking access. I believe that many financial institutions (FI) and ecommerce providers have passively supported this environment in that they often do not require customers to use stronger practices because they don't want to incur the customer service cost associated with password resets or customer abandonment. The lack of consistent password formatting structures adds to the confusion (some require special characters and others don't allow them).
I certainly don't hold myself out as the poster child for strong security, but our family has adopted a number of the recommended stronger security practices. These include using a simple compound password structure that creates a separate password for each application, creating a more complex password structure for financial applications, establishing filter rules designed to spot spam and phishing emails, and conducting a frequent review of financial accounts to spot unauthorized transactions.
While liability protection laws and regulations generally hold a consumer financially harmless, there clearly is a social and individual cost associated with fraud from the time spent dealing with law enforcement and FI representatives to the issue of not being able to access the funds fraudulently taken until reimbursement is made. Perhaps Doug's wife's requirement for her FI to provide a stronger level of authentication reflects a changing sense of the need by the general public for stronger security practices. I certainly hope so.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed