When an identity is stolen, the damage can extend far beyond the credit report of the victim. When the identity is used to procure credit or services, the companies that do business with the stolen identity are secondary victims. In lawsuit settlements, it is rare for a victim to recover more than 10% of the goods and services stolen by the time one considers the legal fees and the frequent inability of the defendant to pay. For Small to Medium Businesses (SMBs), these costs can become crippling and are always detrimental.
There is no way to ensure that every person who interacts with your business is who they say they are, but being knowledgeable about how identity theft can impact your business and preventing losses from identity theft is essential to doing business in the 21st century. Below you will find a primer on the basics of preventing identity theft to protect you and your customers.
What Is An Identity?
In business interactions, an identity is primarily the connection between various points of data that establishes that a person is the unique individual they claim to be. If some portion of that data is missing, or if another individual collects a significant amount of it, the “identity” can end up shared, much to the detriment of the true owner of the identity and any actors involved with the fraudulent person.
The standard form of verification used is a government-issued photo identification, and common supplemental forms include Social Security cards, pay stubs, official mail sent to an address with a matching name on it, and birth certificates.
How Do Bad Actors Obtain an Identity Illicitly?
In the modern era, people using a stolen identity are more likely to have bought the information and the matching documents than to have stolen any of the data themselves. Large, professionally run marketplaces now exist online where criminals can buy identity data, including passwords, Social Security numbers, secret question answers, and other data that may have been hacked from corporate servers. These so-called "dark-markets" steadily purchase information from hacking groups until enough is held that they can assemble a "full": a complete profile with enough information to produce very accurate ID documents. The level of data considered sufficient depends on the institutions the criminal is attempting to defraud. Opening an email account or signing up for a free magazine subscription could take little more than a name and an address, but signing up for a bank account or credit card in that name would require more documentation.
Competition among service providers, such as banks and mortgage companies, is so steep that they often attempt to seize market share by making their application processes as simple and user-friendly as possible. This requires a certain level of customer trust and accessibility for business to be conducted. That, in turn, creates vulnerabilities that savvy criminals using hacked data can capitalize on.
Pertinent Regulations
A number of governmental agencies have established regulations and guidelines on how to handle sensitive customer data. The average privately owned SMB that does business online should be concerned with the following:
- Payment Card Industry Data Security Standard (PCI DSS) – This set of regulations is applicable to any business that uses credit card information, the credit card companies themselves, and retail stores.
- Electronic Fund Transfer Act (EFT) – The EFT was created in 1978 to establish guidelines for liability and reporting for lost payment data information.
- Fair Credit Reporting Act (FCRA) – This act concerns how customer credit information is managed and distributed.
- Fair and Accurate Credit Transactions Act (FACTA) – An amendment to the FCRA, it provides a guaranteed free credit report for all consumers and codifies the rights of identity theft victims.
The comprehensive list of identity theft prevention and litigation guidelines that apply to your specific business should be discussed with both security and legal professionals who can accurately describe the contents of relevant sets of rules and how to comply with them. Even a tenuous link to personally identifying financial or health data can impose more regulations than you anticipate, and there are regional variances to consider for companies in specific areas or looking to expand into multiple states or countries.
Prevention Methods
The methods for preventing identity theft are similar to the methods used in preventing other crime: increasing physical and digital security, providing social engineering training, reporting incidents of crime to authorities, and continually reviewing all activity and security procedures.
IT Security
The largest repositories of information are now stored in digital format and accessible through a network of physically separated computers. Many of the methods used to secure a system that holds identifying information and can be accessed by a multitude of users are already common throughout businesses today, including antivirus software, firewalls, and access control. Best IT security practices are necessary to prevent identity theft and required by regulatory standards, because the swathes of consumer data kept by a company are a much more valuable target than any individual victim.
Social Engineering Training
The weakest link in any security practice is the user, whether that’s the company executive or employees with various levels of access. Social engineering is the practice of deliberately using person-to-person contact to trick a user with privileged access into divulging information, and there is no substitute for comprehensive education for every certified user.
Physical Security
With the focus on digital security, some companies may find the concept of physically securing the location of the data to be irrelevant. The prevailing and misguided thought is that if it’s encrypted and password protected, then it can’t be used. Old-fashioned dumpster diving for discarded documents containing information is still a viable method of identity theft, and a stolen hard drive can eventually be cracked by a skilled technician even if it has encryption.
Document Verification
Even if your front desk staff happens to be a retired Secret Service or FBI agent, it is unlikely that they can tell whether a passport or driver's license is authentic at a glance. There are seemingly endless variations on documents that validate an identity, so having a streamlined method of fraud detection is essential.
A great example of real-time document verification is the Fraud Fighter Identity Authentication system. The devices can create a digital copy of an ID card or other document and compare it to a comprehensive database, detecting forgeries with the accuracy of a seasoned veteran.
Additionally, the company has models available with the ability to detect counterfeits of the most important document: cash. The slim detectors pass a burst of UV light, allowing a fast enough check for any business that deals frequently with currency, including gas stations, bars, banks, casinos, and any store with a cash register.
Repeat
Security is like cleaning; it requires constant upkeep, and sometimes you have to revisit the same area over and over to ensure that processes and rules are being followed by employees, and that the appropriate control measures are, in fact, in place. In many cases, it may be necessary to constantly perform updates or upgrades to your system to keep it current.
Reporting Incidents of Identity Theft
Several of the regulations require that any detected breach of identity, whether it originated from within your company or not, be reported to the agency in question. Identity verification software can be configured to send in a report automatically or provide you with the details to file it yourself, but for your own protection it is critical that you do not assume that it does.
Awareness, Knowledge, and Proactive Security Are the Keys
Absolutely verifying an identity on every interaction with a customer online is implausible at best, but the use of electronic security measures and identity theft detection software can reduce the potential harm to businesses and consumers. Hopefully, this article has alerted you to these risks and will encourage you to seek out further consultation and aid for preventing identity theft.