The Green Sheet, Inc

Identity Theft and the ISO/MLS

By David H. Press

The Federal Trade Commission (FTC) and the Better Business Bureau (BBB) have both estimated that more than 9 million American consumers fall victim to identity theft each year.

In its annual report on consumer fraud, "National and State Trends in Fraud and Identity Theft," released Feb. 1, 2005, the FTC reported that Americans lost nearly $548 million to identity theft and consumer fraud in 2004, with the Internet providing new ways for consumers to fall victim to age-old scams.

The median monetary loss reported was $259, although 41 consumers reported losses of $1 million or more.

Most likely, consumers lost significantly more than the amount reported because fewer than half could pin an actual dollar figure on their losses, and the losses probably continued after the initial report to the FTC.

The FTC also stated that it received more than 635,000 consumer complaints in 2004. Identity theft topped the list with nearly 247,000 complaints, up 15% from the previous year.

Beware of the Internet?

More than half of the complaints (53%) were Internet-related. Criminals selling nonexistent products through online auction sites; shopping with stolen credit card account numbers; using fraudulent Web sites; or "phishing" through unsolicited e-mail contributed to the problems. ("Beware the 'Phishermen,'" by David H. Press, The Green Sheet, July 12, 2004, issue 04:07:01).

However, the "2005 Identity Fraud Survey Report," released on Jan. 26 by the BBB, shows that more cases of identity theft actually result from crimes that occur offline or with "paper" than from crimes that occur online.

Internet-related fraud problems are less severe and less costly than losses resulting from lost or stolen wallets and checkbooks, dumpster diving, mail theft, etc. The BBB reported that these paper-based losses were eight times greater than Internet-based losses.

Regardless, consumers and merchants should still show caution when using the Internet. Fraudsters are developing insidious techniques for tricking users into providing account information and other personal data.

One method involves spam and phishing, where fraudsters hoodwink prospective victims into clicking through to phony sites. Fortunately, consumers are quickly catching on to this trick.

Another and more devious method involves "domain name system (DNS) poisoning" or domain hijacks to redirect users to fraudulent Web sites.

The hoax is called "pharming," and it eliminates the need to coax users into responding to junk e-mail alerts. The attacks also occur across a broader front, potentially misdirecting all e-mail and Web traffic away from victims.

There are now reports of "evil twin attacks," which occur when a "cracker" sets up an attack computer as a duplicate public access point in a cafe or airport, mirroring the actual settings but with a much stronger signal.

An unsuspecting patron then simply accesses the Internet using the stronger but fraudulent signal. The user still connects to the Internet, but through the cracker's system. This allows the cracker to sniff or read any data that the victim sends via the Internet, such as a login ID and password for an online bank account.

People who surf the Web only to look for sports scores or news aren't at much risk. However, individuals who purchase goods or services or balance their checkbooks online might fall victim to identity theft.

Acquirers, ISOs and MLSs Are at Risk, Too

Identity theft is not only a problem for card issuers; it also affects acquirers/ISOs and merchant level salespeople (MLSs) where it hurts them the most: the bottom line. For example, acquirers are responsible for the risk of loss in the following scenarios:

Fooled by the "Bust-out Merchants"

These types of fraudulent merchants use a person's stolen name and then run credit card numbers either obtained through the practice of phishing or compromised through other means such as at the point of sale.

Terminals are portable and "bust-out" merchants can use them almost anywhere. When they finally close their merchant accounts, the fraudsters simply take the money and run.

Acquirers make this easy for the criminals by using the Web to conduct such business as submitting online merchant applications and granting instant approvals. ISOs/MLSs are then stuck with the chargebacks. Even ISOs/MLSs who don't take this risk could get stuck with the loss through the indemnity clause of their merchant program/marketing agreement or agent agreement.

Attack of the Chargebacks

Using a list of stolen cardholder account numbers, these criminals attack legitimate online merchants (or mail order/telephone order merchants) who are selling a product in high demand.

Unless ISOs/MLSs have provided merchants with all the protection tools available, the crooks can bombard merchants with the stolen account numbers. The result to the merchants is an administrative nightmare with a load of chargebacks, fees and potential fines from the card Associations.

In a worst case scenario, merchants are faced with all the problems above, plus the loss of valuable product that they've already shipped to the fraudsters. This forces them out of business, and ISOs/MLSs are stuck with a huge loss, too.

These two scenarios can be very costly to merchants and to ISOs/MLSs alike. ISOs/MLSs need to protect themselves and their businesses with proper underwriting and the use of the appropriate fraud and risk tools.

A New Security Standard

Since I submitted my last article concerning CISP and SDP ("A Must for 2005: CISP and SDP Compliance Reviews," The Green Sheet, Jan. 10, 2005, issue 05:01:01), the card Associations have made their long anticipated announcement regarding the alignment of their cardholder data programs, which help protect their customers' account information.

Visa U.S.A. and MasterCard International announced their endorsement of a new Payment Card Industry (PCI) Data Security Standard ("PCI: Card Associations Unite to Fight Fraud With Collaborative Standard," The Green Sheet, Feb. 14, 2005, issue 05:02:01), and other major card brands are expected to adopt the standard as well.

The standard is a result of cooperation between the card Associations to create common security requirements for the industry. While each Association will continue to have its own program, all will abide by the same 12 agreed upon requirements.

View a list of the requirements at: http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf?it=il|/business/accepting_visa/ops_risk_management/cisp.html|PCI%20Data%20Security%20Standard

Remember, Visa members as well as their merchants must use service providers that are CISP compliant. For more information, visit: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_service_providers.html?it=l2|/business/accepting_visa/ops_risk_management/cisp%2Ehtml|Service%20Providers

Also visit the following Web sites for more information:

David H. Press is Principal and President of Integrity Bankcard Consultants. Phone him at 630-637-4010, e-mail him at dhp@integritybankcard.net or visit www.integritybankcard.net.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
© 2005, The Green Sheet, Inc.