Shostack + Friends Blog Archive


Debix Publishes Data on Identity Theft

Finally, we have some real hard data on how often identity theft occurs. Today, Debix (full disclosure, I have a small financial interest) published the largest study ever on identity theft. Debix combed through the 2007 Q4 data on over 250 thousand of their subscribers and found that there was approximately a 1% attempted fraud rate (380 attempts out of 30,618 authorizations). This is well in line with the 1.05% fraud rate for new bank accounts. Now, as I’ve mentioned in the past, one of the cool things about Debix is that if you are a subscriber, then all credit requests have to be authorized by you. As a result, all 380 fraud attempts were correctly identified as such and were blocked. Pretty damn cool, eh? I highly encourage you to read the report, as it has lots of other interesting data in it, including some interesting ways in which your identity can be stolen even if you have a fraud report set on your accounts (hint: interesting things can happen if you have a spouse and they don’t have fraud reports set).
[Image is Identity Theft!! by Else Madsen]

6 comments on "Debix Publishes Data on Identity Theft"

  • Toby says:

    Are you saying that Debix combed through their data and determined that they detected 100% of the frauds that they had detected?
    If fraud was not detected in the first place, then how on Earth could it have been detected later on that it was missed?
    What am I missing?

  • Adam says:

    A draft of the report mentioned 4 cases detected later, when customers called to complain.

  • Chris says:

    As I understand it, Debix arranges for calls to be made to people when credit requests are made.
    So, for there to be a successful fraud, you need:
    1. A request without such a call, or
    2. An authorization by an acct holder when the request is not legit.
    We do not know how many instances of 1) occur. To the extent that we do not hear griping about people getting defrauded despite Debix, we can infer the rate of such screw-ups is low. I have no non-anecdotal data on this, but I haven’t sought it, either. Perhaps someone has benchmarked this?
    I suspect that instances of 2) are rare, but could be interesting in the case of joint accounts, etc.

  • Arthur says:

    @Toby Sorry for the confusion. There was no point at which people later called and reported fraud that should have been caught by the system. The system works so well because the customer is part of the interaction. As the CEO of Debix likes to say, it’s easy for me to convince someone else I’m you. It’s really hard for me to convince you I’m you. As Adam mentioned, there were four reported cases of identity theft by customers. Each was the result of circumstances that fall outside of the FCRA and fraud alert freezes; for instance, opening bank accounts isn’t covered, nor are business accounts. Additionally, if your partner doesn’t have a fraud alert set and they are the first person on the account, your name can be added even if you have a fraud alert set. The full report has more details.

  • Lyger says:

    I have a question about the claim that “(t)his is the largest identity theft study ever published with 259,761 consumers participating.”:
    Were all of the consumers actually aware that they were participating in a study before the report was made public (i.e. acknowledgement and authorization to participate)?
    If so, somewhat impressive. If not, the term “data mining” comes to mind.

  • Chris says:

    I haven’t read the report because I don’t want to provide grist for their sales lead capture system, but the use of the term “participating” is, I hope, marketing hyperbole. Just as I don’t care if my bank writes a paper that says “Our average retail customer checking balance is $786.12, with more withdrawals occurring in December than in any other month”, I wouldn’t care if Debix says that for 250,000 customers, there were 30,000 attempted credit authorizations. I’m somewhat surprised that the rate (.5 per customer-year) is that low. Given that 1% of those are Evil, does this mean that “the average customer” would suffer an attempted fraud once every 200 years?
