IE 11 is not supported. For an optimal experience visit our site on another browser.

Hackers scored more Social Security numbers than stolen credit card numbers in 2017

Smarter criminals are finding new ways to commit cyber fraud.
Image: Credit Card Reform Legislation Would Tighten Rules On Rates And Fees
Yera Dominguez uses a credit card reader to charge a credit card from a customer for payment at Lorenzo's Italian Market on May 20, 2009 in Miami.Joe Raedle / Getty Images file
By Herb Weisbaum

Fighting digital fraud has always been a game of wack-a-mole, but those pesky moles keep getting smarter — finding new ways to use stolen information to commit lucrative scams. And despite increasing efforts to stop them, the bad guys are winning.

The “disease of identity fraud” has now reached “the level of an epidemic,” according to the just-released 2018 Identity Fraud Study from Javelin Strategy & Research. Last year was the best year ever for fraudsters, with more victims and more money stolen. The numbers reported by Javelin are eye-opening:

  • Identity fraud hit another record high in 2017. An estimated 16.7 million Americans were victimized last year, a jump of eight percent from 2016 or 1.3 million more victims.
  • The fraudsters successfully stole $16.8 billion in 2017, the highest amount in four years. They’re shopping online with stolen credit card numbers, draining money from bank accounts, taking control of mobile phone accounts, even stealing loyalty rewards points.
  • For the first time ever, data breaches compromised more Social Security numbers (35 percent) than credit card numbers (30 percent). The Equifax breach was largely responsible for that.
Fraud victims and losses continue three-year rise
Fraud victims and losses continue three-year rise.Javelin Strategy & Research

Al Pascual, Javelin’s research director and head of fraud and security, expects 2018 to be another record year for identity fraud because thieves have adapted to new security measures.

“They’re smarter now. They have all the data they need to commit fraud and they know exactly how to use it,” Pascual told NBC News. “They're getting more sophisticated faster than we can respond — and that's the big problem.”

There is one bit of good news in the Javelin report: The switch to chip-based EMV cards, which are nearly impossible to counterfeit, has dramatically reduced fraud at the point-of-sale. Visa recently reported that merchants with chip-reader payment terminals saw counterfeit card fraud losses drop 66 percent in June 2017 compared to June 2015.

The crooks are responding to EMV cards by changing things up and moving from physical locations to digital channels. They’re using stolen credit and debit card numbers to shop online or over the phone — where they don’t need a physical card, just the stolen account information.

Card-not-present fraud (CNP) is now 81 percent more likely than point-of-sale fraud (POS), the greatest gap Javelin has ever observed. Last year, nearly twice as many consumers had their cards misused in a CNP transaction than at the cash register.

The changing nature of fraud

Armed with your personal information, such as Social Security number, date of birth, and password, criminals can take over your existing financial accounts — to steal money or go shopping — or open new accounts in your name for their nefarious purposes.

New-account fraud skyrocketed 70 percent in 2017, Javelin found, as fraudsters used stolen information to open new mobile phone accounts, online payment accounts, and e-commerce accounts.

Account takeover (ATO) losses hit $5.1 billion last year, a 120 percent increase from 2016. ATO fraud continues to be “one of the most challenging fraud types,” with victims paying an average of $290 in out-of-pocket costs and spending an average of 16 hours to resolve.

Creative criminals have figured out a new way to hide what they’re doing. The “cross-account takeover scheme” involves compromising two of the same victim’s accounts — a financial account and a mobile phone or email account where password change instructions or one-time passwords are sent. This makes it easier to beat anti-fraud safeguards, such as two-factor authentication, and drain money from the targeted account.

“Online retailers have gotten good at spotting fraud,” said DJ Murphy, editor-in-chief of CardNotPresent.com. “But they are scared to death of attacks resulting from the creation of new accounts and the takeover of existing accounts because it’s much harder to tell whether a transaction is legitimate or not. The crooks have the credentials they need to fool them.”

During the holiday shopping period, cybercrime attacks accounted for more than 10 percent of all network traffic, according to a new report from ThreatMetrix. “It is likely fraudsters had cultivated a number of test accounts prior to this period, choosing to attack under the cover of high transaction volumes and larger basket sizes, hoping that their behavior is less likely to flag as high risk,” the report noted.

“The environment has gotten riskier” with attack rates up 44 percent in 2017 and increasingly coming from mobile devices, Vanita Pandey, vice president for product marketing and strategy at ThreatMetrix told NBC News. “At the same time, it’s getting harder for businesses to differentiate between a good customer and a bad one, because the cybercriminals are able to stitch together proper identities and mimic the patterns of trusted users to evade detection.”

Breaches and hacks are taking their toll

The never-ending wave of data breaches is causing American consumers to lose trust in the institutions that collect and store their personal data.

The public is also growing skeptical about how data breaches are handled, Javelin found. People increasingly believe breach notifications “principally serve to protect the interests of the breached company” and do little to protect them. Slightly more than half (53 percent) of all consumers and 64 percent of breach victims feel this way.

“Consumers are clearly concerned and they no longer feel that they can be successful in protecting themselves — and that's problematic,” Javelin’s Pascual told NBC News. “Consumers play a very central role in protecting their own identities. It seems like a lot of them feel pretty helpless and they’ve shifted the perceived responsibility for preventing fraud from themselves to other entities, such as their financial institution.”

However, there are things everyone can do to reduce their chances of getting burned or victimized again. Javelin suggests:

  1. Turn on two-factor authentication wherever possible: Requiring a separate action after providing a user name and password to access an account makes it significantly more difficult for fraudsters to take over your accounts.
  2. Secure all of your devices: Criminals have shifted their focus to mobile devices for access to accounts and the information they store or transmit. Secure online and mobile devices with a screen lock, encrypt data stored on these devices, install security software and avoid public Wi-Fi unless you use a Virtual Private Network (VPN).
  3. Place a security freeze or lock on your credit files: This will help prevent anyone from opening a new financial account in your name. There may be a small fee to freeze your account at Experian and TransUnion. Equifax will do it for free until June 30. Both Equifax and TransUnion offer a free locking service.
  4. Sign up for account alerts: Most financial institutions and credit card companies make it possible for customers to receive notifications by text or email about a variety of transactions. These alerts, which include ATM withdrawals, foreign transactions, and card-not-present purchases, give you real-time updates that make it easy to quickly spot suspicious activity.

Herb Weisbaum is The ConsumerMan. Follow him on Facebook and Twitter or visit The ConsumerMan website.