One of my biggest annoyances in the industry is the lack of good metrics for making informed decisions, and the overuse of crappy metrics (like ROI) that drive poor decisions. Of those valid metrics that wistfully dance with rainbows, unicorns, and pony-unicorns in my happiest dreams, those that correlate real-world fraud with real-world incidents stand alone on the peak of the rainbow bridge to metrics nirvana. I’ve written about our need for fraud statistics, not breach statistics, but often feel like I’m just banging my head against the hard, thick walls of big money.

Thanks to Debix, today there’s a bit of rainbow light at the end of the tunnel (have I killed that analogy yet? Really? Even with the unicorns?). As many of you know, since they sponsored a contest here at Securosis, Debix is an identity theft prevention company. They place credit locks with the credit agencies for you, and route all new account requests through their call center for routing to you for approval or disapproval.

Today they released some very interesting statistics. Since they pass a lot of credit query traffic through their call center, they closely track new account fraud attempts against their client base. Many of their clients enroll as a protective measure after data breaches, so for those customers they can also track at least one of the breach origins (nothing says that’s the only time they’ve been a victim). Some of this information is based on my briefing with them, and is not available in the report.

  • According to this report from the Identity Theft Resource Center, new credit account fraud is 57% of financial identity theft.
  • Many of the 259,761 accounts included in the study were the result of major incidents involving lost backup tapes.
  • There were 30,618 authorization attempts for new credit lines.
  • Of those, 380 were fraudulent (and stopped).
  • There were 4 incidents of new account creation that circumvented the Debix controls (all detailed in the report).

This gives us a bit of meat to work with. The fraud rate is about 1.25% of new accounts, which is about the average. Since most of the participants were exposed due to lost backup tapes, it shows either that those losses are not resulting in increased fraud, or that the bad guys are holding onto the information for greater than the (public) 1 year of protection.

Debix also added a new feature recently that may lead to more interesting results. When you decline to open a new account, you have the option to immediately route your case to a private investigator on their staff, who collects the information and engages law enforcement. While I doubt we’ll get hard numbers out of that, we might get some good anecdotes on the fraud origins.

On our call Debix committed to providing more statistics down the road (all anonymized of course). We gave them a few suggestions, including some ways to add controls to their analysis, and I’m really looking forward to seeing what numbers pop out in the coming years. Ideally we’ll see more stats like this coming out of the credit agencies and financial institutions, but I’m not holding my breath.

(Full disclosure: I have no business relationship with Debix, but am currently enrolled with them with a free press/pundit account).