18-2052j-fm-2018 identity protection service provider ... · 2018 identity protection service...

2018 IDENTITY PROTECTION SERVICE PROVIDER SCORECARD

DECEMBER 2018

Licensed by:

© 2018 GA Javelin LLC, a Greenwich Associates LLC company. All rights reserved. This report is licensed for use by Javelin EZShield only. No portion of these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of GA Javelin LLC. Licensors may display or print the content for their internal use only, and may not sell, publish, distribute, re-transmit or otherwise provide access to the content of this report without permission. 2


Executive Summary ............................................................................................................................................................................. 4 Key Findings ............................................................................................................................................................................ 4

Recommendations ................................................................................................................................................................................ 6 Addressing Today’s Fraud Threats ................................................................................................................................................. 7 Four Types of IDPS Subscribers .................................................................................................................................................... 10 Key threats to the Identity Protection Market .......................................................................................................................... 12

Core Focus — Apathy and Lack of ROI ....................................................................................................................... 12 Consumer Credit Safeguards: Freezes, Locks, and Alerts .................................................................................... 14 Monitoring Focus — Aggressive Free Competition ................................................................................................ 15 Data Protection Focus ....................................................................................................................................................... 17

Scorecard Results ................................................................................................................................................................................ 19 Prevention ............................................................................................................................................................................................. 20

Data Security Tools ............................................................................................................................................................. 21 Authentication ...................................................................................................................................................................... 22

Detection ............................................................................................................................................................................................... 24 Child Identity Monitoring .................................................................................................................................................. 25 Existing Account Monitoring .......................................................................................................................................... 26

Resolution .............................................................................................................................................................................................. 27 Digital Resolution Tracking ............................................................................................................................................. 28

Appendix ................................................................................................................................................................................................ 29 Methodology ........................................................................................................................................................................................ 30 Endnotes ................................................................................................................................................................................................ 30

TABLE OF CONTENTS

Figure 1: Mean Fraud Amount and Resolution Hours, 2008-17 ............................................................................................ 7 Figure 2: Perceived Impact of Fraud, 2008-17 ........................................................................................................................... 8 Figure 3: IDPS Net Promoter Categories, 2015-18 ................................................................................................................... 8 Figure 4: Reasons for Canceling Subscriptions, 2015-2018 ................................................................................................... 9 Figure 5: IDPS Subscriber Segments ........................................................................................................................................... 10 Figure 6. Reasons for Cancellation, by Subscriber Focus .................................................................................................... 12 Figure 7: Reasons for Canceling Subscriptions, 2015-18 ...................................................................................................... 13 Figure 8: Source of Most Recent Credit Score, IDPS Subscribers and Other Consumers ....................................... 16 Figure 9: Most Important IDPS Features, by Age ................................................................................................................... 17 Figure 10: Prevention Category Rankings ................................................................................................................................. 20 Figure 11: Data Protection Capabilities at Evaluated Providers ........................................................................................ 22 Figure 12: Password Reset Authentication at Evaluated Providers ................................................................................ 23 Figure 13: Detection Category Rankings ................................................................................................................................... 24 Figure 14: Child Identity Protection Capabilities at Evaluated Providers ..................................................................... 25 Figure 15: Alert Types Offered at Evaluated Providers ........................................................................................................ 26 Figure 16: Resolution Category Rankings ................................................................................................................................. 27 Figure 17: Digital Resolution Tracker Availability at Evaluated Providers .................................................................... 28 Figure 18. Percentage of Fraud Victims Affected by Each Fraud Type ........................................................................ 29 Figure 19. Number of Financial Relationships Among Banked Consumers ................................................................. 29

TABLE OF FIGURES



ABOUT JAVELIN: Javelin Strategy & Research, a Greenwich Associates LLC company, provides strategic insights into customer transactions, increasing sustainable profits for financial institutions, government, payments companies, merchants and technology providers.

AUDIENCE: Identity protection service providers, digital security solution providers, financial

institutions, credit card issuers, credit bureaus, investment firms, and government regulatory agencies

AUTHORS: Kyle Marchini – Senior Analyst, Fraud Management Al Pascual – SVP, Research, Head of Fraud & Security CONTRIBUTORS: Ian Benton – Senior Analyst, Digital Banking & Payments Crystal Mendoza – Production Manager Sean Sposito – Analyst, Cybersecurity EDITOR: Mark Stevenson PUBLICATION DATE: December 2018

OVERVIEW In the wake of some of the most destructive data breaches and dramatic changes to the US payments landscape with the adoption of EMV, the intensity and diversity of fraud schemes continue to increase. These growing threats reinforce the relevance of identity protection services in facilitating victims’ ability to prevent, detect, and resolve fraud. But other headwinds are emerging. The breadth of features offered by leading identity protection providers means they are exposed to competitive pressure on many fronts. Consumers have plenty of options when it comes to free credit monitoring. Newer feature sets such as data protection tools bring identity service providers into competition against data security companies who have established reputations in the space. In Javelin’s eleventh Identity Protection Service Provider Scorecard, we evaluate twenty leading products for the features they offer to help victims Prevent, Detect, and Resolve fraud against the backdrop of the threats facing consumers. PRIMARY QUESTIONS

How do current fraud and financial service trends impact consumers demands on and expectations for the IDPS industry?

How should providers adjust product offerings to best meet the challenges posed by the changing nature of fraud and the competitive landscape?

What identity protection service providers offer the widest array of capabilities suited to addressing current and emerging fraud threats?



EZShield takes Best in Class in the 2018 Identity Protection Service Provider Scorecard. As the only provider to emerge as a leader in all three categories, EZShield distinguished itself through its breadth of capabilities, providing both robust core functionality around credit, black market, and existing account monitoring and emerging features, such as mobile data protection tools and digital fraud resolution capabilities. EZShield, ID Watchdog, IdentityForce, and Norton LifeLock distinguished themselves as leaders in prevention. These products all offer a wide array of features aimed at blocking threats to subscribers’ identities. Notably, all these providers integrate digital security features into either their desktop or mobile offerings, such as secure browsing tools and anti-malware partnerships. EZShield, ID Watchdog, and LegalShield distinguished themselves as leaders in detection, narrowly leading a competitive field. Each of these providers offers a robust set of alerts for core monitoring services while also integrating newer features such as existing account and social media monitoring. EZShield, IdentityForce, and Norton LifeLock distinguished themselves as leaders in resolution. Not only do these providers offer accessible resolution services, they moved ahead of the pack by digitizing parts of the resolution process. All three providers enable victims to report fraud from within their mobile apps and online portals. Subscriber satisfaction is on the rise. After several years of lackluster user satisfaction, the IDPS industry’s Net Promoter Score rose to 22.6 in 2018 from 6.6 in 2017. With just under half (45%) of customers saying they would be likely to

recommend their subscription, there is still a long way to go, but the industry is moving quickly in the right direction. Regulatory backlash is behind the industry for now. After repeatedly being pummeled by regulatory agencies for deceptive and abusive sales practices, the IDPS industry has had three years clear from fines, and it’s showing. Poor industry reputation as a driver for attrition has steadily declined since 2015 and this year became the least prevalent reason for subscribers to cancel their services. Intensifying fraud attacks reinforce the value of identity protection services. With fraudsters diversifying the types of organizations they target, the amount of time victims have to spend resolving fraud has risen notably since hitting a low in 2015. As fraud moves to other industries, many of the targeted companies have not had nearly as much experience in resolving fraud as financial institutions. On top of that, the proportion of fraud victims who say the incident had a severe impact on their life jumped from 8% in 2017 to 24% in 2018, undoing a decade of declines. This establishes additional value for resolution services that help guide victims through restoration processes that may not be well-defined. But other headwinds are emerging. The breadth of features offered by leading identity protection providers means they are exposed to competitive pressure on many fronts. Consumers have plenty of options when it comes to free credit monitoring. Newer feature sets such as data protection tools bring identity service providers into competition against data security companies who have established reputations in the space.

EXECUTIVE SUMMARY



Fraud and breach fatigue is setting in. In spite of the increasing intensity of fraud, in terms of both real and perceived impact, customers discontinuing subscriptions because they are now less worried about fraud jumped dramatically in 2018 to become the third most prevalent reason for attrition, just behind the subscription’s being too expensive and expired free periods. Free credit freezes chip away at the value of identity protection services. For consumers who do not plan to open new financial products or apply for other accounts that may require a credit inquiry (e.g., opening a new mobile phone account), credit freezes can obviate essentially all the credit-related safeguards offered by identity protection. Not only does a credit freeze ensure there will be no new credit activity for monitoring products to detect, it means the identity protection service will also be unable to access the information contained within the credit report — effectively shutting down those features.

More than half of evaluated IDPS plans rely on PII or knowledge-based authentication to verify customers’ identity during the password reset process. Not only do these authentication methods provide only a nominal level of assurance given the past five years of data breaches, they condition users to be willing to provide their sensitive data for day-to-day activities, increasing the risk associated with phishing and other social engineering schemes. Child identity protection features tend to mirror capabilities for adults, to the detriment of robust products. The most widely available child identity theft protection feature is the ability to monitor for the sale of the minor’s personal information on black markets, currently offered by 65% of evaluated providers. This functions in a very similar manner to the same feature for adults. Unfortunately, monitoring for the establishment of a new credit report in the child’s name or attached to the child’s SSN, a somewhat stronger safeguard against both synthetic identity and familiar fraud, is the least prevalent child identity protection feature, provided by just 40% of evaluated providers.



RECOMMENDATIONS Use data security partnerships to expand fraud prevention capabilities. Features such as screening for data-stealing malware, identifying phishing pages, and boosting the security of users’ logins can directly counter many of the threats that lead to subscribers’ data being compromised — stopping the attack prior to the information’s winding up in the criminal marketplace. Consequently, data protection features can turn identity protection service providers into active players in mitigating fraud risk, rather than sideline observers that detect fraud when it occurs. Enable subscribers to customize existing account monitoring alerts. Specific alert customizability enables identity protection providers to act as a supplement to card protection features at the subscriber’s financial institution. The basic transaction risk assessments provided with the card are likely to render existing account monitoring without customizability largely redundant. Conversely, providing the subscriber with a more robustly configurable set of alerts can enable the identity protection service to function well in tandem with pre-existing card safeguards. Aim to make digital channels self-sufficient. While only peripheral to the identity protection space, free competitors such as Credit Karma are raising the bar for digital capabilities with tools such as being able to submit disputes on TransUnion credit report entries entirely within their webpage. These kinds of features help the service move away from being a “concierge-style” offering that assists but can take only limited action to one that actually puts tools into consumers’ hands that they did not have before.

Digitize the resolution process. Enabling victims to initiate fraud claims from within the online portal can facilitate more timely detection and jump-start the resolution process. While these features are unlikely to eliminate the need for direct contact with victims, it can reduce the amount of time spent gathering basic information, enabling resolution specialists to focus on helping victims identify the most effective next steps. Use online portals to track next steps and follow-up needs. Integrating a digital resolution tracker into the IDPS platform’s online and mobile portals can help remind victims of the steps already taken and recommend the best steps to take next, potentially including links to key forms or contact information for organizations to reach out to. Unfortunately, only 20% of evaluated providers offer this capability through their web platform, and only 15% offer it through their mobile app.



ADDRESSING TODAY’S FRAUD THREATS In the aftermath of one of the most critical data breaches of all time, fraud hit record highs in 2017 as fraudsters broadened their focus to target a wider array of account types and organizations. The combined increased intensity and diversity of fraud schemes have reinforced the relevance of identity protection services in facilitating victims’ ability to prevent, detect, and resolve fraud. Following the formal switch to EMV chip cards in late 2015, with fewer opportunities for fraud at the point of sale due to the difficulty of counterfeiting cards, fraudsters have instead turned their attention to fraudulent new accounts and attacks on digital portals at financial institutions, merchants, and even other digital accounts such as email and social media. Because financial institutions have conventionally been the “first responders” when fraud occurs, they have developed fairly streamlined resolution flows

that remove much of the burden from the victim — in part because federal regulations and card network rules have almost entirely shielded victims from liability for fraud. However, as fraud moves to other industries, many of the targeted companies have not had nearly as much experience in resolving fraud as financial institutions. Consequently, along with the increased complexity of fraud has come a corresponding increase in the amount of time victims need to spend resolving each incident. In 2017, fraud victims spent an average of 8.7 hours of their own time resolving fraud, up from the record low of 5.2 hours in 2015 (Figure 1). This reinforces the value of identity protection providers in helping to coordinate victims’ efforts in restoring their identity, directing them to the best parties to contact and advising on the ideal next steps for fraud resolution.

Resolution Times Climb as Fraud Amounts Continue to Decline Figure 1: Mean Fraud Amount and Resolution Hours, 2008-17

Source: Javelin Strategy & Research, 2019



As fraud amounts steadily decline and fewer and fewer victims pay any amount out of pocket to resolve fraud, the amount of time victims have to invest in restoring their identity has become a good metric for how burdensome fraud resolution is for victims, and victims’ perception of the impact of fraud on their life bears that out. After a decade of slowly declining severity of fraud, in 2017 the proportion of fraud victims who reported that fraud had a severe impact on their life jumped back up to 24%, the same level as in 2008 (Figure 2). At a high level, the identity protection market appears to be in good shape in 2018. Overall satisfaction increased notably from 2017, with the industry’s Net Promoter Score rising from 6.6 in 2017 to 22.6 in 2018, with both a steep increase in promoters, to 45% from 38%, and a corresponding decrease in detractors, to 22% in 2018 from 31% in 2017 (Figure 3).

Severity of Fraud Spikes, Undoing a Decade of Progress Figure 2: Perceived Impact of Fraud, 2008-17

Industry NPS Rises Notably From 2017 Figure 3: IDPS Net Promoter Categories, 2015-18





Along with a rise in subscriber satisfaction came more good news for the identity protection service industry. The proportion of subscribers canceling their subscription due to poor industry reputation continued its three-year decline to become the least prevalent reason for canceled subscriptions in 2018 (Figure 4). This suggests that IDPS providers have largely been able to put a rash of regulatory actions behind them. These penalties, largely imposed by the Consumer Financial Protection Bureau and the Federal Trade Commission, hit IDPS providers and their financial institution clients for $2.4 billion in fines between 2012 and 2016, due to unethical marketing and sales practices, such as charging users who had not been fully enrolled and consequently could not access the full benefits of the product.

The lack of regulatory action since 2015 can be attributed to two factors. First, heavy penalties have made IDPS resellers particularly averse to regulatory risk, with many financial institutions withdrawing identity protection add-on services. The number of identity protection subscriptions obtained through a financial institution, the main target of regulatory action, declined from 28 million in 2015 to 23 million in 2017.1 Those that remained in the market have prioritized compliance transparency in potential partnerships. Additionally, the Trump administration’s efforts to restrict the power of the CFPB have resulted in a general decline in regulatory actions. However, providers should be wary of a potential for increased regulatory scrutiny in the future with the Democrats’ resurgence in the House of Representatives.

Identity Protection Industry Reputation Recovers From Regulatory Blows Figure 4: Reasons for Canceling Subscriptions, 2015-2018




While the intensifying fraud landscape means that consumers do have a need for the kinds of services offered by IDPS providers, that doesn’t mean the market is not facing headwinds. One of the greatest challenges facing the industry is the perennial criticism that these products largely function as a combination of services that consumers can find elsewhere, and to a certain extent this is valid. The breadth of features offered by leading identity protection providers means they are exposed to competitive pressure on many fronts. Consumers have plenty of options when it comes to free credit monitoring. Newer feature sets such data protection tools bring identity protection service providers into competition against data security companies which have established reputations in

the space. The mark of a leader in the identity protection market is a product that is able to effectively combine these disparate features into a cohesive product that justifies customers’ going to them, rather than assembling their own set of tools from those available in the market. To more clearly identify the threats to the identity protection service industry, we can break subscribers into four segments based on the types of features that matter most to them in the IDPS subscription:

Core focus: Two in five (41%) subscribers care most about what could be described as “core” IDPS features such as resolution assistance, fraud insurance, dark web monitoring, and credit freezes.

Customers’ Focuses Dictate the Competitive Threats Facing IDPS Providers Figure 5: IDPS Subscriber Segments

FOUR TYPES OF IDPS SUBSCRIBERS




Monitoring focus: Accounting for just under a third (29%) of IDPS subscribers, these users care most about features that monitor for suspicious activity on their credit report or existing accounts.

Data protection focus: A notably smaller group than users with a core focus, 13% of subscribers care most about data protection features, tools such as password managers, anti-malware, and VPNs.

Other focuses: A fairly small, but not negligible, set of subscribers (17%) report they care most about features that are typically seen as ancillary IDPS features such as educational material, breach notifications, and the service’s mobile app.



CORE FOCUS — APATHY AND LACK OF ROI Since many of the features that core-oriented subscribers care about are relevant only when fraud occurs or is about to occur, IDPS providers can struggle to provide relevance to this set of users. After six months or a year have gone by with no signs of fraud and no subscriber data being picked up in the dark web, it becomes difficult to convince users that the $10 to $30 per month expense of an IDPS subscription is worth it. This manifests in a particularly high rate of cost-related attrition. More than a third (34%) of core-oriented subscribers who canceled a subscription within the past year did so because the subscription

was too expensive, notably higher than the rate for those with a monitoring focus (24%) and twice as high as for users with a data protection focus (17%) (Figure 6). The high rate of cost-related attrition should be a driver for identity protection services to implement more active tools and emphasize the ones they currently offer. In addition to the fraud protection benefits of tools such as existing account monitoring through aggregation and data protection tools such as anti-malware and password managers, these tools offer capabilities that are relevant to daily browsing and financial management, minimizing “dead air” that can occur between credit report refreshes and other monitoring updates.

IDPS Providers Fail to Justify Value to Core Subscribers Figure 6. Reasons for Cancellation, by Subscriber Focus

KEY THREATS TO THE IDENTITY PROTECTION MARKET




Elevated concern about cost is also exacerbated by a general decline in concern about fraud among identity protection service subscribers, in spite of the growing intensity of fraud affecting consumers. This driver broke into the three most prevalent reasons for cancellation in each of the primary customer categories and contributed to a quarter (26%) of cancellations by core feature users (Figure 6). This factor becomes even more significant when placed in context with the past few years. In 2015 and 2017, lessened concern about fraud was a comparatively minor driver for user attrition, ranking as the second least prevalent reason for users to cancel their subscriptions in both years. In 2018, this leaped to near the top of the chart as the third most prevalent reason for users to cancel their subscriptions, behind the service’s being too expensive and expired free subscriptions.

Decreased concern about fraud is certainly not a bad thing in and of itself. In fact, one would hope that as financial services and other industries make progress in establishing robust identity safeguards, consumers will have more confidence that their identities and accounts are secure. However, the identity protection industry necessarily needs to be able to cope with consumer attitudes around fraud that will ebb and flow as consumers grow inured to breach headlines and most users do not personally experience fraud in any given year. This requires implementing features that continue to have relevance for the user outside of directly addressing fraud. This year, a new threat emerged to the credit-oriented identity protection service providers in the form of free credit freezes. As of Sept. 21, consumers nationwide became able to freeze and unfreeze their credit report for free with each of the three main credit bureaus. Previously, fees were determined by each state and ranged from free to around $15.

Lessened Fraud Concern Leaps in Prominence as an Attrition Driver Figure 7: Reasons for Canceling Subscriptions, 2015-18




For consumers who do not plan to open new financial products or apply for other accounts that may require a credit inquiry (e.g., opening a new mobile phone account), credit freezes can obviate essentially all the credit-related safeguards offered by identity protection. Not only does a credit freeze ensure there will be no new credit activity for monitoring products to detect, it means the identity protection service will also be unable to access the information contained within the credit report — effectively shutting down those features.

Even though this can chip away at the value proposition offered by many identity protection service providers, it may work to the advantage of plans offered by the credit bureaus. These have responded to the mandate of free credit freezes by building into their identity protection products the ability to immediately lock a credit report, a subtly different feature from a credit freeze. Although credit report “on/off switches” predate free credit freezes, these new offerings give them a higher profile and highlight a differentiator of the credit bureaus’ products.

CONSUMER CREDIT SAFEGUARDS: FREEZES, LOCKS, AND ALERTS Fraud-conscious consumers have a few options when it comes to securing their records held with the major credit reporting agencies (CRAs), Equifax, Experian, and TransUnion. Each of these approaches has its own advantages and drawbacks: Credit freezes are the strongest safeguard consumers can place around their credit report. With a freeze in place, the CRA with the freeze is legally obligated to block essentially all requests by new creditors to view the credit report (law enforcement, government agencies, and existing creditors can still gain access). This effectively prevents new credit-oriented accounts from being opened in the consumer’s name. However, credit freezes still need to be placed individually with each of the bureaus and can be inconvenient to place and lift, since they typically require contacting the bureaus by phone or mail whenever there is a change to the freeze. Credit locks function similarly to credit freezes but offer somewhat lighter protections in exchange for greater convenience, since they are contractual arrangements between the consumer and the CRA rather than the legal framework provided by credit freezes. Crucially, this means the ability to lock and unlock a credit report applies only as long as the consumer has an open account with the credit lock products offered by each bureau. Equifax and TransUnion currently offer free lock products, but Experian charges $5 for the first month and $25 thereafter. Notably, while freezes can take up to a day to place, locking and unlocking the credit report is typically done instantly from within a smartphone app or online portal. This potentially makes locks preferable for users who anticipate they will need to be regularly locking and unlocking their credit report, such as renters who may have multiple credit inquiries while applying for a new apartment. Finally, the third major credit report safeguard available to consumers is fraud alerts. Unlike credit freezes and locks, alerts do not restrict new creditors’ ability to pull credit information on the user. Instead, an alert indicates that this individual is at heightened risk for identity fraud and that the creditor should take additional identity verification steps prior to approving a new account. Unfortunately, these additional identity verification steps are not prescribed by law and consequently offer only moderate protection against fraudulent new accounts. Previously, basic fraud alerts lasted for only 90 days, though fraud victims could place extended alerts that would last for up to seven years. Under the same legislation establishing free credit freezes, all consumers are now able to place year-long fraud alerts for free.2



MONITORING FOCUS — AGGRESSIVE FREE COMPETITION Identity protection services arguably face the most competition when trying to appeal to subscribers who care primarily about credit report or existing account monitoring. Credit monitoring services like Credit Sesame and Credit Karma are widely known among consumers, easy to sign up for, and — more important — free. Of these two services, Credit Sesame has made the most aggressive moves into the identity protection service space with a free identity protection module that offers $50,000 in identity fraud insurance coverage along with resolution assistance. If users are willing to upgrade to a paid plan, they have access to a broader set of traditional IDPS features, such as Social Security number monitoring, higher insurance coverage (up to $1 million), and 24/7 access to resolution assistance. Since this product both brands itself as an identity protection service and offers a feature set consistent with this market, the paid version of Credit Sesame’s product is evaluated within the scorecard. Even without directly offering an “identity protection” product that is labeled as such, Credit Karma provides some features that help it cross over into fraud protection territory. In addition to monitoring for new activity on users’ credit report, Credit Karma has partnered with TransUnion to enable users to dispute credit report records directly from their Credit Karma portal, rather than having to leave the site and file the dispute separately with the credit bureau. Crucially, this feature adds an air of self-sufficiency to the product that is lacking from many identity protection platforms. Rather than simply providing a window into the subscriber’s financial life, being able to address fraudulent or erroneous credit

records from within the Credit Karma user portal empowers users to initiate, and potentially complete, the fraud resolution process entirely within the platform’s digital portal, ideally eliminating time-consuming calls to customer service. However, Credit Karma’s credit record dispute feature does have some limitations. Users are not able to submit documentation, such as police reports or other proof that the account is fraudulent, from within the Credit Karma portal, so any complex fraud cases are likely to still require the user to directly interact with TransUnion. Also, this feature is not currently available for records on the subscriber’s Equifax credit report, the other credit bureau from which Credit Karma provides information. Additionally, Credit Karma provides free “identity monitoring” to see if the user’s email address and other unspecified pieces of personal information can be found in dark web marketplaces or public dumps of breached data. While it is nice to see this kind of feature paired with a free credit monitoring service, it lacks the depth of other dark web monitoring services provided through traditional identity protection services. Users do not have any visibility into the types of data monitored through the service and lack the ability to enroll additional identifiers, such as ID card numbers or other email addresses that are not associated with the Credit Karma account. While users who are looking for full-featured identity protection services will inevitably be disappointed if they attempt to use free credit monitoring services as IDPS surrogates, IDPS services are losing a crucial part of the battle with credit-oriented competitors. Only 13% of subscribers reported that their identity protection service was the most recent place they went to



check their credit score, behind their financial institutions (29% for primary bank/credit union, 15% for card issuer), credit bureaus (15%), and online credit monitoring services (16%). This indicates that not only do many identity protection service subscribers hold IDPS and credit monitoring accounts but also that the identity protection service is losing “top of wallet” status when it comes to where subscribers go first to manage their credit information. Similarly, existing account monitoring is an important feature since it enables identity protection services to extend their coverage to card fraud, which accounts for more than 80% of fraud victims (compared with 20% for new-account fraud) (Appendix, Figure 18). Without the ability to provide some degree of card fraud management, IDPS providers will frequently find themselves in the position of having customers detecting and

resolving fraud entirely outside their platform, which directly undermines the value they purport to provide. However, here as well, IDPS providers face strong competition from free services, not the least of which originates from the users’ own financial institution. IDPS providers cannot directly compete with financial institutions’ ability to screen, approve, and decline transactions and consequently must focus on detecting fraud that slipped through financial institutions’ nets. Conventionally, the unique advantage that IDPS providers bring in combating card fraud is the ability to aggregate information on accounts at multiple institutions, offering a single portal where subscribers can keep tabs on all their accounts, rather than having to regularly visit multiple banks’ websites or apps. With 60% of banked consumers holding accounts at two or more institutions and

5 in 6 IDPS Subscribers Check Their Credit Score at Another Organization Figure 8: Source of Most Recent Credit Score, IDPS Subscribers and Other Consumers




20% of banked consumers holding accounts at four or more institutions, this is not an insignificant advantage (Appendix, Figure 19), but it is being eroded as a differentiator as more organizations offer similar capabilities. As of Javelin’s 2018 Mobile Banking Scorecard, a quarter of the top 30 FIs in the U.S. offer the ability to aggregate information on accounts held at other institutions within their mobile app.3 Non-bank services such as Mint also offer the ability to aggregate account information within a single portal. Although they typically lack features specifically aimed at mitigating fraud, some of their capabilities can provide ancillary benefits in alerting the victim to card fraud schemes in progress, such as large transaction alerts.

DATA PROTECTION FOCUS A newer area of competition for identity protection services that Javelin has tracked closely over the past few years are data security products that are blurring the lines with the IDPS industry. The most high-profile case for the blurring of these markets, of course, was the Symantec acquisition of LifeLock, which was completed in early 2017. Since then, other data protection companies have made moves into the space, with McAfee offering its own identity protection service and Dashlane, one of the leading password managers, adding dark web features and a credit monitoring partnership with TransUnion to its premium product. In Javelin’s view, data protection features such as anti-malware services, password managers, and secure browsing tools have a crucial place in

Data Security Tools Grow in Value to IDPS Subscribers Figure 9: Most Important IDPS Features, by Age




identity protection services’ product offerings. Actual fraud prevention tools have always been one of the weakest aspects of an industry that was largely focused on detecting suspicious activity and guiding users through the resolution process. Conventionally, assistance with setting up credit freezes and security alerts was as far as identity protection providers went, and for most companies, that really meant directing customers to the credit bureaus. By screening for data-stealing malware, identifying phishing pages, and boosting the security of users’ logins, these kinds of features can directly counter many of the threats that lead to subscribers’ data being compromised — stopping the attack prior to the information’s winding up in the criminal marketplace. Consequently, data protection features can turn identity protection service providers into active players in mitigating fraud risk,

rather than sideline observers that detect fraud when it occurs. Data protection features have a growing appeal among subscribers, especially users 25-54. While they still rank below some major identity protection features such as credit report and existing account monitoring, data security tools do rank above black market PII monitoring. Unfortunately, many of the IDPS implementations of these features are still nascent and in need of further development. Among users who care most about data protection tools in their identity protection subscriptions, the second most frequent reason for attrition was that the product did not provide all the features they desired, accounting for 29% of canceled subscriptions, a much higher rate than for users who focus on core features (18%) or monitoring (15%) (Figure 6).



EZShield returned to the top of the pack in Javelin’s 2018 Identity Protection Service Provider Scorecard. As the only provider to emerge as a leader in all three categories, EZShield distinguished itself through its breadth of

capabilities, providing both robust core functionality around credit, black market, and existing account monitoring and emerging features, such as mobile data protection tools and digital fraud resolution capabilities.

SCORECARD RESULTS

2018 IDENTITY PROTECTION SERVICE PROVIDER AWARD

BEST IN CLASS

EZShield Platinum Protection



As has been a recurring theme in Javelin’s Identity Protection Service Provider Scorecard, prevention continues to be one of the most challenging tasks for IDPS providers but fortunately one that is moving in the right direction. The growing adoption of data protection tools and emergence of digital on/off switches for credit reports help to answer one of the key criticisms of the industry — that these services help victims address fraud when it occurs but offer few tools that can actually stop fraud before it happens.

EZShield, ID Watchdog, and Norton LifeLock distinguished themselves as leaders in prevention, offering a variety of features aimed at blocking threats to subscribers’ identities. Notably, all these providers integrate digital security features into either their desktop or mobile offerings, such as secure browsing tools and anti-malware partnerships.

PREVENTION

EZShield, ID Watchdog, and Norton LifeLock Lead in Prevention Figure 10: Prevention Category Rankings

EZShield Inc. Platinum Protection

ID Watchdog Platinum

Norton LifeLock Norton 360 with LifeLock Ultimate Plus

Affinion Group PrivacyGuard - Total Protection

Experian IdentityWorks

Finastra MyIdentityAssist

ID Experts MyIDCare

IdentityForce UltraSecure packages

LegalShield IDShield

TransUnion True Identity Premium

Credit Sesame Platinum Protection

Equifax Equifax Complete Family Plan

Intelius IdentityProtect

Intersections Identity Guard

Lookout Personal

ReliaShield ReliaShield Elite

True ID Pro Platinum Membership

FICO FICO Ultimate 3B

McAfee Identity Theft Protection

ScoreSense ScoreSense

PREVENTION

Lead

ers

Co

nten

der

s F

ollo

wer

s La

gg

ard

s

* Providers in each category are listed alphabetically Source: Javelin Strategy & Research, 2018



DATA SECURITY TOOLS One of the perennial problems facing the identity protection service industry is that, for an industry that purports to protect customers from identity fraud, there are a comparatively small number of features that actually serve to reduce subscribers’ risk of identity fraud. Conventionally, this has been limited to assisting subscribers in placing credit safeguards such as freezes and fraud alerts. Fortunately, the blurring of lines between the identity protection and consumer data security markets is making strides in addressing this criticism. There are four main types of capabilities that can help address several of the main methods that fraudsters use to compromise consumers’ data. Malware: While ransomware and cryptominers

are the strains du jour, keyloggers and Trojans continue to be a threat to consumers as fraudsters demand data for card-not-present fraud and account takeover, with counterfeit card fraud steeply declining in the wake of the EMV shift.

Addressed by: desktop and mobile anti-malware services and man-in-the-browser protection products.

Password reuse: One of the more pernicious

threats posed by password breaches is that they open up vulnerabilities at any organization where victims used the same login information. If consumers reused their login information for core accounts such as their email, that single compromised account can provide a window for fraudsters to intercept password reset emails and gain access to otherwise secure accounts.

Addressed by: password managers. With the ability to generate and autofill strong passwords, users are relieved of much of the burden of managing unique passwords across a plethora of online accounts.

Phishing: Lookalike sites harboring malware or

attempting to steal passwords, card data, or other PII have grown more sophisticated, with many leveraging SSL certificates to provide HTTPS and the padlock security icon next to their domain name to provide a patina of legitimacy.

Addressed by: secure browsers, anti-phishing apps, and browsing extensions. Automated tools are frequently much more effective than human eyes at detecting that a purportedly legitimate site is actually missing a character from its URL or harboring malicious code.

Data interception in transit: Through

compromised Wi-Fi or lookalike networks set up in public locations, fraudsters can intercept key pieces of consumer data such as passwords and card numbers that are transmitted though unencrypted connections.

Addressed by: VPN services. By automatically encrypting traffic and routing activity through the provider’s network, VPN services can provide a layer of protection against malicious networks and routers that attempt to snatch up sensitive information.

As valuable as these features are, there is one caveat that should be mentioned with regard to their value in identity protection services. Most of these features are aimed at protecting data on or in transit from consumers’ personal devices but do



little to nothing to protect data from being compromised at third parties (password managers being something of an exception). While it is hard to precisely quantify the proportion of data used in fraud that is taken from large-scale breaches of third parties and how much is captured from consumers’ devices. Fortunately, this gap is compensated for with tools such as black market monitoring, enabling customers to be alerted when their data is being sold on criminal markets and take steps to render that data meaningless.

AUTHENTICATION The authentication measures in place around each identity protection platform constitute a comparatively large portion of the criteria in the prevention portion of the scorecard. While these features tend to not to be the most exciting identity protection capabilities, in Javelin’s view, strong authentication is crucial on two levels.

First, while there are few ways for fraudsters to directly monetize a compromised account with an identity protection service — there is no way to make an outbound transfer or purchase resalable goods, for instance — these portals have nearly unrestricted access to sensitive customer data. With access to a customer’s credit report, address, and basic PII, fraudsters have a robust tool set to overcome KBA challenges at a victim’s financial institution, deceive the victim into divulging further personal information through social engineering schemes, or open new accounts in the victim’s name. Features such as document lockers, transaction monitoring, and social media screening can provide even more rich insight into a victim’s life. Putting all this in one place makes an identity protection service a treasure trove for fraudsters intending to perpetrate targeted attacks against a high-value victim.

Less Than a Third of Providers Offer Data Protection Tools Figure 11: Data Protection Capabilities at Evaluated Providers




Second, IDPS providers should be cognizant that subscribers already believe themselves to be at an elevated risk for fraud, which is why they subscribed in the first place. Building confidence with these users requires demonstrating that the platform can be trusted with their most sensitive financial information. Enabling users to opt into strong authentication is an effective way to build trust among concerned users. Unfortunately, only a quarter of evaluated IDPS plans in this year’s scorecard offer any authentication method besides usernames and passwords that customers can use to log in on a regular basis.

In addition to strong login authentication, providers should ensure that other high-risk touch points are secured as well. In particular, password reset security is one area where the industry could use some work. More than half of evaluated IDPS plans rely on PII (Social Security number, date of birth, etc.) or knowledge-based authentication to verify customers’ identity during the password reset process. Not only do these authentication methods provide only a nominal level of assurance given the past five years of data breaches, they condition users to be willing to provide their sensitive data for day-to-day activities, increasing the risk associated with phishing and other social engineering schemes.

PII-Based Authentication Continues to Be Central to Password Resets Figure 12: Password Reset Authentication at Evaluated Providers




The detection category covers capabilities that help victims identify active or emerging threats to their identities such as credit, existing account, and black market monitoring. With the continually broadening array of data sources monitored by identity protection services, this category had the largest number of criteria, though it still received less weight in the overall score than prevention.

EZShield, ID Watchdog, and LegalShield distinguished themselves as leaders in detection, narrowly leading a competitive field. Each of these providers offers a robust set of alerts for core monitoring services while also integrating newer features such as existing account and social media monitoring.

DETECTION

EZShield, ID Watchdog, and LegalShield Lead in Detection Figure 13: Detection Category Rankings





ID Experts MyIDCare










Lookout Personal





ScoreSense ScoreSense Lag

gar

ds

Fo

llow

ers

Co

nten

der

s Le

ader

s

DETECTION




CHILD IDENTITY MONITORING For the first time in this year’s Identity Protection Service Scorecard, Javelin included features aimed at protecting the identities of minors. Since parents know that legitimate credit accounts could not be opened in their child’s name, it is tempting to assume that fraudulent ones are not a major risk, but the blank slate provided by a child’s identity can provide a major opportunity to fraudsters who use it as the foundation for synthetic identity fraud. This makes monitoring for the establishment of a new credit report in the child’s name or attached to the child’s Social Security number an especially valuable tool in early detection of child identity fraud. Unfortunately, this is the least prevalent child

identity protection feature, provided by just 40% of evaluated providers. The most widely available child identity theft protection feature is the ability to monitor for the sale of the minor’s personal information on black markets, currently offered by 65% of evaluated providers. This, along with public records monitoring, the second most prevalent feature, at 60% of providers, functions in a very similar manner to the same and can provide similar security benefits without requiring significant new technology investments or partnerships beyond what a provider is already offering for its adult subscribers.

Child Protection Capabilities Mirror Features for Adults Figure 14: Child Identity Protection Capabilities at Evaluated Providers




EXISTING ACCOUNT MONITORING The ability to detect fraud on existing accounts continues to be a distinguishing feature for leading identity protection services. While just more than half (60%) of evaluated identity protection service providers offer some manner of existing account monitoring, a significantly smaller number of providers offer more specific alerts for suspicious activity such as large transactions (35%) and foreign transactions (20%).

Specific alert customizability in particular is important because this enables the identity protection provider to act as a supplement to card protection features at the subscriber’s financial institution. The basic transaction risk assessments provided with the card are likely to render existing account monitoring without customizability largely redundant. Conversely, providing the subscriber with a more robustly configurable set of alerts can enable the identity protection service to function well in tandem with pre-existing card controls.

Existing Account Monitoring Still Lacks Granular Alerts Figure 15: Alert Types Offered at Evaluated Providers




Resolution services cover the features available to assist victims in quickly and easily containing fraud that has already occurred, minimizing the financial and emotional burden on victims and restoring the state of their identity. This was one of the earliest competencies of the identity protection industry and continues to be relevant but is also one of the most difficult areas to turn into a competitive advantage, since many of the capabilities operate behind the scenes for most users.

EZShield, IdentityForce, and Norton LifeLock distinguished themselves as leaders in resolution, with all three providers not only providing accessible resolution services but also moving ahead of the pack by digitizing parts of the resolution process. All three providers enable victims to report fraud from within their mobile apps and online portals.

RESOLUTION

EZShield, IdentityForce, and Norton LifeLock Lead in Resolution Figure 16: Resolution Category Rankings








ID Experts MyIDCare



Lookout Personal









ScoreSense ScoreSense


Lead

ers

Co

nten

der

s F

ollo

wer

s La

gg

ard

s

RESOLUTION



DIGITAL RESOLUTION TRACKING Identity protection services particularly shine when assisting victims with addressing high-complexity fraud schemes in which the path to restoring victims’ identity is not obvious. These incidents are also likely to require multiple calls to the IDPS providers’ resolution specialists for advice regarding the best next steps.

Integrating a digital resolution tracker into the IDPS platform’s online and mobile portals can help remind victims of the steps already taken and recommend the best steps to take next, potentially including links to key forms or contact information for organizations to reach out to. Unfortunately, only 20% of evaluated providers offer this capability through their web platform, and only 15% offer it through their mobile app.

1 in 5 Providers Offer Digital Resolution Trackers Figure 17: Digital Resolution Tracker Availability at Evaluated Providers




APPENDIX Card Fraud Maintains Dominance as Other Fraud Types Continue to Climb

Figure 18. Percentage of Fraud Victims Affected by Each Fraud Type

6 in 10 Consumers Hold Accounts at Multiple Financial Institutions Figure 19. Number of Financial Relationships Among Banked Consumers





In 2013, Javelin departed from its traditional scorecard data collection methodology by allowing executives to answer questions about their product in a survey format. The rationale behind this change was to solicit input from providers beyond the binary criteria that constitute the Identity Protection Services Scorecard to understand not only what services they provide but also how they are provided. For all scorecard surveys submitted by executives, Javelin conducted spot checks using traditional scorecard methodology. This methodology was continued in 2018. To calculate the overall score, Javelin assessed each provider’s performance across all three categories with the following weightings: prevention is worth 40% of the overall score, detection is worth 35%, and resolution is worth 25%. Some providers declined to participate in the executive survey. In these cases, Javelin employed traditional data collection methodology to complete the scorecard, using accounts held at each of the providers. These accounts were also used by Javelin employees to answer questions about the products, conduct quality checks, and collect screenshots. Consumer data in this report is based primarily on information collected in a panel of 2000 consumers in an online survey conducted in August 2018. The margin of sampling error is +/- 2.19 percentage points at the 95% level for questions answered by all 2000 respondents. Margin of error is higher for questions answered by smaller segments. Identity Protection Service Providers evaluated:

METHODOLOGY

Affinion Group Credit Sesame* Equifax Experian EZShield Inc.

FICO* Finastra ID Experts ID Watchdog IdentityForce

Intelius* Intersections* LegalShield Lookout* McAfee*

Norton LifeLock ReliaShield ScoreSense* TransUnion True ID Pro

* Identity Protection Service Providers who chose not to participate in the executive survey

1. 2018 Identity Protection Service Market Report: Building Engagement to Deepen Customer Relationships, Javelin Strategy & Research, April 2018

2. https://www.consumer.ftc.gov/blog/2017/12/fraud-alert-freeze-or-lock-after-equifax-faqs, accessed Nov. 11, 2018.

3. 2018 Mobile Banking Scorecard: Tactical Tweaks Take Priority Over Strategic Enhancements, Javelin Strategy & Research, October 2018.

ENDNOTES

18-2052j-fm-2018 identity protection service provider ... · 2018 identity protection service...

Documents