Volunteering for Fraud

Our Chapter has a member who has just completed work on an interesting identity theft case. It seems the victim provided various items of highly specific, identifiable personal information to a local specialty retailer in exchange for a verbal agreement to provide a discount card and store credit. Whether the information was subsequently hacked or just carelessly shared, sold or handled by the retailer is still unclear, but what is certain is that this identical information was used by fraudsters, together with other metadata, to build two different, highly credible loan applications, one of which was approved by a financial institution.

Our member’s case is an example of the all too real risk posed by voluntarily shared information. In our desire to use services of various kinds – for efficiency, productivity, profit or just for fun – we all seem to find ourselves agreeing to terms and conditions that we may not even see or read or, if we read them, not fully comprehend. A moment’s reflection would lead any knowledgeable auditor to the conclusion that this amounts to contractual sharing of data, even though the “contract” might not refer to any direct exchange of consideration between the company and the patron, but rather only to the use of the offeror’s infrastructure. This practice results in trillions of elements of data that the owner of the infrastructure controls, aggregates and uses for its own economic gain. While simple transactional data associated with the payment process have a definite life cycle, voluntarily supplied personal data become perpetual. The intentions behind the former are usually tacitly articulated and apply within the realm of the specific payment arrangements between the agreeing parties. In contrast, voluntarily supplied personal data are generally timeless, can be “sliced and diced” using data mining, and can be further masked and shared for the economic gain of the infrastructure owner and of its business partners and, possibly, its customers.

We can think of data volunteerism as the act of volunteering personal information on the part of a user when, in fact, that user might not necessarily want or mean to do so. It’s not so much consent to share personal data, but rather lack of dissent in sharing data. Passivity or inertia on the part of the personal data sharer plays an important role in one’s attraction to data volunteerism. Immediate perceived benefits of seeking the offered services and, thus, benefiting from them, outweigh anything that the user vaguely understands as the costs of doing so under the service provider’s terms and conditions agreed to by the user.

Before clicking the “I agree” button on an agreement of use, how often have we all paused and analyzed the contents of the agreement? Such agreements are generally long and filled with legalese, and we feel like we’re wasting time in getting to the services provided by the company or app that just popped the agreement up on our screen. According to the ACFE, under the prospect theory of decision-making behavior, losses are weighted more heavily than gains. And now here we are, delaying the immediate gratification of using some cool phone service. And so we all fall into the vulnerability of not allowing an apparently harmless verbal or written agreement to stand in the way of doing something we want to do right now. As in the case of our member’s client, people willingly share personal information when they are nudged by a sales clerk or by a new app on their phone to do so. The perceived immediate benefits seem to outweigh any remotely noticed costs of volunteering the information.

All of this has broad implications for fraud examination and for law enforcement. Every non-cash payment transaction involves the exchange of personal identifying information on some level. Bank checks, written contracts, account passwords, phone numbers and a host of other identifying information are both the lifeblood of the financial system and the continuous targets of every type of thief. Nothing financial happens until personal data are exchanged, and the more aggregated elements of data fraudsters have about anyone at their command, the easier their job becomes.

As fraud examiners we should strive to make our clients aware of the general ground rules for the sharing of personal data promulgated by the ACFE and others:

  1. The giver must have knowingly consented to the collection, use or disclosure of personal information.
  2. Consent must be obtained in a meaningful way, generally requiring that organizations communicate the purposes for collection, so that the giver will reasonably know and understand how the information will be collected, used or disclosed.
  3. Organizations must create a higher threshold for consent by contemplating different forms of consent depending on the nature of information and its sensitivity.
  4. In a giver-receiver relationship, consent is dynamic and ongoing. It is implied all the time that the giver grants the privilege of use to the information receiver and that the privilege is only good as long as the giver’s consent is not withdrawn.
  5. The receiver has a duty to adequately safeguard the personal data entrusted to it.

A legal definition of consent is hard to find. The common law context suggests that consent is a “freely given agreement.” An agreement, contractual or by choice, implies a particular aim or object. While it is clear that the force of laws and regulations is necessary, in the end, what equally matters is the behavior of the user. Concepts and paradigms such as bounded rationality and prospect theory point to the vulnerability of human users in exercising consent. If that is where the failure occurs, privacy issues will only propagate, not get better. Finally, remember that privacy solutions embedded in the technology to empower users to protect their privacy are only as good as the motivation, knowledge and determination of the user.

As fraud examiners and assurance professionals we have to face the fact that not all our users and clients are equally technology savvy; not all users consider it worth their time to navigate through privacy monitors in a retail store or in an online app to feel safe. And generally, all users, indeed all of us, are creatures of bounded rationality.

Costs of cybercrime in 2015 were an estimated US $1.52 billion in the US alone and US $221 billion globally. These criminals find a bonanza if they can successfully perpetrate a data breach in which they break into a system and/or database to steal personally identifiable information (e.g., addresses, Social Security numbers, financial account numbers) or, better yet, data on credit/debit cards.

Data volunteerism nudges people to share more and more personal information. This results in a huge pool of data across companies and institutions. If hard surveillance, such as the use of a camera watching over a parking lot, is concretely vivid, soft surveillance remains buried in the technology, allowing it to work freely on available data and metadata. As this use of data by app providers and others becomes wider and stronger and related frauds proliferate, the public could lose trust in these providers, and the loss of trust would translate into loss of sales for the provider. The best way for CFEs to address these issues for all stakeholders is through client education on the ACFE’s ground rules for self-protection in the sharing of personal information.