Wow! On January 3 of this year, ID Insight celebrated its 15-year anniversary. Fifteen years ago, identity theft was not quite front-page news, the U.S. had not yet invaded Iraq and President Bush was just completing his second year in office.
I was in my mid-thirties and embarking on a journey that I could never have imagined. Through the first 13 years of my career, I followed the corporate route, progressing from a computer programmer to a data scientist (before we called it that) to running an information-based analytics business. While I enjoyed that period of my career, by 2002 I was ready for a change. I had always wanted to start my own business and the need to scratch that entrepreneurial itch was growing. I didn’t realize how badly I wanted to scratch that itch.
People told me I was crazy; in hindsight, I think they were right.
Over the next few weeks and months, an idea took shape: creating a fraud detection engine that could stop identity theft in its tracks. On January 3, 2003, ID Insight incorporated with a few bucks in the bank and an optimism that we were on to the right thing.
During the next two years, it was the proverbial “two guys in a garage,” building ID Insight by day and consulting by night, all the while trying to convince somebody, anybody to buy the solution we were selling. We had a blueprint for how to build the engine, but the engine was just that – a blueprint.
Those early days were both exciting and maddening – extreme optimism countered with a realization that I still had to pay the bills. I had never felt that vulnerable and exposed – yet never so excited and happy with my work life.
Whether it was divine intervention or just persistence, we finally got a prospective customer to say “yes” in late 2005. They bought our blueprint! While this was terribly exciting, they said it needed to be up and running in six weeks. We had no idea how to do that, nor did we have the money to do it. Thankfully, with help from our technology partners and sacrifices from all of us, we pulled it together and somehow brought our first satisfied customer aboard.
This created a new problem. Now that we had our first large customer, we needed capital to build a data center. Never having raised capital before, I remember asking people “how do you raise money?” The response I got was “just start calling everyone you know.” Over the next few weeks and months, we raised enough capital to fund the data center expense as well as hire our first employees.
Things progressed, albeit slowly, until 2007 when the FACTA Red Flag mandate was finally published. The new FACTA regulations required financial institutions to screen address changes and new account address discrepancies for the likelihood of identity theft. That was it! This is what we had invented; this was our patent. Our special sauce. With this news that our solution would be mandated by November 1, 2008, the window was now wide open.
We needed to get the word on the street. ID Insight was the company that invented the technology to optimize the screening of address changes and address discrepancies. To do this, we would have to raise capital again. We went back to the well and raised a second round of capital. Per our plan, we quickly built the team to run for the finish line. The only problem was (hindsight 20/20) we only had 12 months to do it. So we began to sprint.
Over those next 12 months, we went from a handful of clients to over 300. While we were happy to add all of these clients, they were mostly smaller institutions that did not generate a lot of volume. I vividly remember November 1, 2008 – two things happened almost simultaneously around that date. First – all financial institutions had carved out their FACTA plans and on that day – our sales “flat-lined” as all financial institutions had made their plans. Second – there was this pesky thing called the “economic collapse.” I remember calling on prospective customers only to be told “Adam – we will be lucky to have the doors open at the bank over the next few months.”
By 2010, this “never say die” attitude and culture resulted in establishing our base. We had become a battle-tested group of fighters that believed they could withstand any storm and anything thrown their way. We had pulled every rabbit out of every hat. We had created new ideas that brought in revenue. And now, financial institutions were coming out of the economic collapse of 2007-2008. They were spending money again and realizing that our solutions were needed to stamp out identity theft.
Over the next seven years, we began to grow and expand our solutions and customer base. Suddenly, we were finding success in other markets such as e-commerce, health care and mortgages. Today, we are serving more than 2,500 customers and are recognized as a leader in identity theft detection solutions – especially in the retail banking industry. We serve customers ranging from the top five banks in the country to one-branch credit unions in some of the smallest towns in America.
What I am most proud of is our employees, our shareholders and our board members. While we faced our share of adversity over the years, no one ever lost hope or stopped believing. We never gave up. We all hung in there and kept on fighting. We are still innovating and still fighting!
I do believe in the adage that “what doesn’t kill you makes you stronger.” That persistence and the culture that has emerged continues to impress me. It makes me realize how fortunate we all are to have been a part of this great experiment.
As Ralph Waldo Emerson once famously said, “it’s not about the destination – it’s about the journey.” And what a journey it’s been – here’s to the next 15 years!
The energy of innovation crackled throughout the WeWork co-working space at Capella Tower last night as ID Insight joined 49 other Twin Cities companies being recognized for high growth in AmericanInno’s inaugural 50 on Fire awards.
50 on Fire recognizes companies, organizations and people having a banner year across a variety of categories, including technology, agriculture, civic engagement and more. ID Insight’s year included business growth, new product development, staff expansion and multiple awards and honors, including a Eureka! Award for Innovation from the Minneapolis/St. Paul Business Journal.
The Twin Cities is home to hundreds of hard-working startups and technology companies. Being recognized as one of the most innovative is a testament to ID Insight’s never-ending pursuit of new technology solutions to help banks prevent fraud. We’re proud of the recognition, but even more proud of our customers who challenge us every day to solve their most pressing problems.
Here’s to another year of incendiary innovation!
During the turn of the century, account takeover became front-page news and a particular scheme ultimately led to the development of the Fair and Accurate Transactions Act (FACTA) Red Flags Guidelines in 2008. The scheme, which created the fallout, was simple and relatively slow; fraudsters were committing takeover by changing a legitimate accountholder’s mailing address to an address they controlled and then following up soon afterwards with a new credit or debit card request. This was a slow-moving (but effective) scheme that forced banks to put fraud controls in place to try to ensure that cards were being shipped to the legitimate customers.
Because the scheme took time to unfold and the issuer had to produce the physical card, the procedures put in place to prevent fraud losses had to be actionable before the card was in the hands of the fraudster — typically 3-5 days. Manual procedures and batch processing fit the bill and satisfied the regulators because the “speed” was not an issue.
New Schemes are Faster
With the advent and proliferation of online banking, account takeover schemes have emerged where the victim’s accounts are drained in a quicker, tighter timeframe than ever before. After the fraudster compromises the victim’s online banking credentials, they can move funds in near real-time. Unlike changing the address and requesting a new card, once the fraudster begins an online banking session, they can transfer tens of thousands of dollars immediately from the victim’s account to an account the criminal controls.
The scenario above seems very straightforward: the fraudster gets the online credentials, logs in and moves the money. Thankfully, the process is not quite that simple. As an example, let’s say the fraudster logged in and attempted to transfer $40,000 to an account at a different financial institution. The bank would typically flag this as a “high risk” transaction, and reach out to the customer to make sure they really wanted to move that much money. Of course, the fraudster understands that the bank will try to reach out to their customer. To fulfill their fraudulent money movement, they will first change the phone number on the account and then move the funds. That way, when the transaction request trips a flag, the bank ends up contacting the fraudster (not the victim) to confirm the transfer of funds. In a similar way, the fraudster will change the email address on file and then request the funds, ensuring that all email notifications go to the fraudster and not the victim.
Scrutinize Non-Monetary Transactions
Much like address changes, the reason fraudsters change phone numbers and email addresses on the customer file is to intercept any and all communications by the bank to their legitimate customer. By taking over the communication channel, they can effectively carry out the account takeover. To combat account takeover fraud, financial institutions need to screen various non-monetary transactions, specifically those that involve changing customer communications credentials such as mailing address, phone number and email address. By scrutinizing these changes as they happen, banks can thwart potential account takeover attempts. As a simple thought exercise, consider the following questions:
- Why is my customer moving 1,500 miles away to a mail-forwarding facility in a high-crime area?
- Why is my customer changing their phone to a prepaid line whose area code is 100 miles away?
- Why is my customer changing their email address to an email address whose server domain is located in Belarus?
These simple questions have an obvious answer: if you knew these were actual cases associated with a large funds withdrawal, you’d want to make sure the customer and the request were legit.
While extraction of the funds can happen over a matter of days, or as soon as real-time, financial institutions need to manage to the lowest common denominator of real-time. Years ago, when the predominant account takeover scheme was an address change followed up with a card request, the bank had days before the funds left the institution. Given the new and varied paths to commit account takeover – and the increased complexity – it is paramount that you now look to screen these non-monetary events in real-time.
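The screening described above can be sketched as a per-event check that links a high-risk request to any contact-channel change made shortly before it. This is an added example, not ID Insight's logic: the event fields, the 5-day lookback, the $10,000 threshold and the choice to confirm through the previously on-file contact values are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CONTACT_CHANGES = {"ADDRESS_CHANGE", "PHONE_CHANGE", "EMAIL_CHANGE"}
LOOKBACK = timedelta(days=5)   # assumed: how long a contact change stays "recent"
HIGH_RISK_AMOUNT = 10_000      # assumed threshold for a high-risk transfer

# Screens each event as it arrives; there is no batch step.
class ContactChangeScreener:
    def __init__(self):
        self.recent = defaultdict(list)  # customer -> [(ts, type, old value)]

    def screen(self, event):
        ts = datetime.fromisoformat(event["ts"])
        cust, kind = event["customer"], event["type"]
        # Forget contact changes older than the lookback window.
        self.recent[cust] = [c for c in self.recent[cust] if ts - c[0] <= LOOKBACK]
        if kind in CONTACT_CHANGES:
            # Keep the value that was on file before the change.
            self.recent[cust].append((ts, kind, event["old"]))
            return {"action": "RECORD"}
        high_value = kind == "TRANSFER" and event["amount"] >= HIGH_RISK_AMOUNT
        changes = self.recent[cust]
        if changes and (high_value or kind == "CARD_REQUEST"):
            # The channel changed just before the request, so confirm with the
            # customer through the values on file before the change (assumption).
            return {"action": "HOLD",
                    "preceded_by": [c[1] for c in changes],
                    "confirm_via": [c[2] for c in changes]}
        if high_value:
            return {"action": "VERIFY"}  # normal call-back to the contact on file
        return {"action": "ALLOW"}

# Constructed sample events, in arrival order.
EVENTS = [
    {"ts": "2024-02-01T08:00:00", "customer": "C3", "type": "ADDRESS_CHANGE", "old": "12 Oak St"},
    {"ts": "2024-03-01T09:00:00", "customer": "C1", "type": "PHONE_CHANGE", "old": "555-0100"},
    {"ts": "2024-03-01T09:02:00", "customer": "C1", "type": "EMAIL_CHANGE", "old": "pat@example.com"},
    {"ts": "2024-03-01T09:10:00", "customer": "C1", "type": "TRANSFER", "amount": 40_000},
    {"ts": "2024-03-01T10:00:00", "customer": "C2", "type": "TRANSFER", "amount": 40_000},
    {"ts": "2024-03-01T11:00:00", "customer": "C3", "type": "CARD_REQUEST"},
]

def run(events):
    screener = ContactChangeScreener()
    return [screener.screen(e) for e in events]
```

Calling `run(EVENTS)` holds the C1 transfer that follows the phone and email changes, sends the C2 transfer to the ordinary call-back, and allows the C3 card request because its address change is outside the window.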
When you go back in time to the original FACTA language, banks were instructed to take action on certain high-risk events. Specifically, banks needed to screen address changes for the likelihood of identity theft, which all banks are now doing in some fashion. However, there is also a provision that states that if banks understand there are other observed events indicative of identity theft, then the bank must document and specify how they are addressing these events in their plan. We have spoken with many bankers who recognize that phone changes are a significant leading indicator of account takeover; however, it is rare to find financial institutions that have made this a part of their FACTA plan.
Screening changes to customer contact information is a critical element in a comprehensive enterprise account takeover prevention program – especially these days when it can happen in real-time. Essentially, the speed of fraud prevention and detection must match or exceed the accelerated speed of fraud today.