[BreachExchange] How Fraud Victims 'Punish' Their Banks

Audrey McNeil audrey at riskbasedsecurity.com
Mon Feb 20 19:39:10 EST 2017


http://www.databreachtoday.com/how-fraud-victims-punish-their-banks-a-9734

Would you leave a bank after an unauthorized charge on a credit card or a
strange debit from an account? It's a question for financial institutions
evaluating the impact of a security breach.

A new study by Carnegie Mellon University researchers suggests that some
customers will, in fact, leave even if they receive quick refunds of losses
due to fraud. The study is one of only a few correlating the impact of a
fraud incident on customer loyalty.

The stock price of a financial institution often takes a hit after a data
breach. But it wasn't known to what extent customers may take action after
an information security lapse, write Rahul Telang, a professor of
information systems and management, and Sriram Somachi, a Ph.D. candidate
in information systems and public policy.

They found that a user is three percentage points more likely to move their
money elsewhere within six months of a fraud incident.

"Our research highlights that users, when being aware of the fraud, do take
expected actions," they write. "That is, they are willing to punish the
firm leading to possibly larger security investments by the firm."

Part of the importance of the study is that it points to the effectiveness
of mandatory data breach disclosure laws, which are on the books in 47
U.S. states.

Of course, changing banks doesn't necessarily make someone's money more
secure. Financial institutions closely guard information related to their
security defenses. It can be difficult even for experts to gauge from the
outside how well an institution is defended, and lapses in policies or
procedures from the inside are opaque.

Rich Data

The researchers drew on a rich data set that came from a U.S. bank. The
bank was not named but has a large presence in Allegheny County,
Pennsylvania, according to their research paper.

The data came from 500,000 customer records between 2008 and 2013. It
included details on all customer accounts, debit and credit card
transactions and calls to customer care numbers. The data was anonymized
and represented a "full geographic stratified sample" of the U.S., they
write.

Their research focused on those customers who called the bank to report
fraud on their accounts. In all cases, the bank refunded any money lost to
the customers within 10 days. Most of the incidents involved financial
information that had been stolen and re-used.

Trigger Point: $500

Attribution for a loss would appear to play a role. The study also looked
at customer churn rates after losses that could not be attributed to
another party but later could be traced, such as to a merchant problem or
to a legitimate transaction that was at first mistaken for fraud.

There were no significant quit rates among customers who had contested a
charge but had either been made whole by a merchant or later realized that
a transaction was indeed valid. "In the case of unauthorized transactions,
since the matter remains unresolved, it is likely that users may hold a
bank indirectly responsible and it may adversely affect their
relationship," they write.

The lingering doubt may leave customers with the impression that fraud
could happen again, they write. Unsurprisingly, the larger the loss, the
greater the churn rate. The average loss was about $125, but customers who
lost more than $500 were more likely to leave.

For banks, customer churn due to fraud and breaches is another cost to
calculate in a rapidly changing computer security landscape, they write.
The findings would point to mandatory data breach disclosure regulations as
having some effect.

"Our research seems to confirm the efficacy of some of the regulations
whose goal is to highlight firms' security and data protection practices,"
they say.