2018 IDENTITY PROTECTION SERVICE PROVIDER SCORECARD - DECEMBER 2018 Licensed by: EZShield
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
2018 IDENTITY PROTECTION SERVICE PROVIDER SCORECARD DECEMBER 2018 Licensed by:
2018 IDENTITY PROTECTION SERVICE PROVIDER SCORECARD
TABLE OF CONTENTS
Executive Summary ............................................................................................................................................................................. 4
Key Findings ............................................................................................................................................................................ 4
Recommendations ................................................................................................................................................................................6
Addressing Today’s Fraud Threats ................................................................................................................................................. 7
Four Types of IDPS Subscribers .................................................................................................................................................... 10
Key threats to the Identity Protection Market.......................................................................................................................... 12
Core Focus — Apathy and Lack of ROI ....................................................................................................................... 12
Consumer Credit Safeguards: Freezes, Locks, and Alerts.................................................................................... 14
Monitoring Focus — Aggressive Free Competition ................................................................................................ 15
Data Protection Focus ....................................................................................................................................................... 17
Scorecard Results ................................................................................................................................................................................ 19
Prevention ............................................................................................................................................................................................. 20
Data Security Tools ............................................................................................................................................................. 21
Authentication ...................................................................................................................................................................... 22
Detection ............................................................................................................................................................................................... 24
Child Identity Monitoring.................................................................................................................................................. 25
Existing Account Monitoring .......................................................................................................................................... 26
Resolution .............................................................................................................................................................................................. 27
Digital Resolution Tracking ............................................................................................................................................. 28
Appendix................................................................................................................................................................................................ 29
Methodology ........................................................................................................................................................................................ 30
Endnotes ................................................................................................................................................................................................ 30
TABLE OF FIGURES
Figure 1: Mean Fraud Amount and Resolution Hours, 2008-17 ............................................................................................ 7
Figure 2: Perceived Impact of Fraud, 2008-17 ........................................................................................................................... 8
Figure 3: IDPS Net Promoter Categories, 2015-18 ................................................................................................................... 8
Figure 4: Reasons for Canceling Subscriptions, 2015-2018 ................................................................................................... 9
Figure 5: IDPS Subscriber Segments ........................................................................................................................................... 10
Figure 6. Reasons for Cancellation, by Subscriber Focus.................................................................................................... 12
Figure 7: Reasons for Canceling Subscriptions, 2015-18 ...................................................................................................... 13
Figure 8: Source of Most Recent Credit Score, IDPS Subscribers and Other Consumers....................................... 16
Figure 9: Most Important IDPS Features, by Age ................................................................................................................... 17
Figure 10: Prevention Category Rankings ................................................................................................................................. 20
Figure 11: Data Protection Capabilities at Evaluated Providers ........................................................................................ 22
Figure 12: Password Reset Authentication at Evaluated Providers ................................................................................ 23
Figure 13: Detection Category Rankings ................................................................................................................................... 24
Figure 14: Child Identity Protection Capabilities at Evaluated Providers ..................................................................... 25
Figure 15: Alert Types Offered at Evaluated Providers........................................................................................................ 26
Figure 16: Resolution Category Rankings ................................................................................................................................. 27
Figure 17: Digital Resolution Tracker Availability at Evaluated Providers .................................................................... 28
Figure 18. Percentage of Fraud Victims Affected by Each Fraud Type ........................................................................ 29
Figure 19. Number of Financial Relationships Among Banked Consumers ................................................................. 29
© 2018 GA Javelin LLC, a Greenwich Associates LLC company. All rights reserved. This report is licensed for use by Javelin EZShield only. No portion of
these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of
GA Javelin LLC. Licensors may display or print the content for their internal use only, and may not sell, publish, distribute, re-transmit or otherwise
provide access to the content of this report without permission. 2
2018 IDENTITY PROTECTION SERVICE PROVIDER SCORECARD
ABOUT JAVELIN: Javelin Strategy & Research, a Greenwich Associates LLC company, provides
strategic insights into customer transactions, increasing sustainable profits for
financial institutions, government, payments companies, merchants and technology
providers.
AUDIENCE: Identity protection service providers, digital security solution providers, financial
institutions, credit card issuers, credit bureaus, investment firms, and government
regulatory agencies
AUTHORS: Kyle Marchini – Senior Analyst, Fraud Management
Al Pascual – SVP, Research, Head of Fraud & Security
CONTRIBUTORS: Ian Benton – Senior Analyst, Digital Banking & Payments
Crystal Mendoza – Production Manager
Sean Sposito – Analyst, Cybersecurity
EDITOR: Mark Stevenson
PUBLICATION DATE: December 2018
OVERVIEW
In the wake of some of the most destructive data breaches and dramatic changes to the US payments
landscape with the adoption of EMV, the intensity and diversity of fraud schemes continue to increase.
These growing threats reinforce the relevance of identity protection services in facilitating victims’ ability to
prevent, detect, and resolve fraud. But other headwinds are emerging. The breadth of features offered by
leading identity protection providers means they are exposed to competitive pressure on many fronts.
Consumers have plenty of options when it comes to free credit monitoring. Newer feature sets such as data
protection tools bring identity service providers into competition against data security companies who have
established reputations in the space.
In Javelin’s eleventh Identity Protection Service Provider Scorecard, we evaluate twenty leading products
for the features they offer to help victims Prevent, Detect, and Resolve fraud against the backdrop of the
threats facing consumers.
PRIMARY QUESTIONS
How do current fraud and financial service trends impact consumers demands on and expectations for
the IDPS industry?
How should providers adjust product offerings to best meet the challenges posed by the changing
nature of fraud and the competitive landscape?
What identity protection service providers offer the widest array of capabilities suited to addressing
current and emerging fraud threats?
© 2018 GA Javelin LLC, a Greenwich Associates LLC company. All rights reserved. This report is licensed for use by Javelin EZShield only. No portion of
these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of
GA Javelin LLC. Licensors may display or print the content for their internal use only, and may not sell, publish, distribute, re-transmit or otherwise
provide access to the content of this report without permission. 3
2018 IDENTITY PROTECTION SERVICE PROVIDER SCORECARD
EXECUTIVE SUMMARY
EZShield takes Best in Class in the 2018 Identity recommend their subscription, there is still a long
Protection Service Provider Scorecard. As the only way to go, but the industry is moving quickly in the
provider to emerge as a leader in all three right direction.
categories, EZShield distinguished itself through its
breadth of capabilities, providing both robust core Regulatory backlash is behind the industry for
functionality around credit, black market, and now. After repeatedly being pummeled by
existing account monitoring and emerging features, regulatory agencies for deceptive and abusive sales
such as mobile data protection tools and digital practices, the IDPS industry has had three years
fraud resolution capabilities. clear from fines, and it’s showing. Poor industry
reputation as a driver for attrition has steadily
EZShield, ID Watchdog, IdentityForce, and Norton declined since 2015 and this year became the least
LifeLock distinguished themselves as leaders in prevalent reason for subscribers to cancel their
prevention. These products all offer a wide array of services.
features aimed at blocking threats to subscribers’
identities. Notably, all these providers integrate Intensifying fraud attacks reinforce the value of
digital security features into either their desktop or identity protection services. With fraudsters
mobile offerings, such as secure browsing tools and diversifying the types of organizations they target,
anti-malware partnerships. the amount of time victims have to spend resolving
fraud has risen notably since hitting a low in 2015.
EZShield, ID Watchdog, and LegalShield As fraud moves to other industries, many of the
distinguished themselves as leaders in detection, targeted companies have not had nearly as much
narrowly leading a competitive field. Each of these experience in resolving fraud as financial
providers offers a robust set of alerts for core institutions. On top of that, the proportion of fraud
monitoring services while also integrating newer victims who say the incident had a severe impact
features such as existing account and social media on their life jumped from 8% in 2017 to 24% in 2018,
monitoring. undoing a decade of declines. This establishes
additional value for resolution services that help
EZShield, IdentityForce, and Norton LifeLock guide victims through restoration processes that
distinguished themselves as leaders in resolution. may not be well-defined.
Not only do these providers offer accessible
resolution services, they moved ahead of the pack But other headwinds are emerging. The breadth of
by digitizing parts of the resolution process. All features offered by leading identity protection
three providers enable victims to report fraud from providers means they are exposed to competitive
within their mobile apps and online portals. pressure on many fronts. Consumers have plenty of
options when it comes to free credit monitoring.
Subscriber satisfaction is on the rise. After several Newer feature sets such as data protection tools
years of lackluster user satisfaction, the IDPS bring identity service providers into competition
industry’s Net Promoter Score rose to 22.6 in 2018 against data security companies who have
from 6.6 in 2017. With just under half (45%) of established reputations in the space.
customers saying they would be likely to
© 2018 GA Javelin LLC, a Greenwich Associates LLC company. All rights reserved. This report is licensed for use by Javelin EZShield only. No portion of
these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of
GA Javelin LLC. Licensors may display or print the content for their internal use only, and may not sell, publish, distribute, re-transmit or otherwise
provide access to the content of this report without permission. 4
2018 IDENTITY PROTECTION SERVICE PROVIDER SCORECARD
Fraud and breach fatigue is setting in. In spite of More than half of evaluated IDPS plans rely on PII
the increasing intensity of fraud, in terms of both or knowledge-based authentication to verify
real and perceived impact, customers discontinuing customers’ identity during the password reset
subscriptions because they are now less worried process. Not only do these authentication methods
about fraud jumped dramatically in 2018 to become provide only a nominal level of assurance given the
the third most prevalent reason for attrition, just past five years of data breaches, they condition
behind the subscription’s being too expensive and users to be willing to provide their sensitive data for
expired free periods. day-to-day activities, increasing the risk associated
with phishing and other social engineering
Free credit freezes chip away at the value of schemes.
identity protection services. For consumers who do
not plan to open new financial products or apply Child identity protection features tend to mirror
for other accounts that may require a credit inquiry capabilities for adults, to the detriment of robust
(e.g., opening a new mobile phone account), credit products. The most widely available child identity
freezes can obviate essentially all the credit-related theft protection feature is the ability to monitor for
safeguards offered by identity protection. Not only the sale of the minor’s personal information on
does a credit freeze ensure there will be no new black markets, currently offered by 65% of
credit activity for monitoring products to detect, it evaluated providers. This functions in a very similar
means the identity protection service will also be manner to the same feature for adults.
unable to access the information contained within Unfortunately, monitoring for the establishment of
the credit report — effectively shutting down those a new credit report in the child’s name or attached
features. to the child’s SSN, a somewhat stronger safeguard
against both synthetic identity and familiar fraud, is
the least prevalent child identity protection feature,
provided by just 40% of evaluated providers.
© 2018 GA Javelin LLC, a Greenwich Associates LLC company. All rights reserved. This report is licensed for use by Javelin EZShield only. No portion of
these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of
GA Javelin LLC. Licensors may display or print the content for their internal use only, and may not sell, publish, distribute, re-transmit or otherwise
provide access to the content of this report without permission. 5
2018 IDENTITY PROTECTION SERVICE PROVIDER SCORECARD
RECOMMENDATIONS
Use data security partnerships to expand fraud Digitize the resolution process. Enabling victims to
prevention capabilities. Features such as screening initiate fraud claims from within the online portal
for data-stealing malware, identifying phishing can facilitate more timely detection and jump-start
pages, and boosting the security of users’ logins the resolution process. While these features are
can directly counter many of the threats that lead unlikely to eliminate the need for direct contact
to subscribers’ data being compromised — with victims, it can reduce the amount of time spent
stopping the attack prior to the information’s gathering basic information, enabling resolution
winding up in the criminal marketplace. specialists to focus on helping victims identify the
Consequently, data protection features can turn most effective next steps.
identity protection service providers into active
players in mitigating fraud risk, rather than sideline Use online portals to track next steps and follow-
observers that detect fraud when it occurs. up needs. Integrating a digital resolution tracker
into the IDPS platform’s online and mobile portals
Enable subscribers to customize existing account can help remind victims of the steps already taken
monitoring alerts. Specific alert customizability and recommend the best steps to take next,
enables identity protection providers to act as a potentially including links to key forms or contact
supplement to card protection features at the information for organizations to reach out to.
subscriber’s financial institution. The basic Unfortunately, only 20% of evaluated providers
transaction risk assessments provided with the card offer this capability through their web platform, and
are likely to render existing account monitoring only 15% offer it through their mobile app.
without customizability largely redundant.
Conversely, providing the subscriber with a more
robustly configurable set of alerts can enable the
identity protection service to function well in
tandem with pre-existing card safeguards.
Aim to make digital channels self-sufficient. While
only peripheral to the identity protection space,
free competitors such as Credit Karma are raising
the bar for digital capabilities with tools such as
being able to submit disputes on TransUnion credit
report entries entirely within their webpage. These
kinds of features help the service move away from
being a “concierge-style” offering that assists but
can take only limited action to one that actually
puts tools into consumers’ hands that they did not
have before.
© 2018 GA Javelin LLC, a Greenwich Associates LLC company. All rights reserved. This report is licensed for use by Javelin EZShield only. No portion of
these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of
GA Javelin LLC. Licensors may display or print the content for their internal use only, and may not sell, publish, distribute, re-transmit or otherwise
provide access to the content of this report without permission. 6
2018 IDENTITY PROTECTION SERVICE PROVIDER SCORECARD
ADDRESSING TODAY’S FRAUD THREATS
In the aftermath of one of the most critical data that remove much of the burden from the victim —
breaches of all time, fraud hit record highs in 2017 in part because federal regulations and card
as fraudsters broadened their focus to target a network rules have almost entirely shielded victims
wider array of account types and organizations. The from liability for fraud. However, as fraud moves to
combined increased intensity and diversity of fraud other industries, many of the targeted companies
schemes have reinforced the relevance of identity have not had nearly as much experience in
protection services in facilitating victims’ ability to resolving fraud as financial institutions.
prevent, detect, and resolve fraud.
Consequently, along with the increased complexity
Following the formal switch to EMV chip cards in of fraud has come a corresponding increase in the
late 2015, with fewer opportunities for fraud at the amount of time victims need to spend resolving
point of sale due to the difficulty of counterfeiting each incident. In 2017, fraud victims spent an
cards, fraudsters have instead turned their attention average of 8.7 hours of their own time resolving
to fraudulent new accounts and attacks on digital fraud, up from the record low of 5.2 hours in 2015
portals at financial institutions, merchants, and even (Figure 1). This reinforces the value of identity
other digital accounts such as email and social protection providers in helping to coordinate
media. victims’ efforts in restoring their identity, directing
them to the best parties to contact and advising on
Because financial institutions have conventionally the ideal next steps for fraud resolution.
been the “first responders” when fraud occurs, they
have developed fairly streamlined resolution flows
Resolution Times Climb as Fraud Amounts Continue to Decline
Figure 1: Mean Fraud Amount and Resolution Hours, 2008-17
Source: Javelin Strategy & Research, 2019
© 2018 GA Javelin LLC, a Greenwich Associates LLC company. All rights reserved. This report is licensed for use by Javelin EZShield only. No portion of
these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of
GA Javelin LLC. Licensors may display or print the content for their internal use only, and may not sell, publish, distribute, re-transmit or otherwise
provide access to the content of this report without permission. 7
2018 IDENTITY PROTECTION SERVICE PROVIDER SCORECARD
As fraud amounts steadily decline and fewer and
Industry NPS Rises Notably From 2017
fewer victims pay any amount out of pocket to
Figure 3: IDPS Net Promoter Categories, 2015-18
resolve fraud, the amount of time victims have to
invest in restoring their identity has become a good
metric for how burdensome fraud resolution is for
victims, and victims’ perception of the impact of
fraud on their life bears that out.
After a decade of slowly declining severity of fraud,
in 2017 the proportion of fraud victims who
reported that fraud had a severe impact on their life
jumped back up to 24%, the same level as in 2008
(Figure 2).
At a high level, the identity protection market
appears to be in good shape in 2018. Overall
satisfaction increased notably from 2017, with the
industry’s Net Promoter Score rising from 6.6 in
2017 to 22.6 in 2018, with both a steep increase in
Source: Javelin Strategy & Research, 2019
promoters, to 45% from 38%, and a corresponding
decrease in detractors, to 22% in 2018 from 31% in
2017 (Figure 3).
Severity of Fraud Spikes, Undoing a Decade of Progress
Figure 2: Perceived Impact of Fraud, 2008-17
Source: Javelin Strategy & Research, 2019
© 2018 GA Javelin LLC, a Greenwich Associates LLC company. All rights reserved. This report is licensed for use by Javelin EZShield only. No portion of
these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of
GA Javelin LLC. Licensors may display or print the content for their internal use only, and may not sell, publish, distribute, re-transmit or otherwise
provide access to the content of this report without permission. 8
2018 IDENTITY PROTECTION SERVICE PROVIDER SCORECARD
Along with a rise in subscriber satisfaction came The lack of regulatory action since 2015 can be
more good news for the identity protection service attributed to two factors. First, heavy penalties
industry. The proportion of subscribers canceling have made IDPS resellers particularly averse to
their subscription due to poor industry reputation regulatory risk, with many financial institutions
continued its three-year decline to become the withdrawing identity protection add-on services.
least prevalent reason for canceled subscriptions in The number of identity protection subscriptions
2018 (Figure 4). obtained through a financial institution, the main
target of regulatory action, declined from 28 million
This suggests that IDPS providers have largely been in 2015 to 23 million in 2017.1 Those that remained in
able to put a rash of regulatory actions behind the market have prioritized compliance
them. These penalties, largely imposed by the transparency in potential partnerships.
Consumer Financial Protection Bureau and the
Federal Trade Commission, hit IDPS providers and Additionally, the Trump administration’s efforts to
their financial institution clients for $2.4 billion in restrict the power of the CFPB have resulted in a
fines between 2012 and 2016, due to unethical general decline in regulatory actions. However,
marketing and sales practices, such as charging providers should be wary of a potential for
users who had not been fully enrolled and increased regulatory scrutiny in the future with the
consequently could not access the full benefits of Democrats’ resurgence in the House of
the product. Representatives.
Identity Protection Industry Reputation Recovers From Regulatory Blows
Figure 4: Reasons for Canceling Subscriptions, 2015-2018
Source: Javelin Strategy & Research, 2019
© 2018 GA Javelin LLC, a Greenwich Associates LLC company. All rights reserved. This report is licensed for use by Javelin EZShield only. No portion of
these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of
GA Javelin LLC. Licensors may display or print the content for their internal use only, and may not sell, publish, distribute, re-transmit or otherwise
provide access to the content of this report without permission. 9
2018 IDENTITY PROTECTION SERVICE PROVIDER SCORECARD
FOUR TYPES OF IDPS SUBSCRIBERS
While the intensifying fraud landscape means that the space. The mark of a leader in the identity
consumers do have a need for the kinds of services protection market is a product that is able to
offered by IDPS providers, that doesn’t mean the effectively combine these disparate features into a
market is not facing headwinds. One of the greatest cohesive product that justifies customers’ going to
challenges facing the industry is the perennial them, rather than assembling their own set of tools
criticism that these products largely function as a from those available in the market.
combination of services that consumers can find
elsewhere, and to a certain extent this is valid. To more clearly identify the threats to the identity
protection service industry, we can break
The breadth of features offered by leading identity subscribers into four segments based on the types
protection providers means they are exposed to of features that matter most to them in the IDPS
competitive pressure on many fronts. Consumers subscription:
have plenty of options when it comes to free credit
Core focus: Two in five (41%) subscribers care
monitoring. Newer feature sets such data most about what could be described as “core”
protection tools bring identity protection service IDPS features such as resolution assistance,
providers into competition against data security fraud insurance, dark web monitoring, and
credit freezes.
companies which have established reputations in
Customers’ Focuses Dictate the Competitive Threats Facing IDPS Providers
Figure 5: IDPS Subscriber Segments
Source: Javelin Strategy & Research, 2019
© 2018 GA Javelin LLC, a Greenwich Associates LLC company. All rights reserved. This report is licensed for use by Javelin EZShield only. No portion of
these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of
GA Javelin LLC. Licensors may display or print the content for their internal use only, and may not sell, publish, distribute, re-transmit or otherwise
provide access to the content of this report without permission. 102018 IDENTITY PROTECTION SERVICE PROVIDER SCORECARD
Monitoring focus: Accounting for just under a Other focuses: A fairly small, but not negligible,
third (29%) of IDPS subscribers, these users set of subscribers (17%) report they care most
care most about features that monitor for about features that are typically seen as
suspicious activity on their credit report or ancillary IDPS features such as educational
existing accounts. material, breach notifications, and the service’s
Data protection focus: A notably smaller group mobile app.
than users with a core focus, 13% of subscribers
care most about data protection features, tools
such as password managers, anti-malware, and
VPNs.
© 2018 GA Javelin LLC, a Greenwich Associates LLC company. All rights reserved. This report is licensed for use by Javelin EZShield only. No portion of
these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of
GA Javelin LLC. Licensors may display or print the content for their internal use only, and may not sell, publish, distribute, re-transmit or otherwise
provide access to the content of this report without permission. 112018 IDENTITY PROTECTION SERVICE PROVIDER SCORECARD
KEY THREATS TO THE IDENTITY
PROTECTION MARKET
CORE FOCUS — was too expensive, notably higher than the rate for
APATHY AND LACK OF ROI those with a monitoring focus (24%) and twice as
high as for users with a data protection focus (17%)
Since many of the features that core-oriented
(Figure 6).
subscribers care about are relevant only when fraud
occurs or is about to occur, IDPS providers can
The high rate of cost-related attrition should be a
struggle to provide relevance to this set of users.
driver for identity protection services to implement
After six months or a year have gone by with no
more active tools and emphasize the ones they
signs of fraud and no subscriber data being picked
currently offer. In addition to the fraud protection
up in the dark web, it becomes difficult to convince
benefits of tools such as existing account
users that the $10 to $30 per month expense of an
monitoring through aggregation and data
IDPS subscription is worth it.
protection tools such as anti-malware and
password managers, these tools offer capabilities
This manifests in a particularly high rate of cost-
that are relevant to daily browsing and financial
related attrition. More than a third (34%) of core-
management, minimizing “dead air” that can occur
oriented subscribers who canceled a subscription
between credit report refreshes and other
within the past year did so because the subscription
monitoring updates.
IDPS Providers Fail to Justify Value to Core Subscribers
Figure 6. Reasons for Cancellation, by Subscriber Focus
Source: Javelin Strategy & Research, 2019
© 2018 GA Javelin LLC, a Greenwich Associates LLC company. All rights reserved. This report is licensed for use by Javelin EZShield only. No portion of
these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of
GA Javelin LLC. Licensors may display or print the content for their internal use only, and may not sell, publish, distribute, re-transmit or otherwise
provide access to the content of this report without permission. 122018 IDENTITY PROTECTION SERVICE PROVIDER SCORECARD
Elevated concern about cost is also exacerbated by Decreased concern about fraud is certainly not a
a general decline in concern about fraud among bad thing in and of itself. In fact, one would hope
identity protection service subscribers, in spite of that as financial services and other industries make
the growing intensity of fraud affecting consumers. progress in establishing robust identity safeguards,
This driver broke into the three most prevalent consumers will have more confidence that their
reasons for cancellation in each of the primary identities and accounts are secure. However, the
customer categories and contributed to a quarter identity protection industry necessarily needs to be
(26%) of cancellations by core feature users (Figure able to cope with consumer attitudes around fraud
6). that will ebb and flow as consumers grow inured to
breach headlines and most users do not personally
This factor becomes even more significant when experience fraud in any given year. This requires
placed in context with the past few years. In 2015 implementing features that continue to have
and 2017, lessened concern about fraud was a relevance for the user outside of directly
comparatively minor driver for user attrition, addressing fraud.
ranking as the second least prevalent reason for
users to cancel their subscriptions in both years. In This year, a new threat emerged to the credit-
2018, this leaped to near the top of the chart as the oriented identity protection service providers in the
third most prevalent reason for users to cancel their form of free credit freezes. As of Sept. 21,
subscriptions, behind the service’s being too consumers nationwide became able to freeze and
expensive and expired free subscriptions. unfreeze their credit report for free with each of the
three main credit bureaus. Previously, fees were
determined by each state and ranged from free to
around $15.
Lessened Fraud Concern Leaps in Prominence as an Attrition Driver
Figure 7: Reasons for Canceling Subscriptions, 2015-18
Source: Javelin Strategy & Research, 2019
© 2018 GA Javelin LLC, a Greenwich Associates LLC company. All rights reserved. This report is licensed for use by Javelin EZShield only. No portion of
these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of
GA Javelin LLC. Licensors may display or print the content for their internal use only, and may not sell, publish, distribute, re-transmit or otherwise
provide access to the content of this report without permission. 132018 IDENTITY PROTECTION SERVICE PROVIDER SCORECARD
For consumers who do not plan to open new Even though this can chip away at the value
financial products or apply for other accounts that proposition offered by many identity protection
may require a credit inquiry (e.g., opening a new service providers, it may work to the advantage of
mobile phone account), credit freezes can obviate plans offered by the credit bureaus. These have
essentially all the credit-related safeguards offered responded to the mandate of free credit freezes by
by identity protection. Not only does a credit freeze building into their identity protection products the
ensure there will be no new credit activity for ability to immediately lock a credit report, a subtly
monitoring products to detect, it means the identity different feature from a credit freeze. Although
protection service will also be unable to access the credit report “on/off switches” predate free credit
information contained within the credit report — freezes, these new offerings give them a higher
effectively shutting down those features. profile and highlight a differentiator of the credit
bureaus’ products.
CONSUMER CREDIT SAFEGUARDS: FREEZES, LOCKS, AND ALERTS
Fraud-conscious consumers have a few options when it comes to securing their records held with the
major credit reporting agencies (CRAs), Equifax, Experian, and TransUnion. Each of these approaches
has its own advantages and drawbacks:
Credit freezes are the strongest safeguard consumers can place around their credit report. With a
freeze in place, the CRA with the freeze is legally obligated to block essentially all requests by new
creditors to view the credit report (law enforcement, government agencies, and existing creditors can
still gain access). This effectively prevents new credit-oriented accounts from being opened in the
consumer’s name. However, credit freezes still need to be placed individually with each of the bureaus
and can be inconvenient to place and lift, since they typically require contacting the bureaus by phone
or mail whenever there is a change to the freeze.
Credit locks function similarly to credit freezes but offer somewhat lighter protections in exchange for
greater convenience, since they are contractual arrangements between the consumer and the CRA
rather than the legal framework provided by credit freezes. Crucially, this means the ability to lock and
unlock a credit report applies only as long as the consumer has an open account with the credit lock
products offered by each bureau. Equifax and TransUnion currently offer free lock products, but
Experian charges $5 for the first month and $25 thereafter. Notably, while freezes can take up to a day
to place, locking and unlocking the credit report is typically done instantly from within a smartphone
app or online portal. This potentially makes locks preferable for users who anticipate they will need to
be regularly locking and unlocking their credit report, such as renters who may have multiple credit
inquiries while applying for a new apartment.
Finally, the third major credit report safeguard available to consumers is fraud alerts. Unlike credit
freezes and locks, alerts do not restrict new creditors’ ability to pull credit information on the user.
Instead, an alert indicates that this individual is at heightened risk for identity fraud and that the
creditor should take additional identity verification steps prior to approving a new account.
Unfortunately, these additional identity verification steps are not prescribed by law and consequently
offer only moderate protection against fraudulent new accounts. Previously, basic fraud alerts lasted
for only 90 days, though fraud victims could place extended alerts that would last for up to seven
years. Under the same legislation establishing free credit freezes, all consumers are now able to place
year-long fraud alerts for free.2
© 2018 GA Javelin LLC, a Greenwich Associates LLC company. All rights reserved. This report is licensed for use by Javelin EZShield only. No portion of
these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of
GA Javelin LLC. Licensors may display or print the content for their internal use only, and may not sell, publish, distribute, re-transmit or otherwise
provide access to the content of this report without permission. 142018 IDENTITY PROTECTION SERVICE PROVIDER SCORECARD
MONITORING FOCUS — records from within the Credit Karma user portal
AGGRESSIVE FREE COMPETITION empowers users to initiate, and potentially
complete, the fraud resolution process entirely
Identity protection services arguably face the most
within the platform’s digital portal, ideally
competition when trying to appeal to subscribers
eliminating time-consuming calls to customer
who care primarily about credit report or existing
service.
account monitoring. Credit monitoring services like
Credit Sesame and Credit Karma are widely known
However, Credit Karma’s credit record dispute
among consumers, easy to sign up for, and — more
feature does have some limitations. Users are not
important — free.
able to submit documentation, such as police
reports or other proof that the account is
Of these two services, Credit Sesame has made the
fraudulent, from within the Credit Karma portal, so
most aggressive moves into the identity protection
any complex fraud cases are likely to still require
service space with a free identity protection
the user to directly interact with TransUnion. Also,
module that offers $50,000 in identity fraud
this feature is not currently available for records on
insurance coverage along with resolution
the subscriber’s Equifax credit report, the other
assistance. If users are willing to upgrade to a paid
credit bureau from which Credit Karma provides
plan, they have access to a broader set of
information.
traditional IDPS features, such as Social Security
number monitoring, higher insurance coverage (up
Additionally, Credit Karma provides free “identity
to $1 million), and 24/7 access to resolution
monitoring” to see if the user’s email address and
assistance. Since this product both brands itself as
other unspecified pieces of personal information
an identity protection service and offers a feature
can be found in dark web marketplaces or public
set consistent with this market, the paid version of
dumps of breached data. While it is nice to see this
Credit Sesame’s product is evaluated within the
kind of feature paired with a free credit monitoring
scorecard.
service, it lacks the depth of other dark web
monitoring services provided through traditional
Even without directly offering an “identity
identity protection services. Users do not have any
protection” product that is labeled as such, Credit
visibility into the types of data monitored through
Karma provides some features that help it cross
the service and lack the ability to enroll additional
over into fraud protection territory. In addition to
identifiers, such as ID card numbers or other email
monitoring for new activity on users’ credit report,
addresses that are not associated with the Credit
Credit Karma has partnered with TransUnion to
Karma account.
enable users to dispute credit report records
directly from their Credit Karma portal, rather than
While users who are looking for full-featured
having to leave the site and file the dispute
identity protection services will inevitably be
separately with the credit bureau.
disappointed if they attempt to use free credit
monitoring services as IDPS surrogates, IDPS
Crucially, this feature adds an air of self-sufficiency
services are losing a crucial part of the battle with
to the product that is lacking from many identity
credit-oriented competitors. Only 13% of
protection platforms. Rather than simply providing
subscribers reported that their identity protection
a window into the subscriber’s financial life, being
service was the most recent place they went to
able to address fraudulent or erroneous credit
© 2018 GA Javelin LLC, a Greenwich Associates LLC company. All rights reserved. This report is licensed for use by Javelin EZShield only. No portion of
these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of
GA Javelin LLC. Licensors may display or print the content for their internal use only, and may not sell, publish, distribute, re-transmit or otherwise
provide access to the content of this report without permission. 152018 IDENTITY PROTECTION SERVICE PROVIDER SCORECARD
check their credit score, behind their financial resolving fraud entirely outside their platform,
institutions (29% for primary bank/credit union, 15% which directly undermines the value they purport to
for card issuer), credit bureaus (15%), and online provide.
credit monitoring services (16%).
However, here as well, IDPS providers face strong
This indicates that not only do many identity competition from free services, not the least of
protection service subscribers hold IDPS and credit which originates from the users’ own financial
monitoring accounts but also that the identity institution. IDPS providers cannot directly compete
protection service is losing “top of wallet” status with financial institutions’ ability to screen, approve,
when it comes to where subscribers go first to and decline transactions and consequently must
manage their credit information. focus on detecting fraud that slipped through
financial institutions’ nets.
Similarly, existing account monitoring is an
important feature since it enables identity Conventionally, the unique advantage that IDPS
protection services to extend their coverage to providers bring in combating card fraud is the
card fraud, which accounts for more than 80% of ability to aggregate information on accounts at
fraud victims (compared with 20% for new-account multiple institutions, offering a single portal where
fraud) (Appendix, Figure 18). Without the ability to subscribers can keep tabs on all their accounts,
provide some degree of card fraud management, rather than having to regularly visit multiple banks’
IDPS providers will frequently find themselves in websites or apps. With 60% of banked consumers
the position of having customers detecting and holding accounts at two or more institutions and
5 in 6 IDPS Subscribers Check Their Credit Score at Another Organization
Figure 8: Source of Most Recent Credit Score, IDPS Subscribers and Other Consumers
Source: Javelin Strategy & Research, 2019
© 2018 GA Javelin LLC, a Greenwich Associates LLC company. All rights reserved. This report is licensed for use by Javelin EZShield only. No portion of
these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of
GA Javelin LLC. Licensors may display or print the content for their internal use only, and may not sell, publish, distribute, re-transmit or otherwise
provide access to the content of this report without permission. 162018 IDENTITY PROTECTION SERVICE PROVIDER SCORECARD
20% of banked consumers holding accounts at four DATA PROTECTION FOCUS
or more institutions, this is not an insignificant
A newer area of competition for identity protection
advantage (Appendix, Figure 19), but it is being
services that Javelin has tracked closely over the
eroded as a differentiator as more organizations
past few years are data security products that are
offer similar capabilities.
blurring the lines with the IDPS industry. The most
high-profile case for the blurring of these markets,
As of Javelin’s 2018 Mobile Banking Scorecard, a
of course, was the Symantec acquisition of
quarter of the top 30 FIs in the U.S. offer the ability
LifeLock, which was completed in early 2017. Since
to aggregate information on accounts held at other
then, other data protection companies have made
institutions within their mobile app.3 Non-bank
moves into the space, with McAfee offering its own
services such as Mint also offer the ability to
identity protection service and Dashlane, one of the
aggregate account information within a single
leading password managers, adding dark web
portal. Although they typically lack features
features and a credit monitoring partnership with
specifically aimed at mitigating fraud, some of their
TransUnion to its premium product.
capabilities can provide ancillary benefits in alerting
the victim to card fraud schemes in progress, such
In Javelin’s view, data protection features such as
as large transaction alerts.
anti-malware services, password managers, and
secure browsing tools have a crucial place in
Data Security Tools Grow in Value to IDPS Subscribers
Figure 9: Most Important IDPS Features, by Age
Source: Javelin Strategy & Research, 2019
© 2018 GA Javelin LLC, a Greenwich Associates LLC company. All rights reserved. This report is licensed for use by Javelin EZShield only. No portion of
these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of
GA Javelin LLC. Licensors may display or print the content for their internal use only, and may not sell, publish, distribute, re-transmit or otherwise
provide access to the content of this report without permission. 172018 IDENTITY PROTECTION SERVICE PROVIDER SCORECARD
identity protection services’ product offerings. rather than sideline observers that detect fraud
Actual fraud prevention tools have always been one when it occurs.
of the weakest aspects of an industry that was
largely focused on detecting suspicious activity and Data protection features have a growing appeal
guiding users through the resolution process. among subscribers, especially users 25-54. While
Conventionally, assistance with setting up credit they still rank below some major identity protection
freezes and security alerts was as far as identity features such as credit report and existing account
protection providers went, and for most companies, monitoring, data security tools do rank above black
that really meant directing customers to the credit market PII monitoring.
bureaus.
Unfortunately, many of the IDPS implementations
By screening for data-stealing malware, identifying of these features are still nascent and in need of
phishing pages, and boosting the security of users’ further development. Among users who care most
logins, these kinds of features can directly counter about data protection tools in their identity
many of the threats that lead to subscribers’ data protection subscriptions, the second most frequent
being compromised — stopping the attack prior to reason for attrition was that the product did not
the information’s winding up in the criminal provide all the features they desired, accounting for
marketplace. Consequently, data protection 29% of canceled subscriptions, a much higher rate
features can turn identity protection service than for users who focus on core features (18%) or
providers into active players in mitigating fraud risk, monitoring (15%) (Figure 6).
© 2018 GA Javelin LLC, a Greenwich Associates LLC company. All rights reserved. This report is licensed for use by Javelin EZShield only. No portion of
these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of
GA Javelin LLC. Licensors may display or print the content for their internal use only, and may not sell, publish, distribute, re-transmit or otherwise
provide access to the content of this report without permission. 182018 IDENTITY PROTECTION SERVICE PROVIDER SCORECARD
SCORECARD RESULTS
2018 IDENTITY PROTECTION
SERVICE PROVIDER AWARD
BEST IN CLASS
EZShield Platinum Protection
EZShield returned to the top of the pack in Javelin’s capabilities, providing both robust core
2018 Identity Protection Service Provider functionality around credit, black market, and
Scorecard. As the only provider to emerge as a existing account monitoring and emerging features,
leader in all three categories, EZShield such as mobile data protection tools and digital
distinguished itself through its breadth of fraud resolution capabilities.
© 2018 GA Javelin LLC, a Greenwich Associates LLC company. All rights reserved. This report is licensed for use by Javelin EZShield only. No portion of
these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of
GA Javelin LLC. Licensors may display or print the content for their internal use only, and may not sell, publish, distribute, re-transmit or otherwise
provide access to the content of this report without permission. 192018 IDENTITY PROTECTION SERVICE PROVIDER SCORECARD
PREVENTION
As has been a recurring theme in Javelin’s Identity EZShield, ID Watchdog, and Norton LifeLock
Protection Service Provider Scorecard, prevention distinguished themselves as leaders in prevention,
continues to be one of the most challenging tasks offering a variety of features aimed at blocking
for IDPS providers but fortunately one that is threats to subscribers’ identities. Notably, all these
moving in the right direction. The growing adoption providers integrate digital security features into
of data protection tools and emergence of digital either their desktop or mobile offerings, such as
on/off switches for credit reports help to answer secure browsing tools and anti-malware
one of the key criticisms of the industry — that partnerships.
these services help victims address fraud when it
occurs but offer few tools that can actually stop
fraud before it happens.
EZShield, ID Watchdog, and Norton LifeLock Lead in Prevention
Figure 10: Prevention Category Rankings
PREVENTION
EZShield Inc. Platinum Protection
Leaders
ID Watchdog Platinum
Norton LifeLock Norton 360 with LifeLock Ultimate Plus
Affinion Group PrivacyGuard - Total Protection
Experian IdentityWorks
Contenders
Finastra MyIdentityAssist
ID Experts MyIDCare
IdentityForce UltraSecure packages
LegalShield IDShield
TransUnion True Identity Premium
Credit Sesame Platinum Protection
Equifax Equifax Complete Family Plan
Followers
Intelius IdentityProtect
Intersections Identity Guard
Lookout Personal
ReliaShield ReliaShield Elite
True ID Pro Platinum Membership
Laggards
FICO FICO Ultimate 3B
McAfee Identity Theft Protection
ScoreSense ScoreSense
* Providers in each category are listed alphabetically
Source: Javelin Strategy & Research, 2018
© 2018 GA Javelin LLC, a Greenwich Associates LLC company. All rights reserved. This report is licensed for use by Javelin EZShield only. No portion of
these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of
GA Javelin LLC. Licensors may display or print the content for their internal use only, and may not sell, publish, distribute, re-transmit or otherwise
provide access to the content of this report without permission. 202018 IDENTITY PROTECTION SERVICE PROVIDER SCORECARD
DATA SECURITY TOOLS Addressed by: password managers. With the
ability to generate and autofill strong
One of the perennial problems facing the identity
passwords, users are relieved of much of the
protection service industry is that, for an industry
burden of managing unique passwords across a
that purports to protect customers from identity
plethora of online accounts.
fraud, there are a comparatively small number of
features that actually serve to reduce subscribers’
Phishing: Lookalike sites harboring malware or
risk of identity fraud. Conventionally, this has been
attempting to steal passwords, card data, or
limited to assisting subscribers in placing credit
other PII have grown more sophisticated, with
safeguards such as freezes and fraud alerts.
many leveraging SSL certificates to provide
HTTPS and the padlock security icon next to
Fortunately, the blurring of lines between the
their domain name to provide a patina of
identity protection and consumer data security
legitimacy.
markets is making strides in addressing this
criticism. There are four main types of capabilities Addressed by: secure browsers, anti-phishing
that can help address several of the main methods apps, and browsing extensions. Automated
that fraudsters use to compromise consumers’ data. tools are frequently much more effective than
human eyes at detecting that a purportedly
Malware: While ransomware and cryptominers legitimate site is actually missing a character
are the strains du jour, keyloggers and Trojans from its URL or harboring malicious code.
continue to be a threat to consumers as
fraudsters demand data for card-not-present Data interception in transit: Through
fraud and account takeover, with counterfeit compromised Wi-Fi or lookalike networks set
card fraud steeply declining in the wake of the up in public locations, fraudsters can intercept
EMV shift. key pieces of consumer data such as passwords
and card numbers that are transmitted though
Addressed by: desktop and mobile anti-
unencrypted connections.
malware services and man-in-the-browser
protection products.
Addressed by: VPN services. By automatically
encrypting traffic and routing activity through
Password reuse: One of the more pernicious
the provider’s network, VPN services can
threats posed by password breaches is that
provide a layer of protection against malicious
they open up vulnerabilities at any organization
networks and routers that attempt to snatch up
where victims used the same login information.
sensitive information.
If consumers reused their login information for
core accounts such as their email, that single
As valuable as these features are, there is one
compromised account can provide a window
caveat that should be mentioned with regard to
for fraudsters to intercept password reset
their value in identity protection services. Most of
emails and gain access to otherwise secure
these features are aimed at protecting data on or in
accounts.
transit from consumers’ personal devices but do
© 2018 GA Javelin LLC, a Greenwich Associates LLC company. All rights reserved. This report is licensed for use by Javelin EZShield only. No portion of
these materials may be copied, reproduced, distributed or transmitted, electronically or otherwise, to external parties or publicly without the permission of
GA Javelin LLC. Licensors may display or print the content for their internal use only, and may not sell, publish, distribute, re-transmit or otherwise
provide access to the content of this report without permission. 21You can also read
