Fraud Mobility Ken Meiser VP- Identity Solutions

LifeLock: Layers Of Protection DETECT Stopping Fraud Before Financial Harm to Consumer or Company ALERT Providing Consumers with visibility into how and where their identity is being used RESTORE Trained experts to assist you when compromise occurs Education Security Technology

Two Critical Areas of Focus for ID Analytics 1 Enable better fraud, identity and risk decisions for leading U.S. organizations 300+ Companies, including most Top Credit Card Issuers, Banks and Wireless Carriers 2 Protect consumers from fraud by generating unique alerts, innovations and insights As part of LifeLock, ID Analytics is heavily focused on protecting consumers from fraud and identity theft. We approach this in two distinct and critical ways. We work with leading financial institutions, lenders, and businesses to stop fraud attempts before new accounts are booked. We send new account opening alerts directly to consumers through LifeLock. This combined approach enables ID Analytics to stop some fraud before it happens and empower consumers to protect themselves if it gets through.

An ecosystem to protect consumers & enterprises 1 2 3 Name SSN Date of Birth Address Phone Email Application ID Analytics’ Client ID Analytics sends back risk assessment Alert 5 4 Consumer Alert To help our clients control fraud, they send application data to ID Analytics for evaluation nearly a million times a day. We return a risk assessment of the application to the client. Consumers cannot be declined credit based on fraud risk, but the lenders are able to investigate the application more carefully to ensure it is legitimate. This is critical to protecting at risk populations, such as the elderly. In addition, clients ask us to notify LifeLock members of all applications matching their identity.

Study Goals and Methodology Q: Do fraudsters follow a pattern within and across industries? What behavior does a victim’s identity exhibit before and after a fraudulent event? What are the long-term implications for a consumer with a compromised identity? Extract from four industries: Telecom Bank Card Retail Card Auto & Consumer Seen at least twice between: SSNs 68M 2.9M Fraudulent Events Extract from telecom, Credit Card, Retail Card, Auto Consumer lending 68million SSNs seen AT LEAST twice between July 2010 and July 2015 2.9M fraudulent events

Normal Application Cadence Non-Compromised Identity Retail Retail Retail Telco Bankcard 2004 2006 2008 2010 2012 2014 2016 - Tony has been seen in the ID Network five times over eleven years with an overall application rate of roughly one application every two years Tony’s SSN was never associated with a client-confirmed fraud The event of Tony’s non-compromised application (randomly chosen from all the non-compromised applications) was seen in December 2008 on a retail credit-card application Prior to this event, Tony was seen submitting two applications, approximately one every two and a half years (both seen in the retail credit card industry) After the 2008 event, Tony’s behavior remained consistent, submitting two more applications over the next six years at an average rate one new application every three years. These subsequent applications crossed multiple industries (e.g., one telecommunications, one bankcard)

Fraudulent Application Cadence Compromised Identity Bankcard Telco Retail March 12, 2006 July 7, 2011 February 21, 2014 February 22, 2014 October 18, 2014 - Applications with Fred’s SSN were seen in the ID Network without any associations to fraud for 11 years averaging roughly one new application every five years. During this time Fred was seen applying to two bankcard enterprises In February 2014, Fred’s SSN was first reported by a telecommunications client as being associated with a fraudulent application Later that same day, Fred’s SSN was seen in a new account application that went on to be confirmed as a fraudulent event in the retail credit card industry and there were three additional new-account applications with three different telecommunication enterprises (one of which resulted in a third instance of confirmed fraud) The following day, Fred’s SSN was seen on an application for a retail credit card October 2014, two new applications with Fred’s SSN are submitted to retail card issuers and later confirmed as associated with fraud by the enterprises

Aggregated Cadence Comparison Once a SSN has been compromised, it remains at risk Pre and Post Application Velocity for a Compromised Application vs a Non-Compromised Application Compromised identity 6xs higher within the first day Compromised identity 5xs higher after 360 days Compromised SSN Non-Compromised SSN Compromised SSN Non-Compromised SSN Similar behavior seen until 10 days prior to the event Blue line 180-360 before and after as examples of a pretty symmetrical line Increase in traffic toward the end is partially explained by growth of the network In general, transactions cluster Orange line higher than blue because fraud behavior begets a higher overall volume over the entire window Blue l Compromised identities are seen 7xs 10 days after the event 46% of the 0-10 day events happen in the first 24 hours A second spike in the non-compromised identities is seen after 180 days

Market concentration patterns suggest fraud specialization Victims Remain Vulnerable within Specific Markets in the Short-Term Probability of Crossing Industry 0% 10% 20% 30% 40% 50% 60% 70% 0-10 10-30 30-90 90-180 180-360 360+ Days 21% 48% 53% 55% 57% 62% 63% Compromised SSN Non-Compromised SSN Compromised SSN 23% 7% 13% 16% Non-Compromised SSN During the first 10 days, 93% of multiple fraud occurrences took place within the same industry