Putting an End to Account-Hijacking Identity Theft Study Supplement

Part 2: More-Recent Trends In Identity Theft

As the attention paid to the problem of identity theft has grown, additional analyses have been published that shed more light on the size of the problem, the manner in which identity theft is perpetrated, its indirect costs, the reactions of banks, the adoption rates and consumer acceptance of various methods of authentication, and the public deployment of two-factor authentication.

Size of the Problem

The FDIC Study noted phishing as a primary means by which account hijacking is perpetrated. Although some observers report that the number of phishing cases continues to increase and that response rates to phishing e-mails are consistent with those reported in the Study,4 other observers now estimate that phishing is directed at smaller institutions, with response rates between 1 and 2 percent and declining over time.5

Manner of Perpetration

Two recent studies explore how identity theft is perpetrated. Data from one study do not support the conclusion that “most thieves still obtain personal information through traditional rather than electronic means.”7 As noted above, victims of sophisticated electronic fraud are unlikely to understand how the fraud was perpetrated, so estimates of the means by which confidential information was obtained must be interpreted cautiously. Another study sheds light on a narrow range of identity theft: cases that resulted in arrest or conviction. Although the sample underrepresents the more sophisticated types of electronic fraud, crimes that cross legal jurisdictions, and all those that are never prosecuted, even for this limited sample it is noteworthy how often the alleged or actual perpetrators acted with others and used the identities of one or more businesses, or created bogus businesses, to effectuate the fraud.8

Indirect Costs

Measuring the concerns of consumers is one way of understanding the indirect costs of identity theft. Without question, retail consumers are concerned about identity theft and about the misuse of their personal information. Between one-half and three-quarters of U.S. households report that identity theft is a concern for them or that they are concerned about e-mail fraud.
Internationally, some 80 percent of online adults worry about their online identity being stolen and used to access online bank accounts.12 Although consumers are worried about phishing and the trustworthiness of e-mail messages from their banks, they are also concerned about the security of their personal information more generally. Seventy-five percent of the respondents to one 2004 survey cited identity theft resulting from a security breakdown at the bank as a concern, up from 58 percent in 2003.13 Consumers who bank online have expressed less confidence in the security of their personal information. When asked, “Are you as confident about the protection of your personal information when banking online as when you bank in a branch office?” consumers reported a significant decline in confidence (from 74 percent in 2003 to 64 percent in 2004).14 Concerns about fraud are subsumed within retail customers’ varying levels of concern about how financial firms handle their personal information,15 and merchants are concerned as well.16 Consumers are indicating that they may stop using, or may refuse to adopt, online banking because of their security concerns. Online consumers agree with the statements that they will stop using (14 percent) or not enroll in (20 percent) online banking or bill paying because of concerns about phishing. Small business owners’ reactions are similar.17

Security remains a critical factor when a consumer is choosing a retail bank, and one-quarter of international consumers say they would be very likely to switch banks if, by doing so, they would get better identity protection.18 One study revealed that two-thirds of respondents said they would switch banks if their bank failed to secure their personal information.19 A small percentage of consumers, close to 6 percent, have admitted to having already switched banks to reduce their risk of becoming a victim of identity theft.20

Although the costs to banks of consumer concern about security are substantial, the benefits of improved security are likely to be substantial as well. Improved security may open up new customer markets. Almost three-quarters of current Internet users who do not use online banking report that they would be likely to do so if identity security were improved. Of those who do use online banking, the vast majority report being willing to use more, higher-value services if their identities were better protected.21 These issues have a far-reaching effect on the business of banking.

The Reactions of Banks

Layered Mitigation Approach

In the first stage, fraudsters must set up their apparatus, including creating illegitimate collection Web sites, writing malicious code, or infiltrating open e-mail proxies. Controls at a financial institution can be directed at detecting the signs of set-up and at preventing (internally) open e-mail proxies. Scanning tools and services can help detect the signs of set-up by reviewing new domain registrations and looking for Web site spoofing.

In the second stage, consumers are targeted or fooled into providing their password or other sensitive information through malicious software, misleading e-mail, or illegitimate Web sites. Consumer education is a first line of defense at this stage.
Consumers who understand the risk of installing untrusted software, and who use anti-virus, anti-spyware, and firewall controls, are less likely to be infected with many of the malicious tools used by criminals. Financial institutions can help by educating their customers about proper computer habits. Additionally, financial institutions can help mitigate the threat at this stage by authenticating their Web sites to differentiate themselves from illegitimate sites. Lastly, the Internet industry is working to reduce the potential for spoofed e-mails through infrastructure changes such as authenticated e-mail. Various services are available to detect and track the dissemination of spoofed e-mails, and other services and techniques can be used to track and take down offending data collection Web sites. Data collection sites and spoofed bank Web sites tend to be short-lived because of these efforts. However, the collected credentials live on to the next stage.

In the last stage, the collected credentials are used to access the victim’s account. Financial institutions can mitigate this threat with a variety of tools to better identify who is accessing the account, including authentication methods whose credentials cannot simply be captured once and replayed by the fraudster. Financial institutions can also place controls on higher-risk account features such as bill payment and account transfers.

Consumer Acceptance of Stronger Authentication

Within the banking environment, the authentication methods used by corporate banking customers have been stronger and more sophisticated than the methods used by retail customers. The reasons are the higher account balances (the higher dollar volume at risk) and the more frequent transfer of funds to accounts belonging to third parties. As a result of the authentication methods used, fewer instances of corporate online fraud than of retail online fraud have been reported.
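The first stage of the layered approach above relies on reviewing new domain registrations for names that imitate the institution. The following is an added example of that check, not code from the FDIC Supplement or from any institution it describes: it folds common homoglyphs (digits for letters, accented letters, "rn" for "m"), then flags registrations that equal, embed, or sit within a small edit distance of the brand. The brand "examplebank", its allowlist, and the registration feed are constructed for illustration.

```python
"""Stage-one control: review new domain registrations for lookalikes of the
institution's brand.

Added example (not from the FDIC Supplement).  The brand "examplebank", the
allowlist of legitimate domains, and the registration feed are all constructed.
"""
import unicodedata
from dataclasses import dataclass
from typing import List, Optional

BRAND = "examplebank"                                   # hypothetical brand
LEGIT_DOMAINS = {"examplebank.com", "examplebank.net"}  # hypothetical allowlist
MAX_EDIT_DISTANCE = 2                                   # typosquat tolerance

# Digits that are commonly substituted for the letters they resemble.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "8": "b"})
# Letter pairs that imitate a single letter at typical screen sizes.
PAIR_GLYPHS = (("rn", "m"), ("vv", "w"))


def to_unicode(domain: str) -> str:
    """Decode punycode ("xn--") labels so accented lookalikes can be folded.
    Domains that are already Unicode, or not valid IDNA, are returned as-is."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def normalize(label: str) -> str:
    """Lowercase, strip accents (a-acute -> a), fold digit/pair homoglyphs,
    and drop hyphens, so 'Exárnp1e-Bank' compares equal to 'examplebank'."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))
    s = s.translate(HOMOGLYPHS).replace("-", "")
    for pair, single in PAIR_GLYPHS:
        s = s.replace(pair, single)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    domain: str
    reason: str


def assess(domain: str) -> Optional[Finding]:
    """Return a Finding if `domain` looks like an attempt to imitate BRAND."""
    fqdn = domain.lower().rstrip(".")
    if fqdn in LEGIT_DOMAINS:
        return None
    brand = normalize(BRAND)
    # Check every label except the TLD: the spoof may sit in a subdomain,
    # e.g. examplebank.com.verify-account.net.
    for label in to_unicode(fqdn).split(".")[:-1]:
        norm = normalize(label)
        if label == BRAND:
            return Finding(domain, f"'{label}' is the brand itself under a domain we do not control")
        if norm == brand:
            return Finding(domain, f"'{label}' matches the brand after accent/homoglyph folding")
        if brand in norm:
            return Finding(domain, f"'{label}' embeds the brand")
        if (abs(len(norm) - len(brand)) <= MAX_EDIT_DISTANCE
                and edit_distance(norm, brand) <= MAX_EDIT_DISTANCE):
            return Finding(domain, f"'{label}' is within {MAX_EDIT_DISTANCE} edits of the brand")
    return None


def scan(feed: List[str]) -> List[Finding]:
    """Run assess() over a batch of newly registered domains."""
    return [f for f in (assess(d) for d in feed) if f is not None]


# Constructed sample feed of new registrations (not real data).
NEW_REGISTRATIONS = [
    "examplebank.com",                      # ours, allowlisted
    "examp1ebank.com",                      # digit 1 for l
    "exampelbank.net",                      # transposed letters
    "examplebank-secure-login.com",         # brand plus lure words
    "examplebank.com.verify-account.net",   # our name as a subdomain of theirs
    "exámplebank.com",                      # accented a
    "exarnplebank.com",                     # rn for m
    "ezamplebank.com",                      # one substitution
    "bank.com",                             # generic, not a lookalike
    "unrelated-shop.org",
]

if __name__ == "__main__":
    for finding in scan(NEW_REGISTRATIONS):
        print(f"{finding.domain:40} {finding.reason}")
```

Every hit still needs a human look before a takedown request, and the allowlist check is on the full domain on purpose: a registrant can put the bank's exact name in a subdomain of a domain the bank does not own, which is why labels are checked individually rather than only the registrable part.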
A brief look at the authentication methods used by corporate customers may be useful for banks that are considering stronger authentication for retail customers. A small sample of large banks shows that these institutions use a variety of authentication techniques for corporate banking.24 Five of seven global banks and four of seven North American banks use a single sign-on, with North American respondents generally limiting single sign-on to cash management services. The sampled banks use some combination of user identification, user password, company identification, and company password. Access to trade services, foreign exchange, and investments generally requires a separate login and security method for each product.25 Digital certificates are used more often by large global banks than by their North American counterparts, primarily to support nonrepudiation of transactions. Most of these large banks use tokens: six of seven North American and global banks in this sample use tokens to access corporate electronic banking applications, to approve payment transactions, or both. Digital certificates are used by about half of the sampled institutions. These large banks have shown little reported interest in using biometrics to authenticate corporate customers.

Online merchants are using, and plan to increase their use of, nonintrusive Internet protocol address filtering methods. Online merchants already use a variety of tools, with 33 percent using Internet protocol address filtering and another 22 percent planning to implement that method in 2005.26

When banks consider authentication methods for retail customers, they should be aware that these customers value security and the protection of confidential information and may be prepared to use enhanced authentication methods to access their accounts. But there are privacy implications associated with authentication.
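The tokens most of the sampled banks use for corporate customers are the concrete form of the stage-three control described earlier: a credential that a fraudster cannot capture once and reuse. The following is an added example, not code from the Supplement or from any of the banks it surveys, showing what the bank's side of such a token does. It implements HOTP and time-based TOTP (RFC 4226 and RFC 6238) with the Python standard library, accepts a code only inside a short time window, and remembers accepted codes so a captured one cannot be replayed. The shared secret is the RFC 6238 published test secret, not a real key, and the "phishing" timeline is constructed.

```python
"""Stage-three control: a token code that cannot usefully be captured and replayed.

Added example (not from the FDIC Supplement).  Implements HOTP/TOTP
(RFC 4226 / RFC 6238) with the standard library and adds the check a bank's
verifier needs: a code is accepted once, inside a short time window, and
never again.  SECRET is the RFC 6238 test-vector secret, not a real key; the
timeline in phishing_timeline() is constructed.
"""
import hashlib
import hmac
import struct
from typing import Set

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length shown on a typical hardware token


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduction mod 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // STEP_SECONDS)


class TokenVerifier:
    """Server side of a time-based token.  `skew` is how many steps of clock
    drift to tolerate either way; `used` remembers accepted counters so a
    code captured by malware or a spoofed site cannot be replayed."""

    def __init__(self, secret: bytes, skew: int = 1) -> None:
        self.secret = secret
        self.skew = skew
        self.used: Set[int] = set()

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP_SECONDS
        for counter in range(now - self.skew, now + self.skew + 1):
            if counter in self.used:
                continue
            # compare_digest keeps the comparison constant-time.
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.used.add(counter)
                return True
        return False


# RFC 6238 test secret (ASCII "12345678901234567890"); not a real key.
SECRET = b"12345678901234567890"


def phishing_timeline() -> dict:
    """Constructed scenario: the victim logs in legitimately at t=59 while
    malware captures the code; the fraudster replays it at t=75 (same window,
    already consumed) and again at t=200 (window expired)."""
    verifier = TokenVerifier(SECRET)
    captured = totp(SECRET, 59)
    return {
        "code": captured,
        "victim_login_ok": verifier.verify(captured, 59),
        "replay_same_window": verifier.verify(captured, 75),
        "replay_later": verifier.verify(captured, 200),
    }


if __name__ == "__main__":
    for event, result in phishing_timeline().items():
        print(f"{event:20} {result}")
```

The contrast with a static password is the point: a password collected in stage two "lives on" indefinitely, while the captured token code is useless after one use or one time step. The caveat a practitioner should keep in mind is that a fraudster who relays the code to the real bank within the same 30-second window, before the victim's own login, still gets in; that is why the Supplement's other stage-three control, extra checks on high-risk features such as transfers and bill payment, remains necessary alongside the token.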
Consumers report the greatest concerns with biometrics. Consumers will require a clear explanation of any security mechanism and of the use of any personal information required to implement it. Consumers will need to understand how the additional information will be used and stored. Overly burdensome authentication systems may lower consumer participation, thereby lowering the effectiveness of the entire system. Consumers are also concerned about the risk associated with large databases of personal information and the potential for the information used by authentication methods to be compromised, copied, or imitated.27

Some conceptual acceptance by consumers of additional authentication methods has been reported, both for biometrics and for providing additional information for authentication. Limitations on the use of personal information and the existence of privacy safeguards are important elements of consumer acceptance.28 Convenience is another element, for convenience plus security may be more important to customers than security alone. In a more recent study, among the approximately two-thirds of respondents who found biometrics generally acceptable, voice recognition and fingerprints were the most widely accepted biometric types, and convenience was the overwhelming benefit cited, along with security and speeding up the transaction. The one-third who were unsure of or opposed to biometrics indicated concerns about how biometrics works and its accuracy.29 To an extent, consumers appear to be willing to provide additional pieces of information for authentication (with 29 percent agreeing to provide one additional data item and 41 percent suggesting two).30 One-fifth of online U.S. households claim that, because of their concerns about privacy or security, they would be willing to have an in-home credit card reader.31 At least one vendor reports interest in two-factor authentication for accessing online bank accounts.32

The challenge facing banks that offer online banking services is significant. New authentication methods must be reliable, cost-effective, and convenient while meeting the security and privacy needs of customers. Cost, reliability, performance, and ease of enrollment are expected to improve in the near term but will still vary by technology and by product within a technology.

Examples of Two-Factor Authentication
2 Javelin (2005). The Javelin study attempts to replicate many aspects of the 2003 Federal Trade Commission report cited in the Study. However, differences in methodology preclude longitudinal comparisons of incidence rates. Both studies attempt to measure the following three forms of identity theft fraud: new account and other fraud, misuse of existing non-credit card account or account number fraud, and misuse of existing credit card or credit card number fraud.

3 FTC (2005). Internet-related is defined as a fraud that concerns an Internet product or service, where the company initially contacts the consumer via the Internet, or where the consumer responds via the Internet. For Internet-related fraud, 15 percent of complainants reported the method of payment.

4 Department of Homeland Security (2005).

7 Javelin (2005). Less than half of respondents in the survey reported how they believe the fraudster obtained their personal information.

9 For example, Robertson (2004) and Gould (2004).

10 See Penn et al. (2005) and RSA Security (2003).

12 Louvel (2005), Penn et al. (2005), Graeber et al. (2004), Entrust (2005).

13 Ponemon Institute cited in Nock (2005).

15 See Penn et al. (2005), Graeber et al. (2004), and Entrust (2005).

16 Almost half of online merchants are more concerned than in the past about online payment fraud, and two-thirds say that a higher incidence of identity theft is increasing the amount of online fraud. See CyberSource Corporation (2005).

17 Penn et al. (2005). See also Graeber et al. (2004).

19 Ponemon Institute cited in Nock (2005).

24 This section relies on Feinberg (2005), which is a supplement to Feinberg (2004). Feinberg (2004) reports on responses of 10 institutions out of 17 large institutions surveyed that are headquartered in North America or have a corporate electronic banking application managed by a North American subsidiary. The 10 respondents were: ABN AMRO, Bank of America, Bank of Montreal, Citibank, Citizens Bank, Mellon Bank, PNC Bank, Royal Bank of Canada, SunTrust, and an unnamed major European bank with a U.S.-managed banking product. Feinberg (2005) discusses the results from those 10 plus 4 more institutions, categorized as either global banks (ABN AMRO, BNP Paribas, Bank of America, Citibank, HSBC, Royal Bank of Scotland, and an unnamed bank headquartered in Europe) or North American banks (Bank of Montreal, Bank of New York, Citizens Bank (a subsidiary of Royal Bank of Scotland), Mellon Bank, PNC Bank, Royal Bank of Canada, and SunTrust).

26 CyberSource Corporation (2005). This source uses the term “geo-location” for the technology that this Supplement refers to as Internet protocol address location.

27 National Association of State Chief Information Officers (2004, 2005).
Last Updated 6/23/2005