FDIC: Putting an End to Account-Hijacking Identity Theft Study Supplement

FDIC Home - Federal Deposit Insurance Corporation

Advanced Search

Home

Deposit Insurance

Consumer Protection

Industry Analysis

Regulations & Examinations

Asset Sales

News & Events

About FDIC


		Home > Consumer Protection > Consumer Resources > Putting an End to Account-Hijacking Identity Theft Study Supplement

Putting an End to Account-Hijacking Identity Theft Study Supplement

Previous | Table of Contents | Next

Part 2: More-Recent Trends In Identity Theft

As the attention paid to the problem of identity theft has grown, additional analyses have been published that shed more light on the size of the problem, the manner in which identity theft is perpetrated, indirect costs, the reactions of banks, the adoption rates and consumer acceptance of various methods of authentication, and public deployment of two-factor authentication.

Size of the Problem
Identity theft is a continuing problem. A recent 2005 study estimates that 1.15 percent of the U.S. adult population experienced a misuse of existing non-credit card accounts or account numbers in the last year, estimates which would include deposit accounts, and another 2.36 percent experienced different forms of identity theft.² The Federal Trade Commission reports a slight increase in 2004 in the percentage of bank fraud complaints associated with existing-account fraud and a solid increase in the percentage of complaints involving electronic fund transfers (see table 1). Between 2002 and 2004, the percentage of complaints about electronic fund transfers more than doubled. In addition, for all Internet-related fraud complaints received in 2004, 19 percent of cases in which the complainant reported the method of payment involved a bank account debit, and 13 percent involved a wire transfer³.

	2002		2003		2004
Table 1: How Victims' Information Is Misused
Bank Fraud*	Percentage	Number of Complaints	Percentage	Number of Complaints	Percentage	Number of Complaints
Existing Accounts	8.1		8.3		8.5
Electronic Fund Transfers	3.1		4.8		6.6
New Accounts	3.7		3.8		3.6
Unspecified	2.0		0.5		0.1
Total Bank Fraud	16.0		17.0		18.0
Total Identity-Theft Complaints		161,896		215,093		246,570
*Bank fraud includes fraud involving checking and savings accounts and electronic fund transfers.
Source: Source: FTC (2005) p. 10.

The FDIC Study noted phishing as a primary means by which account hijacking is perpetrated. Although some observers are reporting that the number of phishing cases continues to increase and note that response rates to phishing e-mails are consistent with those reported in the Study;⁴ other observers are now estimating that phishing is directed at smaller institutions, with response rates at between 1 and 2 percent and declining over time.⁵

Manner of Perpetration
Understanding exactly how identity theft is perpetrated can help regulators, institutions, and consumers identify ways to stop this form of fraud. All identity theft begins with a security compromise of confidential personal data, but linking the security compromise of personal data with the identity theft perpetrator and/or the perpetrator’s means of access is difficult and often impossible. These crimes are often unreported and not prosecuted, and they often cross geographic and legal jurisdictions. Victims are unlikely to know that third parties or insiders have stolen their confidential information, or unlikely to be aware that computer spyware, a virus, a hacker, or even phishing is the direct cause of their problem.⁶ The more technologically challenging the case, the less likely it is that the victim will understand the means of access.

Two recent studies explore how identity theft is perpetrated. Data from one study do not support the conclusion that “most thieves still obtain personal information through traditional rather than electronic means.” ⁷ As noted above, victims of sophisticated electronic fraud are unlikely to understand how the fraud was perpetrated, so estimates of means of access to confidential information must be interpreted cautiously.

Another study sheds light on a narrow range of identity theft: cases that resulted in arrest or conviction. Although the sample underrepresents the more sophisticated types of electronic fraud as well as crimes that cross legal jurisdictions and all those that are never prosecuted, even for this limited sample it is noteworthy how often the alleged or actual perpetrators acted with others and used the identities of one or more businesses or created bogus businesses to effectuate the fraud.⁸

Indirect Costs
Direct cost estimates of identity theft have been criticized by some researchers as being too high,⁹ but the indirect costs are widely considered to be undervalued. Indirect costs include slower adoption rates for online banking and bill paying and therefore a greater use of more-costly banking channels; less effective Internet marketing efforts; loss of consumer confidence in online transactions inside and outside of banking; loss of faith in brand names; and increased concern about financial institution security more generally.¹⁰ Costs resulting from publicity about identity-related security breaches include loss of brand equity, customer defections, lost business opportunities, costly litigation, and the cost of implementing better security.¹¹

Measuring the concerns of consumers is one way of understanding the indirect costs of identity theft. Without question, retail consumers are concerned about identity theft and about the misuse of their personal information. Between one-half and three-quarters of U.S. households report that identity theft is a concern for them or that they are concerned about e-mail fraud. Internationally, some 80 percent of online adults worry about their online identity being stolen and used to access online bank accounts.¹²

Although consumers are worried about phishing and the trustworthiness of e-mail messages from their banks, they are also concerned about the security of their personal information more generally. Seventy-five percent of the respondents to one 2004 survey cited identity theft resulting from a security breakdown at the bank as a concern, up from 58 percent in 2003.¹³ Consumers who bank online have expressed less confidence in the security of their personal information. When asked the question, ‘are you as confident about the protection of your personal information when banking online as when you bank in a branch office,’ consumers report a significant decline in confidence (from 74 percent in 2003 compared to 64 percent in 2004).¹⁴ Concerns about fraud are subsumed within retail customers’ varying levels of concern about how financial firms handle their personal information,¹⁵ and merchants are concerned as well.¹⁶

Consumers are indicating that they may stop using or may refuse to adopt online banking because of their security concerns. Online consumers report that they agree with the statements that they will stop using (14 percent) or not enroll (20 percent) in online banking or bill paying because of concerns about phishing. Small business owners’ reactions are similar.¹⁷ Security remains a critical factor when a consumer is choosing a retail bank, and one-quarter of international consumers will be very likely to switch banks if, by doing so, they will have better identity protection.¹⁸ One study revealed that two-thirds of respondents said they will switch banks if their bank fails to secure their personal information.¹⁹ A small percentage of consumers—close to 6 percent—have even admitted to having already switched banks to reduce their risk of becoming a victim of identity theft.²⁰

Although the costs to banks of consumer concern about security are substantial, the benefits of improved security are likely to be substantial as well. Improved security may open up new customer markets. Almost three-quarters of current Internet users who do not use online banking report that they will be likely to do so if identity security is improved. Of those that do use online banking, the vast majority report being willing to use more, higher-value services if their identities are better protected.²¹ These issues have a far-reaching effect on the business of banking.

The Reactions of Banks
In most cases, financial institutions have a legal responsibility to their online consumers to restore funds (within limits) when they are victims of phishing attacks or of other forms of unauthorized electronic account access. Most banks appear to be taking such responsibility. Some banks appear to be falling short in meeting that responsibility or are making it hard for customer-victims to recover misappropriated account funds.²² In an attempt to allay consumer concerns about identity theft, some banks have begun advertising a guarantee associated with their online banking. In some cases the wording of the guarantee may be unclear or misleading, and at least one major bank has reportedly been communicating incorrect information to consumers about the bank’s security guarantees or the role of the FDIC’s deposit insurance in online fraud.²³ Banks should review their procedures for dealing with consumers who become victims of unauthorized access to deposit accounts and should clearly communicate to consumers the precise meaning of any advertised guarantees.

Layered Mitigation Approach
On-line account fraud is usually implemented in various stages and the controls to mitigate the threat can be directed at those stages.

In the first stage, fraudsters must set up their apparatus, including the creation of illegitimate collection Web sites, writing of malicious code, or infiltrating open e-mail proxies. Controls from a financial institution can be directed at detecting the signs of set-up, and preventing (internally) open e-mail proxies. Scanning tools and services can help detect the signs of set-up by reviewing domain registrations and Web site spoofing.

In the second stage, consumers are targeted or fooled into providing their password or other sensitive information with malicious software, misleading e-mail, or illegitimate Web sites. Consumer education is a first line of defense to mitigate this stage. Consumers who understand the risk of installing untrusted software, and who use anti-virus, anti-spyware and firewall controls are less likely to be infected with many of the malicious tools used by criminals. Financial institutions can help by educating their customers about proper computer habits. Additionally, financial institutions can help mitigate the threat at this stage by authenticating their Web sites to differentiate themselves from illegitimate sites. Lastly, the Internet industry is working to reduce the potential of spoofed e-mails through infrastructure changes such as authenticated e-mail. Various services are available to detect and track the dissemination of spoofed e-mails, and other services and techniques can be used to track and take down offending data collection Web sites. Data collection sites and spoofed bank Web sites tend to be short-lived because of these efforts. However, the collected credentials live on to the next stage.

In the last stage, collected credentials are used to access the victim’s account. Financial institutions can mitigate this threat with a variety of tools to better identify who is accessing the account. This includes authentication methods which cannot be collected by the fraudster. Financial institutions can also place controls on higher risk account features such as bill payment and account transfers.

Consumer Acceptance of Stronger Authentication
The combination of increased identity theft and intensified focus on preventing terrorism and ensuring business and border security has renewed everyone’s interest in methods of authentication. New methods have been developed, and research to create or improve others has been proceeding. Partly because security methods are cloaked in secrecy and partly because the environment has been changing so fast, limited information is available about financial institutions’ use of various authentication methods and their effectiveness.

What is known is that within the banking environment, the authentication methods used by corporate banking customers have been stronger and more sophisticated than the methods used by retail customers. The reasons, of course, are the higher account balances—the higher dollar volume of risk—and the more frequent transfer of funds to accounts belonging to third parties. As a result of the authentication methods used, fewer instances of corporate online fraud than of retail online fraud have been reported. A brief look at the authentication methods used by corporate customers may be useful for banks that are considering applying stronger authentication for retail customers.

A small sample of large banks shows that these institutions are using a variety of authentication techniques for corporate banking.²⁴ Five out of seven global banks and four out of seven North American banks use a single sign-on, with North American respondents generally limiting single sign-on to cash management services. The small sample of large banks uses some combination of user identification, user password, company identification, and company password. Access to trade services, foreign exchange, and investments generally require a separate login and security method for each product.²⁵ Digital certificates are more often used by large global banks compared to their North American counterparts, primarily to support the nonrepudiation of transactions.

Most of these large banks use tokens. Six out of seven North American and global banks included in this sample use tokens to access corporate electronic banking applications, to approve payment transactions, or both. Digital certificates are used by about half the sampled institutions. These large banks have shown little reported interest in using biometrics to authenticate corporate customers.

Online merchants are using, and plan to increase their use of, nonintrusive Internet protocol address filtering methods. Current online merchants are already using a variety of tools, with 33 percent using Internet protocol address filtering and another 22 percent planning to implement that method in 2005.²⁶

When banks consider authentication methods for retail customers, they should be aware that these customers value security and the protection of confidential information and may be prepared to use enhanced authentication methods to access their accounts. But there are privacy implications associated with authentication. Consumers report the greatest concerns with biometrics. Consumers will require a clear explanation of any security mechanism and the use of any personal information required to implement that security mechanism. Consumers will need to understand how the additional information will be used and stored. Overly burdensome authentication systems may lower consumer participation, thereby lowering the effectiveness of the entire system. Consumers are also concerned about the risk associated with large databases of personal information and the potential for the information that is used by authentication methods to be compromised, copied, or imitated.²⁷

Some conceptual acceptance by consumers of additional authentication methods has been reported concerning biometrics and the willingness of consumers to provide additional information for authentication. Limitations on the use of personal information and the existence of privacy safeguards are important elements of consumer acceptance.²⁸ Convenience is another element, for convenience plus security may be more important to customers than security alone. In a more recent study, among approximately two-thirds of respondents who found biometrics generally acceptable, voice recognition and finger prints were the most widely accepted biometric types, and convenience was the overwhelming benefit along with security and speeding up the transaction. The one-third who were unsure or opposed to biometrics indicated concerns about how biometrics works and its accuracy.²⁹

To an extent, consumers appear to be willing to provide additional pieces of information for authentication (with 29 percent agreeing to provide one additional data item and 41 percent suggesting two).³⁰ One-fifth of online U.S. households claim that because of their concerns about privacy or security, they would be willing to have an in-home credit card reader.³¹ At least one vendor reports interest in two-factor authentication for the accessing of on-line bank accounts.³²

The challenge facing banks that offer online banking services is significant. New authentication methods must be reliable, cost-effective, and convenient while meeting the security and privacy needs of customers. Cost, reliability, performance, and ease of enrollment are expected to improve in the near term but will still vary by technology and by product within the technology.

Examples of Two-Factor Authentication
At the time the FDIC Study was published, the FDIC knew of several financial institutions that were using two-factor authentication, and contacted them. Each institution asked that its name not be used in the Study. Since then, the FDIC has become aware of additional institutions that have begun using such technologies, and the names of the participating financial institutions have been made public. There may be more institutions becoming interested at least in piloting two-factor authentication programs. A number of institutions have put such programs into production. For two groups, domestic and international financial institutions, tables 2 and 3 list the technology, its application, and the deployment stage as of the date this Supplement was published. Although these tables are not intended to be an exhaustive list of institutions using two-factor authentication, they do suggest that the use of such technology is becoming more common.

Institution	Technology	Application	Deployment Stage
Table 2. Domestic Interest in Two-Factor Authentication Programs
E-Trade Bank	One-time-password hardware token	Internet banking	Pilot
Bank of America	Various two-factor technologies	Internet access for employees and corporate customers	Internal—summer 2005; Corporate customers—fall/winter 2005
Sovereign Bank	One-time-password hardware token	Business banking: corporate and institutional customers	Production
ABN AMRO	One-time-password hardware token	On-line treasury management	Production
ING Direct	Rotating shared secret	Internet banking	Production
Stanford Federal Credit Union	Device authentication	Internet banking	Production
Purdue Employees Federal Credit Union	Biometric (fingerprint)	Automated service centers	Production
San Antonio City Employees Federal Credit Union	Biometric (palm geometry and keystroke)	Safe deposit box access; employee network access	Production
Commerce Bank	One-time-password hardware token	Internet banking for corporate customers	Production
Wachovia	One-time-password hardware token	Internet banking	Under consideration
Dollar Bank	One-time-password hardware token	Internet banking for corporate customers	Production

Institution	Technology	Application	Deployment Stage
Table 3. International Interest in Two-Factor Authentication Programs
Australian Bankers Association*	Various two-factor technologies	Internet Banking	Proposed and pilot programs
Bank of Valletta	One-time-password hardware token	Internet banking, telephone banking, customer service center, mobile banking	Production
Rabobank	One-time-password hardware token	Internet banking	Production
SEB Bank	One-time-password hardware token	Internet banking	Production
SwedBank	One-time-password hardware token	Internet banking	Production
Bank of Tokyo–Mitsubishi	Biometric (palm geometry)	ATM	March 2006
Surugo Bank Shizuoka Prefecture	Biometric (palm geometry)	ATM	Production
Mizuho Bank	Biometric (palm geometry)	ATM	Research
Sumitomo Mitsui Bank	Biometric (palm geometry)	ATM	March 2006
Citibank, UK Division	On-screen virtual keyboard	Internet banking	Production
First National Bank of South Africa	One-time-password hardware token	Internet banking	Production
Royal Bank of Scotland	One-time-password hardware token	Internet banking	Production
Loyal Bank	One-time-password hardware token	Internet banking	Production
Fortis, NV	One-time-password hardware token	Internet banking	Production
Grupo Aval	Device authentication	Internet banking July 2005	Production
Barclays	On-screen virtual keyboard Out of band	Internet banking Internet banking	Production Under Consideration
*According to CEO David Bell, an industry standard requiring all banks in Australia to use two methods of authentication for Internet customers will be introduced in 2005.

² Javelin (2005). The Javelin study attempts to replicate many aspects of the 2003 Federal Trade Commission report cited in the Study. However, differences in methodology preclude longitudinal comparisons of incidence rates. Both studies attempt to measure the following three forms of identity theft fraud: new account and other fraud, misuse of existing non-credit card account or account number fraud, and misuse of existing credit card or credit card number fraud.

³ FTC (2005). Internet-related is defined as a fraud that concerns an Internet product or service, the company initially contacts the consumer via the Internet, or the consumer responds via the Internet. For Internet-related fraud, 15 percent of complainants reported the method of payment.

⁴ Department of Homeland Security (2005).

⁵ Robertson (2004).

⁶ See ibid.

⁷ Javelin (2005). Less than half of respondents in the survey reported how they believe the fraudster obtained their personal information.

⁸ Collins and Hoffman (2004).

⁹ For example, Robertson (2004) and Gould (2004).

¹⁰ See Penn et al. (2005) and RSA Security (2003).

¹¹ RSA Security (2003).

¹² Louvel (2005), Penn et al. (2005), Graeber et al. (2004), Entrust (2005).

¹³ Ponemon Institute cited in Nock (2005).

¹⁴ Ponemon Institute (2005).

¹⁵ See Penn et al. (2005), Graeber et al. (2004), and Entrust (2005).

¹⁶ Almost half of online merchants are more concerned than in the past about online payment fraud, and two-thirds say that a higher incidence of identity theft is increasing the amount of online fraud. See CyberSource Corporation (2005).

¹⁷ Penn at al. (2005). See also Graeber et al. (2004).

¹⁸ Entrust (2005).

¹⁹ Ponemon Institute cited in Nock (2005).

²⁰ Louvel (2005).

²¹ Entrust (2005).

²² Penn et al. (2004).

²³ Graeber et al. (2004).

²⁴ This section relies on Feinberg (2005) which is a supplement to Feinberg (2004). Feinberg (2004) reports on responses of 10 institutions out of 17 large institutions surveyed that are headquartered in North America or with a corporate electronic banking application managed by a North American subsidiary. The 10 respondents were: ABN AMRO, Bank of America, Bank of Montreal, Citibank, Citizens Bank, Mellon Bank, PNC Bank, Royal Bank of Canada, SunTrust, and an unnamed major European bank with a U.S.-managed banking product. Feinberg (2005) discusses the results from those 10 plus 4 more institutions categorized as either global banks (i.e., ABN AMRO, BNP Paribas, Bank of America, Citibank, HSBC, Royal Bank of Scotland, and an unnamed bank headquartered in Europe) or North American banks (Bank of Montreal, Bank of New York, Citizens Bank (a subsidiary of Royal Bank of Scotland), Mellon Bank, PNC Bank, Royal Bank of Canada, and SunTrust).

²⁵ Feinberg (2004).

²⁶ Cybersource (2005). This source uses the term “geo-location” to identify the technology that this Supplement refers to as Internet protocol address location.

²⁷ National Association of State Chief Information Officers (2004, 2005).

²⁸ Privacy & American Business (2003).

²⁹ Magnuson and Reid (2004).

³⁰ Ibid.

³¹ Penn et al. (2005).

³² Entrust (2005).

Last Updated 6/23/2005

consumeralerts@fdic.gov

Home Contact Us Search Help SiteMap Forms
Freedom of Information Act (FOIA) Service Center Website Policies USA.gov

FDIC Office of Inspector General