Identity theft is one of the fastest growing types of consumer fraud.1 With just a few key pieces of personal information (e.g., an individual's name, address, social security number, financial institution account number, computer log on ID, or password), a criminal can access a consumer's existing asset and credit accounts, create fraudulent new accounts in a consumer's name, or create synthetic identities2 that can be used to obtain services and credit fraudulently. During 2003, almost ten million Americans discovered they were the victims of identity theft, with a total cost to businesses and consumers approaching $50 billion.3
The term “identity theft” is generally defined as the use of personal identifying information to commit some form of fraud. Although the range of consumer frauds and criminal acts coming under that definition is quite broad, this study focuses on the subset of identity theft that is of particular concern to financial institutions insured by the FDIC and to the institutions' customers: unauthorized access to and misuse of existing financial institution asset accounts primarily through phishing and hacking.4 This form of identity theft is referred to here as “account hijacking.” The present study examines how technology is used to commit account hijacking and the methods available to help prevent it.
The rest of this section surveys the various legal (and other) definitions of identity theft and defines the problem of account hijacking: how is it perpetrated, how prevalent is it, what is its financial effect, and how the industry and the public perceive it. The subsequent sections review the legislative and regulatory responses to identity theft, the financial industry's responses to it, and the use of technology to mitigate account-hijacking identity theft. The final section presents the FDIC staff's conclusions and recommendations.
Definition of Identity Theft The definition of identity theft was first codified in 1998 as part of the Identity Theft and Assumption Deterrence Act of 1998 (ID Theft Act).5 The ID Theft Act made identity theft a stand-alone crime. More specifically, it amended the federal criminal code to make it a crime for anyone to
knowingly transfer or use, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.6
In 2003, the Fair and Accurate Credit Transactions Act of 2003 (FACTA) amended the Fair Credit Reporting Act (FCRA) to include a civil definition of identity theft:
The term “identity theft” means a fraud committed using the identifying information of another person, subject to such further definition as the [Federal Trade Commission] may prescribe, by regulation.7
Pursuant to FACTA, the Federal Trade Commission (FTC) has recently proposed a more specific definition of identity theft which describes what is meant by the term “identifying information”:
(a) The term “identity theft” means a fraud committed or attempted using the identifying information of another person without lawful authority.
(b) The term “identifying information” means any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any-
(1) Name, social security number, date of birth, official State or government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
(2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
(3) Unique electronic identification number, address, or routing code; or
(4) Telecommunication identifying information or access device. . . .8
Although the FTC's proposed definition refines the statute, both of them cover existing as well as newly created accounts, asset as well as credit accounts, and masquerading as someone else as well as creating a synthetic identity in an effort to obtain services or other benefits fraudulently. As noted above, the scope of this study is more narrowly defined, being limited to existing (but not newly created) accounts, asset (but not credit) accounts, and masquerading as someone else (but not creating a synthetic identity).
In its Identity Theft Survey Report, the FTC included a category of identity theft described as the “misuse of existing non-credit card account or account number.”9 At least one organization within the financial services industry has created its own definition of identity theft specific to that industry and similar to the FTC's category: the Identity Theft Assistance Center defines identity theft as either “account takeover” or the creation of a “fraudulent account.”10 Account takeover—what the present study calls “account hijacking”—is further defined as the “assumption of a customer's identity on a valid existing account.”11 Once again, this study focuses on the unauthorized access to and misuse of existing asset accounts through phishing and hacking.
Survey of the Problem of Account Hijacking The expansion of electronic payment systems plays a part in account hijacking, since greater numbers of financial institution customers have access to electronic banking and bill-pay services, and formerly-wholesale automated clearing house (ACH) payments have become a vehicle for retail payments.12 New forms of ACH transactions include Internet-authorized payments, debits authorized over the telephone, and check-to-ACH conversions at the point of purchase. With Internet banking almost universally available, ACH transactions have increased 15 percent from 1991 to 2001,13 and in the second quarter of 2004 more than 2.2 billion ACH transactions were processed, compared to 1.85 billion in the second quarter of 2003.14 However, financial institutions’ wider adoption of different forms of electronic payment systems, as well as the increasing number of customers using these services, have produced greater opportunities for electronic fraud.
Thus, although the problem of account hijacking is as yet relatively small, it is nonetheless serious for customers (both retail and commercial) and for financial institutions. The increasing access to alternative electronic payment systems means an increasing number of access points to financial institution systems, with each access point representing a pathway for a potential security breach. The increasing number of access points, coupled with the potential for anonymity afforded by electronic payment systems, facilitates electronic banking fraud.15 Yet customers expect financial institutions to ensure the safety and security of their financial transactions however those transactions are effectuated. Public confidence in the financial system is predicated on this type of trust. The FDIC anticipates that as customers become more aware of actual instances of, or the potential for, account hijacking, they will expect financial institutions to implement solutions that protect their funds and their identities, while maintaining or increasing the level of convenience for them in accessing financial services.
The following sections of this study explain the ways of perpetrating account hijacking, its prevalence, its financial impact, and the industry’s and the public’s perceptions of it.
Ways of Perpetrating Account Hijacking There are a limited number of ways to hijack deposit accounts. Each of them—and they may be used in concert with one another—relies on the misuse of information. The ways are phishing, hacking, retrieving hard-copy documents or looking over someone’s shoulder, using insiders, and loading malicious software onto a computer used by consumers.
Phishing is easy to implement, and financial service companies are the most frequent targets of phishing attacks.16 In phishing, consumers are deceived—normally via deceptive e-mails, fake (spoofed) Web sites, or both—into providing fraudsters with their user names, passwords, and perhaps account numbers.17 (Telephone-based phishing is used much less often because it is a more expensive and less efficient information-gathering technique.) The classic phishing attack involves a deceptive e-mail that purports to be from a legitimate financial institution. The e-mail typically tells the customer that there is some sort of problem with the customer’s account. The e-mail usually includes a hyperlink to a spoofed Web site that looks exactly like the site of a legitimate financial institution with which the consumer does business. The e-mail typically instructs the recipient to click on the included hyperlink, go to the financial institution Web site, and log in using the customer’s user name and password in order to “fix” the problem. In reality, the spoofed Web site is simply collecting customer user names and passwords in order to hijack accounts. The following is an example of an actual phishing e-mail:
Phishing relies on some customers’ being vulnerable to each step in the ploy: the content of the deceptive e-mail, the directions in that e-mail to go to a spoofed Web site, the content of the spoofed site, and the instructions to provide user names and passwords. Phishing has become the most common technique for stealing the information necessary to hijack an account.18
Phishing e-mails can be sent either to a large number of people in the hope that a certain percentage of recipients will be actual customers of the spoofed financial institution (usually a large financial institution with a significant online customer base) or to actual known customers of a particular financial institution. This second method is generally more effective, but it is also harder to perpetrate because the fraudster needs to acquire some sort of customer list in order to target the deceptive e-mail. The FDIC has been the subject of six separate phishing attacks within the past year. The most recent attack occurred in September 2004, while this study was being written. From a fraudster’s point of view, such an attack has the potential to be effective since it can reasonably be assumed that the majority of recipients maintain at least one FDIC insured account. A phishing e-mail targeting the FDIC is illustrated below:
Federal Deposit Insurance Corporation
As use of the Internet continues to expand, more banks and thrifts are using the Web to offer products and services or otherwise enhance communications with consumers.
The internet offers the potential for safe, convenient new ways to shop for financial services and conduct banking business, any day, any time. However, safe banking online involves making good choices – decisions that will help you avoid costly surprises or even scams.
Due to concerns, for the safety and integrity of the FDIC community we have issued this warning message.
It has come to our attention that your account information needs to be updated due to inactive accounts, frauds and spoof reports. If you could please take 5-10 minutes out of your online experience and renew your records you will not run into any future problems with the online service. However, failure to update your records will result in Bank account deletion. This notification expires on September 15th 2004.
Please follow the link below and renew your account information.
Fraudsters either use the user names, passwords, and account numbers themselves or, more commonly, sell the information to other fraudsters who will perpetrate the actual account hijacking. Up to 5 percent of the recipients of spoofed e-mails respond to them.19 An estimated 19 percent of “those attacked” have clicked on the link in a phishing e-mail.20 Most, if not all, large financial institutions and electronic bill-paying services (such as PayPal) have been hit with phishing attacks.21 Because many phishing attacks originate overseas and because the average life span of a phishing Web site is 2.25 days,22 the sites are hard to shut down.
The second method of account hijacking mentioned above is to hack into financial institution or service provider computer systems and databases and steal confidential customer information. One industry source mentioned that financial institution sites are frequently targeted by hackers because financial institutions maintain so much valuable confidential information about their customers.
The third method of obtaining account information is far more labor-intensive: retrieving hard-copy documents that include customer names, account numbers, user names and/or passwords, or surreptitiously observing a customer accessing his or her account. Retrieving confidential documents from trash receptacles is called “dumpster diving.” Watching someone fill out personal information or input his or her password at an automated teller machine (ATM) is called “shoulder surfing.” It is hard to get large quantities of confidential information this way.
The fourth method of acquiring the confidential information necessary to hijack accounts is to use insiders. Some industry analysts and security professionals estimate that 65 to 70 percent of identity theft is committed with confidential information stolen by employees or participants in transactions or services.23 In a survey conducted in 2003, an estimated half of all workers and managers who had access to customer information said that it would be either “easy” or “extremely easy” for workers to remove sensitive data from corporate databases. Two-thirds of the respondents believed that their coworkers, not hackers, posed the greatest risk to consumer privacy.24 Insiders can sell the information or use it directly to commit identity theft. Because of the increased networking of internal operations and pervasiveness of huge customer databases, financial institution employees have access to more customer information than ever before. The exact size of the problem is unknown, but fraud is sometimes perpetrated by financial institution insiders, often in ways that require little technical sophistication.25
The fifth method of acquiring the information necessary to hijack accounts is by inserting malicious software (such as a keystroke logger26), often referred to as “spyware,” on a consumer’s personal computer at home or on a computer used by many consumers in a public facility like an Internet café.27 Spyware can be surreptitiously loaded when a user opens a seemingly innocuous e-mail attachment or clicks on a pop-up advertisement. The spyware collects selected information (e.g., user names, passwords, and account numbers) from customers of certain financial institutions and forwards that information to the fraudster. Although one source asserts that keystroke loggers are not used much to commit traditional forms of identity theft,28 the FTC held a forum in Washington, DC on April 19, 2004 devoted to the increasing popularity and effectiveness of monitoring software and the difficulty in defending against it.29
Regardless of the method used to steal confidential information, once the necessary information is in hand, the fraudster’s goal is to gain access to a consumer or business account from which fund transfers can be executed. In the case of Internet banking, the fraudster, armed with both a valid user name and a valid password, can access the system by posing as a legitimate customer and can initiate one or more fund transfers to a fraudulent payee controlled by the fraudster that the fraudster has added to the customer’s approved payee list. In the case of ACH debit fraud, a fraudster would initiate an unauthorized payment, using the fraudulently obtained account number to authorize the debit.
The Prevalence of Account Hijacking There is a large body of literature on credit and credit card fraud, but researchers have devoted little attention to account hijacking. Some information can be gleaned from recent work on the broader aspects of identity theft. The largest identity theft study to date, conducted by the FTC in March and April 2003, was based on information collected from over 4,000 adults in the United States.30 It attempted to quantify the incidence of identity theft in the United States, focusing on credit theft. It reported that 19 percent of the estimated 9.91 million identity theft victims—that is, 1.8 million adults—said their existing checking or savings accounts had been misused alone or in combination with other forms of identity theft. As the “most serious problem the victim reported,” 2 percent of U.S. adults had experienced a “misuse of existing non-credit card accounts or account numbers,” including utility and cell phone accounts, within the previous five years, and 0.7 percent of adults experienced that form of identity theft within the preceding year. However, these numbers are of limited value for estimating the incidence of account hijacking because the methodology does not report response rate or weighting of results.
A recent study of unauthorized transfers from checking accounts indicates that an estimated 1.98 million U.S. adult Internet users had experienced this crime ending April 2004, and another 2.48 million had experienced it during the 12 months before that. Of five types of consumer fraud in that study,31 unauthorized access to checking accounts was the fastest growing and the second most prevalent. Only 13 percent of consumers had discovered this fraud as the result of a notification by their financial institution. Of those who experienced this type of identity theft, 70 percent do their banking or pay their bills online. Over half of the victims believed they received a phishing e-mail, and 5 percent recalled providing sensitive information in response to such e-mails. The author of the study concludes that most of these thefts, if not perpetrated by an insider, were the result of a fraudster’s obtaining account numbers or passwords or both and then accessing checking accounts through online payments, online banking transactions, or telephone banking services.32 Since the study does not specify its methodology, it is of limited value for estimating the incidence of unauthorized checking-account access.
Another study estimates that illegal checking-account transfers will increase. Today they affect 1.4 percent of U.S. adult Internet users, but they are expected to rise to 2 percent by the end of 2006.33
In 2002, the FTC began a voluntary data collection effort to gather information on the number and types of identity theft being perpetrated against consumers. Table 1 shows the number and percentage of identity theft complaints associated with bank fraud. In 2003, the most recent year reported, over 17,000 complaints were received about the misuse of existing bank accounts; the majority of such misuse was probably check fraud. More than 10,000 complaints were also received about unauthorized electronic fund transfers from existing bank accounts—more than twice the number of complaints received the previous year.34 These numbers, too, are of limited value for estimating the incidence of account hijacking because the system relies on the voluntary reporting of complaints by consumers who are aware of the service. Thus, these numbers must be seen as underestimating the magnitude of deposit account hijacking.
How Victims' Information Is Misused
Percentage of Complaints
Number of Complaints
Percentage of Complaints
Number of Complaints
Percentage of Complaints
Number of Complaints
Electronic Fund Transfers
Total Bank Fraud
Total Identity-Theft Complaints
Source: FTC, Identity Theft Data Clearinghouse.
Other, less formal studies have indicated that identity theft, measured in ways that would include account hijacking, exists in small but persistent numbers. In a telephone survey of 2,000 U.S. adults conducted in 2000, approximately 1 percent of the respondents reported that they had been the victim of identity theft and that the person who had assumed their identity “took over [their] currently existing bank account.”35 In an online survey of over 3,000 U.S. adults, 7 percent of the respondents said that “someone opened a bank account in their name or forged checks and obtained money from their account.”36
The Financial Impact of Identity Theft The FTC has estimated the cost of all forms of identity theft in 2002 at $47.6 billion to businesses and financial institutions, and $5.0 billion to consumer victims.37 By way of comparison, identity theft-related losses due to credit card account takeovers at the two largest credit card-issuing organizations totaled $46.1 million in 200038, and total check fraud-related losses against commercial banks totaled $698 million in 2001.39 Direct fraud losses associated with new-account fraud, check forgery, unauthorized access to checking accounts, illegal credit card purchases, and fraudulent cash advances on credit cards, collectively, were estimated to total $2.4 billion over the 12 months ending April 2004, or $1,200 per victim.40 Direct fraud losses associated only with account hijacking are believed to be a very small portion of those totals, but no known estimates exist.
According to the American Bankers Association, “the vast majority of banks have instituted a policy of making the customer whole in phishing attacks associated with credit cards.”41 Litan finds that banks usually refund to customers the amounts lost because of fraud, especially if the customers report the fraud within 60 days.42
Industry and Public Perceptions The paucity of publicly available information on the financial impact of account hijacking does not mean that the industry is not concerned about this form of identity theft. Identity-theft fraud is the top concern among financial institutions of all sizes (see table 2). Among online consumers who were victims of new-account fraud, check forgery, unauthorized access to checking accounts, illegal credit card purchases, or fraudulent cash advances on credit cards, 17 percent believed their personal information had been stolen off the Internet, whereas 10 percent thought the crime happened because their wallets had been stolen.43 Consumers are thus attributing risk to their use of the Internet to conduct financial transactions, and many experts believe that electronic fraud, specifically account hijacking, will slow the growth of online banking and commerce.44
Leading Threats against Deposit Accounts, by Bank Size Group (Percentage of Banks)
Bank Asset Size
Community Banks (<$500 million)
Midsize ($500 million to $4.9 billion)
Regional ($5 to $49.9 billion)
Super Regional, Money-Center Banks ($50 billion plus)
Source: American Bankers Association, Deposit Account Fraud Survey 2002.
Financial institutions are concerned about adverse consumer reactions to real or perceived security problems at their institutions. Financial institutions do not typically release information on computer security breaches, largely because they believe that negative publicity would hurt their image;45 industry representatives and security experts assert that the indirect financial losses and public relations problems associated with a publicized security breach would be worse than the direct financial loss.46 Some analysts, however, have suggested that the rapid rise in phishing attacks is threatening consumer confidence and that diminished consumer trust in online transactions will hurt all participants in Internet commerce.47
Summary Account hijacking commences with the theft of information by phishing, hacking, dumpster-diving, insider abuse, or monitoring software. While identity theft, in a broad sense, affects millions of Americans, less is know about the account hijacking subset of identity theft. Studies suggest that account hijacking is now a small but growing problem for financial institutions and consumers, and that conducting financial transactions online may place consumers at more risk.
1 FTC (2004a).
2 Unlike typical identity theft fraud where a fraudster steals the identity of a real person and uses it to commit fraud, a synthetic identity is a completely fabricated identity that does not correspond to any actual person.
3 FTC (2003).
4 Phishing attacks use fraudulent or “spoofed” e-mails and Web sites to fool recipients into divulging confidential information, such as account user names and passwords, to criminals. Hacking is the unauthorized intrusion, perpetrated remotely, into a computer or network.
5 Pub. L. 105-318.
618 U.S.C. §1028.
715 U.S.C. §1681a(q)(3).
8 FTC (2004b).
9 FTC (2003).
10 ITAC (2004). See Article I, 19.
11 Ibid. See Article I, 1.
12An ACH transaction is an electronic fund transfer between accounts. ACH transactions are governed by NACHA, the National Automated Clearing House Association. Typically, an ACH debit transaction is initiated when a payor gives permission to a third party (the payee) to debit its (the payor's) checking or savings account using only a payor routing number and payor bank account number. The payee enters the ACH transaction at his or her own bank and instructs the Federal Reserve to clear the payment through the payor's bank against the payor's account. See also Sauerman and Corkill (2003).
13 NACHA (2002).
14 NACHA (2004).
15 Tuthill (2002) estimates that 8 percent of e-commerce transactions coming from anonymous e-mail addresses are fraudulent.
17 Early spoofing was partly facilitated by a flaw in Microsoft's Internet Explorer program. That flaw allowed fraudsters to hide the actual Internet address of a spoofed page and thereby fool users. The flaw has since been patched. See Chipman (2004) for more information.
18 O'Sullivan (2003).
19 Anti-Phishing Working Group (2004); Loftesness (2004). Litan (2004a) cites 3 percent.
20 Litan (2004a).
21 Loftesness (2004).
22 Anti-Phishing Working Group (2004).
23 For example, Chamberlain (2004), Ferchau (2004), Krebsbach (2004), and Sullivan (2004).
24 Harris Interactive Market Research (2003).
25 Randazzo et al. (2004).
26 A keystroke logger is a program that records what the user types on the computer keyboard and sends that information to the person who installed the program.
27 Litan et al. (2004).
28 Chipman (2004).
29 FTC (2004c).
30 FTC (2003).
31 Litan (2004b). Unauthorized access to checking accounts, new-account fraud, check forgery, illegal credit card purchases, and fraudulent cash advances on credit cards.
33 Litan (forthcoming).
34 It is unclear how much of this surge in complaints is due to increased awareness of the data collection effort and how much is a true increase in the number of such occurrences.
35 Star Systems (2002); no response rate was reported for this survey.
36 Privacy and American Business (2003).
37 FTC (2003).
38 U.S. GAO (2002).
40 Litan (2004b).
41 O'Sullivan (2003).
42 Litan (2004b).
43 Litan (2004b).
44 See Litan (2004b), for example.
45 Gordon et al. (2004); Randazzo et al. (2004).
46 Tuthill (2002); O'Sullivan (2003); Randazzo et al. (2004).