Industry Responses to Identity Theft
Successful frauds tend to be replicated until they no longer work. Financial institutions can help reduce identity theft, including account hijacking, by encouraging information sharing so that identity theft frauds are thwarted sooner. A number of such information-sharing efforts are noteworthy, including those sponsored by the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Anti-Phishing Working Group (APWG), the Identity Theft Assistance Corporation (ITAC), and Infragard, in addition to individual financial institution Web sites.
Financial Services Information Sharing and Analysis Center
The FS/ISAC, under the auspices of the President's Commission on Critical Infrastructure Protection, is a private partnership of major banks, brokerages, insurance companies, and utilities and is managed by a board of managers elected by the FS/ISAC membership.52 The FS/ISAC has access to a secure database, analytic tools, and information-gathering and distribution facilities designed to allow authorized people to submit either anonymous or attributed reports about cyber and physical security threats, vulnerabilities, incidents, and recommended solutions. Members have access to information and analysis relating to information provided by other members and obtained from other sources, such as federal law enforcement agencies, technology providers, and security associations. Through FS/ISAC, some of the nation's leading experts in the financial services sector share and assess threat intelligence provided by its membership and by the National Infrastructure Protection Center (NIPC), an arm of the Department of Homeland Security, and other public and commercial sources. They help the NIPC prepare warnings of threats against the financial services infrastructure. Through the FS/ISAC, the financial service companies pass and receive incident information to and from the federal agencies that are responsible for seeking patterns that may indicate pending threats. The secure FS/ISAC Web site offers security information on the latest physical and cyber vulnerabilities, threats, and incidents related to the banking and finance industries. Physical security topics, such as regional intelligence, travel advisories, benchmarking, and best practices, are also addressed. In December 2003, the FS/ISAC began devoting a $2 million award from the U.S. Department of the Treasury to programs designed to enhance security awareness for all financial institutions, including providing members with secure collaboration, additional feeds for threats and vulnerabilities, confirmation of alerts, and new analytical capabilities.
Anti-Phishing Working Group
The APWG is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and e-mail spoofing. The APWG is composed of financial institutions, e-commerce providers, Internet service providers (ISPs), and vendors of e-mail services and software. The group's goal is to provide resources, technology, vision, and expertise to facilitate the rapid deployment of a solution to e-mail phishing scams. The APWG has over 630 members, including eight of the top ten U.S. banks and four of the top five ISPs.
A December 12, 2003, APWG white paper titled "Proposed Solutions to Address the Threat of E-mail Spoofing Scams" provides a brief overview of e-mail spoofing scams and offers four solutions:
- Strong Web site authentication
- Mail server authentication
- Digitally signed e-mail with desktop verification
- Digitally signed e-mail with gateway verification.
The APWG and the Financial Services Technology Consortium (FSTC), a consortium of leading North American-based banks and other financial institutions that sponsors collaborative technology development, have agreed to work together to identify and evaluate solutions to phishing.
Identity Theft Assistance Corporation
On October 28, 2003, the Financial Services Roundtable (Roundtable) and the Banking Information Technology Secretariat (BITS)53 announced formation of the ITAC. ITAC is a resource to help victims of identity theft recover their financial identities and restore their credit ratings. ITAC's mission involves streamlining the recovery process and providing a simplified, consumer-friendly means to address the consequences of identity theft (including account hijacking). Equally important, ITAC will work with the FTC and law enforcement agencies, and the information it collects will be used to help prevent such crimes in the future.
ITAC builds on the "Fraud Reduction Guidelines: Strategies for Identity Theft Prevention and Victim Assistance," announced by the Roundtable and BITS in July 2003. The guidelines provide for (1) a single point of contact at financial service companies to whom victims can report cases of identity theft, and (2) the use of a uniform affidavit to record information about the fraud. Thus, victims report the particulars of their cases only once, to their primary financial institution, and then the information is sent on to ITAC, if the customer consents. From this point forward, ITAC contacts all other companies where the victim has an account and where additional fraud may have occurred. Such a process will benefit consumers by relieving them of the stress and wasted hours of reporting their fraud cases to multiple institutions where they maintain accounts.
ITAC is currently conducting a pilot program to test its procedures and processes. Until the conclusion of the pilot, only members of the Roundtable and BITS are eligible to become members of ITAC. If the pilot is successful, ITAC plans to make its services available to other institutions.54 ITAC, BITS, FTC, and law enforcement agencies are developing procedures for uploading data into the FTC's Identity Theft Data Clearinghouse so that law enforcement agencies will have direct access to the information collected by ITAC.
Infragard
Infragard, an FBI program with private sector partners that began in 1996, is another effort to share information about cyber crime. It is an information-sharing and analysis resource serving the interests and combining the knowledge base of a wide range of members. Members include businesses, academic institutions, state and local law enforcement agencies, and others dedicated to sharing information and intelligence to prevent hostile acts against the United States. Each Infragard Chapter has an FBI special agent coordinator assigned to it, coordinating with the Cyber Division at FBI headquarters. Government organizations and their representatives are eligible for Infragard membership, and several FDIC regional offices participate. Infragard chapters are located across the United States and are linked with FBI field office territories.
Financial Institution Web Site Alerts
Financial institutions are communicating directly with consumers to make them more aware of identity theft and phishing attacks and offering customers the means to report attacks quickly. Educating customers to be aware of the scams to which they may be exposed is one of the most effective ways to deter identity theft. Financial institutions that have been the target of spoofing seem to be more proactive in making information available to their customers than financial institutions that have not been targeted. FDIC staff reviewed the Web sites of several of the nation's largest banks and found that banks are displaying the following:
- Specific graphical examples of spoofed e-mails
- Examples of spoofed e-mail subject lines to watch for
- Toll-free numbers for reporting details about identity theft
- E-mail address for communicating information about identity theft
- Links to the FTC and other agencies for additional help
- Consumer alerts related to new developments
- Advice for preventing and reacting to identity theft.
The financial services industry has taken a number of recent steps to help prevent identity theft and mitigate the inconvenience experienced by consumers when it does occur. Consumer education and information sharing appear to be the cornerstones of these efforts.
52 The President's Commission on Critical Infrastructure Protection was created on July 15, 1996, by Executive Order 13010 to bring the public and private sectors together to assess and develop strategies to address infrastructure vulnerabilities. The banking and finance sector was identified as one of eight critical infrastructures requiring review and assurance strategies, and in 1999, the banking and finance sector established FS/ISAC.
53 The Financial Services Roundtable represents 100 of the largest integrated financial service companies providing banking, insurance, and investment products and services to the U.S. consumer. Member companies participate through their chief executive officers and other senior executives nominated by the Chief Executive Officers. BITS is a nonprofit industry consortium that shares membership with the Financial Services Roundtable. BITS seeks to sustain consumer confidence and trust by ensuring the security, privacy, and integrity of financial transactions. The BITS board of directors is made up of the CEOs of 20 of the largest U.S. financial service companies, as well as representatives of the American Bankers Association and the Independent Community Bankers of America.