Putting an End to Account-Hijacking Identity Theft Study Supplement
Federal Deposit Insurance Corporation Division of Supervision and Consumer Protection Technology Supervision Branch June 17, 2005
This publication supplements the FDICs study Putting an End to Account-Hijacking Identity Theft published on December 14, 2004.
Executive Summary and Findings
Focus of Supplement
Identity theft in general and account hijacking in particular continue to be significant problems for the financial services industry and consumers. Recent studies indicate that identity theft is evolving in more complicated ways that make it more difficult for consumers to protect themselves. Recent studies also indicate that consumers are concerned about online security and may be receptive to using two-factor authentication if they perceive it as offering improved safety and convenience.
This Supplement discusses seven additional technologies that were not discussed in the Study. These technologies, as well as those considered in the Study, have the potential to substantially reduce the level of account hijacking (and other forms of identity theft) currently being experienced.
Different financial institutions may choose different solutions, or a variety of solutions, based on the complexity of the institution and the nature and scope of its activities. The FDIC does not intend to propose one solution for all, but the evidence examined here and in the Study indicates that more can and should be done to protect the security and confidentiality of sensitive customer information in order to prevent account hijacking.
Thus, the FDIC presents the following updated findings:
- risk assessment that financial institutions are currently required to perform should include an analysis to determine (a) whether the institution needs to implement more secure customer authentication methods and, if it does, (b) what method or methods make most sense in view of the nature of the institutions business and customer base.
- If an institution offers retail customers remote access to Internet banking or any similar product that allows access to sensitive customer information, the institution has a responsibility to secure that delivery channel. More specifically, the widespread use of user ID and password for remote authentication should be supplemented with a reliable form of multifactor authentication or other layered security so that the security and confidentiality of customer accounts and sensitive customer information are adequately protected.