Putting an End to Account-Hijacking Identity Theft Study Supplement
Part 2: More-Recent Trends In Identity Theft
As the attention paid to the problem of identity theft has grown, additional analyses have been published that shed more light on the size of the problem, the manner in which identity theft is perpetrated, indirect costs, the reactions of banks, the adoption rates and consumer acceptance of various methods of authentication, and public deployment of two-factor authentication.
Identity theft is a continuing problem. A recent 2005 study estimates that 1.15 percent of the U.S. adult population experienced a misuse of existing non-credit card accounts or account numbers in the last year (a category that includes deposit accounts), and that another 2.36 percent experienced other forms of identity theft.2 The Federal Trade Commission reports a slight increase in 2004 in the percentage of bank fraud complaints associated with existing-account fraud and a solid increase in the percentage of complaints involving electronic fund transfers (see table 1). Between 2002 and 2004, the percentage of complaints about electronic fund transfers more than doubled. In addition, for all Internet-related fraud complaints received in 2004, 19 percent of cases in which the complainant reported the method of payment involved a bank account debit, and 13 percent involved a wire transfer.3
Table 1. How Victims' Information Is Misused
|Bank Fraud*||2002||2003||2004|
|Electronic Fund Transfers (percentage of complaints)||3.1||4.8||6.6|
|Total Bank Fraud (percentage of complaints)||16.0||17.0||18.0|
|Total Identity-Theft Complaints (number of complaints)||161,896||215,093||246,570|
|*Bank fraud includes fraud involving checking and savings accounts and electronic fund transfers.|
|Source: FTC (2005) p. 10.|
The FDIC Study noted phishing as a primary means by which account hijacking is perpetrated. Although some observers report that the number of phishing cases continues to increase, and note that response rates to phishing e-mails are consistent with those reported in the Study,4 other observers now estimate that phishing is increasingly directed at smaller institutions, with response rates of between 1 and 2 percent and declining over time.5
Understanding exactly how identity theft is perpetrated can help regulators, institutions, and consumers identify ways to stop this form of fraud. All identity theft begins with a security compromise of confidential personal data, but linking that compromise to the identity theft perpetrator and/or the perpetrator's means of access is difficult and often impossible. These crimes are often unreported and not prosecuted, and they often cross geographic and legal jurisdictions. Victims are unlikely to know that third parties or insiders have stolen their confidential information, or to be aware that computer spyware, a virus, a hacker, or even phishing is the direct cause of their problem.6 The more technologically challenging the case, the less likely it is that the victim will understand the means of access.
Two recent studies explore how identity theft is perpetrated. Data from one study do not support the conclusion that most thieves still obtain personal information through traditional rather than electronic means.7 As noted above, victims of sophisticated electronic fraud are unlikely to understand how the fraud was perpetrated, so estimates of the means of access to confidential information must be interpreted cautiously.
Another study sheds light on a narrow range of identity theft: cases that resulted in arrest or conviction. Although the sample underrepresents the more sophisticated types of electronic fraud as well as crimes that cross legal jurisdictions and all those that are never prosecuted, even for this limited sample it is noteworthy how often the alleged or actual perpetrators acted with others and used the identities of one or more businesses or created bogus businesses to effectuate the fraud.
Direct cost estimates of identity theft have been criticized by some researchers as being too high,9 but the indirect costs are widely considered to be undervalued. Indirect costs include slower adoption rates for online banking and bill paying and therefore a greater use of more-costly banking channels; less effective Internet marketing efforts; loss of consumer confidence in online transactions inside and outside of banking; loss of faith in brand names; and increased concern about financial institution security more generally.10 Costs resulting from publicity about identity-related security breaches include loss of brand equity, customer defections, lost business opportunities, costly litigation, and the cost of implementing better security.11
Measuring the concerns of consumers is one way of understanding the indirect costs of identity theft. Without question, retail consumers are concerned about identity theft and about the misuse of their personal information. Between one-half and three-quarters of U.S. households report that identity theft is a concern for them or that they are concerned about e-mail fraud. Internationally, some 80 percent of online adults worry about their online identity being stolen and used to access online bank accounts.12
Although consumers are worried about phishing and the trustworthiness of e-mail messages from their banks, they are also concerned about the security of their personal information more generally. Seventy-five percent of the respondents to one 2004 survey cited identity theft resulting from a security breakdown at the bank as a concern, up from 58 percent in 2003.13 Consumers who bank online have expressed less confidence in the security of their personal information. When asked whether they are as confident about the protection of their personal information when banking online as when banking in a branch office, consumers report a significant decline in confidence (from 74 percent in 2003 to 64 percent in 2004).14 Concerns about fraud are subsumed within retail customers' varying levels of concern about how financial firms handle their personal information,15 and merchants are concerned as well.16
Consumers are indicating that they may stop using or may refuse to adopt online banking because of their security concerns. Online consumers report that they agree with the statements that they will stop using (14 percent) or not enroll in (20 percent) online banking or bill paying because of concerns about phishing. Small business owners' reactions are similar.17 Security remains a critical factor when a consumer is choosing a retail bank, and one-quarter of international consumers say they will be very likely to switch banks if, by doing so, they will have better identity protection.18 One study revealed that two-thirds of respondents said they will switch banks if their bank fails to secure their personal information.19 A small percentage of consumers, close to 6 percent, have even admitted to having already switched banks to reduce their risk of becoming a victim of identity theft.20
Although the costs to banks of consumer concern about security are substantial, the benefits of improved security are likely to be substantial as well. Improved security may open up new customer markets. Almost three-quarters of current Internet users who do not use online banking report that they will be likely to do so if identity security is improved. Of those that do use online banking, the vast majority report being willing to use more, higher-value services if their identities are better protected.21 These issues have a far-reaching effect on the business of banking.
In most cases, financial institutions have a legal responsibility to their online consumers to restore funds (within limits) when they are victims of phishing attacks or of other forms of unauthorized electronic account access. Most banks appear to be taking such responsibility. Some banks appear to be falling short in meeting that responsibility or are making it hard for customer-victims to recover misappropriated account funds.22 In an attempt to allay consumer concerns about identity theft, some banks have begun advertising a guarantee associated with their online banking. In some cases the wording of the guarantee may be unclear or misleading, and at least one major bank has reportedly been communicating incorrect information to consumers about the bank's security guarantees or the role of the FDIC's deposit insurance in online fraud.23 Banks should review their procedures for dealing with consumers who become victims of unauthorized access to deposit accounts and should clearly communicate to consumers the precise meaning of any advertised guarantees.
Online account fraud is usually carried out in several stages, and the controls that mitigate the threat can be directed at each of those stages.
In the first stage, fraudsters must set up their apparatus, including the creation of illegitimate collection Web sites, writing of malicious code, or infiltrating open e-mail proxies. Controls from a financial institution can be directed at detecting the signs of set-up, and preventing (internally) open e-mail proxies. Scanning tools and services can help detect the signs of set-up by reviewing domain registrations and Web site spoofing.
In the second stage, consumers are targeted or fooled into providing their password or other sensitive information with malicious software, misleading e-mail, or illegitimate Web sites. Consumer education is a first line of defense to mitigate this stage. Consumers who understand the risk of installing untrusted software, and who use anti-virus, anti-spyware and firewall controls are less likely to be infected with many of the malicious tools used by criminals. Financial institutions can help by educating their customers about proper computer habits. Additionally, financial institutions can help mitigate the threat at this stage by authenticating their Web sites to differentiate themselves from illegitimate sites. Lastly, the Internet industry is working to reduce the potential of spoofed e-mails through infrastructure changes such as authenticated e-mail. Various services are available to detect and track the dissemination of spoofed e-mails, and other services and techniques can be used to track and take down offending data collection Web sites. Data collection sites and spoofed bank Web sites tend to be short-lived because of these efforts. However, the collected credentials live on to the next stage.
In the last stage, collected credentials are used to access the victim's account. Financial institutions can mitigate this threat with a variety of tools that better identify who is accessing the account. These include authentication methods whose credentials cannot be collected and reused by the fraudster. Financial institutions can also place controls on higher-risk account features such as bill payment and account transfers.
The combination of increased identity theft and intensified focus on preventing terrorism and ensuring business and border security has renewed everyone's interest in methods of authentication. New methods have been developed, and research to create or improve others has been proceeding. Partly because security methods are cloaked in secrecy and partly because the environment has been changing so fast, limited information is available about financial institutions' use of various authentication methods and their effectiveness.
What is known is that within the banking environment, the authentication methods used by corporate banking customers have been stronger and more sophisticated than the methods used by retail customers. The reasons, of course, are the higher account balances (the higher dollar volume at risk) and the more frequent transfer of funds to accounts belonging to third parties. As a result of the authentication methods used, fewer instances of corporate online fraud than of retail online fraud have been reported. A brief look at the authentication methods used by corporate customers may be useful for banks that are considering applying stronger authentication for retail customers.
A small sample of large banks shows that these institutions are using a variety of authentication techniques for corporate banking.24 Five out of seven global banks and four out of seven North American banks use a single sign-on, with North American respondents generally limiting single sign-on to cash management services. The small sample of large banks uses some combination of user identification, user password, company identification, and company password. Access to trade services, foreign exchange, and investments generally requires a separate login and security method for each product.25 Digital certificates are more often used by large global banks than by their North American counterparts, primarily to support the nonrepudiation of transactions.
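The last-stage control described above (an authentication factor the fraudster cannot reuse, plus tighter controls on higher-risk features such as bill payment and transfers), as an added example that is not part of the Supplement or of any listed bank's system: a server-side verifier for the kind of one-time-password hardware token that appears throughout tables 2 and 3, implemented with the RFC 4226 HOTP algorithm, and a hypothetical authorize() policy that pairs it with device recognition. The demo secret (the RFC 4226 test-vector key), the action names and the look-ahead window are constructed assumptions.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo secret: the RFC 4226 test-vector key, not any bank's key.
DEMO_SECRET = b"12345678901234567890"
# Hypothetical list of account features the policy treats as higher risk.
HIGH_RISK_ACTIONS = {"bill_payment", "external_transfer", "add_payee"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit value, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class TokenVerifier:
    """Server-side record for one hardware token: the shared secret and the
    next counter the server expects. A submitted code is accepted only if it
    matches one of the next `window` counters (the token may have been pressed
    a few times without a login), and the counter then moves past it, so a
    code that was captured and already used cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.window = window
        self.next_counter = 0

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            # Constant-time comparison so timing does not leak digit matches.
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1  # consume this and any skipped codes
                return True
        return False


def authorize(action: str, device_recognized: bool,
              token: TokenVerifier, otp: Optional[str]) -> bool:
    """Last-stage control: higher-risk features always require a valid
    one-time password; low-risk features (e.g. viewing a balance) are allowed
    from a recognized device without one, and need the OTP from an unknown
    device. Password verification is assumed to have already succeeded."""
    if action in HIGH_RISK_ACTIONS or not device_recognized:
        return otp is not None and token.verify(otp)
    return True
```

A code phished and relayed by the fraudster within the look-ahead window still verifies, which is why the policy also restricts the higher-risk features rather than relying on the token alone.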
Most of these large banks use tokens. Six out of seven North American and global banks included in this sample use tokens to access corporate electronic banking applications, to approve payment transactions, or both. Digital certificates are used by about half the sampled institutions. These large banks have shown little reported interest in using biometrics to authenticate corporate customers.
Online merchants are using, and plan to increase their use of, nonintrusive Internet protocol address filtering methods. Current online merchants are already using a variety of tools, with 33 percent using Internet protocol address filtering and another 22 percent planning to implement that method in 2005.26
When banks consider authentication methods for retail customers, they should be aware that these customers value security and the protection of confidential information and may be prepared to use enhanced authentication methods to access their accounts. But there are privacy implications associated with authentication. Consumers report the greatest concerns with biometrics. Consumers will require a clear explanation of any security mechanism and the use of any personal information required to implement that security mechanism. Consumers will need to understand how the additional information will be used and stored. Overly burdensome authentication systems may lower consumer participation, thereby lowering the effectiveness of the entire system. Consumers are also concerned about the risk associated with large databases of personal information and the potential for the information that is used by authentication methods to be compromised, copied, or imitated.27
Some conceptual acceptance by consumers of additional authentication methods has been reported concerning biometrics and the willingness of consumers to provide additional information for authentication. Limitations on the use of personal information and the existence of privacy safeguards are important elements of consumer acceptance.28 Convenience is another element, for convenience plus security may be more important to customers than security alone. In a more recent study, among approximately two-thirds of respondents who found biometrics generally acceptable, voice recognition and finger prints were the most widely accepted biometric types, and convenience was the overwhelming benefit along with security and speeding up the transaction. The one-third who were unsure or opposed to biometrics indicated concerns about how biometrics works and its accuracy.29
To an extent, consumers appear to be willing to provide additional pieces of information for authentication (with 29 percent agreeing to provide one additional data item and 41 percent suggesting two).30 One-fifth of online U.S. households claim that because of their concerns about privacy or security, they would be willing to have an in-home credit card reader.31 At least one vendor reports interest in two-factor authentication for the accessing of on-line bank accounts.32
The challenge facing banks that offer online banking services is significant. New authentication methods must be reliable, cost-effective, and convenient while meeting the security and privacy needs of customers. Cost, reliability, performance, and ease of enrollment are expected to improve in the near term but will still vary by technology and by product within the technology.
At the time the FDIC Study was published, the FDIC knew of several financial institutions that were using two-factor authentication, and contacted them. Each institution asked that its name not be used in the Study. Since then, the FDIC has become aware of additional institutions that have begun using such technologies, and the names of the participating financial institutions have been made public. More institutions appear to be interested, at least in piloting two-factor authentication programs, and a number of institutions have put such programs into production. For two groups, domestic and international financial institutions, tables 2 and 3 list the technology, its application, and the deployment stage as of the date this Supplement was published. Although these tables are not intended to be an exhaustive list of institutions using two-factor authentication, they do suggest that the use of such technology is becoming more common.
Table 2. Domestic Interest in Two-Factor Authentication Programs
|Institution||Technology||Application||Deployment Stage|
|E-Trade Bank||One-time-password hardware token||Internet banking||Pilot|
|Bank of America||Various two-factor technologies||Internet access for employees and corporate customers||Internal: summer 2005; corporate customers: fall/winter 2005|
|Sovereign Bank||One-time-password hardware token||Business banking: corporate and institutional customers||Production|
|ABN AMRO||One-time-password hardware token||Online treasury management||Production|
|ING Direct||Rotating shared secret||Internet banking||Production|
|Stanford Federal Credit Union||Device authentication||Internet banking||Production|
|Purdue Employees Federal Credit Union||Biometric (fingerprint)||Automated service centers||Production|
|San Antonio City Employees Federal Credit Union||Biometric (palm geometry and keystroke)||Safe deposit box access; employee network access||Production|
|Commerce Bank||One-time-password hardware token||Internet banking for corporate customers||Production|
|Wachovia||One-time-password hardware token||Internet banking||Under consideration|
|Dollar Bank||One-time-password hardware token||Internet banking for corporate customers||Production|
Table 3. International Interest in Two-Factor Authentication Programs
|Institution||Technology||Application||Deployment Stage|
|Australian Bankers' Association*||Various two-factor technologies||Internet banking||Proposed and pilot programs|
|Bank of Valletta||One-time-password hardware token||Internet banking, telephone banking, customer service center, mobile banking||Production|
|Rabobank||One-time-password hardware token||Internet banking||Production|
|SEB Bank||One-time-password hardware token||Internet banking||Production|
|SwedBank||One-time-password hardware token||Internet banking||Production|
|Bank of Tokyo-Mitsubishi||Biometric (palm geometry)||ATM||March 2006|
|Surugo Bank, Shizuoka Prefecture||Biometric (palm geometry)||ATM||Production|
|Mizuho Bank||Biometric (palm geometry)||ATM||Research|
|Sumitomo Mitsui Bank||Biometric (palm geometry)||ATM||March 2006|
|Citibank, UK Division||On-screen virtual keyboard||Internet banking||Production|
|First National Bank of South Africa||One-time-password hardware token||Internet banking||Production|
|Royal Bank of Scotland||One-time-password hardware token||Internet banking||Production|
|Loyal Bank||One-time-password hardware token||Internet banking||Production|
|Fortis, NV||One-time-password hardware token||Internet banking||Production|
|Grupo Aval||Device authentication||Internet banking (July 2005)||Production|
|Barclays||On-screen virtual keyboard; out of band||||
|*According to CEO David Bell, an industry standard requiring all banks in Australia to use two methods of authentication for Internet customers will be introduced in 2005.|
2 Javelin (2005). The Javelin study attempts to replicate many aspects of the 2003 Federal Trade Commission report cited in the Study. However, differences in methodology preclude longitudinal comparisons of incidence rates. Both studies attempt to measure the following three forms of identity theft fraud: new account and other fraud, misuse of existing non-credit card account or account number fraud, and misuse of existing credit card or credit card number fraud.
3 FTC (2005). Internet-related is defined as a fraud that concerns an Internet product or service, the company initially contacts the consumer via the Internet, or the consumer responds via the Internet. For Internet-related fraud, 15 percent of complainants reported the method of payment.
16 Almost half of online merchants are more concerned than in the past about online payment fraud, and two-thirds say that a higher incidence of identity theft is increasing the amount of online fraud. See CyberSource Corporation (2005).
24 This section relies on Feinberg (2005) which is a supplement to Feinberg (2004). Feinberg (2004) reports on responses of 10 institutions out of 17 large institutions surveyed that are headquartered in North America or with a corporate electronic banking application managed by a North American subsidiary. The 10 respondents were: ABN AMRO, Bank of America, Bank of Montreal, Citibank, Citizens Bank, Mellon Bank, PNC Bank, Royal Bank of Canada, SunTrust, and an unnamed major European bank with a U.S.-managed banking product. Feinberg (2005) discusses the results from those 10 plus 4 more institutions categorized as either global banks (i.e., ABN AMRO, BNP Paribas, Bank of America, Citibank, HSBC, Royal Bank of Scotland, and an unnamed bank headquartered in Europe) or North American banks (Bank of Montreal, Bank of New York, Citizens Bank (a subsidiary of Royal Bank of Scotland), Mellon Bank, PNC Bank, Royal Bank of Canada, and SunTrust).