Putting an End to Account-Hijacking Identity Theft Study Supplement
Part 4: Findings
The FDIC Study generated a considerable amount of interest, discussion, and comment. After reviewing the public comments, further surveying the most recent trends in this area, and researching additional authentication technologies, the FDIC is of the opinion that the findings contained in the Study are sound and supportable.
The Study and Supplement illustrate that identity theft continues to be a growing problem for the industry and consumers. These two publications also show that a wide variety of technologies are available to help mitigate the risk of identity theft. The technologies vary in terms of their maturity, cost, ease of use, and effectiveness. However, many of them have the potential to substantially reduce the level of account hijacking (and other forms of identity theft) currently being experienced. The technologies discussed in this Supplement are for the most part less expensive and more customer-friendly than those discussed in the Study and merit consideration as cost-effective ways to address the problem.
Different financial institutions may choose different solutions, or a variety of solutions, based on the complexity of the institution and the nature and scope of its activities. The FDIC does not intend to propose one solution for all, but the evidence examined here and in the Study indicates that more can and should be done to protect the security and confidentiality of sensitive customer information in order to prevent account hijacking.
Thus, the FDIC presents the following updated findings:
- The information security risk assessment that financial institutions are currently required to perform should include an analysis to determine (a) whether the institution needs to implement more secure customer authentication methods and, if it does, (b) what method or methods make most sense in view of the nature of the institution's business and customer base.
- If an institution offers retail customers remote access to Internet banking or any similar product that allows access to sensitive customer information, the institution has a responsibility to secure that delivery channel. More specifically, the widespread use of user ID and password for remote authentication should be supplemented with a reliable form of multifactor authentication or other layered security so that the security and confidentiality of customer accounts and sensitive customer information are adequately protected.