Each depositor insured to at least $250,000 per insured bank



Home > News & Events > Financial Institution Letters




Financial Institution Letters

Identity Theft
Study on "Account-Hijacking" Identity Theft and Suggestions for Reducing Online Fraud
FIL-132-2004
December 14, 2004


Summary: The FDIC has issued a study on "account-hijacking" identity theft, which outlines the problem and suggests steps to reduce online fraud for both bank and regulatory agency consideration. The FDIC hopes to use the study to formulate guidance to bankers next year. Comments on the study are due on February 11, 2005.

Highlights:
  • The FDIC's study Putting an End to Account-Hijacking Identity Theft is now available.
  • Account hijacking is the unauthorized access to and misuse of existing asset accounts and it occurs primarily through phishing and hacking. At this time, account hijacking is the fastest growing form of identity theft.
  • Fraudsters are taking advantage of (1) bank reliance on single-factor authentication (i.e., using only one type of credential, such as a single password) for remote access to online banking, and (2) the lack of e-mail and Web site authentication to perpetrate account hijacking identity theft.
  • Four suggested steps for reducing online fraud are offered, including:
    • Upgrading existing password-based single-factor customer authentication to two-factor customer authentication;
    • Using scanning software to identify and defend against phishing attacks;
    • Strengthening consumer educational programs; and
    • Continuing to emphasize information-sharing among the financial services industry, government agencies and technology providers.
  • The FDIC study can be found on the Web at http://www.fdic.gov/consumers/consumer/idtheftstudy/index.html; comments on the study are due by February 11, 2005, via e-mail to IDTheftStudy@fdic.gov.
Continuation of FIL-132-2004

Distribution:
FDIC-Supervised Banks (Commercial and Savings)

Suggested Routing:
Chief Executive Officer
Chief Technology Officer
Chief Information Officer

Related Topics:
FFIEC Examination Handbook, E-Banking Booklet
FFIEC Examination Handbook, Information Security Booklet
Internet Banking Fraud, issued in FIL-113-2004 on September 13, 2004

Attachment:
None

Contacts:
Jeffrey M. Kopchik, Senior Policy Analyst at jkopchik@fdic.gov or 202-898-3872

Send comments through February 11, 2005, via email to: IDTheftStudy@fdic.gov.

Printable Format:
FIL-132-2004 - PDF 64k (PDF Help)

Note:
FDIC Financial Institution Letters (FILs) may be accessed from the FDIC's Web site at www.fdic.gov/news/news/financial/2004/index.html.

To receive FILs electronically, please visit http://www.fdic.gov/about/subscriptions/fil.html.

Paper copies of FDIC FILs may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342 or (703) 562-2200).



Financial Institution Letter
FIL-132-2004
December 14, 2004

Identity Theft
Study on "Account-Hijacking" Identity Theft and Suggestions for Reducing Online Fraud

The FDIC has issued a study on "account-hijacking" identity theft, which outlines the problem and suggests steps to reduce online fraud for both bank and regulatory agency consideration. The FDIC hopes to use the study to formulate guidance to bankers next year. Comments on the study are due on February 11, 2005.

The Federal Deposit Insurance Corporation (FDIC) has produced the study Putting an End to Account-Hijacking Identity Theft, which outlines this form of identity theft and offers steps to reduce online fraud for both bank and regulatory agency consideration. The FDIC hopes to use the study to formulate guidance to bankers next year. The FDIC is seeking comments on the study by February 11, 2005.

Background and Focus of Study
Identity theft is one of the fastest growing types of consumer fraud. The Federal Trade Commission (FTC) has estimated that, during 2003, almost ten million Americans discovered that they were the victims of identity theft, with a total cost to businesses and consumers of over $50 billion. This study focuses on a subset of identity theft that is of particular concern to FDIC-insured financial institutions and to their customers: the unauthorized access to and misuse of existing asset accounts primarily through phishing (which is the use of fraudulent e-mails to trick consumers into divulging confidential information) and hacking (which is the unauthorized remote access to a computer), hereinafter referred to as "account hijacking."

Prevalence and Impact of Account Hijacking
While precise statistics on the prevalence of account hijacking are difficult to obtain, recent studies indicate that unauthorized access to checking accounts is the fastest growing form of identity theft. Another recent study has estimated that almost 2 million U.S. adult Internet users experienced this type of fraud during the 12 months ending in April 2004. Of those, 70 percent did their banking or paid their bills online and over half believed that they had received a phishing e-mail. Consumers are beginning to consider that their use of the Internet to conduct financial transactions may bring an increasing degree of risk, and many experts believe that electronic fraud, especially account hijacking, will slow the growth of online banking and commerce.

Findings
Fraudsters are taking advantage of the reliance on single-factor authentication for remote access to online banking, and the lack of e-mail and Web site authentication, to perpetrate account hijacking. Financial institutions and government agencies should consider a number of steps to reduce online fraud, including:
  • Upgrading existing password-based single-factor customer authentication systems to two-factor authentication systems.
  • Using scanning software to proactively identify and defend against phishing attacks. The further development and use of fraud detection software to identify account hijacking, similar to existing software that detects credit card fraud, could also help to reduce account hijacking.
  • Strengthening educational programs to help consumers avoid online scams, such as phishing, that can lead to account hijacking and other forms of identity theft and taking appropriate action to limit their liability.
  • Placing a continuing emphasis on information-sharing among the financial services industry, government agencies and technology providers.
The FDIC study can be found on the Web at http://www.fdic.gov/consumers/consumer/idtheftstudy/index.html; comments may be submitted via e-mail to IDTheftStudy@fdic.gov.
Michael J. Zamorski
Director
Division of Supervision and Consumer Protection



Last Updated 12/15/2004 communications@fdic.gov