BankInfoSecurity.com - Information Security News, Regulations, & Education


Top Banks Named in New Identity Theft Study

Report Examines Incidents at Major U.S. Financial Institutions
February 29, 2008 - Patrik Jonsson

This article was originally created for BankInfoSecurity.com, and contains information that should interest our GovInfoSecurity.com readers.

Shockwaves rumbled through the US banking industry this week with the release of a new report estimating the annual incidents of Identity Theft associated with the nation's top banks.

The study, published by the Center for Law and Technology at the University of California, Berkeley, draws from thousands of consumer complaints to the Federal Trade Commission over a three-month period in 2006 -- reports obtained by the study's author through Freedom of Information Act requests -- and lists the number of incidents reported not just at banks, but also at top utilities and retail merchants.

Bank of America is named as the institution with the highest frequency of Identity Theft complaints, followed by AT&T, Sprint/Nextel, JPMorgan Chase and Capital One in the top five.

The top five financial institutions listed are Bank of America, JPMorgan Chase, Capital One, Citibank and American Express. Washington Mutual, Wells Fargo, Discover, HSBC and Wachovia round out the top 10 institutions listed. No credit unions are listed among the top 25.

But while the release of this study comes with caveats -- the data is two years old, drawn from a small sample in one year, and relies solely on consumers' perception of where/how Identity Theft incidents occurred -- consumer advocates nevertheless hope this first-of-its-kind report turns up the heat on financial institutions to better educate and protect their customers from the threat.

"I still don't think this information is really actionable for consumers, but it is actionable for banks," says the study's author, Chris Hoofnagle, a consumer privacy attorney and senior fellow at the Center. "A lot of people in the banking industry are already writing to me and saying, 'Hey, look at this.' For now, the goal is to get banks talking, because currently they're not. Instead, they're using proxies to engage in the debate in the form of commercials that don't inform the consumer."


Inside the Numbers
Hoofnagle's research began in May 2007, when he filed a Freedom of Information Act request with the FTC for the names of companies and institutions identified in consumer Identity Theft complaints over the previous two years. In light of the sheer number of complaints in 2006 alone -- 246,035 -- Hoofnagle settled for receiving data from 88,560 complaints from the randomly selected months of January, March and September 2006. Of those complaints, 42,262 named institutions that victims identified in connection with fraudulent accounts established in their names or current accounts hijacked by thieves.

In all, Hoofnagle found that the top 25 institutions -- banks, utilities and retailers -- account for 50% of the identity theft complaints lodged with the FTC.

Diving deeper, looking solely at banks, Hoofnagle divided the estimated number of incidents by each bank's total deposits to arrive at an estimated rate of Identity Theft per $1 billion in deposits. [See chart.]

By raw count, Bank of America leads the pack of all institutions with 1,117 complaints per month in 2006. When the counts are projected annually and divided by each bank's deposits in billions, however, HSBC fares the worst, with 21 incidents per billion annually (BoA has 18). ING, in contrast, has fewer than one incident per billion annually.

Banks Respond
Once Hoofnagle's research went public, banks quickly fired back, saying the study is flawed. Bank of America representative Betty Reiss says the study doesn't jibe with independent surveys that have shown Bank of America as one of the top banks when it comes to protecting consumers from ID theft.

What's more, says Reiss, "if somebody who is a customer of Bank of America is a victim of Identity Theft, it doesn't necessarily mean that the theft, or compromise, originated at Bank of America. A lot of times consumers don't know how the identity theft originated or where it originated."

Hoofnagle's approach may even be counter-productive, says Doug Johnson, vice president for risk management policy at the American Bankers Association in Washington, D.C. Today, he says, banks cooperate through institutions like the Financial Services Information Sharing and Analysis Center to combat fraud -- a system that could be undermined by making Identity Theft protection a competitive factor among banks. "Institutions have every motivation already [to combat ID fraud] in order to protect not only their customer, but their institution," Johnson says.

The FTC reluctantly complied with the FOIA request, says agency ID theft expert Betsy Broder, fearing consumers might misinterpret the data. There's already evidence that consumers are drawing errant conclusions based on the Berkeley study, she says.






What's your reaction to this new report on Identity Theft incidents at top banks?

"Security should be given top priority, for nothing is safe as long as vulnerabilities exist. Certainly hackers are ahead, and we need to catch up with them if not overtake
"A study of Identity Theft is published at the Utica College Center for Identity Management and Information Protection, http://www.utica.edu/academic/institutes/ecii/publications/media/cimip_id_theft_study_oct_22_noon.pdf

This study excluded classic credit card misuse but provides excellent insight on what entitlements were gained by criminals based on identity - the median loss was $31,356; most victims did NOT know the offenders; 1/3 of the cases originated at or through the offender's job; 1/2 used the Internet while the other half used traditional acquisition methods like dumpster diving/mail theft.
"I can't tell from this report what is a bank fault or consumer fault. It raises a lot of concerns but I am not sure what to focus on. This report without further qualification of the data is of little value.
"I think it is alarming. One huge way that customers fall into the identity theft for our bank is by phishing scams. It is so important that customers know that banks will not send you an email directing you to their website to enter their personal information, debit card numbers, pin numbers, account numbers etc. I think we need to make customers aware of the pitfalls. As with education comes awareness.
"I think it is useful as a gauge of consumer perception.

Given people have a different definition of Identity Theft, and they usually have no concept of what caused it (but they do have an opinion of it), it isn't entirely fair to point fingers at the institution level.

Correlaries between data breaches and incidents would need to be established I think - and even then it's not entirely fair...

For example -

If an institution loses a report of 1,000,000 SSN's... that doesn't mean someone found it and is using it improperly. But a theft of 1,000 records which are used to perpetrate crimes is a different story.
"Maybe banks (and more importantly credit card companies) will be forced to take some responsibility for the mess identity theft has become. Right now, their profits are sacrosanct and losses get passed on to consumers no matter how careless the institution is with records.
"I find it hard to believe that banks are at fault for most of these reports. Banks have been overwhelmed over the past few years with regulations that, if implemented properly, help detect ID theft. With the new Red Flag Guidelines, it goes even further. Amazingly, there are still consumers out there that do nothing to protect their identity, including disclosing information over the Internet or telephone.
"It really doesn't clarify where the thefts occurred.