Slashdot Mirror


Identity Theft Rates Among Top Banks

Hugh Pickens writes "Consumers, regulators, and businesses lack objective tools to compare the incidence of identity theft across financial institutions and without such tools, consumers cannot 'vote with their feet' and choose safer institutions. Now a study by Chris Hoofnagle has analyzed 88,000 complaints submitted by victims to the FTC over a three-month period in 2006 and found that Bank of America ranked highest of all firms in the study, with an average of 1,117 incidents over a three-month period. AT&T had 763 incidents, followed by Sprint Nextel, JP Morgan, Chase and its Chase and Bank One, and Capital One. When the estimated events are divided by the total deposits, the data show that HSBC, Washington Mutual, and Bank of America have the highest rates of identity theft. Hoofnagle said lending institutions should publicly report information about identity theft events such as the rate of identity theft; the form of identity theft attempted; whether it was a mortgage loan or credit card; and the amount of loss suffered as a result. This would help consumers choose safer financial institutions. The full study (PDF) is available from the Berkeley Center for Law and Technology."

85 comments

  1. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  2. Is it the banks? by Anonymous Coward · · Score: 0

    Isn't the rate of identity theft per bank mainly related to how bad the customers of that bank are with their security.

    1. Re:Is it the banks? by digitig · · Score: 1
      --
      Quidnam Latine loqui modo coepi?
  3. It would depend on the type of business, no? by chevman · · Score: 4, Insightful

    It would depend on the type of business, no?

    - Online banking
    - ATM access
    - Point of sale transactions
    - Brokerage Transactions

    etc, etc.

    My strategy has always been to spread my risk - make all point of sale transactions with a publicly exposed credit card, which I pay off monthly from a completely separate checking account, which is totally divorced from my investment accounts. Each account is at a different bank, which I use different logins and passwords for.

    If any one is compromised, I have at least a marginal degree of separation from all the others.

    1. Re:It would depend on the type of business, no? by dwater · · Score: 3, Informative

      hrmph. surely they only need to break into one of them.

      note that we're talking about stealing your identity here, not your money (though I guess that is likely to be the ultimate objective). Once they have your identity, they can likely open an account of their (or your) own - likely a credit account, of course - at some other institution.

      perhaps I missed something...

      --
      Max.
  4. Assumes a Cause by jschnack975 · · Score: 4, Informative

    Voting with your feet will not help if the underlying cause is not the practices of the institution. If people are not careful with their own info they can switch banks all day long and still be at risk. There is a huge assumption here that it is the bank that is the cause of the problem. It may be the customer or other institutions.

    1. Re:Assumes a Cause by mam_bach · · Score: 1

      .. There is also an assumption that all thefts are registered and are hence available data.
      Is it not possible that one would not register a complaint with, say, a small local insurance broker (or just tell him over golf his secretary needs to check signatures better) whereas one might fill in a form for a multinational, since that's the only way you get a result (like cancelling your compromised card)
      Data needed would be
      -number of thefts
      -number of customers
      -volume of business
      -some kind of 'estimated level of reporting' percentage

      Possibly also 'level of problem' - is it a 'bigger' theft to have a cheque for £50 mailed to the wrong address, or to have a credit card opened in your name, or to have a gun purchased using your ID? Do some companies have only say 0.001 of accounts breached - but when security does fail, it fails catastrophically, to the tune of millions of dollars?
      If someone ran off with my numbers, I'd be more concerned that they didn't breach my 'good name' than actual money value - since my career relies on being entirely free from crookedness. (Dealing with money lost is what ID theft insurance is for.) This however is a different metric - 'how many' is not the same as 'how bad' - which suffers from being non-numeric, and hence hard to statistify.

    2. Re:Assumes a Cause by kartan · · Score: 1

      Mod parent insightful. When I read in the summary that Washington Mutual had one of the highest rates of identity theft, that meant to me that Washington Mutual customers have one of the highest rates of identity theft. Isn't Washington Mutual also known as a fee-less bank, probably drawing customers who are poorer, and thus potentially less educated about protecting themselves from identity theft?

      Correlation != Causation!!!

  5. "Bank of America" is an actual bank? by JanneM · · Score: 3, Funny

    I honestly had no idea Bank of America actually existed. I thought it was another one of those made-up company names spammers use, like Prime Staadslotterij, Commercial Trust or Coventry Promotions. I mean, it doesn't even sound like a believable name.

    --
    Trust the Computer. The Computer is your friend.
    1. Re:"Bank of America" is an actual bank? by Anonymous Coward · · Score: 1, Insightful

      Yes, and they're evil incarnate. Although at least they have the decency to close your account when it hits a zero inactive balance, rather than using monthly charges to drive you under zero and then charge overdrafts on top of that...

  6. Not a Bit Surprised About Sprint by Comatose51 · · Score: 3, Interesting

    When I stupidly signed up with Sprint again after a few years of using Cingular, I had trouble activating my phone. I called customer service and the lady asked me for my password. I was initially very hesitant about it. I couldn't believe that she had my password in plaintext in front of her. She couldn't reset the password or anything like that, instead she just had it in front of her screen. After going through a few non-financially related passwords (weaker passwords), I decided to give up and told her I couldn't think of it. At that point, she tried to verify me through my mailing address. I tried it a few times but that didn't work until I tried my parent's address. It turns out that when I gave her my social security number initially (stupid me, I know), she pulled up my old account from 8 years ago before I switched to Cingular. Since both the new and old accounts were keyed by my SSN, she got my old account, along with my parent's address, and my old password. How insane is that? Sprint kept all my information for 8 years along with the password in plaintext.

    --
    EvilCON - Made Famous by /.
    1. Re:Not a Bit Surprised About Sprint by totally+bogus+dude · · Score: 2, Informative

      Completely agree with the point about companies holding onto personal information far longer than they should. Playing devil's advocate though, they may need to protect themselves from people complaining about misdeeds from the distant past. Or receiving a bill in the mail that was posted 10 years prior. This seems a reasonable excuse to hold on to records. However, I think they should move this data "offline" so that it can be called up as a special measure in case of a dispute, but will be non-existent for day-to-day activities.

      As for passwords, well, this is why you should use a different password for every company you do business with, and for every website you have an account on. Yes it's a pain, but the fact is they need to be able to identify you as the real you despite the fact that whoever you're interacting with has no personal knowledge of you whatsoever. A shared password is the easiest way, and having the operator be able to just read the password and compare it to the one you say is much faster than them having to type it in precisely, and doesn't make your interaction with the operator any more secure. The only potential security gain is if the information is obtained by unauthorised people -- but if you're using a unique password then it won't do them very much good.

      There has to be a certain amount of trust between you and the people you're doing business with. If you don't trust them enough to have your name, address, SSN, and so on, then you shouldn't be using their services.

    2. Re:Not a Bit Surprised About Sprint by Apotsy · · Score: 1
      I don't know about this PIN you're referring to, but I too have had Sprint agents read me my password (the one used to log into the main sprint.com website) over the phone in the clear, without me even asking them to. Yes, they can see it in plain text. The only PIN they couldn't read me was the one to get into the pictures website. That had to be sent to my phone.

      Considering the account password gives access to very sensitive info and the pictures website PIN doesn't, that seems totally backwards. I've mentioned that to agents, and they didn't exactly disagree.

  7. I bet AOL users are more likely to be phished too by logicnazi · · Score: 2, Insightful

    That hardly implies that if I choose to use AOL I will run a greater risk of having my identity stolen. It shows that AOL users are more likely to be computer naive and stupidly type their info into random phishing sites. Determining what banks have the highest rates of identity theft is useless from a security standpoint unless you determine WHY they have it.

    In particular did anyone else notice that the highest rates of identity theft seemed to occur at the largest banks who likely had the most customers? This suggests to me that it's not bad IT practices that account for these results but the make up of their customer bases. I suspect that while many financially and technologically savvy people (such as me) have accounts at these banks their success at appealing to the largest possible market means they have a larger percent of non-savvy customers. On the other hand another good hypothesis is just that more phishing attacks target the institution with the most customers. But if you are confident of your ability to avoid those then this shouldn't worry you much.

    In either case this seems like a totally useless statistic and not a result of poor security as the write up suggests.

    --

    If you liked this thought maybe you would find my blog nice too:

  8. It's lucrative by superbrose · · Score: 1

    I have heard rumours about fraudulent bank employees selling confidential information about customers to third parties.

    I heard about this through a friend who never lost or misplaced their HSBC credit card, and who suddenly received entries in their monthly bills that did not correspond to past activity. But since this friend was very cautious about using the credit card and it was used very rarely indeed, it was virtually impossible for someone to steal this information physically.

    If this is true then banks should definitely improve their in-house security.

  9. If you ever wondered... by hyades1 · · Score: 1

    ...who makes law on this side of the planet, all you need do is take an objective look at how indifferent governments and financial institutions are to identity theft. If somebody gets hold of your personal information, no matter whose fault it was, good luck if you expect a lot of help fixing the damage.

    Canada's Royal Bank just sent around an amended customer agreement for people who bank on-line. They've refused to accept responsibility for quite a range of problems in this area, even if those problems are caused by the bank's negligence. Your choice, of course, is to quit using on-line banking. If you haven't already got an account there or some compelling reason to open one, I'd advise you to avoid this bank like the plague.

    Some security problems aren't all that high on the big boys' lists, even in that "post-9-11 world" they love to talk about when they're stripping away another civil liberty.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
    1. Re:If you ever wondered... by gsslay · · Score: 5, Interesting

      You've missed the subtle twist in the process.

      It used to be that if a bank lost money because someone defrauded them by pretending to be a customer of theirs it was their problem. But now, with the wonderful new term "identity theft", it's your identity that's been stolen and therefore your money. You may appear to still have your identity, and they may appear to have lost their money, but that's just looking at it too simplistically.

      So remember; fraud = their money, identity theft = your money. Change the way you describe the crime and magically you change who's the victim. Isn't that clever?

    2. Re:If you ever wondered... by OneSmartFellow · · Score: 1

      You've also forgotten that any very large bank will be bailed out by the Fed, so they don't really care !

    3. Re:If you ever wondered... by Ritz_Just_Ritz · · Score: 1

      The government is indifferent to the problem because the banks lob gobs of money at lobbyists who in turn line the pockets of the politicians in the form of perks and outright "contributions." The banks are indifferent because they simply pass along the cost of fraud to their customer in the form of higher fees and reduced services. You can bet your behind that if the banks suffered actual financial losses as a result of fraud the lobbying sailboat would do an immediate tack into "prevention" mode and the government would then be prodded (led by the nose in the form of lobbying dollars) to be more aggressive about actually catching and prosecuting the criminals. There's very little mystery here.

    4. Re:If you ever wondered... by Valar · · Score: 1

      Maybe that is YOUR perception, but I assure you, that isn't the law. The law doesn't distinguish between identity theft and fraud. There is only fraud. The law judges what is and isn't fraud and the extents of liability based on whether you were a good guardian of your card/account information, the method of the transaction (credit card vs. debit card pin transaction vs. check), and whether or not there were unauthorized transactions.

    5. Re:If you ever wondered... by gsslay · · Score: 1

      Yes, I realise the law hasn't changed any. But that isn't going to stop financial institutions trying to change people's perception of what is happening. As long as they can convince their customers that the problem is theirs, rather than the banks, they can offload responsibility.

  10. Voting with your feet is "dangerous" by anticlimate · · Score: 1

    IANABanker but I suspect the last thing a financial regulator would want is a massive "voting with one's feet". Anything that has a slight chance of starting a bank run is seen as a danger. That can be one reason there are so little (public and detailed, comparative) data about data theft, card fraud etc. (Which is sad but rather a problem of the system not of the regulators).

    1. Re:Voting with your feet is "dangerous" by WaZiX · · Score: 1

      IANABanker but I suspect the last thing a financial regulator would want is a massive "voting with one's feet". Anything that has a slight chance of starting a bank run is seen as a danger. That can be one reason there are so little (public and detailed, comparative) data about data theft, card fraud etc. (Which is sad but rather a problem of the system not of the regulators).

      Exactly, it's the role of supervisors to deal with such problems, and unless you force every person in the society to have a PhD in statistics and access to the whole financial structure of every bank, it's impossible for the average consumer to take proper decisions on which bank is more exposed to risk than another. Asking consumers to make their decisions on identity theft is like asking car buyers to make their decisions solely based on the quality of the car's wipers. ID theft is just one minor aspect of banking risk, so exposing such figures would just be counter-productive.

    2. Re:Voting with your feet is "dangerous" by anticlimate · · Score: 1

      and that's why the financial sector is so expensive. To the public at least and in almost all countries. A big knowitall agency telling the little dumb citizen whom to trust, and even if they fail there is always the (knowitall) government to pay the bill - from the pocket of the little citizen.
      The catch is that you have to trust the regulators who are appointed by a government/president elected by representatives/electors elected through a sometimes complicated process by you. Too many leverages there.

    3. Re:Voting with your feet is "dangerous" by WaZiX · · Score: 2, Interesting

      and that's why the financial sector is so expensive. To the public at least and in almost all countries. A big knowitall agency telling the little dumb citizen whom to trust, and even if they fail there is always the (knowitall) government to pay the bill - from the pocket of the little citizen.
      The catch is that you have to trust the regulators who are appointed by a government/president elected by representatives/electors elected through a sometimes complicated process by you. Too many leverages there.

      Actually, most of the regulations are set by the Basel Committee (The Basel accords), which theoretically should guarantee that there is at any point 99.7% chance that the bank doesn't go bankrupt. What you have to trust are the agencies supervising the applications of those accords. Either way, the banks are the first wishing those rules to be enforced, because failure of one bank usually means crisis in the sector, and problems for every bank. But indeed, risk management is a very costly aspect of banking, not only in terms of overhead, but also in terms of return banks can make, so ironically it's in the interest of every bank to both follow and try to circumvent regulations at the same time (hence all the securitising that is taking place).

    4. Re:Voting with your feet is "dangerous" by eipgam · · Score: 1

      As I'm sure most Basel Committee members would tell you, you can't guarantee anything in banking. ;-) An interesting point you make about banks following and circumventing regulations at the same time, securitisation being a particularly salient example. Technically it wasn't circumvention of the rules, and substantial parts of Basel cover risk transfer. The danger is, of course, that we didn't realise the risk wasn't fully transferred.

  11. Banks != Market by WaZiX · · Score: 2, Insightful

    Isn't it the role of supervisors to regulate banks, and NOT the consumer?

    I mean isn't the whole point of being able to call yourself a bank is that you apply to prudential rules set by the government and therefore the consumer doesn't have to ask himself questions whether the bank is safe or not?

    Quite frankly identity theft is a detail compared to other risks the banks are facing, this is why the whole financial market is divided between the banking system (black box supervised by the government) and the markets (where the government just guarantees transparency and it's up to the consumer to make his choices based on the information he is given).

    The problem with disclosing this kind of information is that it sets doubt on the banking system, and the whole banking system relies on trust to function (hence the tight regulation of the banking sector).

    We're not going to ask consumers to assess the risk exposure of banks are we?

    1. Re:Banks != Market by mccabem · · Score: 1

      You'll recall that "tight regulation" has been gone for some decades now. Re-remember the newspeak: Deregulation. The S&L scandal in the 80's was the tip of that iceberg.

      Good day.

      -Matt

      P.S. Here's a link: http://en.wikipedia.org/wiki/Savings_and_Loan_crisis

    2. Re:Banks != Market by eipgam · · Score: 1

      Speaking as an actual prudential banking supervisor (not from the US) I have to say I agree with you. It's obvious that consumers are incapable of properly assessing the risk of exposure to a bank, particularly when some large and sophisticated counterparties also struggle.

  12. Re:But they're huge... by Faylone · · Score: 3, Informative
    No, you didn't even read the summary properly.

    When the estimated events are divided by the total deposits, the data show that HSBC, Washington Mutual, and Bank of America have the highest rates of identity theft.
  13. Re:But they're huge... by Faylone · · Score: 1

    and...I didn't read your post or the article fully, summary should say divided by the total deposited amounts. Statistics before coffee is apparently a bad idea.

  14. Re:But they're huge... by greg1104 · · Score: 2, Interesting

    Another thing that bugs me about this is there's no notion of how much on-line activity is involved.

    As an example, one of the reasons I have a Bank of America account is that you can do just about anything from their web site. I routinely move money around between accounts, pay bills, all sorts of stuff. Now, probably because of this, as well as their wide customer base, I regularly see phishing attacks aimed at BoA, with plenty of them e-mailed to me over the years. I've seen some pretty sophisticated replicas of their site aimed just at getting people to think they're at the real deal so they put their passwords in. The fact that many of their customers get scammed by such things is no surprise to me. Is that the bank's fault?

    Chase and Citibank have pretty good on-line features as well so I'd expect them to be near the top as they are. What really bothers me about this study is how miserably the phone carriers did; it's not like they're doing anything as sophisticated as the banks are.

  15. Re:But they're huge... by CastrTroy · · Score: 2, Interesting

    It probably has a lot to do with their clients more than their banking system. I remember hearing that ING had very low identity theft rates, and people chalked it up to their convoluted login system. I would say it has more to do with the fact that they are only online, and scare away a lot of web-savvy people. Also, because they are mostly only for savings accounts, their clients pass the automatic IQ test by actually saving some money.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  16. Uh, no... by msauve · · Score: 2, Informative

    The parent was correct - they pointed out how the statistic you cite is flawed. You didn't even read the comment you were responding to.

    The findings presented (in the summary, the linked article, and the original paper) were based on total incidents per institution (favoring small institutions), and incidents in relation to total deposits (favoring institutions having large average deposits).

    Since the study was meant to "meaningfully compare institutions on their performance in avoiding identity theft," it would have been desirable to look at the number of incidents in relation to the number of depositors. That is the metric which would give the best indication of how likely an individual depositor is to encounter an identity theft problem with that institution.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:Uh, no... by Zeinfeld · · Score: 2, Insightful
      I am not at all sure what the paper shows, or even what definition of 'identity theft' is being used. Do the authors mean taking out fraudulent loans in the victim's name or fraudulent use of a credit card they hold?

      The difference is pretty important as the number of customers of a bank is not going to make it more or less attractive as a place to take a fraudulent loan out at. That is going to be determined by the fraud measures in place and how well known the brand is. If we are talking about loan frauds then why don't we see sub-prime bucket shop operations like DiTech represented?

      I suspect that the majority of these cases are actually credit card fraud and they scale to the number of cards issued. MBNA is the issuer of a vast number of affinity cards. So I would expect a high fraud rate.

      Another bias is that this is FTC complaints. So what is being measured is people complaining about a loss which is not the same as theft rates. The people complaining to the FTC are probably people who have lost money because the bank refuses to reimburse them.

      So yet another academic study that presents a corpus of information that is superficially interesting but does not really tell us very much at all.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
  17. WaMu victim here by DigitAl56K · · Score: 4, Interesting

    I was hit with identity theft as a WaMu customer last year. I don't know how it happened, I pay for most things in cash and I don't use my card on small/disreputable websites, I use Firefox with NoScript, don't click links in e-mail even when they look legit (always type the URL myself), etc.

    However, I have to say that my experience with WaMu was really bad:

    * They canceled my card while I was displaced during the California wildfires
    * If you call the number on the back of your bank card it's actually extremely hard to work out how to get through to an actual person to talk about card fraud
    * When I did get through to an actual person, using an alternative number they provided me at an actual bank, they tried to forward me to their fraud department. I sat on hold for an hour before deciding to give up and call back later
    * They would not reverse fraudulent charges to my account. They told me that they would send me an affidavit that I would have to sign before they would refund the charges, and then it would take 30 days or more to process. This affidavit never arrived.
    * I had much better luck calling the numbers listed on my statement and getting merchants to refund fraudulent charges
    * WaMu did refund one fraudulent charge eventually

    Short story: If you're a fraud victim at WaMu don't expect them to go out of their way to help you as a customer. You may have better luck taking care of it yourself.

    More recently, I tried to pay off a loan with my WaMu debit card. Big mistake. According to my statement there was a double-charge pending for thousands of dollars. I called WaMu immediately, here is how that conversation went:

    Me: I'm looking at my statement, it looks like there is a double charge for several thousand dollars
    Them: Yes, we do see that, we see one charge has cleared and another pending
    Me: That's an unauthorized charge, and clearly a mistake
    Them: Well, the good news is that the money hasn't left your account yet, it is still pending
    Me: Okay, can you stop the charge?
    Them: No. But after it gets charged you could file a dispute with the merchant
    Me: But you just said that the money hasn't left my account yet, and I'm telling you it's unauthorized, so why don't you stop it?
    Them: We can't do that.
    Me: Well that's completely useless then, isn't it?
    Them: Yes, I understand, sorry about that..

    It's not identity theft, per se, but more indicative of my experiences with WaMu so far. They don't exactly go out of their way to help you out during a bad situation.

    So, yes, I believe this information should be published, and not only that, each and every customer affected should be questioned as to how well they feel their bank dealt with the situation and as to how secure they feel at their bank. WaMu would not be getting a very high rating from me at all.

    1. Re:WaMu victim here by IL-CSIXTY4 · · Score: 5, Informative

      Them: Yes, we do see that, we see one charge has cleared and another pending

      They should have explained things a little better. When a card is charged, it's a two-step process: authorization and capture. At authorization, they've told the merchant "yes, this transaction can go through and we'll hold the money for you". A merchant can't undo an authorization. The money doesn't get sent until capture, usually a nightly process. If a charge isn't captured within a certain amount of time (24 hours to a few days), the bank rescinds the authorization automatically.

      They should have explained that there was a chance the merchant realized their mistake and wasn't going to capture the funds. If you contacted the merchant and let them know the situation, they probably could have prevented capture too. But, if the charge ended up being captured, you would need to file a dispute.

      As a merchant, this is the way I want things to work. If an authorization goes through, I don't need to wait until I have the money in my account to ship someone their order. If they could back out of an authorization before capture, the authorization would be meaningless and I'd probably see a lot more fraud.
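
The authorization, capture and expiry lifecycle described in the comment above, as an added example that is not part of the original thread: a small model of a card account showing why a pending hold lowers the available funds without moving money, and what becomes of a duplicate authorization that is never captured. The class and function names, the amounts and the three-day hold window are assumptions (the comment says only "24 hours to a few days").

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional

HOLD_WINDOW = timedelta(days=3)  # assumed; the comment gives "24 hours to a few days"


class State(Enum):
    AUTHORIZED = "pending hold"   # funds reserved for the merchant, nothing sent yet
    CAPTURED = "captured"         # merchant collected the funds
    EXPIRED = "hold released"     # never captured, so the bank rescinded it


@dataclass
class Charge:
    merchant: str
    amount_cents: int
    authorized_at: datetime
    state: State = State.AUTHORIZED


class CardAccount:
    def __init__(self, balance_cents: int) -> None:
        self.balance_cents = balance_cents      # posted balance
        self.charges: List[Charge] = []

    def available_cents(self) -> int:
        """Posted balance minus every hold that is still pending."""
        held = sum(c.amount_cents for c in self.charges
                   if c.state is State.AUTHORIZED)
        return self.balance_cents - held

    def release_stale_holds(self, now: datetime) -> None:
        """Rescind authorizations the merchant did not capture in time."""
        for c in self.charges:
            if c.state is State.AUTHORIZED and now - c.authorized_at > HOLD_WINDOW:
                c.state = State.EXPIRED

    def authorize(self, merchant: str, amount_cents: int,
                  now: datetime) -> Optional[Charge]:
        """Step 1: place a hold. Returns None when the request is declined."""
        self.release_stale_holds(now)
        if amount_cents > self.available_cents():
            return None
        charge = Charge(merchant, amount_cents, now)
        self.charges.append(charge)
        return charge

    def capture(self, charge: Charge, now: datetime) -> bool:
        """Step 2: the merchant collects. Fails once the hold has lapsed."""
        self.release_stale_holds(now)
        if charge.state is not State.AUTHORIZED:
            return False
        self.balance_cents -= charge.amount_cents
        charge.state = State.CAPTURED
        return True


def cardholder_recourse(charge: Charge) -> str:
    """What the comment says the cardholder can do in each state."""
    if charge.state is State.AUTHORIZED:
        return "ask the merchant not to capture, or wait for the hold to lapse"
    if charge.state is State.CAPTURED:
        return "file a dispute"
    return "none needed, the hold was released"


def double_charge_scenario():
    """Constructed replay of the double charge discussed in this thread."""
    t0 = datetime(2008, 3, 1, 12, 0)
    acct = CardAccount(balance_cents=1_000_000)
    first = acct.authorize("lender", 300_000, t0)
    dup = acct.authorize("lender", 300_000, t0)       # the mistaken second charge
    timeline = [("both authorized", acct.balance_cents, acct.available_cents())]

    acct.capture(first, t0 + timedelta(days=1))       # nightly capture of the real one
    timeline.append(("first captured", acct.balance_cents, acct.available_cents()))
    recourse_while_pending = cardholder_recourse(dup)

    late_capture = acct.capture(dup, t0 + timedelta(days=4))  # too late, hold lapsed
    timeline.append(("duplicate lapsed", acct.balance_cents, acct.available_cents()))
    return timeline, recourse_while_pending, late_capture, dup.state


if __name__ == "__main__":
    for step in double_charge_scenario()[0]:
        print(step)
```
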

    2. Re:WaMu victim here by DigitAl56K · · Score: 2, Interesting

      Thank you, that is a much clearer explanation than WaMu was able to muster.

      However, even given that explanation, it does appear that simply having a debit card is a severe security risk for any customer - the bank seems to be unwilling to prevent the capture of funds when an account holder flags an authorization as false, and refunding fraudulent transactions may take well over a month. I've never seen any of my debit card transactions blocked for security purposes either - I have only ever received calls questioning certain transactions 24-28 hours after the fact, and the transaction that I mentioned in the grandparent post was an international transaction for thousands of dollars which was authorized immediately without the card CVC code (accurately reflected in my account statement as a "Debit without PIN" transaction).

      It is no wonder to me that identity theft is so easy to perform and so hard to recover from. As a customer, you have very little protection and nearly no power to resolve the matter beyond the effort the bank is willing to expend on its own accord.

    3. Re:WaMu victim here by Repton · · Score: 1

      There's a problem with banks and credit cards: with many online merchants, all you need to make a purchase is the card number and expiry date. That wouldn't be too bad, except that most banks issue credit cards in contiguous blocks with the same expiry date. So if you start with a known-good credit card, you can increment or decrement the card number (modulo the Luhn algorithm), keeping the expiry date the same, and get a lot of hits.

      You could keep your card in a lead-sealed box buried under your house and never use it, and still be hit by an attack like that...

      --
      Repton.
      They say that only an experienced wizard can do the tengu shuffle.
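
A defender-side view of the pattern described in the comment above, as an added example that is not part of the original thread: issuer-side detection that flags one source trying several neighbouring card numbers with the same expiry date inside a short window. The log format, source addresses, thresholds and card numbers are constructed for illustration; the check digits are arbitrary, so the detector compares only the digits before the check digit.

```python
import csv
import io
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window per source
MIN_CARDS = 4                    # assumed alert threshold: distinct cards
MAX_SPAN = 50                    # assumed: how close the account numbers must be

Attempt = namedtuple("Attempt", "ts source pan expiry result")

# Constructed authorization log: time, source, card number, expiry (MMYY), result.
LOG = """\
2008-03-01T10:00:05,203.0.113.9,4000001234567801,0911,approved
2008-03-01T10:00:21,203.0.113.9,4000001234567819,0911,declined
2008-03-01T10:00:40,203.0.113.9,4000001234567827,0911,declined
2008-03-01T10:01:02,203.0.113.9,4000001234567835,0911,approved
2008-03-01T10:01:30,203.0.113.9,4000001234567843,0911,declined
2008-03-01T10:02:00,198.51.100.4,4000009876543210,0911,approved
2008-03-01T10:03:10,198.51.100.4,4000005555000011,0911,approved
2008-03-01T10:04:45,198.51.100.4,4000002222333344,0911,declined
2008-03-01T10:06:00,198.51.100.4,4000007777123456,0911,approved
2008-03-01T10:07:00,192.0.2.77,4000003141592653,1209,declined
2008-03-01T10:07:20,192.0.2.77,4000003141592653,1209,declined
2008-03-01T10:07:45,192.0.2.77,4000003141592653,1209,declined
2008-03-01T10:08:10,192.0.2.77,4000003141592653,1209,declined
2008-03-01T10:08:30,192.0.2.77,4000003141592653,1209,approved
"""


def parse(log_text):
    """Turn the CSV log into Attempt records, skipping blank lines."""
    attempts = []
    for row in csv.reader(io.StringIO(log_text)):
        if row:
            ts, source, pan, expiry, result = row
            attempts.append(Attempt(datetime.fromisoformat(ts), source,
                                    pan, expiry, result))
    return attempts


def densest_cluster(accounts):
    """Largest count of distinct account numbers within MAX_SPAN of each other."""
    accounts = sorted(set(accounts))
    best, lo = 0, 0
    for hi in range(len(accounts)):
        while accounts[hi] - accounts[lo] > MAX_SPAN:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_card_testing(attempts):
    """Flag (source, BIN, expiry) groups that walk adjacent card numbers."""
    groups = defaultdict(list)
    for a in attempts:
        account = int(a.pan[:-1])            # drop the trailing check digit
        groups[(a.source, a.pan[:6], a.expiry)].append((a.ts, account, a.result))

    alerts = []
    for (source, bin_, expiry), events in sorted(groups.items()):
        events.sort()
        worst, start = 0, 0
        for end in range(len(events)):       # slide a WINDOW-wide time window
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            in_window = (e[1] for e in events[start:end + 1])
            worst = max(worst, densest_cluster(in_window))
        if worst >= MIN_CARDS:
            alerts.append({
                "source": source, "bin": bin_, "expiry": expiry,
                "adjacent_cards": worst,
                # approvals are the cards that now need review or reissue
                "approved": sum(e[2] == "approved" for e in events),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_card_testing(parse(LOG)):
        print(alert)
```

The busy shop (four unrelated cards sharing an expiry) and the customer retrying one card five times are not flagged; only the source stepping through neighbouring numbers is.
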
  18. Identity Theft by PC+and+Sony+Fanboy · · Score: 1

    As the large banks have the most customers (re: first post) this would be the obvious conclusion - more potential victims.

    HOWEVER

    I understand the problem differently - the TYPE of people at the bigger banks are MORE likely to be victims because of the mindset they have - they're unwilling to take the difficult steps of preserving personal information!

    In Canada, we have a different banking system, there are only five (or six, depending on what you consider as BIG) banks that most everyone uses. Several of these banks have high service fees, others have high monthly fees, some have both. Most of the people I know have been with the same bank since they were children, regardless of the fees or rates, very few people will change a bank ... UNLESS you're the type of person that loves paperwork - The hassle to change banks is phenomenal!

    If someone cannot be bothered to switch to a better bank for the sake of paperwork... then they're probably not going to safeguard their banking information either! Both take work, and BOTH benefit the customer, but very few people actually DO it.

    Additionally, people seldom change banks unless there is a good motivating reason, and the potential for identity theft is not a very good motivating factor. Identity theft, which is usually the fault of the person for improperly disposing of information is also viewed as a PERSONAL problem, and people believe all banks to be the same.
     
      In a system where there are many banks (like the american system), people assume that they're all regulated in the same manner, and the differences in banks are ONLY in customer service and service fees/rates of interest.

    Yes, banks have a role to play in preventing identity theft. But the key to prevention, in many (if not most) cases is personal awareness, and proper information disposal.
     
    Of course there are exceptions, but the majority of identity theft victims are NOT the cause of these exceptions!

    1. Re:Identity Theft by vertinox · · Score: 2, Insightful

      Identity theft, which is usually the fault of the person for improperly disposing of information is also viewed as a PERSONAL problem, and people believe all banks to be the same.

      I've had to write nasty letters to employers, brokers, and banks because they constantly put SSN on statements. Mail theft isn't that uncommon in larger cities (happened to my roommate once and sometimes I get important mail that appears to have been opened) so even though one could shred everything you cannot prevent someone from getting into your mail.

      It also appeared that someone at the USPS was actually the one doing it since the mailboxes are locked. How can you protect yourself against that?

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    2. Re:Identity Theft by PC+and+Sony+Fanboy · · Score: 1

      We all receive this sensitive information in our mailboxes - and yes, mail theft is common, but dumpster diving is MUCH easier, faster and more widely spread.

      For every story someone has about identity theft being someone else's fault, how many are actually caused because people don't dispose of things properly?

    3. Re:Identity Theft by i.r.id10t · · Score: 1

      You contact the postmaster and tell them...

      --
      Don't blame me, I voted for Kodos
  19. Look at the billing systems by gelfling · · Score: 1

    As a Sprint customer I have to guess that not only is their billing system UN-auditable but that Sprint doesn't have a clear understanding of exactly what monies they collect and from whom. In the 4 years I've been a Sprint subscriber I've thrashed through at least 3 dozen billing errors. If someone wanted to steal identities it couldn't be that hard given the absolute anarchy and dysfunction of their billing system and its interaction with customer service.

  20. Punctuation by rocketman768 · · Score: 1
    Terriblepunctuation man.

    Hoofnagle said lending institutions should publicly report information about identity theft events such as the rate of identity theft; the form of identity theft attempted; whether it was a mortgage loan or credit card; and the amount of loss suffered as a result. would help consumers choose safer financial institutions. The full study(PDF) is available from the Berkeley Center for Law and Technology."
    All those semicolons should be commas and that second to last "sentence" should be tacked on to the previous one.
  21. Bank of America by DuctTape · · Score: 1
    Of course, we need to remember that Bank of America is the bank that took San Francisco resident Matthew Shinnick to jail back in late 2005 when he tried to sell a pair of mountain bikes on Craigslist. He took the buyer's check that he received in the mail, asked the teller if it was a good check, and after an affirmative answer ended up handcuffed by police in a downtown Bank of America branch and jailed for almost 12 hours. BoA never offered to reimburse him for thousands of dollars in legal costs, though the bank was not liable due to a 2004 state Supreme Court decision that shields institutions and people from liability when reporting suspected crimes to the police.

    Source: S.F. Chronicle

    So let me tell you how soon I'll be dealing with BoA. Cash a check, go to jail? No thank you.

    DT

    --
    Is this thing on? Hello?
  22. Re:But they're huge... by perlith · · Score: 1

    Agreed. This was written by a Senior Fellow, yet has the look and feel of a Statistics undergraduate term project. In defense, the quality of the data probably was poor. However, the analysis was poor as well. Most likely there is additional data available. Good luck getting a hold of it.

  23. Re:But they're huge... by kb0hae · · Score: 0

    But you are all missing a point... These banks and lending institutions would not want to publish any such figures. Why? Because if they are not the safest, or in the top 3, it would cause their customers to go elsewhere. This hurts profits. Banks are big businesses. They care more about profits than they do customers! The most extreme examples of big businesses that care more about profits than customers are:
    Microsoft
    RIAA members
    MPAA members
    Microsoft

  24. Since when were AT&T and Sprint Nextel Banks? by kingtonm · · Score: 0, Flamebait

    The article title could be more accurate.

  25. What are they measuring? by davevr · · Score: 1

    This sounds to me like a measure of the average customer's IQ, not of banking security. Things like phishing scams are almost entirely outside the bank's control. BTW, this would also explain why Bank of America did so badly. I can't imagine anyone who is capable of doing math would open an account at that place.

    Personally I find this whole focus on "web safety" is overrated. I still see lots of people giving their credit card with signature and photo ID (with DL#, DOB, address, etc.) to minimum wage workers at stores across America every day.

    - davevr

    1. Re:What are they measuring? by gujo-odori · · Score: 1

      It is indeed primarily a measure of customer IQ. I've been in the anti-spam industry for five years and before that was a postmaster at an ISP, and every single freaking day, I see blatant phishing released from quarantine and reported as a false positive. It makes me want to rip my hair out, that so many people are so gullible. The only thing that gives me any hope that people are wising up is that phishers have recently started targeting very small institutions in addition to the biggies (I've seen phishing lately that's aimed at banks with only 1 or 2 branches!). Phishers wouldn't be going that far down the food chain if the biggies were still paying off. They've also very recently been targeting universities, emailing people and saying the university is deleting old accounts to make room for new ones and you have to respond or you will "loose" your account forever. These are all indicators that some of the phish are wising up at least a little. It's also an indicator of where the ID theft industry is going (and to a great extent has already arrived): building full profiles of victims, with large amounts of detailed info. A good example of that is the "ID theft warehouse" that was recently busted in Canada.

      I'm certain it's no coincidence that the institutions the report says have the highest rates of identity theft are the same ones that have the highest volume of phishing directed at them. The phishers are throwing stuff at the wall to see what sticks. Since big names like BofA and WAMU have the most phishing directed at them, it's only natural that they would also have the highest loss incidents. Customer gullibility is a pretty good constant across institutions.

      All in all, I don't find the report to be terribly useful. A useful report would contain info such as which banks use one-time PIN generators, which ones DKIM-sign their mail (*all* of it, because if you let a third-party marketer send mail with your on it without using your DKIM key, the headers are indistinguishable from phishing, from a machine point of view, and it tells people who are looking that it's OK for a mail that says it's from you to not really be from your network), which banks publish SPF records, and other hard security info. The ones with the most identity theft and phishing victims is no metric, since the person primarily to blame for getting phished is the customer, not the bank.
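The point above about third-party marketing mail can be shown mechanically. The following is an added example, not part of the original comment: it compares the `d=` domain of each DKIM-Signature header with the From domain, on three constructed messages. It assumes the receiver has already verified the signatures cryptographically, and it uses a simplified same-domain-or-subdomain test for alignment; all domains, selectors and header values are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

def dkim_domains(msg):
    """Return the d= (signing domain) tag of every DKIM-Signature header."""
    domains = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = {}
        for part in header.split(";"):
            name, sep, value = part.partition("=")
            if sep:
                # Drop folding whitespace inside the tag value.
                tags[name.strip()] = "".join(value.split())
        if "d" in tags:
            domains.append(tags["d"].lower())
    return domains

def aligned(from_domain, signing_domain):
    """Simplified alignment: identical, or one is a subdomain of the other."""
    return (from_domain == signing_domain
            or from_domain.endswith("." + signing_domain)
            or signing_domain.endswith("." + from_domain))

def classify(raw):
    """'aligned' if any signature's d= matches the From domain."""
    msg = message_from_string(raw)
    address = parseaddr(msg.get("From", ""))[1]
    from_domain = address.rpartition("@")[2].lower()
    if any(aligned(from_domain, d) for d in dkim_domains(msg)):
        return "aligned"
    return "unaligned"

# Constructed sample messages (signature values are placeholders).
BANK = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=bank.example; s=s2008;\n"
    " h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: Example Bank <statements@bank.example>\n"
    "Subject: Your statement is ready\n\nbody\n"
)
MARKETER = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=bulkmailer.example; s=m1;\n"
    " h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: Example Bank <offers@bank.example>\n"
    "Subject: A new card offer\n\nbody\n"
)
PHISH = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=unrelated-host.example; s=x;\n"
    " h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: Example Bank <security@bank.example>\n"
    "Subject: Verify your account\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("bank", BANK), ("marketer", MARKETER), ("phish", PHISH)):
        print(name, classify(raw))
```

The legitimate marketing message and the phishing message fall into the same class, so a filter that trusts only aligned signatures has to treat both the same way.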

  26. Further correction by jrexilius · · Score: 2

    The vast majority of identity thefts come in the form of phishing attacks sent directly to the end-user pointing them to a fake site. This type of ID theft is outside the control of the banks themselves.

    Showing the largest numbers of incidents is more akin to showing the relative perceived popularity of the bank in Romania, Ukraine and other places that originate the attacks and the relative stupidity of the bank's customers.

    "Voting with your feet" based on that data is probably not the best idea..

  27. No fricking surprise by hardburlyboogerman · · Score: 1

    I've had an identity theft after I paid off a Mastercard that I had thru Capital One. Fortunately for me, I had closed the account and had a letter stating that the account had a 0 balance and was closed. Turned out that some of their employees had reactivated the account and purchased about $6000 worth of stuff. I took Capital One to court and forced them to investigate. The culprits were caught and the account was ordered cleared. I also collected punitive damages.
    I do not have a credit card now nor do I want one. Too much trouble. I froze my credit report so another identity theft would have a very hard time of getting thru the system.

    --
    Geek Hillbilly
  28. Exporting America by BlueBoxSW.com · · Score: 1

    Anyone else find it funny that the biggest names on the identity fraud list are the same large financial institutions found on Lou Dobbs' "Exporting America" list?

    Are we simply getting our financial information ripped off from our cheapo call centers in India?

  29. BofA Stinks by psychobiker · · Score: 2, Interesting

    Two years ago I was shopping for a mortgage and contacted BofA. Their rates were high and I passed them by. Then a set of checks arrived from BofA from an account I had not asked them to set up. I called and was told it was a mistake. Then a statement for a savings account appeared and I kept on the phone until I found their security head in my area. It turns out I worked with one of her kids and knew where she lived. I did not state that as a threat but until the veil of anonymity was lifted, she was not willing to do anything to help me.

  30. Interesting what you leave out by SmallFurryCreature · · Score: 1

    The guy tried to sell a pair of bikes for 600 dollars, then received a check for 2000 dollars, and tried to cash it in. He then claims he found that suspicious and all, sure he did AFTER THE FACT! It wouldn't look good in court to say "I thought it was my lucky day receiving more than TRIPLE the amount we agreed".

    WHOOOP, WHOOOP, WHOOOP! Red FLAG!

    The article explains that this is part of a scam and you can't scam an honest person. What honest person would believe that someone sends more than 200% of the price to cover transport and as a bonus? Isn't the whole point of buying second hand to SAVE costs? How much are these bikes worth in the first place?

    No the guy got greedy, and paid for it with being arrested. The bank itself did nothing wrong, they behaved EXACTLY as they should have. So did the police.

    Sadly this guy was a victim of scammers, and partly his own greed. The scammers were the ones who sent him the check that got him arrested. His own greed helped because without it this particular scam wouldn't have worked (the article explains the scam) but if the scammer had wanted the bikes without paying he would still have been arrested, if the check had been for a single dollar, he would still have been arrested.

    Blame the scammers, not the bank or the police.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  31. I'd like some more data by gorbachev · · Score: 1

    What percentage of the identity theft cases were done by conning the customer to give their account information to the thief, either by phishing or keyloggers?

    What percentage of the identity theft cases were done by social engineering the banks?

    What percentage of the identity theft cases were done by stealing the data from a 3rd party?

    Without that information the data is pretty much meaningless and usable only for trending analysis by just looking at the number of total cases.

    --
    In Soviet Russia, I ruled you
  32. Kill the editor! (or submitter) by blueZ3 · · Score: 1

    AT&T is now a bank? Sprint Nextel?

    I don't insist that the article titles (or summaries) be perfect, but could they at least have SOME relation to the story itself?

    --
    Interested in a Flash-based MAME front end? Visit mame.danzbb.com
  33. Re:But they're huge... by kjshark · · Score: 0

    The article says that banks don't give out the numbers of customers. Instead it compared the complaints to dollars in investments (which they assume correlates to numbers of investors). So you're right. These statistics can't even hope to be accurate in terms of consumer risk.

    --
    The difference between truth and fiction is that fiction has to be plausible.
  34. B of A victim here by tholomyes · · Score: 1

    I was with B of A for many years until this happened to me (when I switched to WaMU :\ ):

    I had a check stolen out of my mailbox and, being a college student, they stole all $40 out of my account. After spending the requisite bazillion years on the phone with several shell companies to get the fraud itself straightened out, I visited my friendly B of A.

    "I recently had fraud on my checking account," I told them. "Here's the paperwork proving that this is what happened."
    "Okay," they said, "we first recommend that you close this account since it's been compromised."
    "That sounds great, let's do that." Since most of my money had been siphoned out already, they gave me the remaining $12 or so back in cash.
    "Okay," they said, "now would you like to open a new account?"
    "Sure thing," I said.
    "Alright, you're going to need a minimum balance of $100 to start a new account."
    Seriously? Obviously I didn't have it; if I had, it would have been stolen already. I walked out.

    --
    When did the future switch from being a promise to a threat? -C. Palahniuk
  35. Re:But they're huge... by hedwards · · Score: 1

    The bottom line here is that the big financial organizations just don't care enough to fix their problems. Admittedly there's no way to be completely free of identity theft, but the worst offenders aren't even trying.

    Look at TD Ameritrade last year, it took them an unknown length of time to discover that somebody was able to access one of the servers they had with personal information. It was fairly well known before they admitted it that they had been loose with customer data. I was personally receiving personalized spam for nearly 2 months before they fessed up to it. Complete with name and address. They didn't have all my information otherwise they would have known that I have no need for male enhancement.

    With that sort of pitiful security, why should I have any meaningful confidence that they aren't missing similar vulnerabilities in the servers which store my SSN and actual monetary records?

    It's painfully obvious that they aren't going to clean up until they've been publicly shamed into doing so. The real solution is to require that they perform continual audits and disclose the results.

    There's just no excuse for most of the breaches. For instance when laptops with account information go missing, nobody ever seems to ask why they've put personal account information on the laptops in the first place. Laptops always are subject to theft, and that's without having valuable information on them.

  36. Re:But they're huge... by gosand · · Score: 1
    Correct me if I'm wrong, but the Slashdot summary seems to be missing an obvious connection: The top institutions also have the most customers. Simply getting the number of incidents isn't enough; what would be far more interesting is the rate of identity theft (incidences per 1000 customers or such).


    That was the first thing I thought of, since Bank of America is the largest bank in the country. Another thing that they must be struggling with is their growth. They've grown by acquiring other banks. Those events could offer lots of opportunities for identity theft, since it would mean information gets moved around. And getting acquired banks all working under the same process and procedures isn't a small effort.

    I've been working in the banking industry for the last couple of years, and it's a very complicated one. You want to satisfy the customer, while safeguarding their money at the same time... and as a business, you need to make money in the process. It's also hard to be as agile and nimble as the thieves when you are as large as a Bank of America or Chase.

    --

    My beliefs do not require that you agree with them.

  37. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  38. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  39. Whatever by Master+of+Transhuman · · Score: 1

    I used to work at Bank of America. It's run by idiots. So no surprise they come out on top.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  40. American Express Is Actually Good by dynamator · · Score: 1

    They went to bat for us against two fraudulent merchants. There was no identity theft involved, but hey, they were there for us.

  41. Re:But they're huge... by shentino · · Score: 1

    Even better would be *dollars* stolen versus *dollars* handled