Slashdot Mirror
Identity Theft Rates Among Top Banks
Hugh Pickens writes "Consumers, regulators, and businesses lack objective tools to compare the incidence of identity theft across financial institutions and without such tools, consumers cannot 'vote with their feet' and choose safer institutions. Now a study by Chris Hoofnagle has analyzed 88,000 complaints submitted by victims to the FTC over a three month period in 2006 and found that Bank of America ranked highest of all firms in the study, with an average of 1,117 incidents over a three-month period. AT&T had 763 incidents, followed by Sprint Nextel, JP Morgan, Chase and its Chase and Bank One, and Capital One. When the estimated events are divided by the total deposits, the data show that HSBC, Washington Mutual, and Bank of America have the highest rates of identity theft. Hoofnagle said lending institutions should publicly report information about identity theft events such as the rate of identity theft; the form of identity theft attempted; whether it was a mortgage loan or credit card; and the amount of loss suffered as a result. would help consumers choose safer financial institutions. The full study(PDF) is available from the Berkeley Center for Law and Technology."
Voting with your feet will not help if the underlying cause is not the practices of the institution. If people are not careful with their own info they can switch banks all day long and still be at risk. There is a huge assumption here that it is the bank that is the cause of the problem. It may be the customer or other institutions.
hrmph. surely they only need to break into one of them.
note that we're talking about stealing your identity here, not your money (though I guess that is likely to be the ultimate objective). Once they have your identity, they can likely open an account of their (or your) own - likely a credit account, of course - at some other institution.
perhaps I missed something...
Max.
Completely agree with the point about companies holding onto personal information far longer than they should. Playing devil's advocate though, they may need to protect themselves from people complaining about misdeeds from the distant past. Or receiving a bill in the mail that was posted 10 years prior. This seems a reasonable excuse to hold on to records. However, I think they should move this data "offline" so that it can be called up as a special measure in case of a dispute, but will be non-existent for day-to-day activities.
As for passwords, well, this is why you should use a different password for every company you do business with, and for every website you have an account on. Yes it's a pain, but the fact is they need to be able to identify you as the real you despite the fact that whoever you're interacting with has no personal knowledge of you whatsoever. A shared password is the easiest way, and having the operator be able to just read the password and compare it to the one you say is much faster than them having to type it in precisely, and doesn't make it your interaction with the operator any more secure. The only potential security gain is if the information is obtained by unauthorised people -- but if you're using a unique password then it won't do them very much good.
There has to be a certain amount of trust between you and the people you're doing business with. If you don't trust them enough to have your name, address, SSN, and so on, then you shouldn't be using their services.
The parent was correct - they pointed out how the statistic you cite is flawed. You didn't even read the comment you were responding to.
The findings presented (in the summary, the linked article, and the original paper) were based on total incidents per institution (favoring small institutions), and incidents in relation to total deposits (favoring institutions having large average deposits).
Since the study was meant to "meaningfully compare institutions on their performance in avoiding identity theft," it would have been desireable to look at the number of incidents in relation to the number of depositers. That is the metric which would give the best indication of how likely an individual depositer is to encounter an identity theft problem with that institution.
"National Security is the chief cause of national insecurity." - Celine's First Law
They should have explained things a little better. When a card is charged, it's a two-step process: authorization and capture. At authorization, they've told the merchant "yes, this transaction can go through and we'll hold the money for you". A merchant can't undo an authorization. The money doesn't get sent until capture, usually a nightly process. If a charge isn't captured within a certain amount of time (24 hours to a few days), the bank rescinds the authorization automatically.
They should have explained that there was a chance the merchant realized their mistake and wasn't going to capture the funds. If you contacted the merchant and let them know the situation, they probably could have prevented capture too. But, if the charge ended up being captured, you would need to file a dispute.
As a merchant, this is the way I want things to work. If an authorization goes through, I don't need to wait until I have the money in my account to ship someone their order. If they could back out of an authorization before capture, the authorization would be meaningless and I'd probably see a lot more fraud.