Slashdot Mirror

← Back to Stories (view on slashdot.org)

Identity Theft Rates Among Top Banks

Posted by kdawson on from the naming-names dept.

Hugh Pickens writes "Consumers, regulators, and businesses lack objective tools to compare the incidence of identity theft across financial institutions and without such tools, consumers cannot 'vote with their feet' and choose safer institutions. Now a study by Chris Hoofnagle has analyzed 88,000 complaints submitted by victims to the FTC over a three month period in 2006 and found that Bank of America ranked highest of all firms in the study, with an average of 1,117 incidents over a three-month period. AT&T had 763 incidents, followed by Sprint Nextel, JP Morgan, Chase and its Chase and Bank One, and Capital One. When the estimated events are divided by the total deposits, the data show that HSBC, Washington Mutual, and Bank of America have the highest rates of identity theft. Hoofnagle said lending institutions should publicly report information about identity theft events such as the rate of identity theft; the form of identity theft attempted; whether it was a mortgage loan or credit card; and the amount of loss suffered as a result. would help consumers choose safer financial institutions. The full study(PDF) is available from the Berkeley Center for Law and Technology."

22 of 85 comments (clear)

  1. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  2. It would depend on the type of business, no? by chevman · · Score: 4, Insightful

    It would depend on the type of business, no?

    - Online banking
    - ATM access
    - Point of sale transactions
    - Brokerage Transactions

    etc, etc.

    My strategy has always been to spread my risk - make all point of sale transactions with a publically exposed credit card, which I pay off monthly from a completely separate checking account, which is totally divorced from my investment accounts. Each account is at a different bank, which i use different logins and passwords for.

    If any one is compromised, I have at least a marginal degree of separation from all the others.

    1. Re:It would depend on the type of business, no? by dwater · · Score: 3, Informative

      hrmph. surely they only need to break into one of them.

      note that we're talking about stealing your identity here, not your money (though I guess that is likely to be the ultimate objective). Once they have your identity, they can likely open an account of their (or your) own - likely a credit account, of course - at some other institution.

      perhaps I missed something...

      --
      Max.
  3. Assumes a Cause by jschnack975 · · Score: 4, Informative

    Voting with your feet will not help if the underlying cause is not the practices of the institution. If people are not careful with their own info they can switch banks all day long and still be at risk. There is a huge assumption here that it is the bank that is the cause of the problem. It may be the customer or other institutions.

  4. "Bank of America" is an actual bank? by JanneM · · Score: 3, Funny

    I honestly had no idea Bank of America actually existed. I thought it was another one of those made-up company names spammers use, like Prime Staadslotterij, Commercial Trust or Coventry Promotions. I mean, it doesn't even sound like a believable name.

    --
    Trust the Computer. The Computer is your friend.
  5. Not a Bit Surprised About Sprint by Comatose51 · · Score: 3, Interesting

    When I stupidly signed up with Sprint again after a few years of using Cingular, I had trouble activating my phone. I call customer service and the lady asked me for my password. I was initially very hesitant about it. I couldn't believe that she had my password in plaintext in front of her. She couldn't reset the password or anything like that, instead she just have it in front of her screen. After going through a few non-financially related password (weaker passwords), I decided to give up and told her I couldn't think of it. At that point, she tried to verify me through my mailing address. I tried it a few but that didn't work until I tried my parent's address. It turns out that when I gave her my social security number initially (stupid me, I know), she pulled up my old account from 8 years ago before I switched to Cingular. Since both the new and old accounts were keyed by my SSN, she got my old account, along with my parent's address, and my old password. How insane is that? Sprint kept all my information for 8 years along with the password in plaintext.

    --
    EvilCON - Made Famous by /.
    1. Re:Not a Bit Surprised About Sprint by totally+bogus+dude · · Score: 2, Informative

      Completely agree with the point about companies holding onto personal information far longer than they should. Playing devil's advocate though, they may need to protect themselves from people complaining about misdeeds from the distant past. Or receiving a bill in the mail that was posted 10 years prior. This seems a reasonable excuse to hold on to records. However, I think they should move this data "offline" so that it can be called up as a special measure in case of a dispute, but will be non-existent for day-to-day activities.

      As for passwords, well, this is why you should use a different password for every company you do business with, and for every website you have an account on. Yes it's a pain, but the fact is they need to be able to identify you as the real you despite the fact that whoever you're interacting with has no personal knowledge of you whatsoever. A shared password is the easiest way, and having the operator be able to just read the password and compare it to the one you say is much faster than them having to type it in precisely, and doesn't make it your interaction with the operator any more secure. The only potential security gain is if the information is obtained by unauthorised people -- but if you're using a unique password then it won't do them very much good.

      There has to be a certain amount of trust between you and the people you're doing business with. If you don't trust them enough to have your name, address, SSN, and so on, then you shouldn't be using their services.

  6. I bet AOL users are more likely to be phised too by logicnazi · · Score: 2, Insightful

    That hardly implies that if I choose to use AOL I will run a greater risk of having my identity theft. It shows that AOL users are more likely to be computer naieve and stupidly type their info into random phishing sites. Determining what banks have the highest rates of identity theft is useless unless from a security standpoint unless you determine WHY they have it.

    In particular did anyone else notice that the highest rates of identity theft seemed to occur at the largest banks who likely had the most customers? This suggests to me that it's not bad IT practices that account for these results but the make up of their customer bases. I suspect that while many financially and technologically savy people (such as me) have accounts at these banks their success at appealing to the largest possible market means they have a larger percent of non-savy customers. On the other hand another good hypothesis is just that more phising attacks attacks target the institution with the most customers. But if you are confident of your ability to avoid those then this shouldn't worry you much.

    In either case this seems like a totally useless statistic and not a result of poor security as the write up suggests.

    --

    If you liked this thought maybe you would find my blog nice too:

  7. Re:If you ever wondered... by gsslay · · Score: 5, Interesting

    You've missed the subtle twist in the process.

    It used to be that if a bank lost money because someone defrauded them by pretending to be a customer of theirs it was their problem. But now, with the wonderful new term "identity theft", it's your identity that's been stolen and therefore your money. You may appear to still have your identity, and they may appear to have lost their money, but that's just looking at it too simplistically.

    So remember; fraud = their money, identity theft = your money. Change the way you describe the crime and magically you change who's the victim. Isn't that clever?

  8. Banks != Market by WaZiX · · Score: 2, Insightful

    Isn't it the role of supervisors to regulate banks, and NOT the consumer?

    I mean isn't the whole point of being able to call yourself a bank is that you apply to prudential rules set by the government and therefore the consumer doesn't have to ask himself questions whether the bank is safe or not?

    Quite frankly identity theft is a detail compared to other risks the banks are facing, this is why the whole financial market is divided between the banking system (black box supervised by the government) and the markets (where the government just guarantees transparency and it's up to the consumer to make his choices based on the information he is given).

    The problem with disclosing this kind of information is that it sets doubt on the banking system, and the whole banking system relies on trust to function (hence the tight regulation of the banking sector).

    We're not going to ask consumers to assess the risk exposure of banks are we?

  9. Re:But they're huge... by Faylone · · Score: 3, Informative
    No, you didn't even read the summary properly.

    When the estimated events are divided by the total deposits, the data show that HSBC, Washington Mutual, and Bank of America have the highest rates of identity theft.
  10. Re:But they're huge... by greg1104 · · Score: 2, Interesting

    Another thing that bugs me about this is there's no notion of how much on-line activity is involved.

    As an example, one of the reasons I have a Bank of America account is that you can do just about anything from their web site. I routinely move money around between accounts, pay bills, all sorts of stuff. Now, probably because of this, as well as their wide customer base, I regularly see phishing attacks aimed at BoA, with plenty of them e-mailed to me over the years. I've seen some pretty sophisticated replicas of their site aimed just at getting people to think they're at the real deal so they put their passwords in. The fact that many of their customers get scammed by such things is no surprise to me. Is that the bank's fault?

    Chase and Citibank have pretty good on-line features as well so I'd expect them to be near the top as they are. What really bothers me about this study is how miserably the phone carriers did; it's not like they're doing anything as sophisticated as the banks are.

  11. Re:Voting with your feet is "dangerous" by WaZiX · · Score: 2, Interesting

    and that's why the financial sector is so expensive. To the public at least and in almost all countries. A big knowitall aganecy telling the little dumb citizen whom to trust, and even if they fail there is always the (knowitall) government to pay the bill - from the pocket of the little citizen.
    The catch is that you have to trust the regulators who are appointed by a government/president elected by representatives/electors elected through a sometimes complicated process by you. Too many leverages there. Actually, most of the regulations are set by the Basel Committee (The Basel accords), which theoretically should guarantee that there is at any point 99.7% chance that the bank doesn't go bankrupt. What you have to trust are the agencies supervising the applications of those accords. Either way, the banks are the first wishing those rules to be enforced, because failure of on bank usually means crisis in the sector, and problems for every bank. But indeed, risk management is a very costly aspect of banking, not only in terms of overhead, but also in terms of return banks can make, so ironically it's in the interest of every bank to both follow and try to circumvent regulations at the same time (hence all the securitising that is taking place).
  12. Re:But they're huge... by CastrTroy · · Score: 2, Interesting

    It probably has a lot to do with their clients more than their banking system. I remember hearing that ING had very low identity theft rates, and people chalked it up to their convoluted login system. I would say it has more to do with the fact that they are only online, and scare away a lot of web-savvy people. Also, because they mostly only for savings accounts, their clients pass the automatic IQ test by actually saving some money.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  13. Uh, no... by msauve · · Score: 2, Informative

    The parent was correct - they pointed out how the statistic you cite is flawed. You didn't even read the comment you were responding to.

    The findings presented (in the summary, the linked article, and the original paper) were based on total incidents per institution (favoring small institutions), and incidents in relation to total deposits (favoring institutions having large average deposits).

    Since the study was meant to "meaningfully compare institutions on their performance in avoiding identity theft," it would have been desireable to look at the number of incidents in relation to the number of depositers. That is the metric which would give the best indication of how likely an individual depositer is to encounter an identity theft problem with that institution.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:Uh, no... by Zeinfeld · · Score: 2, Insightful
      I am not at all sure what the paper shows, or even what definition of 'identity theft' is being used. Do the authors mean taking out fraudulent loans in the victim's name or fraudulent use of a credit card they hold?

      The difference is pretty important as the number of customers of a bank is not going to make it more or less attractive as a place to take a fraudulent loan out at. That is going to be determined by the fraud measures in place and how well known the brand is. If we are talking about loan frauds then why don't we see sub-prime bucket shop operations like DiTech represented?

      I suspect that the majority of these cases are actually credit card fraud and they scale to the number of cards issued. MBNA is the issuer of a vast number of affinity cards. So I would expect a high fraud rate.

      Another bias is that this is FTC complaints. So what is being measured is people complaining about a loss which is not the same as theft rates. The people complaining to the FTC are probably people who have lost money because the bank refuses to reimburse them.

      So yet another academic study that presents a corpus of information that is superficially interesting but does not really tell us very much at all.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
  14. WaMu victim here by DigitAl56K · · Score: 4, Interesting

    I was hit with identity theft as a WaMu customer last year. I don't know how it happened, I pay for most things in cash and I don't use my card on small/disreputable websites, I use Firefox with NoScript, don't click links in e-mail even when they look legit (always type the URL myself), etc.

    However, I have to say that my experience with WaMu was really bad:

    * They canceled my card while I was displaced during the California wildfires
    * If you call the number on the back of your bank card it's actually extremely hard to work out how to get through to an actual person to talk about card fraud
    * When I did get through to an actual person, using an alternative number they provided me at an actual bank, they tried to forward me to their fraud department. I sat on hold for an hour before deciding to give up and call back later
    * The would not reverse fraudulent charges to my account. They told me that they would send me an affidavit that I would have to sign before they would refund the charges, and then it would take 30 days or more to process. This affidavit never arrived.
    * I had much better luck calling the numbers listed on my statement and getting merchants to refund fraudulent charges
    * WaMu did refund one fraudulent charge eventually

    Short story: If you're a fraud victim at WaMu don't expect them to go out of their way to help you as a customer. You may have better luck taking care of it yourself.

    More recently, I tried to pay off a loan with my WaMu debit card. Big mistake. According to my statement there was a double-charge pending for thousands of dollars. I called WaMu immediately, here is how that conversation went:

    Me: I'm looking at my statement, it looks like there is a double charge for several thousand dollars
    Them: Yes, we do see that, we see one charge has cleared and another pending
    Me: That's an unauthorized charge, and clearly a mistake
    Them: Well, the good news is that it that the money hasn't left your account yet, it is still pending
    Me: Okay, can you stop the charge?
    Them: No. But after it gets charged you could file a dispute with the merchant
    Me: But you just said that the money hasn't left my account yet, and I'm telling you it's unauthorized, so why don't you stop it?
    Them: We can't do that.
    Me: Well that's completely useless then, isn't it?
    Them: Yes, I understand, sorry about that..

    It's not identity theft, per-say, but more indicitive of my experiences with WaMu so far. They don't exactly go out of their way to help you out during a bad situation.

    So, yes, I believe this information should be published, and not only that, each and every customer affected should be questioned as to how well they feel their bank dealt with the situation and as to how secure they feel at their bank. WaMu would not be getting a very high rating from me at all.

    1. Re:WaMu victim here by IL-CSIXTY4 · · Score: 5, Informative

      Them: Yes, we do see that, we see one charge has cleared and another pending

      They should have explained things a little better. When a card is charged, it's a two-step process: authorization and capture. At authorization, they've told the merchant "yes, this transaction can go through and we'll hold the money for you". A merchant can't undo an authorization. The money doesn't get sent until capture, usually a nightly process. If a charge isn't captured within a certain amount of time (24 hours to a few days), the bank rescinds the authorization automatically.

      They should have explained that there was a chance the merchant realized their mistake and wasn't going to capture the funds. If you contacted the merchant and let them know the situation, they probably could have prevented capture too. But, if the charge ended up being captured, you would need to file a dispute.

      As a merchant, this is the way I want things to work. If an authorization goes through, I don't need to wait until I have the money in my account to ship someone their order. If they could back out of an authorization before capture, the authorization would be meaningless and I'd probably see a lot more fraud.

    2. Re:WaMu victim here by DigitAl56K · · Score: 2, Interesting

      Thank you, that is a much clearer explanation than WaMu was able to muster.

      However, even given that explanation, it does appear that simply having a debit card is a severe security risk for any customer - the bank seems to be unwilling to prevent the capture of funds when an account holder flags an authorization as false, and refunding fraudulent transactions may take well over a month. I've never seen any of my debit card transactions blocked for security purposes either - I have only ever received calls questioning certain transactions 24-28 hours after the fact, and the transaction that I mentioned in the grandparent post was an international transaction for thousands of dollars which was authorized immediately without the card CVC code (accurately reflected in my account statement as a "Debit without PIN" transaction).

      It is no wonder to me that identity theft is so easy to perform and so hard to recover from. As a customer, you have very little protection and nearly no power to resolve the matter beyond the effort the bank is willing to expend on its own accord.

  15. Further correction by jrexilius · · Score: 2

    The vast majority of identity thefts come in the form of phishing attacks sent directly to the end-user pointing them to a fake site. This type of ID theft is outside the control of the banks themselves.

    Showing the largest numbers of incidents is more akin to showing the relative perceived popularity of the bank in Romania, Ukrain and other places that originate the attacks and the relative stupidity of the banks customers.

    "Voting with your feet" based on that data is probably not the best idea..

  16. BofA Stinks by psychobiker · · Score: 2, Interesting

    Two years ago I was shopping for a mortgage and contacted BofA. Their rates were high and I passed them by. Then a set of checks arrived from BofA from an account I had not asked them to set up. I called and was told it was a mistake. Then a statement for a saving account appeared and I kept on the phone until I found their security head in my area. It turns out I worked with one of her kids and knew where she lived. I did not state that as a threat but until the veil of anonymity was lift, she was not will to do anything to help me.

  17. Re:Identity Theft by vertinox · · Score: 2, Insightful

    Identity theft, which is usually the fault of the person for improperly disposing of information is also viewed as a PERSONAL problem, and people believe all banks to be the same.

    I've had to write nasty letters to employers, brokers, and banks because they constantly put SSN on statements. Mail theft isn't that uncommon in larger cities (happened to my room mate once and sometimes I get important mail that appears to have been opened) so even though one could shred everything you cannot prevent someone from getting into your mail.

    It also appeared that someone at the USPS was actually the one doing since the mailboxes are locked. How can you protect yourself against that?

    --
    "I am the king of the Romans, and am superior to rules of grammar!"
    -Sigismund, Holy Roman Emperor (1368-1437)