Late last month, four servers containing names, addresses and Social Security numbers of thousands of Wells Fargo & Co. mortgage and student-loan customers were stolen from an Atlanta company that prints loan statements. There's no indication the information has been misused, the bank says, but it's advising affected customers to monitor their accounts for suspicious activity. It's also offering a free one-year credit-protection program and has established a toll-free hotline.
The incident was the latest reminder of how pervasive the threat of identity theft has become, as well as how much of a risk it is for banks and credit-card issuers and their customers. According to the Federal Trade Commission, 9.9 million Americans were identity-theft victims last year. Of those, 6.6 million reported fraudulent use of existing accounts while more than 3 million reported new accounts opened in their names. That cost businesses $48 billion and consumers $5 billion in economic losses.
Mounting concerns over stolen identities are prompting banks to review account-access policies and implement sophisticated fraud-detection systems. Banks have unleashed a panoply of technology against the problem, such as pattern-recognition software to flag suspicious transactions or new accounts. They're also requiring customers at times to verify online credit-card purchases with IDs and passwords, equipping customers with anti-spam software to thwart phishing, and setting up shared databases for reporting and exchanging information about ID crimes. One London bank recently began using pattern-recognition software that monitors its e-mail system to spot phishing attacks and alerts Scotland Yard's Criminal Investigation Division when it does, according to Autonomy Corp., which supplied the application.
But do banks really have a handle on the problem? A study released last week by Unisys Corp. found disparities between the way consumers see their bank's role in preventing ID theft and the way the banks themselves view it. A majority of consumers (84 percent) say their banks are doing all they can to prevent ID theft. But branch reps tell a different story: 15 percent say their banks don't do anything special, and 62 percent say any bank employee can access customer data.
Banks are trying to thwart ID thieves with two main tools: consumer education and IT. Using statement mailings and alerts on their Web sites and at branches, banks have stepped up warnings not to divulge sensitive information over the phone and in e-mail. The issue is one of personal accountability, says Larry Brown, senior VP and head of risk management at Citizens First Bank. "It means not giving out confidential information to an untrusted party," he says. The problem "will get worse until we do a better job of educating customers," he adds.
Some banks are working directly with security-software vendors such as McAfee Inc. and Symantec Corp. to improve customer security. BMO Financial, formerly the Bank of Montreal, is considering funding a program to give online banking customers tools to scan their PCs for malicious code, says Vivek Khindria, senior manager of security practices and technology information security.
Some banks promote their anti-ID theft strategy as a competitive advantage. Earlier this year, Washington Mutual Inc. began offering customers a service to monitor credit accounts called ID Theft Inspect and another to provide credit-report alerts for identity-theft victims.
But banks tend to be secretive about specific security technologies they've deployed behind their walls. To prevent employees from stealing data, ATB Financial, an Edmonton, Alberta-based bank, is considering using a mix of passwords, personal-ID numbers, and encryption devices such as key fobs for its employees. "The challenge then is to make sure those authorization methods can't be compromised," says Ken Casey, senior VP and head of retail banking. The main challenges of access control are making sure lists of authorized users are up to date and setting up a hierarchy of security levels, Casey says.
ATB is experimenting with more exotic forms of authentication, such as a dynamic signature-recognition system, which captures distinct characteristics of how people sign their names, including shape, speed, and pen pressure. The bank has built triple-DES (Data Encryption Standard) encryption capabilities into its automated teller machines to safeguard customer data as it moves across third-party networks, in part to meet guidelines imposed by MasterCard International, to whose debit-processing network ATB belongs. ATB also has enhanced its ATM control software to enable customers to change passwords at the machines.
Debit cards remain a source of concern for ATB. Unlike those issued by U.S. banks, most debit cards issued in Canada bear only the bank's brand, and aren't tied to the fraud-detection systems of major card associations such as MasterCard, Visa or American Express, Casey says. "We consider debit cards a higher risk than credit cards because they lack a secure system for detecting fraudulent patterns," he says.
Visa USA is trying to get merchants to be closer partners in the battle against fraud. It has developed a multifaceted effort to deter fraudulent card use. The effort includes Verified by Visa, a 3-year-old program that provides password protection for online purchases and was revamped last year to make it more appealing to merchants and customers. Visa is also using pattern-recognition software that analyzes accounts for unusual spending patterns to detect fraud. When a transaction is flagged, Visa alerts the cardholder's bank, which in turn checks with the cardholder to see if the transaction is genuine, says Jean Bruesewitz, Visa's senior VP of risk services.
Since card-association rules largely absolve consumers of liability for card-related fraud losses, the financial institutions themselves have the most incentive for stemming ID-theft crimes. Yet merchants have a stake as well, since they assume a portion of the liability. Since deploying Verified by Visa two years ago, CompUSA has practically eliminated fraud-related losses from online sales, says Steve Javery, director of E-commerce for development and integration. The program not only has reduced fraud, it has increased sales by making consumers feel safer shopping online and improved order-processing efficiency.
To combat the phishing threat, banks have created a counter-phishing initiative under the auspices of the Financial Services Technology Consortium. The initiative's first phase, which wraps up this week, includes compiling a list of known phishing threats and vulnerabilities and developing a test plan for solutions.
The second phase, which will start in January, will involve a large-scale pilot and deployment of "quick-hit" solutions, says project manager Chuck Wade. Those include banks testing their systems via simulated phishing attacks and creating a process for quickly shutting down phishers' Web sites. These efforts aim to take the anti-phishing campaign beyond stopping spam e-mail, since instant messages, search engines, and mobile hot-spots all are vulnerable, Wade says. "If you turn off the spam spigot, phishers will pop up in other attack vectors and already have," he says.
Federal law-enforcement agencies also are taking identity theft more seriously. Late last month, the U.S. Secret Service arrested 28 suspected cybercrime gangsters in eight states and six countries on charges of identity theft, computer fraud, and credit-card fraud. And a federal law signed by President Bush earlier this year increases the penalties for ID-fraud-related crimes.
But law-enforcement authorities are hard pressed to divert many resources away from fighting terrorism and violent crime. Says Arif Alikhan, chief of the computer-crimes section with the U.S. attorney's office in Los Angeles, "As with most crimes, the best way to deal with it is prevention."
-- With Thomas Claburn
Article courtesy InformationWeek, Nov. 15, 2004