Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Identity Theft Rates Among Top Banks

Posted by kdawson on Tue Mar 04, 2008 03:38 AM
from the naming-names dept.
Security The Almighty Buck
Hugh Pickens writes "Consumers, regulators, and businesses lack objective tools to compare the incidence of identity theft across financial institutions and without such tools, consumers cannot 'vote with their feet' and choose safer institutions. Now a study by Chris Hoofnagle has analyzed 88,000 complaints submitted by victims to the FTC over a three month period in 2006 and found that Bank of America ranked highest of all firms in the study, with an average of 1,117 incidents over a three-month period. AT&T had 763 incidents, followed by Sprint Nextel, JP Morgan, Chase and its Chase and Bank One, and Capital One. When the estimated events are divided by the total deposits, the data show that HSBC, Washington Mutual, and Bank of America have the highest rates of identity theft. Hoofnagle said lending institutions should publicly report information about identity theft events such as the rate of identity theft; the form of identity theft attempted; whether it was a mortgage loan or credit card; and the amount of loss suffered as a result. would help consumers choose safer financial institutions. The full study(PDF) is available from the Berkeley Center for Law and Technology."
+ -
story

Related Stories

Submission: Measuring Identity Theft Rates Among Top Banks by pickens (49171)
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Identity Theft Rates Among Top Banks 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • But they're huge... (Score:5, Insightful)

    by 404 Clue Not Found (763556) * on Tuesday March 04 2008, @03:42AM (#22633302) Homepage
    Correct me if I'm wrong, but the Slashdot summary seems to be missing an obvious connection: The top institutions also have the most customers. Simply getting the number of incidents isn't enough; what would be far more interesting is the rate of identity theft (incidences per 1000 customers or such). The study itself addresses this issue:

    For purposes of determining relative incidence of fraud, the size of institutions was assessed by total deposits, according to the FDIC SDI database.

    [...]

    A better measure would be number of customers, or number of accounts, however, that information is not publicly available.


    "Incidences per billion dollars" isn't good enough because that would favor banks with a low number of high-value deposits over consumer-oriented banks (which many of us presumably care more about) that deal with large numbers of low-value deposits.

    Not only, that, but:

    At present, we lack a reliable method to assess the size of the telecommunications carriers, and this is problematic because these institutions ranked so highly in overall number of complaints.

    and

    Similar ambiguities are present when a victim identifies a retailer, such as Target as the institution involved in the fraud. The victim could mean that Target issued a credit card in the victim's name, that the victim's Target credit card was used fraudulently, that a different credit card was used for fraudulent charges at Target, or that their account on Target.com was phished.


    So they don't know how many total customers these organizations are dealing with (meaning we can't get a rate) and they're not even sure what victims meant when they identified an organization as related to their incident. That leaves the only interesting question, "Which institution is the riskiest one to do business with in terms of potential identity theft?" unanswered.

    Anyone know if better data/a better analysis is available?

    • Re: (Score:3, Informative)

      by Faylone (880739)
      No, you didn't even read the summary properly.

      When the estimated events are divided by the total deposits, the data show that HSBC, Washington Mutual, and Bank of America have the highest rates of identity theft.
      • and...I didn't read your post or the article fully, summary should say divided by the total deposited amounts. Statistics before coffee is apparently a bad idea.

      • Uh, no... (Score:3, Informative)

        by msauve (701917)
        The parent was correct - they pointed out how the statistic you cite is flawed. You didn't even read the comment you were responding to.

        The findings presented (in the summary, the linked article, and the original paper) were based on total incidents per institution (favoring small institutions), and incidents in relation to total deposits (favoring institutions having large average deposits).

        Since the study was meant to "meaningfully compare institutions on their performance in avoiding identity theft,

        • Re: (Score:3, Insightful)

          by Zeinfeld (263942)
          I am not at all sure what the paper shows, or even what definition of 'identity theft' is being used. Do the authors mean taking out fraudulent loans in the victim's name or fraudulent use of a credit card they hold?

          The difference is pretty important as the number of customers of a bank is not going to make it more or less attractive as a place to take a fraudulent loan out at. That is going to be determined by the fraud measures in place and how well known the brand is. If we are talking about loan fraud

        • The bottom line here is that the big financial organizations just don't care enough to fix their problems. Admittedly there's no way to be completely free of identity theft, but the worst offenders aren't even trying.

          Look at TD Ameritrade last year, it took them an unknown length of time to discover that somebody was able to access one of the servers they had with personal information. It was fairly well known before they admitted it that they had been loose with customer data. I was personally receiving pe

    • Re: (Score:3, Interesting)

      by greg1104 (461138)
      Another thing that bugs me about this is there's no notion of how much on-line activity is involved.

      As an example, one of the reasons I have a Bank of America account is that you can do just about anything from their web site. I routinely move money around between accounts, pay bills, all sorts of stuff. Now, probably because of this, as well as their wide customer base, I regularly see phishing attacks aimed at BoA, with plenty of them e-mailed to me over the years. I've seen some pretty sophisticated r

      • Re: (Score:3, Interesting)

        by CastrTroy (595695)
        It probably has a lot to do with their clients more than their banking system. I remember hearing that ING had very low identity theft rates, and people chalked it up to their convoluted login system. I would say it has more to do with the fact that they are only online, and scare away a lot of web-savvy people. Also, because they mostly only for savings accounts, their clients pass the automatic IQ test by actually saving some money.
    • The vast majority of identity thefts come in the form of phishing attacks sent directly to the end-user pointing them to a fake site. This type of ID theft is outside the control of the banks themselves.

      Showing the largest numbers of incidents is more akin to showing the relative perceived popularity of the bank in Romania, Ukrain and other places that originate the attacks and the relative stupidity of the banks customers.

      "Voting with your feet" based on that data is probably not the best idea..
    • Correct me if I'm wrong, but the Slashdot summary seems to be missing an obvious connection: The top institutions also have the most customers. Simply getting the number of incidents isn't enough; what would be far more interesting is the rate of identity theft (incidences per 1000 customers or such).

      That was the first thing I thought of, since Bank of America is the largest bank in the country. Another thing that they must be struggling with is their growth. They've grown by acquiring other banks. Tho

  • It would depend on the type of business, no? (Score:4, Insightful)

    by chevman (786211) on Tuesday March 04 2008, @03:56AM (#22633348)
    It would depend on the type of business, no?

    - Online banking
    - ATM access
    - Point of sale transactions
    - Brokerage Transactions

    etc, etc.

    My strategy has always been to spread my risk - make all point of sale transactions with a publically exposed credit card, which I pay off monthly from a completely separate checking account, which is totally divorced from my investment accounts. Each account is at a different bank, which i use different logins and passwords for.

    If any one is compromised, I have at least a marginal degree of separation from all the others.

    • Re:It would depend on the type of business, no? (Score:4, Informative)

      by dwater (72834) on Tuesday March 04 2008, @05:12AM (#22633592)
      hrmph. surely they only need to break into one of them.

      note that we're talking about stealing your identity here, not your money (though I guess that is likely to be the ultimate objective). Once they have your identity, they can likely open an account of their (or your) own - likely a credit account, of course - at some other institution.

      perhaps I missed something...

  • Assumes a Cause (Score:4, Informative)

    by jschnack975 (1099001) on Tuesday March 04 2008, @03:56AM (#22633350)
    Voting with your feet will not help if the underlying cause is not the practices of the institution. If people are not careful with their own info they can switch banks all day long and still be at risk. There is a huge assumption here that it is the bank that is the cause of the problem. It may be the customer or other institutions.

  • "Bank of America" is an actual bank? (Score:3, Funny)

    by JanneM (7445) on Tuesday March 04 2008, @04:01AM (#22633366) Homepage
    I honestly had no idea Bank of America actually existed. I thought it was another one of those made-up company names spammers use, like Prime Staadslotterij, Commercial Trust or Coventry Promotions. I mean, it doesn't even sound like a believable name.

    • Re: (Score:1, Insightful)

      by Anonymous Coward
      Yes, and they're evil incarnate. Although at least they have the decency to close your account when it hits a zero inactive balance, rather than using monthly charges to drive you under zero and then charge overdrafts on top of that...

  • Not a Bit Surprised About Sprint (Score:4, Interesting)

    by Comatose51 (687974) on Tuesday March 04 2008, @04:28AM (#22633474) Homepage
    When I stupidly signed up with Sprint again after a few years of using Cingular, I had trouble activating my phone. I call customer service and the lady asked me for my password. I was initially very hesitant about it. I couldn't believe that she had my password in plaintext in front of her. She couldn't reset the password or anything like that, instead she just have it in front of her screen. After going through a few non-financially related password (weaker passwords), I decided to give up and told her I couldn't think of it. At that point, she tried to verify me through my mailing address. I tried it a few but that didn't work until I tried my parent's address. It turns out that when I gave her my social security number initially (stupid me, I know), she pulled up my old account from 8 years ago before I switched to Cingular. Since both the new and old accounts were keyed by my SSN, she got my old account, along with my parent's address, and my old password. How insane is that? Sprint kept all my information for 8 years along with the password in plaintext.

    • Completely agree with the point about companies holding onto personal information far longer than they should. Playing devil's advocate though, they may need to protect themselves from people complaining about misdeeds from the distant past. Or receiving a bill in the mail that was posted 10 years prior. This seems a reasonable excuse to hold on to records. However, I think they should move this data "offline" so that it can be called up as a special measure in case of a dispute, but will be non-existent fo

      • I don't know about this PIN you're referring to, but I too have had Sprint agents read me my password (the one used to log into the main sprint.com website) over the phone in the clear, without me even asking them to. Yes, they can see it in plain text. The only PIN they couldn't read me was the one to get into the pictures website. That had to be sent to my phone.

        Considering the account password gives access to very sensitive info and the pictures website PIN doesn't, that seems totally backwards. I've m

  • That hardly implies that if I choose to use AOL I will run a greater risk of having my identity theft. It shows that AOL users are more likely to be computer naieve and stupidly type their info into random phishing sites. Determining what banks have the highest rates of identity theft is useless unless from a security standpoint unless you determine WHY they have it.

    In particular did anyone else notice that the highest rates of identity theft seemed to occur at the largest banks who likely had the most customers? This suggests to me that it's not bad IT practices that account for these results but the make up of their customer bases. I suspect that while many financially and technologically savy people (such as me) have accounts at these banks their success at appealing to the largest possible market means they have a larger percent of non-savy customers. On the other hand another good hypothesis is just that more phising attacks attacks target the institution with the most customers. But if you are confident of your ability to avoid those then this shouldn't worry you much.

    In either case this seems like a totally useless statistic and not a result of poor security as the write up suggests.

  • I have heard rumours about fraudulent bank employees selling confidential information about customers to third parties.

    I heard about this through a friend who never lost or misplaced their HSBC credit card, and who suddenly received entries in their monthly bills that did not correspond to past activity. But since this friend was very cautious about using the credit card and it was used very rarely indeed, it was virtually impossible for someone to steal this information physically.

    If this is true then ba

  • ...who makes law on this side of the planet, all you need do is take an objective look at how indifferent governments and financial institutions are to identity theft. If somebody gets hold of your personal information, no matter whose fault it was, good luck if you expect a lot of help fixing the damage.

    Canada's Royal Bank just sent around an amended customer agreement for people who bank on-line. They've refused to accept responsibility for quite a range of problems in this area, even if those proble

    • Re:If you ever wondered... (Score:5, Interesting)

      by gsslay (807818) on Tuesday March 04 2008, @04:56AM (#22633546)
      You've missed the subtle twist in the process.

      It used to be that if a bank lost money because someone defrauded them by pretending to be a customer of theirs it was their problem. But now, with the wonderful new term "identity theft", it's your identity that's been stolen and therefore your money. You may appear to still have your identity, and they may appear to have lost their money, but that's just looking at it too simplistically.

      So remember; fraud = their money, identity theft = your money. Change the way you describe the crime and magically you change who's the victim. Isn't that clever?
      • You've also forgotten that any very large bank will be bailed out by the Fed, so they don't really care !
      • Maybe that is YOUR perception, but I assure you, that isn't the law. The law doesn't distinguish between identity theft and fraud. There is only fraud. The law judges what is and isn't fraud and the extents of liability based on whether you were a good guardian of your card/account information, the method of the transaction (credit card vs. debit card pin transaction vs. check), and whether or not there were unauthorized transactions.
        • Yes, I realise the law hasn't changed any. But that isn't going to stop financial institutions trying to change people's perception of what is happening. As long as they can convince their customers that the problem is theirs, rather than the banks, they can offload responsibility.
    • The government is indifferent to the problem because the banks lob gobs of money at lobbyists who in turn line the pockets of the politicians in the form of perks and outright "contributions." The banks are indifferent because they simply pass along the cost of fraud to their customer in the form of higher fees and reduced services. You can bet your behind that if the banks suffered actual financial losses as a result of fraud the lobbying sailboat would do an immediate tack into "prevention" mode and the
  • IANABanker but I suspect the last thing a financial regulator would want is a massive "voting with one's feet". Anything that has a slight chance of starting a bank run is seen as a danger. That can be one reason there are so little (public and detailed, comparative) data about data theft, card fraud etc. (Which is sad but rather a problem of the system not of the regulators).

    • IANABanker but I suspect the last thing a financial regulator would want is a massive "voting with one's feet". Anything that has a slight chance of starting a bank run is seen as a danger. That can be one reason there are so little (public and detailed, comparative) data about data theft, card fraud etc. (Which is sad but rather a problem of the system not of the regulators).

      Exactly, it's the role of supervisors to deal with such problems, and unless you force every person in the society to have a PhD in statistics and access to the whole financial structure of every bank, it's impossible for the average consumer to take proper decisions on which bank is more exposed to risk then another. Asking consumers to make their decisions on identity theft is like asking car buyers to make their decisions solely based on the quality of the cars wipers, ID theft is just one minor aspect

      • and that's why the financial sector is so expensive. To the public at least and in almost all countries. A big knowitall aganecy telling the little dumb citizen whom to trust, and even if they fail there is always the (knowitall) government to pay the bill - from the pocket of the little citizen.
        The catch is that you have to trust the regulators who are appointed by a government/president elected by representatives/electors elected through a sometimes complicated process by you. Too many leverages there.

        • Re: (Score:3, Interesting)

          by WaZiX (766733)

          and that's why the financial sector is so expensive. To the public at least and in almost all countries. A big knowitall aganecy telling the little dumb citizen whom to trust, and even if they fail there is always the (knowitall) government to pay the bill - from the pocket of the little citizen.
          The catch is that you have to trust the regulators who are appointed by a government/president elected by representatives/electors elected through a sometimes complicated process by you. Too many leverages there.

          Actually, most of the regulations are set by the Basel Committee (The Basel accords), which theoretically should guarantee that there is at any point 99.7% chance that the bank doesn't go bankrupt. What you have to trust are the agencies supervising the applications of those accords. Either way, the banks are the first wishing those rules to be enforced, because failure of on bank usually means crisis in the sector, and problems for every bank. But indeed, risk management is a very costly aspect of banking

  • Banks != Market (Score:3, Insightful)

    by WaZiX (766733) on Tuesday March 04 2008, @04:56AM (#22633550)
    Isn't it the role of supervisors to regulate banks, and NOT the consumer?

    I mean isn't the whole point of being able to call yourself a bank is that you apply to prudential rules set by the government and therefore the consumer doesn't have to ask himself questions whether the bank is safe or not?

    Quite frankly identity theft is a detail compared to other risks the banks are facing, this is why the whole financial market is divided between the banking system (black box supervised by the government) and the markets (where the government just guarantees transparency and it's up to the consumer to make his choices based on the information he is given).

    The problem with disclosing this kind of information is that it sets doubt on the banking system, and the whole banking system relies on trust to function (hence the tight regulation of the banking sector).

    We're not going to ask consumers to assess the risk exposure of banks are we?

  • WaMu victim here (Score:5, Interesting)

    by DigitAl56K (805623) on Tuesday March 04 2008, @07:09AM (#22634120)
    I was hit with identity theft as a WaMu customer last year. I don't know how it happened, I pay for most things in cash and I don't use my card on small/disreputable websites, I use Firefox with NoScript, don't click links in e-mail even when they look legit (always type the URL myself), etc.

    However, I have to say that my experience with WaMu was really bad:

    * They canceled my card while I was displaced during the California wildfires
    * If you call the number on the back of your bank card it's actually extremely hard to work out how to get through to an actual person to talk about card fraud
    * When I did get through to an actual person, using an alternative number they provided me at an actual bank, they tried to forward me to their fraud department. I sat on hold for an hour before deciding to give up and call back later
    * The would not reverse fraudulent charges to my account. They told me that they would send me an affidavit that I would have to sign before they would refund the charges, and then it would take 30 days or more to process. This affidavit never arrived.
    * I had much better luck calling the numbers listed on my statement and getting merchants to refund fraudulent charges
    * WaMu did refund one fraudulent charge eventually

    Short story: If you're a fraud victim at WaMu don't expect them to go out of their way to help you as a customer. You may have better luck taking care of it yourself.

    More recently, I tried to pay off a loan with my WaMu debit card. Big mistake. According to my statement there was a double-charge pending for thousands of dollars. I called WaMu immediately, here is how that conversation went:

    Me: I'm looking at my statement, it looks like there is a double charge for several thousand dollars
    Them: Yes, we do see that, we see one charge has cleared and another pending
    Me: That's an unauthorized charge, and clearly a mistake
    Them: Well, the good news is that it that the money hasn't left your account yet, it is still pending
    Me: Okay, can you stop the charge?
    Them: No. But after it gets charged you could file a dispute with the merchant
    Me: But you just said that the money hasn't left my account yet, and I'm telling you it's unauthorized, so why don't you stop it?
    Them: We can't do that.
    Me: Well that's completely useless then, isn't it?
    Them: Yes, I understand, sorry about that..

    It's not identity theft, per-say, but more indicitive of my experiences with WaMu so far. They don't exactly go out of their way to help you out during a bad situation.

    So, yes, I believe this information should be published, and not only that, each and every customer affected should be questioned as to how well they feel their bank dealt with the situation and as to how secure they feel at their bank. WaMu would not be getting a very high rating from me at all.

    • Re:WaMu victim here (Score:5, Informative)

      by IL-CSIXTY4 (801087) on Tuesday March 04 2008, @08:49AM (#22634730) Homepage

      Them: Yes, we do see that, we see one charge has cleared and another pending

      They should have explained things a little better. When a card is charged, it's a two-step process: authorization and capture. At authorization, they've told the merchant "yes, this transaction can go through and we'll hold the money for you". A merchant can't undo an authorization. The money doesn't get sent until capture, usually a nightly process. If a charge isn't captured within a certain amount of time (24 hours to a few days), the bank rescinds the authorization automatically.

      They should have explained that there was a chance the merchant realized their mistake and wasn't going to capture the funds. If you contacted the merchant and let them know the situation, they probably could have prevented capture too. But, if the charge ended up being captured, you would need to file a dispute.

      As a merchant, this is the way I want things to work. If an authorization goes through, I don't need to wait until I have the money in my account to ship someone their order. If they could back out of an authorization before capture, the authorization would be meaningless and I'd probably see a lot more fraud.

      • Re: (Score:3, Interesting)

        by DigitAl56K (805623)
        Thank you, that is a much clearer explanation than WaMu was able to muster.

        However, even given that explanation, it does appear that simply having a debit card is a severe security risk for any customer - the bank seems to be unwilling to prevent the capture of funds when an account holder flags an authorization as false, and refunding fraudulent transactions may take well over a month. I've never seen any of my debit card transactions blocked for security purposes either - I have only ever received calls q
    • I was with B of A for many years until this happened to me (when I switched to WaMU :\ ):

      I had a check stolen out of my mailbox and, being a college student, they stole all $40 out of my account. After spending the requisite bazillion years on the phone with several shell companies to get the fraud itself straightened out, I visited my friendly B of A.

      "I recently had fraud on my checking account," I told them. "Here's the paperwork proving that this is what happened."
      "Okay," they said, "we first recommend

    • There's a problem with banks and credit cards: with many online merchants, all you need to make a purchase is the card number and expiry date. That wouldn't be too bad, except that most banks issue credit cards in contiguous blocks with the same expiry date. So if you start with a known-good credit card, you can increment or decrement the card number (modulo the Luhn algorithm [wikipedia.org]), keeping the expiry date the same, and get a lot of hits.

      You could keep your card in a lead-sealed box buried under your house a

  • As the large banks have the most customers (re: first post) this would be the obvious conclusion - more potential victims.

    HOWEVER

    I understand the problem differently - the TYPE of people at the bigger banks are MORE likely to be victims because of the mindset they have - they're unwilling to take the difficult steps of preserving personal information!

    In canada, we have a different banking system, there are only five (or six, depending on what you consider as BIG) banks that most everyone uses. Several of
  • As a Sprint customer I have to guess that not only is their billing system UN-auditable but that Sprint doesn't have clear understanding of exactly what monies they collect and from whom. In the 4 years I've been a Sprint subscriber I've thrashed through at least 3 dozen billing errors. If someone wanted to steal identities it couldn't be that hard given the absolute anarchy and dysfunction of their billing system and its interaction with customer service.
  • This sounds to me like a measure of the average customer's IQ, not of banking security. Things like phishing scams are almost entirely outside the bank's control. BTW, this would also explain why Bank of America did so badly. I can't imagine anyone who is capable of doing math would open an account at that place.

    Personally I find this whole focus on "web safety" is overrated. I still see lots of people giving their credit card with signature and photo ID (with DL#, DOB, address, etc.) to minimum wage wo
  • Two years ago I was shopping for a mortgage and contacted BofA. Their rates were high and I passed them by. Then a set of checks arrived from BofA from an account I had not asked them to set up. I called and was told it was a mistake. Then a statement for a saving account appeared and I kept on the phone until I found their security head in my area. It turns out I worked with one of her kids and knew where she lived. I did not state that as a threat but until the veil of anonymity was lift, she was no
  • What percentage of the identity theft cases were done by conning the customer to give their account information to the thief, either by phishing or keyloggers.

    What percentage of the identity theft cases were done by social engineering the banks.

    What percentage of the identity theft cases were done by stealing the date from a 3rd party.

    Without that information the data is pretty much meaningless and usable only for trending analysis by just looking at the number of total cases.
  • AT&T is now a bank? Sprint Nextel?

    I don't insist that the article titles (or summaries) be perfect, but could they at least have SOME relation to the story itself?
  • I used to work at Bank of America. It's run by idiots. So no surprise they come out on top.

    • The guy tried to sell a pair of bikes for 600 dollars, then received a check for 2000 dollars, and tried to cash it in. He then claims he found that suspicious and all, sure he did AFTER THE FACT! It wouldn't look good in court to say "I thought it was my lucky day receiving more then TRIPLE the amount we agreed".

      WHOOOP, WHOOOP, WHOOOP! Red FLAG!

      The article explains that this is part of a scam and you can't scam an honest person. What honest person would believe that someone sends more then 200% of the pr

    • As a Bank of America customer of several years, I wanted to share my experience:
      • I get phished pretty regularly by spam that tries to look like it's from the Bank. The spam doesn't identify me personally. As far as I can tell, this has never resulted in an actual theft or problem -- almost all of it goes straight into my Gmail spam box anyway.
      • ShopSafe is great, but BofA only got it when they merged with MBNA. Citi offers it for certain credit cards, and Paypal has virtual card numbers.

        Back when MBNA was s

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.