How to Curb ID TheftBanks Must Play a Role in Identity Protection
Now, however, fraudsters have perfected ID theft by connecting dots of consumer information from numerous sources, such as Facebook profiles, cell phone records, snail-mail addresses and e-mail accounts.
As a bonus, many cyberfraudsters have made connecting dots even easier by socially engineering information out of consumers and employees at banks and cell phone companies. Once account and log-in details are revealed, fraudsters have all they need to assume new identities, perpetrate fraud and snag thousands upon millions of dollars. It's child's play ... well, sort of.
We can only make assumptions, since most victims have no clue where they lost control.
I read last week that even Sean Combs, better known as simply P Diddy, took a hit from the ID theft bug. The rapper has now reportedly hired a team of so-called ID theft experts to help track down the identity-snatchers who have subsequently launched a full force assault against his rep and his network of close contacts - a network, by the way, the attackers gained access to after hacking into P Diddy's phone.
Ah, it's a classic tale. And, like most victims of ID theft, neither the victim nor any of his affiliates, such as the cell phone carrier or the bank, has any idea whom to blame. Chances are, they'll never know.
Law enforcement is taking ID theft crimes seriously. And this month's takedown in New York of a well-orchestrated international skimming ring proves that international collaboration and attention from domestic enforcement agencies are helping narrow the gap between ID theft and prosecution. [See Biggest ID Theft Bust in History.]
But the chasm remains wide, and most industry pundits say we're only investigating and catching a handful of the fraud events and incidents that ultimately result in ID theft.
This week the Identity Theft Assistance Center issued results from an informal consumer study it conducted among its membership. About 2,700 U.S. victims of ID theft participated in the survey, and the most striking trend ITAC gleaned from the results is that the vast majority, nearly 70 percent, has no idea how their identities were stolen.
Of the 760 or so victims who did know how their identities were taken, more than 25 percent linked their compromises to a cyberattack or socially engineered scheme, such as phishing.
Here's a breakdown of the known cases:
- Computer hacker/ virus/ phishing: 26.95%
- Other: 25.23%
- Lost or stolen wallet, checkbook or credit card: 16.64%
- Data Breach: 10.04%
- Friends, relatives, in-home employees: 7.66%
- Mail [stolen or fraudulent address change]: 4.89%
- Corrupt business or employee: 4.62%
Cyberattacks, not surprisingly, are identified by most victims as being the culprits. But that is only among victims who knew how they were compromised.
Low-tech schemes, like snail-mail fraud, are more often the links that trace victims back to identity compromises. But we can only make assumptions, since most victims have no clue where they lost control.
In the ITAC survey, most aren't sure if their phones had been hacked, their bank account credentials compromised or if neighbors or family members somehow gained access to their Social Security numbers. With no idea where the trail began, it's challenging, at best, for law enforcement to trace the steps.
This is where banks and credit unions have a role to play: They must provide more customer education about the lures fraudsters use to compromise bank accounts, and ultimately identities.
The need for stronger customer and member education campaigns is one of the tenets of the Federal Financial Institutions Examination Council's new online authentication guidance.
As financial institutions work to develop their compliance strategies between now and the end of the year, they should focus customer and member education efforts on retail and commercial accounts.
The FFIEC notes five areas where banks and credit unions can improve accountholder education:
- Provide an explanation of protections provided, and not provided, for bank accounts under Reg E;
- Tell customers and members under what circumstances and through what means they will be asked by their financial institutions to provide banking details credentials;
- Suggest that commercial customers perform internal risk assessments;
- Provide a list of alternative risk control mechanisms that customers may consider to mitigate their own risk, or give customers and members resources, such as information about groups like the ITAC, where they can find more information;
- Give customers and members lists of institutional contacts they can reach out to in the event suspicious account activity is noticed or if security is known to have been breached.
The industry cannot ignore the trends. In fact, financial institutions have been mandated to take a stand here. Most financial fraud links back, in one way or another, to ID theft, and that makes it a problem every financial-services provider and institution needs to worry about.