Banks take on the ID theft challenge: financial institutions are stepping up their efforts to protect customer identity and account information, trying to stay ahead of criminals who are using new technologies as well as old techniques to defraud banks and their customers

RMA Journal, The, Oct, 2004 by Phillip J. Britt

Zachary Keith Hill used fake e-mails and Web sites to steal 473 credit card numbers and 152 sets of bank account and bank routing numbers. Using that information, he stole $47,000 in goods and services. The case was settled earlier this year, and Hill received a 46-month prison sentence.

John Smith (not his real name) knows some of the workers for a large employer. One payday, Smith tells one of the workers that he's doing a study on checks and asks to have the check "for a minute," offering the car he's driving as security.

Smith copies the check using a handheld scanner. The next day Smith and his cohorts cash copies of the check at several of a bank's branches, taking between $10,000 and $30,000 in the scare. By the afternoon, Smith's check ring is flying to another city to perpetrate the same fraud.

The preceding anecdotes are just two examples of how scam artists are targeting banks and their customers to steal untold billions of dollars annually.

Identity theft is growing at an estimated 25% annually, according to Financial Insights, and accounts for more than 40% of consumer complaints to the Federal Trade Commission. The FDIC is compiling its own report on identity theft and fraud. The report should be finalized in the fourth quarter, says Sandra L. Thompson, deputy director of the FDIC's Division of Supervision and Consumer Protection.

Identity theft is usually the first step for a fraudster attempting to defraud banks and their customers through check kiting, check forgery, bogus credit and debit card charges, and a host of other schemes.

"Never has the financial services industry faced as prominent or widespread a fraud threat to its customers as identity theft," says Catherine A. Allen, CEO of BITS, the technology group for The Financial Services Roundtable. According to Celent Communications, identity theft is projected to cost U.S. financial institutions as much as $8 billion annually by 2005, and 48% of that amount will likely be from direct loss from fraud.

In late summer 2004, BITS and The Financial Services Roundtable launched the Identity Theft Assistance Center (ITAC) to help victims of identity theft. The nation's 48 largest financial institutions--there were 50 before recent mergers--were invited to join the effort.

Actual losses are probably much higher than the Celent Communications estimate, according to Bob Cofod, president of BANKDetect, which sells transaction analysis software that attempts to help users detect fraud attempts. Automated pattern analysis can quickly detect indications of most fraud scares. But many banks are still living in the past and think that write-offs for fraud losses are just a cost of doing business. This "acceptance" attitude helps perpetuate vulnerabilities that are pretty high risk in today's environment, Cofod says.

Beyond actual monetary losses, there are reputation risks to banks that become victims of identity theft. "An attack on any one bank can erode trust in other financial institutions," says Brian McGinley, head of loss management for $418 billion Wachovia Corp. "A large number of major banks have been victims of phishing and Web spoofs," he says.

Banks are one of the largest targets of phishing schemes, which, like the opening example of Zachary Hill, use seemingly legitimate e-mail messages and Web sites to deceive consumers into disclosing sensitive data, such as bank account information, Social Security numbers, credit card numbers, passwords, and personal identification numbers.

In most phishing schemes, the fraudulent e-mail message will request that recipients "update" or "validate" their financial or personal information in order to maintain their accounts, then direct them to a fraudulent Web site that may look very similar to the Web site of the legitimate business. These Web sites may include "spoofed" pages from legitimate Web sites to further trick consumers into thinking they are responding to a bona fide request.

For example, a phishing attack that targeted U.S. Bank customers in May consisted of an e-mail with an official-looking U.S. Bank logo and the following message: "During our regular update and verification of Internet Banking Accounts, we could not verify your current information. Either your information has been changed or it is incomplete. As a result, access to our services has been limited. Please update your information."

The e-mail then provides the unsuspecting user with a link that, like the logo, looks legitimate but is operated by the criminal, not the bank.

U.S. Bank isn't alone in attempting to ward off these attacks. While a relatively new type of fraud, phishing has grown quickly, both in actual cases and in capturing national attention.

While large banks tend to be the targets of many of these scams, they also have the most sophisticated defenses, Cofod says, adding that ever-smaller banks are contacting his company because they are finding themselves battling fraud challenges that earlier targeted only larger financial institutions.