By Jonathan Stempel

Even as banks and regulators step up efforts to thwart identity theft
over the Internet, the worry that fraudsters remain one step ahead is
convincing many Americans that banking online is too risky.

At an identity theft forum in New York on Tuesday, security and policy
experts said banks are taking appropriate steps to stop online
criminals, but that their best efforts -- and consumers' own vigilance
-- may not be enough.

"Consumers can do everything right -- not give out passwords or
financial information -- and still become victims," said Susanna
Montezemolo, a policy analyst at Consumers Union, in an interview.

An October survey commissioned by Internet security company Entrust
Inc. and released at the forum found that 18 percent of Americans who
have banked online now do so less, or not at all, because of security
concerns. Ninety-four percent say they're willing to accept extra
online security protections.

The survey was conducted around the time the Federal Financial
Institutions Examination Council ordered banks to tighten online
access by late 2006.

The council, composed of U.S. regulators including the Federal Reserve
and Federal Deposit Insurance Corp., expects banks to require at least
two forms of authentication when the risks of online breaches are too
high. The second form can include smart cards, tokens that generate
random passwords, or biometrics that identify fingerprints or

Some 10 million Americans are ID theft victims each year, the Federal Trade

Congress is considering national standards to fight ID theft. Michael
Oxley (R-Ohio), chairman of the House Financial Services Committee,
said victims of ID theft spend an average 90 hours and $1,700
resolving the problem.

ID THEFT METHODS PROLIFERATE

Perhaps the best known form of online theft is "phishing." This is
where criminals send e-mails asking prospective victims to verify
personal information through links to real-looking Web sites. There
were 13,776 distinct phishing attacks in August, according to the
Anti-Phishing Working Group. "Not only do they ask you to 'confirm'
your identity, but they also offer you bogus, fake 'banks' to use if
you do fall for their deception."

Fraudsters soon graduated to spyware and keylogging, where they
monitor prospective victims' Web use and keystrokes.

This year, security experts have seen a surge in "pharming." This is
where criminals redirect user traffic at legitimate Web sites to
fraudulent sites or proxy servers, without any overt indication they
are doing so.

"Spyware, keyloggers and pharming are really growing," said Michael Jackson,
associate director of technology supervision at the FDIC, in an interview.
"Banks could step it up a notch in terms of security, which is why we have

Still, in banking, traditional forms of theft such as check fraud
remain more prevalent than online theft.

Consumers, moreover, complain about cumbersome security procedures.
Tuesday's survey showed 81 percent don't want to pay for extra online

Consumers Union's Montezemolo said computer users should make sure
their online connections are secure, vary the identifying information
they use on accounts, and not work with their accounts on shared

She also urged banks not to share client information among affiliates,
and not assign such obvious data as Social Security numbers as default

"They'll never have 100 percent control," she said. "But we need to
empower consumers to opt out on whether information is used, and give
them tools to take more control."

InfoSurv Inc. conducted the online survey of 710 people for Addison,
Texas-based Entrust during the week of October 17. The margin of error
is plus or minus 3 percentage points.

Copyright 2005 Reuters Limited.
[TELECOM Digest Editor's Note: One of the major banks, Bank of
America, has considered having a picture (a .jpg perhaps?) of the
customer on line to help 'prove his identity', so that if a phisherman
comes along asking you to do something allegedly for BOA, _your_
picture will have to be part of whatever _authentic_ request is made
by the bank. All well and good, I suppose, but what prevents the
phisherman from adding the same .jpg files to his pitch letters? PAT]