The Federal Deposit Insurance Corp., better known as FDIC, was itself the target of an Internet phishing attack last fall while it was conducting a study on identity theft and bank account hijacking schemes. The FDIC said it has been the subject of six separate phishing attacks in the past year, each using sham Web sites and e-mail to steal financial account information.
In a recent study, “Putting an End to Account-Hijacking Identity Theft,” the FDIC examined identity theft, now one of the fastest growing types of consumer fraud, and the ways perpetrators gain access to existing financial accounts. The Federal Trade Commission estimates that in 2003, nearly 10 million Americans discovered they were victims of identity theft.
The FDIC focused on methods used to hijack existing bank accounts, and noted the growing problem of phishing, which happens when people are tricked into giving up personal financial data, such as credit card numbers, bank account information, passwords or Social Security numbers.
Phishing scams use e-mail and fraudulent Web sites to fool victims into thinking their bank or another legitimate business is asking them to update account information online. Phishing Web sites are difficult to shut down because many of the attacks originate overseas and the average life span of a phishing Web site is 2.25 days, according to FDIC.
Analysts have suggested that the rapid rise in Internet phishing attacks poses a threat to consumer confidence, and diminished trust in online transactions will harm all participants in Internet commerce, the study noted.
“Consumers are attributing risk to their use of the Internet to conduct financial transactions, and many experts believe that electronic fraud, especially account hijacking, will have the effect of slowing the growth of online banking and commerce,” the FDIC wrote.
Just as fraud may slow development in online banking and commerce, increased use of online services has helped fraud to proliferate because there are more opportunities for security flaws.
“The increasing access to alternative electronic payment systems means an increasing number of access points to financial institution systems, with each access point representing a pathway for a potential security breach,” the FDIC wrote.
Phishing is only one method. A second method of account hijacking occurs when perpetrators hack into financial institution or service provider computer systems and steal confidential consumer information. The FDIC cited a third method, “dumpster diving” or “shoulder surfing,” in which hard-copy documents are retrieved from the trash or consumers’ passwords are taken by watching over their shoulders at bank machines.
Financial account hijackers also use company insiders to get the confidential information they need to access existing accounts. Spyware is another method used when fraudsters install malicious software on a consumer’s personal computer to collect information such as passwords, user names and account numbers.
“Regardless of the method used to steal confidential information, once the necessary information is in hand, the fraudster’s goal is to gain access to a consumer or business account from which fund transfers can be executed,” the FDIC wrote.
The FDIC cited a recent study of unauthorized transfers from checking accounts, estimating that 1.98 million U.S. adult Internet users had experienced financial account hijacking during the 12 months ending April 2004, and 2.48 million had experienced it prior to that time.
“Another study estimates that illegal checking-account transfers will increase,” the FDIC noted. The illegal transfers currently affect 1.4 percent of U.S. adult Internet users, but some anticipate that figure will rise to 2 percent by the end of 2006.
The FDIC study examined legislative and regulatory responses to the growing problem of identity theft, including the Gramm-Leach-Bliley Act, which established guidelines and standards for safeguarding customer information, and the Fair and Accurate Credit Transactions Act of 2003, which, among other things, requires shortened account numbers on credit card receipts, requires financial companies to institute red-flag programs to detect suspicious patterns on consumer accounts, and requires the three major credit-reporting agencies to provide consumers with one free copy of their credit report once every 12 months.
The Identity Theft Act established identity theft as a federal crime with penalties of up to 15 years’ imprisonment and a maximum fine of $250,000.
The financial services industry has responded to the increase in identity theft by establishing several groups designed to help the industry share fraud information and educate consumers. These include the Financial Services Information Sharing Analysis Center, the Anti-Phishing Working Group, Identity Theft Assistance Corp. and Infragard.
The FDIC also found that several large bank Web sites displayed examples of spoofed e-mails for consumers, toll-free numbers for reporting details of identity theft, links to the FTC and other agencies for help, consumer alerts related to new developments and advice for preventing identity theft.
To mitigate risk associated with account hijacking, the FDIC suggested financial institutions and the government should consider:
- Upgrading existing password-based customer authentication systems that use a single factor to a two-factor authentication;
- Using scanning software to proactively identify and defend against phishing attacks;
- Strengthening educational programs to help consumers avoid online scams, such as phishing, that can lead to account hijacking and other forms of identity theft, and take appropriate action to limit their liability;
- Placing a continuing emphasis on information sharing among the financial services industry, government and technology providers.
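As an added illustration of the “scanning software” recommendation above, the Python below is example code written for this page, not software from the FDIC or from the study, and it runs a handful of defender-side phishing heuristics over a constructed e-mail. The bank domain `examplebank.com`, the brand token, the sender address and every URL in the sample message are invented; the registrable-domain helper is a deliberate approximation (last two labels) that a real deployment would replace with the Public Suffix List.

```python
import re
from urllib.parse import urlparse

# Constructed, hypothetical legitimate domain and brand token for a fictional bank.
LEGIT_DOMAINS = {"examplebank.com"}
BRAND_TOKENS = {"examplebank"}

# Character substitutions commonly used to build lookalike domain names.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def normalize_label(label):
    """Fold homoglyph substitutions so 'examp1ebank' compares equal to 'examplebank'."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Edit distance; a small distance from a legitimate domain is a lookalike signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Crude approximation of the registrable domain: the last two labels.
    Assumption for this example; production code would use the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def score_url(url):
    """Return (score, reasons) for one URL; higher score means more phishing indicators."""
    reasons = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)

    if reg in LEGIT_DOMAINS:
        return 0, reasons  # genuine bank domain, nothing to flag

    if "@" in parsed.netloc:
        reasons.append("text before '@' hides the real host")
    if IPV4_RE.match(host):
        reasons.append("raw IP address instead of a domain name")
    if parsed.scheme != "https":
        reasons.append("plain http for a page asking for account data")

    reg_name = reg.rsplit(".", 1)[0]
    for legit in LEGIT_DOMAINS:
        legit_name = legit.rsplit(".", 1)[0]
        if normalize_label(reg_name) == legit_name:
            reasons.append(f"homoglyph lookalike of {legit}")
        elif 0 < levenshtein(reg_name, legit_name) <= 2:
            reasons.append(f"near-miss spelling of {legit}")
    for brand in BRAND_TOKENS:
        if brand in host:
            reasons.append(f"brand name '{brand}' used inside an unrelated domain")
    return len(reasons), reasons


def scan_email(text):
    """Score the sender domain and every URL in the message body."""
    findings = {}
    sender = re.search(r"^From:.*?@([\w.-]+)", text, re.MULTILINE)
    if sender:
        findings["sender:" + sender.group(1)] = score_url("https://" + sender.group(1) + "/")
    for url in URL_RE.findall(text):
        findings[url] = score_url(url)
    return findings


def verdict(text, threshold=2):
    """'suspicious' if any link or the sender reaches the indicator threshold."""
    findings = scan_email(text)
    worst = max((score for score, _ in findings.values()), default=0)
    return "suspicious" if worst >= threshold else "clean"


# Constructed sample message in the style the study describes (not a real e-mail).
SAMPLE_EMAIL = """\
From: "ExampleBank Security" <alerts@examplebank-support.net>
Subject: Urgent: verify your account within 24 hours

Dear customer, unusual activity was detected. Confirm your details at
http://examp1ebank.com/verify or http://examplebank.com.account-verify.net/login
Legitimate help: https://online.examplebank.com/security
"""

if __name__ == "__main__":
    for item, (score, reasons) in scan_email(SAMPLE_EMAIL).items():
        print(score, item, reasons)
    print("verdict:", verdict(SAMPLE_EMAIL))
```

The scoring is additive and intentionally simple: a genuine bank host scores zero, while a homoglyph domain served over plain http, or a brand name buried in someone else's domain, crosses the threshold. The useful design point for a bank's mail gateway is that the checks key on the registrable domain rather than on the visible link text, which is what the spoofed messages in the study rely on.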