Despite incidents such as the US$22 million (NZ$33 million) in losses suffered by E-Trade Financial and TD Ameritrade from online identity fraudsters, the problem of online identity theft is vastly overhyped when compared with its more prevalent offline equivalent, according to one analyst group.
The two leading US-based online stock brokerages have admitted that overseas hackers used software to steal personal customer data to access and create trading accounts as part of a stock fraud scheme.
While keylogging software, phishing emails and hackers who break into customer databases may dominate headlines, more than 90% of identity fraud starts off conventionally, with stolen bank statements, misplaced passwords or other similar means, according to Javelin Strategy & Research.
“An insignificant portion of identity fraud actually starts with the internet,” says James Van Dyke, president of Javelin, who points out that many firms still rely on simple security questions such as one’s mother’s maiden name. “The internet always grabs the headlines, but it is individuals who are close to the victims, such as family and friends, who are doing most of it.”
Javelin has polled 5,000 consumers by telephone for the past three years. Extrapolating from that sample, it estimates that identity fraud in all its forms resulted in US$56.6 billion in losses last year.
While fraudsters often use the internet to access existing bank, phone or brokerage accounts or to create new ones using stolen details, in only one out of ten of those incidents did the actual theft of the personal data take place through email, the web or somewhere else on the internet, according to Javelin.
“No matter how you slice the data, it’s really hard to arrive at a scenario where the internet could be the source of the majority of identity fraud,” Van Dyke says.
Neither are US bank customers the most frequent global targets of the most common form of online identity theft, phishing attacks. Statistics from McAfee show that more than half of all recent phishing attacks involve emails masquerading as VolksBank, a German bank, with another quarter targeting customers of UK bank, Barclays.
Van Dyke says US financial institutions, by and large, are taking the right steps to protect themselves and customers from identity fraud.
According to a report released this month, more than half of the 24 leading US financial institutions surveyed met Javelin’s criteria for good policies for detecting identity fraud. That’s up from a third who won praise for their efforts in 2005.
Policies that “deputise the customer”, such as letting customers set email or phone alerts when their account status or personal information changes, or allowing them to opt out of paper statements sent by mail, aid in customer self-detection and reduce proven risks, Van Dyke says.
Bank of America was ranked the safest bank, followed closely by JP Morgan Chase & Co Washington Mutual, according to Javelin’s “Banking Identity Safety Scorecard”.
E-Trade, which says it has lost US$18 million to fraud, was ranked 17th. TD Ameritrade, which lost US$4 million to ID fraud, was not ranked.
TD Ameritrade’s CIO, Jerry Bartlett, agrees that eliminating risk on the consumer side is paramount. The online brokerage offers free downloadable software so customers can scan for and eliminate data-snooping programs. It also lets customers set email alerts when money transfers are requested or personal account details are changed.
But Bartlett is unsure whether conventional identity theft really is a much bigger problem than online fraud.
“We know from experience that there is a lot of sharing of user IDs and passwords. And once you begin sharing them and writing them down, you lose control of them,” Bartlett says. “But I’m not sure if regular fraud is an order of magnitude larger than online fraud.”