I. INTRODUCTION
The FDIC's study on account-hijacking identity theft, entitled Putting an End to Account-Hijacking Identity Theft (FIL-132-2004) was released on December 14, 2004. The study, which presents the FDIC’s findings on unauthorized access to financial institution accounts and how the financial industry and its regulators can mitigate these risks, may be accessed at the following address: http://www.fdic.gov/consumers/consumer/idtheftstudy/index.html.
The FDIC study focused on one area of identity theft that presents particular concern to financial institutions and their customers, i.e., unauthorized access to and misuse of existing asset accounts, primarily through “phishing” and “hacking.” The study refers generically to phishing and hacking as “account hijacking.” Part of the study was devoted to developing an understanding of the extent, breadth and impact of account hijacking and of the extent to which consumers were attributing risk to their use of the Internet to conduct financial transactions. The FDIC study suggested that, left unmitigated, account hijacking would have the effect of slowing the growth of online banking and commerce.
II. STUDY FINDINGS
The common practice among financial institutions of relying on single-factor authentication for remote access to online banking, coupled with the lack of e-mail and Web site authentication, is a vulnerability that fraudsters may take advantage of in order to perpetrate account hijacking. To counter these weaknesses, the FDIC study suggested that financial institutions and government agencies should consider several changes to reduce online fraud. The list of changes includes:
1. Upgrading existing password-based single-factor customer authentication systems to two-factor authentication;
2. Using scanning software to proactively identify and defend against phishing attacks. Further development and use of fraud detection software to identify account hijacking, similar to existing software that detects credit card fraud, may also help to reduce account hijacking;
3. Strengthening educational programs to help consumers avoid online scams, e.g., phishing, that can lead to account hijacking and other forms of identity theft and take appropriate action to limit their liability; and
4. Placing a continuing emphasis on information sharing among the financial services industry, government and technology providers.
III. STUDY SUPPLEMENT
The FDIC’s study supplement on account-hijacking identity theft (FIL-59-2005) serves to supplement its December 14, 2004, study on account-hijacking identity theft. The supplemental study is found at www.fdic.gov/consumers/consumer/idtheftstudysupp/index.html. The supplement serves as: (1) a review of and response to public comments on the original study (see Part 1); (2) a survey of recent trends in identity theft and account hijacking (see Part 2); and (3) a discussion of authentication technologies not covered in the original study (see Part 3).
Two updated findings were made in the supplement:
1. Information security risk assessment should include an analysis to determine whether a financial institution should implement more secure customer authentication methods and the most appropriate methods available, in view of the nature of the institution's business and customer base; and
2. If a financial institution offers Internet banking or any similar product that allows its retail customers access to sensitive customer information, such institution is responsible for securing the delivery channel with a reliable form of multifactor authentication or other layered security so that the security and confidentiality of customer accounts and sensitive customer information are adequately protected.
The Guidance does not propose one solution for all financial institutions, but recognizes that each institution may choose a different solution to address account-hijacking identity theft or may choose a variety of solutions based on the institution’s complexity and the nature and scope of its activities. It notes that study results show that institutions should do more to protect customer security and confidentiality of sensitive information to prevent account hijacking.
Part 2, entitled More-Recent Trends in Identity Theft, discusses, generally, the following topics:
Size of the Problem; Manner of Perpetration; Indirect Costs; Reaction of Banks; Layered Mitigation Approach; Consumer Acceptance of Stronger Authentication; and Examples of Two-Factor Authentication.
Technologies to Mitigate Account Hijacking, covered in particular throughout Part 3, include:
Internet Protocol Address (IPA) Location and Geo-Location; Mutual Authentication; Device Authentication; Non-Hardware-Based One-Time-Password Scratch Card; Trusted Platform Module (TPM) Chip; User-Based Software to Detect Phishing and Fraudulent Web Sites; and Out-of-Band Authentication.
IV. CONCLUSION
Even as technologies are improved to mitigate account hijacking and the schemes that fraudsters employ to perpetrate illegal activities, a “fraud free” electronic banking environment remains elusive. Therefore, financial institutions are advised to remain diligent and to be willing and able to continually update systems and technologies to minimize risks both to themselves and to their customers.