Judging by their marketing, banks’ IT firewalls are as impregnable as the thick lead that lines their vaults. But
in reality, banks fight a constant war against identity theft.
Unfortunately, they don’t win every battle. So your personal vigilance is by far the bank’s best safeguard against a security breach.
“Identity thieves are constantly looking for new ways to steal money. Since banks are where the money is, they are, and probably always will be, the primary targets of thieves,” said Baker & Daniels LLP partner Joan Antokol, who chairs her firm’s privacy and data management group. “Because identity thieves are increasingly organized and sophisticated, it is likely that they will look for and continue to find new ways to exploit security vulnerabilities to allow them access to bank accounts.”
About 2 million Americans annually are victims of bank fraud, Antokol said. Their average loss is $1,200. And because most businesses hold larger balances than individuals, they’re increasingly the target.
In Indiana, there were 4,598 identity theft complaints last year, according to the Federal Trade Commission. Of those, 822 involved credit card fraud. Another 487 were for checking and savings account or electronic fund transfer fraud. And 176 involved fraudulent loans.
When it comes to identity theft, the old adage about an ounce of prevention being worth a pound of cure truly applies. Banks spend millions to establish data safeguards that ensure their servers will be nothing but big electronic bricks if they’re ever physically stolen.
But only customer education can completely thwart crooks, said Reagan Rick, regional president of Milwaukee-based M&I Bank. That’s because many scams trick bank customers into unwittingly giving away the electronic keys to their accounts.
Rick and his colleagues regularly hold security seminars for bank clients or speak to neighborhood groups about why it’s important to shred bank statements. It’s good business, and not just for customers. Identity theft raises banking costs for everyone—not only its victims.
“It’s one of those issues where, if everybody is conscious of it and works to prevent people from [fraudulently] obtaining information, you keep a lot of unnecessary cost from the system,” Rick said. “It’s one of those costs where you don’t think it will hit you [individually], but it hits you broadly because it’s passed back broadly.”
To understand why banks get a better bang for their buck by emphasizing prevention over prosecution, consider Indiana’s recent decision to step up its efforts against identity theft.
This spring, the General Assembly enacted Public Law 137, which formally established an identity theft unit in the Indiana Attorney General’s Office. Its challenge—and results so far—show what banks are up against.
The identity theft unit was formed internally in 2008. Since its resources include just two attorneys and a pair of paralegals, much of its work focuses on coordinating collaboration among federal authorities, postal inspectors, local police and county prosecutors. Indiana’s new law granted the unit subpoena authority to help it gather information more quickly.
In 2008, the identity theft unit opened 359 case files, all originated by consumer complaints, said Deputy Attorney General Chuck Taylor, who oversees the unit. Another 261 were opened between January and July this year. The unit has enjoyed most of its success helping victims clean up their credit, closing 226 cases last year and another 228 this year.
But only about 20 percent resulted in a suspect’s being identified. Just 15 led to arrests.
That’s why much of the identity theft unit’s mission is educational. It counsels banks to take extra steps confirming the identity of patrons. And it guides consumers to be extraordinarily careful with personal information, like Social Security numbers.
“Protect [personal information] as if it was a $1,000 bill. Don’t just give it to anybody,” Taylor said. “Make sure it’s something they really need.”
Personal attention is even more necessary than most consumers realize. That’s because banks don’t protect depositors nearly as much as most people assume, Antokol said. The FDIC’s $250,000 protection applies in the event of a bank’s insolvency, she said, but doesn’t cover fraud.
And identity theft scams can occur anywhere. Antokol pointed to the DefCon security conference in August at the Riviera Casino Hotel in Las Vegas, attended annually by 8,000 security industry leaders. During the conference, she said, an attendant noticed a suspicious ATM in a portion of the hotel not monitored by security cameras. Turns out the ATM had been installed by thieves who allowed unsuspecting users to withdraw cash. Meanwhile, the ATM was copying their account and personal identification number for plundering later.
Antokol is particularly concerned about the risk of identity thieves’ secretly installing key-logging spyware on individual computers that obtains passwords when users log on to bank Web sites. Other scams involve “phishing” solicitations for personal information via e-mail, or “vishing” scams over the telephone.
Citing figures from Bedford, Mass.-based electronic security firm RSA, she noted that the largest amount of identity theft—up to 50 percent—occurs at regional banks. Credit unions endure the lowest amount of fraud.
“Thieves work day and night to steal identities and account information, as well as any other credentials that they can monetize,” she said.
The best defense is personal vigilance. Antokol counsels bank customers to never share personal information, even if the request seems to originate from your bank. That sort of verification is only legitimate in response to a banking request you’ve initiated yourself.
She also advises never to use public computers to conduct online banking, and to use credit cards rather than debit cards at gas stations, or pay cash. Whenever possible, she said, use ATMs at banks rather than in public locations. And both businesses and consumers should review all banking statements for accuracy. Any improprieties should be reported to the bank at once.
Taylor, the deputy attorney general, has similar advice.
“Typically, if you’re talking about how information becomes compromised, it could be a lost wallet or someone who’s careless with giving out information on the Internet or … over the telephone,” Taylor said. “When that happens, the bank’s not at fault. The consumer needs to be more prudent.”•