Banks work to protect electronic records from identity theft

  • Comments
  • Print

Judging by their marketing, banks’ IT firewalls are as impregnable as the thick lead that lines their vaults. But
in reality, banks fight a constant war against identity theft.

Unfortunately, they don’t win every battle.
So your personal vigilance is by far the bank’s best safeguard against a security breach.

thieves are constantly looking for new ways to steal money. Since banks are where the money is, they are, and probably always
will be, the primary targets of thieves,” said Baker & Daniels LLP partner Joan Antokol, who chairs her firm’s
privacy and data management group. “Because identity thieves are increasingly organized and sophisticated, it is likely
that they will look for and continue to find new ways to exploit security vulnerabilities to allow them access to bank accounts.”

About 2 million Americans annually are victims of bank fraud, Antokol said. Their average loss is $1,200. And because
most businesses hold larger balances than individuals, they’re increasingly the target.

In Indiana, there
were 4,598 identity theft complaints last year, according to the Federal Trade Commission. Of those, 822 involved credit card
fraud. Another 487 were for checking and savings account or electronic fund transfer fraud. And 176 involved fraudulent loans.

When it comes to identity theft, the old adage about an ounce of prevention being worth a pound of cure truly applies.
Banks spend millions to establish data safeguards that ensure their servers will be nothing but big electronic bricks if they’re
ever physically stolen.

But only customer education can completely thwart crooks, said Reagan Rick, regional president
of Milwaukee-based M&I Bank. That’s because many scams trick bank customers into unwittingly giving away the electronic
keys to their accounts.

Rick and his colleagues regularly hold security seminars for bank clients or speak to neighborhood
groups about why it’s important to shred bank statements. It’s good business, and not just for customers. Identity
theft raises banking costs for everyone—not only its victims.

“It’s one of those issues where,
if everybody is conscious of it and works to prevent people from [fraudulently] obtaining information, you keep a lot of unnecessary
cost from the system,” Rick said. “It’s one of those costs where you don’t think it will hit you [individually],
but it hits you broadly because it’s passed back broadly.”

To understand why banks get a better bang
for their buck by emphasizing prevention over prosecution, consider Indiana’s recent decision to step up its efforts
against identity theft.

This spring, the General Assembly enacted Public Law 137, which formally established an
identity theft unit in the Indiana Attorney General’s Office. Its challenge—and results so far—show what
banks are up against.

The identity theft unit was formed internally in 2008. Since its resources include just two
attorneys and a pair of paralegals, much of its work focuses on coordinating collaboration among federal authorities, postal
inspectors, local police and county prosecutors. Indiana’s new law granted the unit subpoena authority to help it gather
information more quickly.

In 2008, the identity theft unit opened 359 case files, all originated by consumer complaints,
said Deputy Attorney General Chuck Taylor, who oversees the unit. Another 261 were opened between January and July this year.
The unit has enjoyed most of its success helping victims clean up their credit, closing 226 cases last year and another 228
this year.

But only about 20 percent resulted in a suspect’s being identified. Just 15 led to arrests.

That’s why much of the identity theft unit’s mission is educational. It counsels banks to take extra steps
confirming the identity of patrons. And it guides consumers to be extraordinarily careful with personal information, like
Social Security numbers.

“Protect [personal information] as if it was a $1,000 bill. Don’t just give
it to anybody,” Taylor said. “Make sure it’s something they really need.”

Personal attention
is even more necessary than most consumers realize. That’s because banks don’t protect depositors nearly as much
as most people assume, Antokol said. The FDIC’s $250,000 protection applies in the event of a bank’s insolvency,
she said, but doesn’t cover fraud.

And identity theft scams can occur anywhere. Antokol pointed to the DefCon
security conference in August at the Riviera Casino Hotel in Las Vegas, attended annually by 8,000 security industry leaders.
During the conference, she said, an attendant noticed a suspicious ATM in a portion of the hotel not monitored by security
cameras. Turns out the ATM had been installed by thieves who allowed unsuspecting users to withdraw cash. Meanwhile, the ATM
was copying their account and personal identification number for plundering later.

Antokol is particularly concerned
about the risk of identity thieves’ secretly installing key-logging spyware on individual computers that obtains passwords
when users log on to bank Web sites. Other scams involve “phishing” solicitations for personal information via
e-mail, or “vishing” scams over the telephone.

Citing figures from Bedford, Mass.-based electronic
security firm RSA, she noted that the largest amount of identity theft—up to 50 percent—occurs at regional banks.
Credit unions endure the lowest amount of fraud.

“Thieves work day and night to steal identities and account
information, as well as any other credentials that they can monetize,” she said.

The best defense is personal
vigilance. Antokol counsels bank customers to never share personal information, even if the request seems to originate from
your bank. That sort of verification is only legitimate in response to a banking request you’ve initiated yourself.

She also advises never to use public computers to conduct online banking, and to use credit cards rather than debit
cards at gas stations, or pay cash. Whenever possible, she said, use ATMs at banks rather than in public locations. And both
businesses and consumers should review all banking statements for accuracy. Any improprieties should be reported to the bank
at once.

Taylor, the deputy attorney general, has similar advice.

“Typically, if you’re
talking about how information becomes compromised, it could be a lost wallet or someone who’s careless with giving out
information on the Internet or … over the telephone,” Taylor said. “When that happens, the bank’s
not at fault. The consumer needs to be more prudent.”•

Please enable JavaScript to view this content.

Story Continues Below

Editor's note: You can comment on IBJ stories by signing in to your IBJ account. If you have not registered, please sign up for a free account now. Please note our updated comment policy that will govern how comments are moderated.