Identity Theft Study Supplement on "Account-Hijacking" Identity Theft

The Federal Deposit Insurance Corporation (FDIC) has published a supplement to its December 14, 2004, study Putting an End to Account-Hijacking Identity Theft (see FIL-132-2004).

Background and Focus of Supplement

The supplement was published to review and respond to public comments received about the original study, to survey the most recent trends in identity theft, to discuss authentication technologies that were not discussed in the original study, and to present two updated findings.

Prevalence and Impact of Account Hijacking

The supplement concludes that identity theft and account hijacking continue to be significant problems for the financial services industry and consumers. Consumers are having more difficulty protecting themselves from identity theft as it continues to evolve in complex ways. Consumers are concerned about online security and may be receptive to using two-factor authentication if they perceive that this method offers improved safety and convenience.

Findings

Each financial institution may choose a different solution to address account-hijacking identity theft, or each may choose a variety of solutions based on the institution's complexity and the nature and scope of its activities. The FDIC does not intend to propose one solution for all. However, the evidence examined in the supplement and in the study indicates that more can – and should – be done to protect the security and confidentiality of sensitive customer information in order to prevent account hijacking:

- The information security risk assessment that financial institutions are currently required to perform should include an analysis to determine:
  - whether the institution needs to implement more secure customer authentication methods, and if it does,
  - which method or methods make the most sense in view of the nature of the institution's business and customer base.
- If an institution offers retail customers remote access to Internet banking or any similar product that allows access to sensitive customer information, the institution has a responsibility to secure that delivery channel. More specifically, the widespread use of a user ID and a password for remote authentication should be supplemented with a reliable form of multifactor authentication or other layered security so that the security and confidentiality of customer accounts and sensitive customer information are adequately protected.

The FDIC supplement can be found on the Web at: www.fdic.gov/consumers/consumer/idtheftstudysupp/index.html.

Michael J. Zamorski
Director
Division of Supervision and Consumer Protection