Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official. 
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
Https
The site is secure. 
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
Financial Institution Letter

Identity Theft Study Supplement on "Account-Hijacking" Identity Theft

July 5, 2005
Notes
 
Summary: The FDIC has issued a supplement to its December 14, 2004, study on account-hijacking identity theft (see FIL-132-2004). 

Highlights: 

  • The FDIC's study supplement on account-hijacking identity theft is now available.
  • The supplement reviews and responds to public comments on the original study.
  • The supplement surveys the most recent trends in identity theft in general and account hijacking in particular.
  • The supplement discusses authentication technologies that were not discussed in the study.
  • The supplement presents two updated findings:
    • Information security risk assessment should include an analysis to determine whether the institution needs to implement more secure customer authentication methods and, if so, which methods are the most appropriate; and
    • If an institution offers retail customers access to Internet banking or any similar product that allows access to sensitive customer information, the institution has a responsibility to secure that delivery channel with a reliable form of multifactor authentication or other layered security.
  • The FDIC study supplement can be found on the Web at: www.fdic.gov/consumers/consumer/idtheftstudysupp/index.html .

Continuation of FIL-59-2005 

Distribution: 
FDIC-Supervised Banks (Commercial and Savings) 

Suggested Routing: 
Chief Executive Officer 
Chief Technology Officer 
Chief Information Officer 

Note: 
FDIC Financial Institution Letters (FILs) may be accessed from the FDIC's Web site at www.fdic.gov/news/financial-institution-letters/2005/index.html

To receive FILs electronically, please visit http://www.fdic.gov/about/subscriptions/fil.html

Paper copies of FDIC FILs may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342 or (703) 562-2200).

Financial Institution Letters 
FIL-59-2005 
July 5, 2005 

Identity Theft 
Study Supplement on "Account-Hijacking" Identity Theft 

The Federal Deposit Insurance Corporation (FDIC) has published a supplement to its December 14, 2004, study Putting an End to Account-Hijacking Identity Theft (see FIL-132-2004).

Background and Focus of Supplement 
The supplement was published to review and respond to public comments received about the original study, to survey the most recent trends in identity theft, to discuss authentication technologies that were not discussed in the original study, and to present two updated findings.

Prevalence and Impact of Account Hijacking 
The supplement concludes that identity theft and account hijacking continue to be significant problems for the financial services industry and consumers. Consumers are having more difficulty protecting themselves from identity theft as it continues to evolve in complex ways. Consumers are concerned about online security and may be receptive to using two-factor authentication if they perceive that this method offers improved safety and convenience.

Findings 
Each financial institution may choose a different solution to address account-hijacking identity theft, or each may choose a variety of solutions based on the institution's complexity and the nature and scope of its activities. The FDIC does not intend to propose one solution for all. However, the evidence examined in the supplement and in the study indicates that more can – and should – be done to protect the security and confidentiality of sensitive customer information in order to prevent account hijacking:

  • The information security risk assessment that financial institutions are currently required to perform should include an analysis to determine:
    1. whether the institution needs to implement more secure customer authentication methods, and if it does,
    2. which method or methods make the most sense in view of the nature of the institution's business and customer base.
  • If an institution offers retail customers remote access to Internet banking or any similar product that allows access to sensitive customer information, the institution has a responsibility to secure that delivery channel. More specifically, the widespread use of a user ID and a password for remote authentication should be supplemented with a reliable form of multifactor authentication or other layered security so that the security and confidentiality of customer accounts and sensitive customer information are adequately protected.

The FDIC supplement can be found on the Web at: www.fdic.gov/consumers/consumer/idtheftstudysupp/index.html .

Michael J. Zamorski

Director

Division of Supervision and Consumer Protection

Additional Related Topics:

  • FFIEC Examination Handbook, E-Banking Booklet
  • FFIEC Examination Handbook, Information
  • Security Booklet
  • Internet Banking Fraud, issued in FIL-113-2004 on September 13, 2004
FIL-59-2005
Attachment(s)

Last Updated: July 5, 2005