|Banking industry needs to tackle
The increasing number of people
migrating to the Internet to bank and pay bills has helped spur
the growth of account hijacking, a subset of identity theft that
involves unauthorized access to checking accounts. Gartner Inc.,
a research and advisory firm, calls it the fastest-growing type
of financial consumer fraud in the United States, robbing nearly
two million people of an estimated $2.4 billion in a recent 12-month
The problem of account hijacking may seem relatively small when
compared to overall identity theft, which victimizes 10 million
Americans and steals $50 billion from businesses and consumers annually.
But the speed at which account hijacking is growing could threaten
to undermine whatever faith consumers have in handling banking and
other financial transactions online.
Much of account hijacking is accomplished through
phishing and hacking. Phishing e-mails are fraudulent e-mails that
purport to be from your bank and require you to click on a link
and then enter personal information that enables the scammer to
access your account.
But thanks to fraud tactics such as Trojan horses and keystroke
logging, some phishing scams don't require you to click on a link;
just opening the e-mail can trigger a virus that directs your computer
to a fake page when you type the bank's Internet address. You then
type in your credentials and the bad guy steals them.
"We're seeing more cross-phishing e-mails and Web sites that
actually use parts of the bank's Web site," says David Jevans,
chairman of the Anti-Phishing Working Group. "It looks completely
legitimate. It's disturbing. They're scanning the banks' Web sites
for vulnerabilities and exploiting them."
The Anti-Phishing Working Group keeps track of attacks and says
that the average monthly growth rate in phishing sites from July
2004 through November 2004 was 28 percent. Tracking down the fraudsters
and catching them isn't easy. The average amount of time those sites
stayed online was 6.2 days.
The Federal Deposit Insurance Corporation, which has been the subject
of multiple phishing attacks, says the banking industry's response
to phishing and hacking has been fragmented, and that needs to change.
"Different levels of banks have done different levels of things
to combat this as it arises in the institution," says Michael
Jackson, associate director of consumer protection at the FDIC.
"It's time for the industry as a whole to step up to the plate.
Technology has continued to evolve and the whole industry has not
adjusted to the problem as we'd like to see it. Let's push to another
level. Be proactive, if possible.
"It would be nice to see what works and what works well instead
of some banks may not be doing anything while some do something
and some do more."
However, American Bankers Association spokesman John Hall says
the industry is united in trying to stop account hijacking, and
that institutions of all sizes are working on the problem.
"I understand the FDIC wanting us to get together. We are.
It's hard with 6,000 institutions. As far as one entity trying to
stop it, it's frustrating. It's the same as with bank robberies.
Unfortunately there are people who will try to do this.
"The best thing institutions can do is educate people about
phishing so they don't fall for it. Banks don't look at fraud as
a competitive issue; they work together. We have peer groups on
fraud that share information. All banks are doing something."