INDUSTRY REPORT
Financial Institutions Unwitting Accomplices of ID Thieves

Financial services companies might be unwitting contributors to the nation's identity theft problem, according to a report from Forrester Research in Cambridge, Massachusetts.

The Federal Trade Commission (FTC) estimates that identity theft costs American businesses US$50 billion to $60 billion a year. "Despite this clear threat to their business, firm efforts to fight these scams are anemic," Forrester analyst Jonathan Penn wrote in a summary of the report obtained by TechNewsWorld.

According to the FTC, 56 percent of identity theft incidents are related to banking activities. "Financial firms have yet to learn that their current practices actually contribute to the effectiveness of identity theft and fraud scams," Penn points out.

"Phishing attacks are successful because the messages look like they're from legitimate companies," he continued. "And they contain what seem like plausible requests."

Penn argued that if financial services companies never asked for personal information in unsolicited communications, then consumers would be suspicious when receiving them and phishing attacks would be far less successful.

He maintained that financial services firms are in denial over their role in the identity theft problem.

Victims Jump Through Hoops

"When it comes to custodianship of data, financial firms continue to let shortsighted self-interest guide business decisions that have long-term effects on the protection of accounts and on customers' perception of the firm's brand," Penn wrote. "Financial institutions simply do not own up to their role in enabling identity theft."

The Forrester analyst also was critical of the treatment of ID theft victims by financial institutions.

While some banks are setting up fraud hotlines and helping consumers report identity theft to law enforcement and credit authorities, he noted, others have stopped assuming responsibility for fraud resulting from identity theft or making victims jump through hoops to recoup their losses in a timely manner.

"Assisting identity theft victims with reporting is commendable," Penn observed, "but ends up being of little comfort if remuneration isn't forthcoming."

Those issues have less to do with security than customer satisfaction, observed Jahan Moreh, chief security architect for Sigaba in San Mateo, California.

"Every bank has to make a decision on that," he told TechNewsWorld. "It's a business decision. If my bank stopped assuming such responsibility, would I be pissed off? Probably."

Small Part of Problem

Some information security experts argued that Forrester's report was focusing on only a small part of the identity theft problem.

"The majority of identity theft doesn't occur through e-mails that are phishing related," Prat Moghe, founder and CEO of Tizor Systems in Boston, told TechNewsWorld.

"The majority of identity theft is really about stored information," he said. "There are terabytes and terabytes of information at risk."

"This report paints one part of the picture, but there's a lot more," he continued. "And if you look at it in terms of the amount of risk, the other parts contribute significantly more to the problem of identity theft."

Behind the Curve

Jim Melvin, president and CEO of Mazu Networks in Cambridge, Massachusetts, had even stronger criticism of the Forrester analysis.

"I think they're behind the curve on this," he told TechNewsWorld. "There's no question that the issues pointed out in the report are real, but we're seeing the high end of the market, and even some of the mid-tier market players, responding to this pretty aggressively."

"A lot has changed in the last two to four quarters with regards to the technologies available to counter these problems," he said. "And we've seen a dramatic uptick in our business to protect mission-critical or customer data on these financial networks."

"People are taking this very seriously right now," he added. "There's a lot of budget flowing with regards to solving these problems and that's being met with technologies that help customers really get their arms around this problem."

But Forrester contends that back-office efforts alone aren't enough.

"You cannot fight identity theft effectively through a security effort alone," Penn wrote. "It requires cooperation at a systematic level and can't be an isolated endeavor of back-office security staffers."