This lack of information means that customers cannot compare security concerns among banking institutions, says the study, conducted by Chris Hoofnagle, a senior fellow with the Berkeley Center for Law and Technology in California.
By eliminating that type of competition, financial institutions do not feel marketing pressure to devise methods to better protect their customers from fraud, the study determines.
Hoofnagle said he decided to research this issue so customers would be able to consider a bank based on its data security.
“I'm interested in fostering competition among banks for the prevention of identity theft,” he said. “Currently, banks compete through commercials, which do not provide meaningful information about which institutions are most vulnerable to the crime.”
Hoffnagle used the Freedom of Information Act to obtain data submitted by victims in 2006 to the Federal Trade Commission, Hoofnagle said in the report. He found that some banks have a far greater incidence of identity theft than other types of businesses.
“Phishing attacks are out for financial gain, making any e-commerce site attractive for phishers,” said Chenxi Wang, principal analyst for security and risk management at Forrester Research.
But Wang said a select few stand out. She cited the Anti-Phishing Working Group's recent findings that 80 percent of phishing attacks target just 12 brand names, and at the top of the list are some of the biggest financial institutions.
According to Hoofnagle's report, HSBC ranked first with 21.3 incidents of ID theft per billion in deposits, followed by Bank of America, Washington Mutual, Wells Fargo and JP Morgan/Chase. Telecommunications giants AT&T and Sprint/Nextel also ranked high in the list.
“The criminals keep finding new ways to rob consumer bank accounts by stealing their account credentials using increasingly surreptitious methods,” said Avivah Litan of Gartner. “They have moved beyond relatively-easy-to-spot phishing attacks, and developed attack methods that use malware planted on user PCs, which most consumers are unaware of. This malware captures consumer keystrokes, giving criminals their user IDs and passwords, and sometimes even their bank account numbers.”
Banks and other businesses can do more to protect their customers from identity fraud, experts agree. How to protect customers depends on when the fraud takes place.
“In new account fraud, attention should focus on customer authentication, that is, providing that the customer is who she says she is,” said Hoofnagle. “In account takeovers, such as a credit card fraud, there needs to be a better way to prove that the person in possession of the card has authority to use it. Adding a PIN to a credit card would be one way of doing this.”
Customers should also look out for themselves, said Wang.
“When using a banking site, look at the certificate to make sure the site is authentic, and keep virus protection up-to-date,” she said.