At last, some light has been shed on the shadowy subject of identity theft and how the finance industry and its regulators can fight it. Last December's report into countering identity theft by the Federal Deposit Insurance Corporation (FDIC) provides much-needed guidance for the finance industry, at a time when it is more in need of advice than ever.
But its key stipulation – two-factor authentication will provide a security panacea in the face of phishing, hacking attacks and people searching through garbage cans – still leaves a full solution to the problem waiting in the wings.
On December 14, 2004, the FDIC released its report into unauthorized access to financial institution accounts, and how the financial industry and its regulators can mitigate these risks. Putting an End to Account-Hijacking Identity Theft comes at a time when virtually every financial institution is rethinking its requirements for remote customer authentication. The industry is starved for guidance in this area.
The promise of two-factor security
The report explains the types of attacks that are occurring, gives background from various sources as well as citing statistics on the likelihood of attacks, and provides a summary of technologies that can help prevent account-hijacking attacks.
While it is hard to distill a 41-page report, we believe its key findings can be condensed to a few basic points.
First, single-factor, password-based authentication methods might no longer be sufficiently secure for customer remote access to online banking systems.
Second, as customers become more aware of actual instances of, or the potential for, account hijacking, they will expect financial institutions to protect their funds and identities, while maintaining or increasing convenience for them in accessing financial services.
Finally, following this assessment, the FDIC's primary recommendation is that two-factor authentication should be considered the new security baseline for remote access to computer systems.
One of the problems with this report is that it does not address the business or practical issues of implementing two-factor authentication solutions.
Compared to today's username and password authentication approach, two-factor authentication mechanisms are expensive to deploy, expensive to maintain, and inconvenient to use. Financial institutions wishing to follow the FDIC's advice will need to fully understand the costs and user problems associated with these authentication mechanisms before implementing the FDIC's recommendation.
The $50 billion problem
The Federal Trade Commission (FTC) has estimated that almost ten million Americans were victims of identity theft in 2003, with a total cost to businesses and consumers approaching $50 billion. Identity theft is one of the fastest growing types of consumer fraud.
Identity theft is a broad area, however. The FDIC study focuses on a subset of identity theft – unauthorized access to and misuse of existing asset accounts, primarily through phishing and hacking. The study uses the term "account hijacking" to describe this particular form of identity theft.
The study points out that precise statistics on account hijacking are not available. But it states that unauthorized access to checking accounts is the fastest-growing form of identity theft.
What's more, the FTC estimates that around two million U.S. adult internet users experienced this fraud during the year ending April 2004. More than half believed that responding to a phishing email was the cause.
According to a 2002 survey from the American Bankers Association, listed in the FDIC report, identity theft fraud is the top concern among financial institutions of all sizes.
The term identity theft is fairly new. The definition of the phrase was first codified as part of the Identity Theft and Assumption Deterrence Act of 1998 (the ID Theft Act).
This law made identity theft a federal crime. Later, the Fair and Accurate Credit Transactions Act of 2003 (FACTA) amended the Fair Credit Reporting Act (FCRA) to include a civil definition of identity theft.
Under FACTA, the Federal Trade Commission was charged with further refining the definition, and it has addressed a prior deficiency by specifying what constitutes "identifying information."
There are several ways to hijack deposit accounts. Each method relies on the misuse of information, and ranges from what is called phishing – collecting identity information by directing users to fraudulent websites via email requests – through to retrieving hard copy documents (dumpster diving) or looking over someone's shoulder.
Somewhere in between lie other modes of attack, such as: hacking – direct cyber attacks on websites, transactions with websites, or systems housing personal information; insider data gathering – attacks from inside organizations entrusted with personal information; and keystroke logging – a particular form of hacking that attacks the client system and records user names, passwords, and other personal identifying data for use by the attacker.
The FDIC's study notes that 70 percent of identity theft is committed with confidential data stolen by insiders. It also notes that phishing is easy to implement and produces higher-volume results than the other techniques.
The FDIC report makes the point that financial institutions can help to reduce identity theft, including account hijacking, by encouraging information sharing so that identity theft frauds are thwarted sooner.
What can the finance industry do?
The FDIC describes a number of information-sharing efforts, including the Financial Services Information Sharing and Analysis Center, the Anti-Phishing Working Group (APWG), the Identity Theft Assistance Corporation, and the Infragard program set up by the FBI (www.infragard.net). Of these, let's look at two in particular.
The APWG is an industry association with 630 members, including financial institutions, e-commerce providers, internet service providers and vendors of email services and software. As its name implies, its purpose is to eliminate identity theft and fraud resulting from phishing and email spoofing.
It seeks to provide resources, technology, vision and expertise to facilitate the rapid deployment of a solution to email phishing scams.
At the end of 2003, the APWG published a white paper, Proposed Solutions to Address the Threat of Email Spoofing Scams. The white paper offers four solutions: strong website authentication; mail server authentication; digitally signed email with desktop verification; and digitally signed email with gateway verification.
However, although these are good solutions, they require industry cooperation and user adoption to be effective. Realistically, these solutions are a long way off.
Another industry initiative has been the establishment of the Identity Theft Assistance Corporation (ITAC).
Formed under the auspices of the Financial Services Roundtable and the Banking Information Technology Secretariat (BITS), ITAC's purpose is to help victims of identity theft to recover their financial identities and restore their credit ratings.
Blended threats, blended solutions
Approximately half of the FDIC report is dedicated to a survey of technologies that may be effective against account hijacking. The FDIC staff evaluated technologies falling into three categories – scanning tools, email authentication, and user authentication.
They then applied relative ratings based on ease of implementation, portability, effectiveness, and ease of use.
The technologies evaluated included, for scanning: tools that find websites whose text matches specific alert patterns, and server log analysis software; for email authentication: Sender ID; and for user authentication (verifying the identity of a person or entity): shared secrets, USB tokens, smartcards, password-generating tokens, and biometric systems such as fingerprint, face, voice and keystroke recognition.
The report recognized that choosing a technology to deliver an effective two-factor authentication system for financial institutions presents unique challenges. Customers expect to have immediate and unobstructed access to their accounts, regardless of where they happen to be or what time it is.
Currently, as long as a user remembers a password, this access is delivered reliably. Two-factor authentication must be capable of providing that same level of dependable access while satisfying requirements for reliability, security, value, and ease of use.
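As an added illustration, not code from the article or the FDIC report, of the two-factor baseline the report recommends: a server-side login check that requires both a password (something the customer knows) and a code from a password-generating token (something the customer holds). It assumes an HOTP-style (RFC 4226) event-based token, which the report does not name; the account record, secret and look-ahead window are constructed for the example, and the look-ahead shows one of the dependability problems the text mentions, a token that has drifted a few codes ahead of the server.

```python
import hashlib
import hmac
import secrets
import struct

# Assumption: the token computes an HOTP-style (RFC 4226) code, i.e.
# HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Return the one-time code a token displays for the given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """Constructed account record: salted password hash plus token state."""
    def __init__(self, password: str, token_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.password_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, 100_000)
        self.token_secret = token_secret
        self.counter = 0  # next counter value the server expects from the token


LOOK_AHEAD = 5  # tolerate a few codes the customer generated but never submitted


def login(acct: Account, password: str, code: str) -> bool:
    """Two-factor check: both the password and a fresh token code must be right."""
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, 100_000),
        acct.password_hash)
    # Check the whole window without breaking out, and keep the first hit,
    # so a code the token is a few steps ahead on still resynchronises the server.
    matched = None
    for step in range(LOOK_AHEAD):
        if hmac.compare_digest(hotp(acct.token_secret, acct.counter + step), code):
            if matched is None:
                matched = step
    if not (pw_ok and matched is not None):
        return False  # neither factor alone is enough; token state is left untouched
    # Consume the code: move past it so the same code cannot be replayed later.
    acct.counter += matched + 1
    return True
```

A phished password on its own fails the check, and a captured code is rejected once it has been used; the report's point stands that this raises the bar rather than removing the risk.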
The FDIC found that there are two major reasons why the frequency of phishing and other types of attacks has been increasing and why they have become more effective at perpetrating account hijacking. The first is that user authentication by the financial services industry for remote customer access is insufficiently strong. The second is that the internet lacks email and website authentication.
To deal with these key problems, it recommends that financial institutions and government take steps to reduce online fraud, starting by upgrading existing password-based single-factor customer authentication systems to two-factor authentication.
While this might be both difficult and expensive, it states plainly that this is the future of combating hacking and phishing. Firms also need to use scanning software first to identify and then to defend against phishing attacks.
Further development and use of fraud-detection software to identify account hijacking, similar to the existing software that detects credit card fraud, could also help to reduce account hijacking. In tandem, educational programs that help consumers avoid online scams such as phishing, which can lead to account hijacking and other forms of identity theft, need to be strengthened, while consumers' liability is limited.
Finally, firms need to place a continuing emphasis on sharing information between the financial services industry, government and technology providers.
The bottom line
We applaud the FDIC for taking a stand on this important issue. The information provided in the report will help financial institutions and consumers to better understand the problem, potential mitigation approaches, and the limitations of those solutions.
But without addressing the practical issues of deploying two-factor authentication systems on a large scale, or the numerous ways account hijacking can still occur even when using it, we believe the report's finding that two-factor authentication is the only solution is both exaggerated and premature.
Jonathan G. Gossels is president and Richard E. Mackey Jr is principal of consulting firm SystemExperts