How Safe is Personal and Financial Data with
Financial Institutions and Banks?
Kyle C. Reischmann and Fielding Thurston Miller
Introduction
The convenience of online banking has made managing our
personal finances easier than ever. With the growing acceptance of
credit cards amongst retailers, plastic is slowly replacing cash as the
preferred payment method. People are signing up for and carrying
credit cards at a progressively younger age. However, with this new
financial freedom comes risk. Identity theft and financial fraud have
become an increased concern, forcing the financial institutions and their
customers to take action. These new concerns have led to the question:
how safe is personal and financial data with banks and other financial
institutions? Furthermore, what can be done to increase the protection
of this information?
For over a century Americans have entrusted their assets to
financial institutions and banks. As of June 30, 2007, a total of 8,615
banks and financial institutions reported to the FDIC (Federal Deposit
Insurance Corporation). In total, these banks and financial institutions
were responsible for a combined $12,261,029,490 in customer assets. As
a customer of a bank or financial institution one assumes that their
assets and their personal information are safe. However, this is
increasingly not the case as customers’ personal and financial
information is often at risk with these financial institutions. The loss of
this sensitive personal information often stems from internal and
external sources, and in many cases leads to identity theft.
In describing identity theft, the Federal Trade Commission
(FTC) states, “Identity theft occurs when someone uses your personally
identifying information, like your name, Social Security number, or
credit card number, without your permission, to commit fraud or other
crimes” (About Identity Theft, p. 1). According to the FBI, identity theft
is the fastest growing crime to plague our nation (About Identity Theft,
1). According to the FTC’s report “Consumer Fraud and Identity Theft
Complaint Data,” which was published on February 7, 2007, over 670,000
complaints of fraud and identity theft were filed the previous year.
However, one can infer that the true number is much higher, taking into
account that many instances do not get reported or the victim is not
aware that she has become the target of identity theft.
This reported fraud and identity theft led to an estimate of
consumer losses in excess of $1.1 billion (Consumer Fraud and Identity
Theft Complaint Data, 6). Of the over 670,000 complaints of fraud and
identity theft, the leading type was credit card fraud at 25%. Tied for
second were bank fraud and phone or utilities fraud, both at 16%. The
leading type of bank fraud, according to the FTC report, was fraud
related to the electronic transfer of funds from account to account
making up about 50% of bank fraud (Consumer Fraud and Identity
Theft Complaint Data, 3). These statistics reveal the prevalence of
banking and credit fraud, and reinforce why this should be of
significant concern to the users of these services.
Traditional Forms of Identity Theft and Bank Fraud
Traditionally, the means of acquiring somebody’s personal and
account information have been by physical theft. Physical identity theft
and account fraud have been problems since the birth of the banking
industry. These types of theft and fraud range from simply looking
over someone’s shoulder to acquire their account information, to the
writing of fraudulent checks. Personal information theft can also stem
from offenders searching through people’s mail, stealing credit cards
from purses and wallets, and simply stumbling across somebody’s
information and using it dishonestly. Furthermore, the use of insiders
in identity and account information abuse schemes has become a
problem in the industry.
Theft of Financial Statements, Information, and Other
Hard-Copy Financial Documents
The first way in which customers’ financial information has
been traditionally compromised is through basic document theft. This
is a very simple way for criminals to obtain the identity and account
information they seek. The most basic form of theft does not actually
require them to physically obtain a document containing a customer’s
sensitive information. Rather, the perpetrator simply looks over a
victim’s shoulder while they have their account information in front of
them. This can be done in public settings such as at the bank while a
person fills out an account slip or at the grocery store while a
customer writes a check. Another form of this fraud is the stealing of
account information from a person’s mailbox or trash. Once thieves have
obtained this information they are free to access victims’ accounts and
write faulty checks from those accounts. If this type of fraud goes
unnoticed, a thief can essentially bleed the victim’s bank account dry.
Furthermore, it is common for identity thieves to steal credit cards and
use them to make fraudulent purchases. In many instances, by the time
the victim notices that his or her card has been lost or stolen many
fraudulent charges have already been made. Another way of acquiring
this personal information is by searching mail and garbage
receptacles for pre-approved credit card offers. Once a thief has
obtained these offers, he can use them to open credit card accounts in
victims’ names. According to the FTC’s 2007 report About Identity Theft:
They may open new credit card accounts in your name. When
they use the cards and don’t pay the bills, the delinquent
accounts appear on your credit report. They may change the
billing address on your credit card so that you no longer
receive bills, and then run up charges on your account.
Because your bills are now sent to a different address, it may
be sometime before you realize there’s a problem. (About
Identity Theft, 1)
Fraud on existing accounts makes up approximately 40% of all
credit card fraud while fraud on new accounts makes up approximately
60% of this fraudulent activity (Consumer Fraud and Identity Theft
Complaint Data, 3). It is clear to see that theft of financial statements
and other hard-copy financial documents is a very real risk to customers
of financial institutions. Although these forms of identity and account
fraud seem primitive, they pose a very real threat to consumers. Robert
Lemos, author of the article Defending Your Identity, in reference to a
2005 study performed by Javelin Research states, “According to the
Javelin study, only 11.6 percent of identity theft occurred online. Users
who monitored their accounts online suffered an average of $451 in
losses, far less than the average of $4,543 for cases detected by paper
statements” (Lemos, 143).
Despite the risks that come along with the use of paper
statements and financial documents, it is up to the consumer to keep his
or her financial statements protected. Taking simple steps such as being
aware of who is around when statements are visible can greatly reduce
these risks. People must also get into the habit of shredding all
documents that contain any sort of account or personal information.
The simple act of shredding all credit card offers and bank statements
takes mere seconds and virtually guarantees that sensitive information
cannot be recovered from those documents. Finally, the regular
checking of one’s credit score and history will allow customers to bank
safer. Checking this score at least once every four months is strongly
advised.
Information Leaks By Insiders
Another traditional form of identity theft stems from banks’
own employees. This form of bank fraud takes advantage of people’s
trust in the safety of the bank, as well as in their banker. Insider
fraud consists of bank employees acquiring your financial information
and using it for purposes other than those agreed to by you and your
bank. This can range from approving questionable transactions and
loans to giving out customer information for the direct transfer of funds
to either themselves or others. The perpetrators committing this insider
fraud range from personal opportunists to people with ties to organized
crime and gangs. Many banking customers are unaware of the threat
posed by insider fraud. However, insider fraud is a real concern and
according to Jane Croft of the Financial Times newspaper, it now
accounts for over 60% of all financial institution fraud in London
(Croft, 3). Moreover, according to the FDIC, insider fraud and
embezzlement account for over 50% of cases settled by the FBI in
America over the past few years (Bank Fraud and Insider Abuse, 1). It
is evident that insider fraud is a serious risk to customers and it is on
the rise at an alarming rate. Many factors have led to this increase in
insider fraud, such as agency crackdowns and security measures
making outsider fraud more difficult and the high turnover rate of bank
employees leading to less thorough employee screening and training.
With regard to this problem, both the customer and financial
institution must take action to prevent insider fraud. The bank itself
must enforce stricter screening processes when hiring employees who
will have access to sensitive customer information. Furthermore, banks
must pay close attention to employee transactions and follow up
thoroughly on any suspicious activity. As a customer, one must
demand that their bank take the appropriate measures to ensure that
its employees act in an ethical manner at all times. Personal and
financial information are both too important to put in the hands of a
bank that cannot be fully trusted.
Contemporary Forms of Identity Theft and Bank Fraud
Computers and the Internet have become an integral part of
people’s personal and professional lives. Industries have begun
conducting more and more business via the Internet and have begun
storing vast amounts of data on servers as opposed to in filing cabinets.
This switch from pen and paper to mouse and keyboard has greatly
reduced transaction times and increased convenience for every bank
customer. While this new technology has greatly increased industry
productivity, it has also exposed the industry to new types of digital
security threats. Among these new concerns are phishing, skimming,
hacking, and data outsourcing. Using these new digital methods,
criminals have been able to successfully adapt to the growing digital
integration in banking.
Phishing
Phishing is the act of attempting to acquire a person’s private
information under false pretences. The criminals committing these
crimes typically seek credit card numbers, social security numbers,
usernames and passwords. Commonly, someone will write an email to
a potential victim posing as a trustworthy source requesting this
sensitive information. Phishing has gained notoriety as of late,
primarily due to extensive coverage in the media. The skill these
so-called “phishers” have been able to develop is the ability to mask
their true identity. Their emails look official enough to the untrained
eye to con even the most conservative customer into giving away their
personal account information. These emails often contain
official-looking seals and company logos to make them look more authentic.
Furthermore, these scam emails often contain links to websites that
greatly resemble the real website they want the customer to believe they
are visiting. These fake websites are designed to look and function
nearly identically to the actual website they are impersonating.
Typically the domain name is spelled slightly differently, so the
average victim does not notice. Phishing has been rising steadily in the
U.S., which has the most active phishing websites in the world.
According to the FBI, phishing has recently become “the hottest and most
troubling new scam on the Internet” (When Internet Scam Artists, 1).
With a 104% increase in the number of phishing scams from the
previous year and 980 known phishing websites targeting banks, it is
apparent that phishing is going to be a continuing problem that must be
dealt with in the future (Ecker, p. 14).
Despite efforts from the government and financial institutions
to crack down on phishing, ultimately it is up to the consumer to ensure
he doesn’t fall victim to one of these scams. Simple steps can be taken
by consumers to ensure their safety. To start, never give out financial
information via email or in response to unsolicited communication.
Banks will never write a customer an email asking for personal or
account information. Also, check credit card and bank statements
regularly for suspicious transactions. Finally, if an email appears to
solicit personal information and its authenticity is uncertain, immediate
contact with the issuing bank is necessary to determine its authenticity.
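The slightly misspelled domain names described above can also be caught mechanically. The following Python code is an added example, not part of the original paper: it classifies each link in an email against a list of a bank's genuine domains. The domain bankx.example (standing in for "Bank X"), the sample email, and the edit-distance threshold of 2 are all assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: the bank's genuine domain (hypothetical name on a reserved TLD).
TRUSTED_DOMAINS = {"bankx.example"}

# Digits that are often swapped in for similar-looking letters.
FOLD_DIGITS = str.maketrans("01345", "oleas")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample message, not a real phishing email.
SAMPLE_EMAIL = """\
Dear customer, your Bank X account is locked.
Verify now: http://bamkx.example/login
Mirror: http://login.b4nkx.example/verify.
Official site: https://www.bankx.example/
Unrelated: https://newsletter.test/weekly
"""


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike' or 'unknown' for the host named in url."""
    try:
        host = (urlparse(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL
        return "unknown"
    if not host:
        return "unknown"
    # Exact match or a genuine subdomain of a trusted domain.
    for good in trusted:
        if host == good or host.endswith("." + good):
            return "trusted"
    # Otherwise compare the same number of trailing labels as the trusted
    # name, after folding look-alike digits back to letters.
    for good in trusted:
        n = good.count(".") + 1
        tail = ".".join(host.split(".")[-n:]).translate(FOLD_DIGITS)
        if edit_distance(tail, good) <= max_distance:
            return "lookalike"
    return "unknown"


def scan_email(body):
    """Classify every http(s) link found in an email body, in order."""
    results = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:)!?")  # drop sentence punctuation after a link
        results.append((url, classify_link(url)))
    return results


if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}")
```

A fixed threshold of 2 will misfire on very short domain names, so a real deployment would scale it to the length of the trusted name.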
Skimming
Another technique of stealing one’s financial information is
through skimming. Skimming is the act of using a device similar in size
to a beeper to swipe and store the information stored on the magnetic
strip of a credit card. Once this information has been obtained, the
perpetrator can use it to make purchases online as well as sell it to
criminal organizations with the resources to create new, fully functional
credit cards linked to the account from which the card information was
originally “skimmed”. Skimming is a growing problem, particularly in
the hospitality industry. It is estimated that 70% of all skimming occurs
at restaurants (Drummond, 28). Restaurants have increased risk
stemming from the relative ease with which the crime can be executed.
It is common practice for patrons of a restaurant to allow servers to
walk off with their credit card to process it to pay for the meal. It is
easy for dishonest servers to conceal skimming devices beneath clothing
and obtain all your credit card information with a simple swipe of the
wrist.
Recently, an organized crime ring focused on skimming was
uncovered in New York City that involved over forty restaurants.
Servers were being paid a flat fee for every credit card skimmed. The
information was then being used to make fraudulent credit cards
responsible for $3 million in fraudulent charges (Drummond, 28).
Another form of skimming involves altering ATM machines. This can
be done by simply attaching a discreet device to the front of the ATM
that records your card information. Someone can put one of these
devices on an ATM and record dozens of people’s credit card numbers
without their knowledge. In more extreme cases, there have been
reports of entirely fake ATM machines being planted by thieves. These
ATM machines look just like a real ATM; however, their sole function is
to steal credit card information. Once a victim swipes their card and
enters their PIN, the machine has all the necessary information and does
not dispense money like a real ATM. Once again, this information can
be used to make fraudulent credit cards and make ATM withdrawals
from the victim’s account.
One way that restaurant skimming is being addressed is
through the development of new point-of-sale (POS) devices that allow
you to pay for meals at restaurants at your table. This makes it so
servers have no chance to be alone with customers’ cards and therefore
reduces the risk of skimming. These particular POS devices are
handheld credit card machines that every server carries and uses for all
credit card transactions. Another action that can be taken is increased
awareness on the customer’s behalf. If an ATM looks suspicious or out
of place, there is a chance it is a skimming device and it should be
avoided. Also, if it looks like there is something out of place on or near
the swiping device, a different ATM should be used.
Hacking
Hacking is another means by which potential identity thieves
may obtain a person’s personal and financial information from their
bank. Hacking is a growing problem, with attacks on banks up 81% in
2007 from the previous year (Gaudin, 17). Along with the increased
attacks on banks, attacks on credit unions are up 62% from the previous
year. According to SecureWorks Inc., an Atlanta-based security
provider for banks and credit unions, their clients received an average
of 808 attacks per month (Gaudin, 17). There are two main forms of
hacking: conventional hacking and the use of malicious software.
Conventional hacking consists of attempting to bypass the security
measures, such as firewalls and passwords, that most financial
institutions have in place on their online banking systems to gain
access to customers’ accounts. This conventional form of hacking has
become more difficult as of late due to the increased amount of
encryption and security measures banks have added to their websites.
However, through skill and the use of underground hacking programs,
customers’ data and personal information are still at risk from
conventional hackers. Malicious software, or “malware,” programs, like
hacking programs, are illegal. However, malware programs are still
readily available on the black market. Malware is loaded into a
computer and is programmed to remember certain things people enter into
websites such as user
names and passwords. For example, a hacker may load a program into
a computer that is activated and remembers login information from
Bank X’s website. The hacker may return a week later and check on the
program. If a customer of Bank X has looked at her online financial
statements in that week, the hacker will have her login information.
Once they have this information, they can transfer funds and open
credit cards linked to the account.
Hacking is a real threat to customers trusting their financial
information to financial institutions. It is up to the banks to stay one
step ahead of hackers to prevent the leak of sensitive account
information. One should never use an online banking feature that is not
encrypted to protect it from hackers. Also, only personal computers
should be used to access financial information. People should never
access their bank websites from public computers that may be infected
with malware.
Data and Task Outsourcing
The final major risk to customers’ personal and financial
information is the widespread use of data and task outsourcing. Data
outsourcing is the storage of data and information on servers owned by
other companies that are not under the bank’s direct control. Often, the
sheer volume of data and information that a financial institution stores
is too overwhelming for their servers and infrastructure to handle. To
combat this, they entrust the storage of this data to companies, both
domestic and foreign, whose only business is the storing of data for
other companies. This leads to many security issues. In addition to
storing the data, there are other tasks being entrusted into the hands of
third parties. Amongst these are technology, research, analysis, and
functions other than cash handling (Bradford, p. 12). With the majority
of data and tasks being outsourced to India and Russia, a whole new set
of security issues arises. When a bank entrusts customers’ data to a
company they have no direct control over, it is obvious they are putting
the information at risk. The safety of customers’ data and essentially
their identity is in the hands of someone thousands of miles away that
neither they nor their bank have ever met. Furthermore, the security of
the servers and online infrastructure of the company holding the
information is not easily controlled. For all a customer knows, his or
her financial and personal data could be sitting on a server in a
warehouse in Bangladesh with virtually no security. Also, the
outsourcing of tasks is a risk to your financial security. When you
entrust research and analysis to a third party, quality control is difficult
to manage. It is unknown how well the research and analysis
customers are receiving back from these third parties can be trusted.
Despite all these risks, outsourcing of data and tasks is going
to continue to rise. It is up to the banks and financial institutions to
reduce the risk of data breaches and information loss due to
outsourcing. Banks must be able to exert some degree of control over
the companies with whom they are entrusting your information. Legal
requirements and efforts must be put in place to ensure the safety of
your information. Without these steps, not only is your bank’s
reputation on the line, but your identity and financial security are as well.
Primary Research
Survey
To gain access to additional research material, we
administered a survey aimed at compiling demographic data, gauging
the perceptions of personal and financial information safety, and
collecting information regarding people’s general knowledge of the
dangers of banking. We received back 40 completed surveys from people
ranging in age from 20 to 77.
From this survey, we believe that several important facts
become clear. The first is the high number of customers who bank
online as opposed to traditional pen and paper banking. The trend to
move toward more secure online banking appears to be very strong.
However, of the eight people who filled out the survey who said they
do not bank online, all of them were above the age of 30 and five of the
eight were between the ages of 55 and 77. This trend shows how the
older generation is lagging behind in the new trend of online banking.
Despite new threats from criminals using hacking and phishing to
access customer accounts online, online banking is still more secure
than traditional pen and paper banking. By completing all transactions
and bill-payments online, customers can virtually eliminate the paper
trail of statements, checks, and credit card bills sought by criminals. By
doing all of their banking online, customers can take a huge step toward
securing their personal and financial information with their bank.
Another revealing statistic is that 55% of the respondents do
not shred their account statements or credit card offers. Although many
people occasionally shred documents when they remember, it is crucial
to take this step every single time. This is a very simple step that can be
taken to virtually eliminate the threat of identity thieves searching
through your trash receptacles to retrieve sensitive financial and
personal information.
Another revealing statistic is that only 42.5% of those polled
check their bank statements daily. Even worse, only 25% check them
once a month and 7.5% never check them at all. Checking bank
statements daily is an extremely simple step one can take to ensure that
no fraud is taking place on their account. With online banking,
checking statements takes no more than one minute per day. When
statements are checked daily and fraud is detected, it is almost
immediate and the damage to the person’s account and credit can be
kept to a minimum.
Finally, it is interesting to note that 90% of people feel safe with
their financial institution, despite the many ways in which a person’s
personal and financial information may be compromised. They range
from the very high-tech to the extremely low-tech. It can be debated as
to the true danger posed by each of these methods for committing
identity theft. However, it is undeniable that the danger is present.
This statistic shows that the public is generally uninformed about the
risks associated with banking. The best way to increase their safety is
through the education of the customers about these risks.
Interview
We sat down with a business banking specialist, who will
remain anonymous for privacy reasons, at the Wells Fargo branch on
Walnut St. in Boulder and asked her several questions. The main
question we confronted her with was how safe is account and personal
information with the bank? And as a follow up, we asked if, in her
opinion, online or traditional banking was safer? She told us, as one
would expect from a banker, that the information was safe with them.
She did, however, give several suggestions as to how consumers can
take certain measures to increase their safety. The primary suggestion
she had was to do your banking online. Security features for online
banking include password protection, encryption, timed log-off,
firewalls, and constant surveillance by IT professionals. After further
research, we found that most banks offer similar online protection.
Furthermore, she suggested limiting your paper trail. This means doing
all banking online and eliminating paper account statements. Although
it is possible to greatly reduce the paper trail, she admitted sometimes it
can be hard. If you do get anything in the mail containing personal
information you should shred it regardless of the source. The insight of
an industry insider can be very helpful and following her suggestions
can greatly increase the security of customers’ personal and account
information with their bank.
Conclusion
Theft of personal and financial data is a major problem for
both financial institutions and their customers. Traditional threats have
been around since the birth of the banking industry and continue today
with no end in sight. The ever-evolving technology of the 21st century
has led to a whole new form of identity theft and bank fraud. These
methods of fraud are constantly changing with the goal of staying one
step ahead of bank security measures. Each party has a responsibility to
ensure the safety of this information. Financial institutions are
responsible for ensuring the security of data by working with ethical
companies, hiring honest employees, and monitoring the flow of
information by using the most secure technology available. Consumers
are responsible for using common sense to protect their financial
security by only providing personal information to trusted people,
shredding their account documents, and taking an active role in
protecting their information. As the role of technology increases in
personal financial management, online banking is steadily replacing
traditional paper and pen banking as the preferred method of managing
finances. This technology has increased productivity, reduced
transaction times, and increased convenience for consumers all while
making banking safer. Online banking has cut the amount of paper
required for transactions considerably, reducing the feasibility of
traditional identity theft and fraud. As a result of this transition,
criminals have been forced to come up with much more creative ways
in which to acquire personal and financial data. Banking as we know it
has been around for centuries, and if consumers and financial
institutions take an active role in ensuring the safety and ease with
which banks operate, the banking industry will remain as safe as
possible for centuries to come.
Works Cited
About Identity Theft. FTC. 2007. 12 Oct. 2007.
Bradford, Michael. "Outsourcing Considered an Emerging Risk in
Financial Services Industry." Business Insurance 41 (2007): 12.
Consumer Fraud and Identity Theft Complaint Data. FTC. 2007. 12 Oct.
2007.
Drummond, Grant. "New Technology Helps Hospitality Industry Battle
the Growing Payment Fraud Problem." Nation's Restaurant
News 10 Sept. 2007: 28.
Ecker, Keith. "Internet Crime Wave." InsideCounsel 17 (2007): 14.
Gaudin, Sharon. "Hacked Up." Bank Systems & Technology 44: 17.
Lemos, Robert. "Defending Your Identity." PC Magazine 25 (2006): 143.
United States. FDIC. Bank Fraud and Insider Abuse. 26 Apr. 2005. 12
Oct. 2007.
United States. FDIC. When Internet Scam Artists Go "Phishing," Don't
Take the Bait. 2004. 12 Oct. 2007.