[Infowarrior] - Bank of America, HSBC Most Prone to I.D. Theft, Report Says

Thu Feb 28 02:37:48 UTC 2008

Bank of America, HSBC Most Prone to I.D. Theft, Report Says - Updated
By Ryan Singel EmailFebruary 27, 2008 | 1:30:42 PMCategories: Sunshine and
Secrecy  

http://blog.wired.com/27bstroke6/2008/02/bank-of-america.html

In a first ever study of which companies have the most identity theft
incidents, Bank of America, HSBC, and Washington Mutual were named as the
companies with the most incidents per billions of dollars of deposits,
according to a study released Wednesday by Berkeley Law School fellow Chris
Hoofnagle.

Among the nations' largest banks, ING Bank looks to be the safest, with only
0.085 identity theft complaints per billion dollars of insured deposits.

In terms of sheer numbers of complaints, Bank of America, AT&T and Sprint
were named most often in the complaints, followed closely by Chase, Capital
One and Citibank.

The study, entitled Measuring Identity Theft at Top Banks (Version 1.0),
looks to be the first-ever attempt to name-and-shame companies based on
their identity theft protections, or lack thereof.

Hoofnagle, who started as a privacy and consumer rights advocate at the
Electronic Privacy Information Center, says he did  the study because he
wants people to be able to choose institutions based on identity theft
statistics.

He used a open-government request to get more than 88,000 complaints filed
by individuals to the Federal Trade Commission in January, March and
September 2006.  The FTC publishes statistical data about the complaints
yearly, but does not publish the companies' names.

"In order for the market to effectively address the ongoing identity theft
epidemic, consumers need reliable information about incidence of the crime
among institutions," Hoofnagle wrote in the study.  "If data were available
on this crime, consumers could choose safer institutions, regulators could
focus attention on problem actors, and businesses themselves could compete
to protect consumers from this crime."

To get a rough tally of the number of incidents per customer, Hoofnagle
compared the number of incidents against publicly available FDIC data on the
institutions insured deposits. No similar data existed for telecoms
companies, making even rough ranking per customer impossible.

Hoofnagle admits the data is rough, but hopes the study will force better
data to come to light in the future. He also hopes the data could force
lawmakers and regulators to mandate public disclosure of identity theft
statistics from banks (.pdf).

While the FTC data is currently the best source of data on identity theft,
it relies on individuals to complain to them. It does not count police
reports filed or incidents reported to banks, cell phone companies or credit
bureaus.

For instance, the FTC data does not distinguish between fraud cases where an
impostor establishes new accounts in a persons' name from more common cases
where a person uses a stolen credit card to make purchases. The data also
does not distinguish between identity theft committed online such as through
phishing emails and identity theft done without the help of the internet.
UPDATE: Bank of America spokeswoman Betty Riess says the company hasn't seen
the study yet, but says BoA takes security seriously. "Keep in mind that if
we have a customer who reports they are a victim of identity theft that
doesn't correlate to security at BoA," Riess said, referring to the fact
that a BoA customer experiencing identity theft could have had their mail
stolen or fallen prey to a phishing attack. "Protecting customer information
is a top priority at BoA and we have multiple layers of security." Riess
added that BoA uses online security offerings from RSA and lets customers
use one-time credit card numbers for purchases from unfamiliar online
retailers.