Identity theft has plagued society for years. Long before the Internet, crooks raided trash cans and stole wallets seeking to hijack a person's line of credit. Today, the story is the same, but the setting has changed. Now, criminals have the Internet at their disposal. And an ever-increasing dependence on electronic data has raised the stakes. Fortunately, consumers finally are realizing just how vulnerable their personal information is to theft.
Although all industries are susceptible to data theft, the costs in terms of reputation and dollars are particularly steep in financial services, and most banks are taking measures to reduce the risks associated with handling consumer data. But, the key word here is "reduce."
The first step to combating ID theft may be to realize that it will not vanish any time soon. "ID theft and security breaches are crimes like any other - they won't completely go away," says Joseph Ansanelli, CEO of data monitoring solutions provider Vontu (San Francisco). "So we have to try to reduce the amount of data that's at risk."
According to Alex Berson, a director with consultancy BearingPoint (McLean, Va.), companies too often leave data exposed. He explains that information can be viewed in two ways - data in transit and data at rest. Data in transit is data moving on a network. This information typically is encrypted, Berson says. But, when the data settles in a storage area (at rest), it often is unencrypted. The protection of data at rest is a key challenge that banks often do not consider, Berson asserts. And data at rest is an especially critical issue as financial institutions increasingly connect their previously isolated legacy systems to the Internet for more-efficient communication.
"A lot of the problems are procedural rather than technical," points out Jonathan Gossels, president of Sudbury, Mass.-based security consulting firm SystemExperts. "You secure the transaction of the data rather than the actual personal information."
Further, security should not be viewed as merely a technology fix, adds Carmi Levy, a senior research analyst with Info-Tech Research in Ontario. Security also should include the people and processes associated with making data safe. "Involve everyone associated with maintaining your infrastructure," says Levy.
Need-to-Know Data Access
Banks should begin their data security efforts by examining the data itself, according to Richard Mackey, a principal with SystemExperts. "Look at the kind of data you need to use or share," he says. "Companies need to see whether this sensitive information they ask customers for is really necessary - why ask for a Social Security number? Laws require banks to have this information on hand, but having it completely accessible isn't necessary."
A clearly defined data privacy/security policy goes a long way in keeping risk down, Mackey continues. Policies should outline how the data is used and who uses it, and they should be part of a larger employee education program that drives home the importance of safeguarding customer data.
In fact, the majority of data breaches result from lapses by company insiders - whether unwittingly or intentionally, according to Vontu's Ansanelli. "Of the last 60 major data breaches, half were related to insiders," he says. "But 90 percent of the problem is honest people doing the wrong thing."
To help its tellers and call center representatives identify fraud, Bridgeport, Conn.-based People's Bank ($11 billion in assets) employs address verification technology from QAS (Boston), according to Jim Gerace, the bank's VP of IT. "We're attacking identity theft at the teller end," he relates. "We have very little in the way of erroneous data access on our Web banking site - it happens more at the teller because you're actually dealing with people and trying to be more service oriented," he explains. As a result, bank employees are more likely to allow someone without authorization to access account data, Gerace contends.
People's Bank also features a card-based identification system at its branches. As customers approach tellers, they swipe mag stripe cards that contain their personal information, Gerace relates. Customers also are asked specific authentication questions, similar to challenge questions employed by two-factor Internet log-on security solutions.
But some data theft is caused by disgruntled employees, Vontu's Ansanelli continues. "You should have an active policy of monitoring data to keep people from using it inappropriately," he says. "This is not just in the electronic world - you want things like guards and access logs."
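What Berson's exposed "data at rest" and Ansanelli's "active policy of monitoring data" look like in practice can be shown with a small scanner that reads stored records back and flags Social Security numbers sitting in plaintext. The Python below is an added example, not code from the article or from Vontu, BearingPoint or any bank it names; the records, field names and SSN-looking digits are constructed, the regular expression is this example's own assumption, and the only outside facts it relies on are the Social Security Administration's published issuance rules (no area 000, 666 or 900-999, no group 00, no serial 0000), which it uses to discard numbers that merely look like SSNs.

```python
import re

# Candidate: three, two and four digits with the same separator (dash, space
# or none) between the groups. Requiring the same separator both times keeps
# a ZIP+4 such as 02139-1234 from being read as 021-39-1234.
SSN_CANDIDATE = re.compile(r"\b(\d{3})([- ]?)(\d{2})\2(\d{4})\b")


def is_plausible_ssn(area, group, serial):
    """Drop numbers the Social Security Administration never issues:
    area 000, 666 or 900-999; group 00; serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_exposed_ssns(records):
    """Scan (record_id, {field: value}) pairs read back from storage and
    return (record_id, field, masked_ssn) for every plaintext SSN found.
    The report carries only the last four digits so it is not itself a leak."""
    findings = []
    for record_id, fields in records:
        for name, value in fields.items():
            if not isinstance(value, str):
                continue
            for m in SSN_CANDIDATE.finditer(value):
                area, _sep, group, serial = m.groups()
                if is_plausible_ssn(area, group, serial):
                    findings.append((record_id, name, "***-**-" + serial))
    return findings


# Constructed rows standing in for a customer table or an export file. The
# SSN-looking values are sample digits, not real numbers. Record 1003 holds
# a token in place of the SSN, which is what a scan should find everywhere.
SAMPLE_RECORDS = [
    ("cust-1001", {"name": "A. Example", "ssn": "123-45-6789", "zip": "02139-1234"}),
    ("cust-1002", {"name": "B. Example", "note": "caller read SSN 219099999 over the phone"}),
    ("cust-1003", {"name": "C. Example", "ssn": "tok_8f3c2a", "phone": "555-123-4567"}),
    ("cust-1004", {"name": "D. Example", "ssn": "666-12-3456", "balance": 2500.00}),
]

if __name__ == "__main__":
    for record_id, name, masked in find_exposed_ssns(SAMPLE_RECORDS):
        print(f"{record_id}: plaintext SSN in field '{name}' ({masked})")
```

Run against the sample rows, the scan reports the SSN field of record 1001 and the free-text note on record 1002, while the ZIP+4, the phone number, the tokenized value and the never-issued 666 number all pass. Free-text fields are the usual surprise: the number a call-center representative typed into a note is just as much "data at rest" as the column designed to hold it.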
One solution is credentialed data access. This involves permitting employees to access just the right amount of data according to their status or job function, thereby reducing the exposure of critical information within the company. Banks should keep track of workers throughout the entire length of their employment with the company, according to BearingPoint's Berson. "If a person leaves the company, you should be able to click one button to remove that person's authorization," he says.
Key to such administration is knowing exactly where the data lies and being able to provide an auditable trail of its activity, notes Steve Klebe, VP of business development with PassMark Security (Menlo Park, Calif.), a developer of a two-factor authentication solution. That knowledge is lacking at many banks, Klebe says. "It's difficult to figure out where the information was initially compromised and find the trail back to where that information was compromised," he says. "All solutions have to be tied to the back end."
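The credentialed access Berson describes, the "one button" revocation he asks for, and the auditable trail Klebe wants fit together in a small access-control layer. The Python below is an added example, not code from the article or from BearingPoint, PassMark or any bank it quotes; the job functions, field names, masking rule and customer record are constructed assumptions. It also carries Mackey's earlier point that the Social Security number need not be "completely accessible": a teller's role only ever sees the last four digits.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed job functions and what each may read. "masked" means the role
# never sees the field in full; fields not listed for a role are denied.
# Roles are only given "masked" on fields that have an entry in MASKERS.
ROLE_PERMISSIONS = {
    "teller":        {"name": "full", "balance": "full", "ssn": "masked"},
    "call_center":   {"name": "full", "balance": "full", "ssn": "masked"},
    "fraud_analyst": {"name": "full", "balance": "full", "ssn": "full"},
}

# How a field is reduced when a role only has masked access.
MASKERS = {"ssn": lambda s: "***-**-" + s[-4:]}


@dataclass
class AccessControl:
    users: dict = field(default_factory=dict)       # user_id -> set of role names
    audit_log: list = field(default_factory=list)   # one entry per attempt

    def grant(self, user_id, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.users.setdefault(user_id, set()).add(role)

    def revoke_all(self, user_id):
        """The single action: drop every role at once, so the very next read
        is denied, and record the revocation itself on the trail."""
        self.users.pop(user_id, None)
        self._log(user_id, "-", "-", "revoked")

    def read_field(self, user_id, record, field_name):
        """Return the field at the strongest level this user's roles allow.
        Every attempt, allowed or not, is written to the audit log.
        Returns None on denial; callers must treat that as a refusal."""
        level = "none"
        for role in self.users.get(user_id, ()):
            granted = ROLE_PERMISSIONS[role].get(field_name, "none")
            if granted == "full":
                level = "full"
                break
            if granted == "masked":
                level = "masked"
        self._log(user_id, record["id"], field_name, level)
        if level == "none":
            return None
        value = record[field_name]
        return MASKERS[field_name](value) if level == "masked" else value

    def _log(self, user_id, record_id, field_name, outcome):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user_id, "record": record_id,
            "field": field_name, "outcome": outcome,
        })


# Constructed customer record; the SSN is a sample value, not a real one.
CUSTOMER = {"id": "cust-1001", "name": "A. Example", "balance": 2500.00, "ssn": "123-45-6789"}


def demo():
    """Grant, read, revoke, read again; return what each step saw."""
    ac = AccessControl()
    ac.grant("teller-42", "teller")
    ac.grant("analyst-7", "fraud_analyst")
    seen = {
        "teller_ssn": ac.read_field("teller-42", CUSTOMER, "ssn"),
        "analyst_ssn": ac.read_field("analyst-7", CUSTOMER, "ssn"),
        "teller_balance": ac.read_field("teller-42", CUSTOMER, "balance"),
    }
    ac.revoke_all("teller-42")   # employee leaves: one call, effective immediately
    seen["teller_ssn_after_revoke"] = ac.read_field("teller-42", CUSTOMER, "ssn")
    seen["audit_outcomes"] = [e["outcome"] for e in ac.audit_log]
    return seen


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step}: {value}")
```

Two design points matter more than the size of the code. Denials are logged with the same detail as successes, so the trail Klebe describes shows not only who read a record but who tried to; and revocation removes the user from the map rather than flipping a flag on each grant, so there is no second place an old entitlement can survive.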
Extending the Security Perimeter
But, that back end often is extended outside a bank's controls. Outsourcing inevitably increases data security risks, and the spate of recent, highly publicized breaches illustrates the importance of banks knowing who is handling their customer data and how.
"Banks need to use outside providers," observes People's Bank's Gerace. But, "They must make sure the connections are secure and contractually make sure the company that's handling the data is doing its part to protect it," he adds. "You must be smart about the companies you're dealing with - the minute the data leaves your control, you've lost the ability to protect it the way you want."
Adam Dolby, business development manager with Vasco Data Security (Oakbrook Terrace, Ill. and Wemmel, Belgium), a provider of online authentication solutions, says application service providers (ASPs) should be treated as part of the bank. "They should be considered like a branch," he asserts. "This requires additional resources from the bank, but to reap the benefits of reducing costs, you have to make an effort to make sure [outsourced data] is secure."
Of course, banks today have no choice in the matter. With the passage of OCC guidance on third-party relationships, if a bank (or any company that handles data) shares customer information with a nonaffiliated third party and the data is compromised, the company farming out the data is responsible. The ASP must be contractually obligated to adhere to the same security principles as the company that hired it, and the third parties also must be audited regularly to ensure that they are keeping up their end of the deal.
"If you're outsourcing part of your transaction work, you're responsible for making sure the provider adheres to the same security protocols you do," says Info-Tech Research's Levy. "Consumers expect this security whether a bank employee does it or a third party does."
But consumers must take an active role in securing their data, as well. Many banks now offer safety tips and privacy policies on their Web sites for customers.
People's Bank's Gerace says his bank regularly engages the community to discuss ways to keep personal information safe. "We have a series of classes aimed at senior citizens to try to make them aware of this problem," he relates. "We also have pamphlets on hand for all our customers."
From shredding credit card solicitations to actually reading the URL of a particular Web site, the measures advocated by identity experts often are common sense. However, banks can't force customers to follow safe practices all the time - unless they employ the right technology.
Doubling Security Efforts
Today, user names and passwords still are the most common forms of authentication in the online world. Unfortunately, they offer little protection from savvy thieves.
To strengthen online authentication, many financial institutions are employing two-factor or multi-factor authentication, which requires consumers to enter a user name and password, and complete a biometric scan, for example. The more layers of protection between a thief and the data, the more likely the thief is to move on to an easier target. The FDIC took this philosophy to heart when it issued recommendations last December advocating two-factor authentication.
This does, however, add a layer of complexity on the customer end. "Two-factor authentication is great," says People's Bank's Gerace. "But how much do you want to make the customer do just to make a small deposit?" he asks.
To address customer convenience, some banks offer enhanced authentication technology as an opt-in service rather than a requirement. Another option is to use greater degrees of security according to the value of the transaction or the customer's assets.
"Not all bank customers are performing operations that require two-factor authentication," contends Vasco's Dolby. "Just provide this for certain customers," he suggests.
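The tiered approach Gerace and Dolby describe, challenging for a second factor only when the customer has opted in or the transaction is large enough to warrant it, can be written as a policy placed in front of a one-time-code check. The Python below is an added example, not code from the article or from Vasco, PassMark or the FDIC guidance; the amount threshold, customer profile and shared secret are constructed, and the second factor is a standard time-based one-time password (RFC 6238, built on RFC 4226 HOTP), which the article does not itself specify. The secret shown is the RFC's published test secret so the codes can be checked; a real deployment provisions a random per-customer secret.

```python
import hashlib
import hmac
import struct
import time

# Constructed policy threshold: transfers at or above this amount step up to a
# second factor; smaller ones go through on user name and password alone.
STEP_UP_AMOUNT = 1000.00
TIME_STEP = 30  # seconds per TOTP window (RFC 6238 default)


def second_factor_required(amount, customer):
    """Opt-in customers are always challenged; everyone else by transaction value."""
    if customer.get("opted_in_2fa"):
        return True
    return amount >= STEP_UP_AMOUNT


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, for_time // TIME_STEP, digits)


def verify_totp(secret, submitted, now=None, window=1):
    """Accept the current code or one step either side to tolerate clock skew.
    The comparison is constant-time so a wrong guess leaks nothing by timing."""
    if not isinstance(submitted, str) or not submitted.isascii():
        return False
    now = int(time.time()) if now is None else now
    return any(
        hmac.compare_digest(totp(secret, now + drift * TIME_STEP), submitted)
        for drift in range(-window, window + 1)
    )


def authorize_transfer(amount, customer, secret, submitted_code=None, now=None):
    """Return 'approved', 'second_factor_needed' or 'denied'."""
    if not second_factor_required(amount, customer):
        return "approved"
    if submitted_code is None:
        return "second_factor_needed"
    return "approved" if verify_totp(secret, submitted_code, now) else "denied"


# RFC 6238 test secret, used only so the codes below are checkable against
# the RFC's published vectors; never reuse a shared, published secret.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    customer = {"id": "cust-1001", "opted_in_2fa": False}
    print(authorize_transfer(50.00, customer, RFC_TEST_SECRET))      # approved
    print(authorize_transfer(5000.00, customer, RFC_TEST_SECRET))    # second_factor_needed
    print(totp(RFC_TEST_SECRET, 59))                                 # 287082
    print(authorize_transfer(5000.00, customer, RFC_TEST_SECRET, "287082", now=59))  # approved
```

The policy function is the part a bank would tune: the threshold, the opt-in flag and any further signals (an unfamiliar device, a new payee) all belong there, so that Gerace's "small deposit" passes on password alone while a large transfer is held until the one-time code checks out. Verification accepts a single step of drift on either side; widening that window trades a little brute-force resistance for tolerance of badly synchronized devices.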
Still, the visibility of identity theft has increased consumer demand for stronger data security, and the problem has gained the attention of government regulators. As previously noted, the OCC and FDIC both passed measures addressing data safeguards. Additionally, the Sarbanes-Oxley Act spells out clear protocols for information safety. Even state legislation, such as the California law that requires companies that even suspect a data breach to inform every customer who might have been compromised, is having an impact.
But these mandates are designed with the consumer in mind, and some think they provide security at the expense of business. "I support a national notification requirement," says Vontu's Ansanelli. "But we also need to give companies protection so that if it's obvious they are trying to keep data safe and something happens anyway, they shouldn't be subject to lawsuits."
Banks Help Clean Up ID Theft Aftermath
Financial institutions have gotten a bad rap in the press about their ability to protect customer data, leading many to believe they simply do not care. Not so, says Anne Wallace, executive director of the Washington-based Identity Theft Assistance Center (ITAC), a nonprofit financial services consortium created to make life easier for victims of identity theft.
Member firms connect customers with the ITAC when the consumers have been the targets of identity thieves. ITAC helps consumers restore their good names by digging through their credit reports and helping them identify fraudulent activities, explains Wallace. Once an incident has been spotted, ITAC will send a warning to that particular entity - whether a retailer or financial institution - indicating that the consumer was a victim of fraud and requesting the organization take appropriate action.
"ITAC was driven by [financial services] CEOs who recognized that identity theft was a huge problem for their customers and their companies," Wallace relates. "They realized they were doing a good job of helping their customers within their four walls, but also understood that identity theft goes beyond these walls to other companies. ITAC reduces the frustration and delay associated with the consumer experience [of restoring their identity]."
The service is offered free to customers of member financial institutions. The initial investigation is performed by the ITAC member firm to authenticate the consumer's identity and to verify that fraud has occurred. The financial institution then connects its customer to the ITAC victim service center.
Additionally, the ITAC shares data with law enforcement. According to Wallace, information on victims is fed into the FTC's Consumer Sentinel Database, which is accessible by 2,300 law enforcement agencies nationwide.
The ITAC began running a pilot of the program in August 2004 that was initially restricted to members of the Financial Services Roundtable. Now that the testing phase is complete, Wallace says, she intends to embark on a publicity/membership campaign this fall. ITAC "is a great customer service for banks," she says. "Identity theft is one of the top anxiety producers for consumers - [ITAC] provides them with reassurance." -M.B.