Worried bank customers logging off as online ID theft grows

NEW YORK - Even as banks and regulators step up efforts to thwart identity theft over the internet, the worry that fraudsters remain one step ahead is convincing many Americans that banking online is too risky.

At an identity theft forum in New York this week, security and policy experts said banks were taking steps to stop online criminals, but that their best efforts - and consumers' own vigilance - might not be enough.

"Consumers can do everything right - not give out passwords or financial information - and still become victims," said Susanna Montezemolo, a policy analyst at Consumers Union.

An October survey, commissioned by internet security company Entrust and released at the forum, found that 18 per cent of Americans who have banked online now do so less, or not at all, because of security concerns. Ninety-four per cent say they are willing to accept extra online security protections.

The survey was conducted around the time the Federal Financial Institutions Examination Council ordered banks to tighten online access by late 2006.

The council, composed of US regulators including the Federal Reserve and Federal Deposit Insurance, expects banks to require at least two forms of authentication when the risks of online breaches are too high.

The second form can include smart cards, tokens that generate random passwords or biometrics that identify fingerprints or handwriting. The Federal Trade Commission says that annually about 10 million Americans are victims of ID theft.

Congress is considering national standards to fight back. Michael Oxley, chairman of the House Financial Services Committee, said victims of ID theft spent an average 90 hours and US$1700 ($2473) resolving the problem. Perhaps the best known form of online theft is "phishing".

This is where criminals send emails asking prospective victims to verify personal information through links to real-looking Web sites. There were 13,776 distinct phishing attacks in August, said the Anti-Phishing Working Group.

Fraudsters soon graduated to spyware and keylogging, where they monitor prospective victims' web use and keystrokes.

This year, security experts have seen a surge in "pharming". This is where criminals redirect user traffic at legitimate websites to fraudulent sites or proxy servers, without any overt indication they are doing so.

"Spyware, keyloggers and pharming are really growing," said Michael Jackson, associate director of technology supervision at the FDIC. Still, in banking, traditional forms of theft such as cheque fraud remain more prevalent than online theft.

Consumers, moreover, complain about cumbersome security procedures. The survey showed 81 per cent did not want to pay for extra online banking protection.

Montezemolo said computer users should make sure their online connections were secure, vary the identifying information they used on accounts and not work with their accounts on shared computers.

She also urged banks not to share client information among affiliates and not assign such obvious data as Social Security numbers as default log-ins.

"We need to empower consumers to opt out on whether information is used and give them tools to take more control."

- Reuters