FDIC Study on Account-Hijacking
The FDIC has issued a study on the use of technology to mitigate account-hijacking and other forms of identity theft. The complete study and findings are issued as FIL-132-2004.
According to the FDIC, account hijacking is the fastest growing form of identity theft. Account hijacking is defined as the unauthorized access to and misuse of existing accounts. This is done primarily through phishing, the fraudulent e-mails designed to trick the consumer into providing confidential account information. The other technique is hacking into the institution's computer to steal information.
The study examines how thieves are able to hijack accounts and identifies design or system weaknesses that financial institutions can and should correct. Finally, the study makes recommendations on how systems should be made less vulnerable to account hijacking.
For a long time - perhaps too long - financial institutions and their customers have relied on a single password or item of information to verify identity. All too often that single item is readily available to attackers in today's information world: the standard identification by mother's maiden name, for example, can be discovered in a few minutes on genealogy sites.
Single-item verification is not the only system weakness found in the study. Internet banking and e-mail systems may have insufficient verification systems. In the rush to get on the Internet and offer services electronically, some banks paid insufficient attention to how they could be certain that their customer and not someone else was at the other end of the connection.
FDIC makes several recommendations on ways to strengthen information security and reduce account hijacking. These include:
- Upgrade password-based single factor customer authentication to more complex systems.
- Use scanning software to identify and defend against phishing.
- Use fraud-detection software to identify hacking and account hijacking.
- Provide information and education to customers - and guidelines on how to identify genuine communications from the institution.
- Comply with BSA requirements and share information with other institutions to prevent or minimize fraud.
FDIC is accepting comments on the study until February 11, 2005. This is an opportunity to share any fraud activities or techniques that your institution has identified so that the information can be added to the study.
Copyright © 2004 Compliance Action. Originally appeared in Compliance Action, Vol. 9, No. 15, 12/04
First published on 12/01/2004