Surveillance State

February 27, 2008 8:06 AM PST

Identity theft study reveals HSBC, BofA, Wamu top targets

by Chris Soghoian

Customers of HSBC, Bank of America, and Washington Mutual suffer the highest rates of identity theft in the banking industry, according to an investigative study released Wednesday by a UC Berkeley Law School researcher.

The Federal Trade Commission received over 245,000 reports of identity theft in 2006, but does not typically publish the names of the financial firms and companies listed in the reports. Through an extensive Freedom of Information Act request, Chris Hoofnagle, a staff attorney at UC Berkeley's Boalt School of Law, was able to get detailed records on the individual consumer complaints.

Hoofnagle received detailed information for three randomly chosen months in 2006: January, March, and September. These months included data from 88,560 complaints, with 46,262 names of institutions identified by victims.

Estimated Annual Incidents Per Billion in Deposits Among Largest US Banks (2006)

(Credit: With permission from Chris Hoofnagle)

Once he crunched the numbers, Hoofnagle discovered that HSBC had the highest rates of reported identity theft in the financial industry during 2006, when adjusted for billions of dollars in deposits. Bank of America and Washington Mutual came in a close second and third. According to Hoofnagle's stats, HSBC had 21 incidents of identity theft per billion dollars in deposits, Bank of America/MBNA had about 17, while Washington Mutual had 16. Online banking leader ING had the lowest rates in the industry, with just a single reported incident.

Technically, American Express and Capital One lead the pack--with 485 and 242 respective incidents per billion dollars in deposits. However, Hoofnagle excluded them from the graph due to the small scale of each company's banking operation (Amex's 7 billion in deposits compared with Bank of America's nearly 760 billion).

Outside of the financial services sector, telecom giants AT&T and Sprint suffered from more than 9,100 and 8,300 estimated reported cases of identity theft. As the firms do not publish the numbers of customers they serve, it was impossible for Hoofnagle to break these numbers down further.

While the FTC incidents that Hoofnagle examined were from 2006, a number of recent reports indicate that HSBC has recently been overwhelmed with "a wave of banking fraud." Real numbers to back up these reports will not be available from the FTC for some time.

The levels of theft described by Hoofnagle match up nicely with a 2007 report released by Cambridge University researchers, which revealed that Bank of America and Washington Mutual took the longest time to shut down phishing sites targeting the banks. Sites masquerading as BofA and Wamu typically stayed online for more than 100 hours, compared with less than two days for Chase and PayPal.

Finally, while the FTC publishes an annual identity theft report, it is not required to break down its figures and reveal the names of the most frequently victimized banks. While states like California have been able to pass significant pro-consumer data breach legislation, this is one area where states have little power. Incidents of identity theft are primarily reported to the FTC, and not to state attorneys general. To force the FTC to voluntarily publish such data, federal legislation will be required--something that is unlikely to happen.

Hoofnagle's 16-page study, with detailed numbers and graphs, can be found here.

February 13, 2008 7:00 AM PST

AT&T, Microsoft win as ID theft bill eviscerated

by Chris Soghoian

Update: This blog post has been modified since it was first published. Click here for more details, or scroll to the bottom to see the original text.

A pro-consumer, bipartisan data-breach bill was stripped of most of its provisions before its feeble remains were finally passed by an Indiana Senate committee on Tuesday.

This came after two weeks of intensive lobbying by AT&T, Verizon, Microsoft, and LexisNexis, all of which wanted to kill the bill. For the most part, they were successful.

In a blog post last week, I explained how I had worked with my state Rep. Matt Pierce (D-Bloomington) to draft and submit a data-breach bill. The bill fixed a number of major loopholes in the existing laws and borrowed heavily from existing laws in pro-consumer states such as New York, California, and New Hampshire.

It also broke new legal ground and would have made Indiana the first state in the country to require that all data breach reports impacting state residents be put online at the state attorney general's Web site. This is something that the New Hampshire Department of Justice already does, but out of a voluntary effort to help consumers and not due to a legal mandate.

Indiana's existing data-breach statute has a number of major loopholes. The most critical of these is that companies are not required to disclose a data loss/theft incident, as long as the device in question is protected with a password. The law does not require encryption of all confidential user data, but instead lets companies off the hook as long as they employ a Windows log-in password. These passwords do little to protect data, as they can be broken in a matter of seconds using free tools--or an attacker can use a Linux boot CD to read the data directly off the drive.

In a committee meeting Tuesday morning, Republican committee members successfully eviscerated the bill, reducing it to a mere 17 lines of text from the original 72. The Web site report provision and the requirement that companies notify the state attorney general whenever a data breach is discovered were stripped. A section of the bill that created incentives for companies to follow encryption and key management practices "in a manner consistent with the best practices common in the industry" was also removed.

Thankfully, the most important part of the bill (which requires real encryption and not just a Windows log-in password) remains, for now.

It only took six votes to completely gut the bill--as the other five members of the committee failed to show up for the vote. On Tuesday afternoon, I spoke with state Sen. Tim Lanane, one of the two Democrats who voted on the bill.

"I certainly didn't support the amendment," he told me, "but I also heard Rep. Pierce (the author of the bill) say that he preferred to have a bill pass, as opposed to it dying in committee."

Lanane told me that his vote was strategic, as he knew that "the (Republican) chairman was not likely to pass the bill (as originally written). Rep. Pierce knew that too." In the end, he added, it was "better to have something come out of committee rather than nothing."

Lanane told me that it is still possible to have the original pro-consumer provisions added back into the bill once it reaches the full Senate, and later if it comes up in a House/Senate conference committee.

The bill sailed through the House of Representatives a few weeks ago, passing 94-0. Unfortunately, when I drove up to the state capital last week to testify in front of a Senate committee, I discovered that big business was gunning after the bill.

At least 10 lobbyists were waiting at the committee meeting, many having flown in from Washington D.C., and were going to do their best to have the bill eviscerated. The lobbyists represented household names such as AT&T, Microsoft, Verizon, Comcast, and LexisNexis.

The lobbyists claimed that consumers could be easily confused by online breach reports, that such reports could be misused by evil phishers and fraudsters as a way of adding authenticity to their attacks, and finally that the reports could act as an unfair scarlet letter for companies that make mild data-breach mistakes.

The New Hampshire Department of Justice has posted data breach reports to its Web site for over two years. In order to learn more about the site, I recently spoke with Lauren Noether, the bureau chief of the New Hampshire DOJ's Consumer Protection Office. She told me, "I think it's important for the public to know that there are these types of breaches." She added that "any information that helps a consumer to make decisions about with whom they want to do business is helpful."

With regard to the reports, she stated that "we have them online so that anyone--the media, the public--can look at them, just to see what's out there in the world of security problems."

She also noted that the reports have been useful for businesses that have recently suffered a breach. "People have called me and asked do I have a form?" She said that she is able to tell them that "you may want to take a look at the ways that other companies have reported it to us."

Noether told me that she hasn't heard a single complaint about the Web site and that she hasn't received any information to suggest that criminals were using the site to add credibility to their phishing attacks.

So much for the claims of the lobbyists. It's worth noting, however, that LexisNexis, one of the firms that flew a Washington D.C. lobbyist to Indianapolis to testify against the bill, has three different data breaches from 2007 listed on the New Hampshire DOJ site. Perhaps the company should spend more resources on protecting its customers' data, and less on lobbying?

Update: The text below was deleted from the post on February 18th. More details on its removal can be seen here. The original text has now been put back.

AT&T donated over $170,000 to Indiana state legislators in the 2006 election cycle while Verizon donated $48,000. Furthermore, while I'm sure that all 11 of the senators on the committee are all upstanding and honest legislators, I think it's worth mentioning that only one senator (Arnold) has not received thousands of dollars from AT&T in the past. The rest have all taken Ma Bell's money: Steele (R), Bray (R), Drozda (R), Zakas (R), Waltz (R), Waterman (R), Howard (D), Young (D), Tallian (D), Lanane (D).

I'm sure this in no way influenced their votes on Tuesday, but it sure does give you food for thought.

Update 2: When I wrote that original blog post back in February, detailing which members of the committee had received donations from AT&T, I neglected to do a bit of research. My efforts had been focused on just the members of the Senate Committee. I completely forgot to look up the donation history of Senator Brandt Hershman, the Republican Majority Whip, Senate "sponsor" of HB 1197, and the author of the amendment that stripped away 3/4 of the provisions in the original bill.

It turns out that while the senators on the committee each received $2000 from AT&T over the past few years, Senator Hershman has received even more love from Ma Bell. He received $4000 from AT&T in 2004, and another $2500 in 2006 -- AT&T was his top contributor that year.

Again, just as with the other senators, I'm in no way claiming that Senator Hershman's actions were motivated by the big fat checks he received from AT&T. I am sure that he amended the bill to strip out the parts hated by lobbyists only after carefully considering the issues, and coming to the conclusion that Indiana consumers do not need an easy way to find out about companies that lose their personal data.

January 11, 2008 7:25 AM PST

Report: TSA site put travelers at risk...and a bit of poetic justice

by Chris Soghoian

UPDATE: See below for TSA's response.

A scathing congressional report released Friday confirms that security flaws in a Transportation Security Administration site put thousands of Americans at risk of identity theft.

The report (PDF) also reveals that a no-bid contract to create the site was awarded to an outside company by a TSA employee who had previously worked for that company. Was this just business as usual at TSA?

TSA: Security ain't its forte

(Credit: CNET)

In October 2006, the TSA launched a Web site to help travelers whose names were erroneously listed on airline watch lists. This site had a number of security vulnerabilities: it was not hosted on a government domain; its home page was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. Furthermore, the site was filled with typos and other errors, causing some to wonder whether TSA's site had been taken over by phishers.

The report notes that TSA's chief information security officer conducted a detailed security accreditation review of the traveler redress site before it went live. He/she did not notice any of the glaring holes that I highlighted in my initial blog post on the subject. The report does not note whether the chief information security officer was ever punished for this failure to detect obvious flaws.

For the four months that the site was up, thousands of people visited it, and 247 travelers submitted highly personal information (including their Social Security number and place of birth) through an insecure, non-SSL encrypted form. TSA's lax security practices resulted in thousands of Americans being put at a direct risk of identity theft.

The site was only taken down after I discovered it in February 2007 and posted something to my blog. Shortly after, Wired and a number of other sites picked up the story, and TSA was shamed into pulling down the site.

In addition to noting the security problems on the site, I also expressed significant skepticism regarding Desyne Web Services, the Virginia-based Web site design firm that was running and operating the site. In my original blog post, I wrote:

"This begs the question: Who are these guys, why don't they know how to use SSL and how were they awarded this sweet contract? Why can't TSA do a simple form submission themselves?"

My initial concern seems to be well founded, as the newly released report reveals. The TSA official in charge of the project awarded the contract--without competition--to one of his former employers, a company owned by one of his high school buddies.

Proving that this is just business as usual for TSA, the report notes that "neither Desyne nor the technical lead on the traveler redress Web site have been sanctioned by TSA for their roles in the deployment of an insecure Web site. TSA continues to pay Desyne to host and maintain two major Web-based information systems. TSA has taken no steps to discipline the technical lead, who still holds a senior program management position at TSA."

UPDATE: When reached for comment, TSA spokesman Christopher White stated that "every issue that the committee brought up has been addressed many months ago. We are not interested in rehashing last year's issues."

When asked whether TSA is concerned with the ethical concerns that surrounded the no-bid sweetheart contract, he stated that there are "no ethical issues (to be) brought up. We hold ourselves to very high ethical standards. It is useless for the American public to rehash this old garbage that doesn't exist today."

He also stated that "many many months ago, when this was a legitimate issue, TSA did notify each person who may have been affected." However, he said, TSA "did not offer to pay for credit monitoring" for those passengers. He stressed that, "we have absolutely no indication that anyone's identity has been misused as a result of this incident."

White could not immediately answer questions related to the complete lack of sanctions for the TSA employee managing the contract and promised to get back to me after looking into the issue.

For those readers who are not aware, the FBI conducted a 2 a.m. raid of my home back in October 2006, after I created a Web site demonstrating the ease with which passengers could create fake boarding passes. After the FBI dropped its investigation, the TSA investigated me for six months and threatened me with tens of thousands of dollars in civil fines. No charges were ever filed.

I discovered the initial security flaws in TSA's redress Web site, and the congressional investigation is a direct result of a blog post that I wrote in February 2007. I'd be lying if I said that I wasn't grinning from ear to ear with the news of this report.

It's poetic justice, if you will, for the unpleasantness that TSA put me through.

Desyne, the firm that created the Web site, could not be immediately reached for comment.

January 10, 2008 7:00 AM PST

Twice bitten: Acts of stupidity can lead to identity theft

by Chris Soghoian

A British TV presenter has learned the hard way that identity theft is serious, and in the process, become the joke of the moment for privacy bloggers. More importantly, this is the second time in just one year that such a thing has happened. This blog post explores the latest incident, looks back to the past, and then concludes with a more broad analysis.

Identity Theft

(Credit: CarbonNYC / Flickr)

Jeremy Clarkson, host of the BBC show Top Gear, recently wrote an article for the U.K.'s Sunday Times in which he ridiculed the uproar that had occurred after the British government admitted to losing two compact discs containing the personal information on 25 million people. To prove his point that there was no risk of financial fraud for those consumers, he published his bank account details, and instructions on how to locate his address. Writing in the Times, he claimed that "All you'll be able to do with [the account numbers] is put money into my account. Not take it out. Honestly, I've never known such a [fuss] about nothing."

The following week, he changed his tune after learning that an identity thief with a sense of humor had used the details to create an automatic bank transfer to the charity Diabetes UK.

"I opened my bank statement this morning to find out that someone has set up a direct debit which automatically takes £500 from my account," he said. "The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again."

Admitting the error of his previous article dismissing identity theft concerns, he wrote that, "I was wrong and I have been punished for my mistake." The incident seems to have changed his opinion about the risks to which the 25 million Brits have been exposed. "Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy."

While news of Mr. Clarkson's woes has been mentioned around the blogosphere in the past few days, no one seems to have connected the dots to another similar event from 2006.

LifeLock CEO Todd Davis

(Credit: LifeLock)

Todd Davis is the CEO of LifeLock, a company that offers a mostly useless $10 per month identity theft protection service. In an effort to eat his own dogfood, and promote his company's service, Mr. Davis includes his social security number in all of the company's advertisements--see here. A full page ad in this week's USA Today had his SSN listed in big letters.

Making a mockery of LifeLock's identity theft protections, a Texas man in 2006 was able to secure a $500 payday loan with Mr. Davis' social security number.

While the BBC's Clarkson can be forgiven for not hearing about the woes of LifeLock's CEO, I think an important lesson can be drawn from these two incidents: Identity theft is real, and easy to commit with just a few bits of personal information.

I've been mildly jealous of Mike Godwin and Prof. Ed Felten for some time--as they both have 'laws' named after them. I think it's time for my own.

Thus, I now introduce Soghoian's Law of Identity Theft Stupidity: Anyone who publishes their own private financial details in a public discussion of identity theft will eventually find that information used for fraud.

October 12, 2007 7:14 AM PDT

Why don't US airlines check passenger IDs? Money

by Chris Soghoian

Why were US airlines able to stop checking IDs at the gate less than a year after 9/11, while European and Asian airlines still to this day check identity documents? Has this resulted in a lower level of flight security in the US? Do US airlines know something the Europeans don't, or do they just have more lobbying power with their government? This blog post analyzes the economic reasons behind the US airlines' decision to stop checking IDs, and exposes the fact that US Passenger Name Record (PNR) data is, for the most part, unreliable and worthless.

This blog post is a more formal writeup of part of my talk at the IDMAN 07 workshop in Rotterdam yesterday, which goes hand-in-hand with my soon to be published research paper: Insecure Flight: Broken Boarding Passes and Ineffective Terrorist Watch Lists.




The airlines have designed a complex system of price discrimination for their tickets. This sounds worse than it really is though. Simply put, the airlines try and charge each passenger as much as that passenger will be willing to pay. Students get special discounts, those who plan their trips a few months in advance get cheaper prices, while business travelers purchasing tickets the day before their flight pay through the nose. This is by no means a strategy solely used by the airlines - five cent coffee for the elderly at McDonald's, AAA discounts at hotels, and early bird breakfast specials are all a form of price discrimination.

Seguridad

(Credit: Daquella manera / Flickr)

For price discrimination to be effective, the airlines need to restrict the ability of passengers to resell tickets. Otherwise, passengers would resell unwanted tickets on eBay. This system is primarily enforced by requiring passengers to show ID when they check-in. The airlines will not permit someone to fly using a ticket purchased in someone else's name.

Not every passenger has to check in at an airline counter, as print-at-home boarding passes allow passengers with just carry-on bags to skip the check-in counter at the airport and go straight to the security checkpoint. Luckily for the airlines, the Transportation Security Administration also checks passenger ID, and compares each passenger's identity documents to his or her boarding pass. If your ID and boarding pass do not match, TSA will not let you past their checkpoint.

TSA's ID checks are not enough to make sure that only the "right" people get on airplanes. Two passengers flying to different destinations (domestic or foreign) can swap boarding passes once they've successfully walked through the security checkpoint. A passenger can purchase a fully refundable ticket for a flight to San Francisco, go through security, and then travel to New York on a ticket purchased in someone else's name (after calling up the airline to cancel the first ticket, and get his money back, of course). Finally, passengers can simply refuse to show ID to TSA officials, get patted down at the checkpoint, and then board a flight using a ticket purchased in any name they wish.

Terrorist Boarding Pass

(Credit: Fred Beneson / Flickr)

All of these techniques for evading the name/boarding pass checks are possible primarily because the airlines do not compare a passenger's ID to the name in their computer at the time the passenger boards the flight. This mandatory check was introduced shortly after 9/11, but less than one year later, the airlines had managed to petition the government to allow them to stop the checks. The airlines complained that the additional ID checks were expensive and slow to do, and as a result, were causing flights to be late. Compare this to Europe and Asia where pre-boarding ID checks are mandatory in most countries. The European airlines still seem to turn a profit, and are no later than their American peers.

And now for the second economics lesson of the day:

In economics, an externality occurs when the participants in an economic transaction do not shoulder all of the costs or reap all of the benefits of the transaction. For example, manufacturing that causes air pollution imposes costs on the general public and not just on the manufacturing companies that fill the air with soot.

Now let's apply this new term to the world of airplane tickets and ID. The airlines have designed a complex system of price discrimination for the sale of their tickets in which two passengers sitting next to each other on a flight could have paid vastly different sums for the same ticket. The current system of ID checks is not actually sufficient to restrict the use of airplane tickets to those whose names are printed on them. Furthermore, the airlines in the US are not willing to shoulder the financial cost of enforcing the ID/boarding pass restrictions which would stop people from evading their discriminatory price controls.

An important question that must then be answered is: how is the price discrimination still working? If anyone can get on an airplane on a ticket in someone else's name, and there is such a large difference in the price of tickets between students and businessmen, why are more students not selling their plane tickets on eBay?

The answer to this question comes down to externalities. TSA performs an ID check at the security checkpoint. Anyone showing false ID to a TSA employee is breaking a federal law. Furthermore, attempts to travel with someone else's boarding pass are also potentially illegal - although the law here is a little bit more unclear. TSA's checks, and the threat of federal punishment are enough to stop the vast majority of would-be airline ticket ebayers from attempting to fly on someone else's ticket.

As I mentioned before, there are several methods of evading the ID/boarding pass checks. While these may be illegal, they are all more than likely to result in a successful flight for the passenger.

For the airlines, their decision to not check IDs at the gate is simple and logical: The additional staff labor required to check every passenger's ID at the gate would cost more than any revenue lost due to the small minority of passengers who are willing to face federal prosecution for attempting to travel using a ticket purchased in someone else's name. The threat of TSA action against a passenger who bought their ticket from eBay is enough to keep 99% of passengers "honest".

The airlines do not feel the financial need to check ID (and thus enforce their system of price discrimination) because TSA does it for them, albeit in a way that can be evaded by motivated passengers willing to risk legal action.

TSA's Data Vacuum

(Credit: Unsecureflight.com)

TSA has made a big deal about acquiring Passenger Name Records (PNRs), the databases of passengers on each flight, and the usefulness of the data in fighting terrorism. This information is especially valuable for passengers coming in from Europe and other parts of the world, as it means TSA or other government agencies can tell an airplane to turn around if we do not like the name of a passenger who is onboard.

The problem with PNR data is that, at least for any flights originating in the US, the data is completely useless. As I've discussed above, there are a handful of ways through which a passenger could get on a flight without the airline (and thus the government) knowing who they are. If the airlines can't be sure who is on their flight, then their passenger data is worthless. For the purposes of giving out frequent flier miles, it is sufficient, but if you want to use the data to search for bad guys, enforce a national dragnet, or create a creepy surveillance state, the data is no good.

How do we fix this?

Personally, I'd prefer to live in a world where records of our travel were not kept, and where people who no longer wished to go to Hawaii for spring break could resell their plane tickets on eBay. However, that is not likely to be the same world in which most of the Homeland Security establishment wish for us to live. As an exercise in system security design, let's at least try and "fix" things in such a way that the US government is able to get an accurate list of who is flying. Furthermore, let's be realistic, and recognize that the airlines have massive political power in Washington DC, and thus we cannot depend on Congress passing a law requiring the airlines to check passenger IDs at time of boarding.

I propose a slightly unconventional solution: TSA should no longer require that passengers have a valid boarding pass to get past the security checkpoint. Just as passengers can currently decline to show ID - and get subjected to a more stringent security search - passengers should equally be able to decline to show a boarding pass. Passengers refusing to show a boarding pass would simply be given the SSSS treatment (a pat down, a carry-on bag search, and perhaps a few questions). Flight security would in no way be put at risk, as TSA would be sure to verify that such passengers would not have any dangerous items on them.

TSA would also need to make it clear that it is not a federal offense to fly on someone else's ticket, and make a public commitment not to harass any passengers for attempting to do so. With such a change in TSA policy, the airlines would no longer be able to depend on TSA enforcing their discriminatory price controls for tickets. TSA's job would be scaled back to making sure that bombs, knives and other weapons are kept off airplanes, and the airlines would then have to shoulder the cost of matching passenger ID to reservations. If faced with the threat of thousands of resold and traded airplane tickets, it is quite likely that the airlines would quickly follow their European peers, and begin to perform checks before flight boarding.

The benefits of such an action, other than a sharp reduction in TSA workload (and thus staffing needs), would be a huge increase in the reliability of airline PNR database records. Simply put, the airlines would then be able to confirm with some accuracy the identities of each passenger on an airplane. For those of you who believe that the government knowing the identity and location of your fellow citizens will make you safer, then such an action by the airlines would result in a safer flying experience. How strange....

Caveat: Passengers using fake ID would still be able to evade the airline's checks, but using a fake ID is already illegal. People willing to do this cannot be stopped by TSA currently.


About Surveillance State

Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society, and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure.
