By Jonathan Stempel
Even as banks and regulators step up efforts to thwart identity theft over the Internet, the worry that fraudsters remain one step ahead is convincing many Americans that banking online is too risky.
At an identity theft forum in New York on Tuesday, security and policy experts said banks are taking appropriate steps to stop online criminals, but that their best efforts -- and consumers' own vigilance -- may not be enough.
"Consumers can do everything right -- not give out passwords or financial information -- and still become victims," said Susanna Montezemolo, a policy analyst at Consumers Union, in an interview.
An October survey commissioned by Internet security company Entrust Inc. and released at the forum found that 18 percent of Americans who have banked online now do so less, or not at all, because of security concerns. Ninety-four percent say they're willing to accept extra online security protections.
The survey was conducted around the time the Federal Financial Institutions Examination Council ordered banks to tighten online access by late 2006.
The council, composed of U.S. regulators including the Federal Reserve and Federal Deposit Insurance Corp., expects banks to require at least two forms of authentication when the risks of online breaches are too high. The second form can include smart cards, tokens that generate random passwords, or biometrics that identify fingerprints or handwriting.
Some 10 million Americans are ID theft victims each year, the Federal Trade Commission estimates.
Congress is considering national standards to fight ID theft. Michael Oxley (R-Ohio), chairman of the House Financial Services Committee, said victims of ID theft spend an average 90 hours and $1,700 resolving the problem.
ID THEFT METHODS PROLIFERATE
Perhaps the best known form of online theft is "phishing." This is where criminals send e-mails asking prospective victims to verify personal information through links to real-looking Web sites. There were 13,776 distinct phishing attacks in August, according to the Anti-Phishing Working Group. "Not only do they ask you to 'confirm' your identity, but they also offer you bogus, fake 'banks' to use if you do fall for their deception."
Fraudsters soon graduated to spyware and keylogging, where they monitor prospective victims' Web use and keystrokes.
This year, security experts have seen a surge in "pharming." This is where criminals redirect user traffic bound for legitimate Web sites to fraudulent sites or proxy servers, without any overt indication they are doing so.
"Spyware, keyloggers and pharming are really growing," said Michael Jackson, associate director of technology supervision at the FDIC, in an interview. "Banks could step it up a notch in terms of security, which is why we have the guidance."
Still, in banking, traditional forms of theft such as check fraud remain more prevalent than online theft.
Consumers, moreover, complain about cumbersome security procedures. Tuesday's survey showed 81 percent don't want to pay for extra online banking protection.
Consumers Union's Montezemolo said computer users should make sure their online connections are secure, vary the identifying information they use on accounts, and not work with their accounts on shared computers.
She also urged banks not to share client information among affiliates, and not assign such obvious data as Social Security numbers as default log-ins.
"They'll never have 100 percent control," she said. "But we need to empower consumers to opt out on whether information is used, and give them tools to take more control."
InfoSurv Inc. conducted the online survey of 710 people for Addison, Texas-based Entrust during the week of October 17. The margin of error is plus or minus 3 percentage points.
Copyright 2005 Reuters Limited.
[TELECOM Digest Editor's Note: One of the major banks, Bank of America, has considered having a picture (a .jpg perhaps?) of the customer on line to help 'prove his identity', so that if a phisherman comes along asking you to do something allegedly for BOA, _your_ picture will have to be part of whatever _authentic_ request is made by the bank. All well and good, I suppose, but what prevents the phisherman from adding the same .jpg files to his pitch letters? PAT]