I think you've missed the point. In spite of what the banks may tell you, there is no reason for the information required by an entity to verify your identity to also be sufficient for that entity to impersonate you. The attitude of, 'we need to know all about you so we can be sure who you are' (and consumers' acceptance of that attitude) is exactly the problem.
As I said, there are technical solutions. Biometrics (and fingerprints in particular) are probably not among them. Most such systems depend on giving the bank yet another set of information that is just as useful for impersonation as it is for authentication. I realize that biometric systems seem flashy (and banks would undoubtedly like to use them to defeat consumers' claims of fraud--at least until some scammer demonstrates how easy they are to defeat) but they are really just more hoops for the consumer and they lack provable nonrepudiation characteristics.
A system where neither the authentication information provided by the consumer in a transaction _nor_ the information held by the bank is sufficient to later impersonate the consumer would solve most of the problem without flashy fingerprint readers. Combined with mutual authentication it would solve almost all of the problem. (You still can't do much about simple duress.) The technology to achieve this solution has been around for decades.
As I said, there are procedural solutions. Laws to protect "privacy" are probably not among them. Keeping information "secret" while sharing it within an entire industry is a hard (and unnecessary) problem. The goal should be to make the information useless by itself. Credit inquiry locks are a simple procedural approach, but unfortunately credit agencies are opposed to them.
I can't tell whether you are being sarcastic or whether you really believe that banks deserve this privileged position in the authentication hierarchy. Either way, I would point out that (a) it isn't the banks' money and (b) in the long run the fraud is going to cost the banks more than any benefit from such privilege can be worth.
Again, you have missed the point. (Or else you just aren't reading what I wrote at all.) The minicams were installed by the scammers. They had nothing to do with identifying the perpetrator. They were used *by* the perpetrators to commit the fraud!
Hmm. I think you've just provided a great example of the problem of unquestioningly assuming that any high-tech security gadget must be working on behalf of the bank ...
Dan Lanciani ddl@danlan.*com