Shostack + Friends Blog Archive

 

US Banks Rated for Identity Theft

Chris Hoofnagle has completed a paper which ranks US financial institutions according to their relative incidence of ID theft, based on reports to the FTC by consumers who named an institution.
Chris (like another Chris I know) would like to see more complete information on ID theft available to consumers, so they can make informed decisions about with whom to do business. In an earlier paper [link to http://jolt.law.harvard.edu/articles/pdf/v21/HOOFNAGLE_Identity_Theft.pdf no longer works], he argued that banks should publicly disclose identity theft statistics.
From the current paper’s abstract:

There is no reliable way for consumers, regulators, and businesses to assess the relative incidence of identity fraud at major financial institutions. This lack of information prevents more vigorous competition among institutions to protect accountholders from identity theft. As part of a multiple strategy approach to obtaining more actionable data on identity theft, the Freedom of Information Act was used to obtain complaint data submitted by victims in 2006 to the Federal Trade Commission. This complaint data identifies the institution where impostors established fraudulent accounts or affected existing accounts in the name of the victim. The data show that some institutions have a far greater incidence of identity theft than others. The data further show that the major telecommunications companies had numerous identity theft events, but a metric is lacking to compare this industry with the financial institutions.

This is an area fraught with methodological challenges, many of which are due to sparse (or, as I have intimated with regard to ID Analytics for example) proprietary data. Chris’ paper simultaneously shows what can be done with what we have, and why we’d be better off if we had more.

One comment on "US Banks Rated for Identity Theft"

  • Alexandre Carmel-Veilleux says:

    Whenever comparing data like this, the biggest challenge is to normalize the data in useful ways.

    Fraud per billion $ in deposit for example will likely over-represents retail banks (BoA/MBNA, the largest MasterCard issuer, being the poster child) and under-represents banks that cater to smaller markets and/or market segments with few wealthier customers.

    Clearly the Fraud per billion $ in deposit metric attempts to factor in the financial impacts of the banks by assuming some proportionality in fraud size vs. bank size. Without accounting for mean/median customer size, financial impact is not modeled very accurately.

Comments are closed.