Comments to the Federal Deposit Insurance Corporation

Introduction

The National Consumers League (NCL) is a nonprofit organization that was established in 1899 to protect and promote social and economic justice for consumers and workers in the United States and abroad. Since it was founded, NCL has used research, advocacy, and education to advance those goals. Recognizing the serious economic and social impact of fraud, NCL created the National Fraud Information Center (NFIC) in 1992 to provide advice to consumers about telemarketing fraud and enable them to report scams to law enforcement agencies through us. In 1996 NCL created a companion program, the Internet Fraud Watch (IFW), to assist consumers with questions and problems concerning fraudulent online solicitations. Consumers can get advice and report suspected telemarketing and Internet fraud through the toll-free NFIC/IFW hotline, 800-876-7060 or via the Web site, www.fraud.org.

While the NFIC/IFW does not generally take complaints about identity theft, in December 2003 we added a new category for “phishing” to our fraud database. Since then, this has become one of the problems we hear about most. In 2004 it ranked as the #4 Internet fraud and the #10 telemarketing fraud reported to the NFIC/IFW. In most cases in which consumers gave their personal information in response to a phishing attempt, they had not yet experienced any loss or other problem at the point that they reported the incident to the NFIC/IFW. What prompted them to contact us? It is because they had a lingering suspicion that the request for their personal information might have been fraudulent. This suspicion presents a good opportunity for public education.

NCL has already begun work to educate the public about phishing. There are tips about the scam in both the telemarketing and Internet fraud sections of www.fraud.org.
In addition, in August 2003 NCL launched a major public awareness campaign with an educational grant from the Star ATM and Debit Network. This included creating a new Web site, www.phishinginfo.org, and print, radio, and television public service advertisements to drive people to the site. We also produced a brochure about phishing, which is available in PDF form on the Web site and in hard-copy form from NCL.

NCL also provides tips about identity theft in a section of its parent Web site entitled “Invasion of the ID Snatchers,” which can be found at www.nclnet.org/privacy. Much more needs to be done to continue and expand our educational efforts. Our partnership with Star shows how diverse organizations can work together on this issue.

Comments on the FDIC Study

We believe that the study by the Federal Deposit Insurance Corporation (FDIC), “Putting an End to Account-Hijacking and Identity Theft,” which was released on December 14, 2004, is a helpful tool for evaluating technology that may enable financial institutions to reduce the risks posed by certain types of ID theft. However, it does not adequately address the privacy and other social concerns that arise with the use of some of these technologies. These concerns must be given equal weight as solutions to ID theft are considered.

For example, while biometrics may be highly effective in verifying a customer’s identity, many people are very concerned about having to provide extremely sensitive personal information such as fingerprints for commercial purposes. How secure would this information be? The consequences if it is obtained and used by identity thieves would be even more serious than the potential problem that the consumer and business were seeking to avoid. Who would have access to that information?
If it was used for secondary purposes, such as to identify illegal aliens or for other law enforcement investigations, that could have a very chilling effect on the use of banking and other basic consumer services.

Another example of a technical solution that raises social concerns is email sender authentication. What effect would this have on people’s ability to communicate by email? Whistle-blowers and others who have a need to remain anonymous could be significantly impacted. Small organizations and individuals might find it burdensome and costly to comply with sender authentication requirements. And publishing one’s sender address might result in a deluge of spam, already a huge problem, on the receiving end.

Rather than focusing on whether there should be one-factor authentication, or two-factor, or more, the FDIC should encourage smart authentication. Our definition of smart authentication would be techniques that are adequately effective to identify individuals for the intended purpose, that will be used for that purpose only, that are the least privacy-intrusive possible, that are easy and inexpensive for people to use, and that can be adequately secured from unauthorized access or other abuses.

We agree with the FDIC that institutions should use scanning software and other technologies to proactively identify phishing and account hijacking. Often the burden is placed on consumers to defend against identity theft, when it is at least as important, if not more, for businesses to prevent identity theft by protecting their own brands and customers.

The study calls for strengthening educational programs to help consumers avoid scams such as phishing. While the text specifically refers to “online scams,” we urge the FDIC to think more broadly, since scammers also obtain personal information via the telephone and other means in order to hijack consumers’ accounts.
Finally, information sharing should be broader than the FDIC recommends in the study, to include, where appropriate, consumer organizations and other groups. It is essential for organizations such as NCL to understand the problems in the marketplace and the solutions that are being contemplated in order to ensure that the consumer perspective is taken into account and to collaborate on public education in that regard.

We appreciate the opportunity to provide comments on this study and look forward to working with the FDIC and others in the ongoing battle against identity theft.

Respectfully submitted,

Susan Grant