ABA Bankers News℠

The Biweekly Newspaper of the American Bankers Association

Volume 8, Issue 16 – August 8, 2000

By Patrick Dalton

have documented the growing number of information brokers and identity thieves who have been making fraudulent pretext calls to banks to obtain personal financial information. In recent years, an increasing number of them have been marketing that information on the Internet. ABA Bankers News asked Rob Douglas, CEO of American Privacy Consultants, Alexandria, Va., to talk about the burgeoning problem and what banks can do to combat it.

Douglas, one of the nation’s foremost experts on preventing identity theft, has testified before Congress, participated in ABA conferences and authored the employee training section of ABA’s Financial Privacy Toolbox. Douglas can be reached at douglas@privacytoday.com. He also will participate in the ABA telephone briefing on the new privacy regulations, Aug. 23, 2-4 p.m. EDT. For more information, call 1-800-BANKERS.

 

Q.  How extensive is the sale of personal financial information on the Internet?

A. Personal financial information is bought, sold and traded on the Internet at a growing rate. Two years ago ... about 200 companies were doing it. We have not seen a decline in that activity since the passage of Gramm-Leach-Bliley, which made using pretext calling to illegally gain access to financial institutions’ customer information a felony. These Web sites sell bank account numbers, bank account balances, credit card numbers and individual credit card transactions.

 

Q. Could you give us an example of how these companies operate?   

A. FTC [Federal Trade Commission] just settled the prosecution of a company in Colorado. It was just one information broker company run by a husband and wife team with six or seven employees. But they had 1,500 private investigator-information broker clients. Their employees were working the phones full time running pretext [calls]. Every day of every business week they were sitting there dialing for dollars. This is not an imaginary problem. This is a very substantial problem.

 

Q. Is all this personal banking information on the Web gleaned from pretext calling?

A. Overwhelmingly. I would say 90 percent or more.

 

Q. What makes financial institutions so vulnerable to pretext calling and identity theft?

A. The pretexters, information thieves, and identity thieves prey on the fact that the banking system is a customer service-oriented business. If you can’t provide a customer’s own information to them, they’re not going to bank with you. If you make it too difficult for them to access what is their own, you’re going to have hostile customers on your hands.

 

Q. Is there a type of employee who is particularly susceptible to pretext calling?

A. The identity thief preys upon your willingness to help. That’s why some of your best employees, the ones that get employee of the month awards ... because the customers rave about how helpful they are, are sometimes the most susceptible to being conned out of the information. That’s not to say that everybody should become draconian, that everybody should not be helpful. What’s most important — what I really tried to emphasize in the ABA Privacy Toolbox — is balance.

 

Q. What should banks do to combat pretext calling?

A. Employees need to be educated about the problem and they need to understand how to spot a potential pretext call. I go over some of that in the Privacy Toolbox. Equally important, institutions need to test their own systems. If you look at the banking regulators’ advisory letter 98-98, they say you need to be aware of this problem and you also should consider internal or external audits of your system.

 

Q. When bankers assess their own security systems, what is their top concern? 

A. The most frequent question I get from bankers ... is whether the mother’s maiden name is secure enough as a password.

 

Q. How would an information broker research the mother’s maiden name?

A. Database technology today can cross-reference a lot of information on an individual. There are several proprietary databases ... [that] can determine who your relatives are. They have an extensive history of the addresses where you’ve lived and they cross-reference anybody who lived with you at those addresses at the same time period or who has a common match on a name.

 

Q. Are there other methods of finding out the mother’s maiden name?

A. Yes. The mother’s maiden name is a very common security checkoff both to institutions and to consumers, and for many years consumers have been used to giving out the maiden name as a checkoff point. I can pull a pretext where I call the customer of an institution and say that I have a potential problem with your account that I need to discuss with you. But just so I can verify that I’m speaking with the right person, what is your mother’s maiden name? And people reflexively give it out because they’re used to doing it and know it’s a checkoff point.

 

Q. What is the alternative to using the mother’s maiden name?

A. We’ve done a better job in our society of saying never give your PIN [personal identification number] to anyone. People know they’re not supposed to give that out. You’re also not going to find it in the [public record] database. If banks would use PIN numbers and/or passwords separate and distinct from the PIN numbers they use for the ATM — if possible — it would be a good way to get away from the mother’s maiden name approach.

 

Q. Is it worth the hassle?

A. It could be a substantial undertaking to begin with, but I think it’s a worthwhile investment. We know there are 500,000 to 600,000 cases of identity theft each year in the United States that we’re aware of, and that’s likely to grow. The Secret Service estimates that there’s an average loss of $17,000 per incident. And all the problems that we’re seeing are being exacerbated by the World Wide Web.

(Douglas’ new Web site, Privacytoday.com, will become active around Aug. 15. It will contain the latest techniques that pretext callers are using to obtain information.)

(Reprinted with permission of the American Bankers Association)