Feb. 29, 2008 at 8:00 AM ET
Who's to blame for the ID theft epidemic? Surprisingly, given all the attention the subject receives, we know strikingly little about the root causes of the problem. ID theft is often called the fastest-growing crime in America, but there's precious little research into which companies have the worst security measures and which suffer the most data leaks.
Researcher Chris Hoofnagle thinks it's high time we started pointing fingers.
Hoofnagle recently undertook a laborious task: He scoured thousands of ID theft complaints filed with the Federal Trade Commission, looking for company names. His simple question: How often do people tell the FTC that their accounts or information have been stolen from particular companies, and which companies are named most often?
The answer to his query is Bank of America, which averaged 1,117 complaints in the three months he surveyed. Two cell phone companies -- AT&T Wireless and Sprint -- were second and third on the list.
Since BofA is America's biggest bank, and an obvious target for fraud, it's no surprise that it ranked high on the list. Ditto for the large cell phone firms. In fact, Hoofnagle freely admits that his results need to be taken with a big grain of salt.
"The results suffer from a lot of weaknesses," Hoofnagle said. "But it's a start."
Because the data is self-reported, it's likely full of mistakes, he conceded. Also, just because a consumer says their Bank of America account was compromised does not mean the crime began with the bank. It could have started when the customer filled out a phishing e-mail, for example. And it's not fair to compare banks of different sizes, because largest banks would naturally be expected to be named more often.
Hoofnagle tried to normalize the data in a variety of ways, to account for the varying size of the institutions. Eventually he settled on comparing only banks by using total deposits and dividing the number of incidents by a dollar amount.
From another angle, HSBC is No. 1
Even using that trick, Bank of America still ranked high – no. 2 on the list -- with 17 incidents per $1 billion. But using that formula, HSBC ranked first, with 21 incidents per $1 billion.
Betty Reiss of Bank of America said the firm hadn't yet fully analyzed the study, but she pointed to its high potential for errors.
"We take identity theft very seriously, and we provide consumers with tools to fight it," she said.
HSBC declined to be interviewed for this story, but it did issue a statement to MSNBC.com criticizing the study’s methodology.
“We can say that customer protection around identity theft is of paramount importance to HSBC. We take fraud of any kind very seriously,” the statement read. “We have a range of robust fraud detection and monitoring systems in place for the early identification and prevention of fraud to protect our customers and their accounts.”
One could criticize Hoofnagle's list as being basically a list of America's largest companies. As such, perhaps it isn’t very useful.
But it’s not because Hoofnagle didn't try. A year ago, he began a campaign to get banks to disclose more information about fraud and security. Banks "wouldn't engage on the issue" he said.
Hoofnagle released the study partly in an attempt to goad banks into releasing more data. Consumers have a right to know about fraud rates at banks, he said, because without this information they can't make intelligent decisions about their financial institutions.
"Currently the issue is mediated by commercials, with banks portraying themselves as being more effective against ID theft than other banks," he said. "But none of that is based in reality. It's all based on public relations. And that's not fair to consumers."
Hoofnagle, who is a senior fellow with the Center for Law & Technology at UC-Berkeley, says his goal is to create a real marketplace for identity theft protection.
"I think the disclosure of these problems will drive some competition among banks," he said.
Consumers 'flying in the dark'
Avivah Litan, a researcher with consulting firm Gartner, is equally frustrated by the lack of fraud information from banks. In the past, she has released studies that estimate the losses from identity theft and phishing based on consumer telephone surveys -- another attempt to read the tea leaves of fraud in the absence of real data.
"(Hoofnagle) is frustrated as any researcher or policy influencer would be,” she said. “You can't get any data out of the banks. And consumers are flying in the dark right now."
Other results from Hoofnagle’s survey:
• Small credit unions barely register in the FTC data, suggesting credit union customers might be at a lower risk of identity theft.
• While great attention is paid to bank ID fraud, wireless firms also suffer from high fraud rates. According to the FTC data, 8 percent of all new account fraud involved telecommunications firms. That's an area which deserves added attention, Hoofnagle said.
• Many consumers blame collection agencies for their bouts with ID theft, probably because often their first indication of the crime is a call from an agency. The AFNI Inc. collection agency cracked the top 20 companies in the FTC data, receiving more complaints than eBay or PayPal. To Hoofnagle, that represents an opportunity. "The collection agencies could act as an early warning sign for identity theft," he said.