US banks are stepping up anti-fraud controls after the data breach at credit checking group Equifax put about half the country’s population at risk of identity theft.
Executives at banks including Citigroup and Wells Fargo said customers would face new checks because of the increased risk of identity fraud, a problem that already costs an estimated $16bn a year in the US.
While many companies from Yahoo to Deloitte have been targeted in cyber raids, the attack on Equifax earlier this year is particularly worrying for banks both because of its scale and the type of information that was compromised.
Hackers stole records on as many as 146m Americans, including personal details such as social security numbers that consumer finance companies typically use to verify customers.
“You’ve got to put on some additional screening to make sure that you really are dealing with the person who they purport to be,” said John Gerspach, chief financial officer at Citigroup.
“We’ve got other techniques, and other questions we can ask that are not part of the database that’s been breached.”
Companies that provide alternative authentication technology said banks were taking more interest as a direct result of the Equifax breach.
“A lot the banks are saying it’s a lightbulb moment for them,” said Vijay Balasubramaniyan, co-founder of Pindrop, which analyses voices to prevent phone fraud. “If you look at the information that got out, it’s everything banks use to identify you.”
John Shrewsberry, chief financial officer at Wells Fargo, said “there will have to be incremental precautions” following the Equifax data loss. He added that the additional steps could “mean a little bit more inconvenience” for legitimate consumers.
Financial security professionals said it was particularly tricky for banks to confirm the identities of prospective customers applying for new accounts. Techniques to verify existing ones, such as “two-step authentication”, were also vulnerable in part because fraudsters can claim to have forgotten the passwords or lost the devices.
“That can all be bypassed by providing information such as birthday and social security number,” said Alex Heid, chief research officer at SecurityScorecard. “That’s where the core of the problem is.”
Banks are starting to gather more sophisticated data on how consumers interact with their devices — typing speed, force or accuracy, for example — to learn user behaviour and spot fraudsters.
Analysts have been quizzing banks about the impact of the Equifax hack on banks’ bottom lines as more consumers order credit freezes on their accounts, preventing companies checking financial histories.
However, executives said not enough individuals had put the restrictions in place to have much of an impact.
“While the number of locks and freezes has grown a lot [after the Equifax hack], it is still a relatively small percentage of the overall credit population,” said Citigroup’s Mr Gerspach. “So it really hasn’t had a significant impact as yet on our ability to acquire customers.”
Identity fraudsters stole $16bn from 15.4m victims in the US last year, $2m more than 2015, according to a study by Javelin Strategy & Research.