Schneier on Security
A blog covering security and security technology.
« Microsoft Builds In Security Bypasses |
| Encrypted VOIP Phone »
July 27, 2005
How Banks Profit from ID Theft
Wells Fargo is profiting because its customers are afraid of identity theft:
The San Francisco bank, in conjunction with marketing behemoth Trilegiant, is offering a new service called Wells Fargo Select Identity Theft Protection. For $12.99 a month, this includes daily monitoring of one's credit files and assistance in dealing with cases of fraud.
It's reprehensible that Wells Fargo doesn't offer this service for free.
Actually, that's not true. It's smart business for Wells Fargo to charge for this service. It's reprehensible that the regulatory landscape is such that Wells Fargo does not feel it's in its best interest to offer this service for free. Wells Fargo is a for-profit enterprise, and they react to the realities of the market. We need those realities to better serve the people.
Posted on July 27, 2005 at 7:42 AM
• 51 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
This sounds like my credit card company's offer for fraud protection services, to the tune of something like $50 a year. What do I get for my $50/year? Things like "no liability for fraudulent transactions", in other words nothing which isn't already guaranteed to me by law.
It's possible that this is a similar service, selling what they already do give away for free, just because some of their customers don't realize it.
I turned this offer down, but it's actually not too terrible. They would monitor your entire credit report for unusual patterns and practices, not just your WF accounts and cards.
Finally, it would be way out of character for Wells Fargo to offer any service for free, so of course it's not free.
Full Disclosure: I work for Wells Fargo
Lazarus is a mad dog when it comes to financial institutions, and his mouth foam gets particularly thick and viscous when he talks about Wells Fargo. But let that bide for a moment.
As you say, Wells Fargo is a for-profit company. Like every one of its peers it offers (re-sells actually) credit monitoring/ID theft protection service for a price. I have no insight into the details of this particular arrangement but something tells me that $12.95 isn’t exactly a cash cow. I may be wrong.
Turn that math around: For just over $.40 a day an individual can exercise a little personal responsibility and try to protect his personal information. The bank is not your mom, nor is it a babysitter. Individuals could buy this service through any number of other outlets. Odds are that they would not if the bank didn’t make it so convenient. Again, it’s the nature of the beast: we’re in business to make money.
All the incidents pointed out in the article are examples of where someone stole WF equipment with data on it, not incidents where WF was negligent in handling or processing customer data. Splitting hairs? WF locked the doors and still got robbed. ChoicePoint, Citibank, CardSystems, UPS, Iron Mountain, etc., etc. got robbed but they left the front and vault doors open. Who really deserves derision?
This is funny... So instead of taking the risk of having some of your money stolen, you ensure that you give that money to someone else... For what, for nothing... they do not seem to garantee you anything and will not probably not give you any stolen money back if you pay for the service!
One can easily monitor his own account daily in less than a minute.
This is not a service... this is a garanteed way of being stolen.
Given that the banks (amongst others) have largely created this situation, by going the easy route and using personal information as both an authentication and authorisation system, it seems like any protection services should come for free.
Issuing one-time-pad-like devices for authentication would solve most of this problem, and these devices could be as simple as a pad of scratch off numbers.
Anyway - the current system is untennable - the more personal information you hand to strangers - the more 'authenticated' you get.
No wonder we have a privacy and security problem.
That is what we call conflict of interest.
One of there service (anti-identity theft) depends on the poornest of the other (security).
A chance there is still law to protect the consummer, but what if it happens that it is more difficult and complicated to obtain justice than to buy the 13$ "services"...
Feel free to help me if I sound a bit confused.
Liability for fraudulent credit card purchases are the responsibility of the credit company (after the first $50), right? So, the protection you purchase from WF *should* already be provided by each individual creditor?
If so, I'll take my chances with my $50 liability.
And - I'm probably splitting hairs, but identity theft is not necessarily credit card fraud. Sure - identity theft can lead to credit card fraud, but are the services of WF really preventing identity theft?
Clarification / Correction -
In reading the article again, I notice that they don't claim the service will "prevent" identity theft - only "monitor" and "assist." Big difference between prevent and detect.
Still - it sounds like WF wants customers to pay for what they should already receive for free.
In response to those arguing that this sort of thing is worthless: I pay $9/month to Discover for their credit monitoring service and am quite satisfied with it. They don't just monitor my Discover card purchases, as it sounds like Wells Fargo isn't just monitoring one's bank account. They notify me whenever anything is done in my name that would show up on a credit report. In the past six months they've notified me that I'm being reported to live at a new address, and that somebody has financed a car and signed up for a cellular plan in my name. None of these were fraudulent, but it's nice to have someone looking out for me.
@Emmanuel Pirsch: If you could tell me how to get this kind of monitoring for free, in less than one minute a day, I'd be much obliged.
An old business strategy: create a problem, then sell the solution. Granted, Wells Fargo is (probably) not involved with identity theft itself, but I think failing to implement any basic precautions and security measures does count as creating a problem, too.
Of course, it is understandable from a business perspective that they charge for it. But then, pretty much *anything* is understandable from a business perspective as long as you make money off of it.
Every organization that defends the current wild west landscape of credit reporting (we HAVE to have instant credit! customers want it!) is involved in identity theft. They may not pull the metaphorical trigger but they spend huge amounts of time and money defending the situation that makes it possible.
I don’t disagree that firms of all types have taken the easy route WRT personal info and authentication. That everyone I know of in this industry is working towards systems that avoid this in the future is a sign of progress. It isn’t perfect and it will never be as timely as everyone wants, but this is a business, and decisions that bring in the most business have a way of trumping security (which is often viewed as an impediment to bringing in business).
$50 liability for fraudulent cc purchases is right, but that is just one cost. If someone is opening accounts in your name you may or may not be liable (at least until things get sorted out) but you will certainly be responsible for the time, effort, and cost of restoring your good name. The service offered doesn’t insulate you, but it does help make you aware of shady activity so that you can hopefully nip it in the bud.
Let’s also remember that the people visiting this site are waaaay more attuned to security and privacy issues. We can talk about OTPs and fobs and such all day but we’re licking our own ice cream cones. We’re not Joe Consumer, who thinks nothing of using the same pwd on a dozen accounts, gives away his personal information for a %10 discount on honeydew melons, and leaves his always-on Internet connection unprotected (or with AV signatures that are 18 months old). I’d be willing to bet that most will never buy the service, and most of those that do will forget they have it a week later.
Find someone who works for a bank in compu-/info-security that isn’t trying to address these problems (they’ll be scared from many battles lost, but the war isn’t over) and I’ll show you a bank you should take your money out of. . .
. . . and given the interest rates on savings accounts, you might as well stuff your cash in a mattress.
Essentially Wells Fargo is offering insurance against identity theft, therefore if you feel the risk is great enough to insure against you take out a policy....
The cost of this should not be on the consumer! Any institution that handles other peoples' money/data/whatever should be (at least partially) responsible for any misuse.
I suppose loads of people will sign up for this now out of fear, due to the 'security hype' that seems to control every aspect of American life these days.
...from a business point of view though - it's a great idea!
"$12.95 isn't exactly a cash cow"
And $8.67 to replace a card is not exactly getting bled dry, but you'd think it was if you listen to bankers complain about it.
(That $8.67 comes from "Data Breaches: Liability Fight Sharpens", American Banker, July 26, 2005)
I wonder if you are in a position to talk about the costs of this program @ Wells Fargo? Is it essentially a software program the bank runs? Did it require new staff to implement and maintain? Is this something the bank was already doing - and the notification part is really the only new thing? Is it a natural by-product of California's 1386?
Actually I would love to hear from anyone with knowledge of such programs at any financial institution. The jury's still out until we know more about the effort & costs that go into programs like this but if the costs are low enough, I do think the first one who gives this away at no added cost to the customer is going to score a big PR win!
"We’re not Joe Consumer, who thinks nothing of using the same pwd on a dozen accounts, gives away his personal information for a %10 discount on honeydew melons, and leaves his always-on Internet connection unprotected (or with AV signatures that are 18 months old)."
Right, we should all just blame the user. Those idiots will probably even be dumb enough to pay $12.99 a month for security even if it is just false hope.
Does it really matter to Wells Fargo so long as another revenue stream is able to off-set the cost of their security overhead/department? Remember how ATMs were said to reduce the overall cost of banking so they self-justified? And then, lo and behold, they added huge costs to operations which had to be offset by fees to consumers...
Maybe Wells Fargo will soon offer to charge you $1 a month to check if your shoes are untied when you come into the branch to offset the cost of insuring themselves against accidents in the lobby. Just another cost of doing business, and it's cheaper than the ATM fee, right?
Credit Card companies have been offering both free and fee-based services like this for decades and look where it has gotten them...I do not disagree that users are susceptible to being misled about security but I do not think this program sets a positive example for how to manage security in the financial industry. The biggest problem is that it does not fix the source of the problem, just creates revenue to offset operating costs, as Bruce rightly points out.
Incidentally, I find accounting and fee errors are woefully common in US banking. In fact, they are so common that customer support is often not surprised that they are asked to remove or rectify accidental charges. My worst experience with Wells Fargo was when a teller "accidentally" deposited my check into someone else's account. My second worst example was when Wells Fargo gave me an unsigned cashier's check and repeatedly assured me that it was fine. If that indicates the level of security awareness within the organization, it is no surprise that Wells Fargo is desperate for ways to recoup their escalating costs of fraud detection.
There is no way that this 'service' will not be paid by the consumer. Even if the regulators will create a situation where the bank has to do it, all the costs will go to the consumer. Why? Because the consumer pays for all of the bank's operations, the bank doesn't have any other source of income.
The only console a regulator-mandated service such as this may provide is that because it will be used for all of the banks' customers, the operational cost per customer will be lower than the exorbitant sum mentioned above.
Those that don't pay get thier info sold off or put in the public/non secure database?
Everyone, this is the same concept as insurance. You are paying out of your pocket today for the assurance that you (and your family) will be protected tomorrow.
There is nothing wrong with them providing the service. I do wish that this was provided by the government, but now that businesses are doing it, I do not see that happening.
"the bank doesn't have any other source of income"
Not true. Fees to customers certainly revenue millions for them, but they make zillions on all sorts of interest payments, investments and playing the market(s), etc.. Consider, for example, that all of the money in your account at night is invested while the markets are open overseas and then transferred back (with the profits skimmed) before your branch lets you in the door. Trust me, banks have many many ways of making boatloads of income totally independent of consumer fees.
"Everyone, this is the same concept as insurance."
True, but what is the "cause" of disaster?
If you actually bother to calculate the risk based on "threat" and "vulnerability", you should get a very different picture than with hurricanes, traffic accidents, work injuries, etc.
The threat seems to be fraud schemes mainly perpetrated by organized crime and/or perhaps even corrupt staff within the financial data companies themselves (like Wells Fargo), and the vulnerability is weak security practices by personal data management companies (like Wells Fargo)...
It looks like is time for me to seek for an another bank!
"It looks like is time for me to seek for an another bank!"
I don't think that other banks will be much better. All banks are playing on the same economic field.
"I don't think that other banks will be much better. All banks are playing on the same economic field."
Not in europe. One of the best things I did in a while was to move my bank accounts to Austria.
Bank Of America has the same type of plan. I called them to stop the service after the free period (I believe their service was $80 a year). The service rep told me of all the horrible things that would happen if someone stole my ID. And when I still refused to pay to renew he said : "I sure hope it does not happen to you!".
"In response to the OCC memo, Wells' Tunis stressed that "there continues to be no indication that customer information on the stolen computers has been misused." "
OK, it's not been misused, so obviously there's nothing wrong with the fact that it's been stolen...
Is this really insurance? Its seems like a monitoring service, not insurance, so if something goes wrong, they won't pay to make it better. I'm not sure how much assistance they will give you, but I suspect it won't be much.
Is this any different, though, than MSFT selling anti-virus software or spyware removal software?
Insurance is one thing, and may be acceptable. But being found to cause security nightmares repeatedly, and then charge to help detect such security nightmares is too much for me.
Why not just check Equifax in January, Experian in May, and Trans Union in September. This way you'll get fairly up-to-date credit reports for free, even if you open yourself up to 4-month windows before any odd thing is found.
It always amuses me when some people object to anything that someone asks money of. I got the impression it's more like an insurance, that is, if someone uses your information to commit a fraud (take a loan, order a credit card, etc.) they'll cover the costs and clean up the mess for you. If it's normal transaction monitoring (I got the impression it's not) then it's useless, as the banks already have AI programs monitoring your transactions and are liable for any fraudulent ones.
As with anything that costs money (such as an insurance) check their terms and decide if it's worth the cash.
@ Davi O
"Maybe Wells Fargo will soon offer to charge you $1 a month to check if your shoes are untied"
Your analogy is incomplete. A more accurate analogy would be:
There exists a group of thieves who prey on people who trip up, robbing them in the confusion. In full knowledge of this, Wells Fargo and other financial institutions conspire to undo your shoe laces. They do this because they know that with your laces undone you will walk past their offices more slowly and they can sell you more. As a direct result, you and millions of other people trip up and suffer robberies. The banks deny any liability. You are incensed and in surveys over 90% of you want to outlaw the banks interfering with your shoes. A responsive CA politician designs a pair of shoes that do not have laces but the banks lobby Congress to outlaw these shoes. They then try to charge you, not for retying your shoes, not for promising not to undo them again, not even for warning you that your laces are undone again, but rather for providing an incomplete witness statement for the next time you are robbed.
many banks and CRAs and other financial services organizations
have been selling these or similar
services for years ; they call
them under the names of "prevention" and "protection" turn out to be nothing more
than monitoring of credit reports and customer assistance on the phone
many other banks and CRAs and other financial services organizations and/or data brokers have been selling
these or similar services for years ; they call them under the names of "prevention" and "protection" and
IMO turn out to be nothing more
than monitoring of credit reports and customer assistance on the phone
Bryan: Wells is reselling the service Trilegiant provides. Many other banks do the same thing. I don’t know any more details other than that.
Davi: I’m not blaming the consumer; I’m pointing out the futility of folks like us thinking that we’ll just solve the world’s privacy ills by making every one read Applied Cryptography and assuming they’ll behave like us. If it were only that simple.
And while banks, schools, governments, stores, etc. all bear some responsibility here, it is ultimately up to you to look out for yourself. If someone wants to do that on their own dime and time and not cough up the $12 bucks, fair enough.
If anyone can tell me how to opt out of the credit system in the U.S., I am all ears.... Waiting....
Look, children, dead people, and family pets are subject to "identity theft." Probably all those voting sheep and graves, too. People _who don't exist_ can be used as fraudulent identities. The credit system is really, really messed up and banks desperately want it to stay that way; that's why the banks charging for Privacy Guard and other credit monitoring services are so evil. Wells Fargo isn't anything special in this regard (in fact, the degree of disclosure they've undergone makes me trust them rather _more_ than other banks, because it means that they notice when they lose the data and are being hoenst about it). But the system is evil.
"If anyone can tell me how to opt out of the credit system in the U.S., I am all ears.... Waiting...."
The only thing I can think of is to get a credit card from another country. But the exchange-conversion fees will be expensive.
"The only thing I can think of is to get a credit card from another country. But the exchange-conversion fees will be expensive."
I'm in the credit bureau files; that won't prevent someone from opening new accounts in my name.
FWIW, since Wells Fargo doesn't have access to your credit reports for free (and can't monitor them for free), I don't think it is unreasonable for them to offer this as a charged service.
Banks and credit card companies bear a large burden of responsibility for the existing identity fraud problem, but remember that the credit reporting agencies are also part of the problem, and you can't blame some subset of the financial industry for the entire overall screwed up mess.
That was excellent, btw.
Disclaimer: I work for a bank, in information security.
This is a piece of security theatre, in the parlance of Bruce.
But it's a necessary one. Why?
Okay, all banks take precautions to prevent unauthorised transactions. We've taken some innovative ones that have allowed us to reduce our fraudulent transactions to two orders of magnitude less than the European average as a percentage of transaction value.
This has not led to a concordant increase in the use of our financial instruments, such as credit cards, online direct payments or checks, even though these methods can save our users a lot of time.
We also monitor - as does every bank - patterns of use across our accounts and with the credit bureaus. This allows us to search for anomalies and investigate them more thoroughly.
The principle drivers behind the low rate of fraud have been difficult to understand technical innovations, such as chip-and-pin for credit card or 4P for online and voice verification.
Explaining why these make it safer to conduct your business conveniently is hard; although the effort has been made, understanding is slow in coming and limited to the type of people who read this blog.
Extracting the anti-fraud information relevant to a specific user account, collating the feeds from the various anti-fraud systems (we have fifteen or so), organising the print jobs, standing up the call centre to handle the calls, re-tooling our back end support process to handle individual requests pertaining to the information and paying for postage all cost something - and at £7 a month I highly doubt Wells Fargo is making much cash profit.
Where they are hoping they will make their profit - as are we - is in goodwill.
By subscribing to this service, customers will understand that, yes, we are working to keep their money safe, and here's a bit of how we do it, the bit that's easy enough for you to understand.
Once you understand that you're relatively safe, you'll use more of our services. This will allow you to save some time and cost you very little. You're better off and so are we.
Yes, everything you buy through this service we already do and more. No, we don't charge you for it. But you don't know what that is, and getting the information to you will cost us £7 a month. For a bit of value add, we'll extract what we can about accounts you hold at other institutions, so long as they share it with us.
Now, that having been said, the folks inside Wells Fargo who design services and create the business cases for never had control over marketing and didn't name the service. Some marketing weenie did that. This service is badly named. Blame marketers, who really are evil.
Wells Fargo - and every other American bank - could do more to pressure Congress to force them to adopt the European Chips and Pin standard. You, as enlightened consumers, should lobby your bank to support and industry initiative and simultaneously lobby Congress. You're about a decade behind. Good luck.
You should also lobby your bank to adopt 4P or similar authentication for your online banking.
There are additional challenges - for example, endpoint security to ensure that customers aren't trojaned or infected with a session hijacking virus, phishing attacks, protection against DDoS attacks and protection against bespoke viruses and trojans that target us.
We have solutions for all of these. Some are already silently in place. Some were solved by policy. Our customers never receive email from us, for example, and never have.
But the biggest problem for us is the customers and customer education and comfort level.
We'd love to roll out chip and pin readers that worked via USB so that you could purchase online without revealing your credit card information. We'd love to roll our a multi-platform integrity verification agent that would check your machine for trojans or man-in-the-middle attacks.
But customers dislike the inconvenience of a USB dongle and are prepared to sue us if their PC malfunctions as a result of the anti-trojan software.
The banking industries biggest challenge is now - and probably always will be - uncooperative, ill-educated customers.
Finally, if you don't like Wells Fargo's offering, don't buy it. It's voluntary.
@ some guy in Europe
Agreed; this is necessary. My objection is the legal system that permits Wells Fargo to profit from it.
I don't think there is anything you can do to try to opt out of the system unless you've already been a victim. If I have any problems, I'm going to see if I can change my fraud statement on my credit report to say that all applications are fraudulent.
Another approach I'd like to try is to take the creditors to court. I'd like to see how a civil case would go holding the companies liable as a willing participant in fraud perpetrated against me. I suspect a lot of juries could be convinced that the creditors are culpable as well. I just need someone to grant credit in my name without my permission and I'll be all set.
Bank's shouldn't charge to protect your money. But if the methods of protecting your money are sufficiently complicated and diverse that telling you about it is expensive, it's fair to ask you to pay for some of that.
It's not as if Wells Fargo doesn't protect your money if you don't buy this service, they just don't go to the considerable trouble of telling you about it.
@ some guy in Europe
"I highly doubt Wells Fargo is making much cash profit."
You doubt wrong. I worked for Wells for a long period; they don't do anything for free unless they get a huge benefit.
And they don't sell services at cost or below cost. You can't do that and be as strong as Wells
(Now, prior to being bought by Norwest, Wells did give services away (online banking), but Norwest fixed that when they bought Wells and took over.)
Much appreciated and beautifully done.
If only you had somehow tied in a marketing campaign with men sitting on a stagecoach wearing tall leather boots...
@some guy in Europe
"if the methods of protecting your money are sufficiently complicated and diverse that telling you about it is expensive, it's fair to ask you to pay for some of that"
Why? I do not follow that logic at all. What makes it so complicated to explain, how can it be so expensive to tell a consumer, and why is it fair to charge the consumer?
@ some guy in Europe
Just remember that banks are the cause of identity theft because they wants to be the feudalist of our age and translate security into their control. Here I include credit card companies as mere commercial man-in-the-middle attacks on outdated payment systems.
Control the money and you control the people.
More news on the subject...
"By failing to scan security codes in the magnetic strips on ATM and debit cards, many banks are letting thieves get away with an increasingly common fraud at a cost of several billion dollars a year. A report Tuesday from Gartner Inc., a technology analyst firm, estimates that 3 million U.S. consumers were victims of ATM and debit-card fraud in the past year."
I don't understand why anyone would pay for something that they can get for free but if someone would pay for such a service why pay $.40 per day when you can gey the same or better service for $.14 per day through MyFICO.com. In fact I believe the benefits are better with MYFICO.com, like the insurance benefit of $25,000.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.