The Bankwatch

Tracking the consumer evolution of financial services

Javelin | Will The FFIEC Mandate Change Identity Fraud?

This is a great question asked at Javelin. The issue is the regulatory bodies' push for two-factor authentication, and what impact that will have on phishing and identity theft.

It's a good question, because it's inherently wrong for a regulatory body to define a solution (two-factor) when what they actually mean is "solve identity theft". Of course that would be too broad, but that is the real question.

It's worth noting that the FFIEC was deliberately open about the solution, mentioning only the inadequacy of single-factor authentication, but it is largely the banks' interpretation of the guidance that landed us on two-factor as the only solution.

The more important question is: Will this improvement in security reduce identity fraud in America?

Sadly, the answer is no. Most identity fraud is committed the old-fashioned way – through lost or stolen articles or what I affectionately call the ‘friends and family fraud plan.’ Yes, friends and family members committing fraudulent activities against you. Device recognition won’t stop this. In addition, of the few true online fraud cases that are taking place, well, they will just migrate to other areas (online brokerage, eBay, PayPal, MySpace, Yahoo) or modify their attacks to pick off weaker banks and credit unions.

So while we may see decreases at a number of security-progressive FIs, little will change with respect to the number of victims and dollar amount of identity fraud in the U.S.

Source: Javelin Strategy and Research » Will The FFIEC Mandate Change Identity Fraud?

One thing we know is that the criminals are smart and resourceful. No matter what protective controls are implemented, they will continue to pursue identity theft at the weakest link. Referring to Javelin's notes above, and what they call the friends and family plan, this is a good example of why the FFIEC is wrong to regulate a solution: a device-recognition or two-factor control at the login page does nothing about a relative who reads the paper statement that arrives in the mail. If you wanted to present a solution for that, it should be e-statements, to eliminate mail to the home.

Anyhow, and despite all that, the effort to implement two-factor will at least help banks, even if it migrates some fraud to other, easier avenues.


Written by Colin Henderson

October 21, 2006 at 16:08

2 Responses


  1. Found this service called MyPW. It's a one-time password (OTP) token service that is about 10x cheaper than SecurID, and I was able to get it working with my software within a couple of hours.

    You should check it out at

    I bet banks would love it because that same token works anywhere that MyPW is also used so you only need to carry one token.


    November 28, 2006 at 23:43

  2. The fact that the same token can be reused across different sites is more a liability than a feature. This makes unwanted capture of a one-time password, and its reuse for an unwanted purpose, more probable.

    As an alternative to MyPW, you may have a look at kerpass ( ); their approach allows a Java-enabled mobile phone to be used as a security token. In addition to one-time passwords, they will soon allow for on-phone electronic signature.


    December 2, 2006 at 06:21
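The second comment argues that one OTP token accepted at many sites is a liability rather than a feature. The following Python is an added example written for this page; it is not code from the original post, from either commenter, or from MyPW or Kerpass. It models the argument with standard RFC 4226 HOTP / RFC 6238 TOTP: two constructed relying parties, "bank" and "broker", either enrol the same token seed or separate seeds, and an attacker who captured the code the user typed at the bank replays it at both sites. The seed (the RFC 4226 test-vector seed), the fixed timestamp and the service names are assumptions for illustration only.

```python
import hashlib
import hmac
import struct

# Assumptions for illustration only: the RFC 4226 test-vector seed as the
# user's token seed, a fixed timestamp so the run is deterministic, and two
# constructed relying parties named "bank" and "broker".
TOKEN_SEED = b"12345678901234567890"
BROKER_OWN_SEED = b"broker-specific-seed-0123456"
LOGIN_TIME = 1_161_446_880  # seconds since the epoch; a multiple of 30
TIME_STEP = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from wall-clock time."""
    return hotp(secret, at // step)


class Service:
    """A relying party holding the seed of the token it accepts. It rejects a
    code whose time step it has already accepted (per-service replay
    protection), which is all a single site can do on its own."""

    def __init__(self, name: str, seed: bytes) -> None:
        self.name = name
        self.seed = seed
        self.accepted_steps = set()

    def verify(self, code: str, at: int) -> bool:
        step = at // TIME_STEP
        if step in self.accepted_steps:
            return False  # replay within the same time step at this service
        if not hmac.compare_digest(totp(self.seed, at), code):
            return False
        self.accepted_steps.add(step)
        return True


def replay_across_sites(shared_token: bool) -> dict:
    """Constructed scenario: the user logs in at the bank with the code shown
    on the token; an attacker who captured that code (phishing page, shoulder
    surfing, keylogger) replays it at the bank and then at the broker."""
    bank = Service("bank", TOKEN_SEED)
    broker = Service("broker", TOKEN_SEED if shared_token else BROKER_OWN_SEED)

    code_on_token = totp(TOKEN_SEED, LOGIN_TIME)
    return {
        "user_login_at_bank": bank.verify(code_on_token, LOGIN_TIME),
        "replay_at_bank": bank.verify(code_on_token, LOGIN_TIME + 5),
        "replay_at_broker": broker.verify(code_on_token, LOGIN_TIME + 10),
    }


if __name__ == "__main__":
    for shared in (True, False):
        label = "shared token" if shared else "per-site token"
        print(label, replay_across_sites(shared))
```

With the shared seed the bank's own replay check stops the second use at the bank, but the broker has never seen that time step and accepts the captured code; with a per-site seed the same code is simply wrong at the broker. A central validation service that answers "is this code valid for this token?" for many sites has the same property unless it also binds each accepted code to the relying party that asked. A signature computed on the phone over the transaction details, which the comment mentions, is the stronger fix because it ties the credential to one site and one action rather than to a 30-second window.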
