Measuring Identity Theft at Top Banks (Version 1.0)

I’ve been AWOL from Denialism Blog because one of my UC-Berkeley projects has become all-consuming.

I’m interested in sparking a market for identity theft protection. A real one. One where consumers can actually make choices among banks based on their actual ability to address security attacks. Last year, I published Identity Theft: Making the Unknown Knowns Known (PDF), an article making a legal and policy argument in favor of mandated public disclosure of identity theft statistics by banks.

In this vein, today, I’m releasing “Measuring Identity Theft at Top Banks (Version 1.0),” my first attempt to rank the top 25 US banks according to their relative incidence of identity theft. It is based on consumer-submitted complaints to the FTC where the victim identified an institution. The data show that some institutions have a far greater incidence of identity theft than others. If you don’t want to open the PDF, check out the Times coverage and peek at this chart!



  1. I’m at work so I’m just referring to the chart here but those averages might not be quite as significant as you think. The bigger banks seem to have the most problems but if you think about it they are probably the most targeted because of their larger numbers of customers.

    To compare, look at the difference between the number of viruses for Windows computers as opposed to Apple. Windows seems to have a larger number but the biggest reason for that is because you have more users, thus, a larger chance at succeeding. I could be wrong though as I have not read the .pdf.

  2. Mr. Hoofnagle admitted as much both in the methods section and in the conclusion.

    That does not mean that the data are not valuable as the only measure available to us and perhaps the study will cause companies to start reporting this stuff rather than forcing researchers to look for back-door, imperfect measures in order to acquire the data in the first place.

    Lucky, lucky me–I have business with two of the worst offenders. I guess it pays to have crappy credit! LOL

  3. @llDayo, yes, bigger banks are probably bigger targets, but one of the interesting things about that is that in seeking to become so big (they needed regulatory changes to do this), these banks claimed that their size would help them fight fraud more efficiently.

    The measure I used–total deposits–actually makes the big banks look better than they are, because this measure includes non-consumer accounts. Big banks have huge corporate accounts that make their ratio of fraud event to deposits look better.

  4. Ah, I see now. Hopefully, I’ll get a chance to read the report at home sometime this week. Thanks for giving a quick summary! Glad I use a credit union though. They care more about their customers than the big banks do.

  5. One problem with the market approach is that you can’t always control where some of your accounts are — in particular, mortgages get bought/sold all the time. So, even in that case, even if you try to be a “smart shopper”, you can still get screwed.

  6. I was recently mailed a notice from my credit union that my debit card was probably compromised by a Merchant. The Merchant (which WAS capitalized like that) was not named. They said I could replace my debit card if I saw anything funny happening on my account. So far, nothing. So, it is not just banks – it is also the Merchants with whom you do business. Their behavior in this matter should be researched also.

  7. Hi

    It’s an interesting article, but I can’t help feel you’ve not quite pushed your paper to the logical next step, which would be to normalize the data according to the numbers of personal and business accounts held, rather than the crude “per billion” measure. A business-focussed firm like Merrill Lynch is bound to have less cases if it has less personal customers (and I’d imagine business customers are more loath to publicly report cases). Meanwhile HSBC is predictably top as one of the world’s largest personal bankers, thus attracting more attention from fraudsters.

  8. @mjrobbins,

    Unfortunately, all I had is the crude total deposits/assets metric, but since publishing a few days ago, a few new metrics became available to me. The next version of the report will employ those metrics.

    But…I’m still lacking a reliable way to count customers–the regulators do not track that, and the disclosures on the “about us” section of a bank’s website are unverifiable and not trustworthy.

  9. Jim Baerg

    Now I’m wondering if anyone is doing similar studies in other countries. Especially the one I’m living in.

  10. I’m still waiting for some data on actual costs to actual people of identity theft. Everything in the press always talks about people “at risk”, and that could mean anything. So far it seems the little brother of the Y2K scare. Anyone?
