Home / Crime / There is no such thing as identity theft

There is no such thing as identity theft

So I just had a meeting with a couple of heavyweights in the cybersecurity field.

These guys are bank defenders, and very good at their jobs.

Their mission: to keep cyberattacks to an acceptable level.

Acceptable is a few basis points of total credit, let’s say under 0.7%.


But it’s getting harder every day, when attacks come from all levels.

They therefore issue tokens, keys and software to make sure that customers are protected.

The only thing is that the tokens, keys and software aren’t liked by most customers as they are unwieldy, difficult to use and hard to remember.

Why is that?

Because most bank systems were built for the branch era, when the internet was just a wee idea in the back of someone’s head.

Now that all this crap is out there offering remote access that’s convenient, it’s creating a real headache for everyone.

So the result is an overlay of bulky security processes that no-one likes, but the sticking plaster works (albeit with effort).

Then we get into a dialogue about how security has changed as, just a few years ago, 80% of the threat was from physical attack and 20% virtual; now it’s switcheroo’d with 80% remote and 20% direct, ignoring the internal attacks of course.

This is well illustrated by the latest stats from Symantec, who announced that there were over 5.5 billion malicious attacks on systems last year – an increase of 81% – with over 403 million different versions of 'malware' out there.

Times are hard.

We got into a chat about the fact that, with so many events that could compromise out there, how do you protect the bank.

They said that they knew the bank would get compromised on an irregular basis – you cannot predict every attack – but it depends on what the attack is and how you handle it.

A denial of service attack that brings down the website is far easier to deal with than one that compromises customer data or funds.

Equally, the key for the bank is not the compromise risk but the reputational risk: get hacked once, and no-one hears about it is far more desirable than get hacked and customers know about it.  Even worse, if you get hacked more than once and customers know about it.

True, true.

So it’s all about minimising risk, managing compromises and ensuring everything is kept at a nice level below the eyeline of the client.

I finished the chat by asking why it was that we no longer hear much about identity theft anymore, as that was a big topic just a few years ago.

“Oh that”, they said, “that’s those darned yanks stirring up the pot”.


“There is no such thing as identity theft”, they said.


“The yanks call everything identity theft, whether it’s a card not present card issue for a singular transaction or an account takeover”.


“So we only refer to account takeover as identity theft, which is when someone gets hold of the bank access of a customer and uses that for their own purposes.”


“And that’s where the issue arises”, they said.


“Well, if we have a totally new customer to the bank, never seen before, we have three groups who start to look at the customer onboarding: risk, compliance and security:

  • Risk are typically looking at whether the person is bankable and appropriate to the account offer (credit and market risk);
  • Compliance are looking to ensure that all the regulatory tick boxes are ticked (AML, KYC); and
  • Security are trying to ensure that the person is not setting off security alarms when they are onboarded (fraud, cybercrime, terrorism, etc).”


“And the challenge is to make sure that all three groups work in tandem, as often the cogs can be out of kilter.”

Oh dear.

I guess that tells you why cybercrime, bank security and all the layers of keys, tokens and passwords, AML and KYC processes are so darned annoying but necessary.

C’est la vie.

Roll on biometrics.




About Chris M Skinner

Chris M Skinner
Chris Skinner is best known as an independent commentator on the financial markets through his blog, the Finanser.com, as author of the bestselling book Digital Bank, and Chair of the European networking forum the Financial Services Club. He has been voted one of the most influential people in banking by The Financial Brand (as well as one of the best blogs), a FinTech Titan (Next Bank), one of the Fintech Leaders you need to follow (City AM, Deluxe and Jax Finance), as well as one of the Top 40 most influential people in financial technology by the Wall Street Journal’s Financial News. To learn more click here...

Check Also


URGENT: Open this attachment or your account will be suspended

I wake up today with the usual massive dump of emails, two of which looked …

One comment

  1. Even with layers of rigorous protection, fraudsters can still find relatively simple ways to bypass security measures. I recently attended an industry presentation on fraud and summed up the key points in a blog post, “Your Data is Not as Safe as You Think It Is”:
    Additionally, like you mentioned, there is a distinction between account takeover and identity theft. You also briefly touched on one more group that we cannot forget–fraudsters who apply for credit under another person’s name. This group has reduced true theft because they can buy fabricated identities online–complete with social security number, banking history, and address–and use this to appear like a legitimate, responsible consumer. This kind of fraud is appealing because it is cheaper and less likely to result in jail time than account takeover and identity theft. Once the fraudster has been approved for credit under the false identity, they use the accounts then simply do not pay back the funds. These are less likely to be caught at first because they are not directly affecting another person’s account, like during identity theft.

Click on a tab to select how you'd like to leave your comment

Leave a Reply

Your email address will not be published. Required fields are marked *