HSBC Is The Most Identity-Theft Prone Bank

If you’re a customer with Bank of America or HSBC, you’re more likely to be a victim of identity theft, according to a new report. Chris Hoofnagle, a senior fellow at the Berkeley Center for Law and Technology at the University of California at Berkeley, compiled a list of all the banks mentioned in identity theft complaints filed with the FTC for January, March and September of 2006. Bigger banks obviously have more incidents, so Hoofnagle factored in their total number of deposits.”I’ve been working for years to try to spark a market, a true market, for competition on preventing fraud,” Hoofnagle told the NYT. “Some of these institutions have attempted to compete based on advertisements, but I’m a real believer in the idea that if you give consumers information, they can make better decisions.” This is only a fraction of the banks included, showing the worst offenders. Full graphs, inside…

It should be noted that the conclusions are less than perfect. What would be ideal is if the number of incidents were ranked by the number of accounts at the bank, not the total number of deposits. However, banks closely guard the number of their depositors and so for now, this is the best we have.incidentspermonth.jpgestimatedannual.jpgTAKEAWAY: HSBC, Bank of America: not safe. ING: safe.


Edit Your Comment

  1. Nakko says:

    Oh dammit. I have an account with them.

  2. Nakko says:

    I have a loan through them… not a big one. Better pay it off fast!

  3. Aphex242 says:

    …looks like Providian/WaMu is right up there too.

  4. TPK says:

    Does this say more about the banks, or their customers?

  5. B says:

    @TPK: The banks. Banks with good, solid security and identity theft prevention procedures that the employees actually follow can do a lot more to prevent identity theft than an individual customer can.

  6. Illusio26 says:

    Super. The 2 banks I bank with. Now I REALLY wish bank of america didn’t buy out LaSalle bank.

  7. MissTic says:

    Lovely! Looks like I’m biting the bullet and switching.

  8. punkrawka says:

    @B: That’s true for true identity theft, but in the author’s abstract he indicates that he’s including credit card theft and other things that the banks can’t do anything to prevent.

  9. noi56u says:

    Not to take the side of banks, but 21 incidents per Billion in deposits is not exactly a large number. I think the first graph actually skews the data by not having a truly representative x/y axis setup…

    Like my Stats 120 prof would say – you can make graphs show whatever you want.

  10. Fatty Shcock says:

    See, this is why I’m sticking to my local credit union. Booyah!

  11. CuriousO says:

    WACHOVIA Rules!!!!

  12. Tank says:

    At least HSBC can say they’re #1 for something.

  13. B says:

    @punkrawka: There are lots of things banks can do to prevent credit card theft. Like, for example, not allowing purchases to be made with non-activated cards.

  14. savvy999 says:

    Rate per $ in deposits? That’s absurdly uncorrelated to safety. Just because one institution has a more literally ‘in the bank’ than another– thus driving down its rate– doesn’t make sense.

    How about theft incident rate per #s of customers. That’s the true measure of relative safety for you as a depositor.


    Bank A has 1000 customers with total deposits of $100Bn
    Bank B has 500 customers with total deposits of $100Bn

    If Bank A has 10 incidents and Bank B has 20, by this study bank B is more ‘dangerous’, but I’d rather keep my money in Bank A– the chance of me getting ripped off because of some institutional safety flaw is 10/1000 not 20/500.

  15. bobert says:

    It’s not clear in the Consumerist article what this is measuring.

    In the original paper, it’s the number of complaints the FTC got from consumers saying that, at X institution, somebody either opened a bogus account in their name, or hijacked an existing account.

    It would be tempting to say this is an indication that these institutions are lax in checking the ID of people futzing with accounts. But in the case of hijackings, it could be the consumer gave all the necessary information in a phishing scam, and it’s not the institution’s fault at all.

    Since BofA is big and famous, their bad rating could just be because phishers impersonate them more. If this is the case, it would mean you can avoid getting phished by not banking at BofA. (I’ve gotten phishing attempts using banks I have nothing to do with…)

    Since the FTC info doesn’t break this out, there’s no way to know how much of this is because the institutions are too lax, and how much is because the consumers are chumps.

  16. vex says:

    Woohoo ING!

  17. moore850 says:

    @Nakko: Now I have your account with them too! heh heh, just kidding, but I guess some people are having that experience… how insecure could a bank be to accept a loan without checking who it’s for? Isn’t that a huge liability for them?

  18. rmz says:

    Who is Suntrust Bank?

  19. JohnMc says:

    I am with Savvy999 here, Ben needs to take a stats class. I am not disputing the reporting only the application. incidents per deposit have no correlation. You could have 5 depositors with with $5b apiece and 99,995 other with $1000. Raw numbers by chance will say more of the $1000 depositors will have incidents.

    The relevant number best I can tell is the number of complaints. Which would put MBNA on the masthead not HSBC.

  20. krom says:

    That data is already stale, and for BoA is likely inflated by that one incident in the Northeast that year.

    Question one is: how did BoA handle that incident? How many customers had permanent negative outcomes?

    2006 is also before BoA implemented picture cards and their new online security-picture login system.

  21. jeff says:

    E*trade isn’t on there. So who knows about that. But as far as money being stolen. If the bank replaces the money quick, then I would not worry. But from the previous story’s its taking way to long.

  22. forgottenpassword says:

    And to think I almost opened up a high-yield savings account with them a while back. Glad I didnt.

  23. UpsetPanda says:

    I know these are all national banks, but I’ve never even heard of comerica or regions or lasalle. Are they just smaller than banks such as BoA? If so, it might make sense as to why they report fewer incidents. I know it’s by the billion, but they might break 1 billion whereas BoA routinely carries billions in transactions.


    I didn’t actually read this post, but wanted to share that HSBC actually processed fradulent purchases on my CLOSED account.

    I guess they just hope that whatever ends up on there, you won’t notice, and you’ll just blindly pay back what you think you owe…

  25. rhombopteryx says:

    @JohnMc & Savvy99:
    As Ben (and TFA) sez:

    What would be ideal is if the number of incidents were ranked by the number of accounts at the bank, not the total number of deposits. However, banks closely guard the number of their depositors and so for now, this is the best we have.

    As in, “we don’t have the best measure because the banks play ‘hide the ball,’ so we’ll use the second best measure.”
    Saying who has the most incidents is meaningless on its own. What’s best is incidents/account, and incidents/$$$ is a better approximation than just “incidents.” Just “incidents” means the biggest bank is always #1, even if it’s 5x safer than a smaller bank with 1/10th the customers.

  26. sleze69 says:

    I love quoting Bob Schram: “There are lies, there are damn lies, and there are statistics.”

  27. jaydez says:

    I always wondered why when I was a B of A customer they would try to sell me identity theft protection EVERY TIME I SIGNED IN. I’m glad I dumped them.

    I’m also proud to say I’m a long term (11 years)Wachovia customer with ZERO complaints.

  28. HaloZero says:

    I think you can’t just assume this is all from the handling of the bank. I mean Bank of America and ING have different customer bases, and that might affect the outcome of their banks.

  29. Chris H says:

    All, I’m the author of the report (and a consumerist fan). Most of the methods problems identified in the comment thread are explained in the paper, under a heading called “challenges in measuring frequency and rates of fraud.” Here are the big ones:

    1) Relying on consumer complaints results in undercounting, because not all consumers file complaints. This report samples from 46,262 events, so it’s safe to say that it is representative.

    2) There is no publicly-available, reliable measure of # of accounts or # of customers.

  30. ebm says:

    I’d say the statistics are skewed to say the least. If credit card fraud is included, that may very well be a major reason Bank of America’s number is so high. Most people are not aware that Bank of America (aka FIA Card Services) services many other credit cards other than cards under the name Bank of America or MBNA. Quick example, Wachovia credit cards. You may be able to access your Wachovia credit card through Wachovia’s online banking but it’s not actually serviced through Wachovia.

  31. Ragman says:

    Cingular/AT&T concerns me – I am a Cingular customer, so now I can’t use my secure single use credit card numbers . They get checked as AT&T, but charge through as Cingular, then get denied b/c it’s a different company charging.

  32. Skankingmike says:

    I have to say that Wachovia and CITI were both extremely nice and helpful when it came to Identity theft.

    Wachovia helped me out twice.

    both times it was my Check card (which is where i keep 99% of my money yes i know it’s bad)

    They were extremely helpful and credited my account at the moment of my call.

    The first time was internet (2000) and the second time was at a gas station, living in NJ you can’t pump your own gas, so some places still use old school pumps where they take your card and to the office and swipe it on their computer.. well they made a copy of my card with carbon paper, then bought stuff in Brazil with it .. i know weird.

  33. freedom69 says:

    @RGISMYFAVORITECANADIANMORMON: if the account was closed then how did that happen. The activity probably happened before hand use common sense before you speak stupid if its closed that is not POSSIBLE you thought if was closed because you did not use it or you requested it to be. Next time confirm with written paperwork. DUH