Identity Theft: A Personal Risk Management Approach (Part 1)
July 2005
Identity theft is the fastest growing crime
in the United States, according to the Federal Trade Commission (FTC). The odds
of having an identity stolen are comparable to having a piece of personal property
stolen—pretty amazing for a crime that was nearly nonexistent in the late 1970s.
This crime has grown so rapidly that nearly every person in the United States
has experienced some type of identity theft or personally knows an identity
theft victim.
by Robin Olson
IRMI
This challenge facing individuals and families needs to be tackled with a
comprehensive personal risk management approach. Risk management is, by definition,
a system for treating pure risk—identification and analysis of exposures, selection
of appropriate risk management techniques to handle exposures, implementation
of chosen techniques, and monitoring results.
A key step in this process is to define and analyze the loss exposure. Identity
theft or fraud generally involves the taking of another's identity. Why? There
are many reasons, such as to use the other person's credit or to hide the perpetrator's
own identity. This first step also involves a close examination of a person's
loss exposure level. For example, a person with numerous credit cards has a
higher loss exposure than a person with only one credit card. Reviewing the
multiple ways that identity theft occurs also facilitates the analysis of the
exposure.
There is no consensus among law enforcement agencies, governmental bodies,
banks, insurance companies, and security professionals concerning this burgeoning
problem. Reviewing this issue from various angles with a risk management approach
is essential in developing solutions. This article focuses on the identification
and analysis of the identity theft loss exposure. Part two will deal with risk
control techniques, and part three will discuss available insurance and protection
plans, current laws, and the need for reform.
Identifying and Analyzing the Identity Theft Loss Exposure
Not only is identity theft the fastest growing crime in the United States,
it is one of the fastest changing as well. Criminals keep developing new ways
to steal an innocent person's identity.
Statistics
The FTC conducted a 5-year study revealing that approximately 27.3 million
Americans experienced identity theft during this timeframe. Javelin Strategy
and Research published a survey in 2005 indicating that within the last 12 months,
9.3 million American adults were victims of identity fraud, resulting in an
annual cost to the individuals, businesses, and government of $52.6 billion.
Another FTC study published in 2005 indicated a 52 percent increase in the
number of identity thefts reported to this agency between 2002 and 2004. Credit
card, phone, and bank fraud were some of the most common complaints. The percentage
of complaints about electronic fund transfer-related identity theft more than
doubled between 2002 and 2004. According to the FTC survey, victims reported
$5 billion in annual out-of-pocket expenses. The survey also indicated that
individual victims lost an average of $1,280 in identity theft cases. Sixty-seven
percent of these victims reported that existing credit card accounts were misused,
and 19 percent reported abuse of checking or savings accounts.
In July 2005, the Chubb Group of Insurance Companies released the results
of its survey of 1,850 Americans, revealing that 20 percent of respondents had
been victims of identity theft. Ninety-five percent reported being concerned
about the possibility that someone might fraudulently impersonate them to ruin
their credit, a statistic that rose almost 20 percent from 2000. In addition,
87 percent believe companies fail to adequately protect their customers' confidential
information and should be required to pay to restore consumers' credit ratings.
According to a study conducted by the Identity Theft Resource Center, fraudulent
charges now average more than $90,000 per name used, and the average time victims
spend to clear their name is approximately 600 hours, a 250 percent increase
over previous studies. In addition, victims may be unable to get jobs, buy houses,
or obtain passports until the problem is resolved.
The FTC survey revealed that 51 percent of the victims knew how their personal
information was obtained. Nearly 25 percent claimed that the identity theft
involved lost or stolen credit cards, checkbooks, or social security cards.
Many of these incidents, over 400,000 in one year alone, involved stolen mail.
According to the Social Security Administration (SSA) Inspector General's analysis
of their Fraud Hotline data, more than 80 percent of SSN misuse allegations
arose from identity theft.
In a June 6, 2005, Dallas Morning News article, Privacy Rights Clearinghouse Director Beth Givens said that this crime
has grown so rapidly that it now "passes the someone-you-know test." She indicates
that "most people have been a victim or know somebody who has been a victim."
These studies indicate a crime that is spinning out of control. One of the
key reasons behind this disturbing phenomenon is the stunning growth of information
technology. Computers allow immediate access to records and information from
a remote location. So, not only is more data available faster, but the crime
can often be committed by anyone with a home computer and the thief is unlikely
to be caught. The Gartner Group, a research organization, speculates that fewer
than 1 in 700 identity crimes lead to a conviction.
Technology has clearly eliminated, to a large extent, an individual's privacy.
Consider, for example, that over 600 U.S. insurance companies can access a person's
medical records via a central database.
Loss Exposure Assessment
An individual's exposure to identity theft must be assessed to be properly
handled. Individuals who allow numerous people access to their homes, such as
housekeepers, gardeners, security personnel, and nannies, are particularly susceptible.
Those who spend hours on the computer are also vulnerable, particularly young
adults and teens who are more likely to divulge personal information over the
Web. Business Week reported that one Web
site designed for college students, with over 2.5 million users from 650 schools,
posted personal information including the students' full names, hometowns, and
class schedules. In fact, 35 percent of members even listed their cell numbers,
which thieves can use in lieu of Social Security numbers to access personal
records.
Senior citizens are also at higher risk. Numerous cases involve elderly and
incapacitated persons victimized by caretakers, who are often members of their
own family. One study [Welsh] indicated that a family member is the perpetrator
of approximately 10 percent of all identity thefts. This same research also
indicated that people in large cities are at greater risk. Also, having a common
name can add to a person's vulnerability. People with family names such as Smith,
Williams, and Johnson and those with common first names are at greater risk.
Types of Identity Theft
There are several ways to categorize identity theft. According to the Identity
Theft Resource Center, there are three major types of identity theft.
- Financial—involves the criminal's use of personal information, such
as an SSN, to establish new credit lines in the victim's name.
- Criminal—occurs when a thief gives the victim's personal identifying
information rather than the thief's own information to law enforcement personnel.
This event often results in major legal and criminal problems for the unsuspecting
victim.
- Identity cloning—using the victim's information to establish a new persona
for the thief. Identity cloning can also include financial and criminal
identity theft.
In contrast, the Better Business Bureau delineates the types of identity
theft based on what is stolen. These types include the following.
- Social Security Number (SSN)—this identifier is the most important piece
of an individual's personal information because the SSN is the primary number
for tracking and monitoring employment, tax reporting, and credit history.
- Credit cards—thieves steal credit cards in many ways, ranging from the
stealing of a wallet to illegally gaining computer access to an unprotected
card number.
- Check fraud—thieves can drain a person's checking account by stealing
checks and forging the victim's signature or by developing counterfeit checks
using a home computer and a state-of-the-art printer.
- Cellular telephone service—criminals can establish cellular telephone
service in the victim's name and make unauthorized calls that appear to
emanate from, and are charged to, that person's cell phone.
Methods Used
Criminals use a variety of methods to steal identities. Contrary to popular
belief, the majority of identity crimes are not performed by computer pros.
Instead, low tech methods are used. Some of the most common methods include
the following.
- Theft of a wallet or purse—access to a checkbook alone can provide a
competent thief with the means to acquire driver's licenses and birth certificates,
even without having the victims' SSNs.
- Shoulder surfing—involves looking over a person's shoulder to see his/her
phone credit card number and PIN, for example. More sophisticated versions
utilize a video camera with a zoom lens to record the punching of the numbers.
This is commonly done in public places, such as train stations, and around ATMs.
- Postal theft—Many house mailboxes contain small red flags that, when
raised, tell the postal worker that there is outgoing mail. They also serve
as a dangerous invitation to criminals to abscond with the victim's mail.
Thieves often look for the unsuspecting person's written checks and then
perform a process known as "check washing," where the name of the payee
and the check amount are removed and the check rewritten to the thief. Incoming
mail to standard residential mailboxes is also at risk, since thieves can
steal boxes of checks and credit card bills. These types of records allow
criminals to easily gain control over a person's accounts and assume his
or her identity.
- Dumpster diving—involves a criminal foraging through trash bins and
dumpsters looking for unshredded credit card and loan applications, canceled
checks, and documents containing SSNs. Simply changing the address on a
credit card application can result in a treasure trove for the thief
and often takes weeks or months for the unsuspecting individual to realize
what happened.
- Skimming—criminals may utilize skimmers, which are devices that read
the magnetized strip from a credit card or bank card for account numbers,
balances, and verification codes. The thief, such as a sales clerk or waitperson,
first reads the credit card through the regular card reader and then through
the skimmer without the customer's knowledge. This data is later downloaded
onto the thief's personal computer.
- Accessing computer records—Personal identification information is increasingly
accessible through the Internet as more people conduct transactions via
computer. Internet-based companies do not always properly secure or encrypt
this vital information. In many cases, dishonest employees gain access to
this information for illegal purposes, especially employees of financial
institutions.
"Hacking" is also becoming a more common technique used to commit identity
theft. A hacker can easily slip by security and password barriers to access
a server where all types of personal information can be copied. On June 18,
2005, MasterCard International reported that more than 40 million credit card
accounts of all brands were exposed to fraud through a computer security breach,
perhaps the largest case of stolen consumer data at that time. According to
the Privacy Rights Clearinghouse, other companies and universities have exposed
personal information about clients or students to thieves. Some of the breach
incidents besides hacking include lost backup tapes, compromised passwords,
stolen laptops and desktop computers, and dishonest insider actions. The Dallas Morning News reported that during
the first half of 2005, nearly 50 companies or universities announced cases
of mass exposure of financial information, resulting in an estimated 50 million
identities compromised. This stolen information is then often sold.
"Phishing" is a more recent phenomenon in the cyber crime arena. With this
scam, identity thieves attempt to make Internet users believe they are receiving
legitimate e-mails or are connected to a secure Web site when in fact they are
not. Bank customers are frequent targets. The latest phishing mutation, "pharming,"
is an even greater threat. Pharming is basically domain spoofing, where a bogus
Web site looks like a legitimate one. Accessed from e-mail or a fake link, these
counterfeit sites request identification information which the unsuspecting
victim enters believing it to be safe.
And finally, one of the most common—but commonly overlooked—identity theft
villains is a member of the victim's own family. Dishonest family members rely
on the premise that they will not get caught, and if they do, they believe the
affected family member will not press charges. In many cases, this is a correct
assumption. Tragically, these thieves often steal the identity or financial
information from the most vulnerable in their families, such as elderly parents
or grandparents.
Part 2 of this article appeared in August, and Part 3 will be published in September.
References
Allen, George B. The Fraud Identification
Handbook. 1st ed. Highlands Ranch, Colorado: Preventive Press, 1999,
p. 57.
Arata, Michael. Preventing Identity Theft
for Dummies. Hoboken, New Jersey: Wiley Publishing, 2004, p. 107.
Augstums, Ieva. "Demand for Stolen Data Puts Risk in Every Swipe." Dallas Morning News, June 23, 2005: 1A,
2A.
Better Business Bureau. Identity Theft.
2004. Available from URL: www.bbb.org [June 18, 2005].
Beucke, Dan and Jessica Thacher. "The Young are Wide Open for Cyber Thieves." Business Week, no. 3935 (May 30, 2005).
Claimsguide.com. "Survey: One in Five Americans Have Been Victims of Identity
Fraud." July 2005. Available from URL: http://www.claimsguides.com [July 11, 2005].
Dash, Eric and Tom Zeller Jr. "Millions of Credit Cards at Risk of Fraud." New York Times, June 18, 2005: 1A.
Federal Trade Commission. "FTC Releases Survey of Identity Theft in U.S.
27.3 Million Victims in Past 5 Years, Billions in Losses for Businesses and
Consumers." Sept. 2003. Available from URL: http://www.ftc.gov [June 12, 2005].
Federal Trade Commission. National and State
Trends in Fraud and Identity Theft: January-December, 2004. Feb. 2005.
Available from URL: http://www.consumer.gov [June 12, 2005].
Frank, Mari J. From Victim to Victor.
Laguna Niguel, California: Porpoise Press, 1998.
Garmhausen, Steve. "As Phishers Refocus, Small Banks Regroup." American Banker 170 (May 3, 2005): 84.
Harrison, Crayton. "By Hooks or Crooks." Dallas
Morning News, June 6, 2005: 1D.
Identity Theft Resource Center. Identity Theft:
The Aftermath 2003. Sept. 2003. Available from URL: http://www.ospirg.org [June 15, 2005].
International Risk Management Institute.
Glossary of Insurance
and Risk Management Terms. 9th ed. Dallas, Texas: 2004.
Javelin Strategy and Research. 2005 Identity
Fraud Survey Report. Jan. 2005.
Jones, Karen. "Pharming Your Identity." PC
Magazine 24 (May 8, 2005): 20.
Levy, Steven and Brad Stone. "Grand Theft Identity." Newsweek CXLVI (July 4, 2005): 1.
Lewis, Peter. "Taking a Bite Out of Identity Theft." Fortune 151 (May 2, 2005): 9.
May, Johnny. Johnny May's Guide to Preventing
Identity Theft. Bloomfield Hills, Michigan: Security Resources Unlimited,
LLC, 2004.
Privacy Rights Clearinghouse. "Fact Sheet 17: Reducing the Risk of Identity
Theft." San Diego, California: Privacy Rights Clearinghouse, 2003.
Silver Lake Editors. Identity Theft.
1st ed. Los Angeles: Silver Lake Editors, 2004.
Weisman, Steve. 50 Ways to Protect Your Identity
and Your Credit. Upper Saddle River, New Jersey: Prentice Hall, 2005.
Welsh, Amanda. The Identity Theft Protection
Guide. New York: St. Martin's Griffin, 2004.