Identity Theft: A Personal Risk Management Approach (Part 1)

Identifying and Analyzing the Identity Theft Loss Exposure

Not only is identity theft the fastest growing crime in the United States, it is one of the fastest changing as well. Criminals keep developing new ways to steal an innocent person's identity.

The FTC conducted a 5-year study revealing that approximately 27.3 million Americans experienced identity theft during this timeframe. Javelin Strategy and Research published a survey in 2005 indicating that within the last 12 months, 9.3 million American adults were victims of identity fraud, resulting in an annual cost to the individuals, businesses, and government of $52.6 billion.

Another FTC study published in 2005 indicated a 52 percent increase in the number of identity thefts reported to this agency between 2002 and 2004. Credit card, phone, and bank fraud were some of the most common complaints. The percentage of complaints about electronic fund transfer-related identity theft more than doubled between 2002 and 2004. According to the FTC survey, victims reported $5 billion in annual out-of-pocket expenses. The survey also indicated that individual victims lost an average of $1,280 in identity theft cases. Sixty-seven percent of these victims reported that existing credit card accounts were misused, and 19 percent reported abuse of checking or savings accounts.

In July 2005, the Chubb Group of Insurance Companies released the results of its survey of 1,850 Americans, revealing that 20 percent of respondents had been victims of identity theft. Ninety-five percent reported being concerned about the possibility that someone might fraudulently impersonate them to ruin their credit, a statistic that rose almost 20 percent from 2000. In addition, 87 percent believe companies fail to adequately protect their customers' confidential information and should be required to pay to restore consumers' credit ratings.

According to a study conducted by the Identity Theft Resource Center, fraudulent charges now average more than $90,000 per name used, and the average time victims spend to clear their name is approximately 600 hours, a 250 percent increase over previous studies. In addition, victims may be unable to get jobs, buy houses, or obtain passports until the problem is resolved.

The FTC survey revealed that 51 percent of the victims knew how their personal information was obtained. Nearly 25 percent claimed that the identity theft involved lost or stolen credit cards, checkbooks, or social security cards. Many of these incidents, over 400,000 in one year alone, involved stolen mail. According to the Social Security Administration (SSA) Inspector General's analysis of their Fraud Hotline data, more than 80 percent of SSN misuse allegations arose from identity theft.

In a June 6, 2005, Dallas Morning News article, Privacy Rights Clearinghouse Director Beth Givens said that this crime has grown so rapidly that it now "passes the someone-you-know test." She indicates that "most people have been a victim or know somebody who has been a victim."

These studies indicate a crime that is spinning out of control. One of the key reasons behind this disturbing phenomenon is the stunning growth of information technology. Computers allow immediate access to records and information from a remote location. So, not only is more data available faster, but the crime can often be committed by anyone with a home computer and the thief is unlikely to be caught. The Gartner Group, a research organization, speculates that fewer than 1 in 700 identity crimes lead to a conviction.

Technology has clearly eliminated, to a large extent, an individual's privacy. Consider, for example, that over 600 US insurance companies can access a person's medical records via a central database.

An individual's exposure to identity theft must be assessed to be properly handled. Individuals who allow numerous people access to their homes, such as housekeepers, gardeners, security personnel, and nannies, are particularly susceptible. Those who spend hours on the computer are also vulnerable, particularly young adults and teens who are more likely to divulge personal information over the Web. Business Week reported that one website designed for college students, with over 2.5 million users from 650 schools, posted personal information including the students' full names, hometowns, and class schedules. In fact, 35 percent of members even listed their cell numbers, which thieves can use in lieu of Social Security numbers to access personal records.

Senior citizens are also at higher risk. Numerous cases involve elderly and incapacitated persons victimized by caretakers, who are often members of their own family. One study [Welsh] indicated that a family member is the perpetrator of approximately 10 percent of all identity thefts. This same research also indicated that people in large cities are at greater risk. Also, having a common name can add to a person's vulnerability. People with family names such as Smith, Williams, and Johnson and those with common first names are at greater risk.

There are several ways to categorize identity theft. According to the Identity Theft Resource Center, there are three major types of identity theft.

• Financial—involves the criminal's use of personal information, such as an SSN to establish new credit lines in the victim's name.
• Criminal—occurs when a thief gives the victim's personal identifying information rather than the thief's own information to law enforcement personnel. This event often results in major legal and criminal problems for the unsuspecting victim.
• Identity cloning—using the victim's information to establish a new persona for the thief. Identity cloning can also include financial and criminal identity theft.

In contrast, the Better Business Bureau delineates the types of identity theft based on what is stolen. These types include the following.

• Social Security Number (SSN)—this identifier is the most important piece of an individual's personal information because the SSN is the primary number for tracking and monitoring employment, tax reporting, and credit history.
• Credit cards—thieves steal credit cards in many ways, ranging from the stealing of a wallet to illegally gaining computer access to an unprotected card number.
• Check fraud—thieves can drain a person's checking account by stealing checks and forging the victim's signature or by developing counterfeit checks using a home computer and a state-of-the-art printer.
• Cellular telephone service—criminals can establish cellular telephone service in the victim's name and make unauthorized calls that appear to emanate from, and are charged to, that person's cell phone.

Criminals use a variety of methods to steal identities. Contrary to popular belief, the majority of identity crimes are not performed by computer pros. Instead, low tech methods are used. Some of the most common methods include the following.

• Theft of a wallet or purse—access to a checkbook alone can provide a competent thief with the means to acquire driver's licenses and birth certificates, even without having the victims' SSNs.
• Shoulder surfing—involves looking over a person's shoulder to see his/her phone credit card number and PIN, for example. More sophisticated versions utilize a video camera with a zoom lens to record the punching of the numbers. Commonly done in public places, such as train stations, and around ATM machines.
• Postal theft—Many house mailboxes contain small red flags that, when raised, tell the postal worker that there is outgoing mail. They also serve as a dangerous invitation to criminals to abscond with the victim's mail. Thieves often look for the unsuspecting person's written checks and then perform a process known as "check washing," where the name of the payee and the check amount are removed and the check rewritten to the thief. Incoming mail to standard residential mailboxes is also at risk, since thieves can steal boxes of checks and credit card bills. These types of records allow criminals to easily gain control over a person's accounts and assume his or her identity.
• Dumpster diving—involves a criminal foraging through trash bins and dumpsters looking for unshredded credit card and loan applications, canceled checks, and documents containing SSNs. Simply changing the address on a credit card application can result in in a treasure trove for the thief and often takes weeks or months for the unsuspecting individual to realize what happened.
• Skimming—criminals may utilize skimmers, which are devices that read the magnetized strip from a credit card or bank card for account numbers, balances, and verification codes. The thief, such as a sales clerk or waitperson, first reads the credit card through the regular card reader and then through the skimmer without the customer's knowledge. This data is later downloaded onto the thief's personal computer.
• Accessing computer records—Personal identification information is increasingly accessible through the Internet as more people conduct transactions via computer. Internet-based companies do not always properly secure or encrypt this vital information. In many cases, dishonest employees gain access to this information for illegal purposes, especially employees of financial institutions.

"Hacking" is also becoming a more common technique used to commit identity theft. A hacker can easily slip by security and password barriers to access a server where all types of personal information can be copied. On June 18, 2005, MasterCard International reported that more than 40 million credit card accounts of all brands were exposed to fraud through a computer security breach, perhaps the largest case of stolen consumer data at that time. According to the Privacy Rights Clearinghouse, other companies and universities have exposed personal information about clients or students to thieves. Some of the breach incidents besides hacking include lost backup tapes, passwords compromised, stolen laptops and desktop computers, and dishonest insider actions. The Dallas Morning News reported that during the first half of 2005, nearly 50 companies or universities announced cases of mass exposure of financial information, resulting in an estimated 50 million identities compromised. This stolen information is then often sold.

"Phishing" is a more recent phenomenon in the cyber crime arena. With this scam, identity thieves attempt to make Internet users believe they are receiving legitimate emails or are connected to a secure website when in fact they are not. Banks customers are frequent targets. The latest phishing mutation, "pharming," is an even greater threat. Pharming is basically domain spoofing, where a bogus website looks like a legitimate one. Accessed from email or a fake link, these counterfeit sites request identification information which the unsuspecting victim enters believing it to be safe.

And finally, one of the most common—but commonly overlooked—identity theft villain is a member of the victim's own family. Dishonest family members rely on the premise that they will not get caught, and if they do, they believe the affected family member will not press charges. In many cases, this is a correct assumption. Tragically, these thieves often steal the identity or financial information from the most vulnerable in their families, such as elderly parents or grandparents.

See Part 2 and Part 3 of this article.