Identity Theft

Abstract

This research paper will examine what is known about identity theft. The paper begins with defining the crime and its background, followed by a review of the patterns and incidences of identity theft. This review will include data on the extent and costs of this crime. Discussion will then focus on victims and perpetrators of identity theft. Common techniques used by identity thieves will be explored along with tips to protect consumers and businesses from having their identities stolen or data breached. Legislation in place to prevent and prosecute identity theft will be discussed. How to report identity theft is also explained.

Defining Identity Theft

The U.S. Department of Justice defines identity theft, also called identity fraud, as “all types of crime in which someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception, typically for economic gain” (U.S. Department of Justice, 2015). Identity thieves use personal data such as Social Security numbers, bank account or credit card numbers to personally profit at the victim’s expense. These breaches allow thieves to take funds out of bank accounts or in the worst cases, take over a victim’s identity completely, running up huge debts and committing crimes using the victim’s name. Victims not only suffer the out-of-pocket financial losses, but they may have to rebuild their reputation in the community due to the perpetrator’s actions (U.S. Department of Justice, 2015). Identity theft is expected to surpass traditional theft as the leading form of property crime. Security analysts state everyone should prepare to be a victim of identity theft at some time in their lives (Anderson, 2013). Identity theft is a three stage process: acquisition, use, and discovery (Office of Justice Programs, 2011). The crime can begin with a lost or stolen purse or wallet. Perhaps a data breach or the credit information was stolen during a transaction. Thieves use stolen personal data to commit medical identity theft, tax fraud, and to receive governmental benefits due the victim (Office of Justice Programs, 2011).
Background
One of the first notorious cases occurred circa 1998 (U.S. Department of Justice, 2015). A convicted felon obtained personal information and charged over $100,000 to his victim’s credit cards. He bought a home, motorcycles and guns in the victim’s name and then filed for bankruptcy (U.S. Department of Justice, 2015). In response to this case and others like it, Congress passed legislation making identity theft a federal offense with the Identity Theft and Assumption Deterrence Act (ITADA) of 1998. Since then, most states have passed their own legislation towards fighting identity fraud (U.S. Department of Justice, 2015). The Federal Government defines identity theft under three behaviors: 1) unauthorized or attempted use of existing credit cards, 2) unauthorized or attempted use of other existing accounts, for example, a checking account, and 3) unauthorized use of personal information to open new accounts, obtain loans, or to commit a crime in the victim’s name (BJS, 2006).
Data Collection on Identity Theft A number of organizations/agencies gather data in regard to identity theft. These include government agencies, nonprofit organizations, popular media sources and credit reporting companies. Data collection amongst these groups offer varying estimates as to the extent of identity theft and its costs to society (Office of Justice Programs, 2011). As a result of the Identity Theft Assumption and Deterrence Act of 1998, the Federal Trade Commission (FTC) started collecting consumer complaints involving identity theft in 1999 (BJS, 2006). Information is obtained from the victims via telephone or the FTC website and stored in a database. This database is available to all law enforcement agencies to help with identity theft cases (Office of Justice Programs, 2011). Another source of data in regard to identity theft is the Internet Crime Complaint Center (IC3). This agency is a result of collaboration between the National White Collar Crime Center and the Federal Bureau of Investigation (Office of Justice Programs, 2011). The IC3 deals with complaints related to all Internet crime, including identity theft. Information is collected on the “victim and offender by state, demographic characteristics, monetary losses, and law enforcement contact” (Office of Justice Programs, 2011). Complaints are taken directly from the alleged victim or a third party representative (Office of Justice Programs, 2011). The Federal Trade Commission’s (FTC) Consumer Sentinel Network (CSN) compiles information about identity theft and consumer fraud from the FTC and other agencies, including the Federal Bureau of Investigation, United States Secret Service, Attorney Generals Offices, and local law enforcement agencies. According to the FTC’s Consumer Sentinel Network Data Book for January – December 2013 (published in 2014), the CSN received over 2 million consumer complaints in 2013 (Federal Trade Commission, 2014).
Statistics
The Bureau of Justice Statistics (BJS) published a 2012 study on Victims of Identity Theft. The study found that approximately 16.6 million people, or 7% of all U.S. citizens 16 years of age or older, had reported one or more incidents of identity theft (BJS, 2013). Approximately 85% of reported identity theft incidents involved the fraudulent use of existing account information, such as credit card or bank account information (BJS, 2013). About 14% of identity theft victims experienced out-of-pocket losses of $1 or more, and half of those suffered losses of $100 or less. Victims who experienced the most significant financial, credit and relationship problems and severe emotional distress were those whose information was used to open a new account (BJS, 2013). About 36% of all identity theft victims reported moderate or severe emotional distress as a result of an incident (BJS, 2013). Losses, both direct and indirect, cost Americans $24.7 billion (BJS, 2013). The study found that the higher a household’s annual income, the more likely someone in that household would be victimized by identity theft. Households with incomes in excess of $75,000 had a higher prevalence of identity theft than those in other income brackets (BJS, 2013). There were no significant differences in prevalence of bank account misuse amongst whites, blacks, and Hispanics. However, in regard to existing credit card accounts, more white-non-Hispanics were victimized than both Hispanic and black non-Hispanics. Rates of victimization did not vary significantly by sex in either category (BJS, 2013). The study reports that the majority of identity theft victims weren’t aware of how their account information was obtained. About 32% of victims knew how their account information was obtained (BJS, 2013). Overall, about 91% of identity theft victims did not know who perpetrated against them (BJS, 2013) . Although depending on the type of identity theft, a victim may or may not be more likely to know the identity of the offender. Victims who had personal information used to open a new account were more likely to know their offender than victims of fraudulent use of an existing account (BJS, 2013). Credit card data theft increased 50% from 2005 – 2010, according to the U.S. Department of Justice (Anderson, 2013). Single credit card numbers can be sold anywhere from $10 - $50, and there are millions for sale (Anderson, 2013). In 2007, there were approximately 1 million programs written to steal one’s credit card information (Anderson, 2013). By the writing of Anderson’s article in 2013, the number of programs had grown to approximately 130 million (Anderson, 2013). However, identity thieves know it’s most profitable to hack into businesses where card numbers can be stolen by the thousands or even millions (Anderson, 2013).
The following table, provided by the Consumer Sentinel Network, shows the total number of fraud complaints and amount paid for calendar years 2011 – 2013:
Total Number of Fraud Complaints & Amount Paid CY | Complaint Count | Percentage Reporting Amount Paid | Amount Paid | | Total | Reporting Amount Paid | | Reported | Average | Median | 2011 | 1,040,439 | 673,694 | 65% | $1,547,435,639 | $2,297 | $538 | 2012 | 1,111,119 | 658,013 | 59% | $1,412,308,747 | $2,146 | $500 | 2013 | 1,165,090 | 707,382 | 61% | $1,622,784,979 | $2,294 | $400 |
(Consumer Sentinel Network, 2014) Further analysis of the data tells us that of all complaints received by CSN in 2013, identity theft complaints accounted for 14% of all complaints (Federal Trade Commission, 2014). The most common type of identity theft was government documents/benefits fraud (34%), followed by credit card fraud (17%), phone or utilities fraud (17%), and bank fraud (8%) (Federal Trade Commission, 2014).
Vulnerable Victims A 2012 study by the Identity Theft Assistance Center found that child identity theft is the most difficult to discover and resolve than that of adult identity theft (Mason, 2012). The issue is the child typically doesn’t find out until years later that their personal identity information was stolen and their credit histories most likely damaged. Most disturbing about child identity fraud is the perpetrator is likely a family friend or relative—many times the child’s own parents—who steals the child’s identity to open credit accounts or obtain loans. This type of fraudulent activity is defined as “friendly fraud”. According to the study, more than 70% of reported child identity fraud is friendly fraud (Mason, 2012). Issues with reporting on child identity fraud is that it is reported later in the child’s life, typically long after it has occurred. Seniors are also vulnerable to identity theft. They are commonly duped by telemarketing scams where they are asked to provide personal information such as their social security number, birthday or Medicaid ID number (Identity Theft Resource Center, 2007). Seniors can also fall victim to phony tax preparers who sell their social security numbers to scammers. Offenders may also read obituaries so they can file a fraudulent tax return in the deceased person’s name. This causes big problems for the surviving spouse when they try to file taxes later (Identity Theft Resource Center, 2007). Medical ID theft is also problematic for seniors. Because they have more frequent contact with medical personnel, providers can gain access to insurance information in order to falsely claim medical services, then issue fraudulent billing to the senior and their insurance carrier (Identity Theft Resource Center, 2007). Employees at nursing homes and long-term care facilities have access to seniors’ information and can misuse their finances. This kind of fraud is typically reported to a long-term care ombudsman in the state in which it occurred. Military personnel are also at special risk of identity fraud. Military veterans report the most incidents involving identity fraud than any other group (Identity Theft Resource Center, 2007). The problem is so prevalent the Federal Trade Commission confirmed July 17th as “Military Consumer Protection Day” to inform military personnel about the threats of identity theft (Identity Theft Resource Center, 2007). According to the Identity Theft Resource Center (2007), military personnel are prime targets because they are “conditioned” to offer any personal information asked of them throughout their service to the country. Once they leave the service, this personal information is out there, leaving them vulnerable to ID theft. They also fall victim to “data grabbers” who target veterans by offering some small perk due to their veteran status. They then sell the personal data provided by the veteran to the highest bidder (Identity Theft Resource Center, 2007)
What Thieves are Seeking
According to cybersecurity expert Mark Pribish, identity thieves want specific information from their victims (Anderson, 2013): * User names, passwords and PIN numbers * Social Security numbers and birthdates * Phone, utility, bank and credit account numbers * Employment and student identification numbers * Driver’s license and passport numbers * Professional license numbers * Insurance identification numbers * College or university financial aid form information
Offenders of Identity Theft The scarcity of research on identity theft along with the low clearance rate doesn’t allow for a clear picture of what the offenders are like. From what is known about offenders, they are diverse in terms of race, age, gender, and criminal background. In attempt to understand the kind of person who commits identity theft, a study was done by evaluating U.S. Secret Service’s closed cases of identity theft from 2000 – 2006 by Gordon, Rebovich, Choo and Gordon (Gordon, 2007). They found approximately 42.5% of offenders were between the age of 25 and 34 when the case became open for investigation (Gordon, 2007). In terms of offender race, Gordon and his team found that 54% of the offenders were black, 38% were white, and less than 5% were Hispanic (Gordon, 2007). The study found that nearly 75% of offenders were male. Gordon and his team found that nearly 25% of the offenders in the study were foreign born (Gordon, 2007). The top five countries represented by offenders were, in order from most to least, Mexico, Nigeria, the United Kingdom, Cuba and Israel (Gordon, 2007). The majority of offenders, as reported by Gordon and his team of researchers, had no prior arrests. Those who did have criminal histories tended to commit fraud and theft-related offenses (Gordon, 2007).
Techniques
Many people have no idea how easy it is for criminals to get their personal information without breaking into their homes. To commit identity theft, offenders must obtain identifying information and use it to acquire goods or cash. Thieves have created a number of strategies to accomplish this. Researchers, along with law enforcement agencies, have gathered data primarily from victim surveys and interviews with actual offenders to learn the techniques they employ to obtain the information (Gordon, 2007). The first step when committing identity theft is to get personal information on the victim. Perpetrators obtain this information from wallets, purses, homes, cars, offices and businesses or institutions that maintain customer, employee, patient, or student records (Office of Justice Programs, 2011). Social security numbers are prevalently used for identification and account numbers by insurance companies, universities, cable companies, the military and banks (Office of Justice Programs, 2011). The offender may steal a purse or wallet, work at a job that provides him/her access to a victim’s personal and account information, or they may buy the information from someone who does. Offenders may also steal a victim’s mail, dig through their trash, or by doing a search on the Internet (Office of Justice Programs, 2011). The most common way identity theft is perpetrated is by getting access to a person’s credit card information (Federal Trade Commission, 2014). Another technique researchers discovered happening was organized groups planting a person as an employee at a mortgage lender’s office. These groups are also reported to bribe bank employees, car dealership employees, government and hospital staff to obtain personal information in order to steal it and use it for personal gain (Federal Trade Commission, 2014). Offenders are reported to obtain credit card numbers by using fake emails or what is called “shoulder surfing”, which is when the offender peeks over a person’s shoulder as they type in a credit card number (Federal Trade Commission, 2014). According to the FTC, many victims knew how their information was obtained and some say they knew the person who stole it (Federal Trade Commission, 2014). After getting access to a person’s private information, offenders often use it to get a driver’s license or another state identity card so they can obtain cash or goods. Offenders will use the information to apply for credit cards, open bank accounts and deposit counterfeit checks, to withdraw funds from an existing account, apply for loans, obtain utility or phone accounts, or to apply for government assistance programs (Federal Trade Commission, 2014). Another method used by offenders is setting up fake Wi-fi “hotspots” at public Wi-fi hotspots, such as hotels, airports and restaurants (Prevent and Report Identity Theft, n.d.). Users are safe if they log into the company’s official Wi-fi hotspot, generally speaking, but must be aware of hotspots that appear to be from the business they are patronizing (Prevent and Report Identity Theft, n.d.). A number of identity theft criminals are not computer savvy. These criminals hope people are unaware and trusting enough to leave their wallet, filled with cash, credit cards and personal identification inside an unlocked vehicle. This technique is hard to trace and prosecute, thus preferable to perpetrators of identity fraud.
Legislation Relating to Identity Theft The most substantial attempts to stop identity theft have been in the form of federally enacted laws. There are a number of federal laws to address identity theft, including social security fraud, welfare fraud, computer fraud, wire fraud, and financial institution fraud (Office of Justice Programs, 2011). These laws focus on criminalizing identity theft. The first federal law enacted to fight identity theft was in 1998 with the Identity Theft Assumption and Deterrence Act (18 USC, 1028). This law allows law enforcement to thoroughly investigate a complaint and for victims to recoup any financial losses from the theft. It also extended the range of the crime to include unlawful use of information and documents with punishment of up to 15 years and a fine of up to $250,000 (National Criminal Justice Reference Service). This legislation established the Federal Trade Commission (FTC) as the Federal Government’s central point for reporting identity theft by creating the Identity Theft Data Clearinghouse (National Criminal Justice Reference Service). It eliminated legal loopholes to include not only crimes to produce or possess false identity documents, but also made it illegal to steal another person’s personal information (National Criminal Justice Reference Service). Congress enacted the Fair and Accurate Credit Transactions Act (FACTA) in 2003 (Federal Trade Commission, 2014). This law allows consumers to access one credit report for free once per year. The law requires merchants to leave all but the last five digits of a credit card number off store receipts (Office of Justice Programs, 2011). It requires a nation-wide system of fraud alerts to increase the chance of offenders being caught; requires fraud alerts to be put in credit files; and requires lenders and credit agencies to take action before the victim knows they’ve been affected (Office of Justice Programs, 2011). As mentioned, FACTA allows consumers to place fraud alerts in their credit files. If a person thinks they are vulnerable to impending identity theft, they can request an “initial alert”. If a person has been a victim of identity theft and have filed charges with police, they can request an “extended alert”. Once an extended alert is in place, it will remain there for seven years and the victim has access to two free credit reports every 12 months (Office of Justice Programs, 2011). This law says that for the next five years, credit agencies must remove the victim’s name from any list utilized for prescreened credit or insurance offers (Office of Justice Programs, 2011). Finally, military personnel have the option to place an “active duty alert” in their credit files when they are away from home serving active duty (Office of Justice Programs, 2011). The Identity Theft Penalty Enhancement Act (ITPEA) was passed by Congress in 2004. It put into place a new federal crime of aggravated identity theft. This law forbids the “knowing and unlawful transfer, possession, or use of a means of identification of another person during and in relation to more than 100 felonies” (Office of Justice Programs, 2011). The law defined these felonies as any crime committed using the mail, bank, or wire for fraudulent purposes; immigration and passport fraud; and unauthorized use of another person’s social security number. This law institutes a minimum of two years in prison, served at the same time for the accompanying felony (Office of Justice Programs, 2011). States have followed the federal government in attempt to protect consumers and victims of identity theft. They continue to strengthen laws by increasing fines and penalties and broadening law enforcement’s ability to investigate (Office of Justice Programs, 2011). Some states also implemented laws specifically to help identity theft victims. Victims are protected against discrimination. They can have records expunged relating to the crime against them. There are also programs in place to help victims clear their names and settle their financial predicaments (Office of Justice Programs, 2011). These laws have given law enforcement agencies the backing needed to investigate and make arrests in regard to identity theft but it’s not yet clear if the efforts are working. Offenders will typically find ways to circumvent the laws aimed at stopping their fraudulent activities (Office of Justice Programs, 2011).
Identity Theft Prevention for Consumers Identity theft can happen to anyone, no matter how careful one is in protecting their personal information. To lessen one’s chances of becoming a victim of identity theft, consumers should consider the following tips (Identity Theft Resource Center, 2007): * Don’t carry a Social Security card in your wallet nor write it on checks. Only provide this number if absolutely necessary * Never write a PIN to a credit/debit card on a piece of paper that is kept in a wallet * Watch out for “shoulder surfers”, offenders who look over the shoulder of someone entering personal information into a telephone or computer * Collect mail promptly. Ask the post office to hold mail when gone from home for more than one or two days * If bills or financial statements don’t arrive timely, contact the company or bank * Always keep receipts * Destroy unnecessary receipts, credit offers, account statements, expired credit cards, etc. to prevent offenders from retrieving out of the trash * Store personal information in a safe place and don’t leave it lying around * Check your credit report at least once per year
Consumers should practice the following tips to prevent being victimized by online scams (Identity Theft Resource Center, 2007): * Attempt to locate an online seller’s physical address and phone number * Do an Internet search for the company name and website to determine credibility * Read monthly statements closely * Don’t wire money to strangers, to sellers who insist on wire payments, or to someone claiming to be a family friend who wants to keep the request a secret * Don’t reply to messages asking for personal or financial information. This applies to email, a phone call, text message or ad * Don’t play a foreign lottery as it’s illegal and typically they ask that one wire money to collect winnings (although there are no winnings) * Install firewalls and reputable anti-virus software on home computer
Preventing Privacy and Security for Businesses After evaluating a large number of data breaches, Daniel Solave (2014) discovered two things that can help businesses prevent data breaches: upper management must have a clear understanding of the risks, the laws, and the importance of protecting data and privacy (Solave, 2014). The second prevention tactic is for businesses to look at human behavior of employees, which studies show is the biggest risk to data security (Solave, 2014). Addressing human behavior is best accomplished through effective training. It is imperative for the workforce to be aware that internal threats, primarily human behaviors, are the leading cause of data breaches. If employees don’t receive effective training, they are prone to engage in risky data security practices (Solave, 2014). Solave’s studies found that 90% of malware infection is due to human interaction with the computer (Solave, 2014). He found that 95% of data breach incidents involved human error at some level (Solave, 2014).
How to Report Identity Theft Once a person finds their wallet has been stolen or their information was compromised in some other manner, the following steps should be taken (Identity Theft Resource Center, 2007): * Report it immediately to the corresponding financial institution * Report the theft to local police immediately * Contact the credit reporting agencies and request a flag to the compromised account
Reporting Issues Of all complaints made in 2013, only 41% contacted law enforcement. Of those victims, 74% notified a police department and 61% percent said a report was taken (Federal Trade Commission, 2014). This data indicates that identity theft is often not reported and what is reported rarely gets fully investigated. According to Mark Rasch, a cybersecurity expert specialist and former federal cybercrime prosecutor from Bethesda, Maryland, “Police don’t want to be bothered. It’s a difficult crime to investigate, and the feeling is, ‘Oh, we’re never going to catch these guys.’” (Anderson, 2013). Rasch went on to say most local law enforcement don’t have the manpower and/or expertise to investigate minor identity fraud complaints, and the FBI is “only interested in massive cases involving 100 victims or more” (Anderson, 2013). According to Phoenix police, the improbability of catching perpetrators of identity theft or related crimes makes these very difficult cases to solve (Anderson, 2013). Rasch went on to say many merchants would rather “clean up the damage from an attack than pay for better preventive measures”. Rasch believes this trend will continue unless customers put the pressure on businesses to beef up their cyber security. Financial institutions such as banks have gotten wise to identifying possible fraudulent activity and are quicker to respond appropriately. To this point, banks and other financial institutions have made it almost painless for victims by covering immediate losses. Sustaining this approach will be questionable as the problem continues to escalate (Anderson, 2013).
Conclusion
Identity theft is a nationwide problem affecting millions of people every year. It typically involves an offender who steals or buys a victim’s personal identity information from someone they know or from an agency employee with access to that information. The information is then used fraudulently to obtain a credit card, loan or other financially related scheme. The victim is likely to be between the ages of 18 and 55, has an income more than $75,000 per year and does not know his/her offender (BJS, 2013). Thieves are typically motivated because they need money. Many thieves want money to maintain a lifestyle that includes drugs and living wildly beyond their means. Identity thieves justify their actions by claiming they never caused “actual harm to actual individuals” (Identity Theft Resource Center, 2007). Federal and state legislators have addressed the problem by enacting laws defining identity theft as a crime, laying out clear consequences for offenders, and increasing protection to consumers and victims. Along with legislation, a number of non-profit agencies and other organizations have created campaigns to educate consumers on how to protect their personal data. It is suggested that additional research be conducted to find out if current legislation and law enforcement tactics are working to decrease identity theft. This research would assess and make recommendations as to future preventive strategies involving identity theft (Gordon, 2007).

References

Anderson, J. C. (2013, April 14). USA Today. Retrieved from USA Today.
BJS. (2013).
Federal Trade Commission. (2014). Retrieved from Federal Trade Commission.
Gordon, R. C. (2007, October). Center for Identity Management and Information Protection Utica College. Retrieved from http://www.utica.edu/academic/institutes/ecii/publications/media/cimip_id_theft_study_oct_22_noon.pdf
Identity Theft Resource Center. (2007). Retrieved from http://www.idtheftcenter.org
Mason, J. (2012, December 31). Identity Guard. Retrieved from http://www.identityguard.com/identity-theft-resources/child-identity-theft/study-confirms-growth-of-child-id-theft/ money.usnews.com. (2013, December 18). Retrieved April 15, 2015 money.usnews.com. (2014, July 21). Retrieved April 15, 2015
National Criminal Justice Reference Service. (n.d.). Retrieved from https://www.ncjrs.gov/whatsncjrs.html
Office of Justice Programs. (2011, October). Retrieved from Office of Justice Programs.
Prevent and Report Identity Theft. (n.d.). Retrieved from usa.gov: http://www.usa.gov/topics/money/identity-theft/prevention.shtml
Solave, D. J. (2014). Preventing Privacy and Security Disasters. Retrieved from http://www.teachprivacy.com
U.S. Department of Justice. (2015). Retrieved April 15, 2015