Identity Theft: What It Is, How It Happens & the Best Protection
Identity theft occurs when someone gains unauthorized access to your personally identifying information – such as your name, Social Security Number (SSN), or bank account information – and uses it to commit fraud or other crimes.
The crimes that an identity thief is able to commit with your personal information range from applying for a credit card under your name before subsequently racking up prodigious charges to poaching your tax refund. In some cases, identity thieves are even able to assume an unsuspecting person’s identity entirely, obtaining identification bearing their name and often committing crimes “as that person.”
Those are terrifying prospects, to say the least. It’s clear that identity theft can cost you a lot of money as well as create confusion across the breadth of your life, but despite the horror stories, you have to wonder how prevalent identity theft actually is as well as what you can do to prevent it.
We’ll answer those questions and more below.
The Federal Trade Commission estimates that as many as 9 million Americans experience some form of identity theft each year. However, that number is subject to fluctuation as both crime fighting tactics and the methods that criminals use to steal identities evolve over time. A single statistic can’t really convey the full scope of the issue either.
You may therefore be interested to know that:
- The FTC’s Consumer Sentinel Network received roughly 360,000 identity-theft related complaints in 2012 – 18% of all the complaints made that year.
[Charts: Most Common Identity Theft Complaints; Identity Theft Complaints by Year]
- 8.6 million households (8.6%) experienced some form of identity theft in 2010, according to the FTC.
- 5% of people age 16+ (1.7 million) fell victim to identity theft in 2006 and 2007, leading to $17 billion in financial losses, according to the U.S. Bureau of Justice Statistics. In other words, each instance of identity theft carried a $10,000 price tag.
What can you infer from these statistics? Well, it’s clear that a large number of Americans are victims of identity theft each year. However, when you consider the total number of people in the U.S., it’s also obvious that identity theft isn’t all that common.
In addition, while identity theft leads to billions of dollars in losses each year, we consumers aren’t necessarily on the hook for the full tab. In fact, financial institutions assume most of the liability for spending-related fraud.
"The human imagination and creativity are endless when it comes to stealing things," says Peter Keane, dean emeritus and professor at the Golden Gate University College of Law. In other words, while the following list represents the most common means that criminals use to gain access to victims’ personal information, according to the FTC, it’s certainly not exhaustive.
- Your Trash: Dumpster divers may be able to piece together enough information from old bills, financial statements, etc. to get your name, address, account number, bank name, etc. They can then use this information to open new accounts in your name or even assume your identity entirely.
- Your Mail: By stealing your mail, criminals may be able to take advantage of a pre-approved credit card offer, open an account in your name, and go on a spending spree.
- Phishing: We’ve all received those e-mails from phony financial institutions asking that you provide certain information for their records or from friends asking for help out of a financial pickle. That’s phishing in action. More specifically, cyber criminals try to deceive unsuspecting consumers into opening and/or responding to e-mails designed to capture your personal information for fraudulent purposes.
- Skimming: Thieves are sometimes able to manipulate credit card processing machines and ATMs by inserting a device that captures the account information of whoever uses it.
- Straightforward Theft: Less sophisticated criminals may take a smash-and-grab approach to identity theft, stealing purses, pickpocketing people in crowded places, or even stealing personnel records from companies.
- Conning: Anyone who has ever called a bank or retailer’s customer service number knows that you must go through certain steps to verify your identity before the person on the other end will discuss the particulars of your account. Smooth-talking criminals can sometimes charm or explain their way around these safeguards and get the company representative to provide them with the information needed to fill out financial account applications, a change-of-address form, or the paperwork needed to get a replacement driver’s license in your name.
- Address Manipulation: While you have to “verify” your identity when you change your address by providing a valid credit card or debit card, which the USPS will charge $1 as a test, that’s not an insurmountable task for identity thieves who already have access to one of your credit cards or debit cards. They might therefore be able to divert your mail and gain access to other aspects of your life.
As you might guess based on the ways in which identity thieves access your personal information, there are some commonsense steps that you can take to protect yourself. There are also a few measures that might not seem so obvious, so we’ll lay them all out below:
Mail & Other Documents
- Shred Documents: If you make it a practice to shred financial documents and other correspondence that may contain personal information, dumpster-diving identity thieves won’t find much to use in your trash.
- Put a Lock on Your Mailbox: Restricting access to your mailbox – especially when you’re out of town – will reduce the likelihood that someone is able to open pre-approved credit card offers or glean personal information from letters and account statements. Forty percent of identity thieves glean personal information from people’s mail, according to Good Housekeeping magazine.
- Limit Prescreened Offers: Limit the number of pre-approved/prescreened credit offers you get in the mail by either calling 1-888-567-8688 or filling out a form online. Keep in mind that you will be asked to provide your Social Security number, which the consumer reporting companies need to match you with your file.
- Protect your Social Security Number (SSN): Your SSN is the most attractive and valuable piece of information to an identity thief, which means you need to safeguard it most carefully. For starters, don’t carry your Social Security card in your wallet, and ask the DMV to use a different number for your driver’s license (if your state generally uses your SSN as a default driver’s license number). In addition, be aware that your SSN may be listed on your insurance card or alternative forms of identification. While organizations are gradually phasing out this practice, be proactive and make sure your cards are switched now.
- Only Enter Financial Information on Official, Secure Websites: You shouldn’t send financial information through e-mail or a website without the “https:” prefix. Those methods of communication are vulnerable to hacking.
- Protect Your PIN: You’re more likely to be held liable for a debit card or ATM transaction if your actual PIN is used. After all, it should be harder to gain access to your PIN than a physical card. It’s your job to keep it safe and make sure that no one knows it.
- Never Respond to Unsolicited Requests for Information: Whether it’s someone showing up at your door, calling you on the phone, or sending you an e-mail asking for personal information, you shouldn’t respond if you didn’t ask to be contacted. It can be difficult to verify that the person is who they say they are, and reputable companies don’t ask you to provide sensitive information. “If someone contacts you claiming to be from your credit card company, do not give out your information, but instead, call the company yourself, making sure to use a legitimate number (such as the one on the back of your credit card),” suggests Steven J. Pilloff, assistant professor of finance at George Mason University.
- Order a Free Credit Report Every Four Months: All consumers are entitled to a free copy of their Experian, Equifax, and TransUnion credit reports once every 12 months. By spacing out your orders for each one, you’ll be able to review your reports for suspicious financial accounts as well as other potential signs of identity theft once every four months.
- Lock Your Credit Reports: Certain states enable consumers to “lock” or “freeze” their credit reports. This prevents anyone that you do not have an existing relationship with – even financial institutions – from accessing your credit report without your express permission, thereby making it more difficult for identity thieves to open new accounts in your name.
- Sign Up for Credit Monitoring: Credit monitoring services alert you within 24 hours of any change to your credit report. You’ll therefore know when a credit card or loan application gets submitted under your name. The sooner you know about these potential signs of identity theft, the sooner you can get the situation straightened out.
For your convenience, we've compiled a comparison of all the major credit monitoring companies' costs and services.
- Make a Credit Card Your Primary Spending Vehicle: Visa, MasterCard, Discover, and American Express all offer blanket $0 liability guarantees for unauthorized credit card purchases. In other words, if someone steals your credit card and runs up a bunch of charges, you won’t have to pay for them. "I'm a strong proponent of using credit cards vs. debit cards," says John D. Farmer, an adjunct professor of criminology and criminal justice at the University of North Florida. “If your debit card gets compromised, a bad guy can drain your account. Although you’re probably going to get your money back eventually, in the meantime it’s gone. Whereas with a credit card, you don’t have any of your money tied up in the process."
- Sign for Debit Card Purchases: The four major card networks also provide liability protections to debit card users. However, you’re only guaranteed to be covered if a signature is used for “verification.”
- Review Your Accounts on a Regular Basis: Checking your monthly account statements for charges that you did not make or any other irregularities and bringing them to the issuer’s attention is a great way to nip fraud in the bud. “The single best practice consumers can adopt to prevent financial fraud is to balance their accounts every month. Know what is coming in and what's going out, and double check it,” says Jill Vihtelic, a professor of business at St. Mary’s College. “Credit monitoring by an outside provider is no replacement for individual due diligence.”
- Mind Your Surroundings: When you’re on the phone in a public place, it’s not hard for a cunning identity thief to figure out whether you’re talking about a Social Security Number, date of birth, credit card number, expiration date, etc. From there, they’ll be able to apply for a new account under your name, change your address, and engage in other forms of crime.
- Leave No Room For Doubt: Never leave the final amount of a transaction open for interpretation. That means, for example, making sure to always fill in the “Tip” field on a bill, even if you’re only going to write “$0.00.”
- Know Your Wallet: Simply knowing what you have in your wallet and therefore what stands to be compromised should a pickpocket swipe it from you will mitigate the potential for any corresponding fraud. David M. Cordell, a clinical professor of finance and managerial economics at the University of Texas at Dallas, recommends that you “make a photocopy of every relevant item in your wallet: credit cards, driver’s license, insurance card, etc.” That way, he says, “you can be in position to make a faster recovery.”
We’ve already discussed how thieves can steal an identity as well as what you can do to protect yourself, but what about how you should handle things if you indeed discover that you’ve fallen victim to identity theft? Who should you notify? How can you mitigate the damage? And, perhaps most importantly, how can you get both your money and your good name back?
There are established procedures for addressing identity theft, and they typically include notifying the Federal Trade Commission (FTC) as well as other relevant government agencies and financial institutions. Below you can get a general sense of the steps you might need to take, but note that the specifics differ slightly depending on whether you’re dealing with an unauthorized inquiry or an unrecognized account, employer, address, delinquency, bankruptcy, civil judgment or tax lien.
- FTC: The Identity Theft and Assumption Deterrence Act holds the FTC responsible for fielding consumer complaints, providing information to potential victims, and coordinating the response with credit bureaus and law enforcement agencies. You can submit your identity theft complaint to the FTC online, over the phone (1-877-ID THEFT), or through the mail (Consumer Response Center, FTC / 600 Pennsylvania Avenue, N.W., Washington, DC 20580). Since time is of the essence when dealing with identity theft, the best approach is probably to file a complaint online or over the phone.
- USPS Inspection Service: If you believe that an identity thief has changed your mailing address or engaged in other types of mail fraud, you should notify the Postal Inspection Service by filling out this online form.
- IRS: If you believe that your Tax Identification Number has been compromised (as might be the case if your tax refund was claimed by a fraudster), fill out and submit the Internal Revenue Service’s Identity Theft Affidavit.
- Social Security Administration: If you think your SSN has been compromised, notify the Social Security Administration by calling: 800-269-0271.
- Your Bank(s): You should also give the financial institutions that issued your credit cards, debit cards, bank accounts, etc. a heads up that you may be dealing with some identity theft. This will give them the opportunity to apply added safeguards to your accounts as well as examine them for signs of impropriety.
After you’ve notified all of the relevant authorities, you’ll need to take care of some simple logistics. For example, you may want to review all of your financial accounts as well as your personal information for evidence of identity theft, which you can provide to investigators. In addition, you may need to adjust automatic monthly payments, direct deposit procedures, etc., so the potential identity theft does not cause a domino effect of headaches across your financial life. For more tips, make sure to read our guide on what to do in the aftermath of suspected identity theft.
With more and more consumer information readily available via the Internet and criminals engaged in a continuous game of technological one-upmanship with law enforcement, it’s fair to wonder what the future holds for our financial security. Will sophisticated fraudsters be able to overcome advances in voice and fingerprint recognition once the technology ultimately becomes cost-effective for mainstream use? Will financial institutions continue to eat the losses deriving from unauthorized transactions, or will liability shift more to the consumer at some point?
We asked a number of leading personal finance, law enforcement, and information security experts what the next 5-10 years have in store for us from an identity theft standpoint, and their responses offer interesting insights into the future safety of our wallets.
- Is our personal information more or less secure now than say, 5 years ago?
- What does the future hold for the security of our personal information?
- What are the best ways for people to protect themselves?
- Julie Cromer Young
- Keith Cronk
- Anne Kohnke
- Michel Kabay
- Al Marcella
- Carolyn D’Argenio
- Chris Hoofnagle
- Cihan Varol
- Doug Jacobson
- Drew Proccacino
- Duane Dunston
- Greg White
- Kevin Tu
- Lynne Vieraitis
- Maria Sanchez
- Markus Jakobsson
- Michael McGuinness
- Nir Kshetri
- Patrick E. Corbett
- C. Peter Erlinder
- Sarah Welling
- Steffen Schmidt
- Stuart Green
- Thomas Patrick Keenan
- William Kresse
Our personal information is definitely less safe than it was ten years ago; probably less safe than it was five years ago. I say this not as a legal professional but as a repeat victim of identity theft. Last year, I learned that my information had been stolen and someone was using my social security number, tied with my birth date, tied with my last name, to open multiple credit card accounts. This year, I have been the victim of a ransomware attack. As far as I can tell, I've had four or five breaches of my information from third party companies.
What does the future hold for the security of our personal information?
Our personal information will continue to be unsafe as long as we increase our reliance on cloud computing and file sharing. These mechanisms are beneficial in several ways, but they provide a tunnel under corporate IT security structures to get to personal information. I think that for the next few years, financial companies will invest more resources in damage control rather than finding an effective solution for absolute privacy.
What are the best ways for people to protect themselves?
I've learned about protection the hard way. First, destroy any physical documents with identifying information on them as soon as they expire or are no longer necessary. Second, it's worth it to sign up with Identity Guard or a similar company to monitor your credit activity. I've signed myself and my child up. Third, be judicious about use of Dropbox, Google Docs, or other file sharing software so that someone cannot tunnel into your security. Fourth, be wary of public wireless hotspots or systems. Finally, protect your physical space, too. My identity was just as likely stolen by result of a break-in to my home as it was a mass security breach.
I think the correct answer is yes! There are some areas where information is more secure. Organizations and individuals are much more aware now of the need to protect personal information and that has helped increase the protection of information. There is still a long way to go though. But, as is always the case, those who want to grab other people's personal information become more proficient and sophisticated in extracting it from people. So, that makes it less secure. Will security be ever foolproof? Unlikely. Will people become more diligent in giving access to personal information? Most likely.
What does the future hold for the security of our personal information?
As I look ahead from a University setting, as I talk with the current students, a sense of dread comes over me. They do not seem to see the risks and dangers of losing the privacy that comes when personal information is taken or given away. It is 'part of the deal' so to speak, to them. For older people it is a confusing and dangerous world and sadly they often are easy targets. So, from that perspective it is a grim future. However, I am confident that as more work is put into security and safety, our information will become better protected. I don't know how that will unfold though. I wish I did!
What are the best ways for people to protect themselves?
The answer to this is almost the same as it has always been. We have to become diligent and super suspicious of anything out of the ordinary and resist the temptation to click on things we just do not know about. There are still phone scams that people get caught in that could have been avoided with diligence and healthy suspicion. In regards to digital information, we have to do the basics at least: keep software up to date, have reputable protection software installed and up to date, maintain as strong a password regime as possible, where possible go for two-factor authentication and so forth.
Inasmuch as we’d all like to think that we’re getting better at securing data, the increasing amount of breaches speaks otherwise. Historically, organizations have not invested in regularly scheduled security penetration testing, vulnerability scanning, traffic monitoring, etc. due to cost and the skills necessary to effectively perform these. There is a significant demand for individuals who know how to effectively architect and protect large networks. It has been only recently that managers realize that cyberattacks lead to revenue losses, litigation, regulatory fines, exposure of vulnerabilities to competitors, increased costs of cybersecurity protection, and most importantly, reputational damage that in some cases cannot be overcome.
What does the future hold for the security of our personal information?
With increasing amounts of information available due to Internet connectivity and cloud-based storage, the security of personal information is in the hands of the many organizations who collect it. Which is why it is important for individuals to be proactive and careful as to who and how they provide their information. Information given over the telephone or credit card number written on payment vouchers is not secure. Not every organization has the security and processes in place to protect against breaches so it is wise to be concerned and diligent.
What are the best ways for people to protect themselves?
It is important that individuals take a proactive role when it comes to protecting their information and assets. For instance, there are several things people should do:
- Only carry what you need: credit/debit cards, medical cards, identification, etc. Medical records yield higher payouts to hackers than credit card data. Do not keep your Social Security card in your wallet — keep that at home in a safe place. When traveling, wear your cash/credit/debit cards, medical/insurance cards, passport, etc. in a travel pouch that hangs around your neck so that it cannot be pickpocketed or inadvertently left behind somewhere.
- Inquire why an organization needs your personal information and how they will safeguard it, before you share it. In many instances, more information is asked for than is really necessary, so it is acceptable to also ask about the consequences if you want to decline to share your information.
- Purchase a shredder and take the time to shred old medical statements, checks, bank statements, expired credit cards, invoices, etc. Any document with your address, payment method, medical or financial information should be shredded. Also, remove the labels off of prescription bottles before you throw them out.
- Consider the social media sites you use — friends of friends can see your photos and what is written on your timeline on Facebook. If you post that you’re going on holiday or you ‘check-in’ using the GPS technology on your smartphone, you’re announcing to the world that your home may be empty and vulnerable to a robbery. Wait until you get home to share your thoughts and photos.
- Obtain a copy of your credit report from all three bureaus every year and look them over closely. Annual reports are free and it is important that you know exactly which accounts are open, closed, and active. Make sure the information reported is accurate.
Personal information is less secure:
- The increasing amount of personally identifiable information being stored online, including in cloud services, creates more targets.
- Identity theft is rated the most quickly rising crime in the USA by the FBI.
It is getting worse:
- People are putting increasing amounts of personally identifiable information (PII) on social media, where identity thieves can collect information for answering such secondary authentication questions as "What high school did you go to?" or "What was the name of your favorite childhood pet?"
- Organizations are collecting increasing amounts of PII and thus increasing the target size.
- Organized crime rings such as the RBN (Russian Business Network) have increasingly seen identity theft as a profitable, low-risk crime.
- The number of computer-savvy people has been growing rapidly; however, ethics is still not considered an essential element of education for computer-science students.
- Software engineering still does not always include effective security as an essential element of the functional requirements. Some companies and organizations relegate security to an afterthought in the search for immediate profit.
What are the best ways for people to protect themselves?
Organizations and managers:
- Encrypt your data;
- Back up your data;
- Have the CISO report at the same level as the CIO;
- Implement effective INFOSEC policies;
- Provide constant, effective security-awareness training throughout the organization;
- Ensure that you have detailed computer-security incident-response procedures and test them;
- Be sure that your business-continuity and disaster-recovery plans are up to date and tested regularly;
- Read Kabay, M. E. (2002). "What's Important for Information Security: A Manager's Guide.";
- Use these free teaching resources for internal training and discussion.
- Run an accepted antimalware product and let it update itself as often as it wants to (many times a day).
- Encrypt your sensitive data (or just enable whole-disk encryption and be done with it).
- Back up your data -- that means on a separate device or service -- regularly (e.g., all changes daily, full copy every month).
- Use a password safe to ensure that every web site you use has a different, complex, meaningless password (no more "Rover" or "PASSWORD" strings -- use stuff like R3u%nf9!2).
- Never respond to a phone call with details of your Social Security number, birthday, bank account details, or credit-card details. Call the ostensible organization back at a documented phone number to donate.
- Never talk to anyone who phones you claiming to be from Microsoft or Apple who wants to fix a virus or a problem on your computer -- hang up at once.
- Never talk to anyone who phones you claiming that they are from the FBI / IRS / CIA / NSA and that you are going to be arrested. It's bovine fecal material -- just hang up immediately.
- Never agree to send anyone money to be able to claim (a) Millions of dollars by letting them put money in your bank account after they or a relative stole it; (b) the Spanish El Gordo Lottery because you won something without ever buying a ticket.
- Do not click on hyperlinks in email messages that do not correspond to the expected source or which are shortened (e.g., using bit.ly or tinyurl), unless you have configured these services to show you exactly where the links go.
- Do not open attachments in email messages, even if the sender seems to be a known contact, unless you are expecting the file(s). If you are not, ask your friend/contact if they sent you the file and why.
- Do not click on popup messages claiming to "clean your computer" or claiming that your computer is infected with viruses. No legitimate product makes such claims, but many "ransomware" attacks start that way -- and encrypt your entire disk.
- Buy a cross-cut shredder and destroy every paper you are throwing out if it has PII.
- Study these resources.
Consumers should expect to see continued aggressive and persistent attacks on their personally identifiable information (PII) and the systems which store and process these data.
With a five to 10 year event horizon, consumers should be prepared for significant changes in technologies that will both greatly assist in the protection of PII as well as give criminals greater capabilities to launch attacks and acquire larger amounts of data through greatly refined and more targeted attacks.
Information in general and PII in particular will continue its movement toward increasingly becoming a commodity with a recognized economic value, and the associative incentive then for criminals to attempt to liberate data owners from their data.
What does the future hold for the security of our personal information?
Our personal information will become more accessible to criminals. This is because society is becoming increasingly connected via existing and emerging technologies, in ways that did not even exist two years ago and those connections are not as well controlled or secure as consumers might want to believe.
Given the insatiable demand for newer and faster technologies and the ability to access data from virtually any spot on the planet, individuals in general, continue to be: (a) increasingly blasé of the advances in technologies that will allow both authorized and unauthorized individuals to pry into their private life, accepting this as another cost of doing business in the 21st Century; (b) less and less protective of their PII, if it means giving up elements, if not the entirety of their PII in order to obtain a free vendor discount coupon; (c) the primary point of a targeted attack, due to the fact that most individuals don’t employ a defense in depth strategy strong enough to protect their most sensitive data.
The movement of data, of all types, away from the direct control of the data owner into the hands of an external third-party e.g., cloud provider, creates new threats and exposures to the safeguarding of PII. Hardening defenses may require unpopular decisions, financial expenditures, proactive revision of existing policies and procedures and modifying the way in which one conducts daily activities, both professional and personal. Most people do not embrace change well.
What are the best ways for people to protect themselves?
In the long run, the best approach to mitigating identity theft is through ongoing, proactive training.
An awareness of current and emerging exploits designed to relieve an individual of his/her PII, regular, real-time review of purchases and financial statements for anomalies, recognizing and avoiding scams, cons, exploits, etc. and continual training and discussions with children and seniors on the dangers and risks of disclosing PII without first verifying and validating the authentication of the recipient of this information and the authorization for the collection of this data, prior to releasing the data.
Trust, but verify!!
My nine-year-old recently warned me about identity theft. He was so serious and afraid that someone would steal my identity. I asked him where he learned of the term. TV, of course. I asked him what he thought the term meant. He wasn’t sure. We talked about it, and I assured him that I would remain his mom.
The messages are out there. Television and radio spots, journal articles, mailings from financial institutions, insurance companies, trash removal services, etc. But most adults tune those things out. We don’t look at it with the literal seriousness that the messages convey. When do we actually stop to think about what identity theft means? Do we actually consider the many layers of harm that can be caused by someone stealing our identities, beyond the financial loss that some credit card companies promise protection from for an extra $9.95 a year (and does that fee cover losses due to our careless or indifferent treatment of personal information?)
The way technology is allowing consumers to make purchases is putting us at greater risk. Stores have little privacy over the number pads where customers type their secret password. There are likely cameras with zoom powers over the registers in many stores anyway. The ability to flash a key card or even a smart phone to make purchases makes it too easy to use another person’s card. Most of the time, the cashiers never ask to see the card or look at the signatures to compare. Having online companies store your information for your convenience the next time you fill your cart is like leaving your credit card in someone else’s wallet. How do you really know they’re keeping it safe? Do we know the cybersecurity efforts of such companies toward information assurance? Do they tell consumers that when they ask them to put their information in? No. They show a cute little lock on the computer screen. How many people know what that means?
The amount of personal information that people put forth on social networking sites is incredible. Add geotagging in and it gets easier. It doesn’t take much to look over someones Facebook postings to find out information that is often used to provide replacement passwords to accounts. Mother’s maiden name, pet’s name, favorite band, etc. A savvy criminal can pick the pieces needed, add that to a number captured electronically or photographically, and have the ability to change a password and access financial documents, order replacement identification cards, etc.
The ‘go green’ initiative will also contribute to increased identity theft and consumer fraud. Statements delivered online often go without scrutiny. Each opportunity for convenience adds another source of vulnerability.
I believe that things will get worse. People know of the terms identity theft and consumer fraud, but they don’t really understand them. Nobody thinks it will happen to them. Until it does. Then, if it makes the news, people will be on heightened alert. But that won’t last either, as something new will come along. White collar crimes are incredibly complex and often span the globe. Prosecution is difficult. Conviction is difficult, particularly if jurors must pay attention to the intricacies produced by lawyers of number-swapping, codes, and other technical stuff that doesn’t make the CSI shows that they so covet. Further, there is a risk of exposure, particularly to a public company, of vulnerabilities (or opportunities, depending on who’s looking). A loss of reputation or stock value is something too risky, and often companies settle fraud cases directly with the perpetrators. Disclosure of financial records brought forth through compliance with a growing number of “post-Madoff” state and federal mandates has helped some, though this still depends on there being enough resources to detect problems and cannot address the many points of access for identity theft to occur outside of the bigger financial arenas. Simply, the scope of the problem is too big. In the grand scheme of things, only a few cases get forwarded to the proper authorities within the civil, criminal, and administrative law systems. And it is still up to those authorities to assess their feasibility before deciding whether to move forward with them.
From a classical deterrence perspective, for crimes to be deterred, there would need to be certainty, celerity, and severity. Without one of those things, we are at risk. We do not have certainty. Most instances of identity theft/consumer fraud go unnoticed or unrevealed publicly. We do not have celerity. This refers to the swiftness with which a punishment is received after the crime is done. The swifter it is, the more meaningful it is. The greater the chance for a lesson to be learned (by the offender, and if advertised properly, by others). It takes sometimes years before white collar crimes are prosecuted. And severity. How do we measure the harm caused by identity theft, consumer fraud, and other white collar financial crimes? Layers upon layers of harm. Very serious, sometimes deadly harm. And the punishments statutorily attached? Can they possibly consider all these layers and be appropriately proportional? I’m not too sure there. Of course, I am assuming they would be applied properly to the crimes convicted of and that the crimes convicted of would be the crimes that actually occurred. But…how would we manage that? Courts are crowded as is, despite our mostly bargained justice.
In the payment space, there are some very exciting new technologies that could reduce account takeover risks. For instance, mobile payments offer extra authentication options not available on cards. However, the general problem always comes back to incentives, and speed and convenience beats out good security interventions. This is one main reason why we still do not have EMV in the US.
I do think that we will see a reduction in the time it takes to detect fraud.
On new account fraud, the situation is bleak, because we have no strategy to address the ‘root document’ problem (insecurely issued birth certificates and other source identity documents), because of security breaches, because of self-revelation of personal details used in credit authentication through social networks, and because the move to make government more transparent has placed more and more personal information in the public record. For instance, about one in four young Americans has been arrested. That means that their photograph and key personal details are on the internet, forever, for anyone to repurpose. Here, like the takeover problem, the key issue is incentives and how different players in the credit market can shift risk.
Yes, private information will be exposed more to the criminals in the next decade. Digital crime conductors and those who try to prevent them have been in a constant battle. Unfortunately, research departments act in a reactive instead of a proactive way toward digital crimes. To give you concrete examples, my research group first created a steganography algorithm to hide information in iLBC Codec for VoIP conversations, then we expect research groups to create a steganalysis for this technique. The same is true with intrusion detection: most of the techniques act like any regular antivirus software, which will generate an alert if the same type of attack was seen previously. Pattern recognition (prediction) techniques do not work well because of high false positive and negative rates.
Previously, as security appliers, we were fortunate to create solutions for only a small number of technologies out there. However, with the introduction of smart phones, variety of operating system platforms, cloud, etc., the area that needs to be covered is increasing exponentially, while the number of investigating research teams is increasing linearly at best.
There are a couple of reasons why I believe that identity theft will only get more pervasive. First is the change in our culture where people are more willing to share information about themselves online. As this next generation of kids grows up and starts to build net worth we will see increased attempts against them. Another problem is just the sheer number of users being added to the Internet every day. This provides both additional targets and additional attackers trying to get money. Our only hope is to change the discussion from security awareness to security literacy. We need to help the general public understand security and not just give them a list of the top ten things to do or not to do.
Despite efforts (both public and private) to inform the public, and technical and policy-based work being done to protect personal information, I expect expanded opportunities for identity thieves. Citizens will need to be ever-vigilant in protecting their personal information because of the ever-increasing ability and willingness in society to be inter-networked through devices and methods that would have been unthinkable not many years ago. These include the expansion of broadband Internet access and wireless applications through a multitude of devices, including mobile, household and vehicle-based.
People need to be more cautious about giving out personal information, even if it is a phone number, because you were asked for it at the grocery store checkout or some store collecting information. Opt out or do business elsewhere.
Private industry should develop a standard for sharing and protecting private information with a governing body that has auditors to ensure the sharing and securing data practices are being followed. This could be similar to how PCI works. If an organization wants data from a company, then they must have specific security controls, policies, security monitoring, training, and other best practices in place before they are considered to share data. The companies that join the consortium would have routine audits to ensure they are maintaining a strong continuous monitoring program to limit access to data.
This is in line with what Obama described in the Privacy Bill of Rights. The consortium MUST have the ability to levy fines or other legal sanctions against a company that is not in line with the requirements. I’m staying away from the word ‘compliance’ due to its bad connotation of creating a ‘checklist’ of what needs to be done. Evidence should be shown for a strong continuous monitoring process.
Identity theft is obviously on the rise. There are several companies out there who are doing quite well helping to protect individuals from identity theft (to either protect or to lessen the impact from an incident). I don’t see this going away any time in the near future. I also think that we will see (and have already seen) increased protection for CERTAIN types of information (such as medical information). Because of fines that are assessed against entities who disclose (or who have somebody gain unauthorized access to) personal medical information, entities that maintain medical information on the whole are becoming much more concerned about protecting it.
That said, there are still many small offices where the protections are simply not in place. Some of this is simply a lack of awareness. Think about a small medical practice with a computer system used to maintain information on patients. Often they don’t think about the loss of that machine and what it would mean in terms of the information contained on it. Encryption of the hard drive is easy, but most offices in this category that I know of have not encrypted the data – why should they, the office is locked? (at least that is the attitude).
Some personal data is going to be available because of how many places have access to it – think credit cards. It doesn’t take a lot for an organization to obtain the device to use credit cards. How well do they protect the numbers? We all have heard stories of a salesperson who jots down credit card information from a customer whose card he was given to run. This is not going to change anytime in the near future – but then the damage that can be done is a lot less than full identity theft.
If history is any indication, technology will continue to outpace any legal and regulatory advances in consumer protection. Advances in technology will likely provide identity thieves and hackers with new and more sophisticated tools for gaining access to protected personal information. Unfortunately, the adoption of stronger protections is unlikely in the absence of legal and regulatory mandates to beef up security. Because legal and regulatory changes typically react to existing problems, they necessarily lag behind the innovation of criminals. I expect that we will continue to adopt increased security measures designed to prevent existing risks only to be faced with new dangers.
The ongoing presence of both identity thieves and foreign hackers will undoubtedly be a reality of the coming years. Both present very real, but different problems. On the one hand, identity thieves tend to present a more personal problem that is likely of greater interest and concern to individual consumers. On the other hand, the potential impact and disruption from foreign hackers potentially pose a much more widespread systematic concern that should be on the forefront of the discussion by privacy and security experts and policymakers.
Some information, for example, personally identifying information kept at doctor’s offices, mortgage companies, credit card companies, etc., will continue to be at risk due to rogue employees. Although companies and businesses continue to make improvements to their privacy policies, there will always be a number of employees who will steal personal information. This is true for any organization, large or small, for-profit or non-profit.
In addition, banks and credit card companies have dramatically improved their ability to detect and prevent consumers’ information from being used fraudulently, and it is likely the trend will continue. So while offenders can still steal the information, their ability to use it repeatedly or over a long period of time has been reduced. The type of identity theft and financial fraud that involves the use of technology, i.e., phishing, hacking into databases, will also continue, but businesses and organizations are working hard to increase their protections against external attacks.
Despite businesses’ and the government’s attempts to protect consumers, this is one crime that consumers must be proactive in protecting themselves against. All of the steps we are encouraged to take to protect our personally identifying information are good ones. We just need to be careful to follow them.
In the end, it is a race–can we develop strategies to prevent criminals from accessing our information and can we develop strategies to prevent them from using that information to commit fraud, before they can figure out a new way to gain access? Criminals are good at seeing opportunities for identity theft and fraud and finding new opportunities when one door closes.
I think that identity theft will continue to increase in the next 5-10 years. With the increasing use of social media and smart phones, as well as criminals constantly coming up with new ways to steal personal information, identity theft will continue to be a huge problem.
Things can really go two ways at this point. There is great support for biometric authentication (next iPhone rumored to have it, the FIDO alliance putting it in place for Android). But the key storage is insecure, and will attract malware attention, which will be a great problem — unless there are security features introduced to block this. Security vendors and OEMs are working on addressing this, but it is an infrastructure problem, and not everybody understands its importance yet. If a good solution is put in place, identity theft will be much harder to perform. But otherwise… it will not.
Personal information is less secure than it was 5 years ago.
Neiman Marcus, Target, Michaels, Coca Cola and Easton-Bell are five well controlled companies that have had recent security breaches and they are just the tip of the iceberg.
Individuals building secure systems are smart; hackers are just as smart. The illicit gains to be gotten are just too big to ignore.
I am quite pessimistic that the identity theft problem will get better in the next 5-10 years. This is due to the fact that consumer information is increasingly stored everywhere but there is a severe lack of education and awareness among a large proportion of Internet users about basic cybersecurity principles. At the same time, cybercriminals are coming up with more creative and more sophisticated ways to steal digitized information. In this context, the most significant trends are related to the rapid diffusion and adoption of cloud computing and social media.
The big cloud providers and social media companies have been, and are likely to be, potential goldmines for cybercriminals as indicated by large-scale and major data breaches involving Amazon, Yahoo, Google, Microsoft, Facebook, and LinkedIn, to name a few, in the past few years.
Unfortunately there have been no major improvements in recent years in regulatory frameworks and business practices to strengthen data privacy and security protection. In the absence of major initiatives from the regulators and technology and services providers, the identity theft problem is likely to get worse before getting better.
An excellent resource on this question is the Federal Trade Commission’s Consumer Sentinel Network (CSN). The CSN is a ‘secure online database of millions of consumer complaints available only to law enforcement.’ Consumer Sentinel Network Data Book (January-December 2012) (page 2). The FTC has provided an annual report summarizing the CSN fraud and identity complaints for several years. To my knowledge, the 2013 report has not yet been released.
In 2008, the CSN received over 1.2 million complaints; in 2012, the CSN received over 2 million complaints. In 2008, identity theft was the number one complaint category with 26% of the overall complaints; credit card fraud (20%) was the most common form of reported identity theft. In comparison, for 2012, identity theft remained the number one complaint with 18% of the overall complaints; government documents/benefits fraud was the most common form of reported identity theft at 46%; credit card fraud was second at 13%. See Executive Summaries for both Reports (located at page 3).
What does this data mean as it pertains to your question? Regardless of the industrial and government security measures taken to prevent identity theft, it is still prevalent. People need to be guarded about what personal information they give away.
Consider that 4th amendment protects only from gov. intrusion. At that time, the idea of a non-governmental actor being able to accumulate what is possible easily on the internet now…the sphere of ‘privacy’ has/is becoming vanishingly small….what is to prevent private actors from doing what NSA does, except ‘brain-power of the geeks employed.’
The Snowden case shows this has also become a problem for government. If NSA can’t protect itself, what are you and I supposed to do? And, who will do it, and how? IT has made many legal concepts obsolete and the law (as it must be) is slow to react. Is it beyond reason to imagine a private/hacker ‘Minority Report’ scenario? This is not so different than financial controls being outstripped by the international finance tech capabilities. [How many milliseconds do you need to be ahead of the market?]
These concepts are very much connected because of the blurring of lines between many institutions and their capabilities that IT makes possible. Less private…in all ways. More likely victims of identity-theft by thieves, corporations and government. What controls can any of us imagine at this point? Tough to conceive, much less articulate.
Unlike most topics, Congress has been busy on this topic, enacting new crimes and modifying older ones when new criminal conduct pops up. To the extent criminal law works to deter crimes, it may be that Congress and the federal prosecutors will cause access to our personal information to be less attractive.
The personal and financial information of consumers worldwide will continue to be vulnerable and perhaps become more exposed to criminal abuse. However, there will come a tipping point when neither consumers nor companies will be able to tolerate the extent of security breaches. New and much more rigorous security regimes will be designed to make unauthorized intrusion more difficult. I assume that we will need to include hardware security devices to all our hardware including tablets, laptops and of course smart phones.
This is such a high priority because while individual consumers are targets of identity theft, the biggest crisis lies in that authentication is the root of all security (for example access to restricted facilities, military security, the banking system, education, and medical). So while ID theft is a very serious individual problem it is at the heart of the continued functioning of our entire society. It is only when a massive intrusion occurs that puts a sizable chunk of our nation at risk that government and corporate America will invest the research necessary to create a new security paradigm. One huge problem is that government itself wants WEAKER security so that law enforcement and national security agencies can access information. That is a real dilemma.
For the foreseeable future, there will continue to be an arms race between the keepers of identity information, on the one hand, and identity thieves, on the other. Hacking is no longer just for sport. There is big money in it, and sophisticated criminals are now capable of causing massive losses for banks and their customers with relatively little chance of detection, apprehension, or conviction. And, presumably, more commerce than ever will be conducted online.
So in the short term, I think the situation will continue to worsen. Could it get so bad that people would stop doing business online? It’s hard to imagine ever going back. The solution will have to be primarily a technological one rather than a legal one. I don’t think law enforcement will ever have adequate resources to deal with the problem. Nor should we want them to. Firms will have to do a better job of protecting information, through encryption technologies, and consumers will have to take more responsibility for protecting their own identity information as well.
More of the same, plus whole new things. Phishing emails will continue to arrive because they work often enough to be profitable for the bad guys. Even sophisticated people fall for the ‘you need to update your email information’ or ‘you’ve asked to reset your LinkedIn password.’ I just got a phishing email apparently from a senior business executive. When I told him about it, he said, “Ooh yeah, there was this small message about passwords on my iPhone, and it looked legitimate so I clicked on it.” It wound up hijacking his Gmail password and spamming his entire contact list, which really embarrassed him. So the rise of mobile devices makes it harder to check things like the originating URL of messages, which is hard for the average person to do, even on a big screen.
As we put more of our credentials online (banking, shopping info, even health info in databases like Microsoft Health Vault) we are going to see more targeted attacks. So if somebody can figure out from your purchases or information that you’ve stored that you’re a diabetic, they’ll try to steal your identity with diabetic oriented messages. We’ll also see identity theft that’s not directly trying to steal your money. Just your name, and, for example, the fact that you have a certain disease may be sold for a good price to unscrupulous or fraudulent marketers. The Competition Board of Canada did research a few years ago on fake diabetes cures and shut some of them down, but they keep springing up and if they know you’re a likely victim they will target you.
Identity theft is the crime that keeps on giving. As long as consumers and merchants seek more convenient means for funds transfers, the identity thief will use his (or her) ingenuity to devise a way to access those funds.
What was it that bank robber Willie Sutton supposedly said? That he robbed banks because ‘that’s where the money is.’ Well, ‘the money’ is now in electronic form, and identity theft is how you rob it.
I like to say that ‘fraud never sleeps.’ And that’s why we must always be vigilant.
Over the next century, there will be a continuous tug-of-war between the fraudsters and the I.T. professionals who will have developed any number of innovations for securing identities, encrypting data, etc., etc., etc. But with each new innovation, the identity thief will be there breaking down the fire walls, cracking the codes, etc., etc., etc.
Why? Because fraud is an economic crime where the fraudsters balance the costs with the benefits. And the benefit of breaking the latest cyberlocks to access great wealth is just too much potential benefit for relatively so little cost.
So in the next 5-10 years we will see continuous changes in identification hardware and software, anti-virus systems, etc. The consumer will have to keep up, or pay up.
It’s the wave of the future. Because fraud never sleeps. And the Internet is where the money is.
Identity theft and fraud are terrifying prospects for consumers, as they can lead to financial losses and credit score damage. However, these types of crime are far less common than you might think, and you can further reduce the likelihood of falling victim to them by taking a few commonsense measures to protect your personal information.
While exercising common sense will always be your best defense against identity thieves, the hope is that advances in identity verification will also make life more difficult for criminals in the future. Take credit card transactions, for example. “A credit-card is supposed to identify the person, but it is easy to imagine the deployment of technology which uses a camera to perform facial recognition, a mic to perform voice recognition, etc.,” says Steven Myers, assistant professor of informatics and computing at Indiana University.
“Right now those technologies are very expensive,” according to Swapnoneel Roy, assistant professor with the University of North Florida’s School of Computing, “but research is going on to bring down the cost of biometric measures, so that should bring down identity theft a lot.”
Still, we can’t expect identity theft to disappear altogether, in part because the potential payoff will always allure criminals and in part because we are increasingly putting more and more of our personal information online for the world to see. “The biggest disturbing trend in identity theft will definitely be social media,” says Vijay Kanabar, associate professor of computer science and administrative services at Boston University. “There will be no privacy.”