Identity theft: Difference between revisions

Identity theft (or identity fraud) is a technically incorrect term used by the media to describe a crime, tort or other harmful act by deliberately impersonating an individual. Most commonly, this term us used in relation to credit card fraud, though mortgage fraud, and also gaining access to the finances of a specified targeted person or a frame of a targeted person falls within what mass media reports of identity theft have included. Less commonly, it is to enable illegal immigration, Terrorism, and rarely for espionage, or changing identity permanently. It may also be a means of blackmail, especially if medical privacy or political privacy has been breached, and if revealing the activities undertaken by the thief under the name of the victim would have serious consequences like loss of job or marriage. While identity theft appears to cover the entire waterfront of crimes committed while pretending to be someone else, it is only used to describe those situations where the the person being impersonated has no knowledge of the person pretending to be them, or does not approve of their actions. Hence (for example) cheating on an exam or driving test is not considered identity theft.

Because identity theft is so broad a concept any discussion of it should quickly narrow down to the specific case like credit card fraud. Likewise any proposed remedy of identity theft is in actuality a remedy for a specific case of identity theft, with the unachieveable exception of 100% perfect verification. Biometrics is assumed to be such a technology, but in reality risk worsening the situation leading to reverse burden of proof problems in courtrooms as biometrics can also be spoofed as part of an attack.

Techniques for obtaining identification information range from the crude, such as stealing mail or rummaging through rubbish (dumpster diving in the USA), stealing personal information in computer databases, to infiltration of organizations that store large amounts of personal information.

Identity theft is usually the result of serious breaches of privacy. Except for the simplest credit-related cases, it is usually not possible without breakdowns in

• customer privacy, in which case the consequences may be limited to fraud on one corporation, typically the one that leaked the data in the first place, e.g. account numbers.
• consumer privacy, more serious, where credit card numbers or other generally-useful identity data are stolen and used much more widely.
• client confidentiality and political privacy, making it easy to effectively impersonate someone, by using confidential information that an ordinary impersonator would not have access to.

The term "identity theft" is inaccurate; it is merely a relativly new term for fraud where an individual is impersonated. Clearly, a person's identity is not something that can be stolen, and individuals subject to fraud do not cease being who they are.

Further, use of this term suggests that the "victim" of such crime is the individual being impersonated. While it certainly be true that this individual may be caused a certain amount of trouble (e.g. being pursued by debt collectors), the real victim is actually the creditors who are being defauded.

It should be strongly emphasised that the impersonated individual does not have liability for any crimes fraudulently carried out in their name. Some creditors may well attempt to put pressure on that person, claiming that they are liable and merely attempting claiming that their "identity has been stolen" as a ruse to get out of paying what they owe. In such cases it should be strongly borne in mind that it is for the creditor to prove that the debt is owed by the impersonated individual - and not the individual themselves.

In many parts of the world, identity theft is the fastest growing offence. However, in the USA, a longitudinal 2005 study by Javelin Strategy & Research ^[1] showed that the crime had leveled off since a 2003 study from the Federal Trade Commission ^[2] was released in 2003. The most recent US Javelin data also showed that 9.3 million individuals (or 4.25% of all adults) are victims of identity fraud on an annual basis. In the United Kingdom in 2005 the consumer group Which? issued a report claiming that one in four people had been the victim of identity theft, or knew someone who had been a victim. This misleading claim (linking victims with those who know victims in a single statistic) achieved wide publicity. The Home Office in Britain does not collate data on identity theft, but does, nonetheless, claim that the activity is reaching epidemic proportions.

It is difficult to fully quantify the extent of real personal privacy breaches, as laws requiring disclosure of such instances are just coming into existence.

Instances of identity theft have increased as the willingness of lenders like issuers of credit cards to extend credit without physical human contact, the ability to transact sales and other business at a distance (online and via telephone), and the availability of personal information, and its volume held by third parties, has increased.

In the USA much personal information, including mortgage details, social security numbers, and driving license details, are publicly available. Such sensitive information is far harder to obtain in most other countries, but it is typically held by numerous government and private sector bodies, and is consequently available to their many employees and associate organisations. Of particular concern is the comprehensive personal financial information and other related data held by credit reference agencies. The proliferation of junk mail from many of these organisations, which often includes name and address, has exacerbated the situation.

In the United Kingdom, companies such as car hire agencies, car dealerships, solicitors and banks now routinely take a copy of identity documents as a condition of doing business. Such actions are restricted by the Data Protection Act (1984) (the fifth principle, in particular), and data subjects (i.e. consumers in this context) may demand that any copies made be destroyed after a reasonable amount of time (e.g. once the vehicle has been returned, and accepted back as being in the same condition it was supplied in)

As a result of data protection legislation in the United Kingdom many organisations now require telephone callers to disclose personal details such as date of birth and mother's maiden name as a means of identification before they will enter into discussion. This allows eavesdroppers to collect this data. As a consequence more people are now giving "password responses" on being asked for such information, e.g. by telling the bank their mother's maiden name is Password rather than Smith. Though this makes no difference when being evesdropped, by using different passwords with different companies, the value of information gained though evesdropping is compartmentalised.

According to the Javelin study, identity fraud crimes in the U.S. now total $52.6B annually (up 2.3% from the previous survey), with a per-individual total of $5,686 per victim. The Javelin random-sample study further showed that individual victims in the U.S. spend an average 28 hours restoring their affairs, while the majority of their costs are reimbursed by financial providers, who in turn pass much of the cost on to merchants or other service providers.

Contrary to popular belief, illegal access to personal information often happens through traditional means such as paper financial statements, cheques or credit cards, and the perpetrator is often someone previously known to the victim, such as a "friend", family member, or acquaintance. It is rumoured that some local authorities in England have their rubbish sorted for recycling by convicts, which represents an additional risk. This friend type of identity theft suggests that privacy guard strategies will not solve the problem and that it is the promiscuous nature of transactions at a distance -- without actual physical human contact -- that enables the fraud. However, if we ban all business from being done online or by phone, then the economy will be seriously harmed, so the solution may lie in serious unbreakable encryption with randomly generated codes and a dual key system. That or a secure line plus biometric verification plus a secured unhackable database of such biometric data in a central site. ^{[citation needed]}

It seems that the prevalence of identity theft and the seriousness of typical cases is quite dependent on the country and the legal system and commercial habits there. Most countries in Continental Europe, for example, require their citizens to own ID cards which are needed to prove one's own identity on numerous occasions, such as opening (or even accessing) bank accounts, renting cars, checking in at hotels etc. As ID cards are in general as hard to counterfeit as money, and one usually has to physically show the card, it requires substantial criminal effort to commit fraud. Being used to this standard, businesses are unlikely to accept an ID verification by means of "semi-secret" personal information such as social security numbers to ascertain an identity. Maybe because of this, it is also less common to do business by phone as it is e.g. in the USA.

So, the threat posed by "simple" identity theft, which relies on obtaining "semi-secret" information such as social security or credit card numbers depends on how much can be done with this information. Is it, for example, possible to open an account using false ID in form of a stolen SSN, and so wreck the victim's credit record? Do banks accept credit card payments without signature or PIN? Differences in such legal framework may explain the large differences in damages due to identity theft in different countries.

The public fascination with impostors has long had an effect on popular culture and extends to modern literature.

The story of Michelle Brown^[3], who gave written testimony on her identity theft to a U.S. Senate Committee, has been filmed ^[4].

In Frederick Forsyth's novel The Day of the Jackal the would-be assassin of General de Gaulle steals three identities. Firstly, he assumes the identity of a dead child who would be about the same age as himself, had the child lived. This is accomplished by obtaining the child's birth certificate and using it to apply for a passport. He also steals the passports of a Danish clergyman and an American tourist, and disguises himself as each of those persons in turn so as to match the photographs in the passports. In the 1995 movie The Net (film) Sandra Bullock plays a computer consultant whose life is taken over with the help of computer assisted identity theft.

The first impersonation is often held up in the UK as an example of the need to tighten access to birth certificates. However, the fact that birth certificates are the fundamental means of identification, and are a requirement to obtain further identification means that no such controls could ever be put in place.

"Identity theft" is used to refer to impersonation for the purpose of fraud, harassment, etc. Javelin's founder James Van Dyke recommends distinct usage for the terms "identity theft" and "identity fraud", with the former applied to unauthorized access to personal records and the latter to unauthorized (fraudulent) use of such records. Identity fraud is often committed without identity theft, as in the case of relatives who have been granted access to personal records, or criminals who randomly generate credit card numbers for fraud without even knowing the name of the victim. Furthermore, data breaches or true identity theft may not always result in fraud due to diligent prevention activities on the part of individuals, financial institutions, merchants, law enforcement or other entities.

In English law, the deception offences under the Theft Act 1968 increasingly contend with identity theft situations. In R v Seward (2005) EWCA Crim 1941^[5] the defendant was acting as the "front man" in the use of stolen credit cards and other documents of identification to obtain goods. This was a role not unlike that of the "mule" in drug importation cases because the front man takes the risk of going into stores where CCTV cameras may clearly identify him. He obtained goods to the value of £10,000 for others who were unlikely ever to be identified. The Court of Appeal considered sentencing policy for deception offences involving "identity theft". The defendant had a drug problem and it was argued that a drug treatment and testing order might be the more appropriate response, but the court concluded that a prison sentence was required. Henriques J. said at para 14:

"Identity fraud is a particularly pernicious and prevalent form of dishonesty calling for, in our judgment, deterrent sentences."

This article does not cite any sources. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "Identity theft" – news · newspapers · books · scholar · JSTOR (Learn how and when to remove this message)

Rigorous research has shown that the following methods will be most effective at preventing identity theft or fraud:

• Freeze your credit, if available in your state. With a credit freeze, no one can open any form of credit in your name.
• Request your own credit report each year and check the reports for inaccuracies and new lines of credit issued that you did not request. If you've been the target of identity fraud, check the data every six months. (In the United States, you are permitted a free copy of your credit report once a year from each credit reference agency. See http://www.annualcreditreport.com for further details).
• Minimize the use of mail for sending or receiving financial documents, checks, and have your name removed from junk mail lists (8% of identity fraud results from stolen mail). Mail letters from the post office. (The United States Postal Service requires mails heavier than 16 ounces (454 g) to be presented face-to-face but never dropped off in collection boxes.) Never pass your mails to strangers not in postal uniforms even if they have postal identifications. In America, where standalone mailboxes are common, install a lock on the box. Collect delivered mails as soon as possible.
• Check your bank accounts each week online or at an ATM. 70% of identity fraud is detected by the victim, and victims who do so through electronic methods suffer losses of less than 1/8th that of those who rely on paper statements for monitoring account activity. (source: Javelin)
• Use reliable ATM's at reputable sites only. Watch your surroundings for anything suspicious. If the interior of a bank is closed but an indoor ATM is still accessible with a card, refuse helping any stranger to enter. Look for any suspicious attachments to any ATM that may steal information. If in doubt, do not use the ATM but report the problem.
• Watch your surrounding when entering sensitive codes of information at an ATM or on a telephone keypad. Enter sensitive things with touch-tone but not voice entry. Hide what you type on a keypad from others.
• Do not use wireless phones or cellular phones to talk about sensitive information. Use a wired phone connected to the ground or encrypted Internet access.
• Shred credit-card receipts, used (processed) cheques/checks, junk mail and other such documents, as they may contain private information.
• Never give out personal information in response to telemarketers and delete all e-mails that claim to be from your bank (or other financial provider) and ask you to "log in" using a hyperlink embedded in the e-mail message. If in doubt as to the legitimacy of such requests, use a telephone to call marketers or financial providers back (rather than directly responding to the telemarketer or company that called or emailed you). See phishing.
• When shopping online, make sure the company is reputable and displays an approved security symbol. Also, make sure you log out of the site when finished.
• Watch your surroundings when using a credit card at any checkout counters or any similar places as some identity thieves use cell phones with cameras to steal others' credit card numbers and expiration dates. (This is why certain stores now prohibit taking pictures and videos without consent from the management.)
• If you are a target, keep copies of police reports and records of who you talked to and when, so that you can back up the claim of fraud. Individuals who consider themselves at higher risk of identity fraud should consider purchasing fee-based credit monitoring services, which will notify you of any new accounts or credit inquiries made on your behalf.
• Limit the amount of personal information you publish on the web. Small fragments here and there may be enough for someone to impersonate you in many ways. Be especially careful with information used as security keywords for banks, e.g. mother's maiden name and give your bank a different word (e.g. Password) instead of the real maiden name.
• Don't divulge personal information such as date of birth to organisations that have no need of it - nearly all commercial organisations.
• Don't routinely carry identity documents unless obliged by law to do so.
• Do not allow anyone to copy your identification documents. If commercial organizations require you to submit a copy as a condition of doing business either don't do business with them, or retrieve the copy when your business ends (a written statement that they have not taken further copies should be obtained).
• If someone calls you claiming to be from a financial institution you do business with asking for personal information - do not give it to them. Ask them why they want the information, hang up, and then call the institution (using contact information from a source other than the caller).
• As a general rule, DON'T do business with those that come to you. This could be anything ranging from tele-marketing or tele-charity-donations, to offers in E-mail-which is usually SPAM, to door-to-door solicitation, to... If you want something, you find the business or company.
• When asked for your "mothers maiden name", do not supply your mother's maiden name. Instead supply a different password for each company requesting this information, and make it clear that the information you are supplying is a password, not your mother's maiden name.

In the USA:

• Don't order checks pre-printed with your driver's license or social security number. If you can keep your address off them, do so.
• Don't carry your social security card unless absolutely needed. (For example, certain state motor vehicle offices require first-time applicants for driver licenses to show their social security cards.) Don't give out the number unless it is absolutely necessary or legally required (employers, landlords etc.). In states where your driver's license number is your social security number, be equally careful about who sees your license.

• Identity document forgery
• Phishing
• Fair Credit Reporting Act
• Fair and Accurate Credit Transactions Act
• Health Insurance Portability and Accountability Act

• Privacy Rights Clearinghouse webpages
• U.S. (FTC.gov) website devoted to ID theft
• United Kingdom Home Office Identity Theft Website