Identity theft
Identity theft is a form of stealing someone's identity in which
someone pretends to be someone else by assuming that person's identity, usually
as a method to gain access to resources or obtain credit and other benefits in
that person's name. The victim of identity theft (here meaning the person
whose identity has been assumed by the identity thief) can suffer adverse
consequences if they are held responsible for the perpetrator's actions.
Identity theft occurs when someone uses another's personally identifying
information, like their name, identifying number, or credit card number,
without their permission, to commit fraud or other crimes.
"Determining
the link between data breaches and identity theft is challenging, primarily
because identity theft victims often do not know how their personal information
was obtained," and identity theft is not always detectable by the
individual victims, according to a report done for the FTC. Identity fraud
is often but not necessarily the consequence of identity theft. Someone can
steal or misappropriate personal information without then committing identity
theft using the information about every person, such as when a major data
breach occurs. A US Government Accountability Office study determined that
"most breaches have not resulted in detected incidents of identity
theft". The report also warned that "the full extent is
unknown". A later unpublished study by Carnegie Mellon University noted
that "Most often, the causes of identity theft is not known," but
reported that someone else concluded that "the probability of becoming a
victim to identity theft as a result of a data breach is ... around only
2%". More recently, an association of consumer data companies noted
that one of the largest data breaches ever, accounting for over four million
records, resulted in only about 1,800 instances of identity theft, according to
the company whose systems were breached.
An October 2010 article entitled “Cyber Crime Made Easy” explained the level to which
hackers are using malicious software. As one security specialist named Gunter Ollmann said,
“Interested in credit card theft? There’s an app for that.” This statement
summed up the ease with which these hackers are accessing all kinds of
information online. The new program for infecting users’ computers is
called Zeus, and it is so hacker-friendly that even
an inexperienced hacker can operate it. That the program is easy to
use does not diminish the devastating effects that Zeus (or other
software like Zeus) can have on a computer and its user. For example, the article
stated that programs like Zeus can steal credit card information, important
documents, and even documents necessary for homeland security. If a hacker
were to gain this information, it would mean identity theft or even a possible
terrorist attack.
Types
Sources such as the non-profit Identity Theft Resource Center sub-divide identity theft into five categories:
· Criminal identity theft (posing as another person when apprehended for a crime)
· Financial identity theft (using another's identity to obtain credit, goods and services)
· Identity cloning (using another's information to assume his or her identity in daily life)
· Medical identity theft (using another's identity to obtain medical care or drugs)
· Child identity theft.
Identity theft
may be used to facilitate or fund other crimes including illegal
immigration, terrorism, phishing and espionage. There are cases of identity cloning to attack payment systems,
including online credit card processing and medical insurance.
Identity cloning and concealment
In this
situation, the identity thief impersonates someone else in order to conceal
their own true identity. Examples might be illegal immigrants, people hiding
from creditors or other individuals, or those who simply want to become
"anonymous" for personal reasons. Another example is posers,
a label given to people who use somebody else’s photos and information on
social networking sites. Posers mostly create believable stories involving
friends of the real person they are imitating. Unlike identity theft used to
obtain credit, which usually comes to light when the debts mount, concealment
may continue indefinitely without being detected, particularly if the identity
thief is able to obtain false credentials in order to pass various
authentication tests in everyday life.
Criminal identity theft
When a criminal fraudulently identifies himself to police as another individual at the point of
arrest, it is sometimes referred to as "Criminal Identity Theft." In
some cases criminals have previously obtained state-issued identity documents
using credentials stolen from others, or have simply presented fake ID.
Provided the subterfuge works, charges may be placed under the
victim's name, letting the criminal off the hook. Victims might only learn of
such incidents by chance, for example by receiving a court summons, discovering
that their driver's licenses are suspended when stopped for minor traffic violations,
or through background checks performed for employment purposes.
It can be
difficult for the victim of a criminal identity theft to clear their record.
The steps required to clear the victim's incorrect criminal record depend on the jurisdiction in which the crime
occurred and whether the true identity of the criminal can be determined. The
victim might need to locate the original arresting officers and prove their own
identity by some reliable means such as fingerprinting or DNA testing, and may
need to go to a court hearing to be cleared of the charges. Obtaining an expungement of court records may also be required.
Authorities might permanently maintain the victim's name as an alias for the
criminal's true identity in their criminal records databases. One problem that
victims of criminal identity theft may encounter is that various data aggregators might still have the incorrect criminal
records in their databases even after court and police records are corrected.
Thus it is possible that a future background check will return the incorrect
criminal records. This is just one example of the kinds of impact that may
continue to affect the victims of identity theft for some months or even years
after the crime, aside from the psychological trauma that being 'cloned'
typically engenders.
Synthetic identity theft
A variation of
identity theft which has recently become more common is synthetic
identity theft, in which identities are completely or partially
fabricated. The most common technique involves combining a real social security
number with a name and
birthdate other than the ones associated with the number. Synthetic identity
theft is more difficult to track as it doesn't show on either person's credit
report directly, but may appear as an entirely new file in the credit bureau or as a subfile on one of the victim's credit
reports. Synthetic identity theft primarily harms the creditors who unwittingly
grant the fraudsters credit. Individual victims can be affected if their names
become confused with the synthetic identities, or if negative information in
their subfiles impacts their credit ratings.
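
An added example, not part of the original article: a defender-side check for the pattern described above, where one Social Security number appears with more than one name or birthdate across application records. The record layout, field names and sample values are assumptions constructed for this illustration.

```python
import re
import unicodedata
from collections import defaultdict


def normalize_ssn(raw):
    """Keep digits only so '900-00-0001' and '900000001' compare equal."""
    return re.sub(r"\D", "", raw)


def normalize_name(raw):
    """Fold case, accents, punctuation and token order ('DOE, JANE' == 'Jane Doe')."""
    ascii_name = unicodedata.normalize("NFKD", raw).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z]+", ascii_name.lower())
    return " ".join(sorted(tokens))


def find_ssn_conflicts(applications):
    """Return {ssn: (severity, identities)} for SSNs tied to more than one identity.

    severity is 'dob_mismatch' when different birthdates share the number (the
    combination described in the text) and 'name_mismatch' when only the name
    differs, which can also be a legitimate name change and needs manual review.
    """
    by_ssn = defaultdict(set)
    for app in applications:
        identity = (normalize_name(app["name"]), app["dob"])
        by_ssn[normalize_ssn(app["ssn"])].add(identity)

    conflicts = {}
    for ssn, identities in by_ssn.items():
        if len(identities) < 2:
            continue  # formatting variants of one person collapse to one identity
        dobs = {dob for _, dob in identities}
        severity = "dob_mismatch" if len(dobs) > 1 else "name_mismatch"
        conflicts[ssn] = (severity, sorted(identities))
    return conflicts


# Constructed sample applications; every value is made up for illustration.
SAMPLE_APPLICATIONS = [
    {"ssn": "900-00-0001", "name": "Jane Doe", "dob": "1984-03-12"},
    {"ssn": "900000001", "name": "DOE, JANE", "dob": "1984-03-12"},  # same person, other formatting
    {"ssn": "900-00-0002", "name": "Sam Roe", "dob": "2011-07-30"},
    {"ssn": "900-00-0002", "name": "Alex Poe", "dob": "1979-11-02"},  # number reused with new name and DOB
    {"ssn": "900-00-0003", "name": "Maria Nuñez", "dob": "1990-01-05"},
    {"ssn": "900-00-0003", "name": "Maria Nunez-Lee", "dob": "1990-01-05"},  # name differs, DOB matches
]

if __name__ == "__main__":
    for ssn, (severity, identities) in find_ssn_conflicts(SAMPLE_APPLICATIONS).items():
        # Print only the last four digits so the report itself does not expose the number.
        print(f"***-**-{ssn[-4:]} {severity}: {identities}")
```
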
Medical identity theft
Privacy
researcher Pam Dixon, founder of the World Privacy Forum, coined the term
medical identity theft and released the first major report about this issue in
2006. In the report, she defined the crime for the first time and made the
plight of victims public. The report's definition of the crime is that medical
identity theft occurs when someone seeks medical care under the identity of
another person. In addition to risks of financial harm common to all forms of
identity theft, the thief's medical history may be added to the victim's
medical records. Inaccurate information in the victim's records is difficult to
correct and may affect future insurability or cause doctors relying on the
misinformation to deliver inappropriate medical care. After the publication of
the report, which contained a recommendation that consumers receive
notifications of medical data breach incidents, California passed a law
requiring this, and then finally HIPAA was expanded to also require medical
breach notification when breaches affect 500 or more people.
Child identity theft
Child identity
theft occurs when a minor’s identity is used by another person for the
impostor’s personal gain. The impostor can be a family member, a friend, or
even a stranger who targets children. The Social Security numbers of children
are valued because they do not have any information associated with them.
Thieves can establish lines of credit, obtain driver’s licenses, or even buy
a house using a child’s identity. This fraud can go undetected for years, as
most children do not discover the problem until years later. Child identity
theft is fairly common, and studies have shown that the problem is growing. The
largest study on child identity theft, as reported by Richard Power of
the Carnegie Mellon Cylab with data supplied by AllClear ID, found that of 40,000 children 10.2% were victims
of identity theft.
Financial identity theft
The most common type is financial identity theft, where someone wants to gain economic benefits
in someone else's name. This includes obtaining credit, loans, goods and
services while claiming to be someone else.
Techniques for obtaining and exploiting personal information for identity theft
Identity thieves typically obtain and exploit personally identifiable information about individuals, or various credentials
they use to authenticate themselves, in order to impersonate them. Examples
include:
· Rummaging through rubbish for personal information (dumpster diving)
· Retrieving personal data from redundant IT equipment and storage media including PCs, servers, PDAs, mobile phones, USB memory sticks and hard drives that have been disposed of carelessly at public dump sites, given away or sold on without having been properly sanitized
· Using public records about individual citizens, published in official registers such as electoral rolls
· Stealing bank or credit cards, identification cards, passports, authentication tokens ... typically by pickpocketing, housebreaking or mail theft
· Common-knowledge questioning schemes that offer account verification and compromise: "What's your mother's maiden name?", "What was your first car model?", or "What was your first pet's name?", etc.
· Skimming information from bank or credit cards using compromised or hand-held card readers, and creating clone cards
· Using 'contactless' credit card readers to acquire data wirelessly from RFID-enabled passports
· Observing users typing their login credentials, credit/calling card numbers etc. into IT equipment located in public places (shoulder surfing)
· Stealing personal information from computers using breaches in browser security or malware such as Trojan horse keystroke logging programs or other forms of spyware
· Hacking computer networks, systems and databases to obtain personal data, often in large quantities
· Exploiting breaches that result in the publication or more limited disclosure of personal information such as names, addresses, Social Security numbers or credit card numbers
· Advertising bogus job offers in order to accumulate resumes and applications typically disclosing applicants' names, home and email addresses, telephone numbers and sometimes their banking details
· Exploiting insider access and abusing the rights of privileged IT users to access personal data on their employers' systems
· Infiltrating organizations that store and process large amounts or particularly valuable personal information
· Impersonating trusted organizations in emails, SMS text messages, phone calls or other forms of communication in order to dupe victims into disclosing their personal information or login credentials, typically on a fake corporate website or data collection form (phishing)
· Brute-force attacking weak passwords and using inspired guesswork to compromise weak password reset questions
· Obtaining castings of fingers for falsifying fingerprint identification
· Browsing social networking websites for personal details published by users, often using this information to appear more credible in subsequent social engineering activities
· Diverting victims' email or post in order to obtain personal information and credentials such as credit cards, billing and bank/credit card statements, or to delay the discovery of new accounts and credit agreements opened by the identity thieves in the victims' names
· Using false pretenses to trick individuals, customer service representatives and help desk workers into disclosing personal information and login details or changing user passwords/access rights (pretexting)
· Stealing cheques (checks) to acquire banking information, including account numbers and bank routing numbers
· Guessing Social Security numbers by using information found on Internet social networks such as Facebook and MySpace
· Low security/privacy protection on photos that are easily clickable and downloaded on social networking sites
· Befriending strangers on social networks and taking advantage of their trust until private information is given
Individual identity protection
The acquisition of personal identifiers is made possible through serious breaches of privacy.
For consumers, this is usually a result of naively providing
their personal information or login credentials to identity thieves
after being duped, but identity-related documents such as credit cards, bank
statements, utility bills, checkbooks etc. may also be physically stolen from
vehicles, homes and offices, or directly from victims by pickpockets and bag
snatchers. Guardianship of personal identifiers by consumers is the most common
intervention strategy recommended by the US Federal Trade
Commission, Canadian Phone Busters and most sites that address identity theft.
Such organizations offer recommendations on how individuals can prevent their
information falling into the wrong hands.
Identity theft
can be partially mitigated by not identifying oneself
unnecessarily (a form of information security control known as risk avoidance).
This implies that organizations, IT systems and procedures should not demand
excessive amounts of personal information or credentials for identification and
authentication. Requiring, storing and processing personal identifiers (such
as Social Security number, national identification number, driver's
license number, credit card number, etc.) increases the risks of identity theft
unless this valuable personal information is adequately secured at all times.
To protect against federal tax-identity theft, the following is advised:
· do not give out personal information (and the SSN in the case of the US) on the phone, fax or on social media platforms
· use a shredder to destroy tax-related documents after tax time is over and keep the necessary ones in a safe (thieves can look through the trash)
· for taxpayers planning to e-file their tax returns, it is recommended to use a strong password. Afterwards, save the file to a CD or flash drive and keep it in a secure location. Then delete the personal return information from the computer hard drive
· US citizens should show employers their Social Security card at the start of a job, but otherwise do not routinely carry the card or other documents that display their SSN. Additionally, it is recommended not to fill in the Social Security number on medical forms and such documents (in case your wallet or purse gets stolen)
· only use secure websites while making online financial transactions (thieves can access information you provide to an unsecured Internet site)
· if working with an accountant, query him or her on what measures they take to protect your information.
Identity thieves
sometimes impersonate dead people, using personal information obtained from
death notices, gravestones and other sources to exploit delays between the
death and the closure of the person's accounts, the inattentiveness of grieving
families and weaknesses in the processes for credit-checking. Such crimes may
continue for some time until the deceased's families or the authorities notice
and react to anomalies.
In recent years,
commercial identity theft protection/insurance services have become available
in many countries. These services purport to help protect the individual from
identity theft or help detect that identity theft has occurred in exchange for
a monthly or annual membership fee or premium. The services typically work
either by setting fraud alerts on the individual's credit files with the three
major credit bureaus or by setting up credit report
monitoring with the credit bureaus.
While identity theft protection/insurance services have been heavily marketed,
their value has been called into question.
Identity protection by organizations
In their May
1998 testimony before the United States Senate, the Federal Trade Commission
(FTC) discussed the sale of Social Security numbers and other personal
identifiers by credit-raters and data miners. The FTC agreed to the industry's
self-regulating principles restricting access to information on credit reports. According to the industry, the restrictions
vary according to the category of customer. Credit reporting agencies gather
and disclose personal and credit information to a wide business client base.
Poor stewardship
of personal data by organizations, resulting in unauthorized access to
sensitive data, can expose individuals to the risk of identity theft. The
Privacy Rights Clearinghouse has documented over 900 individual data breaches
by US companies and government agencies since January 2005, which together have
involved over 200 million total records containing sensitive personal
information, many containing social security numbers. Poor corporate
diligence standards which can result in data breaches include:
· failure to shred confidential information before throwing it into dumpsters
· failure to ensure adequate network security
· credit card numbers stolen by call center agents and people with access to call recordings
· the theft of laptop computers or portable media being carried off-site containing vast amounts of personal information. The use of strong encryption on these devices can reduce the chance of data being misused should a criminal obtain them.
· the brokerage of personal information to other businesses without ensuring that the purchaser maintains adequate security controls
· failure of governments, when registering sole proprietorships, partnerships, and corporations, to determine if the officers listed in the Articles of Incorporation are who they say they are. This potentially allows criminals access to personal information through credit rating and data mining services.
The failure of
corporate or government organizations to protect consumer privacy, client
confidentiality and political privacy has been criticized for facilitating the
acquisition of personal identifiers by criminals.
Legal responses
International
In March 2014, after it was learned that two passengers with stolen passports were on board Malaysia
Airlines Flight 370, which went
missing on March 8, 2014, it came to light that Interpol maintains a database of 40 million lost and stolen travel
documents from 157 countries, which it makes available to governments and the
public, including airlines and hotels. The Stolen and Lost Travel Documents
(SLTD) database, however, is little used. Big News Network, which
is based in the UAE, observed that Interpol Secretary General Ronald Noble had told
a forum in Abu Dhabi the previous month that this was the case.
"The bad news is that, despite being incredibly cost effective and
deployable to virtually anywhere in the world, only a handful of countries are
systematically using SLTD to screen travelers. The result is a major gap in our
global security apparatus that is left vulnerable to exploitation by criminals
and terrorists," Noble is quoted as saying.
India
Under the Information Technology Act 2000, Chapter IX, Sec 66C:
“SECTION 66C
PUNISHMENT FOR IDENTITY THEFT
Whoever, fraudulently or dishonestly makes use of the electronic signature, password
or any other unique identification feature of any other person, shall be
punished with imprisonment of either description for a term which may extend
to three years and shall also be liable to fine which may extend to rupees
one lakh.”
Notification
Most states
followed California's lead and enacted mandatory data breach notification laws.
As a result, companies that report a data breach typically report it to all
their customers.
Spread and impact
Surveys in the
USA from 2003 to 2006 showed a decrease in the total number of victims and a
decrease in the total value of identity fraud from US$47.6 billion in 2003 to
$15.6 billion in 2006. The average fraud per person decreased from $4,789 in
2003 to $1,882 in 2006. A Microsoft report shows that this drop is due to
statistical problems with the methodology, and that such survey-based estimates are
"hopelessly flawed" and exaggerate the true losses by orders of
magnitude.
The 2003 survey from the Identity Theft Resource Center found that:
· Only 15% of victims find out about the theft through proactive action taken by a business
· The average time spent by victims resolving the problem is about 330 hours
· 73% of respondents indicated the crime involved the thief acquiring a credit card