Security Watch

Scoping Identity Theft

The computer's role in identity theft incidents may have been misgauged through overestimates of reported losses.

The alert that "identity theft is the fastest growing crime in the U.S." and "computer technology is right at the heart of the problem" might sound familiar to Communications readers, especially fans of Hal Berghel’s insightful "Digital Village" column, since he expressed those sentiments back in February 2000 [1]. If one uses consumer warnings as a barometer of the subject, this indicator certainly seems to be on the increase, along with press coverage of related events, such as of the occasional massive pilfering of credit card account number files. Identity theft (or, as it is also called, identity fraud) incidents have grown from a mere (but troubling) 500,000 a half-decade ago to nearly 10 million in 2005. This translates to 4.6% of the U.S. population affected annually. But some new information has begun to suggest that these statistics may fail to reveal the true scope of the problem, which, surprisingly, may be considerably less damaging than has previously been reported.

The Federal Trade Commission (FTC), from which much of the data on this subject emanates [5], broadly categorizes identity theft into: misuse of existing accounts (85% of victims), opening of new accounts (17%), and misuse of personal information (17%). (These statistics do not add to 100% because of multiple instances per victim.) Data from countries with similar socioeconomics indicates that identity theft issues are globalized. In the U.S., such activities were criminalized in 1998 through the Identity Theft and Assumption Deterrence Act, which prohibits "knowingly transfer[ring] or use[ing], without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law." Penalties can include a maximum term of 15 years in prison, fines, and confiscation of the property used to commit the offense.

So, although it may be irritating when a prankster spoofs my email address and sends messages to other people whose addresses happen to be listed on the Web sites on which my name appears, this is not generally considered to be identity theft, unless a breach of the law also occurs, such as a fraudulent financial transaction. And these transactions do seem to be adding up. Estimates of U.S. losses have stabilized (since 2003) at approximately $52.6B per year, with around 90% (or some $47.6B) of this total being carried by businesses and financial institutions, and consumers shouldering the remaining 10% (around $5B). Per incident, the average cost has been stated as $10,200 for institutions and $1,180 for individuals.

In terms of further annoyance, victims spent between 15 and 60 hours resolving their problems (roughly similar to the time taken to update information after a planned household relocation). But it should be noted that most of the effort of checking account balances and changing phone numbers, addresses, and so on can be done while multitasking (such as reading and responding to email while on hold on the phone), and consumers are shielded somewhat by $50 maximum liabilities, so it is unclear whether damages are actually substantial.

The bottom line is that where there are potential losses with a relatively low per-incident cost, the bean counters are not far behind. So a whole new breed of computerized alerting products and insurance policies has recently emerged, many priced around $100 per year, that allow folks to obsessively view their credit reports online (perhaps even increasing some identity theft risks), with guaranteed coverage (typically around $25,000) for fraud resolution and expenses (including lost wages, legal fees, document preparation, and so on). According to a July 2003 survey by Privacy and American Business (www.pandab.org/id_theftpr.html), one in six consumers has now purchased such a policy, representing an expenditure of $2.5B that year. But the study also showed that 62% of victims didn’t have any out-of-pocket losses at all, and those that did only incurred around $740 each—for a total of $1.5B per year, only a quarter of the $5B that had been estimated by the FTC, leaving a profit margin of as much as $1B for the insurers.

Further skepticism regarding the extent to which the incident figures translate to real damages was pointed out in a November 2005 article by Associated Press reporter Brian Bergstein [2], and subsequently quoted by crypto-blogger Bruce Schneier (www.schneier.com/blog/archives/2005/11/identity_theft.html), who agreed with his sentiments and added that "too many things are counted as identity theft that are just traditional fraud." Citing a 2005 study by the research firm Synovate (the organization that had performed the FTC’s 2003 identity theft survey), Bergstein revealed that nearly 38% of the thefts were never actually reported for resolution, and "half of self-described victims blamed relatives, friends, neighbors or in-home employees." He noted that such overestimates may "lead many consumers to unnecessarily shy away from Internet commerce" or "make it harder for financial firms to assess their countermeasures and trickier for law enforcement to monitor trends."

An example of such statistical bloat appearing in research on e-commerce fraud was referenced (as factual) in an otherwise reasonable article about honeynets in IEEE Security and Privacy [4]. A sidebar that cited a Wall Street Journal source contained the following paragraph: "From 1 through 7 May 2003, observers saw 2,667 credit cards on monitored channels. Assuming an intentionally modest average loss of US$500 per card, about $1.3M in associated fraud could have occurred over that week. At that rate, about $69 million per year of fraud could potentially occur. However, we know that 10 or 15 times the number of observed credit-card channels actually exist. Thus, annual losses approaching $1 billion are probably associated with this activity."

Simple back-of-the-envelope calculations using the sets of data (cited earlier here) show that Internet harvesting techniques simply cannot be to blame for this much of the credit card fraud problem. Everything in the Wall Street Journal’s multiplied sequence, except perhaps for the initial observation, was based on assumptions and extrapolations that were each inflated, some by orders of magnitude.
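To make the compounding visible, the following is an added example (not code from the column or from the cited articles) that carries the sidebar's four-step chain through as interval arithmetic. The step values are the ones quoted above (2,667 cards, $500 per card, 52 weeks, a 10–15× channel multiplier) and the $52.6B FTC total is the figure quoted earlier in the column; the ±50% band applied by `widen` is a constructed what-if, not a figure from any source.

```python
# Added example: how a chain of multiplied assumptions compounds, using the
# Wall Street Journal figures quoted in the IEEE S&P honeynet sidebar [4].
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Factor:
    """One multiplicative step of an extrapolation; low == high for a point value."""
    name: str
    low: float
    high: float

    @property
    def spread(self) -> float:
        """Ratio between the pessimistic and optimistic value of this step."""
        return self.high / self.low


# The four steps of the quoted estimate, exactly as the sidebar states them.
WSJ_CHAIN: List[Factor] = [
    Factor("cards observed on monitored channels, 1-7 May 2003", 2667, 2667),
    Factor("assumed average loss per card (USD)", 500, 500),
    Factor("weeks per year (assumes the observed week is typical)", 52, 52),
    Factor("multiplier for unobserved channels", 10, 15),
]

# FTC figure quoted in the column: roughly $52.6B per year across all identity theft.
FTC_TOTAL_ANNUAL_LOSS_USD = 52.6e9


def compound(chain: List[Factor]) -> Tuple[float, float]:
    """Multiply the steps through and return the (low, high) annual estimate."""
    low = high = 1.0
    for f in chain:
        low *= f.low
        high *= f.high
    return low, high


def total_spread(chain: List[Factor]) -> float:
    """Spread of the final estimate; in a pure product the step spreads multiply."""
    spread = 1.0
    for f in chain:
        spread *= f.spread
    return spread


def share_of_ftc_total(chain: List[Factor],
                       total: float = FTC_TOTAL_ANNUAL_LOSS_USD) -> Tuple[float, float]:
    """Fraction of the FTC annual total that the (low, high) estimate would represent."""
    low, high = compound(chain)
    return low / total, high / total


def widen(chain: List[Factor], name: str, rel: float) -> List[Factor]:
    """Replace the point value of the step called `name` with a +/- rel band.

    The band is a constructed what-if showing how an unstated uncertainty in one
    assumed step propagates; it is not a figure from the page.
    """
    out = []
    for f in chain:
        if f.name == name and f.low == f.high:
            out.append(Factor(f.name, f.low * (1 - rel), f.high * (1 + rel)))
        else:
            out.append(f)
    return out


def report(chain: List[Factor]) -> str:
    """Human-readable summary: each step, the compounded range, and its FTC share."""
    low, high = compound(chain)
    s_lo, s_hi = share_of_ftc_total(chain)
    lines = [f"{f.name}: {f.low:g}..{f.high:g} (spread x{f.spread:.2f})" for f in chain]
    lines.append(f"annual estimate: ${low / 1e9:.2f}B .. ${high / 1e9:.2f}B "
                 f"(spread x{total_spread(chain):.2f})")
    lines.append(f"share of FTC total: {s_lo:.1%} .. {s_hi:.1%}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(WSJ_CHAIN))
    print()
    # What-if: the "intentionally modest" $500 per card is itself uncertain by half.
    print(report(widen(WSJ_CHAIN, "assumed average loss per card (USD)", 0.5)))
```

Run as-is, the chain reproduces the sidebar's arithmetic ($0.69B to $1.04B, about 1.3% to 2.0% of the FTC total), and the only spread in it comes from the 10–15× multiplier. Widening just one of the three point assumptions by ±50% already stretches the answer to $0.35B–$1.56B, which is the mechanism behind the column's point: every step after the initial observation is an assumption, and in a product each one's error passes straight through to the headline figure.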

As for the computer’s real role in identity theft, a 2005 study commissioned by the Better Business Bureau (www.javelinstrategy.com) showed that traditional methods (such as stolen wallets and theft of paper mail) were used at a rate six times that of online information gathering. Of the online methods, nearly 20% of those that resulted in identity theft were transacted through user responses to phishing attacks (email messages that appear to be from legitimate sources).

Certainly, I am not dismissing the fact that some problems pertaining to identity theft actually do exist (whether computer assisted or not). Nor am I suggesting that the matter is being intentionally magnified in order to line the pockets of service organizations that purport to abate such issues. One might recall that the computer industry was similarly, and inappropriately, maligned following Y2K when "no major calamity happened" and it seemed that the preparations had been unnecessary, when in fact the vast majority of expenditures in that regard were legitimate. In the time leading up to the turn of this century, internal reviews were successfully used to determine whether replacement of legacy software would be more economical (in the short and long run) than repair [3]. If such cost/benefit analyses were applied to assess the merits of techniques used by computer scientists in keeping identity theft loss numbers at bay, we might generate more impact for our efforts by targeting them to the largest areas of risk. Yet these numbers are presently difficult to ascertain, since the bulk of the monetary damages are experienced by financial institutions when fraud results in non-payment of debt, but those losses are typically offset through tax write-offs, business insurance awards, and increased interest rates. This may explain why these organizations have been slow to substitute new identification methods for the still-customary "Mother’s maiden name" and "last four digits of your Social Security number" or to deploy other deterrent schemes. But there may be further reasons why the finance community does not necessarily consider identity theft as the highest-priority risk.

As it turns out, the fastest-growing crime in the U.S., in terms of monetary losses during the first half of this decade, was not identity theft but rather that of bankruptcy. According to the Administrative Office of the U.S. Courts, personal bankruptcy filings topped 1.6M in each of 2003 and 2004. (The numbers for 2005, which were not available when this column was written, may be considerably higher due to the rush to file pursuant to a federal deadline imposed prior to the enforcement of stricter limits on bankruptees’ holdings and more rigorous repayment schedules.) With an average of $21,576 per petition, this translates to a minimum annual cost of $34.5B in unrecoverable institutional losses, which is not terribly far from the $47.6B attributed to identity theft. Since scammers tend to take the road of least resistance, it seems reasonable to assume that as long as it remains easier to run up one’s own debts with the knowledge that you will not be jailed and can still keep the items purchased with no means or intention of paying, bankruptcy fraud may continue to seem a lot more attractive as a source of free buying power than identity theft. According to the FBI, up to 10% of bankruptcy filings may involve fraud, and other studies (such as www.smrresearch.com/bankruptcyfraud03.html) indicate this number may be even higher.

But personal bankruptcy is just the tip of the iceberg. The real nut is in corporate bankruptcies, whose total liabilities in the banner years of 2001 and 2002 combined reached $600B, with WorldCom alone accounting for $41B of that amount (see www.firstam.com/faf/html/cust/jm-bankfacts.html). Except for the rare handful of executives hauled off to court in handcuffs, business bankruptcy (even when stock prices or the entire market is adversely affected) is more often glamorized as a rite of passage prior to a "comeback" or characterized as the occasional negative consequence of otherwise profitable high-stakes risk-taking. Donald Trump, for example, in 2004 filed his second Chapter 11 bankruptcy (the first a decade earlier) for his casino businesses while being simultaneously lauded on his hit reality TV show, "The Apprentice," as an iconic role model for up-and-coming industry executives.

Bankruptcy and identity theft, then, can perhaps be viewed as two sides of the same financial fraud coin. So, in redirecting the efforts of computer scientists toward detecting and deterring spending by insolvent individuals and companies, we may see greater mitigation of both risks. One way this is already being done is in the use of cost optimization models driven by financial data mining to tie personal automotive insurance coverage fees to types of FICO scores (akin to the ratings the credit reporting agencies Experian, Equifax, and TransUnion provide to lenders), since it seems that by some algorithms, the indigent and financially overextended show a propensity for more frequent or costly accidents. (FICO stands for Fair, Isaac, and Company, the organization that developed the scoring method in the late 1950s.) FICO scores are particularly vulnerable, since they are relied on for many loan decisions, and they are manipulable, both negatively and positively, via bogus transactions, identity theft, and bankruptcy. Such linking of data has privacy implications, and the extent to which this is allowed may eventually be restricted via legislative initiatives.

Yet, restrictions on certain data searches could make it more difficult to spot the type of identity fraud that occurs when an entirely bogus persona is crafted from falsified documents. Although some prefer to think of this as a so-called "victimless crime," since an existing individual’s credentials are not adversely affected, there are real risks associated with such fraud, including false eligibility for services (such as health care benefits) as well as potential impacts on national security. Some of these were detected by the Hurricane Katrina Fraud Task Force (overseen by the U.S. Department of Justice in conjunction with the FBI), which has, to date, conducted some 4,000 fraud report investigations, leading to 212 charges of various hurricane fraud-related crimes, 40 guilty pleas, and the return of over $8 million of assistance funds to the American Red Cross and FEMA (www.usdoj.gov/katrina/Katrina_Fraud/). Still, in comparison with the 2.5 million applications for disaster benefits, representing billions of dollars, this fraud represents only a small fraction of losses.

At the New England Association of City and Town Clerks Conference in 2005, U.S. Department of State Passport Fraud Prevention Managers Mara Pioro and Hans Maurer described some mechanisms whereby "breeder documents" (like novelty ID cards and utility bills) are used to obtain other credentials, thus building a portfolio that can eventually be employed in seeking issuance of a valued target document (such as a Social Security card). In their opinion, authentication is most effective when paper records maintained by identity document issuers are examined in conjunction with vigilant observation and detection of natural characteristics of an applicant that seem to be amiss, such as a spoken accent or inability to quickly answer personal history questions.

But some of the biggest loopholes providing backdoors for fabricating identities continue to occur because many proofs of identity (including birth certificates, citizen identity cards, and passports) are not necessarily tied to a current address, and those that are (such as a driver’s license, credit card, voter registration card, or college course registration) often rely on the non-addressed documents for their issuance. Some states’ policies that allow open access to personal records (say, for genealogy purposes) may even encourage misappropriation of identities. Increased use of biometrics has been touted as a solution, but the reality is that such techniques may affiliate a credential to a physical being without necessarily authenticating that the human is who they purport to be in all (or even any) other respects. As well, if a biometric is electronically stolen and propagated, it may later be difficult or impossible for the real owner to substitute an uncompromised one when attempting to restore identity-based privileges.

So it appears that identity theft, and related fraud, may find itself in the family of security problems whose sociological aspects present greater obstacles than can be resolved by reducing technological risks. Computers are particularly impotent in dealing with misuse situations where rewards are high, penalties may be small, attacks can be varied and numerous, and detection is difficult. Unless potential losses truly outweigh increased security costs, there is little incentive to change the status quo. Improvements in reporting methods used to keep an eye on the scope of identity theft can therefore assist in the determination of appropriate mechanisms to be applied toward curtailing its negative effects.


1. Berghel, H. Identity theft, Social Security numbers, and the Web. Commun. ACM 43, 2 (Feb. 2000).

2. Bergstein, B. Beware the numbers hype about ID theft. Associated Press, Nov. 13, 2005; www.usatoday.com/tech/news/techinnovations/2005-11-13-id-theft-numbers_x.htm.

3. Kappelman, L.A., Fent, D., Keeling, K.B., and Prybutok, V. Calculating the cost of year-2000 compliance. Commun. ACM 41, 2 (Feb. 1998).

4. McCarty, B. Automated identity theft. IEEE Security and Privacy 1, 5 (Sept./Oct. 2003).

5. Synovate. Federal Trade Commission—Identity Theft Survey Report. Sept. 2003; www.ftc.gov/os/2003/09/synovatereport.pdf.
