Identity theft

Identity theft (or identity fraud) is the deliberate assumption of another person's identity, usually to gain access to their finances or frame them for a crime. Less commonly, it is to enable illegal immigration, terrorism, espionage, or changing identity permanently. It may also be a means of blackmail, especially if medical privacy or political privacy has been breached, and if revealing the activities undertaken by the thief under the name of the victim would have serious consequences like loss of job or marriage. Assuming a false identity with the knowledge and approval of the person being impersonated, such as for cheating on an exam, is not considered to be identity theft.

Techniques for obtaining identification information range from the crude, such as stealing mail or rummaging through rubbish (dumpster diving in the USA), stealing personal information in computer databases, to infiltration of organizations that store large amounts of personal information.

Identity theft is usually the result of serious breaches of privacy. Except for the simplest credit-related cases, it is usually not possible without breakdowns in

• customer privacy, in which case the consequences may be limited to fraud on one corporation, typically the one that leaked the data in the first place, e.g. account numbers.
• consumer privacy, more serious, where credit card numbers or other generally-useful identity data are stolen and used much more widely.
• client confidentiality and political privacy, making it easy to effectively impersonate someone, by using confidential information that an ordinary impersonator would not have access to.

It seems that the prevalence of identity theft and the seriousness of typical cases is quite dependent on the country and the legal system and commercial habits there. Most countries in Continental Europe, for example, require their citizens to own ID cards which are needed to prove one's own identity on numerous occasions, such as opening (or even accessing) bank accounts, renting cars, checking in at hotels etc. As ID cards are in general as hard to counterfeit as money, and one usually has to physically show the card, it requires substantial criminal effort to commit fraud. Being used to this standard, businesses are unlikely to accept an ID verification by means of "semi-secret" personal information such as social security numbers to ascertain an identity. Maybe because of this, it is also less common to do business by phone as it is e.g. in the USA.

So, the threat posed by "simple" identity theft, which relies on obtaining "semi-secret" information such as social security or credit card numbers depends on how much can be done with this information. Is it, for example, possible to open an account using false ID in form of a stolen SSN, and so wreck the victim's credit record? Do banks accept credit card payments without signature or PIN? Differences in such legal framework may explain the large differences in damages due to identity theft in different countries.

In many parts of the world, identity theft is the fastest growing offence. However, in the USA, a longitudinal 2005 study by Javelin Strategy & Research [1] showed that the crime had leveled off since a 2003 study from the Federal Trade Commission [2] was released in 2003. The most recent US Javelin data also showed that 9.3M individuals (or 4.25% of all adults) are victims of identity fraud on an annual basis. In the United Kingdom in 2005 the consumer group Which? issued a report claiming that one in four people had been the victim of identity theft, or knew someone that had been a victim. This misleading claim (linking victims with those who know victims in a single statistic) achieved wide publicity. The Home Office in Britain does not collate data on identity theft, but does nonetheless, claim that the activity is reaching epidemic proportions.

It is difficult fully to quantify the extent of real personal privacy breaches, as laws requiring disclosure of such instances are just coming into existence.

Instances of identity theft have increased as the availability of personal information, and its volume held by third parties, has increased. In the USA much personal information, including mortgage details, social security numbers, and driving license details, are publicly available. Such sensitive information is far harder to obtain in most other countries, but it is typically held by numerous government and private sector bodies, and is consequently available to their many employees and associate organisations. Of particular concern is the comprehensive personal financial information and other related data held by credit reference agencies. The proliferation of junk mail from many of these organisations, which often includes name and address, has exacerbated the situation.

In the United Kingdom, companies such as car hire agencies, car dealerships, solicitors and banks now routinely take a copy of identity documents as a condition of doing business. This practice means that the subject is, in effect, losing control of his identity documents.

As a result of data protection legislation in the United Kingdom many organisations now require telephone callers to disclose personal details such as date of birth and mother's maiden name before they will enter into discussion. This allows eavesdroppers to collect this valuable data.

U.S. Identity fraud crimes now total $52.6B annually (up 2.3% from the previous survey), with a per-individual total of $5,686 per victim, according to the Javelin study. The Javelin random-sample study further showed that individual victims in the U.S. spend an average 28 hours restoring their affairs, while the majority of their costs are reimbursed by financial providers, who in turn pass much of the cost on to merchants or other service providers.

Contrary to popular belief, illegal access to personal information often happens through traditional means such as paper financial statements, cheques or credit cards, and the perpetrator is often someone previously known to the victim, such as a "friend", family member, or acquaintance.

Rigorous research has shown that the following methods will be most effective at preventing identity theft or fraud:

• Minimize the use of mail for sending or receiving financial documents, checks, and have your name removed from junk mail lists (8% of identity fraud results from stolen mail). Mail letters from the post office. In America, where standalone mailboxes are common, install a lock on the box.
• Check your bank accounts each week online or at an ATM. 70% of identity fraud is detected by the victim, and victims who do so through electronic methods suffer losses of less than 1/8th that of those who rely on paper statements for monitoring account activity. (source: Javelin)
• Shred credit-card receipts, junk mail and other such documents, as they may contain private information.
• Never give out personal information in response to telemarketers and delete all e-mails that claim to be from your bank (or other financial provider) and ask you to "log in" using a hyperlink embedded in the e-mail message. If in doubt as to the legitimacy of such requests, use a telephone to call marketers or financial providers back (rather than directly responding to the telemarketer or company that called or emailed you).
• When shopping online, make sure the company is reputable and displays an approved security symbol. Also, make sure you log out of the site when finished.
• Request your own credit report each year and check the reports for inaccuracies. If you've been the target of identity fraud, check the data every six months. (In the United States, you are permitted a free copy of your credit report once a year from any credit reference agency. See http://www.annualcreditreport.com for further details).
• If you are a target, keep copies of police reports and records of who you talked to and when, so that you can back up the claim of fraud. Individuals who consider themselves at higher risk of identity fraud should consider purchasing fee-based credit monitoring services, which will notify you of any new accounts or credit inquiries made on your behalf.
• Limit the amount of personal information you publish on the web. Small fragments here and there may be enough for someone to impersonate you in many ways. Be especially careful with information used as security keywords for banks, e.g. mother's maiden name.
• Don't divulge personal information such as date of birth to organisations that have no need of it - nearly all commercial organisations.
• Don't routinely carry identity documents unless obliged by law to do so.
• Do not allow anyone to copy your identification documents. If commercial organizations require you to submit a copy as a condition of doing business either don't do business with them, or retrieve the copy when your business ends (a written statement that they have not taken further copies should be obtained).
• If someone calls you claiming to be from a financial institution you do business with asking for personal information - do not give it to them. Ask them why they want the information, hang up, and then call the institution (using contact information from a source other than the caller)

In the USA:

• Don't order checks preprinted with your driver's license or social security number. If you can keep your address off them, do so.
• Don't carry your social security card. Don't give out the number unless it is absolutely necessary or legally required (employers, landlords etc.). In states where your drivers license number is your social security number, be equally careful about who sees your license.

The public fascination with impostors has long had an effect on popular culture and extends to modern literature.

One recent example is the Michelle Brown story. IMDB info on the movie: [3], and Lifetime's info on the movie: [4] This is a link to Michelle Brown's verbal testimony in front of the U.S. Senate Committee [5] and her written testimony to the U.S. Senate Committee [6].

In Frederick Forsyth's novel The Day of the Jackal the would-be assassin of General de Gaulle steals two identities. Firstly, he assumes the identity of a dead child who would be about the same age as himself, had the child lived. This is accomplished by obtaining the child's birth certificate and using it to apply for a passport. He also steals the passport of a Danish clergyman and disguises himself as that person so as to match the photograph in the passport.

The first impersonation is often held up in the UK as an example of the need to tighten access to birth certificates. However, the fact that birth certificates are the fundamental means of identification, and are a requirement to obtain further identification means that no such controls could ever be put in place.

Some people object to the term "identity theft" as identity is not something that can be stolen: victims don't cease being who they are. Rather, the phrase is used to refer to impersonation for the purpose of fraud, harassment, etc. Javelin's founder James Van Dyke recommends distinct usage for the terms "identity theft" and "identity fraud", with the former applied to unauthorized access to personal records and the latter to unauthorized (fraudulent) use of such records. Identity fraud actually is often committed without identity theft, as in the case of relatives who have been granted access to personal records, or criminals who randomly generate credit card numbers for fraud without even knowing the name of the victim. Furthermore, data breaches or true identity theft may not always result in fraud due to diligent prevention activities on the part of individuals, financial institutions, merchants, law enforcement or other entities.

• Paper shredder
• Shredder
• Fair Credit Reporting Act
• Credit report
• Identity document forgery
• Political decoy
• Phishing
• Encrypt email

• Identity Theft Resource Center
• Identity Theft Spy
• Repair Credit After Identity Theft
• Preventing Identity Theft
• UK Home Office identity theft
• Identity Theft Prevention Tips
• USA identity theft resource center
• Privacy Rights Clearinghouse webpages
• Fight Identity Theft