infosec4all.com

Interestingly enough, there is still no strong body of knowledge of the problem of identity theft or a single, well accepted definition of the problem . Instead, there is a range of different views on what identity theft is. As a result, various professionals who deal with identity theft use different terms that describe the same crime and, at the same time, describe different crimes using the same term. Here are some ideas on what should and what should not be considered identity theft, for purposes of both better understanding the problem and carrying out the project research.

First, a few words on confusing and contradicting terminology: The term identity theft itself is an oxymoron – identity is not a possession that can be acquired or lost (Schneier, 2005). Legally, theft is defined as appropriation of property belonging to other with intention of permanently depriving the other, (Webster’s, 1996) while identity is an information, combination of things we are, we know, and we have and therefore, one cannot be deprived of it once it is ‘assigned’ to her at birth. Experts suggest use of more appropriate term – identity fraud. (Schneier, 2005)

In an attempt to define the crime, Gordon et al (Gordon, 2004) define information theft as use of false identifiers, fraudulent documents, or a stolen identity in the commission of the crime. The same author distinguishes between identity fraud and identity theft, where identity fraud includes both the identity theft and cases of creating fictitious identity. The 2006 Identity Fraud Survey prepared for the Federal Trade Commission by the Javelin Strategy & Research (Johannes, 2006) distinguishes the two as well, but defines identity theft (also called true name fraud) as unauthorized use of another’s personal information to achieve illicit financial gain; and identity fraud as unauthorized access to personal information. The same report introduces the concept of synthetic identity fraud – use of fictitious identities. Since both identity theft and identity fraud are widely accepted and used interchangeably in most of the literature, I will use identity theft throughout this series of articles.

The broad classification of identity theft recognizes three different forms of the crime: financial, non-financial, and criminal record identity theft (Perl, 2003), while the Federal Trade Commission, for purposes of tracking the identity theft in the most complete existing database classifies identity theft into three categories: 1) new accounts and other fraud, 2) misuse of existing credit or account number, and 3) misuses of existing credit card or credit card number.

New accounts and other fraud
Crimes in this relatively low occurrence category represent probably the ‘purest’ cases of identity theft and include misuses of victims’ identities to escape law enforcement authorities, obtain employment or other benefits, and visa and passport fraud. These are considered to be the most serious of the three according to the Federal Trade Commission (FTC, 2003) and are characterized by high dollar amount and out of pocket cost, longer detection time, lower discovery by financial institutions and victims’ discovery when contacted by debt collector or law enforcement. (Van Dyke, 2005)

This crime is similar to what Perl described as criminal record identity theft, and is probably best known from widely publicized accounts of Kevin Mitnick’s law enforcement evasion. It is referred to as ‘the purest form of identity theft’ since it best matches academic definitions and leaves little room for questioning whether it can be confused with other crimes. Criminals use identifiers such as name, social security number, address, date of birth, and other identifying information to establish a new identity and once the crime takes place, the criminal impersonates the victim for much longer time than in case of other types of the fraud. It is possible for this type of crime to stay completely undetected since the criminals might try to keep a clean record on their ‘new identity’. New accounts are opened using criminal’s address and paid regularly in order to avoid any unnecessary attention. Criminals use this type of fraud to obtain jobs that would otherwise not be available due to their criminal history, escape criminal prosecution, and engage in illegal immigration.

Misuse of existing non credit or account number
This type of identity theft occurs when criminals get access to various existing accounts (like bank or telephone account) and try to either make money transfers to their own account or change the ownership of the account to their own name. Characteristics of this type are: low dollar loss and out of pocket cost for victims, short detection time, most frequently detected by companies, victims first find out of the crime through company notification and statements monitoring. (Van Dyke, 2005) As Van Dyke suggests, it does not take long for these crimes to be detected since shortly after they take place, victims notice unusual activities on their accounts or experience inability to access account or use the service. Once reported, the victim is released from any liability and reimbursed for possible financial damage.

This type of fraud is not always easy to classify as identity theft. If identity theft in its core represents illegal use of other people’s personal identifiers, the question is when and if getting into victims’ accounts or stealing their telephone represents a theft of identity. Most probably this can only be decided after careful investigation of each individual case and understanding the causes and consequences. As we will se later, this is where the stakeholders start to disagree.

Misuse of existing credit card or credit card number
If the stake holders might slightly disagree whether use of an existing account represents an identity theft, when it comes to misuse of credit cards, opinions differ diagonally. The crime occurs when criminal uses victim’s credit card or credit card number (the same applies to debit cards and other forms of ‘plastic’ means of payment) to make a purchase or series of purchases. The actual cards are either stolen cards or found lost cards. When only the number is used (in so called card not present transactions) they come from various sources, including thefts from company databases, through ‘sniffing’ electronic transactions, or shoulder surfing. The occurrence is easily detected by victims by simply monitoring financial statements. Many banks today successfully employ specialized software that looks for anomalies in card transactions such as payments unusual for the card holder or payments that occur at two distant points within short period of time, and are able to prevent such transactions before they take place.

The most important characteristic of this type of fraud is that once discovered it is easily to prevent it from taking place again simply by blocking the existing card and issuing a new one. This is an automatic process, the card is blocked within seconds after the crime is detected and reported, and no records are left on victims’ credit or criminal file. In the worst case scenario, the victims are hold liable for the first $50 of the stolen amount, but in most cases are fully reimbursed for any damage.

Although even the Federal Trade Commission report (FTC, 2005) agrees that these are the least serious victimizations, these frauds are still included in all reports on identity theft. They tend to negatively affect general understanding of the problem and lead to improper course of action when it comes to prevention and fight against the crime.

References:

Federal Trade Commission (FTC), Identity Theft Survey Report, Synovate, September 2003

Federal Trade Commission (FTC), National and State Trends in Fraud & Identity Theft – January – December 2004, Federal Trade Commission, February 1, 2005

Gordon, Gary R, et al, Identity Fraud: A Critical National and Global Threat, Journal of Economic Crime Institute, Volume 2, Issue 1, Winter 2004.

Johannes, Rubina, et al, 2006 Identity Fraud Survey Report, Javelin Strategy and Research, January 2006

Perl, Michael W., It’s not always about the money: Why the state identity theft laws fail to adequately address criminal record identity theft, Journal of Criminal Law and Criminology, 94(1): 169-2008, 2003

Schneier, Bruce, Mitigating Identity Theft, Crypto-Gram Newsletter, April 15, 2005 http://www.schneier.com/crypto-gram-0504.html#2

Van Dyke, James, Reading behind the Lines: How Identity Fraud Really Happens, Javelin Strategy and Research, presented at Digital ID World conference in 2005

Webster’s New College Dictionary on Power CD, Version 2.5, Zane Publishing Inc. 1994-1996