infosec4all.com

The problem of identity theft is ubiquitous, with cases being discovered every day from countries of European Union through Canada, and Australia. Without question, United States remains the most significantly affected by this crime. As a result, most of the research and publicity focuses on this country.

There is no single factor that makes identity theft possible. Not only do the factors change through time, they also differ from country to country. I call the set of specific factors and environments that create fertile ground for committing identity theft identity theft enablers or simply enablers. The most significant enablers specific to the United States are examined here in no particular order.

Credit reporting agencies
The credit reporting system in the United States is the most complete set of information on consumers in the world – far more thorough than any government census. (Sullivan, 2004) The original purpose of the system was to help lenders gather enough information about customers to assess their ability to pay off the loans. Today, the multibillion dollar industry consists of three credit reporting agencies: Equifax, TransUnion, and Experian. They sell credit history information on anyone legally living in the United States to anyone willing to pay for such information. Interestingly enough, the biggest beneficiaries from identity theft are not the criminals but the three reporting agencies, with the credit monitoring industry alone making $900 million, with 20% annual growth. (Dash, 2006)

Based on the wide range of credit information with estimated two billion records monthly growth (Sullivan, 2004) and complex formulas known only to those three companies, each consumer is assigned a credit score – a number that indicates a consumer’s credit worthiness – a number that basically decides on behalf of lenders whether consumer can get a loan and under which terms. The system is geared toward facilitating the growth of the credit industry and its own protection, and not protection of individual customers. In that regard, as long as the applicant’s credit application indicates good chances for timely repayment, the request is granted regardless of who actually submits the application and receives the money. As long as the inaccurate information does not hurt the lenders, those companies do nothing to improve the system, in spite of decades-long problems with accuracy of the reports. (Sullivan, 2004)

Social security numbers
The growth of bureaucratic state in the first half of the twentieth century created a need for a system of public records that lead to creation of the Social Security System in 1935. The system was intended to track individual employees’ earnings and therefore each citizen was assigned a unique, nine digit identifier known as Social Security Number. (Solove, 2006) Neither the social security number nor the social security card was intended to be used for identification purposes. The first cards even carried the inscription “NOT FOR IDENTIFICATION”. Contemporary social security cards do not bear picture or any other identifying information except for the name of the holder and social security number itself. Unfortunately, the importance of social security numbers and their use for identification changed significantly within a single century. According to the US Senate (Thomas, 2004) the social security number is one of the main tools used to steal identity, due to its use for purposes not intended by the original design.

Social security cards and more specifically social security numbers represent one of the main breeder identifiers that criminals use to initiate the crime of identity theft. In many instances, social security number together with birth certificate is used by various agencies to establish an initial identity and issue an identification bearing photograph or other biometric data.

US social security numbers are probably the most guarded pieces of information by individuals and at the same time widely available and frequently asked for and used in every day’s life.

Instant credits
This term was coined by the director of the Federal Trade Commission in 2002 (Sullivan, 2004) but basically describes an ability, available to millions of Americans to walk into an electronics store or a car dealership and legally walk out with goods worth tens of thousands of dollars just minutes later. When even mortgages are approved within similar time frame it is simply not possible to do better research on an applicant’s background. (Sullivan, 2004) In order to boost sales, merchants, based on credit scores provided by credit reporting agencies, approve instant credits to customers who can prove their credit worthiness, not their identity.

Convenience checks
Convenience checks are cash like instruments mailed to cardholders that allow them to transfer balances from one credit card issuer to another with a stroke of a pen. (Sullivan, 2004) Unlike cards, in most cases the use of convenience checks does not require any authorization, and the checks are not covered by a $50 liability limit. All customers are required to do is sign the check and mail it back to the issuer, or even submit it online.

Functional literacy
Organization for Economic Cooperation and Development defines functional literacy as ability to understand and employ printed information in daily life. According to the National Institute for Literacy 50% of the adult population in the United States is considered illiterate, with 44 million that cannot read a newspaper or fill out a job application (compared to 24% in the United Kingdom).  This factor facilitates growth of identity theft by impeding customers’ ability to protect themselves from daily attacks against their privacy.

Technologies
As shown in previous chapters, new technologies and specially Internet do no significantly facilitate identity theft. However, old technologies do not provide tamper proof documents (Newman, 2005) while new technologies allow production of high quality, ‘better then the originals’ documents of any kind. There are numerous cases in the United States where identifying documents produced using old technologies are easy to counterfeit.

Inadequate privacy laws
Unlike the countries of the European Union that protect privacy and individual data of their citizens, United States federal agencies can do very little to limit the potentially privacy-invading behaviors of private companies. (Sullivan, 2006) Existing U.S. privacy laws only adequately protect privacy within individual’s home. Once the person leaves this “safe heaven”, the laws do not ban collection of personal information without consumer’s permission. Furthermore, consumers have no right to review the data and correct inaccuracies; companies that process data are not required to register their activities with the government; employers can read workers’ private e-mail; and personal information can be shared by companies or across borders without express permission from the data subject.

Internet
Contrary to common belief, the emergence of the Internet is not in direct correlation with trends in identity theft. Collection of statistics on identity theft and the development of the Internet just happened to take place at the same time. Internet might facilitate exchange and sale of identity but does not really facilitate the theft itself. According to the latest research commissioned by the Federal Trade Commission, only 10 percent of data compromises take place over the Internet (Johannes, 2006) However, Internet continues to be a good source of guides on obtaining other people’s personal information. (Newman, 2004)

Identification documents
United States lacks universally accepted and secure form of identification. (Newman, 2005) An average American carries more identification documents than a citizen of any other nation, yet those documents have few security features and are not standardized. Identification documents in the United States are issued by 8,000 uncoordinated jurisdictions.

Identity documents, like driver licenses, are issued based on presentation of either social security card, birth certificate, or both. Neither social security cards nor birth certificates were ever meant to be used to identification, and neither of them contain information that can prove someone’s identity (e.g. picture or biometric information). (LoPucki, 2003) Combined with old technologies used to produce them, they remain the major breeder documents for identity thieves.

Information availability
Personal identifying information on any citizen of this country is more widely available than ever before thanks to relatively new industry of data mining. Unfortunately, many organizations have inadequate procedures for employees with access to personal information. (Newman, 2005) At the same time, about 10% of people who try to access their own records with credit reporting agencies are denied access due to incorrect information on file kept by the agencies themselves and used to identify consumers and grant access to their files. (LoPucki, 2003)

Economy of scale
Numbers talk for themselves: In the United States in 2000, there were 1.5 billion credit cards held by 158 million cardholders – an average of ten credit cards per cardholder, with over three billion solicitation letters sent in a year. (Manning, 2000)

Non-cash payment instruments
Although I continuously stress that some types of credit card and check fraud are not identity theft, at least for now they significantly distort the statistics. The number of non cash transactions in the United States alone represents more than 60% of all cash transactions in the 14 most developed countries with only 36% of population. (Humphrey, 1996) Checks in the United States account for more than 60% of consumer non cash transactions with over 15 checks being written per month per person (three to five times more than in UK and Canada, and at least 15 times more than in other European countries). Checks are the most accessible and most widely accepted forms of payment in the United States. (Chakravorti, 2002) As, by their design, they represent the least secure (and in other countries almost obsolete) form of payment, it is not surprising to learn about the volume of check related frauds.

Outsourcing
Many security experts agree that in-house data breaches pose the biggest threat to information security. As the United States is leading the way in outsourcing many internal processing functions (including data management) not only to third party service providers in the country but on other continents, this trend also exposed many weaknesses and make it harder to prevent insiders from committing identity theft. (Hurst, 2006)

The problem of identity theft is not unique for the United States. However, this country tops the list by number of cases thanks to identity theft enablers – specific factors and environments that do not exist or are different elsewhere.

Bibliography

Chakravorti, Sujit et al, Why do we use so many checks?, Federal Reserve Bank of Chicago, Economic Perspectives, Q3 2002

Dash, Eric, Protectors, Too, Gather Profits from ID Theft, The New York Times, December 12, 2006

Humphrey, David B., et al, Cash, Paper, and Electronic Payments: A Cross-Country Analysis, Journal of Money, Credit and Banking, Vol. 28, No. 4, Part 2: Payment Systems Research and Public Policy Risk, Efficiency, and Innovation. (Nov., 1996), pp. 914-939.

Hurst, Andrew, Banks Face Growing Threat of Identity Theft from Insiders, Reuters, Zurich, November 22 2006

Johannes, Rubina, et al, 2006 Identity Fraud Survey Report, Javelin Strategy and Research, January 2006

LoPucki, Lynn M., Did Privacy Cause Identity Theft?, Hastings Law Journal, Vol. 54, No. 4, April 2003

Newman, Graeme R., Identity Theft, U.S. Department of Justice, Office of Community Oriented Policing Services, June 2004

Newman, Graeme R. and Megan M. McNally, Identity Theft Literature Review, National Institute of Justice Focus Group Meeting, July 2005

Manning, Robert D., Credit Card Nation – The Consequences of America’s Addiction to Credit, Basic Books, 2000

Solove, Daniel J., A Brief History of Information Privacy Law PROSKAUER ON PRIVACY, PLI, 2006

Sullivan, Bob, Your Evil Twin, John Wiley & Sons, Inc. 2004

Sullivan, Bob Privacy Lost: EU, U.S. laws differ greatly – EU citizens well protected against corporate intrusion, but red tape is thick MSNBC, Oct 19, 2006

Thomas, Bill, Chairman, Fact Sheet: Social Security and Identity Theft, Committee on Ways and Means, Washington, DC July, 2004