There is no single factor that makes identity theft possible. Not only do the factors change through time, they also differ from country to country. I call the set of specific factors and environments that create fertile ground for committing identity theft identity theft enablers or simply enablers. The most significant enablers specific to the United States are examined here in no particular order.

Credit reporting agencies
The credit reporting system in the United States is the most complete set of information on consumers in the world – far more thorough than any government census. (Sullivan, 2004) The original purpose of the system was to help lenders gather enough information about customers to assess their ability to pay off the loans. Today, the multibillion dollar industry consists of three credit reporting agencies: Equifax, TransUnion, and Experian. They sell credit history information on anyone legally living in the United States to anyone willing to pay for such information. Interestingly enough, the biggest beneficiaries from identity theft are not the criminals but the three reporting agencies, with the credit monitoring industry alone making $900 million, with 20% annual growth. (Dash, 2006)

Based on the wide range of credit information with estimated two billion records monthly growth (Sullivan, 2004) and complex formulas known only to those three companies, each consumer is assigned a credit score – a number that indicates a consumer’s credit worthiness – a number that basically decides on behalf of lenders whether consumer can get a loan and under which terms. The system is geared toward facilitating the growth of the credit industry and its own protection, and not protection of individual customers. In that regard, as long as the applicant’s credit application indicates good chances for timely repayment, the request is granted regardless of who actually submits the application and receives the money. As long as the inaccurate information does not hurt the lenders, those companies do nothing to improve the system, in spite of decades-long problems with accuracy of the reports. (Sullivan, 2004)

Social security numbers
The growth of bureaucratic state in the first half of the twentieth century created a need for a system of public records that lead to creation of the Social Security System in 1935. The system was intended to track individual employees’ earnings and therefore each citizen was assigned a unique, nine digit identifier known as Social Security Number. (Solove, 2006) Neither the social security number nor the social security card was intended to be used for identification purposes. The first cards even carried the inscription “NOT FOR IDENTIFICATION”. Contemporary social security cards do not bear picture or any other identifying information except for the name of the holder and social security number itself. Unfortunately, the importance of social security numbers and their use for identification changed significantly within a single century. According to the US Senate (Thomas, 2004) the social security number is one of the main tools used to steal identity, due to its use for purposes not intended by the original design.

Social security cards and more specifically social security numbers represent one of the main breeder identifiers that criminals use to initiate the crime of identity theft. In many instances, social security number together with birth certificate is used by various agencies to establish an initial identity and issue an identification bearing photograph or other biometric data.

US social security numbers are probably the most guarded pieces of information by individuals and at the same time widely available and frequently asked for and used in every day’s life.

Instant credits
This term was coined by the director of the Federal Trade Commission in 2002 (Sullivan, 2004) but basically describes an ability, available to millions of Americans to walk into an electronics store or a car dealership and legally walk out with goods worth tens of thousands of dollars just minutes later. When even mortgages are approved within similar time frame it is simply not possible to do better research on an applicant’s background. (Sullivan, 2004) In order to boost sales, merchants, based on credit scores provided by credit reporting agencies, approve instant credits to customers who can prove their credit worthiness, not their identity.

Convenience checks
Convenience checks are cash like instruments mailed to cardholders that allow them to transfer balances from one credit card issuer to another with a stroke of a pen. (Sullivan, 2004) Unlike cards, in most cases the use of convenience checks does not require any authorization, and the checks are not covered by a $50 liability limit. All customers are required to do is sign the check and mail it back to the issuer, or even submit it online.

Functional literacy
Organization for Economic Cooperation and Development defines functional literacy as ability to understand and employ printed information in daily life. According to the National Institute for Literacy 50% of the adult population in the United States is considered illiterate, with 44 million that cannot read a newspaper or fill out a job application (compared to 24% in the United Kingdom).  This factor facilitates growth of identity theft by impeding customers’ ability to protect themselves from daily attacks against their privacy.

Technologies
As shown in previous chapters, new technologies and specially Internet do no significantly facilitate identity theft. However, old technologies do not provide tamper proof documents (Newman, 2005) while new technologies allow production of high quality, ‘better then the originals’ documents of any kind. There are numerous cases in the United States where identifying documents produced using old technologies are easy to counterfeit.

Inadequate privacy laws
Unlike the countries of the European Union that protect privacy and individual data of their citizens, United States federal agencies can do very little to limit the potentially privacy-invading behaviors of private companies. (Sullivan, 2006) Existing U.S. privacy laws only adequately protect privacy within individual’s home. Once the person leaves this “safe heaven”, the laws do not ban collection of personal information without consumer’s permission. Furthermore, consumers have no right to review the data and correct inaccuracies; companies that process data are not required to register their activities with the government; employers can read workers’ private e-mail; and personal information can be shared by companies or across borders without express permission from the data subject.

Internet
Contrary to common belief, the emergence of the Internet is not in direct correlation with trends in identity theft. Collection of statistics on identity theft and the development of the Internet just happened to take place at the same time. Internet might facilitate exchange and sale of identity but does not really facilitate the theft itself. According to the latest research commissioned by the Federal Trade Commission, only 10 percent of data compromises take place over the Internet (Johannes, 2006) However, Internet continues to be a good source of guides on obtaining other people’s personal information. (Newman, 2004)

Identification documents
United States lacks universally accepted and secure form of identification. (Newman, 2005) An average American carries more identification documents than a citizen of any other nation, yet those documents have few security features and are not standardized. Identification documents in the United States are issued by 8,000 uncoordinated jurisdictions.

Identity documents, like driver licenses, are issued based on presentation of either social security card, birth certificate, or both. Neither social security cards nor birth certificates were ever meant to be used to identification, and neither of them contain information that can prove someone’s identity (e.g. picture or biometric information). (LoPucki, 2003) Combined with old technologies used to produce them, they remain the major breeder documents for identity thieves.

Information availability
Personal identifying information on any citizen of this country is more widely available than ever before thanks to relatively new industry of data mining. Unfortunately, many organizations have inadequate procedures for employees with access to personal information. (Newman, 2005) At the same time, about 10% of people who try to access their own records with credit reporting agencies are denied access due to incorrect information on file kept by the agencies themselves and used to identify consumers and grant access to their files. (LoPucki, 2003)

Economy of scale
Numbers talk for themselves: In the United States in 2000, there were 1.5 billion credit cards held by 158 million cardholders – an average of ten credit cards per cardholder, with over three billion solicitation letters sent in a year. (Manning, 2000)

Non-cash payment instruments
Although I continuously stress that some types of credit card and check fraud are not identity theft, at least for now they significantly distort the statistics. The number of non cash transactions in the United States alone represents more than 60% of all cash transactions in the 14 most developed countries with only 36% of population. (Humphrey, 1996) Checks in the United States account for more than 60% of consumer non cash transactions with over 15 checks being written per month per person (three to five times more than in UK and Canada, and at least 15 times more than in other European countries). Checks are the most accessible and most widely accepted forms of payment in the United States. (Chakravorti, 2002) As, by their design, they represent the least secure (and in other countries almost obsolete) form of payment, it is not surprising to learn about the volume of check related frauds.

Outsourcing
Many security experts agree that in-house data breaches pose the biggest threat to information security. As the United States is leading the way in outsourcing many internal processing functions (including data management) not only to third party service providers in the country but on other continents, this trend also exposed many weaknesses and make it harder to prevent insiders from committing identity theft. (Hurst, 2006)

The problem of identity theft is not unique for the United States. However, this country tops the list by number of cases thanks to identity theft enablers – specific factors and environments that do not exist or are different elsewhere.

Bibliography

Chakravorti, Sujit et al, Why do we use so many checks?, Federal Reserve Bank of Chicago, Economic Perspectives, Q3 2002

Dash, Eric, Protectors, Too, Gather Profits from ID Theft, The New York Times, December 12, 2006

Humphrey, David B., et al, Cash, Paper, and Electronic Payments: A Cross-Country Analysis, Journal of Money, Credit and Banking, Vol. 28, No. 4, Part 2: Payment Systems Research and Public Policy Risk, Efficiency, and Innovation. (Nov., 1996), pp. 914-939.

Hurst, Andrew, Banks Face Growing Threat of Identity Theft from Insiders, Reuters, Zurich, November 22 2006

Johannes, Rubina, et al, 2006 Identity Fraud Survey Report, Javelin Strategy and Research, January 2006

LoPucki, Lynn M., Did Privacy Cause Identity Theft?, Hastings Law Journal, Vol. 54, No. 4, April 2003

Newman, Graeme R., Identity Theft, U.S. Department of Justice, Office of Community Oriented Policing Services, June 2004

Newman, Graeme R. and Megan M. McNally, Identity Theft Literature Review, National Institute of Justice Focus Group Meeting, July 2005

Manning, Robert D., Credit Card Nation – The Consequences of America’s Addiction to Credit, Basic Books, 2000

Solove, Daniel J., A Brief History of Information Privacy Law PROSKAUER ON PRIVACY, PLI, 2006

Sullivan, Bob, Your Evil Twin, John Wiley & Sons, Inc. 2004

Sullivan, Bob Privacy Lost: EU, U.S. laws differ greatly – EU citizens well protected against corporate intrusion, but red tape is thick MSNBC, Oct 19, 2006

Thomas, Bill, Chairman, Fact Sheet: Social Security and Identity Theft, Committee on Ways and Means, Washington, DC July, 2004

Willox et al (Willox, 2002) suggest that identity theft statistics in 2002 were just a tip of the iceberg, and conservatively estimated loss of identity theft to be at least tens of billions of dollars. According to the United States Treasury Department’s own research, cyber criminals (although it is not clear what exactly is meant by this term) made more money than illegal drug traders in 2005. (Gordon, 2006) Javelin Strategy and Research report suggests that the annual cost for consumers alone reaches $52.6 million. (Van Dyke, 2005)

The following is a crude breakdown of the costs associated with identity theft.

Individuals
Identity theft victims are faced with both tangible, financial cost and intangible costs that require a lot of time to recover from. Recovery is another indicator that differentiates the real identity theft from other crimes frequently misclassified as identity theft. When credit card or paper check fraud occurs, the victim is, in the worst case scenario, responsible for the first $50 of the total financial benefit assumed by the criminal. In most cases, US banks wave this amount, leaving a victim of credit or check fraud with virtually no tangible financial responsibility. (Sullivan, 2004) Possible frustration as non-tangible cost and time spent on reporting the incident is usually minimal. The most recent identity fraud consumer report shows that 68% of victims do not incur any out-of-pocket costs (Johannes, 2006) also indicating misclassification of credit card and check frauds.

Real identity theft on the other hand is characterized by not only direct and tangible financial loss that is relatively easily recoverable and relatively insignificant compared to intangible cost related to damage to reputation, credit worthiness, possible false criminal record, and efforts on clearing one’s name and financial and criminal history from those false records. According to Javelin’s report (Johannes, 2006), in spite of 37% decline in the last 12 months, the average out-of-pocket cost an identity theft victim has to pay is $422 (other authors like Sullivan, 2006 indicate much higher amounts – up to $1,000). An earlier report (FTC, 2003) suggest up to three times higher amounts for victims of ‘new accounts and other frauds.’ Unfortunately comparison of the amounts for the various types of frauds is not possible since the numbers for credit card and check frauds are combined with the numbers for the later fraud and show average fraud amount per victim of only $750 for the last three consecutive years. Federal Trade Commission (FTC, 2003) estimates the out-of-pocket cost for victims at $5 billion annually ($3.8 billion for ‘new accounts and other frauds’).

Sadly, the out-of-pocket cost is not the part that concerns many victims. It is the time and effort, frequently unaccounted for, that when translated in monetary terms leave a more serious impact on the victims. Schneier suggests that while some of the losses are absorbed by financial institutions – credit card companies in particular – the credit-rating damage is borne by the victim. (Schneier, 2007) No effort has been made so far to try to calculate the value of time spent, both by victims and relevant organizations, on resolving the issues resulting from identity theft. The average number of 40 hours needed by consumers to resolve the fraud (Johannes, 2006) is significantly distorted by cases of credit card and check fraud that usually take only one telephone call to financial institution to report the fraud and remove any responsibility from the victim. Federal Trade Commission’s (FTC, 2003) statement that in at least one quarter of all recorded cases it took only one day to resolve the situation indicates strong presence of other misclassified frauds (e.g. credit card fraud). At least 10% of cases took more than three months to resolve according to the same report. According to another report (Newman, 2004), the recovery time is taken to another extreme – on average, it takes about 600 hours for a victim to clear the damaged credit or clear the criminal records caused by identity theft. When combined together, the number of hours spent at national level totals 300 million out of which 194 million hours was spent by individuals on resolution of ‘new accounts and other frauds’ each year.

Other intangible costs of identity theft include harassment from debt collectors, banking problems, loan rejections, utility cutoffs and even arrest for criminal offenses. (Newman, 2004) Anecdotal accounts report resident damage to victims’ reputation even many years after identity theft case has closed. In spite of claims by credit reporting agencies victim’s information continues to be passed to solicitors, credit scores contain damaging information caused by fraudsters, and victims are arrested and re-arrested for crimes they’ve never committed. (Sullivan, 2004) The same accounts also report what Newman et al (Newman, 2006) call other personal sufferings and shock of discovery that are equally disturbing but not quantifiable.

Businesses
When talking about the loss suffered by businesses, quantification proves to be even more difficult. At first sight numbers are frightening – $33 billion in 2002 according to the Federal Trade Commission. (FTC, 2003) However, big portion of this amount appears to be considered a ‘cost of doing business’ (Newman, 2005) while some costs in the case of credit card companies are picked by the merchants. (Sullivan, 2004)

Businesses in general consider two types of financial cost (Newman, 2005): hard or easily calculated, and soft, indirect costs that are much more difficult to estimate. It is not known whether the FTC number considers both. The latter cost is definitely greater and more dangerous for business. Estimates of opportunity costs do not seem to exist, but it is clear that merchants and financial sector providers pay the bulk of the cost, directly and through productivity, systems and procedures, and reputation. (Van Dyke, 2005) The crime also reduces consumer confidence in financial infrastructure, reduces corporate productivity and leads to higher costs for consumers, and compromises economic infrastructure. Another ‘soft’ cost is the fear of identity theft. This is the fastest growing barrier to online services like electronic billing (Van Dyke, 2005)

Another reason why it is impossible to estimate the cost of identity theft in the private sector is the fact that not all businesses lose money to this crime. As seen in the previous chapter, identity theft has opened a new, potentially very profitable market for various protection services providers.

Government
Government agencies do not maintain separate statistics on identity theft and only estimates come from GAO reports. (Newman, 2005) Those estimates are divided into three groups: investigation costs, prosecution costs, and corrections costs. According to an earlier report (Newman, 2004) the investigation of each case costs law enforcement between $15,000 and $25,000, but due to significant differences in the cases, those numbers must be taken with caution. The only available data on prosecution suggest that, on average, white-collar crimes cost $11,400 per case. It is not known how much identity theft prosecution averages deviate from this number. Newman also suggests that due to the lack of proper training, law enforcement is more inclined to use their limited resources on other crimes. Finally, with regard to the cost of corrections, it is only known that, on average, white collar inmates cost government $17,400 per annum, while an average probation cost is $2,900.

Other intangible government costs of identity theft suggested by Newman include national security threats, public safety threats, burdens created by illegal immigration, costs associated with introduction of national ID system, increased public paranoia, and overall decrease in confidence in benefits of the information age.

This post shows how the lack of proper definition of identity theft affects the quantification of the problem in monetary terms and time spent on recovery. We have seen that not only individuals, but businesses and governments suffer from the crime of identity theft. Exact amounts are impossible to calculate. The chapter costs of each individual real identity theft case are much higher than published averages for customers, businesses, and government. It is also clear that due to misclassification of other crimes that cost less in out of pocket expenses and take less recovery time, total damage due to identity theft is significantly lower than initially feared.

References:

Gordon, Gary R, et al, The Ongoing Critical Threats Created by Identity Fraud: An Action Plan, Journal of Economic Crime Management, Volume 4, Issue 1, Summer 2006

Federal Trade Commission (FTC), Identity Theft Victim Complaint Data – Figures and Trends on Identity Theft January 1 – December 31, 2002, Federal Trade Commission, January 22, 2003

Johannes, Rubina, et al, 2006 Identity Fraud Survey Report, Javelin Strategy and Research, January 2006

Newman, Graeme R., Identity Theft, U.S. Department of Justice, Office of Community Oriented Policing Services, June 2004

Newman, Graeme R. and Megan M. McNally, Identity Theft Literature Review, National Institute of Justice Focus Group Meeting, July 2005

Schneier, Bruce, Security Matters – Solving Identity Theft, Forbes.com, January 22, 2007, 6:00 AM ET

Sullivan, Bob, Your Evil Twin, John Wiley & Sons, Inc. 2004

Van Dyke, James, Reading behind the Lines: How Identity Fraud Really Happens, Javelin Strategy and Research, presented at Digital ID World conference in 2005
Willox, Norman A. et al, Identity Fraud: Providing a Solution, Journal of Economic Crime Management, Volume 1, Issue 1, Summer 2002

Direct financial benefits are probably the most obvious. It occurs when a criminal directly obtains monetary instruments from the victim or in her name.

Non-financial identity theft might ultimately lead to monetary benefits but it starts with utilities frauds or obtaining of government documents or benefits in victims name that are later used for illegal border crossing or obtaining a job. Another common type of non-financial benefit is revenge.

The third reason criminals would steal identity is to evade legal sanctions and criminal records. (Perl, 2003) According to the same author, this type of crime is the worst case of identity theft. According to Newman (Newman, 2005) this is the major reason for stealing another’s identity. This category also includes growing number of cases where identity theft was used for supporting terrorist activities.

Finally, the concept of opportunity has also been used for explaining crime. Although, its relation to identity theft has not been formally researched, Newman (Newman, 2005) suggests a strong correlation, considering identity to be information that in turn can be perceived as a ‘hot product’.

How does it take place?
In order for identity crime to occur, the criminal must obtain personal identifiers of a person with a good credit or no criminal history, who later becomes a victim. The criminals use various methods including recruiting individuals with access to personal information, stealing documents from companies that store such information, dumpster diving, eavesdropping, shoulder surfing, burglary, stealing mail, phone scam, phishing, and pharming. Although, as we will see, use of technologies does not correlate with increase in identity theft, computer users are also targeted. According to one source, in the last couple of years, there has been a dramatic increase in number of collection methods, with over 65% increase only in key logging (Gordon, 2006) – method in which criminals use stealth key logging software or devices to secretly record key strokes that later reveal various personal information entered into victim’s computer. Personal identifiers can also be purchased on the street or Internet for the going rate of between $25 and $50. (Newman, 2005)

Stolen personal identifiers are then altered to reflect characteristics of the new ‘owner’. Development of desktop publishing technologies and their affordability also allow criminals to produce high quality replicas, while organized crime can use professional equipment that makes fakes ‘better’ than originals. It is also possible for criminals to obtain genuine identification documents through fraudulent methods like using ‘insiders’ at identification document issuing agencies. (Porter, 2005) The identity information bearing instruments obtained in this step are also known as ‘breeder documents’ since they allow criminals to proceed to the next step – obtaining false identification documents like birth certificate, social security card, drivers’ licenses, passports, voter registers, and badges. (Porter, 2005) These documents now allow criminals to further develop their newly assumed identities by creating new life history through rental of mail boxes, storage units, apartments, and vehicles, opening new accounts, and activation of telephone services and utilities, (Porter 2005) – all with timely and accurate payments just like any innocent citizen would do.

The next step – exploitation
Identity Theft is linked to many global crimes, including terrorism, money laundering and financial crimes, drug trafficking, alien and weapons smuggling. (Gordon, 2004) Once the criminal steals identity or creates a false identification document, he is able to create a fraudulent identity for himself which allows him to cross borders and also provides him with access to such identification documents as birth certificates, drivers’ licenses, and social security cards, that in turn create greater access by allowing him to procure employment, credit cards, residency and citizenship, etc. (Gordon, 2004)

Identity theft crimes are often facilitators for crimes that lead to money laundering, mortgage and insurance frauds, computer crimes, weapons and narcotics trafficking, homicide, terrorism, and illegal immigration, (Porter, 2005). As an example, Bruce Schneier (February 2007) suggests that criminals or terrorists could use stolen identities to avoid TSA screenings while carrying on attacks or other crimes. The magnitude of crimes committed with help of identity theft is best captured in Willox’s claim that identity theft is not a tool of a con artist anymore; it is indigenous to any criminal enterprise. (Willox, 2002)

The Other Side of Exploitation
One must not forget that it is not only criminals and terrorist who exploit identity theft. Financial institutions also benefit from various legal requirements by transferring the costs to consumers through disproportional increase in service fees. (Newman, 2005) On the other side there is a fast growing industry that legally profits from selling various services ranging from financial insurance, privacy protection, to credit monitoring. Currently, no supporting research exists that could back up this statement. Only anecdotal cases suggest the existence of this multi million dollar market niche.

Bibliography:

Clarke, Ronald V., Hot Products: understanding, anticipating and reducing demand for stolen goods, Police Research Series, UK Home Office, Research, Development, and Research Directorate, 1999

Gordon, Gary R, et al, Identity Fraud: A Critical National and Global Threat, Journal of Economic Crime Institute, Volume 2, Issue 1, Winter 2004

Gordon, Gary R, et al, The Ongoing Critical Threats Created by Identity Fraud: An Action Plan, Journal of Economic Crime Management, Volume 4, Issue 1, Summer 2006

Newman, Graeme R. and Megan M. McNally, Identity Theft Literature Review, National Institute of Justice Focus Group Meeting, July 2005

Perl, Michael W., It’s not always about the money: Why the state identity theft laws fail to adequately address criminal record identity theft, Journal of Criminal Law and Criminology, 94(1): 169-2008, 2003

Schneier, Bruce, Security Matters – Solving Identity Theft, Forbes.com, January 22, 2007

Willox, Norman A. et al, Identity Fraud: Providing a Solution, Journal of Economic Crime Management, Volume 1, Issue 1, Summer 2002

Legal definition
Acting as an umbrella, the federal law set standards for all other states. This law, with subsequent amendments defines the identity theft in the following way:

[One is guilty of identity theft if...] knowingly and without lawful authority produces an identification document, authentication feature, or a false identification document (hereafter identification document); [...] transfers an identification document,[...] knowing that such document [...] was stolen or produced without lawful authority;[...] possesses with intent to use unlawfully or transfer unlawfully five or more identification documents[...] possesses an identification document, [...] with the intent such document [...] be used to defraud the United States;[...] produces, transfers, or possesses a document-making implement [...] with the intent such document-making [...] will be used in the production of a false identification document or another document-making implement [...] which will be so used; [...] possesses an identification .. that is or appears to be an identification document [...] of the United States which is stolen or produced without lawful authority knowing that such document [...] was stolen or produced without such authority;[...] transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law; or [...] traffics in false authentication features for use in false identification documents, document-making implements, or means of identification[...]

Most definitions of identity theft, both legal and academic, can be summarized as unauthorized use of someone else’s identities. Newman at al define identity as a psychological construct used by individuals to refer to themselves as ‘a person’ and used by others to identify themselves as unique or particular individuals. (Newman, 2005) Other scholars reject the notion of identity as being no longer rationed to one per physiological specimen and adopt the term human identification as association of data with a particular human being. (Clarke, 1994) The science of information security, for purposes of dealing with authentication, or confirmation of someone’s identity defines identity as a combination of three factors – something we are, something we know, and something we have. The legal language cleverly avoids this problem by using the term identification or means of identification which, in the federal law, is defined as:

[...] any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any [...] name, social security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number; [...] unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation; [...]unique electronic identification number, address, or routing code; or [...] telecommunications identifying information or access device [...]

At the federal level, a separate law (Title 18, Chapter 1029 Fraud and Related Activity in Connection with Access Devices) addresses credit card fraud. The two federal laws clearly separate identity theft from credit card (access device) fraud. This clearly supports my argument that credit card fraud is not identity theft, or to be more specific, some credit card frauds can be associated with identity theft but some (if not most of them) can not not. Although it might sound as a nuance, it is credit card fraud that most seriously distorts the course of action for prevention and fight against identity theft.

The federal act defines an ‘access device’ as:

[...] any card, plate, code, account number, electronic serial number, mobile identification number, personal identification number, or other telecommunications service, equipment, or instrument identifier, or other means of account access that can be used, alone or in conjunction with another access device, to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds (other than a transfer originated solely by paper instrument); [...]

And makes it a crime to:

[...] knowingly and with intent to defraud produce, use, [...] traffic in, [...]poses[...] counterfeit access devices; knowingly and with intent to defraud effect transactions; [...] with [...]access devices issued to another person [...]receive payment [...]

State laws define identity theft in very similar way, except for two differences – the penalty for the crime, and treatment of credit card fraud. With the exception of three states that still do not have identity theft laws all other states have amended their criminal codes to recognize identity theft. Twenty four of them use the term identity theft to describe the crime, seven states call it identity fraud, while others use a range of less specific terms such as criminal impersonation, taking identity of another person, false personation, identity deception, misuse of identification, unauthorized or fraudulent use of personal identifying information, and identity crime. Only the state of Nebraska clearly differentiates between identity theft and credit card fraud while others did not follow the federal example and separated the two. Most states completely failed (or did it intentionally) to address the difference between two crimes, leaving it up to the judges to decide on treatment of the crime. Bibliography section lists state laws that address identity theft and/or credit card fraud.

Two important flaws are worth mentioning here as most of the states used federal identity theft law as a template: failure to clearly define identity at federal level, and failure to introduce separate credit card fraud laws at state levels lead to a situation where credit card frauds are confused with real identity theft cases.

This review would not be complete without mentioning the third federal law that directly addresses the issues related to identity theft is U.S. Public Law, Title 42, Chapter 408 – Fraud in Connection with the Misuse of Social Security Numbers. As the name suggests, the law focuses on the issues related to misuse of social security numbers and its terms are not relevant for this definition of the crime, but the number itself and its use is. 

Related legislation
In addition to the three laws above that directly deal with and define identity theft, there are a number of federal laws that significantly affect the combat against identity theft, and are relevant for further actions to fight this crime. In fact, according to the Identity Theft Literature Review (Newman, 2005) there are 180 federal statutes that prescribe the same conduct under the Identity Theft Act. According to Newman (Newman, 2005) the three most important ones laws are:

The Fair Credit Reporting Act (FCRA)
Originally passed in 1970 and last amended in 2003. One of the most significant provisions of this law related to identity theft prevents states from passing more stringent financial privacy rules than federal government.

The Fair and Accurate Credit Transactions Act
Passed in 2003 with sections specifically designed to combat identity theft, it protects consumers’ credits and calls for enhancements in identity authentication.

Gramm-Leach-Bliley Act (GLBA)
Enacted in 1999 it instructs financial institutions to have policies, procedures, and controls to prevent unauthorized disclosure of financial information, and allows consumers to opt-out from having financial institutions disclose their private financial information.

Bibliography

Clarke, Roger, Human Identification in Information Systems: Management Challenges and Public Policy Issues, Information Technology and People, December 1994

Newman, Graeme R. and Megan M. McNally, Identity Theft Literature Review, National Institute of Justice Focus Group Meeting, July 2005

Perl, Michael W., It’s not always about the money: Why the state identity theft laws fail to adequately address criminal record identity theft, Journal of Criminal Law and Criminology, 94(1): 169-2008, 2003

U.S. Public Law, Identity Theft Assumption and Deterrence Act of 1998, Title 18, U.S. Code, Section 1029. 1998 ed.

U.S. Public Law, Fraud and Related Activity in Relation with Access Devices Act, Title 18, U.S. Code, Section 1029. 2005 ed.

U.S. Public Law, Social Security Number Privacy and Identity Theft Prevention Act of 2003, Title 42, U.S. Code, Section 405. 2003 ed.
Additional Sources
Federal laws

U.S. Public Law, The Fair and Accurate Credit Transaction Act of 2003 (FACTA), Title 15, U.S. Code, Section 1681. 2003 ed.

U.S. Public Law, The Fair Credit Reporting Act (FCRA), Title 15 U.S. Code, Section 1681. 2001 ed.

U.S. Public Law, Gramm Leach Bliley Act, Title 12 U.S. Code, Section 1811. 1999 ed.
State laws

The Code of Alabama 1975, Section 13A-8-192- Identity theft

Alaska Statute Title 11. Criminal Law, Chapter 46. Offenses Against Property Section 565. Criminal Impersonation in the First Degree.

Arizona Revised Statutes, Title 13 Criminal Code, Chapter 20 Forgery and related offenses, 13-2008. Taking identity of another person or entity; classification

Arkansas Code, Title 5 Criminal Offences, Subtitle 4 Offences Against Property, Subchapter 2 Offences Generally, 5-37-227 Financial Identity Fraud

California Penal Code, Title 13 Of Crimes Against Property, Chapter 8 False Personation and Cheats

General Statutes of Connecticut, Volume 13, Title 53a Penal Code, Chapter 952 Offences, Section 53a-129a Identity Theft

Delaware Criminal Code, Title 11 Crimes And Criminal Procedure, Chapter 5. Specific Offenses, Subchapter III.. Offenses Involving Property, Subpart A. Arson And Related Offenses, § 854. Identity theft

District Of Columbia Official Code, Title 22. Criminal Offenses And Penalties, Chapter 32. Theft; Fraud; Stolen Property; Forgery; And Extortion, Subchapter III-C. Identity Theft, 22-3227

The Florida 2006 Statutes, Title XLVI Crimes, Chapter 817 Fraudulent Practices, Part I: False Pretenses and Frauds, Subsection 817.568 Criminal use of personal identification information

Georgia Code, Title 16 Criminal Code of Georgia, Chapter 16-9, Sections 16-9-120 – 16-9-128

Hawaii Revised Statutes, Volume 14, Chapter 708

Idaho Statutes, Title 18 Crimes And Punishments, Chapter 31 False Pretenses, Cheats And Misrepresentations, 18-3126. Misappropriation Of Personal Identifying Information.

Illinois Compiled Statutes, Chapter 720 Criminal Offenses, 720 Ilcs 5/ Criminal Code of 1961. Article 16G – Financial Identity Theft and Asset Forfeiture Law

Indiana Code, Title 35 Criminal Law and Procedure, Article 44 Offences Against Property, Chapter 4. Theft, Conversion, and Receiving Stolen Property

Iowa Code, Title XVI Criminal Law and Procedure, Subtitle 1 Crime Control and Criminal Acts, Chapter 715A Forgery and Related Fraudulent Criminal Acts, 715A.8 Identity Theft

Kansas Statutes, Chapter 21 Crimes And Punishments, Part Ii.–Prohibited Conduct, Article 40 Crimes Involving Violations Of Personal Rights, 21-4018 Identity theft; identity fraud

Kentucky Revised Statutes, Title L – Kentucky Penal Code, Chapter 514 Theft and Related Offenses, 160 Theft of Identity.
Maine Revised Statutes, Title 17a Maine Criminal Code, Part 2: Substantive Offenses, Chapter 37: Fraud, §905-A. Misuse Of Identification

Maryland Code, Criminal Laws, Title 8 Fraud and Related Crimes, Subtitle 3 Identity Fraud

The General Laws Of Massachusetts, Part Iv. Crimes, Punishments And Proceedings In Criminal Cases, Title I. Crimes And Punishments, Chapter 266. Crimes Against Property, Chapter 266: Section 37e. Use Of Personal Identification Of Another; Identity Fraud; Penalty; Restitution

Michigan Compiled Laws, Chapter 445 Trade and Commerce, Act 452 of 2004 Identity Theft Protection Act

Minnesota Statutes, Chapter 609 Criminal Code, Theft and Related Crimes, 609.527 Identity Theft

Mississippi Code, Title 97 Crimes, Chapter 19 False Pretenses and Cheats, SEC. 97-19-85. Fraudulent use of identity, social security number or other identifying information to obtain thing of value.

Missouri Revised Statutes, Title XXXVIII Crimes and Punishment; Peace Officers and Public Defenders, Chapter 570 Stealing and Related Offenses, 570.223. Identity Theft–Penalty–Restitution–Other Civil Remedies Available–Exempted Activities

Montana Code, Title 45 Crimes, Chapter 6 Offences Against Property, Part 3 Theft and Related Offences, 45-6-332 Theft of identity.

Nebraska Revised Statutes, Chapter 28 Crimes and Punishments, 28-608 Criminal Impersonation; Penalty; Restitution and 28-620 Unauthorized use of a financial transaction device; penalties; prosecution of offense.

Nevada Revised Statutes, Title 15 Crimes and Punishments, Chapter 205 Crimes Against Property, NRS 205.463 Obtaining and using personal identifying information of another person to harm person or for unlawful purpose and NRS 205.464 Obtaining, using, possessing or selling personal identifying information for unlawful purpose by public officer or public employee; penalties. And NRS 205.465 Possession or sale of document or personal identifying information to establish false status or identity; penalties.

New Hampshire Statutes, Title LXII Criminal Code, Chapter 638 Fraud, Section 638:26 Identity Fraud

New Jersey Permanent Statues, Title 2C The New Jersey Code of Criminal Justice, 2C:21-17 Impersonation; theft of identity; crime.

New Mexico Statutes and Court Rules, Chapter 30 Criminal Offences, Article 16 Larceny, 30-16-24.1. Theft of identity; obtaining identity by electronic fraud.

New York Laws, Penal, Title K Offences Involving Fraud, Article 190 Other Frauds, 190.77 Offenses involving theft of identity; definitions, and 190.78 Identity theft in the third degree, and 190.79 Identity theft in the second degree, and 190.80 Identity theft in the first degree.

North Carolina General Statutes, Chapter 14 Criminal Law, Article 19C Identity Fraud
14?113.20. Identity theft.

North Dakota Century Code, 12.1 Criminal Code, 12.1-23 Theft and Related Offences, 12.1-23-11. Unauthorized use of personal identifying information – Penalty.

Ohio Revised Code, Title XIX Crimes – Procedure, Chapter 2913 Theft and Fraud, 2913 Identity Fraud

Oklahoma Statutes, Title 21 Crimes and Punishments, 21-1533.1 Identity theft – Penalties – Civil action.

Oregon Revised Statutes, Volume 4, Chapter 165 Offenses Involving Fraud or Deception
165.800 Identity theft.

Pennsylvania Statutes, Title 18 Crimes and Offences, Chapter 41 Forgery and Fraudulent Practices, 4120. Identity theft.

State of Rhode Island General Laws, Title 11 Criminal Offences, Chapter 49.1 Impersonation and Identity Fraud

South Carolina Code Of Laws, Title 16 – Crimes and Offenses, Chapter 13 Forgery, Larceny, Embezzlement, False Pretenses and Cheats, Article 2 Personal Financial Security Act Section 16-13-510 “Financial identity fraud” and “identifying information” defined; penalty and restitution.

South Dakota Codified Laws, Title 22 Crimes, Chapter 40 Identity Crimes

Tennessee Code, Title 39 Criminal Offences, Chapter 14 Offences Against Property, Part 1 Theft, 39-14-150. Identity theft victims’ rights.

Texas Statutes, Penal Code, Chapter 32 Fraud, 32.51. Fraudulent Use or Possession of Identifying Information.

Utah Code, Title 76 Utah Criminal Code, 76-6-1101 Identity Fraud Act

Code of Virginia, Title 18.2 Crimes and Offences Generally, Chapter 6 Crimes Involving Fraud, 18.2-186.3. Identity theft; penalty; restitution; victim assistance.

Revised Code of Washington, Title 9 Crimes and Punishments, Chapter 9.35 Identity Crimes

West Virginia Code, Chapter 61 Crimes and Their Punishment, 61-3-54. Taking identity of another person; penalty.

Wisconsin Statutes, Chapter 943 Crimes Against Property, 943.201Unauthorized use of an individual’s personal identifying information or documents.

Wyoming Statutes, Title 6 Crimes and Offences, Chapter 3 Offences Against Property, Article 9 Theft of Identity, 6-3-901. Unauthorized use of personal identifying information; penalties; restitution.

New accounts and other fraud
Crimes in this relatively low occurrence category represent probably the ‘purest’ cases of identity theft and include misuses of victims’ identities to escape law enforcement authorities, obtain employment or other benefits, and visa and passport fraud. These are considered to be the most serious of the three according to the Federal Trade Commission (FTC, 2003) and are characterized by high dollar amount and out of pocket cost, longer detection time, lower discovery by financial institutions and victims’ discovery when contacted by debt collector or law enforcement. (Van Dyke, 2005)

This crime is similar to what Perl described as criminal record identity theft, and is probably best known from widely publicized accounts of Kevin Mitnick’s law enforcement evasion. It is referred to as ‘the purest form of identity theft’ since it best matches academic definitions and leaves little room for questioning whether it can be confused with other crimes. Criminals use identifiers such as name, social security number, address, date of birth, and other identifying information to establish a new identity and once the crime takes place, the criminal impersonates the victim for much longer time than in case of other types of the fraud. It is possible for this type of crime to stay completely undetected since the criminals might try to keep a clean record on their ‘new identity’. New accounts are opened using criminal’s address and paid regularly in order to avoid any unnecessary attention. Criminals use this type of fraud to obtain jobs that would otherwise not be available due to their criminal history, escape criminal prosecution, and engage in illegal immigration.

Misuse of existing non credit or account number
This type of identity theft occurs when criminals get access to various existing accounts (like bank or telephone account) and try to either make money transfers to their own account or change the ownership of the account to their own name. Characteristics of this type are: low dollar loss and out of pocket cost for victims, short detection time, most frequently detected by companies, victims first find out of the crime through company notification and statements monitoring. (Van Dyke, 2005) As Van Dyke suggests, it does not take long for these crimes to be detected since shortly after they take place, victims notice unusual activities on their accounts or experience inability to access account or use the service. Once reported, the victim is released from any liability and reimbursed for possible financial damage.

This type of fraud is not always easy to classify as identity theft. If identity theft in its core represents illegal use of other people’s personal identifiers, the question is when and if getting into victims’ accounts or stealing their telephone represents a theft of identity. Most probably this can only be decided after careful investigation of each individual case and understanding the causes and consequences. As we will se later, this is where the stakeholders start to disagree.

Misuse of existing credit card or credit card number
If the stake holders might slightly disagree whether use of an existing account represents an identity theft, when it comes to misuse of credit cards, opinions differ diagonally. The crime occurs when criminal uses victim’s credit card or credit card number (the same applies to debit cards and other forms of ‘plastic’ means of payment) to make a purchase or series of purchases. The actual cards are either stolen cards or found lost cards. When only the number is used (in so called card not present transactions) they come from various sources, including thefts from company databases, through ‘sniffing’ electronic transactions, or shoulder surfing. The occurrence is easily detected by victims by simply monitoring financial statements. Many banks today successfully employ specialized software that looks for anomalies in card transactions such as payments unusual for the card holder or payments that occur at two distant points within short period of time, and are able to prevent such transactions before they take place.

The most important characteristic of this type of fraud is that once discovered it is easily to prevent it from taking place again simply by blocking the existing card and issuing a new one. This is an automatic process, the card is blocked within seconds after the crime is detected and reported, and no records are left on victims’ credit or criminal file. In the worst case scenario, the victims are hold liable for the first $50 of the stolen amount, but in most cases are fully reimbursed for any damage.

Although even the Federal Trade Commission report (FTC, 2005) agrees that these are the least serious victimizations, these frauds are still included in all reports on identity theft. They tend to negatively affect general understanding of the problem and lead to improper course of action when it comes to prevention and fight against the crime.

References:

Federal Trade Commission (FTC), Identity Theft Survey Report, Synovate, September 2003

Federal Trade Commission (FTC), National and State Trends in Fraud & Identity Theft – January – December 2004, Federal Trade Commission, February 1, 2005

Gordon, Gary R, et al, Identity Fraud: A Critical National and Global Threat, Journal of Economic Crime Institute, Volume 2, Issue 1, Winter 2004.

Johannes, Rubina, et al, 2006 Identity Fraud Survey Report, Javelin Strategy and Research, January 2006

Perl, Michael W., It’s not always about the money: Why the state identity theft laws fail to adequately address criminal record identity theft, Journal of Criminal Law and Criminology, 94(1): 169-2008, 2003

Schneier, Bruce, Mitigating Identity Theft, Crypto-Gram Newsletter, April 15, 2005 http://www.schneier.com/crypto-gram-0504.html#2

Van Dyke, James, Reading behind the Lines: How Identity Fraud Really Happens, Javelin Strategy and Research, presented at Digital ID World conference in 2005

Webster’s New College Dictionary on Power CD, Version 2.5, Zane Publishing Inc. 1994-1996

References:

Gordon, Gary R, et al, Identity Fraud: A Critical National and Global Threat, Journal of Economic Crime Institute, Volume 2, Issue 1, Winter 2004

Johannes, Rubina, et al, 2006 Identity Fraud Survey Report, Javelin Strategy and Research, January 2006

LoPucki, Lynn M., Did Privacy Cause Identity Theft?, Hastings Law Journal, Vol. 54, No. 4, April 2003

Newman, Graeme R. and Megan M. McNally, Identity Theft Literature Review, National Institute of Justice Focus Group Meeting, July 2005

Perl, Michael W., It’s not always about the money: Why the state identity theft laws fail to adequately address criminal record identity theft, Journal of Criminal Law and Criminology, 94(1): 169-2008, 2003

Perl, Michael W., It’s not always about the money: Why the state identity theft laws fail to adequately address criminal record identity theft, Journal of Criminal Law and Criminology, 94(1): 169-2008, 2003

Schneier, Bruce, Security Matters – Solving Identity Theft, Forbes.com, January 22, 2007, 6:00 AM ET

Willox, Norman A. et al, Identity Fraud: Providing a Solution, Journal of Economic Crime Management, Volume 1, Issue 1, Summer 2002