Identity theft is the deliberate use of someone else's identity, usually as a method to gain a financial advantage or obtain credit and other benefits in the other person's name, and perhaps to the other person's disadvantage or loss. The person whose identity has been assumed may suffer adverse consequences if they are held responsible for the perpetrator's actions. Identity theft occurs when someone uses another's personally identifying information, like their name, identifying number, or credit card number, without their permission, to commit fraud or other crimes. The term identity theft was coined in 1964.
"Determining the link between data breaches and identity theft is challenging, primarily because identity theft victims often do not know how their personal information was obtained", and identity theft is not always detectable by the individual victims, according to a report done for the FTC. Identity fraud is often but not necessarily the consequence of identity theft. Someone can steal or misappropriate personal information without then committing identity theft using the information about every person, such as when a major data breach occurs. A US Government Accountability Office study determined that "most breaches have not resulted in detected incidents of identity theft". The report also warned that "the full extent is unknown". A later unpublished study by Carnegie Mellon University noted that "Most often, the causes of identity theft is not known", but reported that someone else concluded that "the probability of becoming a victim to identity theft as a result of a data breach is ... around only 2%". More recently, an association of consumer data companies noted that one of the largest data breaches ever, accounting for over four million records, resulted in only about 1,800 instances of identity theft, according to the company whose systems were breached.
An October 2010 article entitled "Cyber Crime Made Easy" explained the level to which hackers are using malicious software. As one security specialist named Gunter Ollmann said, "Interested in credit card theft? There's an app for that." This statement summed up the ease with which these hackers are accessing all kinds of information online. The new program for infecting users' computers is called Zeus; and the program is so hacker friendly that even an inexperienced hacker can operate it. Although the hacking program is easy to use, that fact does not diminish the devastating effects that Zeus (or other software like Zeus) can do to a computer and the user. For example, the article stated that programs like Zeus can steal credit card information, important documents, and even documents necessary for homeland security. If the hacker were to gain this information, it would mean identity theft or even a possible terrorist attack. The ITAC says that about 15 million Americans are having their identity stolen, in 2012.
- 1 Types
- 2 Techniques for obtaining and exploiting personal information for identity theft
- 3 Indicators that you may be a victim of identity theft
- 4 Individual identity protection
- 5 Identity protection by organizations
- 6 Legal responses
- 7 Spread and impact
- 8 See also
- 9 References
- 10 External links
- Criminal identity theft (posing as another person when apprehended for a crime)
- Financial identity theft (using another's identity to obtain credit, goods and services)
- Identity cloning (using another's information to assume his or her identity in daily life)
- Medical identity theft (using another's identity to obtain medical care or drugs)
- Child identity theft.
Identity theft may be used to facilitate or fund other crimes including illegal immigration, terrorism, phishing and espionage. There are cases of identity cloning to attack payment systems, including online credit card processing and medical insurance.
Identity cloning and concealment
In this situation, the identity thief impersonates someone else in order to conceal their own true identity. Examples might be illegal immigrants, people hiding from creditors or other individuals, or those who simply want to become "anonymous" for personal reasons. Another example are posers, a label given to people who use somebody else's photos and information through social networking sites. Mostly, posers create believable stories involving friends of the real person they are imitating. Unlike identity theft used to obtain credit which usually comes to light when the debts mount, concealment may continue indefinitely without being detected, particularly if the identity thief is able to obtain false credentials in order to pass various authentication tests in everyday life.
Criminal identity theft
When a criminal fraudulently identifies himself to police as another individual at the point of arrest, it is sometimes referred to as "Criminal Identity Theft." In some cases criminals have previously obtained state-issued identity documents using credentials stolen from others, or have simply presented fake ID. Provided the subterfuge works, charges may be placed under the victim's name, letting the criminal off the hook. Victims might only learn of such incidents by chance, for example by receiving court summons, discovering their drivers licenses are suspended when stopped for minor traffic violations, or through background checks performed for employment purposes.
It can be difficult for the victim of a criminal identity theft to clear their record. The steps required to clear the victim's incorrect criminal record depend in which jurisdiction the crime occurred and whether the true identity of the criminal can be determined. The victim might need to locate the original arresting officers and prove their own identity by some reliable means such as fingerprinting or DNA testing, and may need to go to a court hearing to be cleared of the charges. Obtaining an expungement of court records may also be required. Authorities might permanently maintain the victim's name as an alias for the criminal's true identity in their criminal records databases. One problem that victims of criminal identity theft may encounter is that various data aggregators might still have the incorrect criminal records in their databases even after court and police records are corrected. Thus it is possible that a future background check will return the incorrect criminal records. This is just one example of the kinds of impact that may continue to affect the victims of identity theft for some months or even years after the crime, aside from the psychological trauma that being 'cloned' typically engenders.
Synthetic identity theft
A variation of identity theft which has recently become more common is synthetic identity theft, in which identities are completely or partially fabricated. The most common technique involves combining a real social security number with a name and birthdate other than the ones associated with the number. Synthetic identity theft is more difficult to track as it doesn't show on either person's credit report directly, but may appear as an entirely new file in the credit bureau or as a subfile on one of the victim's credit reports. Synthetic identity theft primarily harms the creditors who unwittingly grant the fraudsters credit. Individual victims can be affected if their names become confused with the synthetic identities, or if negative information in their subfiles impacts their credit ratings.
Medical identity theft
Privacy researcher Pam Dixon, founder of the World Privacy Forum, coined the term medical identity theft and released the first major report about this issue in 2006. In the report, she defined the crime for the first time and made the plight of victims public. The report's definition of the crime is that medical identity theft occurs when someone seeks medical care under the identity of another person. Insurance theft is also very common, if a thief has your insurance information and or your insurance card, they can seek medical attention posing as yourself. In addition to risks of financial harm common to all forms of identity theft, the thief's medical history may be added to the victim's medical records. Inaccurate information in the victim's records is difficult to correct and may affect future insurability or cause doctors relying on the misinformation to deliver inappropriate medical care. After the publication of the report, which contained a recommendation that consumers receive notifications of medical data breach incidents, California passed a law requiring this, and then finally HIPAA was expanded to also require medical breach notification when breaches affect 500 or more people. Data collected and stored by hospitals and other organisations such as medical aid schemes is up to 10 times more valuable to cybercriminals than credit card information.
Child identity theft
Child identity theft occurs when a minor's identity is used by another person for the impostor's personal gain. The impostor can be a family member, a friend, or even a stranger who targets children. The Social Security numbers of children are valued because they do not have any information associated with them. Thieves can establish lines of credit, obtain driver's licenses, or even buy a house using a child's identity. This fraud can go undetected for years, as most children do not discover the problem until years later. Child identity theft is fairly common, and studies have shown that the problem is growing. The largest study on child identity theft, as reported by Richard Power of the Carnegie Mellon Cylab with data supplied by AllClear ID, found that of 40,000 children, 10.2% were victims of identity theft.
Financial identity theft
The most common type is financial identity theft, where someone wants to gain economical benefits in someone else's name. This includes getting credits, loans, goods and services, claiming to be someone else.
Techniques for obtaining and exploiting personal information for identity theft
Identity thieves typically obtain and exploit personally identifiable information about individuals, or various credentials they use to authenticate themselves, in order to impersonate them. Examples include:
- Rummaging through rubbish for personal information (dumpster diving)
- Retrieving personal data from redundant IT equipment and storage media including PCs, servers, PDAs, mobile phones, USB memory sticks and hard drives that have been disposed of carelessly at public dump sites, given away or sold on without having been properly sanitized
- Using public records about individual citizens, published in official registers such as electoral rolls
- Stealing bank or credit cards, identification cards, passports, authentication tokens ... typically by pickpocketing, housebreaking or mail theft
- Common-knowledge questioning schemes that offer account verification and compromise: "What's your mother's maiden name?", "what was your first car model?", or "What was your first pet's name?", etc.
- Skimming information from bank or credit cards using compromised or hand-held card readers, and creating clone cards
- Using 'contactless' credit card readers to acquire data wirelessly from RFID-enabled passports
- Shoulder-Surfing, involves an individual who discreetly watches or hears others providing valuable personal information. This is particularly done in crowded places because it is relatively easy to observe someone as they fill out forms, enter PIN numbers on ATM's or even type passwords on smartphones.
- Stealing personal information from computers using breaches in browser security or malware such as Trojan horse keystroke logging programs or other forms of spyware
- Hacking computer networks, systems and databases to obtain personal data, often in large quantities
- Exploiting breaches that result in the publication or more limited disclosure of personal information such as names, addresses, Social Security number or credit card numbers
- Advertising bogus job offers in order to accumulate resumes and applications typically disclosing applicants' names, home and email addresses, telephone numbers and sometimes their banking details
- Exploiting insider access and abusing the rights of privileged IT users to access personal data on their employers' systems
- Infiltrating organizations that store and process large amounts or particularly valuable personal information
- Impersonating trusted organizations in emails, SMS text messages, phone calls or other forms of communication in order to dupe victims into disclosing their personal information or login credentials, typically on a fake corporate website or data collection form (phishing)
- Brute-force attacking weak passwords and using inspired guesswork to compromise weak password reset questions
- Obtaining castings of fingers for falsifying fingerprint identification.
- Browsing social networking websites for personal details published by users, often using this information to appear more credible in subsequent social engineering activities
- Diverting victims' email or post in order to obtain personal information and credentials such as credit cards, billing and bank/credit card statements, or to delay the discovery of new accounts and credit agreements opened by the identity thieves in the victims' names
- Using false pretenses to trick individuals, customer service representatives and help desk workers into disclosing personal information and login details or changing user passwords/access rights (pretexting)
- Stealing cheques (checks) to acquire banking information, including account numbers and bank routing numbers or sort code
- Guessing Social Security numbers by using information found on Internet social networks such as Facebook and MySpace
- Low security/privacy protection on photos that are easily clickable and downloaded on social networking sites.
- Befriending strangers on social networks and taking advantage of their trust until private information is given.
Indicators that you may be a victim of identity theft
The majority of identity theft victims do not realize that they are a victim until it has negatively impacted their lives. Many people do not find out that their identities have been stolen until they are contacted by financial institutions or discover suspicious activities on their bank accounts. According to an article by Herb Weisbaum, everyone in the US should assume that their personal information has been compromised at one point. It is therefore of great importance to watch out for warning signs that your identity has been compromised. The following are ten indicators that someone else might be using your identity.
- Credit or debit card charges for goods or services you are not aware of, including unauthorized withdrawals from your account
- Receiving calls from credit or debit card fraud control department warning of possible suspicious activity on your credit card account
- Receiving credit cards that you did not apply for
- Receiving information that a credit scoring investigation was done. They are often done when a loan or phone subscription was applied for.
- Checks bouncing for lack of enough money in your account to cover the amount. This might be as a result of unauthorized withdrawals from your account
- Identity theft criminals may commit crimes with your personal information. You may not realize this until you see the police on your door arresting you for crimes that you did not commit
- Sudden changes to your credit score may indicate that someone else is using your credit cards
- Bills for services like gas, water, electricity not arriving in time. This can be an indication that your mail was stolen or redirected
- Being not approved for loans because your credit report indicates that you are not credit worthy
- Receiving notification from your post office informing you that your mails are being forwarded to another unknown address
- Your yearly tax returns indicating that you have earned more than you have actually earned. This might indicate that someone is using your national identification number e.g. SSN to report their earnings to the tax authorities
Individual identity protection
The acquisition of personal identifiers is made possible through serious breaches of privacy. For consumers, this is usually a result of them naively providing their personal information or login credentials to the identity thieves as a result of being duped but identity-related documents such as credit cards, bank statements, utility bills, checkbooks etc. may also be physically stolen from vehicles, homes, offices, and not the least letter boxes, or directly from victims by pickpockets and bag snatchers. Guardianship of personal identifiers by consumers is the most common intervention strategy recommended by the US Federal Trade Commission, Canadian Phone Busters and most sites that address identity theft. Such organizations offer recommendations on how individuals can prevent their information falling into the wrong hands.
Identity theft can be partially mitigated by not identifying oneself unnecessarily (a form of information security control known as risk avoidance). This implies that organizations, IT systems and procedures should not demand excessive amounts of personal information or credentials for identification and authentication. Requiring, storing and processing personal identifiers (such as Social Security number, national identification number, driver's license number, credit card number, etc.) increases the risks of identity theft unless this valuable personal information is adequately secured at all times. Committing personal identifiers to memory is a sound practice that can reduce the risks of a would-be identity thief from obtaining these records. To help in remembering numbers such as social security numbers and credit card numbers, it is helpful to consider using mnemonic techniques or memory aids such as the mnemonic Major System.
Identity thieves sometimes impersonate dead people, using personal information obtained from death notices, gravestones and other sources to exploit delays between the death and the closure of the person's accounts, the inattentiveness of grieving families and weaknesses in the processes for credit-checking. Such crimes may continue for some time until the deceased's families or the authorities notice and react to anomalies.
In recent years, commercial identity theft protection/insurance services have become available in many countries. These services purport to help protect the individual from identity theft or help detect that identity theft has occurred in exchange for a monthly or annual membership fee or premium. The services typically work either by setting fraud alerts on the individual's credit files with the three major credit bureaus or by setting up credit report monitoring with the credit bureaux. While identity theft protection/insurance services have been heavily marketed, their value has been called into question.
Identity protection by organizations
In their May 1998 testimony before the United States Senate, the Federal Trade Commission (FTC) discussed the sale of Social Security numbers and other personal identifiers by credit-raters and data miners. The FTC agreed to the industry's self-regulating principles restricting access to information on credit reports. According to the industry, the restrictions vary according to the category of customer. Credit reporting agencies gather and disclose personal and credit information to a wide business client base.
Poor stewardship of personal data by organizations, resulting in unauthorized access to sensitive data, can expose individuals to the risk of identity theft. The Privacy Rights Clearinghouse has documented over 900 individual data breaches by US companies and government agencies since January 2005, which together have involved over 200 million total records containing sensitive personal information, many containing social security numbers. Poor corporate diligence standards which can result in data breaches include:
- failure to shred confidential information before throwing it into dumpsters
- failure to ensure adequate network security
- credit card numbers stolen by call center agents and people with access to call recordings
- the theft of laptop computers or portable media being carried off-site containing vast amounts of personal information. The use of strong encryption on these devices can reduce the chance of data being misused should a criminal obtain them.
- the brokerage of personal information to other businesses without ensuring that the purchaser maintains adequate security controls
- Failure of governments, when registering sole proprietorships, partnerships, and corporations, to determine if the officers listed in the Articles of Incorporation are who they say they are. This potentially allows criminals access to personal information through credit rating and data mining services.
The failure of corporate or government organizations to protect consumer privacy, client confidentiality and political privacy has been criticized for facilitating the acquisition of personal identifiers by criminals.
Using various types of biometric information, such as fingerprints, for identification and authentication has been cited as a way to thwart identity thieves, however there are technological limitations and privacy concerns associated with these methods as well.
In March 2014, after it was learned two passengers with stolen passports were on board Malaysia Airlines Flight 370 which went missing on March 8, 2014, it came to light that Interpol maintains a database of 40 million lost and stolen travel documents from 157 countries which it makes available to governments and the public, including airlines and hotels. The Stolen and Lost Travel Documents (SLTD) database however is little used. Big News Network which is based in the UAE, observed that Interpol Secretary General Ronald K. Noble told a forum in Abu Dhabi the previous month this was the case. "The bad news is that, despite being incredibly cost effective and deployable to virtually anywhere in the world, only a handful of countries are systematically using SLTD to screen travelers. The result is a major gap in our global security apparatus that is left vulnerable to exploitation by criminals and terrorists," Noble is quoted as saying.
In Australia, each state has enacted laws that deal with different aspects of identity or fraud issues. Some states have now amended relevant criminal laws to reflect crimes of identity theft, such as the Criminal Law Consolidation Act 1935 (SA), Crimes Amendment (Fraud, Identity and Forgery Offences) Act 2009 and also in Queensland under the Criminal Code 1899 (QLD). Other states and territories are in states of development in respect of regulatory frameworks relating to identity theft such as Western Australia in respect of Criminal Code Amendment (Identity Crime) Bill 2009.
On the Commonwealth level, under the Criminal Code Amendment (Theft, Fraud, Bribery & Related Offences) Act 2000 which amended certain provisions within the Criminal Code Act 1995,
135.1 General dishonesty
(3) A person is guilty of an offence if a) the person does anything with the intention of dishonestly causing a loss to another person; and b) the other person is a Commonwealth entity. Penalty: Imprisonment for 5 years.
Likewise, each state has enacted their own privacy laws to prevent misuse of personal information and data. The Commonwealth Privacy Act is applicable only to Commonwealth and territory agencies, and to certain private sector bodies (where for example they deal with sensitive records, such as medical records, or they have more than $3 million turnover PA).
Under section 402.2 of the Criminal Code,
Everyone commits an offence who knowingly obtains or possesses another person's identity information in circumstances giving rise to a reasonable inference that the information is intended to be used to commit an indictable offence that includes fraud, deceit or falsehood as an element of the offence.
is guilty of an indictable offence and liable to imprisonment for a term of not more than five years; or is guilty of an offence punishable on summary conviction.
Under section 403 of the Criminal Code,
(1) Everyone commits an offence who fraudulently personates another person, living or dead,
(a) with intent to gain advantage for themselves or another person; (b) with intent to obtain any property or an interest in any property; (c) with intent to cause disadvantage to the person being personated or another person; or (d) with intent to avoid arrest or prosecution or to obstruct, pervert or defeat the course of justice. is guilty of an indictable offence and liable to imprisonment for a term of not more than 10 years; or guilty of an offence punishable on summary conviction.
In Canada, Privacy Act (federal legislation) covers only federal government, agencies and crown corporations. Each province and territory has its own privacy law and privacy commissioners to limit the storage and use of personal data. For the private sector, the purpose of the Personal Information Protection and Electronic Documents Act ( 2000, c. 5 ) (known as PIPEDA) is to establish rules to govern the collection, use and disclosure of personal information; except for the provinces of Quebec, Ontario, Alberta and British Columbia where provincial laws have been deemed substantially similar.
Under HK Laws. Chap 210 Theft Ordinance, sec. 16A Fraud
(1) If any person by any deceit (whether or not the deceit is the sole or main inducement) and with intent to defraud induces another person to commit an act or make an omission, which results either-
(a) in benefit to any person other than the second-mentioned person; or (b) in prejudice or a substantial risk of prejudice to any person other than the first-mentioned person, the first-mentioned person commits the offense of fraud and is liable on conviction upon indictment to imprisonment for 14 years.
Under the Personal Data (Privacy) Ordinance, it established the post of Privacy Commissioner for Personal Data and mandate how much personal information one can collect, retain and destruction. This legislation also provides citizens the right to request information held by businesses and government to the extent provided by this law.
Under the Information Technology Act 2000 Chapter IX Sec 66C
PUNISHMENT FOR IDENTITY THEFT Whoever, fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.
Social networking sites are one of the most famous spreader of posers in the online community, giving the users freedom to place any information they want without any verification that the account is being used by the real person.
Philippines, which ranks eighth in the numbers of users of Facebook and other social networking sites such as Twitter, Multiply and Tumblr, has been known as source of various identity theft problems. Identities of those people who carelessly put personal information on their profiles can easily be stolen just by simple browsing. There are people who meet online, get to know each other through the free Facebook chat and exchange of messages that then leads to sharing of private information. Others get romantically involved with their online friends that they tend to give too much information such as their social security number, bank account and even personal basic information such as home address and company address.
This phenomenon lead to the creation of Senate Bill 52: Cybercrime Prevention Act of 2010. Section 2 of this bill states that it recognizes the importance of communication and multimedia for the development, exploitation and dissemination of information but violators will be punished by the law through imprisonment or a fine upwards of Php200,000, but not exceeding 1 million, or depending on the damage caused, or both (Section 7).
Sweden has had relatively few problems with identity theft. This is because only Swedish identity documents have been accepted for identity verification. Stolen documents are traceable by banks and some other institutions. The banks have the duty to check the identity of people withdrawing money or getting loans. If a bank gives money to someone using an identity document reported as stolen, the bank must take the loss. Since 2008, any EU passport is valid in Sweden for identity check, and Swedish passports are valid all over the EU. This makes it harder to detect stolen documents, but still banks in Sweden must ensure that stolen documents are not accepted.
Other types of identity theft have become more common in Sweden. One common example is ordering a credit card to someone who has an unlocked letterbox and is not home in the daytime. The thief steals the letter with the credit card and then the letter with the code which typically arrives a few days later. Usage of a stolen credit card is hard in Sweden, since an identity document or a PIN code it is normally demanded. If the shop does not demand that, it must take the loss from stolen credit cards. The method of observing someone using the credit card PIN code, stealing the card or skimming it, and then using the card, has become more common.
Legally, Sweden is an open society. The Principle of Public Access says that all information kept by public authorities must be available for anyone except in certain cases. Specifically, anyone's address, income, taxes etc. are available to anyone. This makes fraud easier (the address is restricted only for people who needs to hide).
There was until 2016 no legal ban specifically against using someone's identity, only on the indirect damage caused. To impersonate someone else for financial gain is a kind of fraud, which is described in the Criminal Code (Swedish: brottsbalken). To impersonate someone else to discredit someone by breaking into social media accounts and provoke, is libel, but that is hard to sentence someone for. A new law was introduced late 2016 which partially banned unpermitted identity usage.
In the United Kingdom personal data is protected by the Data Protection Act 1998. The Act covers all personal data which an organization may hold, including names, birthday and anniversary dates, addresses, telephone numbers, etc.
Under English law (which extends to Wales but not to Northern Ireland or Scotland), the deception offences under the Theft Act 1968 increasingly contend with identity theft situations. In R v Seward (2005) EWCA Crim 1941 the defendant was acting as the "front man" in the use of stolen credit cards and other documents to obtain goods. He obtained goods to the value of £10,000 for others who are unlikely ever to be identified. The Court of Appeal considered sentencing policy for deception offenses involving "identity theft" and concluded that a prison sentence was required. Henriques J. said at para 14:"Identity fraud is a particularly pernicious and prevalent form of dishonesty calling for, in our judgment, deterrent sentences."
Statistics released by CIFAS - The UK's Fraud Prevention Service show that there were 89,000 victims of identity theft in the UK 2010. This compared with 2009 where there were 85,000 victims. Men in their 30s and 40s are the most common UK victims and identity fraud now accounts for nearly half of all frauds recorded.
The increase in crimes of identity theft led to the drafting of the Identity Theft and Assumption Deterrence Act. In 1998, The Federal Trade Commission appeared before the United States Senate. The FTC discussed crimes which exploit consumer credit to commit loan fraud, mortgage fraud, lines-of-credit fraud, credit card fraud, commodities and services frauds. The Identity Theft Deterrence Act (2003)[ITADA] amended U.S. Code Title 18, § 1028 ("Fraud related to activity in connection with identification documents, authentication features, and information"). The statute now makes the possession of any "means of identification" to "knowingly transfer, possess, or use without lawful authority" a federal crime, alongside unlawful possession of identification documents. However, for federal jurisdiction to prosecute, the crime must include an "identification document" that either: (a) is purportedly issued by the United States, (b) is used or intended to defraud the United States, (c) is sent through the mail, or (d) is used in a manner that affects interstate or foreign commerce. See 18 U.S.C. § 1028(c). Punishment can be up to 5, 15, 20, or 30 years in federal prison, plus fines, depending on the underlying crime per 18 U.S.C. § 1028(b). In addition, punishments for the unlawful use of a "means of identification" were strengthened in § 1028A ("Aggravated Identity Theft"), allowing for a consecutive sentence under specific enumerated felony violations as defined in § 1028A(c)(1) through (11).
The Act also provides the Federal Trade Commission with authority to track the number of incidents and the dollar value of losses. Their figures relate mainly to consumer financial crimes and not the broader range of all identification-based crimes.
If charges are brought by state or local law enforcement agencies, different penalties apply depending on the state.
Six Federal agencies conducted a joint task force to increase the ability to detect identity theft. Their joint recommendation on "red flag" guidelines is a set of requirements on financial institutions and other entities which furnish credit data to credit reporting services to develop written plans for detecting identity theft. The FTC has determined that most medical practices are considered creditors and are subject to requirements to develop a plan to prevent and respond to patient identity theft. These plans must be adopted by each organization's Board of Directors and monitored by senior executives.
Identity theft complaints as a percentage of all fraud complaints decreased from 2004-2006. The Federal Trade Commission reported that fraud complaints in general were growing faster than ID theft complaints. The findings were similar in two other FTC studies done in 2003 and 2005. In 2003, 4.6 percent of the US population said they were a victim of ID theft. In 2005, that number had dropped to 3.7 percent of the population. The Commission's 2003 estimate was that identity theft accounted for some $52.6 billion of losses in the preceding year alone and affected more than 9.91 million Americans; the figure comprises $47.6 billion lost by businesses and $5 billion lost by consumers.
According to the U.S. Bureau of Justice Statistics, in 2010, 7% of US households experienced identity theft - up from 5.5% in 2005 when the figures were first assembled, but broadly flat since 2007. In 2012, approximately 16.6 million persons, or 7% of all U.S. residents age 16 or older, reported being victims of one or more incidents of identity theft.
In 2009, Indiana created an Identity Theft Unit within their Office of Attorney General to educate and assist consumers in avoiding and recovering from identity theft as well as assist law enforcement in investigating and prosecuting identity theft crimes.
In Massachusetts in 2009-2010, Governor Deval Patrick made a commitment to balance consumer protection with the needs of small business owners. His Office of Consumer Affairs and Business Regulation announced certain adjustments to Massachusetts' identity theft regulations that maintain protections and also allows flexibility in compliance. These updated regulations went into effect on March 1, 2010. The regulations are clear that their approach to data security is a risk-based approach important to small businesses and might not handle a lot of personal information about customers.
The IRS has created the IRS Identity Protection Specialized Unit to help taxpayers' who are victims of federal tax-related identity theft. Generally, the identity thief will use a stolen SSN to file a forged tax return and attempt to get a fraudulent refund early in the filing season. A taxpayer will need to fill out Form 14039, Identity Theft Affidavit.
Most states followed California's lead and enacted mandatory data breach notification laws. As a result, companies that report a data breach typically report it to all their customers.
Spread and impact
Surveys in the USA from 2003 to 2006 showed a decrease in the total number of victims and a decrease in the total value of identity fraud from US$47.6 billion in 2003 to $15.6 billion in 2006. The average fraud per person decreased from $4,789 in 2003 to $1,882 in 2006. A Microsoft report shows that this drop is due to statistical problems with the methodology, that such survey-based estimates are "hopelessly flawed" and exaggerate the true losses by orders of magnitude.
The 2003 survey from the Identity Theft Resource Center found that:
- Only 15% of victims find out about the theft through proactive action taken by a business
- The average time spent by victims resolving the problem is about 330 hours
- 73% of respondents indicated the crime involved the thief acquiring a credit card
In a widely publicized account, Michelle Brown, a victim of identity fraud, testified before a U.S. Senate Committee Hearing on Identity Theft. Ms. Brown testified that: "over a year and a half from January 1998 through July 1999, one individual impersonated me to procure over $50,000 in goods and services. Not only did she damage my credit, but she escalated her crimes to a level that I never truly expected: she engaged in drug trafficking. The crime resulted in my erroneous arrest record, a warrant out for my arrest, and eventually, a prison record when she was booked under my name as an inmate in the Chicago Federal Prison."
In the United Kingdom, the Home Office reported that identity fraud costs the UK economy £1.2 billion annually (experts believe that the real figure could be much higher) although privacy groups object to the validity of these numbers, arguing that they are being used by the government to push for introduction of national ID cards. Confusion over exactly what constitutes identity theft has led to claims that statistics may be exaggerated. An extensively reported study from Microsoft Research in 2011 finds that estimates of identity theft losses contain enormous exaggerations, writing that surveys "are so compromised and biased that no faith whatever can be placed in their findings."
- 2007 UK child benefit data misplacement
- 201 CMR 17.00 (Massachusetts personal information protection law)
- Bank fraud
- Browser security
- Capgras delusion
- Carding (fraud)
- Check fraud
- Check washing
- Civil Identity Program of the Americas
- Credit card fraud
- Fair and Accurate Credit Transactions Act
- Fair Credit Billing Act
- Fair Credit Reporting Act
- Ghosting (identity theft)
- Hijacked journal
- Identity Based Security
- Identity document forgery
- Identity fraud
- Identity score
- Immigration and Customs Enforcement
- Internet fraud prevention
- Internet security
- Lapsed lurker
- Network security
- Robert Siciliano
- United States Postal Inspection Service
- United States Secret Service
- Wireless identity theft
Notable identity thieves
- Synthetic ID Theft Cyber Space Times Archived October 9, 2015, at the Wayback Machine.
- Hoofnagle, Chris Jay, Identity Theft: Making the Known Unknowns Known. Harvard Journal of Law and Technology, Vol. 21, Fall 2007[permanent dead link]
- "Oxford English Dictionary online". Oxford University Press. September 2007. Retrieved 27 September 2010.
- Federal Trade Commission – 2006 Identity Theft Survey Report, p.4
- "Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown" (PDF). Highlights of GAO-07-737, a report to congressional requesters. gao.gov. Retrieved 22 September 2010.
- Sasha Romanosky. "Do Data Breach Disclosure Laws Reduce Identity Theft?" (PDF). Heinz First Research Paper. heinz.cmu.edu.
- Giles, Jim. "Cyber Crime Made Easy." New Scientist 205.2752 (2010): 20-21. Academic Search Premier. EBSCO. Web. 3 Oct. 2010.
- "Identity Theft Resource Center website". idtheftcenter.org.
- "Medical Identity Theft: What to Do if You are a Victim (or are concerned about it)"., World Privacy Forum
- "Privacy Rights Clearinghouse". - "Fact Sheet 17g: Criminal Identity Theft: What to Do if It Happens to You "
- In re Marie A. COLOKATHIS, Catherine Bauer, M.D., Plaintiff v. Marie Colokathis, 417 B.R. 150 (2009) Archived July 19, 2015, at the Wayback Machine.
- McFadden, Leslie (2007-05-16). "Detecting synthetic identity fraud". Bankrate.com. pp. 1–2. Retrieved 2008-09-21.
- "Get to Know These Common Types of ID Theft". iGrad. Retrieved 2016-09-29.
- "The Medical Identity Theft Information Page". World Privacy Forum. Retrieved 26 November 2012.
- "Correcting Misinformation on Medical Records". Identity Theft Resource Center.
- "What is Financial Identity Theft". ID Theft Center. Retrieved 3 December 2014.
- Loviglio, Joann (March 2012). "If Microsoft co-founder's ID isn't safe, is yours?". msnbc.com.
- "Identity Theft"., Douglas County Sheriff's Office, Washington
- Olmos, David (2009-07-06). "Social Security Numbers Can Be Guessed From Data, Study Finds". Bloomberg. Retrieved 2011-01-04.
- Weisbaum, Herb (2014-01-18). "Seven signs you're a victim of identity theft". CNBC. Retrieved 2016-11-12.
- Hoffman, Sandra K (2009). Identity Theft : A Reference Handbook. Santa Barbara, US: ABC-CLIO. pp. 42–44. ISBN 9781598841442 – via Contemporary World Issues.
- Arata, Michael J. (2010). For Dummies : Identity Theft For Dummies (1). Hoboken, US: For Dummies. pp. 43–45. ISBN 9780470622735 – via ProQuest ebrary.
- U.S. News Staff (July 7, 2015). "10 Signs You Might Be a Victim of Identity Theft". money.usnews.com. U.S. News. Retrieved November 12, 2016.
- IDtheftcenter.org Archived April 17, 2016, at the Wayback Machine., Identity Theft Resource Center Fact Sheet 117 Identity Theft and the Deceased - Prevention and Victim Tips.
- "Identity Theft Protection Services". retrieved on 2008-12-16
- "Identity-Theft Protection: What Services Can You Trust?". PC World.com, retrieved on 2008-12-16
- "Testimony before the Subcommittee on Technology, Terrorism and Government Information"., Committee of the Judiciary, United States Senate May 20, 1998 pp 5,6
- A Chronology of Data Breaches Archived June 13, 2010, at the Wayback Machine.
- Internet Identity Theft - A Tragedy for Victims Archived April 22, 2011, at the Wayback Machine., Software and Information Industry Association. Retrieved June 30, 2006.
- "Airlines and governments not checking stolen passports register". The Daily Telegraph. Retrieved September 11, 2014.
- "The Information Technology Act 2000" (PDF). Retrieved 2013-08-20.
- List Of Facebook Users By Country Wise Top Ranking 2016 Archived March 10, 2016, at the Wayback Machine.
- Full Text of Senate Bill 52 (Proposing the Cybercrime Prevention Act of 2010) Archived August 16, 2016, at the Wayback Machine.
- SFS 2016:485 Lag om ändring i brottsbalken
- "R v Seward (2005) EWCA Crim 1941".
- "CIFAS: your identity"., CIFAS
- "UK Fraud Prevention Agency Say ID Theft Increase of 32% in 2009"., Identity Theft UK Blog, 3 February 2010[unreliable source?]
- "The most likely victims of identity fraud: men in their late 30s and early 40s"., Protect MY ID Blog, 21 January 2011[unreliable source?]
- "Fraudscape: report reveals the UK's fraud landscape in 2010"., CIFAS
- "FTC.gov"., Public Law 105-318, 112 Stat. 3007 (Oct. 30, 1998)
- "Prepared Statement of the Federal Trade Commission on "Identity Theft""., May 20, 1998
- Doyle, Charles. (2013). Mandatory Minimum Sentencing: Federal Aggravated Identity Theft. Archived October 11, 2016, at the Wayback Machine. Washington, D.C.: Congressional Research Service.
- Federal Trade Commission. Retrieved June 30, 2006. Archived January 31, 2006, at the Wayback Machine.
- Michael,Sara "Getting Red Flag Ready". PhysiciansPractice.com, 2009-05-21. Retrieved July 2, 2009.
- 72 Fed. Reg. 70944 Archived February 17, 2013, at the Wayback Machine. (PDF). Retrieved 2008-01-29.
- Law Enforcement Contact1 January 1 December 31, 2001 Archived September 11, 2008, at the Wayback Machine.
-  Archived May 16, 2008, at the Wayback Machine.
- Federal Trade Commission: 2006 Identity Theft Survey Report: Prepared for the Commission by Synovate (November 2007) Archived September 11, 2008, at the Wayback Machine.
- "FTC.gov"., releases Survey of Identity Theft in U.S. 27.3 Million Victims in past 5 Years, Billions in Losses for Businesses and Consumers
- "Identity Theft Reported by Households, 2005-2010" (PDF). Bureau of Justice Statistics. 2011. Retrieved 2013-06-24.
- Harrell, Erika and Lynn Langton. (2013). Victims of Identity Theft, 2012. Archived September 7, 2016, at the Wayback Machine. Washington, D.C. U.S. Department of Justice, Bureau of Justice Statistics.
- "California Office of Identity Protection".
- "Wisconsin's Office of Privacy Protection".
- "Archived copy" (PDF). Archived (PDF) from the original on 2013-10-04. Retrieved 2013-10-03.
- "Attorney General: ID Theft Prevention". In.gov. 2013-12-06. Retrieved 2014-01-24.
- "Consumer Identity Theft". Commonwealth of Massachusetts, 2010 Archived November 5, 2011, at the Wayback Machine.
- "Frequently Asked Question Regarding 201 CMR 17.00" Archived August 11, 2011, at the Wayback Machine., Commonwealth of Massachusetts, Office of Consumer Affairs and Business Regulation, November 3, 2009
- "Taxpayer Guide to Identity Theft". IRS.gov. US Internal Revenue Service. Retrieved 2012-06-29.
- "Form 14039" (PDF). IRS website. US Internal Revenue Service. Retrieved 2012-06-29.
- "ALERT: Beware of Phishing Scam Mentioning TAS". Taxpayer Advocate. Retrieved 18 December 2014.
- "States Offer Data Breach Protection"., NAAG
- "Sex, Lies and Cybercrime Surveys" (PDF). Microsoft. 2011-06-15. Retrieved 2015-03-11.
- "Verbal Testimony by Michelle Brown"., July 2000, U.S. Senate Committee Hearing on the Judiciary Subcommittee on Technology, Terrorism and Government Information – "Identity Theft: How to Protect and Restore Your Good Name"
- Identity Crime Research and Coordination Archived December 30, 2005, at the Wayback Machine., Australasian Center for Policing Research. Retrieved June 30, 2006.
- Home Office (May 26, 2004). "What is Identity theft?". identitytheft.co.uk. Retrieved September 27, 2010.
- "Free help, tips and advice on avoiding and dealing with Identity Theft". identity-theft.weebly.com.
- Bruce Schneier. "Identity Theft Over-Reported". Retrieved June 30, 2006.
- "Hi-tech crime and sexual partner surveys 'biased'". BBC. June 10, 2011.
- "Measuring the black web". The Economist. October 15, 2011.
- Florencio, D.; Herley, C. "Sex, Lies and Cybercrime Surveys" (PDF). Proc. WEIS.
|Wikimedia Commons has media related to Identity theft.|
- Identity theft – United States Federal Trade Commission
- Identity Theft Recovery Plan FTC steps for identity theft victims.
- The President's Task Force on Identity Theft – a government task force established by US President George W. Bush to fight identity theft.
- Identity theft at DMOZ
- Identity Theft – Carnegie Mellon University
- Identity Theft: A Research Review, National Institute of Justice 2007
- Identity Theft and Fraud – United States Department of Justice
- Dateline NBC investigation 'To Catch an ID Thief'
- "Transcript of Attorney General Alberto R. Gonzales and FTC Chairman Deborah Platt Majoras Announcing the Release of the President's Identity Theft Task Force". US Department of Justice. April 23, 2007. Archived from the original on September 11, 2007. Retrieved 2007-04-24.
- Roxana, Hegeman (March 25, 2013). "Woman Gets Prison Time in 'Total Identity Theft' - ABC News". ABC News. Retrieved March 27, 2013.
- Scam on the Run - Fugitive Identity Thief Led Global Criminal Enterprise FBI