An individual’s identity is defined most simply by the set of characteristics that enable a person to be recognized or known. There are three ways of thinking about identity:
- Identity from nature: characteristics given by the birth parents to the child (fingerprints, DNA, iris pattern)
- Identity from status: characteristics assigned to individuals by other people in society (Social Security number, credit card number)
- Identity from behavior: characteristics assigned to individuals by other people based upon the individuals’ actions (marketing profile, credit rating, criminal record)
Identity Theft Defined
Identity theft is the appropriation of another person’s personal information without permission in order to commit fraud, to steal the person’s assets, or to pretend to be the other person. Identity theft is the fastest-growing crime in the United States, according to the U.S. Federal Trade Commission (FTC). Between January and December 2004, Consumer Sentinel, the complaint database developed and maintained by the FTC, received over 635,000 consumer fraud and identity theft complaints. Consumers reported losses from fraud of more than $547 million. There are many types of identity theft, and many stakeholders besides the perpetrator and the victim are involved in identity theft. Identity theft affects all of society.
Identity Theft Techniques
To prevent identity theft, it is essential to understand who commits identity theft and how identity theft occurs. Typically, three types of people commit identity theft:
- Someone close to the victim, who knows the victim’s habits and movements
- Amateurs, who look for unsuspecting subjects and opportune moments
- Professionals, who work independently or as part of an organized group.
There are many ways to commit identity theft, some simple and some very sophisticated. Simple methods are used mostly by persons close to the victim and by amateurs. The most common simple methods are dumpster diving and social engineering. Dumpster diving is the practice of rummaging through garbage for a consumer’s personal information. Dumpster divers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting and discarding it. Social engineering methods generally use techniques that rely on human interaction to trick people. A perpetrator might try to gain the confidence of a colleague and then ask to “borrow” their user ID and password to access a secure network, or they might impersonate a communications services representative and call an unsuspecting subscriber to “verify” the Social Security number associated with the account. There are countless examples of these simple methods, and even in today’s environment, they remain very successful.
Professionals use both simple and sophisticated methods to steal identities but tend to focus on methods that can be automated since such methods can be less time-consuming and more profitable. These automated methods are usually technology-driven and include techniques such as skimming, hacking, phishing, and pharming.
- Skimming is the practice of stealing credit card information by capturing it in some form of card reader. The thief employs methods such as swiping the credit card a second time during an actual purchase or attaching a reader to an ATM where the card is swiped. Skimming occurs infrequently because of the technology required, but when it does occur, damages can be substantial.
- Hacking is the act of gaining illegal or unauthorized access to a computer system or network. Hacking is the most commonly used method for stealing an identity. Spyware on a computer can be considered hacking, even though the user may have authorized installation of the spyware. Spyware is defined as programs such as keystroke loggers and screen capture utilities, installed by a third party to monitor and observe online behavior or capture passwords and other information. Applications such as adware install themselves surreptitiously through “drive-by” downloads or by piggybacking on other applications. They track users’ behaviors and take advantage of their Internet connection. Users often unknowingly authorize spyware to be installed by clicking on the “Yes” button at the bottom of an end user license agreement.
- Phishing is a cyber attack that directs people to a fraudulent website to collect personal information. A common phishing scam is to send an email message asking a user to update an account. The perpetrator uses an attractive lure—protecting privacy—and then asks users to verify their accounts by clicking on a convenient hyperlink. A phishing scam may also lure an individual by sending an alarming message stating that a desired service is about to be terminated. Phishers often use the services of spammers to reach the widest number of possible targets. There have been literally thousands of phishing scams on the Internet.
- Pharming is a cyber attack that involves a combination of ploys such as phishing, viruses, spyware, and domain name system (DNS) server cache-poisoning or spoofing. Pharming directs people to a fraudulent website by poisoning the DNS server so that web requests are redirected. Victims think they are entering personal information on a legitimate site when in fact they are not. A pharming site will often forward the web request on to the legitimate site so users see their real data. By monitoring the traffic between the user and the intended site, a pharmer can eavesdrop on personal information and even manipulate transactions.
Identity Theft Laws
The Federal government and many state and local jurisdictions are passing laws and regulations requiring businesses to take certain actions against identity theft and to establish guidelines for notifying consumers when data breaches may have occurred. Governments are promoting consumer education and resources for preventing and, where necessary, recovering from identity theft.
Identity Theft and Business
Identity theft causes substantial financial harm to private industry. Businesses incur costs to implement identity theft prevention measures and to replace the losses suffered by the victims of identity theft. These costs are absorbed by the industry and by insurance companies, but eventually they are passed on to the consumer in the form of higher prices for products and services, higher fees, and higher interest rates. Different industry sectors are tackling this problem in the manner most appropriate for that industry and for the specific patterns of theft. Being proactive, staying ahead of the professionals, and being current and diligent in security and privacy protections are critical.
Identity Theft and Technology
Technology measures can prevent some types of identity theft. Businesses can require multifactor authentication (two indisputable sources or elements that must be supplied to verify a person’s identity). Smart card-based implementations can be adopted, such as subscriber identification modules, which prevent cloning of phones and have eliminated telephone theft/fraud, or smart card-based employee IDs, which provide strong authentication, are difficult to counterfeit, and are tamper-resistant. Countering non-technical methods of identity theft such as dumpster diving and social engineering requires human intervention and resistance. In the case of dumpster diving, for example, a paper shredder can be used to destroy paper bills.
Identity Theft Prevention
Subscribers should be aware of their rights and responsibilities for protecting themselves and request a free copy of their credit report. In the U.S., a recent amendment to the Federal Fair Credit Reporting Act requires that the national consumer reporting companies (Equifax, Experian, and TransUnion) provide consumers with a free copy of their credit report, upon request, once every 12 months. Subscribers need to make this request through the FTC website, as this is the only authorized online source. Consumers are urged to monitor their reports routinely for unusual activity. Consumers are also encouraged to be proactive:
- Stay educated about the value of identity characteristics.
- Monitor sources of identity for possible abuse or misappropriation.
- Develop an attitude of caring about identity as a personal asset.