Chapter 1
Introduction
Introduction
āI donāt need to worry about identity theft because no one wants to be me.ā
The information age has brought many benefits to consumers, organizations and government agencies. We have ready access over the Internet to a huge range of information that can satisfy just about anyoneās needs, we can communicate with people and organizations in ways unheard of even a decade ago, and consumers, businesses and governments can transact business over the Internet. But along with the speed and convenience of all these innovations has come an enormous increase in the incidence of related risks, such as identity theft, fraud and cyber-extortion by criminals. These criminals can work in anonymity from any country around the world, shielded from unsuspecting citizens and organizations by sophisticated techniques that continue to evolve constantly. The rapidly expanding availability of information and communications technology (ICT) has vastly increased the amount of confidential information at risk, exacerbating the potential for financial and reputational loss to firms and consumers alike through identity theft and fraud.
Identity theft and fraud (IDTF), whereby criminals use another personās personal identity and other relevant information in unauthorized ways, have become a significant and growing problem throughout the world. There is much public confusion about the definition of identity theft. Because of this, we differentiate between identity theft and identity fraud in this book; the differences are explained in detail in Chapter 2. Briefly, identity theft involves the collection of identity information, like birth certificates and credit card identifiers, from the owners of that information. This is not always illegal, so legal systems have only recently started to recognize criminal forms of identity theft. Identity information may also be generated illegally (using fictitious IDs or manipulating oneās own ID). This is not identity theft, but it is a criminal activity. The actual use of stolen or bogus identities to commit fraud is defined as identity fraud, which is, and has been for many years, a criminal offense.
In the United States and Canada, identity theft and related forms of fraud have reached the level where they affect more than 4% of the population each year. As new methods of IDTF continue to appear, this rate may grow. A major reason for the rise in IDTF cases is the increased use of credit and debit cards, and commercial Internet applications, because of which identity information is more widely used and available in online databases and thus an easy target for criminals. These types of criminal activity have been dramatic and stunningly persistent (Anonymous 2007). Although consumers are entitled to free credit reports annually, credit file errors remain undetected and credit repair scams are growing in number. For many successive years, IDTF has ranked first in fraud complaints filed with the United States Federal Trade Commission (FTC). In 2009, these frauds accounted for 21% of the 721,418 complaints received by this agency. Similar concerns and results have been reported by Canada and other Western nations.
Although IDTF has become one of the top business, consumer and legal concerns of the information age, a more dangerous aspect than fraud is the possibility of physical danger, where terrorists can use identity theft to breach national security. Combating IDTF and thus protecting consumers and society as a whole is of urgent importance in maintaining a healthy economy and a stable social environment. Attacking this problem in an organized and focused manner requires a detailed understanding of the relative risks and costs arising from the many facets of IDTF.
IDTF is far from a new phenomenon, as the impersonation of officials and other individuals for the purpose of committing criminal fraud has plagued society for centuries. Over the ages, smugglers, pirates and other criminals have used aliases to hide their true identities in order to commit crime. For example, in the urban society of seventeenth-century London, England, when there was no photo identification and little by way of documented identification for commoners, people looked at dress, demeanour and symbols of office to determine identity, which gave an advantage to impostors of the day (Hurl-Eamon 2005). That environment eventually gave way to a society where, beginning with the upper classes, everyone had some form of identification available, such as birth certificates or passports. The first forms of identity theft merely involved stealing a personās identity papers. Before the widespread use of consumer credit cards in the 1950s, this usually meant stealing passports, social security cards or other identification.
Credit Cards
Credit cards, reportedly first used in Europe for inter-business transactions in the 1890s, soon spread to other Western nations and were made available by banks to some of their credit-worthy business customers in the 1930s (Bellis 2008). Credit cards are a way to extend automatic credit to customers. In a modern economy, sellers offer goods and services to strangers in exchange for a promise to pay, based on systems that link the buyer to a specific account or credit history. While credit cards do not contain all of an individualās identity information, they do provide access to the ownerās credit account, which makes them a frequent target of thieves. Like other entrepreneurs, thieves follow the money. Identity thieves acquire data about another person that enables them to counterfeit the personās identification, so they can access goods and services by fraudulently charging someone elseās account. With the increasingly widespread use, by the 1900s, of credit, banking and utility accounts, various types of account fraud followed. Initially, credit cards could only be obtained by applying in person with photographic identification or by being vouched for by a bank manager. This made identity theft infrequent, but obtaining credit was cumbersome (IDTF History 2008).
Credit cards did not become a common source of personal financial information until the early 1980s in the United States, when the Fair Isaacs Organization developed the FICO system of credit scoring (FICO 2009). This system of rating a personās reliability was often supplied in the form of a report that contained other sensitive and private personal and financial information. If an identity thief could gain access to such a credit report, it was a simple matter to access bank and credit card accounts.
During recent decades, credit cards have become easier to obtain. They are often, in fact, mass-mailed to consumers, with college students being a prime target. This has helped fraudsters to avail themselves of credit transactions on the Internet, as well as reap the bounty of automatic teller machines (ATMs). Ironically, a credit card is considered a superior form of identification, for both the legitimate owner and the thief. Hence, if another person has one in his or her possession and can display it to pretend he or she is someone else, then that someone elseās identity has been successfully stolen. And the speed with which thieves can reap the benefits of these thefts is legendary: some of us know people whose cards were used to buy diamonds in Brazil, cameras in Monte Carlo or groceries in Los Angelesāall before they knew their cards were missingāeven though credit card companies continue to strengthen automatic safeguards to detect and prevent such abuses. It is a simple matter for a thief with a stolen credit card number to open new accounts and go shopping. The thief runs up charges on the stolen cards and returns the goods for cash.
The advent of ATMs and the Internet were the identity thiefās dream come true, and identity theft continues to mutate by taking advantage of new technologies. Much of the recent increase in identity fraud has been made possible by modern online payment systems (Anderson & Rachamadugu 2008). The net effect is a negative impact on public trust (Acoca 2008), which dampens enthusiasm for online commerce.
Consumer Identity Digitization
Prior to the existence of Internet support for business and personal transactions, personal identities in the paper world were tied primarily to a single identifier (in the US, the Social Security Number, or SSN, nominally a unique identifier, and in Canada, the Social Insurance Number, or SIN), or sometimes to driverās license numbers. Businesses, governments and other entities in the United States commonly use the SSN for record locators for both identification and authentication. Use of the SIN in Canada as a common identifier is not illegal, but certain federal government agencies (Revenue Canada, Canada Pension Plan, etc.) are specifically authorized to use it (Privacy Commissioner of Canada 2011). Financial institutions and other businesses must also collect SINs because they are required to report certain personal information such as salaries and benefits to the relevant government agencies. In general, SIN use in Canada is not as widespread as SSN in the United States, where many externally provided identifiers like credit card numbers, student ID numbers and employee ID numbers are tied to SSNs. Paper records containing these identifiers could be accessed and stolen, but only by someone physically present where the records were stored. Thus, large-scale theft of these unwieldy paper records was relatively unlikely until widespread access to and use of the Internet became common.
The smash-and-grab burglary of the past resulted in the theft of physical property like cash, jewellery and pieces of personal and financial information like driverās licenses, social insurance cards, credit cards and chequebooks. The burglar became an identity fraudster by using the stolen identification documents to commit fraud on existing accounts or by opening new accounts. Classically, this was committed on a relatively small scale, since only one dwelling could be burglarized at one time, and there was, of course, considerable risk of being caught. Later, theft of other physical identification became possible, like carbon-copy imprints from credit card receipts, PINs (personal identification numbers) obtained by looking over a cardholderās shoulder at the point of sale and digging through discarded office files. All these crimes must be committed in person, which obviously limited the volume of identity theft and fraud.
Then a dream came true for the underworld: digitization. The digitization of paper records and their storage on networked computers, together with ineffective security, greatly increased the likelihood of illegal access and theft of massive files of names, addresses, social security or social insurance numbers, debit card account numbers and PINs, bank account numbers and passwords, mothersā unmarried names, etc. (Schreft 2007).
The risks to individuals whose identity information and other related data are held by third parties, including government institutions and businesses, include both privacy risks and the danger that stolen identity information will lead to fraud. The public is constantly advised not to give out personal financial information, to shred personal papers, and to be generally cautious when doing business online. Compliant as the public may be, these precautions do not protect citizens in the face of database breaches. Criminal tactics have changed, since thieves no longer need to steal single identities but can steal them by the tens of thousands (Schneier 2005) from databases that are managed, and ostensibly protected, by third parties like banks, credit card companies, retail firms and government agencies. This information is often available on Internet sites protected only by passwords, and personal credit histories are stored, controlled and often sold by companies that the identity owners donāt even know exist.
Online digital IDTF can be accomplished at very low cost, with a greatly reduced chance of arrest and on a much larger scale as a result of the tremendous advances in technology that have altered the way transactions are made. Computer processing speed has increased exponentially and lowered computing costs accordingly, and improvements in network connectivity and communications have made it possible to transfer data at high speeds with broadband technology. This has enabled a tremendous growth in e-commerce, including business-to-consumer, business-to-business and business-to-government transactions. Regrettably, these benefits have come at the cost of user exposure to database hackers and the interception of transaction data. This is why computer and network security has become critically important to successful e-commerce activity. Traditionally anonymous cash transactions have given way to transactions that involve the transfer of personal identification information to authorize transactions, requiring secure authentication processes to ensure that transactions are valid and preventing the theft of identity information during the process. Consumers now also carry out an increasing number of other activities online, like communicating with acquaintances and searching for information. All these activities have resulted in the creation of new online industries, which have h...