Bruce Schneier

 
 

Schneier on Security

A blog covering security and security technology.


November 07, 2007

Identity Theft Study

Interesting study: "Identity Fraud Trends and Patterns: Building a Data-Based Foundation for Proactive Enforcement," October 2007. It's long, but at least read the executive summary. Or, even shorter, this Associated Press story:

Researchers reviewed 517 cases closed by the Secret Service between 2000 and 2006. Two-thirds of the cases were concentrated in the Northeast and South and there were 933 defendants. The Federal Trade Commission has said about 3 million Americans have their identities stolen annually.

The study found that 42.5 percent of offenders were between the ages of 25 and 34. Another 18 percent were between the ages of 18 and 24. Two-thirds of the identity thieves were male.

Nearly a quarter of the offenders were born outside the United States.

Eighty percent of the cases involved an offender working solo or with a single partner, the report found.

While identity thieves used a wide combination of methods, fewer than 20 percent of the crimes involved the Internet. The most frequently used non-technological method was the rerouting of mail through change of address cards. Other prevalent non-technological methods were mail theft and dumpster diving.

Of the 933 offenders, 609 said they initiated their crime by stealing fragments of personal identifying information, as opposed to stealing entire documents, such as bank cards or driver's licenses.

Most of the offenses were committed by non-employees who victimized strangers. Employee insiders were the offenders in just one-third of the 517 cases. When an employee did commit identity theft, the offenders were employed in a retail business in two out of every five instances, the report said. Stores, gas stations, car dealerships, casinos, restaurants, hotels, doctors and hospitals were all considered retail operations in the study.

In about a fifth of the cases, the employee worked in the financial services industry.

Posted on November 07, 2007 at 07:36 AM


Comments

This type of fraud is actually a classic called Agent Fraud in the insurance business. Agent Fraud is committed by insurance agents creating fake client files and getting commissions.

In the best exemplars of the genre, some agents exploited holes in the system and somehow covered the absence of payment for years, while making their fake insurance policy portfolio "live" by adding the statistically required amount of births, deaths and accidents. I remember a case like this years ago in Europe, in which the agent exploited holes in then-primitive computer security to bypass accounting controls and make his portfolio of fake clients "live". Can't find the references now.

Posted by: Fred Mora at November 7, 2007 08:38 AM


I couldn't fully understand the article until the numbers were normalised. Here they are for others' interest (I hope they're right).

"Researchers reviewed 517 cases closed by the Secret Service between 2000 and 2006. 66% (335) of the cases were concentrated in the Northeast and South and there were 933 defendants. The Federal Trade Commission has said about 3 million Americans have their identities stolen annually.

The study found that 42.5% (395) of offenders were between the ages of 25 and 34. Another 18% (168) were between the ages of 18 and 24. 66.7% (622) of the identity thieves were male.

Nearly 25% (233) of the offenders were born outside the United States.

80% (746) of the cases involved an offender working solo or with a single partner, the report found.

While identity thieves used a wide combination of methods, fewer than 20% (233) of the crimes involved the Internet. The most frequently used non-technological method was the rerouting of mail through change of address cards. Other prevalent non-technological methods were mail theft and dumpster diving.

Of the 933 offenders, 609 (65%) said they initiated their crime by stealing fragments of personal identifying information, as opposed to stealing entire documents, such as bank cards or driver's licenses.

Most of the offenses were committed by non-employees who victimized strangers. Employee insiders were the offenders in just 33% (172) of the 517 cases. When an employee did commit identity theft, the offenders were employed in a retail business in 40% (?) instances (employees or cases?), the report said. Stores, gas stations, car dealerships, casinos, restaurants, hotels, doctors and hospitals were all considered retail operations in the study.

In about 20% (103) of the cases, the employee worked in the financial services industry."

Posted by: John at November 7, 2007 09:08 AM


USPS needs to eliminate change of address cards, or require rigorous id requirements.

I don't use them when I move because I don't want the junk mail following.

Posted by: postmaster specific at November 7, 2007 09:10 AM


Is this study limited by selection bias? It depicts only closed cases, a subset of cases selected for investigation. What is the relationship between closed cases and the universe of identity theft crime?

Without knowing the answer to that, all someone can say is the study depicts the characteristics of closed cases.

Posted by: d at November 7, 2007 09:51 AM


I think this was discussed previously on slashdot.

They're looking at closed cases. Not at all of the "Identity theft" (fraud) cases out there.

So there isn't much information you can really get from this except that these are the cases that the FBI has been able to solve.

Now, are they solved because these are examples of the easiest kind to solve? Maybe.

Does that mean that using different techniques (phishing, being a Russian criminal) means that you have a better chance of NOT being caught? Maybe.

Posted by: Brandioch Conner at November 7, 2007 09:53 AM


If you're reviewing an approximate 1 in 30,000 (assuming one theft per case, so maybe as high as 1 in 1000) cases, selection bias is bound to be a huge issue.

I also wonder about the definition of "identity theft", which seems to have morphed from creating a fairly complete shadow persona based on a single person -- which then haunts them as they try to do their own transactions -- to just using some chunk of personal data to facilitate a fraudulent transaction. Of course, when the volume of stolen identifiers is so large, it may be much more cost-effective for crooks to put less work into each transaction.

Posted by: paul at November 7, 2007 11:18 AM


Interesting choice of phrasing:

"Nearly a quarter of the offenders were born outside the United States."

You can express the exact same semantic content with such vastly different implied meanings.

"Less than a quarter of the offenders were born outside the United States."

or

"Over three quarters of the offenders were born in the United States."

Big difference, isn't it?

Posted by: dragonfrog at November 7, 2007 12:46 PM


"Stores, gas stations, car dealerships, casinos, restaurants, hotels, doctors and hospitals"

I suspect this is the largest class of identity theft. "Waiter... bring the check," sure beats hacking any day.

Posted by: CGomez at November 7, 2007 12:52 PM


Re: Normalization -- "offenders were employed in a retail business in 40% (?) instances (employees or cases?)"

Given that only 33% of the cases (172) were employee insiders to begin with, and that roughly one fifth (100) were financial employees, it makes sense that the remainder (72?) is the 40% of 33% of 517 (=62?).

So -
- non-employees: 345
- retail employees: 69
- financial employees: 103

Posted by: Chris S at November 7, 2007 01:51 PM



Schneier.com is a personal website. Opinions expressed are not necessarily those of BT Counterpane.

 