Identity Theft Study

Interesting study: "Identity Fraud Trends and Patterns: Building a Data-Based Foundation for Proactive Enforcement," October 2007. It's long, but at least read the executive summary. Or, even shorter, this Associated Press story:

Researchers reviewed 517 cases closed by the Secret Service between 2000 and 2006. Two-thirds of the cases were concentrated in the Northeast and South and there were 933 defendants. The Federal Trade Commission has said about 3 million Americans have their identities stolen annually.

The study found that 42.5 percent of offenders were between the ages of 25 and 34. Another 18 percent were between the ages of 18 and 24. Two-thirds of the identity thieves were male.

Nearly a quarter of the offenders were born outside the United States.

Eighty percent of the cases involved an offender working solo or with a single partner, the report found.

While identity thieves used a wide combination of methods, fewer than 20 percent of the crimes involved the Internet. The most frequently used non-technological method was the rerouting of mail through change of address cards. Other prevalent non-technological methods were mail theft and dumpster diving.

Of the 933 offenders, 609 said they initiated their crime by stealing fragments of personal identifying information, as opposed to stealing entire documents, such as bank cards or driver's licenses.

Most of the offenses were committed by non-employees who victimized strangers. Employee insiders were the offenders in just one-third of the 517 cases. When an employee did commit identity theft, the offenders were employed in a retail business in two out of every five instances, the report said. Stores, gas stations, car dealerships, casinos, restaurants, hotels, doctors and hospitals were all considered retail operations in the study.

In about a fifth of the cases, the employee worked in the financial services industry.

Posted on November 7, 2007 at 7:36 AM • 13 Comments

Comments

Fred MoraNovember 7, 2007 8:38 AM

This type of fraud is actually a classic called Agent Fraud in the insurance business. Agent Fraud is committed by insurance agents creating fake client files and get commissions.

In the best examplaries of the genre, some agents exploited holes in the system and somehow covered the absence of payment for years, while making their fake insurance policy portfolio "live" by adding the statistically required amount of births, deaths and accidents. I remember a case like this years ago in Europe, in which the agent exploited holes in then-primitive computer security to bypass accounting controls and make his portfolio of fake clients "live". Can't find the references now.

JohnNovember 7, 2007 9:08 AM

I couldn't fully understand the article until the numbers were normalised. Here they are for others interest (I hope they're right).

"Researchers reviewed 517 cases closed by the Secret Service between 2000 and 2006. 66% (335) of the cases were concentrated in the Northeast and South and there were 933 defendants. The Federal Trade Commission has said about 3 million Americans have their identities stolen annually.

The study found that 42.5% (395) of offenders were between the ages of 25 and 34. Another 18% (168) were between the ages of 18 and 24. 66.7% (622) of the identity thieves were male.

Nearly 25% (233) the offenders were born outside the United States.

80% (746) of the cases involved an offender working solo or with a single partner, the report found.

While identity thieves used a wide combination of methods, fewer than 20% (233) of the crimes involved the Internet. The most frequently used non-technological method was the rerouting of mail through change of address cards. Other prevalent non-technological methods were mail theft and dumpster diving.

Of the 933 offenders, 609 (65%) said they initiated their crime by stealing fragments of personal identifying information, as opposed to stealing entire documents, such as bank cards or driver's licenses.

Most of the offenses were committed by non-employees who victimized strangers. Employee insiders were the offenders in just 33% (172) of the 517 cases. When an employee did commit identity theft, the offenders were employed in a retail business in 40% (?) instances (employees or cases?), the report said. Stores, gas stations, car dealerships, casinos, restaurants, hotels, doctors and hospitals were all considered retail operations in the study.

In about 20% (103) of the cases, the employee worked in the financial services industry."

postmaster specificNovember 7, 2007 9:10 AM

USPS needs to eliminate change of address cards, or require rigorous id requirements.

I don't use them when I move because I don't want the junk mail following.

dNovember 7, 2007 9:51 AM

Is this study limited by selection bias? It depicts only closed cases, a subset of cases selected for investigation. What is the relationship between closed cases and the universe of identity theft crime?

Without knowing the answer to that, all someone can say is the study depicts the characteristics of closed cases.

Brandioch ConnerNovember 7, 2007 9:53 AM

I think this was discussed previously on slashdot.

They're looking at closed cases. Not at all of the "Identity theft" (fraud) cases out there.

So there isn't much information you can really get from this except that these are the cases that the FBI has been able to solve.

Now, are they solved because these are examples of the easiest kind to solve? Maybe.

Does that mean that using different techniques (phishing, being a Russian criminal) means that you have a better chance of NOT being caught? Maybe.

paulNovember 7, 2007 11:18 AM

If you're reviewing an approximate 1 in 30,000 (assuming on theft per case, so maybe as high as 1 in 1000) cases, selection bias is bound to be a huge issue.

I also wonder about the definition of "identity theft", which seems to have morphed from creating a fairly complete shadow persona based on a single person -- which then haunts them as they try to do their own transactions -- to just using some chunk of personal data to facilitate a fraudulent transaction. Of course, when the volume of stolen identifiers is so large, it may be much more cost-effective for crooks to put less work into each transaction.

dragonfrogNovember 7, 2007 12:46 PM

Interesting choice of phrasing:

"Nearly a quarter of the offenders were born outside the United States."

You can express the exact same semantic content with such vastly different implied meanings.

"Less than a quarter of the offenders were born outside the United States."

or

"Over three quarters of the offenders were born in the United States."

Big difference, isn't it?

CGomezNovember 7, 2007 12:52 PM

"Stores, gas stations, car dealerships, casinos, restaurants, hotels, doctors and hospitals "

I suspect this is the largest class of identity theft. "Waiter... bring the check," sure beats hacking any day.

Chris SNovember 7, 2007 1:51 PM

Re: Normalization -- "offenders were employed in a retail business in 40% (?) instances (employees or cases?)"

Given that only 33% of the cases (172) were employee insiders to begin with, and that roughly one fifth (100) were financial employees, it makes sense that the remainder (72?) is the 40% of 33% of 517 (=62?).

So -
- non-employees: 345
- retail employees: 69
- financial employees: 103

MentorNovember 7, 2007 6:55 PM

Identity theft is happening all over the world. When I use to live and work in Korea you can be an identify theft casulty by going to the gas station. All Korean gas station is a full service and most people pay with credit card. The attendant takes the credit card and run it through their machine which produce two copies, one for the customer and one for the gas station. The employee will make a copy of the credit card charge slip and use it.

Brandioch ConnerNovember 8, 2007 9:51 AM

@CGomez
"I suspect this is the largest class of identity theft. "Waiter... bring the check," sure beats hacking any day."

Maybe. Today.

But it is getting too easy for the big criminals. All they're going to have to do is to start a database of all the possible Social Security Numbers and start filling in the blanks of:
FirstName
LastName
HomeAddress
SpouseName
BankAccount_1
BankAccount_2

Pretty soon, they'll have enough information on you to steal more money than you have.

They can buy a car by impersonating you. And they'll have all the info needed to do so.

They could take out a second mortgage on your home.

And, unlike the waiter example, it would be extremely difficult to find them and stop them. At that point it becomes pure data. Stored anywhere. Accessed anywhere. Used anywhere.

The worst the waiter can do is max out that single card (hope it's not a debit card).

The worst the other kind can do is to become you and start NEW debts as you.

Which is why we need laws limiting the amount of personal information that a company can collect and store ... and requiring that accessing such information be extremely restricted ... and that it be encrypted.

Every single company/organization that collects that information is another potential leak.

Every person at those companies/organizations that has access to that information is a potential leak.

We've seen laptops with thousands of names stored on them being stolen/lost.

SteveNovember 8, 2007 10:38 AM

How Netflix and junk mail protects my security.

I did not realize that my waiting for DVD's from Netflix acts as an active heartbeat where I would know within 1-2 days that my mail has been hi-jacked. While junk mail is as effective, I will notice a missing DVD from Netflix.

JohnnyBossAugust 12, 2008 1:13 PM

I think that Postmaster Specific hit on a very good point but brought it to the extreme. I don't think fowards should be taken away, I think that you really need to prove your identity to accomplish one. In addition, I believe the public should take a proactive approach to this problem. Secure your computer, shred any personal documents, and own a secure locking mailbox. Yes, "secure"...not just a locking mailbox. A locking mailbox will keep determined criminals at bay for a few seconds at most. Whereas a good security locking mailbox will keep them out long enough to make them go on to easier prey. My co-workers and I have spent endless hours researching this subject and written many articles addressing this problems and many others on closely related subjects.

In the last several years we have seen many people realize the problem and take the necessary measures to protect themselves. They realize and understand, as they should, that we can't count on government entities to look out for us. We must go it on our own.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..