
Victims' Perspectives: The 2008 ITRC Annual Identity Theft Survey

Every year, the Identity Theft Resource Center (ITRC) surveys identity theft victims, the consumers in the best position to report what it is like to deal with the consequences of identity theft and identity fraud. Last week, the ITRC released its annual report for 2008 (PDF, 360 K bytes). The key findings:

"Financial identity theft continues to be the most prevalent form of identity theft... The “unlawful use of personal identifying information” for only financial identity theft crimes was reported by 73% of the respondents, a marginal decrease from 2007. Criminal cases represented 5%, a slight increase from the past couple of years. Governmental issues, which may involve employment, benefit fraud, tax fraud or someone using a fraudulent driver’s license as an identifier, accounted for 2%. The rest were combination cases: financial and criminal (6%), financial and governmental (9%), and a combination of all three types (5%)."

The ITRC used the following definitions for the different types of identity theft:

"Financial: Information was used in situations involving money, credit, checking, debit, or collection issues; Criminal: Information was used by an impostor was given a ticket, arrested, arraigned or prosecuted; Governmental or Benefit Fraud: There are now problems with the IRS, DMV, SSA or other government assistance programs."

Detailed findings regarding financial identity theft:

"For the past six years, opening new lines of credit has remained the most frequently occurring financial crime. In 2008, 67% of the victims were in this category.... charges on stolen credit cards and debit cards without a PIN also ranked high on the list (39%). This is more than double any preceding year... check fraud grew to 17% in 2008, increasing from the 12% in 2007. Criminals also took out various types of loans using personal identifying information. Mortgages and 2nd mortgages (33%), car loans (22%), personal loans (32%) and business loans (8%)..."

What does this mean? Identity criminals take the easiest path. Retailers that accept credit cards without a PIN make it much easier for criminals to commit fraud:

"The advice of the ITRC to strengthen identity verification at the point of application and/or sale is a simple and effective way to immediately reduce card-based fraud. Matching a photo ID to the name on the card may be inconvenient for a person making the purchase, but it pales in comparison to the inconvenience and consequences of an identity crime. A simple way to verify identity documents used in loan processes is a more intractable problem and will take longer to solve because it requires the private sector – the people who grant credit – and the government to cooperate."

The consequences of criminal and government identity fraud (bold, italics added):

"Often times, victims of identity theft are not just plagued by financial crimes... innocent people have had to prove they were not the person given a ticket, on probation or wanted on a warrant. Often they don’t know about the problem until notified adversely by law enforcement. First awareness could be a denial to get on a plane, a pulled driver’s license, or a knock on the door by law enforcement. You are now guilty until proven innocent. A criminal history on background checks for a job or tenancy may also be the first indication of a problem. This often leads to a resounding “you aren’t the type of person we are looking for” response from a potential employer."

How this criminal fraud can happen:

"Your imposter gives your name and address when cited for vandalism, speeding or other misdemeanors while claiming not to have any identifying documents. Perhaps a fraudulent driver’s license is used to cash a bad check. Bad checks are bounced and reported by banks to the District Attorney’s bad check division resulting in a warrant for an arrest. Fraudulent documents can be used to get welfare. Anyone knowing your Social Security Number can file a tax return before you do, get your refund, or cause you to pay additional taxes for “your second job.”

The ITRC's findings about medical identity theft:

"More than 2/3 of those responding to these questions reported that medical providers billed for services received by the imposter. Another 56% were contacted by a collection agency or billing department for those services. One-third of the respondents said there is now another person’s information on their medical records and 11% were denied health or life insurance due to unexplained reasons."

This means that consumers are directly affected: lost jobs, lost medical coverage, and lost money:

"Respondents in 2008 spent an average of $739 dollars in out-of-pocket expenses for damage done to an existing account indicating an increase from 2007 ($550). These expenses include: postage, photocopying, purchasing police reports, travel, buying court records, and childcare. In reference to new accounts, respondents spent less in 2008 with an average of $951 compared to $1865 in 2007. At least one person reported this included fees charged by an attorney... victims reported spending an average of 58 hours repairing the damage done by identity theft to an existing account used or taken over by the thief. In cases where a new account was created, respondents reported an average of 165 hours to clean up the fraud."

I doubt that most consumers don't have the money ($740) and time (60 hours) to undo the damage from identity thieves and identity fraud. For many consumers the time needed to fix the damage by identity thieves is far longer (bold italics added):

"For the past five years, there has been a steady increase in the number of respondents able to clear issues of all misinformation within the first six months. In 2008, 53% reported their time involvement was 1-6 months. Nearly 30% reported that it took 7-23 months to resolve their case... The number of respondents needing more than 2 years to clear their name has remained relatively steady for the past two years at nearly 20%. It is disturbing that some victims still need such an extended amount of time to clear their records.

The ITRC concludes that this long duration to fix fraud damage could indicate continued fraud by criminals, and/or a more severe case such as criminal identity theft which often requires multiple steps to erase records within local and national crime databases. All identity fraud victims experience emotional impacts:

In 2008, the ITRC found more victims acknowledging short-term feelings of being defiled (37%), betrayal (60%), a loss of innocence (21%), and a sense of powerlessness (63%). Long-term emotional responses included: 30% felt unable to trust people, 4% felt suicidal, 25% were ready to give up the fight, and 10% believed that they have lost everything. The answer of “family doesn’t understand why I’m feeling like I do” is higher than ever reported (33%). Also, 33% reported that those close to them “don’t want to understand my feelings.” Almost half said family life is stressed and another 21% stated that children are also affected.



John Taylor

I think identity theft can be prevented. All we need is enough information about identity theft, criminals' modus and new technologies that criminals use to steal private information. We should peek into the mind of criminals and think like them to find a way to stop it or prevent it from happening, at least. It's very hard to depend on anti-fraud services because we may relax on security thinking they could do it for us. But our protection is our responsibility. We are the ones who should try and do something to guard ourselves.



I agree. Consumers could do more, and so too should companies, higher education institutions, hospitals, and government agencies.

A lot of data breaches and identity theft could be prevented. There are sites that track the multitude of breaches, and some sites that track breach incidents, such as lost/stolen laptops or improper trash disposals.

In my instance, IBM had sensitive personal data for its employees and former employees stolen in 2007. IBM is a company that specializes in security and knows better.

So, there is a lot that companies could and should do. It is unfair to place the burden solely on consumers.

A lot of consumers' sensitive personal data is un-regulated (e.g., the hobby and personal interests that people share on social media sites). Combine that with behavioral targeting and you have a ton of data out there being collected and traded, that may not be adequately protected.

Criminals' attack vectors are numerous and frequently change:
- Dumpster diving
- e-mail phishing
- Web site phishing
- v-phishing
- hacking databases, wireless connections, or systems
- trolling public records
- Impersonations on social media sites
- Planting malware
- Botnets

These are examples I could think of off the top of my head. There clearly are more. My point: the Internet is a fast changing thing, which means that criminals' approaches will continue to change quickly, too.

Think of it as an arms race between the criminals and protection services and methods.

