Identity theft: causes, prevention, and impact

Identity Theft: Managing the Risk Management

What's New for the Future of Identity Theft Prevention

In this paper I examine the basics of identity theft in today's age of widespread and accessible information. The fundamental problem is that while information technologies continue to make aspects of our lives as simple as "point and click," they tend to make certain forms of crime equally simple. The internet, in particular, makes information not only instantly available but also available to an untold number of faceless strangers. However, the central methods for preventing identity theft remain what they were before personal computers became as common as the television; social security numbers and credit card information must be guarded.

I begin this discussion with an overview and definition of identity theft, including the most common ways it is committed. I identify the fundamental steps towards prevention, as well as the latest laws enacted to combat this threat to individual privacy. Next, I mention a number of the ways the internet has been employed by thieves to obtain personal information. Combating invasions of privacy on the internet involves, largely, secure passwords and selectivity is the dealing out of personal data.

Certainly, some individuals are at a greater risk for having their identities stolen than others -- even if they take the necessary precautions. These people need to be notified of their risks and informed of what steps can be taken. In the future it is likely that laws dealing with identity theft will become stronger, but also that new thieves will find ways around them. They keys to avoid becoming a victim include the simple acts of using a paper shredder, and taking away the identity thief's most powerful ally -- surprise.

I. Introduction

In this emerging age of information, increasingly, the most precious information for consumers and criminals alike is of a personal nature. The handful of numbers, passwords, and identification cards that define who you are and what you purchase in your ordinary everyday life are becoming the most vulnerable avenues by which others can manipulate your monetary transactions. Today, identity theft is far more prevalent, and a much greater threat to personal security than ever in the past. "In the fiscal year 1999 alone, the Social Security Administration Office of Inspector General Fraud Hotline received approximately 62,000 allegations involving Social Security Number (SSN) misuse." (Hammond 20). However, SSN misuse is only one method by which personal information can be manipulated illegally. All together, it is estimated that "somewhere between 500,000 and 750,000 consumers will become victims of identity theft this year -- and the number is growing." (May 1).

Clearly, this form of theft is increasing in magnitude and has become a serious threat for a large portion of the population. Largely, what makes identity theft such a concern for the public is not simply the number of people it happens to, but the fact that it can occur without the victim's knowledge. Unlike the traditional bank robbery, this crime can span thousands of miles, requires no brazen force, and it could happen to anyone, anywhere and without warning. Doubtlessly, such a covert robbery would worry anyone. Often times the victim feels completely helpless and unable to protect themselves or their personal information. In short, it is an impersonal crime, with very personal consequences.

Essentially, "Identity theft occurs when someone uses the identifying information of another person-name, social security number, mother's maiden name, ect. -- to commit fraud or engage in other unlawful activities." (May 2). There exist many variations of this crime, and the thief can use the information he obtains for any number of purposes. A few of the most common acts of fraud that can occur include: opening of new credit card accounts; taking over existing credit card accounts; applying for loans; renting apartments; establishing services with utility companies; writing fraudulent checks; transferring bank money; filing bankruptcy; and obtaining employment in the victim's name (May 2). This is an imposing list; and just as there are numerous ways identity thieves can exploit an individual's information, there are equally many ways in which they can obtain it.

Identity thieves can potentially use both banal and sophisticated methods to acquire your personal information. These tactics include: stealing wallets; stealing mail; filling out "change of address" forms in another's name; rummaging through the trash; fraudulently obtaining credit reports; using personal information shared on the internet; purchasing personal information from an inside source; and many others (Hammond 22). This introduces a problem both for those wishing to protect themselves from this form of crime and those wishing to capture the perpetrators: there are simply too many ways identity theft can be committed to ever possibly defend against them all.

However, to concede defeat or claim helplessness in the face of such threats would be a mistake. There are steps that can be taken to defend against identity theft in its most common and its most disastrous forms. First and most generally, do not readily give out your personal information unless you have cause to trust the individual or organization you are providing with that information. Additionally, "Put passwords on your credit card, bank, and phone accounts. Memorize them, change them regularly, and don't share them, even with family or friends." (Hammond 74). It is also important to protect the avenue by which you transfer your personal information and passwords. "Do not give out personal information on the phone, through the mail, or over the Internet unless you have initiated the contact or know with whom you're dealing." (Hammond 74). Avoid giving out your SSN to institutions other than your employer or banks. "If someone asks for your SSN, you should ask the following questions: Why do you need my SSN? How will my SSN be used? What law requires me to give you my SSN? What will happen if I don't give you my SSN?" (Hammond 75). A useful guideline for any personal information you are uncomfortable with providing is to ask how the information will be used.

It has only been in recent years that the federal government and most states adopted laws that specifically dealt with the crime of identity theft. Largely, this is because of the recent amplification of the threat both in its number of occurrences and in its public perception. "Currently, more than three quarters of the states have passed laws relating to this crime. . . . Meanwhile, at the federal level, Congress passed the Identity Theft and Assumption Deterrence Act of 1998." (May 9). According to this law identity theft is defined as when anyone,

'knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under applicable state or local law." (Hammond 9).

If an individual is suspected of violating this Act they are investigated by several branches of the United States government and subsequently prosecuted by the Department of Justice. Other recent federal acts that are specifically targeted at pursuing identity theft include: the Fair Credit Reporting Act, the Fair Credit Billing Act, and the Electronic Fund Transfer Act. All of these Acts are aimed at increasing consumer awareness and access to their own account information, and well as alerting them if questionable transactions appear. Such precautions are gradually reducing the risks of identity theft, but they can never fully be eliminated.

A large problem with identity theft is the fact that the very information you wish to keep protected is the same information that credit card companies use to conduct their business. "Identity theft is made possible because credit card companies, always on the lookout for new customers, don't have a good way to verify the identity of a person who mails in an application or orders a credit card over the telephone." (Garfinkel 31). The trouble with this is that the credit card companies make the assumption that if you have a few bits of information on an individual, you must in fact be that individual. However, this assumption is almost essential to the manner by which these companies perform their transactions, and makes much of their business possible.

Furthermore, often times when fraud does occur -- traditionally -- there has been little or nothing that the victim can do. Regularly, "When the fraud takes place, the credit issuer simply notes that information in the consumer's credit file and moves on; the consumer is left to pick up the pieces and otherwise deal with the cost of a stolen identity." (Garfinkel 32). This is primarily why many current creditors advertise their policies of credit reimbursement in the event of identity theft; although, it is not yet mandatory for them to do so. Consequently, the laws may bring the criminals to justice, but the victims are regularly left to deal with the effects.

II. Identity Theft on the Internet.

Identity theft in general may not be new, but the ways in which it can be carried out are expanding rapidly. The Internet has become one of the largest and most readily used ways to communicate, purchase and sell goods, pay bills, and make bank transactions. The primary difference between identity theft perpetrated over the internet and identity theft perpetrated in other ways is the speed by which personal information can be obtained and the distance it can travel. "For example, access to drivers' license information has traditionally been restricted to law enforcement officials. But now some states allow the purchase of such information over the Internet." (May 11). Obviously, the volume and type of transactions that take place on the internet are increasing constantly, and it is only natural to question the security of such transactions.

One way that identity theft has come to the internet is through online credit card applications. "Today, an identity thief armed with a social security number and other personal information can apply for credit cards over the Internet with little scrutiny from card issuers." (May 13). Additionally, since these credit transactions are not required to be in person, the thief can make a few initial purchases, pay his monthly balances, establish good credit and "gain the credibility to apply for high dollar value items such as cars." (May 13).

Another common way identity thieves can obtain your personal information is through hacking. "This is where a computer user slips by electronic security and password barriers to gain access to a company's computer server, or sometimes the server of an internet service provider." (May 13). Once inside, the person can retrieve names, addresses, passwords, credit card numbers, social security numbers, and many other pieces of information. Clearly, this is a particularly attractive approach for many criminals, but it can be fairly difficult. Early in the history of the internet, relatively simple hacking software could be developed and helped thieves break pass codes, but these codes and encryption have become increasingly complex and difficult to break. Nevertheless, the thieves are evolving as well, and hacking remains a serious threat to internet security.

Yet another method used by identity thieves is to create websites that appear to be official and obtain personal information through false applications and forms. "For example, one cyber-criminal decided to impersonate the FBI in order to obtain social security numbers and other personal information. . . . He put together a fake website complete with the FBI logo." (May 14). This particular ingenious approach got the perpetrator numerous social security numbers complete with names and addresses. Doubtlessly, this is not the only example of false websites but is perhaps the most daring.

So, it is reasonable to wonder in the face of such deception and impersonal theft, how to possibly protect yourself from criminals looking to type a few buttons to gain access to your most guarded records. Unfortunately, many of the recent federal acts to not apply directly to business on the internet. An individual's credit information can be obtained by anyone over the internet and, "Although credit header information is generates as part of the credit reporting process, the Federal Trade Commission has determined that it is not part of the credit history and therefore is not regulated over the Fair Credit Reporting Act." (May 23). Thus, there exists a legal lag behind the types of crimes that can take place over the internet.

From a personal standpoint, there are a number of precautions that can be taken to minimize the risks associated with these weaknesses in internet security. First, it is important to keep your passwords -- email, billing, credit -- personal, different from one another, and to change them regularly. "Don't use passwords that are easy to break (you'd be surprised how easy it is for hackers to discover your kids' names). Use odd combinations of upper -- and lowercase letters. Add numbers and symbols." (Spector 2). Also, do not post your personal information on the internet. As obvious as this might sound, many people do in fact post genealogies, and family newsletters on websites; this could have potentially hazardous results. Attractive as these practices may be, they are magnets for potential identity thieves. Certainly, these are rather insignificant steps and cannot completely prevent someone from obtaining your information; just as a mugger targets the weakest and frailest looking target, so too do identity thieves. By making yourself a little more difficult to victimize, you make yourself far less likely a victim.

III. Identity Theft: Managing the Risk Management.

By simply living in the world today, where business transactions are regularly impersonal affairs, you are at some level of risk when it comes to identity theft. The key to identity theft, even in the age of information, still remains the Social Security Number. Therefore, the key to preventing identity theft is limiting access to this number and your name. "The privacy Act of 1974 requires all government agencies that use your social security number -- federal, state and local -- to provide you with a disclosure statement. The statement tells whether you're required to provide your social security number or whether it's optional, how the social security number will be used, and what will happen if you refuse to provide it." (May 48). When giving out your SSN you should be familiar with these points and comfortable with the institution you are providing with that information.