Identity Theft
Can Anything Be Done?
March 26, 2014
Summary: Identity theft is increasingly in the news, whether it is the clever ad on television with characters lamenting purchases they obviously never made, the 2013 box office hit starring Jason Bateman and Melissa McCarthy, or the theft of a laptop computer which had on it sensitive data belonging to over 26 million United States veterans.
Although by law credit card holders have limited liability for unauthorized usage, the cost in time and hours to restore one's good credit is, to quote MasterCard®, “priceless.”
In the following article, we explore identity theft—what it is, common causes, the technical side, the laws, and tips to avoid or mitigate it.
Topics covered:
Introduction
What is identity theft?
Common causes of identity theft
The techie side, or what's a rootkit?
The governments step in
Protect yourself—tips
Is there any good news?
Introduction
Identity theft is in the news on a daily basis. Whether it is the April 22, 2011, confirmation of the external intrusion on Sony PlayStation Network resulting in the exposed account information of 76,000,000 users, the 2012 announcement that for a period of seven years hackers from Russia and Ukraine collected more than 160,000,000 credit and debit card numbers from individuals trading on the Nasdaq stock exchange (this was just one arm of a massive data theft scheme which also tapped into the records of 7-Eleven, JC Penney, Dow Jones, and JetBlue, among others), the most recent December 19, 2013, breach of 70,000,000 Target customers' names, mailing addresses, phone numbers, and credit and debit card information (including the dates of expiration and 3-digit encrypted security codes), or any number of the thousands of less-than-high-profile cases, the statistics are truly mind-boggling.
According to the Identity Theft Resource Center Data Breach Category Summary, 157 data breach incidents were reported in 2005. The trend isn't slowing down. In the first eight months of 2011 alone, 250 breach incidents were reported which resulted in the exposure of 12.6 million confidential records. The same source identifies 619 publicly disclosed breaches in 2013 – a 30% increase from 2012. From the 2013 breaches, nearly 92 million records were exposed (0.9% originated from the banking/credit/financial sector, 84.0% from the business sector, 3.5% from the educational sector, 2.0% from government/military sectors, and 9.6% originated from the medical/healthcare sector). These are frightening figures, especially as 66% of all data breaches take months or even years to discover, as reported by the 2013 Verizon Data Breach Investigations Report.
Identity theft is a crime that affects roughly 12 million people per year – that's one person every 3 seconds. Privacy Rights Clearinghouse, a not-for-profit organization, has kept track of compromised information since the 2005 admission by ChoicePoint that it had sold personal data to a group of criminals masquerading as small business owners. According to their website, over half a billion sensitive records have been breached since 2005. The loss cost to the United States was $18 billion in 2012 alone, according to a study by the Better Business Bureau in August of 2013.
So what's the big deal? So your social security number has been hijacked. So what? Date of birth? Who cares?
Protectyourbubble.com reports that in 2013 alone, consumers lost $500 million to identity thieves. The average out-of-pocket cost per incident is $631. The average cost of an identity fraud case is $4,607. Now zoom out – amongst all U.S. households, that's a $13.3 billion loss as a result of identity theft every year.
According to the Ponemon Institute, the average loss cost per record compromised was $277. Moreover, United States companies experienced data breaches which exposed or compromised 28,765 records on average. It is no surprise then that the US spent more than any other country on notification costs following a breach of identity-type data (on average, $565,020 per incident). Lastly, the average cyber claim paid by insurers has now reached $954,253, as reported by NetDiligence.
What's more? It's not just your wallet at stake, but your time. According to a study compiled by Erie Insurance Company, the average victim spends 33 hours repairing the damage caused when their identity is stolen. In other words, 383 million hours are lost annually by all victims – that's 559 lifetimes.
So, who cares? Everyone with something to lose – financial or reputational – must care.
What Is Identity Theft?
The most concise definition of “identity theft” comes from the National Association of Insurance Commissioners: “Identity theft occurs when a person uses your personal information, such as Social Security number and date of birth, with the intent to commit fraud or to aid an unlawful activity. Once personal information is obtained, the person may open new credit card accounts in your name, open bank accounts in your name to write bad checks or take out a loan in your name.”
The story does not end there, however, although these are the most common instances. In State of Wisconsin v. Peters, 665 N.W. 2d (Wis. 2003), the defendant was charged with armed robbery, retail theft, obstructing an officer, and identity theft. She moved to have the charge of identity theft dismissed, and the court agreed. But the supreme court held that her misappropriation of another's identity to obtain a lower bail met the state's identity theft statute's requirement that the perpetrator must misuse another's identity to obtain either credit, money, goods, services, or something of value.
And in State of Washington v. Presba, 126 P.3d 1280 (Ct. App. Wash. 2005), during a traffic stop the defendant gave the officer the name, date of birth, and social security number of a former friend. She was charged with identity theft (a felony) rather than the lesser misdemeanor of criminal impersonation because, said the court, in giving the information of another person she had assumed that person's identity. Had she made up a name, date of birth, and social security number she would have been charged with the lesser count. This is so because the theft of a real, specific person's identity is an element of the crime of identity fraud. State v. Berry, 117 P.3d 1162 (2005). Moreover, to be convicted of aggravated identity theft, the Supreme Court has ruled that the accused must have known the identification belonged to another. Flores-Figueroa v. U.S., 129 S.Ct. 1886 (2009).
So, although it is common to think of stealing an identity in order to steal money or goods, it's not necessarily always the case.
Common Causes of Identity Theft
Theft of laptops might make the news, but theft of a family member's credit card is a common cause of fraudulent use. Writing for MSN Money, Liz Pulliam Weston noted that, according to a survey by Javelin Research, one in four victims knew who was responsible for the theft of their information; of those, half pointed to friends, relatives, neighbors, or in-home employees.
Theft of a wallet or handbag often results in loss of more than money. People often unwittingly carry their social security cards with them as well as their drivers licenses. Now, the thief has cash, credit cards, and the means to open new accounts—social security number, date of birth, and a signature. Barring that, the information can be sold over the Internet. (States no longer require social security numbers on drivers licenses, nor can the social security number be used as the license number. If your license has your social security number on it, request a new license.)
Contrary to popular belief (and media sensations), according to the 2013 Verizon Data Breach Investigations report, only 14% of all data breaches in 2012 were caused by an internal actor. In fact, reported Kemper Technology Consulting, 75% of attackers are “opportunistic and not directly targeting a single individual or company”. So, who are the real culprits?
The Internet has become a common source of identity theft. “Phishing” has become almost a household word – over 95% of all state-affiliated espionage attacks rely on phishing in some way. This is a scheme whereby someone receives an email asking for personal information, social security numbers or credit information in particular. Not long ago it was common to receive an email purportedly from a bank stating something to the effect that the bank's fraud team had noticed unusual activity in the intended victim's account, and, in order to continue the account the victim would have to go to the indicated site to input valid information. Of course, the site to which the victim was directed was not the bank's site.
A variation of this is to send an email supposedly coming from PayPal (a commonly used online payment service) that says something like “you have a credit of $250 from your last sale, but to confirm your identity we need the following information.” Many persons think that they have forgotten a sale's amount, and follow the link. PayPal will always address any email to its customers personally (as, “Dear Susan Smith”), not “Dear Customer.”
Not satisfied with offering great refinancing rates, current phishing attempts begin with “You have been approved for (usually a six-digit amount) and we just need a few more details to finalize your loan. Just click on the link below.” And, of course, there are the widows/spouses/children/business partners of General/CEO/President/owner who will cut the responders in on 10 to 20 percent of the bazillions if only they will just email their bank account number and routing information.
There are two common scams during tax season. The first is to send an email claiming to be from the Internal Revenue Service (IRS) and advising the recipient that they are entitled to an additional refund. They must follow the link to a website and complete the requested information. Because many now file taxes electronically, an email response from the IRS appears to be legitimate. The IRS, however, does not ever communicate via email. The second scam involves an email purportedly from the IRS and says something to the effect that “you have filed your tax return, and now you have just one question—when can I expect my refund?” When the unwary click on the link, they are directed to a site asking for personal information. A less common trap is an email supposedly sent from H&R Block offering personal tax preparation services. The respondent is directed to a fraudulent site asking for personal information.
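The warning signs named in the phishing examples above (a generic greeting where the real sender would use your name, a request for personal data, and a link that does not lead to the claimed sender's own site) can be checked mechanically. The following Python example is an addition and not part of the original article; the domain allow-list, the indicator names and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: domains each claimed sender really uses.
# A real mail filter would maintain its own, much longer, list.
KNOWN_DOMAINS = {
    "paypal": {"paypal.com"},
    "irs": {"irs.gov"},
}
# Taken from the article's statement that the IRS does not communicate by email.
NEVER_EMAILS = {"irs"}

GENERIC_GREETING = re.compile(
    r"^\s*dear\s+(customer|user|member|client|account holder)\b", re.I | re.M)
SENSITIVE_REQUEST = re.compile(
    r"social security|bank account|routing|credit card|"
    r"confirm your identity|personal information", re.I)
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)


def host_matches(host, allowed):
    """True only if host is an allowed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def phishing_indicators(claimed_sender, body):
    """Return the list of warning signs found in an email body."""
    sender = claimed_sender.lower()
    findings = []
    if sender in NEVER_EMAILS:
        findings.append("sender-does-not-email")
    if GENERIC_GREETING.search(body):
        findings.append("generic-greeting")
    if SENSITIVE_REQUEST.search(body):
        findings.append("asks-for-personal-data")
    allowed = KNOWN_DOMAINS.get(sender, set())
    for url in URL.findall(body):
        host = urlparse(url.rstrip(".,;")).hostname or ""
        # A brand name inside the host is not enough: the host must END
        # with the real domain, so "paypal.com.evil.example" still fails.
        if allowed and not host_matches(host, allowed):
            findings.append("link-host-mismatch:" + host)
    return findings


# Constructed sample messages (not real emails).
SAMPLE_PHISH = """Dear Customer,
You have a credit of $250 from your last sale, but to confirm your identity
we need the following information: http://paypal.com.account-check.example/confirm
"""
SAMPLE_LEGIT = """Dear Susan Smith,
Your receipt is available at https://www.paypal.com/activity
"""
SAMPLE_TAX = """You are entitled to an additional refund.
Complete the form at http://irs-refunds.example/claim
"""

if __name__ == "__main__":
    for sender, msg in [("PayPal", SAMPLE_PHISH), ("PayPal", SAMPLE_LEGIT),
                        ("IRS", SAMPLE_TAX)]:
        print(sender, phishing_indicators(sender, msg))
```

An empty result does not prove a message is genuine; it only means none of these three signs were present.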
From “phishing” we go to “pharming.” This is a similar scam to phishing, except it can be more dangerous. Here, the Internet user goes to a site he or she thinks is legitimate, but it is not. Thinking it is a trusted site, he or she enters personal information.
The explosion of laptop computer use can place the unwary in danger. The number of wi-fi spots is growing, and too many persons do not remember that a person using the same network can hack into their laptop and access personal files. A variation of this involves corporate wireless networks. “Wardriving” is the term for taking a laptop near suspected buildings and accessing the company's wireless network from outside. The same can also be done to a home wireless network. A big danger for businesses is the employee who takes a laptop home, logs onto the corporate address using wi-fi, and leaves the door wide open for a local wardriver to access the corporate system. Laptop users should be cautious about logging into unknown networks. Do you really want the person at the table near to you at Starbucks to see your desktop? Some laptops automatically attempt to connect to a network. It is a good idea to disable this feature unless the laptop is secured.
Smartphones are also susceptible to hack-attack. In fact, according to Erie Insurance Company, smartphone users are 33% more likely to become victims of identity theft. Many people think of it only as a convenient emailer or data-store, and forget that it is equipped with networking capabilities.
Customers should also use caution when taking advantage of the convenience of automatic bill paying. Setting up automatic bill payment by means of a credit card might be smarter than using a debit card or bank draft, simply because the credit card provides some protection against unauthorized charges. Using a debit or bank draft allows someone to directly dip into a checking account. If this method is chosen, then it should only be done with completely trustworthy companies. Even using a credit card to pay bills gives the merchant (and unknown employees) access to a credit card number. For example, the cable TV bill comes with a stub allowing the customer to pay with a credit card. The customer fills in the credit card number, complete with expiration date and a signature.
The Techie Side, or What's a Rootkit?
The reality is that modern technology has made possible incredible leaps in information-gathering and business practices. We could no more do without computers than we could go back to the horse and buggy days. The cost of convenience, though, is that we are vulnerable. No sooner does Microsoft come out with a new secure version of Windows than the hackers are busy trying to crack the system.
It is becoming common knowledge that what an employee does at work is the property of the employer. Hence, emails are not personal. Many employers now have the ability to record keystrokes (called keylogging) from any particular desktop. Unless it does not matter that your employer knows your credit card number from your lunch-time shopping trip to an e-tailer, do your shopping from home.
An article entitled “Could Your Keyboard Spy on You?” by Ryan DeBeasi in Computerworld describes a way a device (called a JitterBug) can attach itself to network connections to send passwords and other sensitive data over the Internet. Although the researchers have not yet found specific evidence of this device, they note it can easily be built into keyboards, with the user none the wiser.
Rootkits have become more popular as more security measures to thwart hostile intrusion into computers become more prevalent. A rootkit is a collection of tools that gets control of a computer and is able to hide its presence. The hacker (or cracker—a criminal hacker) thus can gain control of a computer and, if the computer is one in a network, obtain access to other computers in the system. These might include ones in accounting or human resources, which contain employees' personal information.
One of the most self-serving, supposedly legitimate, uses of a rootkit was by Sony Corporation. The company distributed music CDs that secretly installed a rootkit on the computers used to play the CDs, ostensibly as copy-protection. But the rootkit was used by Sony to gather information about its customers and could have just as easily been used by hackers to access customers' PCs. To add insult to injury, the company offered a fix that simply removed the cloaking portion of the rootkit, not the rootkit itself. Removing the rootkit would damage Windows. Additionally, anti-virus companies (including the most popular) did not catch the problem, and then were only able to offer up removal of the cloaking device (what hides the rootkit), not the rootkit itself.
The Governments Step In
It should come as no surprise that identity theft is a crime. What are some of the steps being taken by the federal and state governments to protect the public?
New U.S. passports carry an RFID (radio frequency identification) chip to prevent forged passports. You cannot request a passport to be issued without an RFID chip. The goal is good, the reality less than stellar for the passport holder. RFID chips can be read with a device called a skimmer, so a passport control officer can easily read several passports in the time it used to take to review just one. The problem is that if a passport control officer can read the tags, so can others. Some cell phones read them. The passport covers supposedly contain anti-skimming material, but that presents a fresh challenge to potential thieves, not security. According to Bruce Schneier, chief technology officer of Counterpane Internet Security, “Someone in the government got it in their head to make it [the passport chip] RFID. Yes, it's cool technology, but don't do it because it's cool.”
The FBI has several initiatives in place, among them SLAM-Spam, which targets criminal spammers. Another is Operation Releaf (Retailers & Law Enforcement Against Fraud), which has gone after the scammers who use stolen credit card information to purchase goods, which are then shipped to West Africa and Russia. The unhappy merchant finds he is on the hook when the legitimate owner of the credit card disputes the charges.
The federal government has laws on the books, as do the states. For the most part, they mirror each other. The federal statute pertains to crimes committed in violation of federal law or that constitute a felony under any applicable state or local law. Penalties can be a fine, imprisonment, or both.
States, of course, have statutes on the books regarding identity theft. Washington state statute (West's RCWA 9.35.020), for example, says that “no person may knowingly obtain, possess, use, or transfer a means of identification or financial information of another person, living or dead, with the intent to commit, or to aid or abet, any crime.” Penalties vary with financial value (including credit, money, goods, services, or anything else of value) obtained.
Kentucky (KRS § 514.160) goes to some lengths to tell exactly what the crime involves:
A person is guilty of the theft of the identity of another when he or she knowingly possesses or uses any current or former identifying information of the other person or family member or ancestor of the other person, such as that person's or family member's or ancestor's name, address, telephone number, electronic mail address, Social Security number, driver's license number, birth date, personal identification number or code, and any other information which could be used to identify the person, including unique biometric data, with the intent to represent that he or she is the other person for the purpose of:
(a) Depriving the other person of property;
(b) Obtaining benefits or property to which he or she would otherwise not be entitled;
(c) Making financial or credit transactions using the other person's identity;
(e) Commercial or political benefit.
Ohio (O.R.C. § 2913.49) adds that it does not matter if the person whose identity was stolen is dead; the crime is still a crime.
Many states are also doing more to assist their citizens before a possible theft. Most states have laws requiring businesses to notify customers if personal data has been accessed by security breach. (Had such a law not been in place in California, ChoicePoint might never have been compelled to disclose it had been tricked into selling personal information on over 100,000 consumers.) Iowa has a special passport issued to victims of identity theft and has enhanced security features in its drivers licenses. However, notification laws vary from state to state and this can cause major problems for nationwide businesses in the event of a breach.
Protect Yourself—Tips
The best defense, of course, is a good offense. Therefore, here are some prevention tips. To assess your risk for identity theft, visit protectyourbubble.com and take the test.
Around the house:
·Shred any and all unwanted credit card offers, or, indeed, any no-longer-necessary personal papers with personal information on them. Be careful as to who house-sits if you are away. You might hide unused checks, but it only takes a used check with the routing number on it to open the door to theft. (Remember Frank “Catch Me if You Can” Abagnale, Jr.? All it takes is some check-washing ability.) The best policy—keep personal papers locked away when not actually using them.
·If you live in an area where the mail carrier picks up mail from your mail box, do not place outgoing mail containing personal information (a credit card payment, for example) in the box. Take it to a mail box. If you have reason to think mail might easily be stolen from your mailbox, rent a post office box.
·There is no need to put the full credit-card number on a check used to pay the account. Your credit card provider knows your number. Simply put the last four digits. Along this same line, do not have your social security number printed on your checks. Never, never, never. Do not have your social security number on your drivers license. When depositing a check to a personal bank account, do not include the bank's routing number. A short identifying number (the last four digits, for example) should suffice.
·Family members can often be identity thieves, sorry to say. A drug addict, a compulsive gambler, a person with “champagne tastes on a beer budget” often cannot resist temptation. Unfortunately, these persons trade on the family tie to protect them; even more unfortunate, other family members often pressure the victim to take no action.
·If you bank or pay bills on the Internet, monitor your accounts regularly so you will readily detect any suspicious activity. Many persons have signed up for credit-monitoring services (see the section Is There any Good News?). Others feel this is unnecessary because by law persons are entitled to a free credit report annually. If you decide to order your own credit reports, be extremely cautious that you are ordering from the legitimate site. This is an individual matter. If you shop online, shop only from a trusted site. You will see a small lock at the bottom of the page, and the secure site's URL will begin https://. Some consumers have one card they use only for online shopping.
·Make a photocopy (front and back) of all the credit cards, health cards, etc., that you carry with you. Then, if your wallet is stolen you have all the information to notify creditors and banks.
Your computer, smartphone and tablet:
·Be sure you are using a firewall (a hardware firewall is recommended because it is harder to crack), anti-virus software, and any of the other programs readily available that will protect your files from being read by outside entities. For even better security, buy a program to erase spyware and rootkits. Any computer use should be with a hard-to-guess password. A combination of letters and numbers works best; your phone number or any other easily-guessed combination is not a good idea. Never use a word found in the dictionary.
·Do not reply to suspicious emails. If you have never talked to someone about refinancing your home, why would you respond to an email beginning “after talking to you about refinancing, we just need a few more details”? Remember, neither your bank nor the government will email you, so do not reply to an email purporting to come from them. If in doubt, reread the section entitled Common Causes.
·76% of network intrusions exploit weak or stolen credentials. Create strong passwords and change them frequently. SplashData reveals an annual list of the most commonly used passwords on the internet – information which is often subsequently posted by hackers. To create a non-predictable password, it suggests mixing characters, numbers and symbols, and avoiding the same username/password combination on multiple sites.
·A study by Javelin Strategy Research reveals the risk-prone activity of social media networking. As reported by their study, nearly 68% of social media users have revealed their birthday, 45% have shared the exact day, month, and year of their birth, 63% of users have revealed their high school education details, and 18% of people with social media profiles have their phone numbers listed. If you participate in social media, do not make yourself vulnerable by posting confidential, identifying information on your profile.
Out and about:
·Never carry your social security card with you. If you must have checks while you are out, carry one or two, not the entire checkbook. If you have a health card with your social security number on it, carry a photocopy with the SSN blocked out.
·When shopping with a credit card, especially at a busy time of year, make sure your card is returned to you. Remember, you often hand your card to a complete stranger. This is particularly true in restaurants where the server disappears with your card. It is possible to buy a “skimmer” that reads your card as it is swiped and the server can download the information into his own computer.
·Be watchful of who is around you. If you are at an ATM, shield your PIN with your hand as you enter it. Do not stand in a line with an ATM or credit card in full view—anyone with a camera phone can photograph it. Many ATMs now have cameras to deter criminals. Do not let the camera record your PIN. Be wary of ATMs not connected to a bank; some of them have reportedly been used to record the account number and PIN of the intended victim.
·If you must give information orally, be careful as to who might be eavesdropping nearby.
Finally, if you have become a victim of identity theft:
·Notify your credit card issuers immediately and close the accounts. Contact your banker to see if closing your account is advisable.
·If your social security number has been stolen, call the consumer reporting agencies to place a fraud alert on your credit reports. That means that no one can open new accounts in your name. (In theory, of course. Unfortunately not every merchant is careful about extending credit.) Call the Social Security Administration, and, if your drivers license has been stolen, call the state department of motor vehicles and follow their procedures for getting a replacement. Ask the agency to flag your file so no one else can obtain an identification document.
·If your information has been misused, file a police report and file a complaint with the Federal Trade Commission.
Is There Any Good News?
Insurance is widely available. ISO has an endorsement HO 04 55 05 11 that provides up to $15,000 for the expenses incurred as the result of any one identity fraud first discovered during the policy period. Various insurers offer the coverage: Travelers High Value Homeowners Policy includes $15,000 expense coverage; USAA includes up to $5,000. The Insurance Information Institute's website says that Allstate, American International, Chubb, Encompass, Farmers Group, Fireman's Fund, Liberty Mutual, and Metlife offer coverage. Remember, though, that insurance does not protect against identity theft; it simply offers a dollar amount, in the event of a stolen identity, to help defray the expenses of restoring one's credit.
By law, TransUnion, Experian, and Equifax must provide a free credit report to a consumer annually. It is possible to order a report every four months and thus monitor any suspicious activity.
A new breed of companies has come forward with technology to, theoretically, prevent a theft from occurring. Remember that one means of identity theft is to set up new credit, whether bank accounts or charge accounts, in the victim's name. These new companies operate by placing either credit freezes or fraud alerts on the customer's account. A credit freeze (which is not available in all states and might be overturned by federal legislation) blocks any new accounts from being opened, while a fraud alert warns financial institutions to call to verify any new credit applications. Other companies monitor data available on the Internet and notify customers if stolen information is discovered.
There are companies that offer computer security services for the consumer. These go beyond the typical antivirus software. Some will alert the user if a site is suspicious or a reported phishing site. For Google searchers, one company has software that will let the user know if the site is legitimate, if the searcher should use caution, or if not enough is known to make a determination.
VISA announced a program to require merchants who process fewer than six million card transactions a year to comply with more rigorous standards. Other credit card providers—MasterCard, American Express, and Discover—are also considering more stringent standards.
Finally, if after faithfully following all tips and purchasing insurance, identity theft still occurs, move. The top 10 cities most at risk for identity theft are Miami (35,914 victims), New York City (23,297 victims), Los Angeles (18,254 victims), Atlanta, Chicago, Tampa, Dallas, Detroit, Houston, and Philadelphia, as reported by a 2013 study from the Better Business Bureau.

