by GR Newman · 2005 · Cited by 147 — 1. breaking identity theft down into carefully defined specific acts or Victims had great difficulty in obtaining police reports (as noted above,
114 pages
57 KB – 114 Pages
PAGE – 1 ============
The author(s) shown below used Federal funds provided by the U.S. Department of Justice and prepared the following final report: Document Title: Identity Theft Literature Review Author(s): Graeme R. Newman, Megan M. McNally Document No.: 210459 Date Received: July 2005 Award Number: 2005-TO-008 This report has not been published by the U.S. Department of Justice. To provide better customer service, NCJRS has made this Federally-funded grant final report available electronically in addition to traditional paper copies. Opinions or points of view expressed are those of the author(s) and do not necessarily reflect the official position or policies of the U.S. Department of Justice.
PAGE – 2 ============
IDENTITY THEFT LITERATURE REVIEW Prepared for presentation and discussion at the National Institute of Justice Focus Group Meeting to develop a research agenda to identify the most effective avenues of research that will impact on prevention, harm reduction and enforcement January 27-28, 2005 Graeme R. Newman School of Criminal Justice, University at Albany Megan M. McNally School of Criminal Justice, Rutgers University, Newark This project was supported by Contract #2005-TO-008 awarded by the National Institute of Justice, Office of Justice Programs, U.S. Department of Justice. Points of view in this document are those of the author and do not necessarily represent the official position or policies of the U.S. Department of Justice. i
PAGE – 3 ============
CONTENTS EXECUTIVE SUMMARY.iv 1. INTRODUCTION ..1 2. DEFINITION OF IDENTITY THEFT.1 3. TYPES OF IDENTITY THEFT3 Exploiting Weakness in Specific Technologies and Information Systems4 Financial Scams..4 As a motive for other crimes.4 Facilitating Other Crimes5 Avoiding Arrest5 Repeat Victimization: fiClassicfl Identity Theft5 Organized Identity Theft.5 4. EXTENT AND PATTERNING OF IDENTITY THEFT7 Sources of Data and Measurement Issues..7 Agency Data..7 Research Studies11 Anecdotes.13 The Extent of Identity Theft13 Distribution in the U.S..19 Geographic patterns.19 Offense-specific patterns..20 Victims 21 Victim demographics..22 Children as victims..22 Deceased as victims.23 Institutional victims.24 The elderly as victims.25 Repeat victimization25 Offenders..26 Offender typology.26 Organizations as offenders27 Relationship between victims and offenders..27 5. THE COST OF IDENTITY THEFT30 Financial costs: Businesses.31 Financial costs: The criminal justice system..32 Financial costs: Individuals.34 Personal costs (non-financial)35 Societal costs..37 6. EXPLAINING IDENTITY THEFT: THE ROLE OF OPPORTUNTIY..38 Identity and its Authentication as the Targets of Theft.39 Identity as a fiHot Productfl.40 Exploiting Opportunities: Techniques of Identity Theft..43 How offenders steal identities.43 How offenders use stolen identities.46 Why Do They Do It?..46 Concealment46 Anticipated rewards.46 A note on motivation..46 NEWMAN AND McNALLY ii
PAGE – 4 ============
CONTENTS (Continued) 7. THE LAW ENFORCEMENT RESPONSE TO IDENTITY THEFT.47 Reporting and Recording of Identity Theft.47 Harm Reduction49 Effective police response.49 Task Forces and Cross Jurisdictional Issues..51 State efforts to address the cross-jurisdictional issues52 Federal efforts to address the cross-jurisdictional issues..53 Attorney General™s Council on White Collar Crime Subcommittee on Identity Theft.54 The Know Fraud initiative..54 The FTC™s Efforts54 Investigation and Prosecution56 State investigation and prosecution..57 Federal investigation and prosecution.60 Sentencing and Corrections 65 8. LEGISLATION..63 State legislation.63 Federal legislation65 9. PREVENTION68 Reducing Opportunity68 Techniques to reduce identity theft 69 The Role of Technology and the fiArms Racefl.71 10. CONCLUSIONS AND RECOMMENDATIONS.73 REFERENCES–79 APPENDIX 1: Descriptions of Identity Theft Data Sources.88 APPENDIX 2: Summary of FTC Consumer Sentinel/Identity Theft Clearinghouse Data..91 APPENDIX 3: Summary of Federal Identity Theft-Related Statutes and State Identity Theft Laws93 APPENDIX 4: Cases of Identity Theft.97 APPENDIX 5: Web pages returned by Google Search on 10/8/04.103 iii
PAGE – 5 ============
EXECUTIVE SUMMARY This review draws on available scientific studies and a variety of other sources to assess what we know about identity theft and what might be done to further the research base of identity theft. Until the federal Identity Theft and Assumption Deterrence Act of 1998, there was no accepted definition of identity theft. This statute defined identity theft very broadly and made it much easier for prosecutors to conduct their cases. However, it was of little help to researchers, because a closer examination of the problem revealed that identity theft was composed of a number of disparate kinds of crimes committed in widely varying venues and circumstances. The majority of States have now passed identity theft legislation, and the generic crime of identity theft has become a major issue of concern. The publicity of many severe cases in the print and electronic media and the portrayal of the risk of identity theft in a number of effective television commercials have made identity theft a crime that is now widely recognized by the American public. The Internet has played a major role in disseminating information about identity theft, both in terms of risks and information on how individuals may avoid victimization. It has also been identified as a major contributor to identity theft because of the environment of anonymity and the opportunities it provides offenders or would-be offenders to obtain basic components of other persons™ identities. The biggest impediment to conducting scientific research on identity theft and interpreting its findings has been the difficulty in precisely defining it. This is because a considerable number of different crimes may often include the use or abuse of another™s identity or identity related factors. Such crimes may include check fraud, plastic card fraud (credit cards, check cards, debit cards, phone cards etc.), immigration fraud, counterfeiting, forgery, terrorism using false or stolen identities, theft of various kinds (pick pocketing, robbery, burglary or mugging to obtain the victim™s personal information), postal fraud, and many others. Extent and Patterning of Identity Theft The best available estimates of the extent and distribution of identity theft are provided by the FTC (Federal Trade Commission) from its victimization surveys and from its database of consumer complaints. The most recent estimate, produced by a study modeled after the FTC’s original 2003 methodology, suggests that 9.3 million adults had been victimized by some form of identity theft in 2004 (BBB 2005), which may represent a leveling off from the FTC’s previous finding of 9.91 million in 2003 (Synovate 2003). While there are some differences in the amount of identity theft according to states and regions and to some extent age, the data available suggest that, depending on the type of identity theft, all persons, regardless of social or economic background are potentially NEWMAN AND McNALLY iv
PAGE – 6 ============
vulnerable to identity theft. This observation applies especially to those types of identity theft that occur when an offender steals a complete database of credit card information for example. However, there is some evidence that individuals are victimized by those who have easy access to their personal information, which may include family members and relatives (access to dates of birth, mother™s maiden name, social security number etc.) or those with whom the victim lives in close contact: college dorms or military barracks, for example. Types and stages of Identity Theft Depending on the definition of identity theft, the most common type of identity theft is credit card fraud of various kinds and there is evidence that the extent of credit card fraud on the internet (and by telephone) has increased because of the opportunities provided by the Internet environment. However, some prefer not to include credit card fraud as fitruefl identity theft, since it may occur only once, and be discovered quickly by the credit card issuing company, often before even the individual card holder knows it. Other types of identity theft such as account takeover are more involved and take a longer time to complete. Three stages of identity theft have been identified. A particular crime of identity theft may include one or all of these stages. Stage 1: Acquisition of the identity through theft, computer hacking, fraud, trickery, force, re-directing or intercepting mail, or even by legal means (e.g. purchase information on the Internet). Stage 2: Use of the identity for financial gain (the most common motivation) or to avoid arrest or otherwise hide one™s identity from law enforcement or other authorities (such as bill collectors). Crimes in this stage may include account takeover, opening of new accounts, extensive use of debit or credit card, sale of the identity information on the street or black market, acquisition (fibreedingfl) of additional identity related documents such as driver™s license, passport, visas, health cards etc.), filing tax returns for large refunds, insurance fraud, stealing rental cars, and many more. Stage 3: Discovery. While many misuses of credit cards are discovered quickly, the ficlassicfl identity theft involves a long period of time to discovery, typically from 6 months to as long as several years. Evidence suggests that the time it takes to discovery is related to the amount of loss incurred by the victim. At this point the criminal justice system may or may not be involved and it is here that considerable research is needed. The recording and reporting of identity theft According to the FTC research, there are differences in the extent to which individuals report their victimization (older persons and the less educated are likely to take longer to report the crime and are less likely to report the crime at all). It also suggests that the longer it takes to discovery, and therefore reporting of the crime to the relevant authority, EXECUTIVE SUMMARY v
PAGE – 8 ============
While considerable research based on case studies has identified the criminogenic elements of the Internet as the prime leader of the information age, there is little information gained directly from offenders as to how exactly they carry out their crimes, and how they identify opportunities for their commission. It is recommended, therefore that studies that interview offenders and their investigators to develop a scripting of the sequences of behaviors and decisions that offenders take in the course of their crimes is essential for developing effective intervention techniques. This approach also will lead to insights as to future ways in which offenders may exploit and identify weaknesses in the information environment. Something like an fiarms racefl is involved between offenders and those trying to thwart them. System interventions and improvements in technology can work wonders for prevention (e.g., passwords for credit cards), but in little time, offenders develop techniques to overcome these defenses. Researching Identity Theft Prevention The research focus recommended is based generally on the situational crime prevention literature and research. This requires the direct involvement of agencies and organizations in addition to, and sometimes instead of, criminal justice involvement. Local police, for example, can do little to affect the national marketing practices of credit card issuing companies that send out mass mailings of convenience checks. Here, interventions at a high policy level are needed, following the lines of a successful program instituted in the U.K. by the Home Office to reduce credit card fraud in the 1990s. However, the strategies and roles of government intervention in business practices — whether by criminal justice agencies or other government agencies Œ are highly complex and necessitate serious research on their own. Experience in other spheres such as traffic safety, car safety and car security and environmental pollution could be brought to bear in developing a strategy for the programmatic reduction of identity theft that involves government agencies and businesses working together. At a local level, research is needed to examine ways to develop programs of prevention in three main areas of vulnerability to identity theft. These are: 1. the practices and operating environments of document issuing agencies (e.g. departments of motor vehicles, credit card issuing companies) that allow offenders to exploit opportunities to obtain identity documents of others, as in Stage 1 of identity theft outlined above; 2. the practices and operating environments of document authenticating agencies that allow offenders to exploit opportunities to use the identities of others either for financial gain or to avoid arrest, or retain anonymity and 3. the structure and operations of the information systems which generally condition the operational procedures of the agencies in (1) and (2). Because the certification of an identity depends on two basic criteria: the unique biological features of that individual (DNA, thumb print etc.) and attachment to those distinct features a history that certifies that the person is who s/he says s/he is. Though EXECUTIVE SUMMARY vii
PAGE – 9 ============
the former is relatively easy, especially with modern technologies now available, the linking of it to an individual™s history (i.e. date and place of birth, marriage, driver™s license, parent™s names etc.) depends on information that accumulates through an individual™s life. Thus, the importance of maintaining careful and secure records of such information both by the individual and by agencies that issue them is essential to secure an identity. It is essential that agencies issuing documentation have in place a systematic and well tried system of establishing an applicant™s identity (i.e. past history) before issuing an additional document of identification. The twin processes of establishing an identity (e.g. issuing a birth certificate) and authenticating an identity (e.g. accepting a credit card at point of sale) are inherently vulnerable to attack for a number of reasons: Old technologies that do not prevent tampering with cards and documents. These are apparent in many departments of motor vehicles across the USA, and the inadequacy of credit cards, though gradually improved over recent years, still fall far short what is technologically possible; Lack of a universally accepted and secure form of ID. While the social security number is universal, is well known that it is not secure. Drivers™ licenses are becoming a universal ID by default, but their technological sophistication and procedures for issuing them vary widely from State to State; Authentication procedures that depend on employees or staff to make decisions about identity. Employees with access to identity related databases may be coerced or bribed or otherwise divulge this information to identity thieves. Many may also lack training in documentation authentication. The availability of information and procedures for obtaining the identities of others. These include, for example the availability of personal information on the Internet free and for sale (e.g. social security numbers), identity card making machines of the same quality of agencies that issue legitimate identity cards, and hacking programs to intercept and break into databases. The ease with which electronic databases of personal information can be moved from one place to another on the Internet, creates the opportunity for hackers (or those obtaining password information from dishonest employees) to steal, hide and sell the numbers on the black market.. The research literature from situational crime prevention on various types of crime (e.g. shoplifting, theft from cars, check fraud) suggests a range of possible interventions that could be applied to counteract many of the above vulnerabilities.. Research on adapting specific interventions in regard to specific modes of identity theft should therefore provide significant indications for effective prevention. Researching Harm and its Reduction Identity theft involves, at a minimum two victims: the individual whose identity is stolen and, in most cases, the financial institution that is duped by the use of the victim™s stolen identity. NEWMAN AND McNALLY viii
PAGE – 10 ============
The issue of reducing harm to individual victims has received much attention in recent years. Congressional hearings and some limited studies of interviews with victims, have exposed the psychological as well as financial suffering of individual victims. The focus has been on local police responses to identity theft which were originally conditioned by their perception that individuals were not the true victims, but that the banks were. Victims had great difficulty in obtaining police reports (as noted above, also caused by cross-jurisdictional problems) and so, without such a report, had great difficulty convincing banks and credit reporting agencies that their identities had been stolen. Steps have been taken by the IACP and other organizations to inform local police about the true suffering of identity theft victims and to introduce reporting and recording rules that will help victims get their police reports. The extent to which this enlightened approach has filtered down to the local police level is yet to be determined and itself is in need of research. In fact, we have extremely little knowledge of what local police departments actually do in response to individuals who report their victimization, There is no systematic information concerning how individual victims fare in the prosecution and disposition of their cases, though we do know that federal, state and multi-agency task forces have cut-off levels for acceptance of cases according to financial loss, time to discovery, and whether there is an organized group involved. We guess that the FBI and US Secret Service between them processed a few thousand cases of identity theft last year. If we guess that there have been similar numbers of cases processed in every state and add in another 50 venues to cover multi-agency task forces and major cities task forces, this would give us on the very high side an estimate of about 303,000 cases. This means that, of the estimated 9.3 million individuals victimized in 2004, some 9 million cases never made it to the criminal justice system. Of those cases that have been processed, available evidence suggests that the majority of such offenders may have been treated leniently by the system Œ particularly before the establishment of fiidentity theftfl as a separate criminal act. A further minority of these offenders continues to perpetrate acts of identity theft against finewfl and fioldfl victims – that is, they use both new personal information and/or the identity for which they had originally been prosecuted to continue victimization while being processed or serving their sentences. The reciprocal element of identity theft has also not been examined. Since banks and card issuers take much of the financial loss, to what extent do victims actually see themselves as victims, and will this affect the steps they may take to avoid being victimized? Obviously, the investigation into this question hinges on the particular type of identity theft: whether the individual is repeatedly victimized by an offender, or whether the victimization is just a one-time event of a lost or stolen credit card that is quickly corrected. These factors may also affect the propensity of individuals to report their victimization and to what agency. There is no research on this or any related issues. The cost of identity theft to business, is generally unknown. Although credit card companies do publish information concerning the cost to them of filost or stolenfl and EXECUTIVE SUMMARY ix
PAGE – 11 ============
ficard not presentfl losses, they do not report their losses concerning other aspects of identity theft, such as the cost of investigating cases, or the cost effectiveness of introducing new security procedures as against taking the losses. There is a serious lack of data on these issues that inhibits research into possible intervention strategies that could reduce the harm. Finally, in a broader sense, the extent of harm done by identity theft to society or to the economy that relies on open markets is yet to be determined. Identity theft is harmful to open markets, because they depend on the very trust that is so obviously violated by identity theft. Since businesses routinely do not report losses resulting from identity theft related crimes to law enforcement agencies, there is the temptation to think of such crimes as not real crimes, but simply a cost of doing business. This issue requires deeper consideration, particularly as it speaks directly to the question of the sharing of responsibility between law enforcement and business for the prevention and reduction of harm done to society by this crime. NEWMAN AND McNALLY x
57 KB – 114 Pages