Confusion about identity theft is growing at a faster rate than the actual incidence of the crime, clouding the true causes and consequences to individuals and enterprises.
That’s according to two experts, one American and one Canadian, who weigh in with some facts and observations to help explode some popular misconceptions.
A central issue is “definition creep” around what actually constitutes identity theft. The term is now being used to sex up crimes reported in the media that were considered plain ordinary fraud in the past. “Whereas before it was just someone forging cheques, suddenly this is being described as identity theft. The public is confused,” says Paul K. Wing, a Toronto-based privacy and security expert and co-author of Protecting Your Money, Privacy & Identity from Theft, Loss & Misuse.
True identity theft occurs when a thief appropriates a victim’s personal identity facts – social insurance number (SIN), date of birth, mother’s maiden name, and so on – to assume that identity and to conduct a range of transactions in that person’s name, he says. “That is different from someone using personal account information such as a credit card number to make an unauthorized transaction,” he says.
This definition problem is corroborated by research conducted by the Ponemon Institute, a privacy research think-tank based in Elk Rapids, Mich. The Institute conducts consumer perception studies in the U.S. every month by polling about 600 respondents to track changes in the public’s privacy concerns. Based on these studies, about nine million Americans classify themselves as victims of identity theft, says Larry Ponemon, chairman of the Ponemon Institute.
But when follow-up studies are done to track the reality of identity theft against the perception, that number falls dramatically. “When we ask them questions about the nature of the fraud, only about two million people would fall into the category of true identity theft victims,” says Ponemon. Many people are self-reporting one-off incidences of credit card or even cell phone fraud as identity theft, he says.
This definition problem feeds into another issue, the misperception that the incidence of identity theft is increasing exponentially. “We have no evidence that there’s an epidemic,” says Ponemon, adding that growth has been stable over the past three years. “The overall percentage increase has been fairly constant, going neither up nor down significantly.”
Both experts agree that Internet use is not a big factor in identity theft. “Based on our findings, offline activities are the primary sources of identity theft. Things like dumpster diving are still very common and lead to identity theft more frequently than online sources like spyware,” says Ponemon, adding that “friendly fraud” – identity theft perpetrated by family and friends – is also quite common. However, phishing is a fast-growing online source of identity theft, accounting for about 20-25 per cent of incidences.
Wing agrees but qualifies the role the Internet plays. While it may not be the primary source for disclosing or acquiring personal information, he says, it is the medium where that information can be abused to maximum advantage. “The Web makes it easier for fraudsters to masquerade as the victim facelessly and anonymously.”
Another misconception is that losses are borne solely by the victims of identity theft. Financial losses are usually absorbed by their financial institutions, says Ponemon, but meaningful average total losses for identity theft are difficult to compute. “In fraudulent credit card use, the cost to the victim is zero, since it is typically absorbed by the financial institution. But full-blown identity theft, which can cause complete financial meltdown, can run into tens of thousands of dollars – and financial institutions don’t redress that.”
This is because the non-financial impact of identity theft can be extremely severe. Criminal identity theft, the most common non-financial type, occurs when an identity thief commits a crime but gives a victim’s identity information to law enforcement when arrested. These victims will have an erroneous credit history and a criminal record that is often expensive and time-consuming to correct.
In Canada, losses tend to be smaller compared with American victims, according to Wing. He points out that Canada’s business and privacy environment is different from the U.S., and this may play a role in the crime’s impact on victims. A key difference is that use of the SIN as an identifier is restricted to income-related situations only in Canada.
But in the U.S., the equivalent social security number (SSN) is used as a universal identifier in much wider circumstances: drivers’ licences, resum