.inbox2 2read computer-crime computer-security confidentiality crime eca fraud graziadio_bsm490 id identity identity+theft identity-theft identity_theft identity_theft2 identitytheft identy_theft idtheft internet_safety issue l4l liars privacy privicy research roubo_de_identidade security theft 6

My tags:

From Wikipedia, the free encyclopedia

It has been suggested that Ghosting (identity theft) be merged into this article or section. (Discuss)

It has been suggested that Wireless Identity Theft be merged into this article or section. (Discuss)

This article or section has multiple issues. Please help improve the article or discuss these issues on the talk page. It may contain original research or unverifiable claims. Tagged since September 2007.

Identity theft is a crime used to refer to fraud that involves someone pretending to be someone else in order to steal money or get other benefits. The term is relatively new and is actually a misnomer, since it is not inherently possible to steal an identity, only to use it. The person whose identity is used can suffer various consequences when he or she is held responsible for the perpetrator's actions. In many countries specific laws make it a crime to use another person's identity for personal gain.

Identity theft is somewhat different from identity fraud, which is related to the usage of a 'false identity' to commit fraud. Identity theft means impersonating a real person.

Contents 1 Types 2 Elaboration 2.1 Financial identity theft 2.2 Identity cloning and concealment 2.3 Criminal identity theft 2.4 Synthetic identity theft 2.5 Medical identity theft 3 Techniques for obtaining personal information 4 Individual identity protection 5 Identity protection by organizations 6 Regional Legal responses 6.1 Australia 6.2 Canada 6.3 France 6.4 Hong Kong 6.5 India 6.6 United Kingdom 6.7 United States 7 Spread and impact 8 Famous Identity Thieves 9 Cultural references 10 See also 11 References 12 External links

[edit] Types

According to the non-profit Identity Theft Resource Center^[1] and other sources, identity theft can be sub-divided into five categories:

• business/commercial identity theft (using another's business name to obtain credit)
• criminal identity theft (posing as another when apprehended for a crime)
• financial identity theft (using another's identity to obtain goods and services)
• identity cloning (using another's information to assume his or her identity in daily life)
• medical identity theft (using another's information to obtain medical care or drugs)

Identity theft may be used to facilitate crimes including illegal immigration, terrorism, and espionage. Identity theft may also be a means of blackmail. There are also cases of identity cloning to attack payment systems, including online credit card processing and medical insurance^[2].

Some individuals may impersonate others for non-financial reasons - for instance, to receive praise or attention for the victim's achievements. This is sometimes referred to as identity theft in the media.^[3]

[edit] Elaboration

[edit] Financial identity theft

There are two basic versions of financial identity theft:

1. Victim Established Accounts Accessed The perpetrator pretends to be an existing account holder in order to obtain funds from the legitimate bank account of the victim. This involves obtaining one or more identity token (plastic card, paper check, deposit slip, PIN code, card number, identifying personal data, etc.) then using the ID token to access funds via one or more delivery system (branch teller, ATM, retail cashier, telephone banking, etc.). If debits (withdrawals, purchases, or checks) are made against the impersonated person's real accounts, that person will need to notify the bank that the debits are not legitimate and request reversal. At the extreme, the perpetrator may take over control of the account by rerouting statements to a new address. This is known as "account takeover" and opens the account to rapid abuse.

2. Perpetrator Established Accounts The perpetrator establishes new accounts using someone else's identity or a made-up identity. Typically the intent is to utilize someone else's good credit history to obtain funds (credit cards or loans) or a checking account which can be overdrafted.

A classic example of credit-dependent financial crime (bank fraud) occurs when a criminal obtains a loan from a financial institution by impersonating someone else. The criminal pretends to be the victim by presenting an accurate name, address, birth date, or other information that the lender requires as a means of establishing identity. Even if this information is checked against the data at a national consumer reporting agency, the lender will encounter no concerns, as all of the victim's information matches the records. The lender has no easy way to discover that the person is pretending to be the victim, especially if an original, government-issued id can't be verified (as is the case in online, mail, telephone, and fax-based transactions). This kind of crime is considered non-self-revealing, although authorities may be able to track down the criminal if the funds for the loan were mailed to them. The criminal keeps the money from the loan, the financial institution is never repaid, and the victim is wrongly blamed for defaulting on a loan he/she never authorized.

An account established by a perpetrator can be abused by passing bad checks, and "busting out" a checking or credit account with bad checks, counterfeit money orders, or empty ATM envelope deposits. If checks are written against fraudulently opened checking accounts, the person receiving the checks will suffer the financial loss. However, the recipient might attempt to retrieve money from the impersonated person by using a collection agency. This action would appear in the victim's credit history until it was shown to be fraud.

In most cases the financial identity theft will be reported to the national Consumer credit reporting agency or Credit bureaus (U.S.) as a collection or bad loan under the impersonated person's record. The victim may discover the incident by being denied a loan, by seeing the accounts or complaints when they view their own credit history, or by being contacted by creditors or collection agencies. The victim's credit score, which affects one's ability to acquire new loans or credit lines, will be adversely affected until they are able to successfully dispute the fraudulent accounts and have them removed from their record.

[edit] Identity cloning and concealment

In this situation, a criminal acquires personal identifiers, and then impersonates someone for the purpose of concealment from authorities. This may be done by a person who wants to avoid arrest for crimes, by a person who is working illegally in a foreign country, or by a person who is hiding from creditors or other individuals. Unlike credit-dependent financial crimes, concealment can continue for an indeterminate amount of time without ever being detected. Additionally, the criminal might attempt to obtained fraudulent documents or IDs consistent with the cloned identity to make the impersonation even more convincing and concealed.

[edit] Criminal identity theft

When a criminal identifies himself to police as another individual it is sometimes referred to as "Criminal Identity Theft." In some cases the criminal will obtain a state issued ID using stolen documents or personal information belonging to another person, or they might simply use a fake ID. When the criminal is arrested for a crime, they present the ID to authorities, who place charges under the identity theft victim's name and release the criminal. When the criminal fails to appear for his court hearing, a warrant would be issued under the assumed name. The victim might learn of the incident if the state suspends their own drivers license, or through a background check performed for employment or other purposes, or in rare cases could be arrested when stopped for a minor traffic violation.

It can be difficult for a criminal identity theft victim to clear their record. The steps required to clear the victim's incorrect criminal record depend on what jurisdiction the crime occurred in and whether the true identity of the criminal can be determined. The victim might need to locate the original arresting officers, or be fingerprinted to prove their own identity, and may need to go to a court hearing to be cleared of the charges. Obtaining an expungement of court records may also be required. Authorities might permanently maintain the victim's name as an alias for the criminal's true identity in their criminal records databases. One problem that victims of criminal identity theft may encounter is that various data aggregators might still have the incorrect criminal records in their databases even after court and police records are corrected. Thus it is possible that a future background check will return the incorrect criminal records.^[4]

[edit] Synthetic identity theft

A variation of identity theft which has recently become more common is synthetic identity theft, in which identities are completely or partially fabricated. The most common technique is combining a real social security number with a name and birthdate other than the ones associated with the number. Synthetic identity theft is more difficult to track, as it doesn't show on either person's credit report directly, but may appear as an entirely new file in the credit bureau or as a subfile on one of the victim's credit reports. Synthetic identity theft primarily harms the creditors that unwittingly grant the fraudsters credit. Consumers can be affected if their names become confused with the synthetic identities, or if negative information in their subfiles impacts their credit.^[5]

[edit] Medical identity theft

Medical identity theft occurs when someone uses a person's name and sometimes other parts of their identity -- such as insurance information -- without the person's knowledge or consent to obtain medical services or goods, or uses the person’s identity information to make false claims for medical services or goods. Medical identity theft frequently results in erroneous entries being put into existing medical records, and can involve the creation of fictitious medical records in the victim’s name. ^[6]

[edit] Techniques for obtaining personal information

In most cases, a criminal needs to obtain personally identifiable information or documents about an individual in order to impersonate them. They may do this by:

• Stealing mail or rummaging through rubbish containing personal information (dumpster diving)
• Retrieving information from redundant equipment, like computer servers that have been disposed of carelessly, e.g. at public dump sites, given away without proper sanitizing etc.
• Researching about the victim in government registers, internet search engines, or public records search services.
• Stealing payment or identification cards, either by pickpocketing or surreptitiously by skimming through a compromised card reader
• Remotely reading information from an RFID chip on a smart card, RFID-enabled credit card, or passport
• Eavesdropping on public transactions to obtain personal data (shoulder surfing)
• Stealing personal information from computers and computer databases (Trojan horses, hacking and Zero day attacks)
• Data breach that results in the public (i.e. posted on the internet) or easily-obtainable (i.e. printed on a mailing label) display of sensitive information such as a Social Security number or credit card number.
• Advertising bogus job offers (either full-time or work from home based) to which the victims will reply with their full name, address, curriculum vitae, telephone numbers, and banking details
• Infiltration of organizations that store large amounts of personal information
• Impersonating a trusted company/institution/organization in an electronic communication to promote revealing of personal information (phishing)
• Obtaining castings of fingers for falsifying fingerprint identification.
• Browsing social network (MySpace, Facebook, Bebo etc) sites, online for personal details that have been posted by users
• Changing your address thereby diverting billing statements to another location to either get current legitimate account info or to delay discovery of fraudulent accounts.
• Using false pretenses to trick a business (usually through a customer service representative) into disclosing customer information (pretexting)

[edit] Individual identity protection

The acquisition of personal identifiers is made possible through serious breaches of privacy. For consumers, this is usually due to personal naiveté about who they provide their information to. In some cases the criminal obtains documents or personal identifiers through physical theft (e.g. vehicle break-ins and home invasions). Guardianship of personal identifiers by consumers is the most common intervention strategy recommended by the US Federal Trade Commission, Canadian Phone Busters and most sites that address identity theft. Personal guardianship issues include recommendations on what consumers may do to prevent their information getting into the wrong hands.

The strongest protection against identity theft is not to identify at all - thereby ensuring that information cannot be reused to impersonate an individual elsewhere. As such, identify theft is often a question of too little privacy or too much identification. Many activities and organizations in a modern society require people to provide personal identifiers (Social Security number, national identification number, drivers license number, credit card number, etc), and in some cases the knowledge of personal identifiers is treated as proof of identity. This is sometimes done as a convenience or to enable transactions by telephone or the internet, however it can also make it more difficult for individuals to protect themselves from identity theft.

To protect an individuals from online identity theft by phishing, hacking or Zero day attacks online consumers are advised by e-retailers to ensure their computer security and [|operating systems] are fully up-to-date.

In some cases an identity thief will attempt to impersonate a deceased individual. Frequently credit checks or other types of verification are not cross referenced with death certificates, so the crime may go unchecked for some time unless the deceased's family detects it and takes steps to prevent further fraud.^[7]

In recent years, many commercial identity theft protection services have been started by companies in the United States. These services purport to help protect the individual from identity theft or help detect that identity theft has occurred in exchange for a monthly or annual membership fee.^[8] The services typically work either by setting fraud alerts on the individual's credit files with the three major credit bureaus or by setting up credit report monitoring with the credit bureaus. While identity theft protection services have been heavily marketed, their value has been called into question.^[9]

[edit] Identity protection by organizations

In their May 1998 testimony before the United States Senate, the Federal Trade Commission (FTC) discussed the sale of Social Security numbers and other personal identifiers by credit-raters and data miners. The FTC agreed to the industry's self-regulating principles restricting access to information on credit reports.^[10] According to the industry, the restrictions vary according to the category of customer. Credit reporting agencies gather and disclose personal and credit information to a wide business client base.

Poor stewardship of personal data by organizations, resulting in unauthorized access to sensitive data, can expose individuals to the risk of identity theft. The Privacy Rights Clearinghouse has documented over 900 individual data breaches by US companies and government agencies since January 2005, which together have involved over 200 million total records containing sensitive personal information, many containing social security numbers.^[11] Poor corporate diligence standards which can result in data breaches include:

• failure to shred confidential information before throwing it into dumpsters
• failure to ensure adequate network security
• the theft of laptop computers or portable media being carried off-site containing vast amounts of personal information. The use of strong encryption on these devices can reduce the chance of data being misused should a criminal obtain them.
• the brokerage of personal information to other businesses without ensuring that the purchaser maintains adequate security controls
• Failure of governments, when registering sole proprietorships, partnerships, and corporations, to determine if the officers listed in the Articles of Incorporation are who they say they are. This potentially allows criminals access to personal information through credit-rating and data mining services.

The failure of corporate or government organizations to protect consumer privacy, client confidentiality and political privacy has been criticized for facilitating the acquisition of personal identifiers by criminals.^[12]

Using various types of biometric information, such as fingerprints, for identification and authentication has been cited as a way to thwart identity thieves, however there are technological limitations and privacy concerns associated with these methods as well.

[edit] Regional Legal responses

[edit] Australia

In Australia, each state has enacted laws that dealt with different aspects of identity or fraud issues.

On the Commonwealth level, under the Criminal Code Amendment (Theft, Fraud, Bribery & Related Offences) Act 2000 which amended certain provisions within the Criminal Code Act 1995,

“

135.1 General dishonesty (3) A person is guilty of an offence if: a) the person does anything with the intention of dishonestly causing a loss to another person; and b) the other person is a Commonwealth entity. Penalty: Imprisonment for 5 years.

”

Likewise, each state has enacted their own privacy laws to prevent misuse of personal information and data. Federal Privacy Act is applicable only to Commonwealth and ACT government agencies.

[edit] Canada

Under the section 403 of the Criminal Code of Canada,

“

Every one who fraudulently personates any person, living or dead, (a) with intent to gain advantage for himself or another person, (b) with intent to obtain any property or an interest in any property, or (c) with intent to cause disadvantage to the person whom he personates or another person, is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years or an offence punishable on summary conviction.[13]

”

In Canada, Privacy Act (federal legislation) covers only federal government, agencies and crown corporations. Each province and territory has its own privacy law and privacy commissioners to limit the storage and use of personal data. For the private sector, the purpose of the Personal Information Protection and Electronic Documents Act ( 2000, c. 5 ) (known as PIPEDA) is to establish rules to govern the collection, use and disclosure of personal information; except for the provinces of Quebec, Ontario, Alberta and British Columbia were provincial laws have been deemed substantially similar.

[edit] France

In France, a person convicted of identity theft can be sentenced up to five years in prison and fined up to €75,000.[2]

[edit] Hong Kong

Under HK Laws. Chap 210 Theft Ordinance, sec. 16A Fraud

“

(1) If any person by any deceit (whether or not the deceit is the sole or main inducement) and with intent to defraud induces another person to commit an act or make an omission, which results either- (a) in benefit to any person other than the second-mentioned person; or (b) in prejudice or a substantial risk of prejudice to any person other than the first-mentioned person, the first-mentioned person commits the offense of fraud and is liable on conviction upon indictment to imprisonment for 14 years.

”

Under the Personal Data (Privacy) Ordinance, it established the post of Privacy Commissioner for Personal Data and mandate how much personal information one can collect, retain and destruction. This legislation also provides citizens the right to request information held by businesses and government to the extent provided by this law.

[edit] India

Under the Information Technology Act 2000 Chapter IX Sec 43 (b)

“

If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network, (b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium; he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

”

^[14]

[edit] United Kingdom

In the United Kingdom personal data is protected by the Data Protection Act 1998. The Act covers all personal data which an organization may hold, including names, birthday and anniversary dates, addresses, telephone numbers, etc.

Under English law (which extends to Wales but not necessarily to Northern Ireland or Scotland), the deception offences under the Theft Act 1968 increasingly contend with identity theft situations. In R v Seward (2005) EWCA Crim 1941^[15] the defendant was acting as the "front man" in the use of stolen credit cards and other documents to obtain goods. He obtained goods to the value of £10,000 for others who are unlikely ever to be identified. The Court of Appeal considered sentencing policy for deception offenses involving "identity theft" and concluded that a prison sentence was required. Henriques J. said at para 14:"Identity fraud is a particularly pernicious and prevalent form of dishonesty calling for, in our judgment, deterrent sentences."

Increasingly, organizations, including Government bodies will be forced to take steps to better protect their users' data^[16].

[edit] United States

The increase in crimes of identity theft lead to the drafting of the Identity Theft and Assumption Deterrence Act.^[17] In 1998, The Federal Trade Commission appeared before the United States Senate.^[18] The FTC discussed crimes which exploit consumer credit to commit loan fraud, mortgage fraud, lines-of-credit fraud, credit card fraud, commodities and services frauds. The Identity Theft and Assumption Deterrence Act (2003)[ITADA] amended U.S. Code Title 18, § 1028 ("Fraud related to activity in connection with identification documents, authentication features, and information"). The statute now makes the possession of any "means of identification" to "knowingly transfer, possess, or use without lawful authority" a federal crime, alongside unlawful possession of identification documents. However, for federal jurisdiction to prosecute, the crime must include an "identification document" that either: (a) is purportedly issued by the United States, (b) is used or intended to defraud the United States, (c) is sent through the mail, or (d) is used in a manner that affects interstate or foreign commerce. See 18 U.S.C. § 1028(c). Punishment can be up to 5, 15, 20, or 30 years in federal prison, plus fines, depending on the underlying crime per 18 U.S.C. § 1028(b). In addition, punishments for the unlawful use of a "means of identification" were strengthened in § 1028A ("Aggravated Identity Theft"), allowing for a consecutive sentence under specific enumerated felony violations as defined in § 1028A(c)(1) through (11).

The Act also provides the Federal Trade Commission with authority to track the number of incidents and the dollar value of losses. There figures relate mainly to consumer financial crimes and not the broader range of all identification-based crimes.^[19]

If charges are brought by state or local law enforcement agencies, different penalties apply depending on the state.

Six Federal agencies conducted a joint task force to increase the ability to detect identity theft. Their joint recommendation on "red flag" guidelines is a set of requirements on financial institutions and other entities which furnish credit data to credit reporting services to develop written plans for detecting identity theft. These plans must be adopted by each organization's Board of Directors and monitored by senior executives.^[20]

Identity theft complaints as a percentage of all fraud complaints decreased from 2004-2006.^[21] The Federal Trade Commission reported that fraud complaints in general were growing faster than ID theft complaints.^[21]The findings were similar in two other FTC studies done in 2003 and 2005. In 2003, 4.6 percent of the US population said they were a victim of ID theft. In 2005, that number had dropped to 3.7 percent of the population.^[22][23] The Commission's 2003 estimate was that identity theft accounted for some $52.6 billion of losses in the preceding year alone and affected more than 9.91 million Americans.^[24]; the figure comprises $47.6 billion lost by businesses and $5 billion lost by consumers.

According to the Federal Trade Commission (FTC), a report released in 2007 revealed that 8.3 million American adults, or 3.7 percent of all American adults, were victims of identity theft in 2005.^[25]

Two states, California and Wisconsin have created an Office of Privacy Protection to assist their citizens in avoiding and recovering from identity theft. ^[26][27]

[edit] Spread and impact

Surveys in the USA from 2003 to 2006 showed a decrease in the total number of victims and a decrease in the total value of identity fraud from US$47.6 billion in 2003 to $15.6 billion in 2006. The average fraud per person decreased from $4,789 in 2003 to $1,882 in 2006.

The 2003 survey from the Identity Theft Resource Center found that:

• Only 15% of victims find out about the theft through proactive action taken by a business
• The average time spent by victims resolving the problem is about 330 hours
• 73% of respondents indicated the crime involved the thief acquiring a credit card
• The emotional impact is similar to that of victims of violent crimes

In a widely publicized account,^[28] Michelle Brown, a victim of identity fraud, testified before a U.S. Senate Committee Hearing on Identity Theft. Ms. Brown testified that: "over a year and a half from January 1998 through July 1999, one individual impersonated me to procure over $50,000 in goods and services. Not only did she damage my credit, but she escalated her crimes to a level that I never truly expected: she engaged in drug trafficking. The crime resulted in my erroneous arrest record, a warrant out for my arrest, and eventually, a prison record when she was booked under my name as an inmate in the Chicago Federal Prison."

In Australia, identity theft was estimated to be worth between AUS$1billion and AUS$4 billion per annum in 2001.^[29]

In the United Kingdom the Home Office reported that identity fraud costs the UK economy £1.2 billion annually^[30] (experts believe that the real figure could be much higher)^[31] although privacy groups object to the validity of these numbers, arguing that they are being used by the government to push for introduction of national ID cards. Confusion over exactly what constitutes identity theft has led to claims that statistics may be exaggerated.^[32]

[edit] Famous Identity Thieves

• Radovan Karadžić
• Jocelyn Kirsch and Edward Anderton

[edit] Cultural references

The public fascination with impostors has long had an effect on popular culture and extends to modern literature, and cinema ^[33].

• The story of Michelle Brown has been made into a film.^[34]
• In Frederick Forsyth's novel The Day of the Jackal the would-be assassin of General de Gaulle steals three identities. Firstly, he assumes the identity of a dead child by obtaining the child's birth certificate and using it to apply for a passport. He also steals the passports of a Danish clergyman and an American tourist, and disguises himself as each of those persons in turn. The assumption of a dead person's identity is now generally known as "Jackal Fraud".^[35]
• In the 1995 movie The Net, Sandra Bullock plays a computer consultant whose life is taken over with the help of computer assisted identity theft.
• In Jonathan Smith's novel Night Windows the action is based on the horrific and real life theft of Smith's own identity.
• In the webcomic Kevin and Kell the character Danielle Kindle dies and is later "replaced" by a double from a parallel world. After an attempt at taking over her predecessor's identity, Danielle Kendall confesses her true nature and gets accepted by the predecessor's family - if not by all the readers.
• T. Coraghessan Boyle's 2006 novel Talk Talk describes the theft of Dana Halter's identity, and her and Martin Bridger's chase of the thief across the country.
• In Susan Schaab's novel Wearing the Spider a female attorney gets caught in a web of sexual harassment, identity theft and political intrigue.
• In the Family Guy episode "Back to the Woods", James Woods, having gotten his hands on Peter's wallet, steals Peter's identity, so Peter retaliates by stealing Woods' identity and angering people.
• In Harry Potter and the Goblet of Fire, Barty Crouch Jr. steals the identity of Mad-Eye Moody.
• In The Talented Mr. Ripley novel (1955) and movie (1999), After murdering Greenleaf, Ripley assumes his identity, living off the latter's allowance.
• In Gattaca (1997). Vincent borrows the identity of another person in a society analyzes people’s DNA.

[edit] See also

2007 UK child benefit data misplacement Bank fraud Capgras delusion Credit card fraud Check fraud Check washing Fair and Accurate Credit Transactions Act Fair Credit Billing Act Fair Credit Reporting Act

Identity document forgery Impostor Identity fraud Lapsed lurker Pharming Phishing RFID Spam

[edit] References

[edit] External links

• Dateline NBC investigation 'To Catch an ID Thief'
• Downloadable identity theft curriculum for educators
• Identity theft at the Open Directory Project
• Identity Theft – Carnegie Mellon University
• Identity theft – United States Federal Trade Commission
• Identity Theft: A Research Review, National Institute of Justice 2007
• Identity Theft and Fraud – United States Department of Justice
• The President’s Task Force on Identity Theft - a government task force established by US President George W. Bush to fight identity theft.
• Get ID Smart 'Public service site offering free prevention tips'
• "Transcript of Attorney General Alberto R. Gonzales and FTC Chairman Deborah Platt Majoras Announcing the Release of the President's Identity Theft Task Force". US Department of Justice. April 23, 2007. http://www.usdoj.gov/ag/speeches/2007/ag_speech_0704231.html. Retrieved on 2007-04-24. 

v • d • e Types of crime Note: Crimes vary by jurisdiction. Not all types are listed here. Classes Infraction · Misdemeanor · Felony · Summary · Indictable · Hybrid Against the person Assault · Battery · Extortion · Harassment · Kidnapping · Identity theft · Manslaughter (corporate) · Murder · Rape · Robbery · Sexual assault Against property Arson · Blackmail · Burglary · Deception · Embezzlement · False pretenses · Fraud · Handling · Larceny · Theft · Vandalism Against public order Drug possession Against the state Tax evasion · Espionage · Treason Against justice Bribery · Misprision of felony · Obstruction · Perjury · Malfeasance in office Inchoate offenses Accessory · Attempt · Conspiracy · Incitement · Solicitation · Common purpose WikiSource · Wikimedia Commons · Wikiquote · Wikinews