Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Tuesday, November 15, 2005

ID Theft Numbers May Be Misleading

You can almost hear the maniacal laughter.  By some measures, one in five Americans has been hit.  Another common statistic is that 10 million people fall victim every year.  Making matters even scarier, new laws in California and other states have forced companies to essentially tell all U.S. consumers when their personal data have been compromised—even if the files have not actually been maliciously used.  In response, Congress is considering bills to restrict the flow of personal information.  And identity theft monitoring services have sprung up that can cost consumers well over $100 a year.  But while it’s certainly important to be vigilant against this potentially devastating crime, it also appears identity theft is too broadly defined and often misunderstood.  As a result, some experts say, lawmakers and companies might be misdirecting their anti-fraud energies.  Overly fearful consumers could be unecessarily avoiding doing business on the Web.

Too often overlooked, many analysts argue, are savvy “synthetic” fraud schemes that frequently don’t directly victimize individual consumers.

By some estimates, this accounts for three-quarters of the money stolen by identity crooks.  “There’s a lot of fraud that is not being identified as fraud, not being measured accurately,” said Anne Wallace, executive director of the Identity Theft Assistance Center, an industry-funded group that helps victims resolve fraud problems for free.

To understand the risks we really face, it’s worth analyzing the statistics.  Multiple surveys have found that around 20 percent of Americans say they have been beset by identity theft.  The Identity Theft and Assumption Deterrence Act of 1998 defines it as the illegal use of someone’s “means of identification”—including a credit card.  So if you lose your card and someone else uses it to buy a candy bar, technically you have been the victim of identity theft.

In both cases, the survey didn’t ask whether a faulty memory or a family member—rather than a shadowy criminal—turned out to be to be the culprit.

When Chubb’s report asked whether people had suffered the huge headache of finding that someone else had taken out loans in their name, 2.4 percent—one in 41 people—said yes.

So what about the claim that 10 million Americans are hit every year, a number often used to pitch credit monitoring services?  Perhaps some people decide that raising a stink over a wrongful charge isn’t worth the trouble.  Even so, the finding made the overall validity of the data seem questionable to Fred Cate, an Indiana University law professor who specializes in privacy and security issues.  After all, identity theft remains widespread even by conservative measurements.  And companies that handle our personal information still could go to greater lengths to protect it—often simply by encrypting their files.

Posted on 11/15