This research paper explores the tactics of identity thieves, common prevention techniques, and most especially the prevalence of identity theft. Identity theft is an alarmingly common crime. Though it may sometimes be conflated with the idea of a major data breach such as experienced at Target or Macy’s in recent years, identity theft takes many different forms and it does not at all rely on specialized technical or computer science knowledge. Media attention tends to focus on these large-scale data breaches but as prevalent are the lesser known but more pervasive “low-tech” methods of identity theft which continue to put citizens at risk.
Identity theft is often a crime which conjures up images of clandestine hackers using specialized software and hardware to intrude upon the private networks of citizens in order to steal their information and then use it to purchase goods or otherwise gain some financial advantage. It is a serious problem, with identity theft expert Rob Douglas claiming that some fifteen million people each year fall victim to identity theft (Identity Statistics, 2016, para 1). To put that in perspective, violent crimes in the US “hover somewhere between one and one and a half million each year (Common, 2016, para 1). Douglas notes that the financial losses of identity theft victims each year tends to exceed fifty billion dollars, which means that “approximately 7% of all adults have their identities misused with each instance resulting in approximately $3,500 in losses” (para 2). Yet, a keen grasp on networks, software, hacking, and other computer specific-activities is not needed in order to steal and misuse someone’s identity. Identity theft occurs simply with the “right” information getting into the “wrong” hands. And while digitization and an increasingly digitally ubiquitous world certainly make more information digitally accessible, identity theft is a crime which can be committed without access to a computer. While electronic and cyber-regulations may help to mitigate cyber-crimes, identity theft is not, of itself, a cybercrime, and therefore, cannot be comprehensively combatted only with electronic efforts.
Identity theft “begins when someone takes your personally identifiable information… without your knowledge or permission, for their personal financial gain” (CIMIP, 2016, para 1). Not all scholars agree on what types of stolen information constitute identity theft, but most are virtually agreed that any combination of the following would typically, or at least usually, be enough to commit identity theft: Credit card numbers, CW2 numbers, Credit Reports, Social Security Numbers, Driver’s License Numbers, ATM numbers, Telephone calling cards, mortgage details, Date of birth, Passwords and PINs, Home address, and phone numbers (cited in Hadayati, 2012, p. 2). While a computer hacker may have a distinct advantage in leveraging cyber-space to his advantage in securing any of these bits of information, a computer is not absolutely necessary in order to secure any of them. Concurrently, identity theft is not a cyber-space problem but an information security problem.
Far be it from the scope of this paper to de-emphasize the importance of proper network and cyber-security and regulation in the prevention of fraud and identity theft. The follow section will provide a general literature review on different types of identity theft, including those committed through primarily electronic or cyber mediums. Cyber-security is incredibly important because information is undoubtedly becoming more and more digitized; the key is to remember that information is information—and information is what is required to steal an identity. The delivery method, whether electronic, paper, or otherwise, does not change the sense of urgency needed in protecting personal information to avoid identity theft.
The CIMIP notes that credit and debit card theft are a type of fraud. There are a variety of different ways that a credit card can be stolen—some are non-technological, such as loaning it to a friend or family member who then uses it illicitly, having is stolen from your personal belongings without your knowledge, misplacing it in a public place, having it forcibly stolen, etc. In fact, most of the ways that credit and debit card theft occur—or at least many of the ways—do not rely on any specialized technology nor any technological knowledge. Some exceptions exist, of course, such as fraudulent websites soliciting payment (CICMP Sec. 7 para 5).
In order to prevent credit card theft, it is likewise not necessary to be a technophile. As simple as it sounds, simply keeping one’s credit card on one’s person, and always aware of its location, is really the best way to prevent credit card theft. Avoiding giving credit card information over the phone, especially in public (CICMP Sec. 7 para 5) is also recommended, as is writing “CID” on the back of one’s credit card rather than signing one’s name, which indicates that the merchant is required to request further identification before processing a payment (CICMP Sec. 7 para 1). But with the exception of fraudulent e-commerce sites, none of the usual tactics for stealing credit or debit cards rely on any specialized computer knowledge, and nor does protecting one’s credit or debit card.
These tactics are all, more or less, exclusively electronic. Phishing schemes can occur in a variety of different ways. Generally, “phishing… is a means by which identity thieves assume the identity of a corporation or organization in order to solicit personally identifiable information from individuals” (cited in Finklea, 2014, p. 27). The classic example is an email which appears to be from a reputable and oft-patronized company like Apple or eBay, and the email requests that the receiver reply with their credit card information to verify a purchase. For this reason, such companies tend to have notices in their privacy policies about how they will never solicit such information, even by email, from customers—this serves as a way to inform customers about when to be suspicious about an email they receive.
Pharming, Vishing, and SMSishing are all variations on Phishing. Pharming is when hackers “tamper with a website host file or domain name system so that the URL address requests are rerouted to a fake or spoofed website created by the hacker to capture personal identifying information from victims” (CICMP Sec. 10 para 1). Vishing is a variation on phishing which relies on “voice” interactivity (e.g., over the telephone) where the caller poses as a representative of an official organization in an effort to retrieve the victim’s information, and SMSishing is when text messages are sent to prospective victims who, when replying, are at minimum already giving their phone number and possibly more information to the SMSisher (CICMP Secs. 11 & 12, paras 1).
All of the different variations of phishing are exclusive to the cyber domain, and this is one area where there is no substitute for cyber-vigilance. Techniques for avoiding phishing scams include general vigilance and skepticism; when receiving an unsolicited email, potential victims can hover over links to ensure that the URL is what it says it is; victims can demand credentials from vishers and for SMSishers, the best course of action is to never reply, but to use a different medium to research the claims of the texter to see if the company conducts business that way. In each instance, it’s typically advisable to delete such messages and to notify the companies allegedly represented, as well as local Internet/cell phone service providers.
Skimming is related but distinct from credit card and debit card theft. While credit and debit card theft are, strictly speaking, not reliant on any particular form of technology to commit the theft, skimming is a very specific application of technology that steals credit and debit card information. According to CICMP, “the theft occurs when the device which reads your credit card information from the magnetic strip on the back of the card records you’re the information the card’s the card’s code numbers to another electronic storage device” (Sec. 9 para 1). This particular tactic is incredibly difficult to detect because there’s no real way to ever know whether it’s happening, though such recording devices would most commonly be installed on ATMs or used by merchant clerks. CICMP recommends regular checks of one’s credit reports to help identify any unauthorized purchases, though it may already be “too late” in such instances to stop serious damage from occurring. Like phishing variations, this is an exclusively technological tactic that relies on specialized hardware and computer knowledge.
Having surveyed the few types of cyber-exclusive identity theft tactics, our attention turns back to those tactics which do not rely on any technological know-how. Undoubtedly, a computer-sciences background will certainly broaden the identity thief’s options for stealing your identity, but it’s important to demystify the notion that identity theft is preventable so long as a person is “careful online.” Most identity thieves are not computer scientists, and most identity theft does not rely on electronic means.
Dumpster diving and mail theft are two ways that identity thieves can easily steal sensitive information. Credit card statements, hospital bills, etc.—anything with personally identifiable information that’s been thrown away can be leveraged by an identity thief. Similarly, mail theft is another tactic which requires virtually no resources; mail theft “occurs when someone targets your mailbox and removes mail that has pertinent information [credit card bills, bank statements, etc.] on it” (CICMP Sec 2 para 3). In both cases, the only thing required by the thief is a very basic level of adult-agility and a knowledge of what they’re looking for. There is no specialized training or industrial know-how required to sift through someone’s mail or garbage to retrieve sensitive information.
Social engineering is not, of itself, preclusive to online activities. Social engineering is a more technical term for a “con game” where someone (a thief) attempts to gain the confidence of some gate keeper (de facto or de jure) in order to gain access to something which they would not normally have access to. A quintessential example is a con man loitering outside a secured building, then approaching an employee and claiming that he’s lost his security badge and is asking to get back in. Of course, this can happen also online or over the telephone, but interpersonal actions tend to carry with them cues and subtle indications that are more impactful than online interactions (Cocking and Matthews, 2001). A skilled interpersonal conman can easily succeed at social engineering, and only his charms and wits are necessary—not an IT background.
Shoulder surfing is not quite as bold as social engineering, but it is as deceitful. Shoulder surfers simply aim to get within a close enough proximity to steal personally identifiable information; this could be as crude as simply peering over a shoulder to get a glimpse of a credit card number or an address on a medical bill, or as advanced and premeditated as setting up secret and hidden cameras in order to capture certain types of information (CICMP Sec. 4 para 2). In either event, like social engineering, should surfing tend to occur in broad daylight and “in plain view.”
Finally, there’s simple theft of personal items. This can occur virtually anywhere, anytime, and be committed by any one. Similar to strict credit and debit card theft, the theft of personal items (especially those containing personal information like bills, bank statements, etc.) can give an identity thief more than enough information to cause damage. There can be overlap between technical and non-technical theft of personal items; for instance, a stolen phone could then be used to look up electronically compromising information. But whatever the case may be, the theft of personal information itself is another tactic which relies not on cyber subterfuge but simply in being in the right place at the right time.
All of these non-technological tactics used to gain the requisite information to commit identity theft are difficult to prevent. Certainly, general vigilance can be useful—keeping distance from potential shoulder-surfers in public, being suspicious and judicious to avoid being socially engineered, and making sure that any physical items with personally identifiable information are effectively destroyed and rendered illegible before being disposed can all help mitigate the chance of a would-be identity theft securing sensitive information. But non-digital information is decentralized and difficult to track—especially as we become more and more accustomed to relying on digital means in order to disseminate and control our information, which is far more centralized. And the impression that identity theft is an “online problem” certainly doesn’t help the case, possibly leading victims to believe that so long as they are careful “online” they needn’t be vigilant “in real life.”
Identity theft is already prominent, but its incidence is growing. According to Portland State University (2011), the reason for the growth is simple: identity theft is extremely hard to detect, prevent, and prosecute (p. 1). It might reason that the growth of identity theft, coinciding with the growing use and accessibility of electronic tools like smartphones, is due to the increased digitization of information. This is true to an extent—a cybercriminal who would be interested in identity theft, just not in dumpster diving, now has an appropriate and comfortable medium by which to commit his crime. But the problem runs much deeper. Douglas notes that while
The sophistication level of professional identity thieves involved in organized crime continues to grow… At the same time, basic methods of identity theft continue unabated. From stealing wallets and purses, to dumpster diving and stealing mail, to the use of pretext and social engineering to deceive customer call centers into releasing personal account information, the original methods of identity theft still work. (Statistics, para 4).
In fact, while identity theft involves the misuse of someone’s information without permission for financial gain, it should not be thought that the only financial gain secured by identity theft is strictly monetary. Identity theft now includes theft of cell and landline phone service; cable and satellite television service; power, water, gas and electric service; Internet payment service; medical insurance; home mortgages and rental housing; automobile, boat and other forms of financing and loans; and, government benefits. (Douglas, para 5).
The Department of Justice chronicles a variety of different notable cases that occurred recently where the object of identity theft was not strict cash or a debit/credit balance: car loans, bankruptcy in the name of the victim, fraudulent car titles, and other more “creative” and obfuscated, difficult to track means to securing financial gain all fall within the domain of identity theft (Sec. 4, paras 1-5).
Naturally the question is raised: who commits crimes of identity theft? If identity theft is not primarily the domain of cyber-criminal technophiles who know how to code, program, and have specialized knowledge about how to manipulate and leverage common software, then whose domain is it? Copes, Kerley, Huff, and Kane (2010) note that despite suggestions that “the Internet has become the new international war zone [and that] a “cyber security czar” is necessary for national security… the available research on where offenders get information suggests that the vast majority of them do not use the Internet” (p. 1051). Gordon et al.’s (2007) study found that just under ten percent of identity thieves relied exclusively on the Internet to commit their crimes, and just under twenty percent used the Internet at all to commit their crimes (cited in Copes et al., p. 1051). And these statistics are only taking into account identity theft whose object is direct monetary gain (leaving aside mortgage fraud, tax fraud, and other popular “mail theft” targets of fraud).
With this in mind, the notion that identity theft is something which only—or mainly—happens in cyber space should be easily suppressed. However, it would be a false dichotomy to present only two possible types of identity thieves: dumpster-divers and crypto-hackers. The spectrum of identity thieves leaves plenty of room for a middle ground between the clandestine cyber-criminal who never meets, sees, or thinks of his victims in anything other than bits and bytes, and the varying levels of vagrants who shuffle through trash to find poorly shredded bank statements. Technological advances have made it easier for non-technophiles and casual technologists to use technology to commit identity theft. For instance, Dean, Buck, and Dean remark at how the technologically adept and advanced hacking efforts of few have opened a variety of opportunities for non-technical identity thieves to use technology in their crimes; speaking of the hacker group anonymous who facilitate data breaches and then publish the information retrieved in the breach, “any person who wants to attempt identity theft [how has] a shot at accomplishing this goal” (p. 4). In a similar vein, Nate Anderson, deputy editor at Ars Technica, “with little to no experience cracking passwords… was able to crack over 8,000 passwords by the end of the day through a little reading and help from the Internet” (cited in Dean, Buck, and Dean, para 4).
Resultantly, while more low-tech techniques are still by far the preferred methods of identity thieves at large, this is a trend that may change. Heyadati notes that “the variety of techniques to acquire personal information, and amount of profit reflect the level of motivation, expertise, and commitment of fraudsters” (p. 10) and that “social and technological factors are major motives for perpetrators. These two factors are tied together and increase the identity theft” (p. 10). What we may soon be facing is an increase in high-tech identity theft as low-tech identity thieves become more and more comfortable with the tools at their disposal. Heyadati continues, “it is anticipated that identity thieves move towards using new techniques to obtain personal information particularly in online environment[s]” (p. 10) because “emerging new technology and the lack of enough people’s knowledge about how to protect their personal information motivates fraudsters” (p. 10).
The more motivated and enterprising of identity thieves who are currently using low-tech means may soon (or may have already) begin to make the switch from sifting through mail, shoulder-surfing, and social engineering to some of the more “entry level” high-tech methods such as doxing or password cracking tools. While the majority of identity thieves are not using such techniques currently, as more and more consumers begin to go paperless and to continue digitizing their information, it will be “necessary” for identity thieves to adjust and to adapt to the new market conditions of their criminal industry.
Copes, H. et al. (2010). Differentiating Identity Theft: An Exploratory Study of Victims using a national Victimization Survey. Journal of Criminal Justice (38). [.pdf file].
Cocking, D. & Matthews, S. (2001). Unreal Friends. Ethics and Information Technology (2). [.pdf file].
Criminology and Criminal Justice Senior Capstone, Prevention of Identity Theft: A Review of the Literature. (2011). Portland State University Commons. Criminology and Criminal Justice Senior Capstone Project. Paper 10. [.pdf file].
Dean, P.C., Buck, J. & Dean, P. (n.d.). Identity Theft: A situation of Worry. Journal of Academic and Business Ethics. [.pdf file].
Douglas, R. (2016). Identity Theft Victim Statistics. Identity Theft and Scam Prevention. Retrieved from http://www.identitytheft.info/victims.aspx
Findlea, K. (2014). Identity Theft: Trends and Issues. Congressional Research Service. [.pdf file].
Hedayati, A. (2012). An Analysis of Identity Theft: Motives, related frauds, techniques and prevention. Journal of Law and Conflict Resolution 4(1). [.pdf file].
Identity Theft. (2016). United States Department of Justice. Retrieved from https://www.justice.gov/criminal-fraud/identity-theft/identity-theft-and-identity-fraud
Most Common Schemes. (2016). Center for Identity management and Information Protection. Retrieved from http://www.utica.edu/academic/institutes/cimip/idcrimes/schemes.cfm
What are the most Common Crimes in the United States? (2016). Criminal Justice Hub. Retrieved from http://www.criminaljusticedegreehub.com/what-are-the-most-common-crimes-in-the-united-states/