Identity theft has become the fastest-growing type of fraud across Europe and the US, and already costs a country like Germany or France more than £1.3 billion ($2.6 billion) a year. For individuals, the main impact of identity theft is likely to be the unauthorised use of one or more of their existing credit card accounts. Such crimes can normally be detected by the identity owner within a matter of weeks following receipt of their next statement – assuming that the individual regularly checks it.
However, in the event that the stolen identity information is used to create a new account, it may not be possible for the identity owner to detect any offence for some time. In many such cases, account statements will have been redirected to an address selected by the thief. The owner will only become aware of the activity when either the credit card company debtors or bailiffs contact them to settle the debt-ridden account – or when legitimate future credit applications made by the person fail.
While credit card customers are generally only liable for the first £50 of unauthorised transactions, the harm to a person’s credit rating, their inability to carry out domestic business – as well as efforts to put things right – can be far more damaging and long-lasting to the individual.
The cost of identity theft – in terms of paying for fraudulently obtained goods – is most likely to be claimed against the relevant retailers by the credit card issuer. Indirect costs to business include reduced levels of sales through eCommerce channels due to continuing concerns over security and privacy of the internet and, when news about identity thefts are published, any named company may have its reputation damaged as a result.
In the UK, the Home Office reported identity theft statistics that included over 3,000 driving tests that were terminated due to concern over the identity of candidates, 1,500 fraudulent passport applications, and over 500 cases of identity fraud identified by the Benefits Agency.
In more extreme cases of identity theft, such as identity cloning, the importer uses the victim’s information to establish a new life. Examples include illegal immigrants, criminals avoiding warrants, people hiding from abusive situations or other instances where becoming a ‘new person’ would be advantageous to them.
Corporate identity theft allows criminals to order goods or obtain services from suppliers on company accounts or to conduct industrial sabotage. For the company that becomes the target of this activity, there would be an impact of direct financial losses of misappropriated services or goods, possible fines resulting from breach of regulatory rules and, significantly, loss of actual and potential customers resulting from harm to the company’s reputation.
Company directors have a duty to exercise control and, in the event of them breaching their responsibilities, they may be liable for disqualification from being a director. In the case of stolen corporate identity being used to obtain confidential company information, there could be a loss of competitive or marketing advantage, loss of staff morale and also public confidence. It’s important to note that ‘insiders’ carry out the majority of identity theft and fraud involving companies.
Threats and vulnerabilities
There are a huge number of threats and vulnerabilities to systems that have given rise to the increase in significance of identity theft in recent years.
Internal attacks on systems: The storage of large numbers of individual’s personal records on eCommerce sites presents a clear risk to the identity of the customers or subscribers involved. Credit card details – including expiry dates, which can allow ‘card not present’ purchases to be undertaken – as well as passwords and other personal identifying information offer the identity thief a variety of opportunities for misuse.
Earlier this year, bulk disclosure of personal information from the computer system of a North American insurance company followed the theft of a computer disk drive. The paperback-sized, 30GB drive went missing from the organisation’s supposedly secure computing facility. The drive was recovered but unsurprisingly the data it contained had been overwritten.
Police believe an employee of the company stole the drive for personal use. One of the most widely known and published incidents of identity theft involved an employee of a US company that supplied banks with credit reports from many of the large credit agencies. He used confidential computer passwords and subscriber codes to access and download the credit reports of more than 30,000 consumers during a three-year period. The employee provided the stolen codes to external co-conspirators who were willing to pay up to $60 per credit report.
Increased use of mobile devices: Many millions of people now rely on PDAs for electronic scheduling and address books as well as storing passwords and codes for their online banking accounts. However, very few individuals carry sufficient security protection to prevent identity theft if the handheld device is lost or stolen – and such loss is commonplace.
Of the users who store their bank account details on a PDA, it has been estimated that around two thirds do not encrypt this information, with just under a quarter failing even to implement password protection. Further revealing statistics indicate that around six percent of users have lost PDAs in the past, but 32 percent of those still continue to use them without a password.
Online scams: There have been a great many reported cases where individuals have been enticed, by email, into disclosing sensitive and personal information such as passwords by clever social engineering trickery. The substantial torrent of spam now produced worldwide has included a number of such scams.
In a recent case, a teenager was charged with using spam emails and a fake web page from a well-known ISP to trick people into divulging credit card information. The emails told recipients they needed to update their ISP billing information and instructed them to click on a hyperlink connected to a billing centre. In fact, the link diverted people to a fake website – similar in appearance to the legitimate one – containing the company’s logo and links to real ISP web pages.
The targets of the scam were instructed to enter their credit card numbers, along with their mothers’ maiden names, billing addresses, social security numbers, personal identification numbers and ISP log-on names and passwords. The information that was derived was subsequently used to steal thousands of dollars.
Poor password management: A username and password required to access a free website, such as an online news site, is of limited immediate value in itself. But many users tend to re-use passwords, and those same credentials may be valid for giving access to confidential, web-based email and providing access to information at electronic banking and other eCommerce sites.
There’s even a good chance that the password is identical to the user’s corporate network login. So identity information obtained from one source may have a much bigger impact on its owner when used in different circumstances.
Loss of privacy online: Individuals who register or subscribe to services from websites, or who run file or plug-in downloads, run the risk of giving away more personal information than they realise – and to parties that they are not even aware of. Any activity in which identity information is shared or made available to others creates an opportunity for identity theft.
The majority of these risks relate to loss of privacy – revealing interests and purchasing trends for the benefit of marketing organisations. In some cases, however, theft of identity can result when information submitted to a website run by an unscrupulous organisation is passed on to a dishonest third party.
Web mechanisms including cookies, adware and web bugs may all be misused to achieve this loss of privacy, and ultimately identity theft.
Confidential documentation theft: Dumpster diving – involving the searching of waste bins for confidential information that has been discarded – has been identified in a recent survey as a major source of identity theft.
According to research carried out by Fellowes, businesses are becoming easy victims of corporate identity fraud.
Last year’s research showed that:
• 79 percent of businesses sampled had not made any effort to destroy sensitive material that was thrown away or prepared for recycling
• Only four percent had successfully destroyed all sensitive information
• 30 percent of businesses threw away information that would be advantageous to their competitors
• 40 percent of businesses threw away sensitive client information, including home addresses, phone numbers and photocopies of passports
• 30 percent of businesses threw away personal information relating to employees, including home contact details.
Companies can put measures in place to make it harder for criminals to use their organisation for criminal activity. Many of the rules that apply to individuals can be adapted to protect companies.
Steps for businesses to consider include:
Check identity: Always check the identity of your customers, both businesses and consumers. Credit reference agencies offer a wide range of solutions to authenticate and verify the identity of customers to ensure that they exist and are who they say they are.
Document procedures: Having a well formulated document disposal policy in place, and adhering to it, is the first crucial step in protecting your business and employees from identity fraud.
Store sensitive documents: Lock away sensitive documents in a safe place and limit access to these documents to the staff who really need them. Fellowes has produced an R-Kive Record Management handbook detailing how companies can store sensitive information safely, which offers useful tips and hints, including legal requirements relating to document retention.
Limit access: Make sure that only key members of staff have access to highly sensitive documents, to ensure information doesn’t fall into the wrong hands.
Shred all documents: Businesses have a duty of care to protect their customers’ and employees’ information. Shredding information is the best way to dispose of documents securely and to ensure that criminals cannot gain access to sensitive company details fraudulently. Confetti cut shredders provide greater security by cutting paper into small confetti-like particles and also reduce bulk waste.
Inform staff: Informing staff about the risks of corporate identity fraud will ensure that they remain vigilant. Ensure your document disposal policy is communicated to all employees. Caution them about the risk of giving out company information online or over the phone without first checking to whom they are giving the information.
Reduce the risk of electronic hijacking: Businesses must be responsible for ensuring that firewall and anti virus software is kept up-to-date. This way staff can securely open legitimate email attachments for viewing.