Identity theft

Identity theft is a form of fraud or cheating of another person's identity in which someone pretends to be someone else by assuming that person's identity, typically in order to access resources or obtain credit and other benefits in that person's name. The victim of identity theft (here meaning the person whose identity has been assumed by the identity thief) can suffer adverse consequences if he or she is held accountable for the perpetrator's actions. Organizations and individuals who are duped or defrauded by the identity thief can also suffer adverse consequences and losses, and to that extent are also victims.

The term identity theft was coined in 1964 and is actually a misnomer because it is not literally possible to steal an identity as such - more accurate terms would be identity fraud or impersonation or identity cloning, but identity theft has become commonplace.

"Determining the link between data breaches and identity theft is challenging, primarily because identity theft victims often do not know how their personal information was obtained," and identity theft is not always detectable by the individual victims, according to a report done for the FTC. Identity fraud is often but not necessarily the consequence of identity theft. Someone can steal or misappropriate personal information without then committing identity theft using the information about every person, such as when a major data breach occurs. A US Government Accountability Office study determined that "most breaches have not resulted in detected incidents of identity theft". the report also warned that "the full extent is unknown". A later unpublished study by Carnegie Mellon University noted that "Most often, the causes of identity theft is not known," but reported that someone else concluded that "the probability of becoming a victim to identity theft as a result of a data breach is ... around only 2%". More recently, an association of consumer data companies noted that one of the largest data breaches ever, accounting for over four million records, resulted in only about 1,800 instances of identity theft, according to the company whose systems were breached.

Techniques for obtaining and exploiting personal information for identity theft

Identity thieves typically obtain and exploit personally identifiable information about individuals, or various credentials they use to authenticate themselves, in order to impersonate them. Examples include:

Rummaging through rubbish for personal information (dumpster diving)

Retrieving personal data from redundant IT equipment and storage media including PCs, servers, PDAs, mobile phones, USB memory sticks and hard drives that have been disposed of carelessly at public dump sites, given away or sold on without having been properly sanitized

Using public records about individual citizens, published in official registers such as electoral rolls

Stealing bank or credit cards, identification cards, passports, authentication tokens ... typically by pickpocketing, housebreaking or mail theft

Skimming information from bank or credit cards using compromised or hand-held card readers, and creating clone cards

Using 'contactless' credit card readers to acquire data wirelessly from RFID-enabled passports

Observing users typing their login credentials, credit/calling card numbers etc. into IT equipment located in public places (shoulder surfing)

Stealing personal information from computers using malware, particularly Trojan horse keystroke logging programs or other forms of spyware

Hacking computer networks, systems and databases to obtain personal data, often in large quantities

Exploiting breaches that result in the publication or more limited disclosure of personal information such as names, addresses, Social Security number or credit card numbers

Advertising bogus job offers in order to accumulate resumes and applications typically disclosing applicants' names, home and email addresses, telephone numbers and sometimes their banking details

Exploiting insider access and abusing the rights of privileged IT users to access personal data on their employers' systems

Infiltrating organizations that store and process large amounts or particularly valuable personal information

Impersonating trusted organizations in emails, SMS text messages, phone calls or other forms of communication in order to dupe victims into disclosing their personal information or login credentials, typically on a fake corporate website or data collection form (phishing)

Brute-force attacking weak passwords and using inspired guesswork to compromise weak password reset questions

Obtaining castings of fingers for falsifying fingerprint identification ... or famously using gummy bears to fool low quality fingerprint scanners

Browsing social networking websites for personal details published by users, often using this information to appear more credible in subsequent social engineering activities

Diverting victims' email or post in order to obtain personal information and credentials such as credit cards, billing and bank/credit card statements, or to delay the discovery of new accounts and credit agreements opened by the identity thieves in the victims' names

Using false pretenses to trick individuals, customer service representatives and help desk workers into disclosing personal information and login details or changing user passwords/access rights (pretexting)

Stealing cheques (checks) to acquire banking information, including account numbers and bank routing numbers

Guessing Social Security numbers by using information found on Internet social networks such as Facebook and MySpace

Types

Sources such as the non-profit Identity Theft Resource Center sub-divide identity theft into six categories:

Criminal identity theft (posing as another person when apprehended for a crime)

Financial identity theft (using another's identity to obtain credit, goods and services)

Identity cloning (using another's information to assume his or her identity in daily life)

Medical identity theft (using another's identity to obtain medical care or drugs)

Child identity theft

Identity theft may be used to facilitate or fund other crimes including illegal immigration, terrorism, and espionage. There are cases of identity cloning to attack payment systems, including online credit card processing and medical insurance.

Identity thieves occasionally impersonate others for non-financial reasons—for instance, to receive praise or attention for the victim's achievements.

Identity cloning and concealment

In this situation, the identity thief impersonates someone else in order to conceal their own true identity. Examples might be illegal immigrants, people hiding from creditors or other individuals, or those who simply want to become "anonymous" for personal reasons. Unlike identity theft used to obtain credit which usually comes to light when the debts mount, concealment may continue indefinitely without being detected, particularly if the identity thief is able to obtain false credentials in order to pass various authentication tests in everyday life.

Criminal identity theft

When a criminal fraudulently identifies himself to police as another individual at the point of arrest, it is sometimes referred to as "Criminal Identity Theft." In some cases criminals have previously obtained state-issued identity documents using credentials stolen from others, or have simply presented fake ID. Provided the subterfuge works, charges may be placed under the victim's name, letting the criminal off the hook. Victims might only learn of such incidents by chance, for example by receiving court summons, discovering their drivers licenses are suspended when stopped for minor traffic violations, or through background checks performed for employment purposes.

It can be difficult for the victim of a criminal identity theft to clear their record. The steps required to clear the victim's incorrect criminal record depend on what jurisdiction the crime occurred in and whether the true identity of the criminal can be determined. The victim might need to locate the original arresting officers and prove their own identity by some reliable means such as fingerprinting or DNA fingerprinting, and may need to go to a court hearing to be cleared of the charges. Obtaining an expungement of court records may also be required. Authorities might permanently maintain the victim's name as an alias for the criminal's true identity in their criminal records databases. One problem that victims of criminal identity theft may encounter is that various data aggregators might still have the incorrect criminal records in their databases even after court and police records are corrected. Thus it is possible that a future background check will return the incorrect criminal records. This is just one example of the kinds of impact that may continue to affect the victims of identity theft for some months or even years after the crime, aside from the psychological trauma that being 'cloned' typically engenders.

Synthetic identity theft

A variation of identity theft which has recently become more common is synthetic identity theft, in which identities are completely or partially fabricated. The most common technique involves combining a real social security number with a name and birthdate other than the ones associated with the number. Synthetic identity theft is more difficult to track as it doesn't show on either person's credit report directly, but may appear as an entirely new file in the credit bureau or as a subfile on one of the victim's credit reports. Synthetic identity theft primarily harms the creditors who unwittingly grant the fraudsters credit. Individual victims can be affected if their names become confused with the synthetic identities, or if negative information in their subfiles impacts their credit ratings.

Medical identity theft

Medical identity theft occurs when someone uses a person's name and sometimes other parts of their identity—such as insurance information—without the person's knowledge or consent to obtain medical services or goods, or uses the person’s identity information to make false claims for medical services or goods. Medical identity theft frequently results in erroneous entries being put into existing medical records, which may in turn lead to inappropriate and potentially life-threatening decisions by medical staff.

Child identity theft

Child identity theft occurs when a minor’s Social Security number is used by another person for the imposter’s personal gain. The imposter can be a family member, a friend, or even a stranger who targets children. The Social Security numbers of children are valued because they do not have any information associated with them. Thieves can establish lines of credit, obtain driver’s licenses, or even buy a house using a child’s identity. This fraud can go undetected for years, as most children don’t discover the problem until years later. Child identity theft is fairly common, and studies have shown that the problem is growing. The largest study on child identity theft, as reported by Richard Power of the Carnegie Mellon Cylab with data supplied by AllClear ID, found that of 40,000 children 10.2% were victims of identity theft.