You don’t have to lose your wallet or purse to have bank accounts emptied or credit ruined by identity theft, something surveys say happens to at least 10 million U.S. residents each year. The U.S. government says such fraud cost American consumers and businesses 53 billion dollars in 2002, the latest year for which figures are available.
Nearly anyone can be victimized despite taking common-sense precautions such as destroying papers containing identification information before throwing them away. As Bruce Schneier, founder of CounterPane Internet Security points out, people everywhere are vulnerable.
“We are seeing these fraud rings operating globally. They’re stealing information from people in the United States, Europe and Asia. They’re using them to siphon money from accounts. Because the Internet is so global, the problem becomes global very quickly,” he says.
Another security consultant, Ed Neumann with Javelin Strategies outlines the two major forms of fraud perpetrated against identity theft victims. “There’s ‘existing account’ fraud where a criminal will capture a credit card number or other information and begin using that. The more insidious type is ‘new account fraud’ where a fraudster [i.e. someone who commits fraud] uses information to create a whole new account with a whole new address, etc. And, it takes far longer to clean up.”
Identity theft, also called identity fraud, is used for more than stealing goods and money. Mari Frank, an attorney in San Diego, California who herself was a victim of identity fraud, says false identities can enable dangerous people to slip past immigration controls and other security.
“The 9 -11 terrorists, every single one of them," she says "had some false documents. And, over half of them had taken over a complete other identity so that they could get into the country without anyone knowing who they are.”
U.S. immigration authorities have begun using new ways of identifying people - so called ‘biometrics’ - that use unique identification characteristics such as fingerprints and the iris of the human eye. But Mari Frank says even this information can be stolen from a database and misused. “Even with a piece of your body such as your fingerprint, that can be corrupted unless we really safeguard this information and encrypt it,” she says.
Many security consultants say the trend of consolidating databases into huge centralized files makes it easier to commit identity theft and fraud. It is these databases, according to security consultant Bruce Schneier, that are the main problem. He explains why a person’s efforts to ensure that sensitive information is never thrown away or accessible cannot provide complete protection.
“Two years ago," he says "I would tell people to shred their trash, that identity thieves are going through the trash and stealing personal information that they can use to impersonate you. That doesn’t happen anymore. Identity thieves are getting the data wholesale, tens-and-hundreds-of-thousands of names at a time, from data brokers, from credit card companies and from merchants.”
Linda Foley, co-founder of the privately-run Identity Theft Resource Center in San Diego, worries that these databases are too accessible. She says they are even for sale to people with no legitimate reason to have the personal information of others. “How hard is it to go to one of the [Internet] websites and buy information?" she says, adding "Those who want this information know what street corners to go to in every major city.”
Nearly all security consultants, including Ed Neumann at Javelin Strategies, say the weakest link in protecting personal data is a bad employee at a company that uses these databases. “We’ve found that very few companies are safeguarding it against employees. They’ve done a fair amount of erecting ‘firewalls’ and other safety mechanisms from outsiders ‘hacking’ in. But they’re not doing enough to safeguard employee access.”
Ed Neumann and others say that companies should set up strong internal controls regarding data access. He says there is no reason why a customer service worker, for instance, should be able to see a person’s entire file with all of its sensitive information. Most security consultants also recommend that companies set up a logging system so there is a record of every time a person’s data is accessed and by whom.
But security consultants say getting companies to put strong controls in place may not happen until countries pass laws that require them. A law they say that’s a move in the right direction is the European Union’s Data Protection Act. The problem, many consultants say, is that corporations often lobby politicians to keep such controls from being imposed in an effort to reduce costs and maintain profits. Meanwhile, the personal information of millions of people around the world continues to be stolen and misused.