Identity theft has been the fastest growing crime in this countryand many othersfor many years. Studies by the Federal Trade Commision (FTC) indicate that the rate of identity theft growth has slowed, but that the volume of identity crimes continues so that one out of every three families has been affectedand identity theft wasnt even considered a federal crime until 1998!1
In a case of identity theft, an imposter steals or otherwise obtains key pieces of others personal or financial information, such as Social Security number, drivers license or bank account information, in order to impersonate the victim(s). The stolen information is used to create a phony persona and commit various fraudulent activities, resulting in personal financial gain at the expense of the victim.
One of the scariest things about identity theft and its derivative crimes is that it can be committed from anywhere in the world. There is no face-to-face confrontation between victims and perpetrators. But, the good news is that some progress is being made: Individuals, employers, and federal, state, and local governments have finally become aware of the seriousness of these crimes and our vulnerability to them.
This article focuses on both the individual and the employer as victimsbut, national security should not be overlooked when it comes to understanding the seriousness of the threats to, and possible compromise of, our information systems.
ID theft can be committed through sophisticated or unsophisticated methods. Despite your best efforts to protect your personal information, thieves still have a wide arsenal of methods to gain access to your data.
Here are a few scenarios on how your information may be stolen through identity theft:
They get information from businesses or other institutions by stealing company records or information, bribing an employee who has access to these records, hacking into company systems or by conning information out of employees.
Thieves may steal your mailincluding bank and credit card statements, credit card offers, new checks and tax information. They may rummage through your trash, your offices trash, or public trash dumps, in a practice known as dumpster diving.
They may obtain your credit reports by abusing their companys authorized access to them, or by posing as a landlord, employer, or another person who has a legal right to access your report.
They may steal your credit or debit card numbers by capturing the information in a data storage device, in a practice known as skimming. They may swipe your card for an actual purchase, or attach the device to an ATM machine or gas pump where you need to swipe your card.
Or, identity thieves may take a different route. They may steal your wallet or purse. They may steal personal information they find in your home. They may steal personal information from you through e-mail or phone by posing as legitimate companies and claiming that you have a problem with your account. This practice is known online as phishing, or pretexting by phone.
They may call your credit card issuer to change the billing address on your credit card account, in order to run up a charge without your being aware of it. Because your bills are then sent to a different address, it may be some time before you realize theres a problem.
They may open new credit card accounts in your name. When they use the credit cards and dont pay the bills, the delinquent accounts are reported on your credit report, lowering your score and ruining your credit. (In an attempt to restrict such illegal actions, many, if not all, credit card companies and banks now utilize security features such as additional passwords and security questions to verify the identity of the person requesting account information or modification.)
Or, they may establish phone or wireless services in your name. They may open a bank account and write bad checks on itall in your name. They may counterfeit checks or credit or debit cards or authorize electronic transfers, and drain your bank account. They may file for bankruptcy under your name to avoid paying the debts theyve incurred or to avoid eviction.
Where to Go for Help
The Federal Trade Commission (FTC) produces a booklet, available online, to help remedy the effects of identity theft. It describes what steps you can take, your legal rights, how to handle specific problems you may encounter on the way to clearing your name, and what to watch out for in the future.
The Federal Trade Commissions ID Theft Web site: www.ftc.gov/bcp/edu/microsites/idtheft/
The Privacy Rights Clearinghouse: www.privacyrights.org/identity.htm
Identity Theft and Your Social Security Number, Social Security Administration: www.ssa.gov/pubs/10064.html
They may buy a car by taking out an auto loan. They may get identification, such as a drivers license, issued with their picture but your name. They may get a job or file fraudulent tax returns in your name.
They may give your name to the police during an arrest. And, if they dont show up for their court date, a warrant for arrest is issued in your name.
Not too many years ago, an employee of the Illinois Human Services Department stole personnel data, including Social Security numbers, from thousands of state workers and used the information to open credit card accounts. Hundreds of thousands of dollars were charged in employees names. This scenario, sadly, is becoming more and more common.
Large corporations and government agencies are often the victims, but small employers need to be just as alert. Personal records and other proprietary information can be profitable to employees and others who cant resist temptation and have been allowed easy access to this sensitive information.
The single best preventive recommendation I can give to employers: Know whom you hire. If potential employees job responsibilities will grant them access to your assets, do a thorough background check before hiring them. (See How to Deal with Sticky-Fingered Staff, February 15, 2008.)
Many identity theft experts have suggested for years that identity theft was being committed more often by employees than by outsiders, especially when identity information comes from computer files.
Judith Collins, Ph.D., a Michigan State professor in the department of criminal justice, estimated that as much as 70% of all identity theft starts with theft of personal data from a company by an employee.2 In the 1,037 cases studied, Dr. Collins traced the crime back to its origins and found that a company employee pilfered the victims identity in at least 50% of cases. And, her evidence strongly suggested the involvement of an insider in another 20% of the cases studied.
Dr. Collins suggested that the theft of information could become (if its not already) the third largest expense to the employer after payroll and health care.
Companies and employers must examine or create policies to deal with identity theft. One only needs to read the headlines over the past couple of years to find cases in which employees have sued corporations for negligence after personal information was lost because of weak security efforts on the part of the employer.
Fortunately, identity theft problems and risks in the workplace are starting to get more attention by governing bodies as well.
One great resource for employers concerning insider threat and the protection of computerized systems is given at the U.S. Secret Service Web site. In August 2004, the U.S. Secret Services
This report focuses on those people who have had access to and have perpetrated harm by using information systems in the banking and finance sector, which includes credit unions and financial institutions. It identifies the physical and online behaviors and communications that insiders engaged in before such incidents, as well as how the incidents were eventually executed, detected, and the insider identified.
The study was designed to develop information to help private industry, government and law enforcement better understand, detect and ultimately prevent harmful insider activity. Various proactive practices are among the suggestions offered by the report.
A "Red Flag to Pay Attention To
You may be a creditor. If so, you may have to institute identity theft programs in your practice. Then again, you have a few months to find out and do something about it.
e-mail RedFlags@ftc.gov. The text of the Red Flags Rule is available in the November 9, 2007, Federal Register: www.ftc.gov/os/fedreg/2007/november/071109redflags.pdf (The guidelines are on pages 63773 and 63774).
1. Federal Trade Commission. FTC will grant six-month delay of enforcement of Red Flags Rule requiring creditors and financial institutions to have identity theft prevention programs. Available at: www.ftc.gov/opa/2008/10/redflags.shtm (Accessed December 12, 2008).
2. Sorrel AM. Caught unaware, doctors get delay in FTC enforcement of ID theft rules. Amer Med News 2008 Nov 3; 51(41):1-2.
What the Employer Can Do
The Insider Threat Study report states that insider attacks can only be prevented through a layered defense strategy consisting of policies, procedures, and technical controls.
Organizations should provide training programs that create a culture of security that is appropriate for them and that includes all personnel. Each must train its members about malicious employee actions on customer data and service, including a confidential means of reporting security issues with appropriate follow-up to security reports.
Separation of duties and remote access monitoring should be explained. While employee alertness is key to detecting many insider attacks, several cases have been detected because of abnormal system activity (including changes in system configuration and illicitly escalated user privileges).
Employees should be notified that system activity is monitored, especially system administration, privileged and remote activity.
All employees should be trained in their personal responsibility, such as protection of their own passwords and work products.
Also, password protection and change policies should be instituted and enforced, in order to reduce the likelihood of another employee accessing a computer.3
Likewise, when an employee is let go from the company, his or her access to any of the systems, e-mail, or other accounts should be terminated immediately.3
A safe system through which employees can report any concerns or suspicious behavior could also be beneficial.
For example, if a coworker attempts to discover someones password, create an unnecessarily shared account, gain access to accounts and systems beyond the scope of their responsibilities, bypass technical safeguards or firewalls or disregard acceptable use policies, this behavior should be reported to a superior in a manner that is safe, anonymous and trustworthy.3
But, the trust in such an arrangement must go two waysone, it can not be abused by the superior who receives the report, and two, the employee making the report must not be doing so with malicious intent.
In 61% of cases studied by the Secret Service, the insider in a theft was detected by non-security personnel, including customers (35%), supervisors (13%) and other employees (13%).3
What You Can Do
As an employee, you can help reduce the rise of insider threat by honestly reporting any suspicious event without malicious intent.
The insider in an insider threat within a company has no real demographic profile. The ages of various perpetrators studied ranges from late teens to retirement and included both men and women.3 They were programmers, graphic artists, system and network administrators, managers and executives. They were currently employed or recently terminated employees, contractors and temporary employees.
Identify possible malicious insiders by behavior, not by stereotypical characteristics. For example, behaviors that should be a source of concern include making threats against the organization, bragging about the damage one could do to the organization, or discussing plans to work against the organization.
Also of concern are attempts to gain other employees passwords and to fraudulently obtain access through trickery or exploitation of a trusted relationship.
There are many ways that you can protect yourself against identity theft outside the professional sphere as well.
For example, ensuring that your computer is securely firewalled will prevent hackers from stealing information from your hard drive.
Or, when shopping online, verify that the retailer uses secure encryption to keep your credit card information private.
More guidelines on protecting yourself can be found at the
A Federal Response
In October 2008, the Presidents Identity Theft Task Force released a strategic plan. The plan recommends the use of all available tools, from enhanced consumer and business education, to better data security and consumer authentication, to expanded resources for victim recovery, to increased training and support for our foreign law enforcement partners, to more certain and stronger punishment for perpetrators.
Specifically, the strategic plan recommends that federal departments and agencies make improvements in four key areas:
- Protecting data by keeping consumer data out of the hands of criminals.
- Avoiding data misuse by making it harder for criminals to exploit consumer data.
- Assisting victims by making it easier for them to detect and recover from identity theft.
- Deterring future cases of identity theft by increasing prosecution and punishment of perpetrators.
The Task Force made a total of 31 recommendations in these four areas. Much of this work has been completed; some is still ongoing.
Some of the Task Force member agency initiatives are working to reduce the unnecessary collection and use of Social Security numbers (SSNs). The Social Security Administration is restricting release of SSNs and Freedom of Information Act-related correspondence on identification cards, internal records, etc.
There is no silver bullet to end the identity theft problem. The more aggressive proactive efforts become, the more creative perpetrators become. Any effective solution will require federal, state and local governments to work in conjunction with the private sector and consumers to form a united front.
The battle is a shared responsibility. Consumers, businesses and other organizations that collect consumer data; information technology and software providers that supply anti-fraud solutions; and federal, state and local governments are all impacted by identity theft and have roles to play in the fight against it. Will you do your part?
Mr. Walton is the Associate Dean of Student Services for
1. United States Department of Justice. Identity Theft and Fraud. Available at: www.usdoj.gov/criminal/fraud/websites/idtheft.html (Accessed Dec 2008).
2. Collins, J., Investigating Identity Theft: A Guide for Businesses, Law Enforcement, and Victims, 2006.