Identity Theft: Its Causes and Solutions

This page addresses identity theft policy issues.  If you are a victim of identity theft, this page may be useful to you, but you should first focus on the resources authored by the Privacy Rights Clearinghouse.  Victims should make themselves familiar with Privacy Rights Clearinghouse Fact Sheet 17, and other resources on the organization's page.  EPIC is not affiliated with the Privacy Rights Clearinghouse.

Introduction -- What is identity theft?

Often referred to as the fastest growing crime, identity theft is the appropriation of another's personal information in order to commit fraud, or to masquerade as another person. 

Almost all identity theft involves at least three persons:

There are many different types of identity theft that have been labeled by advocates.  They include, in order of severity to the consumer:

One must remember that there will always be financial fraud, and that no payment system is perfect.  However, when it comes to identity theft, the financial services industry must bear some of the blame for the crime.  The credit granting system and electronic payment mechanisms are designed in such a way that committing fraud is easy.  A key thesis of EPIC's thinking on identity theft is that the credit industry causes the crime by adopting practices that favor convenience over security.  Steps could be taken to reduce the incidence of identity theft dramatically, such as requiring credit issuers to more carefully check applications for new accounts. 

It's not that credit card companies and banks want to cause harm, it's that tolerating some identity theft results in more profits for the companies.  Turning away a legitimate customer in the interest of caution may result in lost sales.  And, sometimes victims pay debts that impostors charge on their accounts.  Also, in many cases, merchants swallow the costs of identity theft.  Some have alleged that in these cases, credit card companies and banks profit from the crime. 

In a 2003 survey of more than 4,000 Americans, the Federal Trade Commission found that in the previous year, identity theft cost victims $5 billion in out-of-pocket expenses, as well as 300 million hours of their time trying to fix damage caused by the crime.  The FTC survey showed that in all, 27.3 million Americans were affected by identity theft in the previous five years.

The FTC found that 49 percent of all the 4057 respondents did not have any idea whatsoever how their identity came to be purloined, while 22 percent cited theft and another 12 percent claimed the information was stolen in the course of a transaction.  Businesses incurred $48 billion in loss as a result of identity theft.

How Identity Theft Occurs

Identity theft is so easy to commit that even unsophisticated criminals can steal your identity.

First, personal information is acquired.

Then the personal information is used to apply for credit. The impostor will use the Social Security Number, mother's maiden name, date of birth, and current address on an application at a retail store.  The clerk checks this information against a file at a consumer reporting agency, like Equifax, Trans Union, or Experian.  This information is known as a "credit header"; it is the personal information at the top of a credit report.  The credit header consists of the name, date of birth, Social Security number, current and previous address, phone number, employment information, and spouse's name.  If the information from the application matches the credit header (or even if it doesn't—read below), the clerk typically will issue an account to the impostor in the victim's name.

Understanding the Causes of Identity Theft

Creditors Use a Flawed, Circular System to Identify and Authenticate Individuals

The core problem in identity theft is that a business cannot discern the difference between the impostor and the victim.  This problem has its roots in the credit granting process--the same information that is used to identify the credit applicant is used to "authenticate" her. 

Identification is the process of placing a label on an individual ("I am John Doe").  Authentication is the process of verifying the label, that is, proving that one is who she claims to be ("This document proves that I am John Doe").  Many different things can be used for authentication.  For instance, a password can be used to verify that one is authorized to use a computer account.  Tokens are also used for identification.  For instance, a bus token can prove that one has authority to ride the bus.

But creditors don't use sound authentication methods.  They use your personal information as a password—the same personal information you use to identify yourself.  It is the equivalent of this exchange:

Creditor: Who are you?
John Doe's Impostor: I am John Doe.  My SSN is 111-11-1111.
Creditor: Thank you, Mr. Doe.  I need to check whether you have adequate credit with the consumer reporting agency.
Consumer reporting agency: There exists a John Doe with the SSN 111-11-1111.  Here is his credit report.
Creditor: Thanks, Mr. Doe.  Here's a new credit card.
John Doe's Impostor: Thanks!  I'll take that Rolex while I'm here.  See ya.

If you are reading this and are thinking to yourself that this doesn't make any sense, you get it.  It doesn't.  But it is the system that creditors use.

The Social Security Number

Reliance on the Social Security number (SSN) causes identity theft.  As explained above, the SSN is used both to identify and to authenticate individuals.

But many other problems exist with the SSN.  Unlike credit card numbers, the SSN contains no "checksum," a mathematical formula to verify integrity.  Credit card numbers are generated using a mathematical formula that allows an individual to tell whether the number is authentic.  SSNs are issued in numerical order, and have no internal structure that allows easy verification.  Practically, this means that it is very easy to simply make up a fake SSN, and there is a high probability that a manufactured SSN belongs to a real person.  This means that if someone applies for credit and simply guesses an SSN, the account may be attributed to a total stranger.
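The contrast described above, as an added example that is not part of EPIC's page: the checksum used on payment card numbers is the Luhn algorithm (the page does not name it), and the code measures how many single-digit alterations each kind of number can detect. The function names are hypothetical, `79927398713` is a constructed sample value that passes the Luhn check, and `111111111` is the page's own placeholder SSN; the SSN check tests only for nine digits because the page describes no further structure.

```python
from typing import Callable, Tuple


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    cleaned = number.replace(" ", "").replace("-", "")
    if len(cleaned) < 2 or not cleaned.isdigit():
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit.
    for i, ch in enumerate(reversed(cleaned)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the product
        total += d
    return total % 10 == 0


def ssn_wellformed(number: str) -> bool:
    """The only test available for an SSN: is it nine digits?"""
    cleaned = number.replace("-", "")
    return len(cleaned) == 9 and cleaned.isdigit()


def corruptions_caught(digits: str, check: Callable[[str], bool]) -> Tuple[int, int]:
    """Alter each digit to every other value; count alterations the check rejects."""
    caught = total = 0
    for pos, original in enumerate(digits):
        for repl in "0123456789":
            if repl == original:
                continue
            total += 1
            altered = digits[:pos] + repl + digits[pos + 1:]
            if not check(altered):
                caught += 1
    return caught, total


if __name__ == "__main__":
    card_sample = "79927398713"  # constructed sample, not a real account
    ssn_sample = "111111111"     # placeholder SSN used in the page's dialogue
    print("card:", corruptions_caught(card_sample, luhn_valid))
    print("ssn: ", corruptions_caught(ssn_sample, ssn_wellformed))
```

Every single-digit change to the card sample is rejected, while no change to the SSN can be, which is why a mistyped or invented SSN is indistinguishable from an issued one at the point of application.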

The SSN is also widely available in public records, mostly at the county level, where property deeds are filed.  Because they are in public records, SSNs are available to almost anyone. 

Lax Credit Granting Practices

Credit granting practices are so lax that new accounts are regularly issued to pets and toddlers.  Take the case of "Clifford J. Dawg."  Clifford J. Dawg was issued a Chase Manhattan Platinum Visa Card with a $1,500 credit limit.  The problem is that Mr. Dawg is a dog, a four-legged domestic animal that lacks the ability to pay credit card bills or even enter into a credit contract.

In this instance, the owner of the dog had signed up for a free e-mail account in his pet's name and later received a pre-approved offer of credit for "Clifford J. Dawg." The owner found this humorous and responded to the pre-approved offer, listing nine zeros for the dog's Social Security number, the "Pupperoni Factory" as employer, and "Pugsy Malone" as the mother's maiden name. The owner also wrote on the approval: "You are sending an application to a dog! Ha ha ha." The card arrived three weeks later.

Mr. Dawg's owner contacted the issuing bank to cancel the card. According to the owner, the issuing bank explained that Mr. Dawg's name had been acquired from a marketing list. The issuing bank's representative joked that the incident could be used as a commercial with the slogan "Dogs don't chase us, we chase them."

How does this happen?  How can dogs (Clifford J. Dawg isn't the only one—Monty, a Shih-Tzu was extended a $24,600 credit line), other pets, and toddlers get credit cards?  The problem lies in lax credit granting practices.  Creditors want to establish new accounts in order to make a sale.  In the rush to issue a new account, errors can be made, and fraudsters can scam the system.

Insufficient Regulation of Access to Credit Reports

Under the Fair Credit Reporting Act (FCRA), credit reporting agencies only are required to "maintain reasonable procedures designed" to prevent unauthorized release of consumer information.  In practice, this means that credit reporting agencies must take some action to ensure that individuals with access to credit information use it only for permissible purposes enumerated in the Act. The Federal Trade Commission Commentary on the FCRA specifies that this standard can be met in some circumstances with a blanket certification from credit issuers that they will use reports legally.

This certification standard is too weak. It allows a vast network of companies (and their employees) to gain access to credit reports with little oversight. It treats credit issuers and other users of credit reports as trusted insiders, and their use of credit reports and ultimate extension of credit as legitimate. The problem is that insiders can pose a serious risk to security of personal information. For instance, in a high-profile case, criminals relied upon the relationship between Ford Motor Credit Company and credit reporting agency Experian to steal credit reports for identity theft purposes. The criminals used passwords for terminals that gave Ford access to the Experian database. To create this relationship as a trusted user of the credit system, Ford Motor Credit Company would have had to certify that it only obtained and used credit reports for permissible purposes. Despite this certification standard, the criminals were still able to order 30,000 reports using Ford's account before they were caught. Since this fraud occurred over a three-year period, it suggests that a mere certification does not include monitoring or auditing of access to the credit database.

Competition in the Credit Markets

Competition to gain customers also exacerbates identity theft.  In order to gain new customers, credit grantors have flooded the market with "pre-screened" credit offers, pre-approved solicitations of credit made to individuals who meet certain criteria.  These offers are sent in the mail, giving thieves the opportunity to intercept them and accept credit in the victim's name.  Once credit is granted, the thief changes the address on the account in order to obtain the physical card and to prevent the victim from learning of the fraud.  The industry sends out billions of these pre-screened offers a year.  In 1998, it was reported that 3.4 billion were sent.  By 2003, the number increased to an estimated 5 billion.

Competition also drives grantors to quickly extend credit.  Once a consumer (or impostor) expresses acceptance of a credit offer, issuers approve the transaction with great speed.  Experian, one of the "big three" credit reporting agencies, performs this task in a "magic two seconds."  In a scenario published in an Experian white paper on "Customer Data Integration," an individual receives a line of credit in two seconds after only supplying his name and address.  Such a quick response heightens the damage to business and victims alike, because thieves will generally make many applications for new credit in hopes that a fraction of them will be granted.

The Architecture of Vulnerability

Professor Dan Solove argues in Identity Theft, Privacy, and the Architecture of Vulnerability, that "many modern privacy problems are systemic in nature. They are the product of information flows…"  Identity theft is such a problem, as the availability of personal data under current information architectures makes it simple for impostors to obtain the identifiers needed to apply for credit.  Solove explains that information policy makes people vulnerable to fraud.  The current policy is similar to being rented a home that lacks door locks.

Solove argues that to address these "problems that are architectural, the solutions should also be architectural."   By creating an architecture that secures personal information and by establishing rights for individuals and responsibilities on data collectors, we can reduce the risk of misuse of personal information.

Credit Cards are Designed for Convenience, Not Security

From a technical standpoint, credit cards are not a secure form of payment.  In the credit card system, the same number is used time and time again to charge an account.  The number is disclosed to hundreds of people, some of whom cannot be observed by the consumer or card issuer. 

Credit cards are a good form of payment because under the law, consumers' liability is limited to $50, and all of the major issuers have waived that charge.  Card issuers manage risk by monitoring charges carefully, looking for patterns of fraud.  A lot of fraud could be reduced on the front end if issuers built better security into the cards, which could be done by adding a password or PIN to the account, by creating smarter cards that do not "swipe" until a password is keyed onto the card, or by creating cards that generate random numbers rather than employing the same number over and over again.

But the prospects for greater credit card security are bleak, because card companies are trying to make payments even faster, despite security risks.  In 2006, major issuers plan to implement charge mechanisms that operate on RFID--technology that transmits identifiers via radio frequencies.  These RFID devices can be embedded in money clips or jewelry, allowing the customer to wave the device near a reader to initiate a charge.  These devices will be susceptible to new attacks by fraudsters who can cause the payment method to transmit without the customer's knowledge.

Approaches to Curbing Identity Theft

Several approaches have been discussed and considered by both the federal and state governments in an attempt to curb the growing problem of identity theft.  Addressing fraud is difficult, and no single approach can offer a perfect solution to the problem.  

The US government has taken a reactive approach to identity theft.  US law addresses identity theft largely by creating remedial measures and heightened penalties.  These remedial measures (such as the "fraud alert") help consumers but do not prevent the crime.  Similarly, heightened criminal penalties have been ineffective as well, because impostors are so rarely caught.  We need to implement policies that will prevent identity theft.

Credit Freeze

It is critical to understand that before each identity theft incident, a business is tricked by an impostor into pulling a credit report on the victim.  Therefore, if one can stop dissemination of the credit report, identity thieves will be thwarted.  Knowing this, state legislators have started to pass laws that place a "freeze" on credit reports so that they cannot be released unless certain conditions are met. 

Notice of Credit Report Pull

In a typical identity theft situation, an impostor may make many attempts to apply for credit.  Each one of these attempts will result in a credit report being requested from a consumer reporting agency.  Although not as good as a credit freeze, if individuals had a system that alerted them to this activity, they could reduce the severity and the cost of identity theft.

Technology

There is tremendous opportunity to limit identity theft through technology.  For instance, a significant percentage of credit card fraud would be thwarted if credit cards were designed so that they wouldn't work without a password.  Credit card fraud would also be less likely if websites did not store credit card numbers (thus creating a honey pot for computer crackers). 

Biometrics is Not the Solution

Many in the financial services industry try to address the privacy problems of identity theft by requiring more and more personal information. Many are now deploying biometric systems, tools that authorize charges based on some characteristic of the body. These systems offer little added convenience, and raise serious privacy and security risks. For instance, the fingerprint or other biometric that you give to a retailer can be handed over to police without a warrant or subpoena.

Many of the promises that advocates of biometrics make regarding their privacy and reliability are demonstrably falsifiable. For instance, a group of Japanese scientists conducted a study in which they were able to deceive fingerprint scanners with an astonishing success rate by using a mold made from a material similar to that which makes up "gummy bears." The experiment, which tested 11 different types of fingerprint systems, found that all of the fingerprint systems accepted the gummy finger in their verification procedure more than 67% of the time. In a November 2002 article in Heise Magazine, an entire array of biometric authentication systems was fooled using simple methods. In addition to claims of reliability, biometrics vendors claim that privacy is protected because fingerprints are stored in a "template," and thus the retailer does not have the customer's actual print. But researchers have demonstrated that prints can be reverse-generated through analysis of templates.

One should carefully consider risks of biometric payment systems. After all, if you lose your PIN or credit card, you can always be issued a new one. What do you do when someone is able to steal your fingerprint?

Last Updated: August 4, 2008
Page URL: http://www.epic.org/privacy/idtheft/default.html