New Frontiers in the Identity Theft War

It seems hard to believe that six years ago, pundits were wondering if people would send their credit-card numbers over the Internet. Some said firmer controls were needed before e-commerce could take off. Then someone else made the brilliant observation that sending your credit-card number to Amazon.com via modem is no more or less risky than leaving a carbon copy of your credit card at the local drugstore. Everyone forgot their reservations, and consumers went on to spend tens of billions of dollars online last year.

Still, the phrase “fools rush in” has not lost its meaning. Fraud on the Web may be analogous to fraud in the real world, but it seems to be far easier to defraud individuals of their bank accounts, cell phone accounts and other personal information online. As Hugh Stevenson, associate director of the Division of Planning and Information in the Federal Trade Commission’s Bureau of Consumer Protection, told the U.S. Senate two years ago, “The Commission’s experience is that fraud operators are always among the first to appreciate the potential of a new technology to exploit and deceive consumers.”

In other words, the black hats are outpacing the white hats, at least so far. Analysts are hoping that the ability to gather more information about perpetrators and victims can stem the tide.

Houston, We Have a Problem

Identity theft has been around at least since Rosalind dressed up as a boy in Shakespeare’s “As You Like It.” However, the practice of misappropriating someone’s personal information “with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law,” as the Identity Theft and Assumption Deterrence Act of 1998 characterizes it, is a greater potential problem when information is more easily accessible.

Determining the prevalence of identity theft in cyberspace is a contentious issue, because the FTC, which is charged with serving as a clearinghouse for such information, insists its data is far from definitive. “No one really knows how much identity theft is out there,” the commission’s Claudia Bourne Farrell told the E-Commerce Times. “If you drop your wallet on the street, and the next day someone is using your account at Saks Fifth Avenue, you make the connection. If someone’s using your data online and your cards are still in your wallet, it’s hard to know you’ve been robbed.”

The FTC’s Identity Theft Data Clearinghouse has been gathering data points since the autumn of 1991. Last year, it collected 161,819 individual reports of identity theft, plus an additional 57,000 reports from consumers worried about theft. It also collected about 100,000 reports of general Internet-related fraud. But Farrell said there is no way to determine how much of this theft is occurring online. “Eighty percent of people reporting ID fraud have no idea how the perpetrator got hold of their information,” she noted.

Who Can You Trust?

That lack of concrete data has not stopped some parties from trying to grasp the scope of online identity theft. Last year, Gartner surveys of Web surfers revealed that 5 percent had been the victim of credit-card fraud, while 1 percent said they had been victims of identity theft. In terms of overall e-tail, the dollar value of theft is 1.7 percent, or $1.64 billion lost out of $91 billion in total sales.

However, that figure is too low, according to Gartner vice president Avivah Litan, because many valid transactions are rejected by merchants concerned the purchase may be fraudulent. In fact, a total of 5 percent of transactions are lost each year, swelling the real economic damage of fraud.

Litan told the E-Commerce Times that although credit-card fraud still leads identity theft because of its relative simplicity, this form of crime is experiencing a renaissance online. “It’s the scaling of information — the ability to acquire information on thousands of individuals,” Litan said.

The Net Changes Everything

In fact, an Internet merchant will be quick to tell you that identity theft is qualitatively different online versus offline. For one thing, the online auction marketplace is a new and unique venue for fraud, currently accounting for 50 percent of the FTC’s overall Internet fraud complaints. However, eBay, the largest online auction house, says that though identity theft happens, a distinction must be made.

“Identity theft in the broadest sense doesn’t happen at eBay because the customer’s personal information is behind a firewall,” Kevin Pursglove, senior communications director at the company, told the E-Commerce Times. In other words, eBay is not a conduit to stolen bank and cell phone accounts set up with fake credentials. Nor, said Pursglove, does his company find people bidding with stolen credentials.

What the auction giant does encounter are counterfeit sellers — people who have used some kind of con to wrest personal info from a bidder, then turned around and used that information to set up shop, never intending to deliver the goods. Pursglove claims “less than 1/100th of 1 percent” of listings on eBay have been found to be fraudulent, but he admits perpetrators constantly shift their tactics. “Initially, we were able to recoup charges” through the PayPal system, he explained. “But the [perpetrators] have become more sophisticated, using Western Union,” meaning there is no account from which to recoup stolen funds.

New Venue, Same Crooks

Some say eBay scams and the like are evidence of the bold new world of online cons: A flashy Web site induces surfers to give up account information, or a scammer contacts a seller asking for password data, posing as a system administrator, then uses the information to sell from the account. That squares with what the FTC’s Stevenson told Congress in 2001 — that numerous online frauds begin with innocent-sounding offers of work-at-home employment or other business opportunities. Some of them can lead to identity theft.

Others say that what is happening online is just more of the same. “Don’t look at online identity theft as disconnected from what happens in the real world,” Jim Hurley, vice president of security and privacy at Aberdeen Group, told the E-Commerce Times. He noted that professional ID thieves are highly methodical, and online fraud represents a more efficient process to collect the high-quality accounts that can help a crook land the lowest interest rate with the highest line of credit at a bank. He points not to isolated auctions, but to electronic databases that can be cracked for personal information that may be used both on- and offline.

Gartner’s Litan said much the same, noting that “the appeal of the Internet is how easily you can collect the necessary pieces of information. There are so-called ‘skip-trace’ databases where you can find out anything you want about someone for $35.”

To Catch a Thief

Merchants and law enforcement officials are trying to turn online tools to their advantage. For example, eBay’s Pursglove said that because a fraudster may use a particular seller account for a while, the company can track that person. “There are a number of cases where for one reason or another a pattern of listings of the seller is questionable, and we may freeze the listings from that account,” he added. In some cases, law enforcement officals tracking a perp have urged eBay to let an auction proceed in order to catch a fraudulent seller red-handed.

The FTC testified in April that right now, the most important measure remains working with merchants to seal vulnerable sources of information. Some are skeptical that this will happen, however.

For example, Aberdeen’s Hurley said that in the aftermath of the September 11th attacks, U.S. law enforcement and intelligence agencies have been distracted by more pressing kinds of data collection and investigation, relegating identity theft to a lower priority. “There’s a greater awareness that there’s a problem than there was a few years ago,” he noted, “but I’m not sure there’s really any fortitude to do anything about it.”

In the breach, then, the prevailing mantra might well be: Surfer Beware. Some practical things consumers can do include bookmarking the FTC’s Identity Theft Affidavit. If defrauded, a consumer can use this single form to report the matter to many credit-card issuers and credit unions. Reporting incidents to the major credit-reporting bureaus, such as Equifax, Experian and Trans Union, is the first step the FTC recommends in any fraud case, and the affidavit can be used for that purpose.

Fighting this battle may get tougher before it gets easier, but law enforcement likely will emerge victorious down the road — especially if consumers and companies do their part.