Center for Problem-Oriented Policing

Identity Theft

Guide No. 25 (2004)

by Graeme R. Newman

The Problem of Identity Theft

This guide addresses identity theft, describing the problem and reviewing factors that increase the risks of it. It then identifies a series of questions to help you analyze your local problem. Finally, it reviews responses to the problem, and what is known about them from evaluative research and police practice.

† The term identity fraud is sometimes used to include the whole range of identity theft related crimes (Economic Crime Institute 2003).

Identity theft is a new crime, facilitated through established, underlying crimes such as forgery, counterfeiting, check and credit card fraud, computer fraud, impersonation, pickpocketing, and even terrorism. It became a federal crime in the United States in 1998, with the passage of the Identity Theft Assumption and Deterrence Act.1 This act identifies offenders as anyone who

…knowingly transfers or uses, without lawful authority, any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.

A significant feature of identity theft is the offender’s repeated victimization of a single person. This may include repeatedly using a stolen credit card, taking over a card account, or using stolen personal information to open new accounts.

† A victimization survey conducted by the Federal Trade Commission (FTC) found that 16 percent of victims whose credit cards were misused said the people responsible had also tried to “take over” the accounts by doing such things as changing the billing address or adding themselves to the card as an authorized user (Federal Trade Commission 2003a).[Full Text]

Congressional hearings on identity theft in the 1990s revealed that police generally did not regard those whose identities had been stolen as the true victims, since the credit card companies took the financial loss. In addition, the companies typically did not report their losses to local police (or to anyone else, for that matter). Studies also showed that victims rarely reported the loss or theft of a card to the police, since they believed that the card company would cover the loss. However, because the repeated use of a victim’s identity caused serious disruption and emotional damage, more victims began to report the offense.

It is likely that your initial exposure to identity theft will be the request of a victim for a police report about the incident. Credit-reporting agencies now require that victims do so as part of the an “identity theft affidavit.” that the victim submit a police report. Until recently, victims had a hard time getting such reports from the police. However, in response to growing media coverage and congressional testimony concerning identity theft, the International Association of Chiefs of Police (IACP) adopted a resolution in 2000 urging all police departments to provide incident reports and other assistance to identity theft victims. It is also possible that people you have stopped or questioned have given you a fake ID—or a legitimate ID acquired with a false or forged document.

† WHEREAS, reports of identity theft to local law enforcement agencies are often handled with the response ‘please contact your credit card company,’ and often no official report is created or maintained, causing great difficulty in accounting for and tracing these crimes, and leaving the public with the impression their local police department does not care…. RESOLVED, that the International Association of Chiefs of Police calls upon all law enforcement agencies in the United States to take more positive actions in recording all incidents of identity theft and referring the victims to the Federal Trade Commission…” (International Association of Chiefs of Police 2000).

It is difficult, though not impossible, for local police to influence some important factors that contribute to identity theft. These concern

  • the ways that businesses and government agencies manage clients’ personal information (for example, the procedures your motor vehicle department uses to authenticate driver’s license applications); and
  • the policies and practices of financial institutions in dealing with fraud (for example, the ease with which they provide applicants with credit cards and convenience checks).

That said, this guide will help you determine what you can do to prevent identity theft and help victims in your jurisdiction.

Related Problems

The following problems are closely related to identity theft, but not specifically addressed in this guide:

  • Financial crimes against the elderly.

    † See the POP Guide on Financial Crimes Against the Elderly.

  • Various telemarketing and Internet scams.2
  • Theft of autos and auto parts aided by fraudulent documentation. As the effectiveness of car security has increased in recent years, making cars more difficult to steal, offenders have exploited weaknesses in documentation systems that link cars to their owners, including registration and owner’s certificates, license plates, and vehicle identification numbers.3
  • Thefts from autos. Offenders commonly target wallets and purses, and dispose of their contents for profit.
  • Burglary. Burglaries of residences or businesses may reward offenders with a wide range of personal and business records that can be converted into loans or bank accounts, or provide access to existing accounts.
  • Pickpocketing. Even if there is no credit card in a wallet, or even if the victim notifies the credit card issuer that a card has been stolen, the offender can use the victim’s driver’s license or other personal information to obtain a new card, or even establish credit with banks. Health insurance cards commonly list the holder’s social security number as an identifier.
  • Street robbery. Personal information and credit cards are an important target of muggers, who may sell such information and cards on the street.
  • Counterfeiting and forgery. Offenders use the latest technologies to reproduce credit cards, checks, driver’s licenses, passports, and other means of identification.
  • Trafficking in human beings. Studies have found that stolen identities and false documentation are essential to successful international trafficking in prostitution and other illegal labor markets.4
  • Check and card fraud. This is complex but very easy to commit once an offender has a victim's checks or credit cards. Retailers give only cursory attention to card users' identity (the signature), and on the Internet or telephone, there is no easy way to authenticate the user.

    † See the POP Guide on Check and Card Fraud.

Harms Caused by Identity Theft

  • The FTC states that nearly 5 percent of respondents to its 2003 survey reported that they had been victims of identity theft in the past year.5 This amounts to almost 15 million victims a year in the United States.
  • The FTC reports that identity theft is the major subject of consumer complaints it receives—42 percent of all those received in 2003. Such complaints numbered 214,905, up 33 percent from the previous year, although the FTC does not believe this is a true measure of the increase in identity theft.6
  • Identity theft victims experience long-term and well-documented pain and suffering,7 such as harassment from debt collectors, banking problems, loan rejection, utility cutoffs, and even arrest for the identity thief’s other crimes. In fact, since federal and state laws often protect victims against financial loss resulting from identity theft, it is the disruption of their lives and the psychological damage suffered that are probably the worst aspects of their victimization. Victims spend, on average, 600 hours trying to clear damaged credit or even criminal records caused by the thief.8
  • People fear having their identities stolen. In a recent poll, only one fear topped respondents’ fear of having personal data stolen: that of another attack like the one on the World Trade Center.9
  • The financial losses to consumers and businesses are enormous. The U.S. Secret Service estimated in 1997 that of the 9,455 cases investigated, consumers lost more than $745 million due to identity theft.10 The 2003 FTC survey found that the total annual cost of identity theft to its victims was about $5 billion. Businesses, including financial institutions, lost another $47 billion in identity theft-related costs.11
  • The cost to law enforcement ranges from $15,000 to $25,000 to investigate each case.12

Sources of Identity Theft Data

Data sources vary in quality and often provide conflicting or different estimates, especially concerning the extent and cost of identity theft. A recent problem is the tendency of businesses to exaggerate the threat of identity theft to sell products tailored to prevent it, such as insurance or software. Several sources supply data on identity theft:

  • Government sources. The FTC was assigned the responsibility of collecting data as a result of the Identity Theft Act of 1998. Other data sources include the U.S. General Accounting Office, Social Security Administration, Postal Service, Department of Homeland Security, FBI, Secret Service, Sentencing Commission, and congressional hearings on identity theft and fraud.
  • Popular and trade media reports. These provide mostly anecdotal information and reinterpret reports from government sources.
  • Credit reporting agencies.

The FTC’s 2003 victimization survey provides the most reliable information to date.13

Factors Contributing to Identity Theft

Understanding the factors that contribute to your problem will help you frame your own local analysis questions, determine good effectiveness measures, recognize key intervention points, and select appropriate responses. There are few scientific studies on identity theft victims, offenders, or incidents, though there are studies on some identity theft-related crimes such as check and credit card fraud.

† See the POP Guide on Check and Card Fraud.

Regarding victims, the most important findings concern the time taken to discover the theft:

  • The longer it takes to discover the theft, the greater the victim’s loss and suffering.14
  • Low-income, less-educated victims take longer to discover or report the crime, resulting in greater suffering, especially from harassment by debt collectors, utility cutoffs, and banking problems.15

Victim characteristics are probably not related to identity theft vulnerability, though more research is needed in this area. The average age of victims is 42. They most often live in a large metropolitan area, and typically don’t notice the crime for 14 months. Evidence suggests that seniors are less victimized by identity theft than the rest of the population, though they can be targeted in specific financial scams that may or may not involve identity theft. African Americans may suffer more from non-credit card identity theft, especially theft of telephone and other utility services, and check fraud.16

† See the POP Guide on Financial Crimes Against the Elderly.

Regarding offenders, data from the above sources suggest they are attracted to identity theft for two important reasons:

  • It is easy to commit because of the ready availability of personal information on the Internet, or contained in business files accessible to dishonest employees or burglars. Many people are not vigilant in protecting their personal information, and businesses are rarely held accountable for customer information accessed by those unauthorized to do so. Opportunities are legion. There are even websites that offer guides on how to create alternative IDs and to access other people’s personal identifying information.

    † You can find out anyone’s social security number for a small fee. Just visit http://www.docusearch.com/, or check out Undercover Press at http://www.aaffordable.com/best-sellers.html, which promotes itself as the “no questions asked source for Birth certificates, social security cards, city ID's, press cards, Diplomas, credentials of almost any kind including badges and police ID’s.”

  • Victims don’t typically discover the crime until some time after it has occurred—in some cases, years. If a retailer has lax security, and an offender gets away with using a stolen credit card, the legitimate cardholder may not realize it until receiving the next card statement.

Familiarity between victim and offender provides opportunities for identity theft because of the availability of personal information among relatives, coworkers, and others. According to the 1999–2001 FTC complaint files (see figure below), close to 11 percent of the complainants knew the offender. The FTC’s 2003 survey found that 86 percent of victims had no relationship with the thief.17 However, other sources claim closer to 60 percent of victims knew or had some information about the offender.18

Offenders’ opportunities to commit identity theft may be classified under two broad categories: place and guardianship.The trouble is that committed offenders know very well where to find personal information, and the guardianship is not too effective.

Place

Offenders can generally find people’s personal information in three places:

  • in wallets or purses;
  • in homes, cars, or other designated “safe” places (e.g., a safe deposit box, gym locker, office drawer); and
  • at businesses or institutions that maintain customer, employee, patient, or student records.

These all can offer opportunities to thieves, depending on how well they are protected.

Guardianship

Personal Guardianship

People are generally casual about protecting their personal information, even though they indicate in opinion polls that they are very concerned about doing so.19

  • People carry personal information on them, which offenders may obtain via pickpocketing, mugging, or, if it is lost, simply finding it. People also leave personal information in cars or other places where experienced thieves know to look.
  • Burglars can get information from victims’ homes, and “Internet burglars,” or hackers, can obtain personal identifying data from people’s home computers.
  • People’s trash can serve as another source of information. People often throw away credit card statements, bank statements, and other documents containing personal information. Offenders may go through people’s trash looking for such information.

    † In a study of 400 households in Nottingham, England, 40 percent of trashcans contained documents listing full credit and debit card numbers, as well as names, addresses, and expiration dates (Davis 2002).

  • People routinely give out personal information during business transactions, such as in shops and restaurants. Businesses that fail to use modern technology to protect customers’ personal information create abundant opportunities for dishonest employees to steal customers’ identities.

Agency Guardianship

There is an enormous amount of personal information available, and it is incredibly easy to obtain. Government agencies and businesses keep computerized records of their clients. They may sell or freely provide that information to other organizations. Often, all that is needed is one form of identification, such as a driver’s license, and an offender can obtain the victim’s mother’s maiden name, social security number, etc. Many identity theft crimes are committed by employees of organizations that maintain client databases. For example, a widely publicized Detroit case involved an identity theft ring in which employees of a major credit card company stole customer information.20 Procedures for authenticating individual identities are often inadequate. Establishing a given person’s “true identity” is a complex task. It requires the careful assessment of

  • the person’s biological identity (physical features, DNA, fingerprints, etc.);
  • the person’s historical identity (date of birth, marriage, etc.); and
  • the link between those identities.21

† U.S. residents do not own personal information contained in agency databases, so they have little control over how that information is used. Recent “opt-out” laws allow people to prevent their information from being provided to others, but these laws are not widely publicized.

†† Social security numbers are not so secure. A recent study estimated that 4.2 million people have managed to acquire alternative numbers (Finch 2003) [Full Text]

Many agencies and businesses make only a cursory attempt—if any—to assess these.


How Offenders Steal Identities

The notoriety of identity theft rose with media coverage of the dangers of buying and selling on the Internet. However, the ways offenders steal identities are decidedly low-tech. Computer hackers aren’t necessarily geniuses; sometimes they simply obtain a password by trickery or from a dishonest insider. Some methods are more popular than others, as is clear from Figure 1, which is based on data collected by the FTC and reported by the General Accounting Office. In general, these data indicate that offenders make the most of the easiest available opportunities:

† Available data indicate that Internet-related identity theft constitutes a small proportion of all identity theft, probably less than 20 percent. However, there are many definitional problems here. For example, just one act of hacking into a database may reap thousands of credit card numbers and other personal data. These are then used to commit thousands of identity thefts offline. So it is wise to reserve judgment on this issue for now.

  • They steal wallets or purses from shopping bags, from cars, or by pickpocketing.
  • They steal mail, by several means. They may simply take it from insecure mailboxes, submit a false change-of-address form to the post office to direct someone’s mail to themselves, or collude with a postal employee to steal mail that contains personal information. Mail that is useful to offenders includes preapproved credit card applications, energy or telephone bills, bank or credit card statements, and convenience checks.
  • They rummage through residential trashcans or through business dumpsters (“dumpster diving”).
  • They obtain people’s credit reports by posing as someone who is legally permitted to do so, such as a landlord or employer.
  • They collude with or bribe employees of businesses, government agencies, or service organizations, such as hospitals and HMOs, to obtain personnel or client records, or if they are employees, they access the information themselves.
  • They break into homes to find personal information on paper or on personal computers.
  • They hack into corporate computers and steal customer and employee databases, then sell them on the black market or extort money from the database owners for their return.
  • They call credit card issuers and change the billing address for an account. The offender immediately runs up charges on the account, knowing that the victim will not receive the bill for some time, if ever.
  • They buy identities on the street for the going rate (about $25), or buy credit cards that may be either counterfeit or stolen.
  • They buy counterfeit documents such as birth certificates, visas, or passports. In 2001, the U.S. Immigration and Naturalization Service intercepted over 100,000 fraudulent passports, visas, alien registration cards, and entry permits.
  • They buy false or counterfeit IDs on the Internet for as little as $50.
  • They counterfeit checks and credit or debit cards, using another person’s name. All the technology for reproducing plastic cards, including their holograms and magnetic strips, can be bought on the Internet.
  • They steal PINS and user IDs, using software available on the Internet; trick Internet users into giving their passwords and other personal information; or watch users punch in their PINs on telephones or at ATMs.
  • They use a single stolen ID to obtain legitimate IDs they can use for a wide variety of additional frauds.
  • They gain entry into ID-issuing agencies, such as motor vehicle departments, by using bribery or extortion, or posing as employees.

How Offenders Use Stolen Identities

Offenders use victims’ personal information in countless ways. Some of the most common examples follow:

  • They open a new credit card account using the victim’s name. All this requires, apart from the applicant’s address, is usually a few pieces of information: the victim’s mother’s maiden name, the victim’s birth date, and, sometimes, the victim’s social security number.
  • They open a landline or cell phone account in the victim’s name.
  • They open a bank account in the victim’s name. They often open multiple accounts in multiple places, and write bad checks on each.
  • They file for bankruptcy under the victim’s name, to avoid paying their own debts or to avoid eviction.
  • They steal the victim’s identity, take over his or her insurance policies, and make false claims for “pain and suffering” suffered from auto accidents.22
  • They take out auto loans or mortgages under the victim’s name and residence.
  • They submit fraudulent tax returns using the victim’s identity, and collect the refunds.
  • They submit applications for social security using others’ identities (often those of people who have died), and receive social security payments.

Types of Identity Theft

Classifying identity theft into types is difficult, as it involves a wide variety of crimes and related problems. However, the acknowledged motives for identity theft can be used to construct a simple typology. Research indicates that the two dominant motives for identity theft are financial gain and concealment (either of true identity or of a crime). These motives are mediated by the offenders’ level of commitment to the task and the extent to which offenders are simply opportunists taking advantage of the moment.

† The FTC survey reported that 15 percent of ID theft victims in the past five years had their personal information misused in nonfinancial ways. The most common such misuse was for the offender to give the victim’s name and identifying information when stopped by law enforcement or charged with a crime (Federal Trade Commission 2003a).[Full Text]

Professionals who seek out targets and create their own opportunities—usually in gangs—have a high level of commitment. A lot of planning and organization is involved. Some lone offenders also display considerable commitment and planning, especially in regard to concealing personal history. Offenders with low commitment take advantage of opportunities in which ID theft appears to solve an immediate problem; thus their identity thefts are “opportunistic.”

As seen in Table 1, there are four types of identity theft, based on the combinations of commitment and motive. Of course, any single case could reflect aspects of more than one type.

 

Financial gain

Concealment

High commitment (lots of planning)

Organized. A fraud ring systematically steals personal information and uses it to generate bank accounts, obtain credit cards, etc. (See box below.)

Individual. The offender sets up a look-alike Internet website for a major company; spams consumers, luring them to the site by saying their account information is needed to clear up a serious problem; steals the personal/financial information the consumer provides; and uses it to commit identity theft.

Organized. Terrorists obtain false visas and passports to avoid being traced after committing terrorist acts.

† An Algerian national facing U.S. charges of identity theft allegedly stole the identities of 21members of a Cambridge, Mass., health club and transferred the identities to one of the people convicted in the failed 1999 plot to bomb Los Angeles International Airport (Willox 2002). [Full Text]

Individual. The offender assumes another’s name to cover up past crimes and avoid capture over many years.

Opportunistic (low commitment)

An apartment manager uses personal information from rental applications to open credit card accounts.

The offender uses another’s name and ID when stopped or arrested by police.

Table 1 The Four Types of Identity Theft

High Commitment, for Financial Gain

Organized. In this type of identity theft, a group or gang carefully plans and orchestrates the crimes. Indeed, while it is widely believed that committing identity theft is easy because of the numerous opportunities described above, carrying out a truly successful identity theft requires considerable organization and preparation:

  • searching for an easy target,
  • locating sources of personal information for that target,
  • obtaining the necessary documents (legal or counterfeit) to establish legitimacy,
  • choosing how to use the identity to obtain money,
  • convincing officials that one is the person named in identity documents, and
  • anticipating how long one can exploit the identity before the victim discovers the losses.

Research has shown that organized criminal gangs in Southeast Asia manufacture plastic cards using stolen identities. These are then marketed on the street in large U.S. and European cities. Street fraudsters tend to specialize in particular types of card fraud. They use highly sophisticated techniques to avoid detection either when using the card in a retail store or when converting purchased goods into cash. They tend to work in small gangs, deal in high volume, and operate in high-population areas, usually 50 miles or more away from where they live.

A Classic Case of Organized Identity Theft for Financial Gain

Jane Sprayberry handed over her driver’s license to an American Express customer service representative who had asked for it in order to replace Jane’s lost credit card. True to the Amex promise, she received the replacement card without delay. The only trouble was that the recipient was not the real Jane Sprayberry. The driver’s license had her name on it, but the photograph was not of her. In no time, the imposter ran up a big bill on high-priced jewelry, clothing, and appliances. Just a week before, Jane’s husband’s bank account had been emptied and his credit card cloned. A coincidence? Not at all. A ring of fraudsters in Detroit had gotten jobs at large businesses and had collected reams of personal information: personnel records, credit records, old rental-car agreements. Those offenders who were eventually caught had bags and books full of such records—records they had used over several years. They had run up an average of $18,000 in credit card charges per victim. And they had sold identities on the street for around $25 each. It took the real Jane Sprayberry and her husband more than six months to clean up the mess.23

Individual. Individuals may become strongly committed to the crime once they discover, after casually using someone’s identity, how easy it is to get away with doing so. For example, someone with a drug habit may regularly buy stolen credit cards on the street (stolen cards are cheaper if others have used them), to raise money to buy drugs.

Opportunistic, for Financial Gain

The second type of identity theft occurs when the offender takes advantage of the access he or she has to the personal information of friends, family, or others. Examples include the following:

  • A college student uses his or her roommate’s personal information to apply for a preapproved credit card, which comes in the mail to which they both have access.
  • A restaurant worker processes a customer’s credit card payment and notices that the complete card number is printed out on the receipt, along with the expiration date. The worker copies the information and later makes several large purchases over the Internet, where he or she does not need to show the card or verify his or her identity.

High Commitment, for Concealment

Organized. Terrorism is the most recently cited instance of organized groups’ stealing identities to conceal illegal activities, and to make tracking their true identities much more difficult after they’ve committed crimes. Authorities claim that all 19 of the September 11 terrorists were involved in identity theft in some way.24 This resulted in the mistaken arrest of people whose identities had been stolen.

Individual. Covering up past crimes is a major reason for individuals to steal or assume another’s identity. Kathleen Soliah, wanted for various bombings and attempted murder in relation to her activities in the Symbionese Liberation Front in the late 1960s, assumed the identity of Sara Jones Olson (a common Scandinavian surname in Minnesota). She evaded capture for 23 years, and in the meantime became a doctor’s wife, mother of three, community volunteer, veteran of charity work in Africa, and practicing Methodist living in an upscale neighborhood in St. Paul, Minn.

Text Box: http://www.ariza-research.com/new-id/

Sources on the web make it easy for people to hide their identities.

Opportunistic, for Concealment

The most common type of opportunistic identity theft for concealment occurs when an offender gives the name of an acquaintance, friend, or family member when stopped, questioned, or arrested by police. Examples include the following:

  • Jefferey Williams was jailed for 10 days without bail on a warrant for drug possession and resisting arrest. The Orange County ( Fla.) Sheriff’s Department had issued the warrant in Orlando. Williams insisted that he was not the person the police were looking for. The trouble was that Florida authorities were seeking a relative of Williams who had passed himself off as Jefferey, giving Jefferey’s name, birth date, and old home address.25
  • Lisa Sims (alias Elisa McNabney) assumed the name of her cellmate from a prior prison term to cover up her extensive criminal past and avoid arrest on suspicion of murdering her husband. Investigation revealed that she had multiple social security numbers and other forms of identity.26