Vulnerabilities / Threats
2/9/2011
12:50 PM
Connect Directly
RSS
E-Mail
50%
50%

Identity Theft Down 28% In 2010

While overall rates are down, incidents involving friendly fraud as well as costs for consumers are on the rise, according to Javelin Strategy & Research.

Top 10 Security Stories Of 2010
(click image for larger view)
Slideshow: Top 10 Security Stories Of 2010

Good news on the ID theft front: The number of identity fraud incidents, after increasing for two years in a row, fell by 28% from 2009 to 2010. As a result, the amount lost to identity fraud in that timeframe decreased from $56 billion to $37 billion.

Those findings come from a survey of the behavior and financial habits of about 5,000 adults in the United States, including 470 who were victims of identity fraud, conducted by market researcher Javelin Strategy & Research.

According to Javelin, about 8.1 million people -- or 3.5% of the U.S. population -- were ID fraud victims in 2010, down from 11 million people in 2009. Interestingly, in 2010, 14% of identity fraud was committed by someone the victim knew.

While the number of ID theft incidents has recently declined, unfortunately they're also becoming more difficult to detect. In part, that's because "new account" fraud, which is more difficult to spot than fraud involving stolen credit cards, now accounts for 46% of the total dollar value of identity fraud, up from 38% in 2009.

"New account fraud on average takes longer to detect and results in higher mean consumer costs than other types of fraud," according to Javelin. As a result, when consumers had to pay out-of-pocket costs, the average bill was $631 -- the highest level seen since 2007.

Still, the typical ID theft victim doesn't have to pay any costs out of pocket. "Because of the zero-liability fraud protection offered by the majority of banks and card issuers, most victims will have to pay out-of-pocket expenses only to cover their time in resolving fraud, not to reimburse fraudulent charges," the study said.

Resolving ID theft can take time. On average, consumers in 2010 spent 33 hours resolving instances of identify fraud, up from 12 hours in 2009. Resolution times now are nearly back to their 2005 mark of 40 hours.

The report notes that in 2010, 7% of U.S. consumers received a notification that their personal information may have been involved in a data breach. Today, 46 states require businesses to disclose when their customers' data has been involved in a data breach. Unfortunately, consumers who receive these notices are four times more likely to become victims of identity fraud.

Javelin said that when it comes to spotting ID theft, proactivity pays. In 35% of identity fraud cases, victims said that their financial institution or credit card provider notified them of the suspected fraud. But according to the report, "the next two most frequent methods for victims to discover fraud were through their own review of either paper or electronic statements."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2003-1598
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

CVE-2011-4624
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

CVE-2012-0811
Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.