Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Ten Myths About Identity Fraud

Think ID fraud is running amok over the Internet? Are online credit card thieves your worst fear? Here's a dose of reality that may change your mind

Identity fraud is running rampant. Between corporate breaches and online exploits against individuals, hackers are stealing identities in record numbers and posting it to the Web from all over the country, right?

Wrong on all counts, according to new studies of the ID fraud space. The reports -- one released yesterday by Javelin Strategy and Research, and one released by ID Analytics a few months ago -- offer data that debunks many of the current myths about identity theft.

If you think you know what's happening in the ID fraud space, take a gander at some of the data offered by these new reports. You may find you don't know as much as you thought you did.

1. There is a higher incidence of ID fraud today than in past years.
Javelin Strategy and Research, which has conducted a mega-study on U.S. identity theft and fraud annually for the past five years, has definitely recognized a trend. But it's downward, not upward.

According to Javelin's 2008 survey, some 3.58 percent of respondents reported experiencing online fraud during the previous year. That's down from 3.74 percent in the 2007 study, 4.0 percent in the 2006 study, and 4.7 percent in the 2003 study.

In fact, Javelin says, the identity fraud incidence rate has decreased every year since the research firm began doing the report five years ago.

2. There are more victims of identity theft and fraud today than there have ever been before.
If it hasn't happened to you, it's happened to someone you know. And with so much personal data being exposed every day via corporate security breaches and cunning hacker exploits, there must be more victims than ever, right?

Wrong, according to the Javelin study. The research firm estimates that there were approximately 8.1 million victims of ID theft and fraud last year, but that number is down, not up, from the year before.

In fact, just like the incidence rate, the number of ID theft victims in the United States has dropped every year since Javelin began conducting the study. Approximately 10.1 million people reported experiencing fraud or theft in the 2003 study; that figure had dropped to 8.4 million by last year, and 8.1 million this year.

3. Identity fraudsters are stealing record amounts of money from their victims.
Despite reports of big-dollar thefts and a booming black market for credit cards and other personal information, the cost of identity fraud and theft underwent its most precipitous drop last year, according to Javelin.

After hitting an all-time-high of $58 billion in the 2007 study, ID fraud and theft totaled just $51 billion in the U.S. this year, Javelin says. The $7 billion drop was the largest in the history of the research.

The drop also is the first that Javelin has seen since it began publishing the study in 2003. From 2003 to 2007, the fraud damage figure has been on a steady incline, going from $56 billion to $58 billion and increasing slightly every year.

4. Most identity theft and fraud occurs online.
Now that everybody's doing business via the Web, the criminals must be moving there too, conventional wisdom says. Many enterprises have responded to this wisdom with improved sign-on and multi-factor authentication schemes designed to protect the online consumer.

Rather than fight this trend, however, criminals are simply moving to places where the pickings are easier: telephone and mail fraud. According to the Javelin study, identity theft via phone and mail order fraud have skyrocketed in the past year, going from approximately 3 percent of cases in the 2007 report to 40 percent this year.

The difference is primarily in the defense, Javelin says. As of 2007, only 48 percent of the top 25 U.S. financial institutions had instituted a multifactor authentication scheme for telephone banking, making it a much easier approach for criminals than the increasingly armored Website.

5. Online attackers are the greatest perpetrators of identity fraud and theft.
In the TV cop shows, they always cite statistics to show that murder is often committed by someone you know, rather than a stranger. Apparently, this is true of identity theft as well.

In the Javelin study, approximately 14 percent of thefts occurred through traditional "hacker methods" such as Trojans, viruses, or phishing. Data breaches accounted for another 7 percent of thefts -- but even taken together, these account for less than a quarter of all ID fraud.

So where does the rest of it come from? About a third (33 percent) comes from physical theft -- a lost or stolen wallet, purse, or credit card. But a surprising 17 percent of identity theft is perpetrated by friends, relatives, or in-home employees, the study says.

"Often, consumers find it hard to believe that a close friend or family member would perpetrate identity theft against them, but it is these very individuals that have the easiest access to one's private information," the study says.

Continue to Page Two

6. Large security breaches, such as the ones at TJX or the Department of Veterans' Affairs, are the most dangerous to users.
The TJX case has been held up as one of the most egregious breaches in online history, and there have been some incidences of identity theft arising from it. But according to a study published in November by ID Analytics, you're more likely to be victimized by a small data breach than one of the much-ballyhooed gaffes such as TJX's.

Smaller breaches have a higher misuse rate, according to ID Analytics. Misuse of personal data ranged from one in 200 identities for breaches of fewer than 5,000 individuals to a misuse rate of less than one in 10,000 identities for breaches of more than 100,000 individuals. (See What You Don't Know About ID Fraud.)

7. Identity thieves distribute their booty widely, selling or publishing it wherever they can.
Once a criminal has your personal information, you're history, right? It's just a matter of time before the whole world has it, too.

That's not necessarily true, according to the ID Analytics study. In fact, many identity thieves apparently protect the data they steal, just as a bank robber will protect his bags of money.

The study found no evidence that fraudsters who misuse breach data were selling the data broadly or distributing it over the Internet. "This finding is significant because one of the greatest potential risks of data breaches is the broad dissemination of personal information to others with criminal intent," ID Analytics says.

8. Valid credit cards are an identity thief's primary target.
While a nice fat batch of valid credit card numbers is a good haul for an identity thief, there are many other ways to use personal data that can be just as dangerous to the consumer, researchers say.

According to the Javelin study, virtually every category of "card not present" fraud and theft has shown an increase over the past year. Among these are attempts to create new accounts using stolen personal data, as well as efforts to break into existing bank or credit card accounts through means that don't require a card.

Address changes are among the most popular methods of attack, Javelin says. A criminal may call or email a company and claim that he wants to change the address on a card or account. Then, using stolen data to verify his identity, he may gain access to the account without ever possessing a card.

9. Fraudsters steal as much personal data as they can, storing it up until they are ready to use it.
Many consumers -- and even some IT people -- have an image of an identity criminal who hoards personal information like Ali Baba's 40 thieves. Even if your data was stolen years ago, this notion says, it might be used any minute.

But according to ID Analytics, in most cases, online fraudsters don't store up stolen ID information, but cycle through it quickly. Fraudsters misuse a breached identity for no more than two weeks before moving onto the next identity, researchers found.

The Javelin study confirms this conclusion. In the study, data collected via viruses, Trojans, or phishing was misused for the shortest period of time, usually between 21 and 41 days. By contrast, data obtained from a physical theft or by a friend or relative may be misused for an average of 112 to 130 days.

10. The incidence of identity fraud is pretty much the same from state to state.
We're all on the same Internet, so we all share an equal risk, right? Computer users are no safer in one region than another.

According to the Javelin study, that's not so. In fact, over the past three years, consumers in California, Delaware, Idaho, Illinois, and West Virginia have experienced a higher rate of identity fraud and theft than their counterparts in other states. On average, New England and the Plains States reported the lowest incidence of fraud.

Generally, states with the most populous metropolitan areas, such as California, are more likely to have higher rates of fraud activity, thanks to higher incomes and more frequent use of online commerce, the study says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Are You One COVID-19 Test Away From a Cybersecurity Disaster?
Alan Brill, Senior Managing Director, Cyber Risk Practice, Kroll,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-26
libtac in pam_tacplus through 1.5.1 lacks a check for a failure of RAND_bytes()/RAND_pseudo_bytes(). This could lead to use of a non-random/predictable session_id.
PUBLISHED: 2020-10-26
An out-of-bounds read in the JavaScript Interpreter in Facebook Hermes prior to commit 8cb935cd3b2321c46aa6b7ed8454d95c75a7fca0 allows attackers to cause a denial of service attack or possible further memory corruption via crafted JavaScript. Note that this is only exploitable if the application usi...
PUBLISHED: 2020-10-26
Ruckus through is affected by remote command injection. An authenticated user can submit a query to the API (/service/v1/createUser endpoint), injecting arbitrary commands that will be executed as root user via web.py.
PUBLISHED: 2020-10-26
Ruckus vRioT through has an API backdoor that is hardcoded into validate_token.py. An unauthenticated attacker can interact with the service API by using a backdoor value as the Authorization header.
PUBLISHED: 2020-10-26
In the git-tag-annotation-action (open source GitHub Action) before version 1.0.1, an attacker can execute arbitrary (*) shell commands if they can control the value of [the `tag` input] or manage to alter the value of [the `GITHUB_REF` environment variable]. The problem has been patched in version ...