Despite recent scary stories and numbers surrounding online identity theft, the Internet still isn't the main vehicle for stealing personal information, according to a newly released study of U.S. Secret Service cases by the Center for Identity Management and Information Protection (CIMIP). (See ID Theft Research Group to Come Out of the Shadows.)

CIMIP, a public-private partnership that includes IBM, the U.S. Secret Service, and the FBI, dispelled a few misperceptions about the identity thieves in its new findings, which were based on over 500 cases closed by the Secret Service between 2000 and 2006. CIMIP released study results today at its identity management conference in McLean, Va.

Gary Gordon, executive director for CIMIP, said the study focused on the modus operandi of the identity thieves, offering a slightly different perspective from previous studies, which honed in on the victims.

"It shows a wide range of how people steal identity information -- and it's not the image we have of somebody hacking into a corporate computer system or putting a keylogger on a personal computer," Gordon says.

The study focuses mainly on cases that are a few years old, which may explain why online theft played a lesser role. But Gordon says it's the inside look at identity thieves and the way they operate that's most important about the groundbreaking study.

"This is the first time we've had the opportunity to look at the lifecycle of identity theft, from point of detection through arrest and conviction," he says. The next phase of the study will look at cases from 2005-2007, which could contain more Internet activity, he says. It takes the Secret Service about a year and a half on average to close a case.

In the current study, identity thieves used a mix of techniques to steal personal information from their victims. In 41 percent of the cases in the study, the Internet was not used at all, nor any other technology. In fact, the methods used were mostly manual, such as rerouting mail through change of address cards; mail theft; public records; and dumpster diving.

Nearly 10 percent of the ID thieves used the Internet exclusively, and 5.8 percent used both the Internet and another technology -- such as computers or peripherals -- in their crimes. Technology devices were used in 22 percent of cases. Only about 2 percent of the cases combined the Internet, other technologies, and manual techniques.

Demographically, 42.5 percent of the ID thieves were between 25 and 34 years old, and two thirds were males. Just under 20 percent were between the ages of 18 and 24, and nearly one fourth of these bad guys were born outside of the U.S. In 80 percent of the cases, the thief either worked alone or with just one partner, which doesn't exactly jibe with the image of Eastern European crime organizations initiating such crimes.

Most of the crimes (59 percent) were against people the thieves did not know. Some 10.5 percent were customers or clients of the perpetrator; 5 percent were relatives.

What about the insider threat? Only 20.3 percent of the criminals in the study committed identity theft crime from work -- the retail industry (including casinos and health care institutions) had the most offenders (59.7 percent). About 22 percent came from the financial services industry.

About half of the defendants in the cases received jail sentences, and the median actual dollar loss in a case was $31,356.

CIMIP's Gordon says there were only "a couple of cases" where botnets played a role in the identity theft crimes studied for this report. But that it's likely there will be more botnet activity in more current Secret Service cases, which CIMIP has already begun researching.

But low-tech methods won't disappear. "There appears to be some variety of ways people do this," Gordon says. "We'll probably still find low-tech means being utilized."

Meanwhile, Gordon emphasizes that the study is specifically based on federal cases. "This is limited to federal law enforcement cases, for the primary agency investigating identity theft," he says. "You can't generalize it to all [identity theft] cases."

Still, the study takes a holistic look at who identity thieves are, how they do their dirty deeds, and who their victims are, Gordon notes. "This starts to paint a picture we can use to improve our investigative methods, and to enhance training and [education of] policymakers."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.