The Costs of ID Theft

From one-time credit card fraud incidents to sophisticated organized crime syndicates, identity theft's reach is expansive. It's far from a victimless crime: Consumers, businesses, government and law enforcement all suffer.

The steep price of ID theft

• What is it?
  
• Who does it and how?
  
• How much it costs ... consumers
  
• How much it costs ... businesses
  
• How it affects law enforcement
  
  According to an annual survey released in February by Javelin Strategy and Research, the incidence of identity fraud has steadily declined over the past three years in most parts of the country. But the scope of the problem still scrapes the stratosphere. "The total cost (in 2007) was $45 billion," says James Van Dyke, president and founder of Javelin. That's down from $51 billion the previous year. "It's a huge crime, the number of victims is 8.1 million," he adds.

  Many studies have sought to put a dollar figure on identity fraud costs to consumers and business. Unfortunately, part of the price remains hidden. Criminals can piece together an identity from bits of valid information or make up a new identity from scratch in a scheme known as synthetic identity theft. Since individual consumers are not victims, this form of ID theft can be difficult to detect, says Avivah Litan, vice president and analyst at Gartner, a technology and research advisory company.

  "There are no numbers that you can rely on for big-picture synthetic identity theft," she says. "That would have to come from the bank or the business -- anyone that issues new accounts to fake IDs, and they would have to classify it. And those companies aren't disclosing it either.

  "Some of them don't know about it. If they're not looking for it, they just think that they made a bad loan or something."

  With a big portion of the crime unknown and unmeasured, determining just how much the economy and society suffer as a whole remains difficult to gauge. But this much we know: It's a lot.

   What is identity theft?
  Because co-opting someone's identity can lead to numerous types of crimes, identity theft is a difficult crime to define and measure. According to the Federal Trade Commission, identity theft occurs when someone uses your personal identifying information to commit fraud or other crimes. Personal identifying information can include your name, Social Security number or a credit card number.

   

  Javelin defines it similarly. "We use the term identity fraud. It's probably synonymous with identity theft. And it is anytime there's a transaction in another person's name without their knowledge. So it's not a data breach in and of itself. It can be account takeover or a one-time credit card transaction, and it can be a new account for the purpose of fraud. We limit our focus to cases where it's a fraudulent transaction."

  However, fraudsters can benefit from stealing identifying information in a few different ways.

  With financial identity theft, fraudulent activity generally goes in one of two directions -- new account fraud or existing account takeover. For instance, a criminal can use a person's identifying data such as a Social Security number to open a new account at a bank, for instance, or to set up utilities or rent an apartment. Or an imposter can take over an existing account by engaging in credit card fraud or check fraud.

  Criminal identity theft involves using another person's records to commit crimes.

  A third category of identity theft, and often the stickiest to resolve, is identity cloning. In this variation, a criminal is actually living as you, getting married, having kids, going to school -- in addition to possibly committing crimes and performing financial transactions every day.

  In his role as chief operating officer at Kroll's Fraud Solutions, Brian Lapidus saw identity cloning in action.

  "A gentleman employed here at Kroll a few years ago got a letter from the IRS telling him that he owed taxes," he says. "And without thinking about it, it was a letter from the IRS after all, he paid it. The second time it happened he said something is not right."

  As it turned out, someone in another state had gotten a job in his name and wasn't having taxes taken out of his paycheck.

  "So Craig here was paying for Craig in Florida's taxes," says Lapidus. "And to compound the problem, Craig in Florida had also gotten married and the government was less than thrilled about the fact that Craig was married in two states."

  Luckily this identity theft victim worked at a company that deals with victims of fraud everyday. Obviously, most people don't have that experience.
  
  Who does it and how?
  "The average identity thief is what I would call a criminal opportunist," says Donald Rebovich, Ph.D., associate professor at Utica College and acting executive director of the Center for Identity Management and Information Protection, or CIMIP.

   

  "They're always looking for the weakest point, to manipulate a system or individual."

  As such, there's really no bias toward high-tech or low-tech identity theft. In fact, identity thieves are more likely to be insiders than sophisticated hackers. In a recent study, more than 30 percent of the cases evaluated by CIMIP began with an employee stealing information from their employer.

  "There are really a lot of different ways that identity thieves can work," says Gartner's Litan. "They can be high-tech crimes, directly against consumers, through phishing or malware attacks. We've seen a big increase in those."

  "Or they can be attacks against systems that house the data, like retailers or processors, where external hackers take the data -- we saw that with TJX and CardSystems."

  “Trash cans make up almost no crime at all.” It can also be a partial insider job. "Some cases are collusions or insiders at banks or other businesses that deal with sensitive information that take it and sell it to the black market," Litan says. "Others involve contractors that get in through privileged accounts, whether it's at retail systems or bank systems. There's a big increase in that. We call it 'partial insider.'"

  As part of their study, every year Javelin asks victims of identity theft how thieves got their information.

  "There are data breaches which make up just a few percentage points of the fraud in our study," Van Dyke says. "And then there are the people that are on the Internet. If you combine all the sources, from online shopping to banking to someone hacking into your PC, it makes up about 10 (percent) to 12 percent."

  Despite the reputation for being repositories of oodles of info, Dumpster diving happens less often than you may think.

  "We no longer even ask people if their data was taken from the trash because only 1 percent of people said that's how their information was taken."

  Then again, how would someone pinpoint a Dumpster in the alley as the scene of the crime?

  Consumers should resist blithely tossing out credit card statements and scraps of paper emblazoned with Social Security numbers. Javelin recommends that consumers invest in a shredder or take some care with sensitive documents that get thrown out. It's just not at the top of their list, says Van Dyke.

  One receptacle to worry about more than the trash: the mailbox.

  "The mail always makes up about 6 (percent) to 9 percent," Van Dyke says.

  But consumers shouldn't confine their concerns to the criminals lurking outside the post office or behind a computer. In some instances, victims are the architects of their own undoing.

  The Javelin study found that most often, consumers lose a wallet or a checkbook which leads to fraud of some kind.

  "That's the largest category -- in the 30 percent range," says Van Dyke.

  Other common sources of data theft are friends and family. "People that are close to the victim make up a significant portion of crime, mostly among lower-income (individuals) because they tend to live in areas of higher crime and don't have the financial education to minimize their losses," says Van Dyke.

   

  Plus, vishing is on the rise while phishing attempts have stabilized after rising over the past few years.

  "People become victimized on the phone, which has that social engineering element. They hear the silky smooth voice or maybe they just get some basic information from the caller and they talk them into releasing more a little bit at a time," he says.

   How much it costs ... consumers
  By definition identity theft encompasses a broad range of crimes and the consequences are equally far-reaching.

  At a personal level consumers stand to lose the most from identity theft. In a real way it is a crime against them and victims feel it acutely.

  "We know from qualitative research, victims take it as a personal violation and have amazing recall of the crime. They are very traumatized," says Van Dyke.

  Time may heal their wounds but it's not easy. Javelin found that it can take 26 hours on average for the injured party to clear up the issues surrounding the fraud. Some of the more complicated cases can take 200 hours or more, according to the Identity Theft Resource Center in San Diego.

  "There are the inconveniences that accrue as a result of having to make numerous phone calls, send out letters, track down information and so forth," says Robert Siciliano, security expert and author of "The Safety Minute."

  There's also the lost work time spent trying to contact businesses that only operate from 9 to 5, he adds.

  Most often consumers work on the problem on their own. In cases of account takeover, working with a bank or credit card company can quickly remedy the problem.

  But dealing with other issues can prove difficult -- for instance, getting law enforcement involved. Victims are encouraged or mandated to get a police report to prove their seriousness, but often just accomplishing this first step can be daunting.

  "Just recently we had a case where a victim of identity theft could not get a police report written," says Kroll's Lapidus. But because the victim was in one of Kroll's programs, "we were able to get the police chief to write a police report," he adds.

  According to Javelin, of the 8.1 million consumer victims, most lose nothing. The median in their study loses $0, which means more than half don't lose money.

  On average though, $691 is lost, up from $541 last year. "That includes unreimbursed losses, legal fees in the rare cases where there are some and, in some cases, lost wages," says Van Dyke.

  In February a report from the FTC estimated that the total cost to consumers in 2007 was $1.2 billion.

   

   How much it costs ... businesses
  When analyzing the impact of identity fraud on business and government, the dollar amounts rise considerably. A study by CIMIP released in October 2007 analyzed closed cases from the U.S. Secret Service to find out more about identity theft offenders. The study examined data from 517 cases from the years 2000 to 2006 and included banks and businesses as victims as well as some individuals. The median dollar loss was $31,356.

  "We went with the median because one of the cases involved a loss of about $13 million which skewed the average up. Some victims lost no money," says Rebovich.

  While personally devastating for individuals, fraud can poke holes in otherwise solid businesses in inventive ways, from security breaches to credit card fraud.

  For example, merchants can lose money from charge backs if they accept a stolen card or number. With charge backs, the bank requires merchants to reimburse it for the value of the fraudulent purchase, plus pay a processing fee as high as $50.

  "Everyone is affected differently; some companies aren't affected at all, they don't have to disclose it," says Litan. "In other cases it hurts retailers or accepters of credit cards, not the creditor, because the accepter has to eat the fraudulent transaction."

  Security breaches at businesses are commonplace but not always covered by the media.

  "Unlocked file cabinets, where they have sensitive information in the file cabinet and it's not locked, is particularly widespread," says Joseph Campana, a privacy consultant and certified identity theft risk management specialist with J. Campana and Associates in Madison, Wis.

  "And laptops that contain unencrypted sensitive information -- that is the most common thing," he says.

  Some states require that businesses notify customers when their data has been lost, which then almost obligates the business to pay for credit monitoring.

  "The cost of credit monitoring can be pretty significant as well," says Campana. "And it's become the expectation now. If you lose information, we want credit monitoring and in a lot of cases it's not even warranted because the information was misplaced and there is no evidence that it was misused. But the company still has to pay those expenses."

  Larger businesses can face regulatory fines as well as public relations nightmares. "If regulators have to come in and do a forensic audit where they do a deep investigation as to how that information was accessed, those start at about $10,000," says Campana.

   

  Regaining the trust of their customers can be the biggest expense. A 2007 study from the Ponemon Institute found that the average cost for a company that reports a breach is over $6.3 million per incident, the majority of which -- two-thirds -- is the cost to recover lost business.

  "I don't think anyone in the market or any organization can truly understand the ramifications and impact of the customer experience," says Lapidus.

   How it affects law enforcement
  Catching the people who cause all these problems isn't easy. Local and state police lack the resources and manpower to launch prolonged investigations into identity theft cases.

  "When deluged with numerous reports (of crimes) that ultimately occur out of their jurisdiction, police can only then file the information to be accessed when looking at other newer cases. Otherwise, it's almost impossible to catch a criminal who is conducting themselves anonymously online from all over the world. Their hands are tied," says Siciliano.

  The federal cases analyzed by CIMIP typically involved one year or more of investigation on the part of the Secret Service, says Rebovich. "You're talking about dedicating time to interview informants and evidence."

  The nature of the crimes makes tracking down criminals much more difficult and, as Dallas attorney Matt Yarborough found, tough to prove.

  The former federal prosecutor who focused on cybercrime and online fraud once worked with a victim of identity theft whose neighbor had stolen his mail. The neighbor had applied for a credit card with the information.

  "(The victim) thought he knew who had done it but couldn't prove it to the police," says Yarborough. "We asked them to subpoena the credit card company, and their records showed the e-mail address that (the neighbor) had used to communicate with them. We had her e-mail address that she had communicated with us from, and they matched. That was enough for them to go ahead and indict her."

  In the cases studied at CIMIP, coincidences often sparked an identity theft case with the police.

  "As a researcher, what surprised me in looking over the files was how many cases started with a police officer making a vehicular stop, broken taillight, and they see evidence that this person has more than just a speeding problem," says Rebovich.

  Identity theft should be on the radar of more law enforcement departments when they're investigating routine crimes, he says. "Local enforcement can be made alert to the fact that they could be the first responders to these types of cases."

More From Bankrate:

• 12 Steps for ID Theft Victims
• FDIC 99-Year Payment Rule is Urban Myth
• 10 Ways to Save $500