Thursday, February 6, 2014

Threat Agent Profile: Identity Thieves

Identity thieves lie somewhere in the lower half of the continuum between the low end smash and grab purse-snatchers and the high-end credit card database heists. Identity theft is “the misuse of another individual’s personal information to commit fraud.”[1]  To pull off identity theft, the criminal usually needs a person’s name, address, Social Security Number, and date of birth. That information is resident in thousands of databases held by employers, government agencies, health care organizations, and educational and financial institutions. And hackers want them because they can use the information to apply for credit in the name of other people. Not quite as direct as stealing payment card information, but still pretty good.

In 2006, 8.4 million individuals in the U.S. were victims of identity fraud with related losses totaling $49.3 billion, according to estimates published by Javelin Strategy and Research.[2]  Since 2001, identity theft has been the most common consumer complaint registered to the Federal Trade Commission. 

Why is identity theft such a popular crime among fraudsters? Because it is low risk, low cost, and highly profitable. In 2005 8.3 million U.S. adults were victims of identity theft – 3.7% of the American adult population. In 10% of the cases thieves made off with at least $6,000.[3] Of the 512 cases handled by the Secret Service between 2001 and 2006, the median loss was $31,356.  Of the cases, the highest loss was over $13 million.[3]  Compare this with the average take in a bank robbery of under $5000, a much riskier crime.[5]

As with credit cards, many fraudsters use the information they have stolen to commit fraud themselves. Others, primarily those who have compromised large identity databases such as ChoicePoint in 2005, offer the stolen identities for sale on-line for others to use in identity theft schemes. Numerous online forums provide markets for sellers and buyers of identities. The screenshot below is a listing from In this screenshot the seller provides a ‘sample’ of his goods for sale. Clearly, this “Benjamin’s” identity is completely p0wned.

1) The Presidents Identity Theft Task Force: Combating Identity Theft – A Strategic Plan, page 2, April 2007
2) 2007 Identity Fraud Survey Report, Javelin Strategy and Research
3) Federal Trade Commission – Identity Theft Survey Report, November 2007, Synovate
4) Identity Fraud Trends and Patterns: Building a Data-Based Foundation for Proactive Enforcement – October 2007