Analog Identity Theft is a Bigger Problem than Digital Identity Theft
When it comes to assessing your risk of identity theft and fraud, being digitally compromised in a...
If preliminary estimates hold steady, the amount of fraud victims and the total amount lost to fraud in 2015 is virtually indistinguishable to the amount of fraud victims and the total amount lost to fraud in 2014. While it’s good to know that the rate of and the amount lost to fraud has not increased, it is actually quite worrisome that fraud figures have not decreased from 2014 to 2015.
2015 was the year EMV was officially implemented in the United States. EMV, put simply, is a protocol designed to reduce the amount of payment card fraud by strengthening payment security through the addition of a microchip into payment cards. If you’d like to learn about the specifics of EMV, please read our previous post about EMV. In order to fully understand why identity fraud in the post-EMV world is so problematic, you don’t need to know everything about EMV – all you need to know is that its purpose is to reduce fraud.
Once you understand that the point of EMV is to reduce fraud, it raises the question: Why didn’t fraud decrease in 2015? This issue becomes even more problematic when taking a closer look at the fraud data from 2015: the type of fraud that criminals are now committing creates much more serious implications for victims whose information is being fraudulently used.
The microchip in EMV-compliant credit cards has made it much, much harder for criminals to successfully duplicate stolen credit card information onto a new, blank credit card. In response, criminals have begun stealing much more sensitive information than a credit card number to conduct fraudulent activities, even if stealing this type of information is more difficult as well as riskier than stealing just credit card numbers. In a sense, EMV has not only compelled thieves to steal more types of sensitive information, but also enabled thieves to extract a much higher volume of fraudulent funds than ever before.
Just a couple of years ago, when the great majority of fraud victims experienced identity theft via a compromised debit or credit card, the fix was to cancel said debit/credit card and move on with life. In the span of a year, fraud victims have been increasingly discovering much more sensitive information - bank account numbers, information found on driver license/identification cards, and even Social Security numbers - are being used fraudulently.
In increasing numbers, thieves have been after information such as:
The problem with the increase in the particular type of information being stolen is this: identity theft now creates much bigger problems than a compromised payment card. Armed with this type of information, criminals can fraudulently:
Through identity theft, criminals not only are committing much more fraudulent types of behavior for their own personal gain, but are also leaving behind large financial messes for victims to clean up that requires much more time, effort, and often, money, to fix than simply canceling a debit/credit card.
“Beyond the numbers, identity theft can be a difficult and challenging personal experience. It can take several months or several years to recover.”
More and more criminals have been discovering that stealing a person’s identity is much, much more lucrative than only stealing that person’s credit card. It cannot be stressed enough that data shows that:
Identity theft is the most popular – and the most profitable – form of consumer fraud
The following comparison of fraud data from 2014 between fraud data from 2015 gives a clear glimpse into the complicated landscape of fraud, particularly identity theft, in the years to come.
*Please note that new figures as well as updated figures may be released later this year as companies and organizations continue to release data from 2015 to government and private entities that compile data on identity theft as well as other types of fraud*
One of the biggest reasons there are millions of identity theft victims each year is the sheer amount of data breaches. In 2014, there were 783 breaches and in 2015, there were 781 breaches; more records were lost in 2015 than in 2014, even though there were 2 more breaches in 2014.
After siphoning off the identities of millions of individuals through data breaches, the hackers responsible for the breaches will most likely put all that data up for sale on the dark web.
“As most Americans know, we live in an age when it’s not a matter of if, but when you will become a victim of identity theft”
According to a study on identity fraud released earlier this month, preliminary estimates for 2015 put the total number of victims from data breaches at 13.1 million For comparison, the total number of victims in 2014, according to the same study, was 12.7 million.
Although the Department of Justice’s Bureau of Justice Statistics (BJS) has yet to release figures for 2015, they estimated that in 2014, 17.6 million Americans – 7% of US residents who were at least 16 years old – were victims of identity theft.
The difference between the study’s figures (a private entity) and the BJS’s figures (a government entity) can be explained by the fact that the BJS doesn’t release their figures for the previous year until the second half of the year while the study’s figures were released this month. In other words, the BJS’s estimations include data that was not yet available for the study.
Nonetheless, despite the differences in the total amounts, data compiled from both private and government entities reveal an unsettling trend in the type of data being stolen and the types of activities for which this data is being used: sensitive information is being used to wholly steal people’s identities as opposed to just their credit card information.
As mentioned above, identity theft can be quite lucrative. Thieves can purchase the data needed to steal an individual’s identity off the dark web for $30; this $30 investment can end up netting a criminal thousands of dollars.
Identity theft criminals have stolen $112 billion in the past six years, which equals $35,600 stolen per minute, or enough to pay for four years of college in just four minutes.
The lucrative nature of identity theft is manifested in the fact that more and more Americans are becoming victims of identity theft. According to the Federal Trade Commission (FTC), the total number of identity theft complaints rose by 47% from 2014 to 2015; this is the 16th consecutive year that identity theft has been the #1 complaint by US consumers.
It is interesting to note that the number of identity theft complaints rose significantly while the number of identity theft victims remained relatively stagnant. This could be explained by the fact that thieves now have a variety of avenues with which to conduct fraud using victims’ identities – for example, they can open new credit card accounts or file a fraudulent tax return in order to receive a refund. In the past, as mentioned above, criminals mostly would simply use a stolen credit card number to make purchases; once the credit card had been cancelled, the criminal could no longer take advantage of the stolen information.
In other words, complaints likely rose because criminals can now do much more damage than running up the balance on a credit card. These types of identity fraud – the reason why identity theft is such a hot topic right now – have come to be known as new account fraud and taxpayer ID theft and refund fraud.
On October 1, 2015, EMV regulations in the United States went into effect. The added security provided by the chip has made in-person (card present) transactions more secure by making fraudulent credit cards created using stolen information virtually useless for in-person purchases. This, in turn, has forced fraudsters to find new, creative ways to exploit stolen personally identifying information: creating entirely new financial accounts, such as credit card accounts, using victims' identities. This is known as new account fraud.
“EMV drives a doubling of new account fraud . . . Fraudsters have reacted [to EMV] by moving away from existing-card fraud to focus on new account fraud. This drove a 113 percent increase in incidence of new account fraud, which now accounts for 20 percent of all fraud losses.”
New account fraud allows criminals to not only extract a lot more fraudulent funds from more than just the limits of a credit card, but also to keep extracting those funds without being detected for a longer period of time. It’s much easier to notice fraudulent activity on an existing credit card as opposed to a credit card you had no idea was under your name. It isn’t surprising why new account fraud is so popular with criminals these days.
New account fraud isn’t the only type of fraud that criminals have been taking advantage of lately- taxpayer ID theft and refund fraud has been the crowd-favorite when it comes to identity theft.
Taxpayer ID theft and refund fraud occurs when a criminal uses an identity theft victim’s identity to fraudulently file a tax return in order to receive a refund – just as the name implies.
“The FTC also said that taxpayer ID theft and refund fraud is ‘the largest and fastest growing ID theft category’ and that taxpayer ID theft and refund fraud was the primary reason for the increase.”
It may, at first glance, seem strange that taxpayer ID theft and refund fraud is the biggest financial drain when it comes to the total losses to identity theft considering the IRS allegedly double-checks filed tax returns for accuracy. However, once you learn that the IRS is stretched so thin that IRS Commissioner John Koskinen has admitted that the IRS is capable of only answering “47 percent to 50 percent of taxpayer calls”, you can begin to understand why taxpayer ID theft and refund fraud has become so attractive to thieves.
To combat taxpayer ID theft and refund fraud, the FTC recommends that individuals should file their taxes as soon as possible. After all, thieves can’t successfully file a fraudulent tax return in your name if you’ve already filed your tax return.
So, what does this all mean for identity theft now and in the future? Well, nothing good.
A comparison of data between 2014 and 2015 only strengthens the position that identity theft is snowballing into a much more destructive force than ever before.
In 2014, there were 138 data breaches that involved the theft of debit/credit card numbers, while in 2015, there were 160 data breaches that involved the theft of debit/credit card numbers. However, only 800,000 records were stolen in 2015, but a whopping 64.4 million records were stolen in 2014.
In 2014, there were 325 data breaches that involved the theft of Social Security numbers and other sensitive information, while in 2015, there were 338 data breaches that involved the theft of Social Security numbers and other sensitive information. However, 85.6 million records were stolen in 2014; just a year later in 2015, 169 million records were stolen.
The data shows that in 2014, thieves were concerned with stealing credit card numbers over other types of sensitive data such as Social Security numbers, but by 2015, thieves were overwhelmingly turning to Social Security numbers and other sensitive data – it’s simply a bigger payoff for thieves to completely take over someone’s identity.
“We recognized 2014 as the year of the credit card breach; 2015 must be similarly recognized but as the year of the Social Security Number breach. The concerning trend here is that remediation of a compromised SSN remains a more arduous task for victims when compared to remediation of an individual credit card number. The opportunities for thieves who possess Social Security Numbers are significantly greater and pose more consumer risk, not to mention more difficulty for the individual consumer when it comes to deployment of risk minimization techniques.”
In 2016 and beyond, we can expect more egregious types of identity theft - the type of theft in which thieves wholly take over a victim’s identity, leaving behind a costly and time-consuming financial mess for the victim to clean up.
As for EMV and its impact on identity theft: EMV adoption has been quite slow – it is estimated that only 37% of US retailers are currently EMV-compliant. But as more and more merchants upgrade their point-of-sales systems to be compliant, and as more and more people have their old payment cards replaced with EMV-compliant cards, you can be sure that you will see thieves continuing to steal people’s identities by the millions.
“I am convinced that 2016 will see more massive public and private sector takedowns, hacks, and exposure of sensitive personal information like we have witnessed in years past. I wouldn’t be surprised if a major political party, PAC or presidential campaign suffers a major compromise. Malvertising and ransomware attacks will reach a fever pitch. Medical data and business information like intellectual property will be prime targets, with cyber thieves looking for opportunistic financial gain based on black market value, corporate extortion and cyber terrorism.”