Identity Theft Research Review: Issues That Need More Research

Overview

The study of identity theft provides a rich review of the myriad issues and dynamics involved with this crime. This information can be broken down by stages of identity theft [labeled as "T1" (time of offense), "T2" (the identity theft itself), and "T3" (outcomes)], in relationship to research focus, needs, and benefits. For example, for a research focus of outcomes (costs or losses), the research needs are identified as: the relationship between the losses or costs in relation to the period of misuse (time between T1 and T2 and the number of subsequent offenses before discovery); the time until discovery, differences between victims, and the lag time between the crime and its discovery; and the reciprocal nature of costs vis-à-vis individuals and businesses. The benefits of this research focus are identified as development of more reliable ways of estimating the cost of identity theft to individuals, organizations, and society—possibly leading to reduced harm.

Challenges Associated With Identity Theft Research

Several characteristics of identity theft data (or lack thereof) impede research:

  • The number and variety of crimes that may be subsumed under identity theft has made defining identity theft difficult. Compounding this uncertainty, researchers disagree as to whether theft of credit card information (especially one-time thefts discovered that present little or no loss to victims) should be classed as true identify theft.
  • Although the Federal Trade Commission has a database of identity theft complaints, no law enforcement entity maintains a national database of identity theft incidents reported to law enforcement or how those cases are resolved. In particular, little is known about how local law enforcement agencies respond to reports of identity theft.
  • A lack of data about the indirect costs of identity theft or the cost-effectiveness of increased security measures inhibits research into possible strategies to reduce the harm from identity theft.
  • Cross-jurisdictional issues make it difficult to isolate patterns of activity, and it is not entirely clear whether the information that is available pertains to the location of the incident or the residence of the victim.

The researchers list specific research recommendations in great detail. (See Conclusions and Recommendations.)

For more information, see Specific research recommendations (pdf, 114 pages).



Identity Theft Offending

Although the component behaviors of identity theft and its related crimes have been known for many years, identity theft is viewed primarily as a product of the information age, just as car theft is a product of the industrial age of mass production. Thus, research should emphasize uncovering the opportunity structure of identity theft. This requires two important steps:

  1. Breaking identity theft down into carefully defined specific acts or sequences of behaviors.
  2. Identifying the opportunities provided offenders by the new environment of the information age.

Although considerable research based on case studies has identified the criminogenic elements of the Internet as the prime leader of the information age, offenders have provided little information as to how exactly they carry out their crimes and identify opportunities for their commission.

Research is needed to interview offenders and investigators to learn the sequences of behaviors and decisions that offenders take in the course of their crimes. This approach will not only aid law enforcement in developing effective intervention techniques, it also will lead to insights as to future ways in which offenders may exploit and identify weaknesses in the information environment.

Identity thieves and those trying to thwart them are waging an "arms race." Although system interventions and improvements in technology (e.g., passwords for credit cards) can work wonders for prevention, offenders quickly develop techniques to overcome these defenses.



Identity Theft Prevention

The research focus recommended to identify the best ways to prevent identity theft crimes is based generally on the situational crime prevention literature and research. This requires the direct involvement of financial and commercial agencies and organizations in addition to, and sometimes instead of, criminal justice involvement. Local police, for example, can do little to affect the national marketing practices of credit card issuing companies that send out mass mailings of convenience checks. Here, interventions at a high policy level are needed.

The strategies and roles of government intervention in business practices—whether by criminal justice agencies or other government agencies—are highly complex and not very well known by researchers. Experience in other spheres such as traffic safety, car safety and security, and environmental pollution could be brought to bear in developing a strategy and program for government agencies and businesses to work together to reduce identity theft.

Local Level Prevention. At the local level, research is needed to examine ways to develop prevention programs in three main areas of vulnerability to identity theft. These are:

  1. The practices and operating environments of document-issuing agencies (e.g. departments of motor vehicles, credit card issuing companies) that allow offenders to exploit opportunities to obtain identity documents of others.
  2. The practices and operating environments of document-authenticating agencies that allow offenders to exploit opportunities to use the identities of others for financial gain, to avoid arrest, or to retain anonymity.
  3. The structure and operations of the information systems that allow offenders to exploit opportunities to gain access to and use the identities of others.

Certifying Identity. Certification of an identity depends on two basic elements: confirmation of the unique biological features of that individual (DNA, thumbprint, etc.) and the ability to attach to those distinct features a history that certifies that the person is who he or she says he or she is. Though the former is relatively easy, especially with modern technologies now available, linking those biometrics to an individual's history (i.e., date and place of birth, marriage, driver's license, parent's names etc.) depends on information that accumulates through an individual's life. Thus, maintaining careful and secure records of that information both by the individual and by agencies that issue them is crucial to establishing an identity. It is essential that agencies issuing documentation have in place a systematic and well-tried system of establishing an applicant's identity (i.e., past history) before issuing an additional identification document.

The twin processes of establishing an identity (e.g., issuing a birth certificate) and authenticating an identity (e.g., accepting a credit card at point of sale) are inherently vulnerable to attack for a number of reasons:

  • Old technologies that do not prevent tampering with cards and documents. These are apparent in many departments of motor vehicles across the Nation, and the credit card protections, though gradually improved over recent years, still fall far short what is technologically possible.
  • Lack of a universally accepted and secure form of identification document. Although the Social Security number is universal, it is well known that it is not secure. Drivers' licenses are becoming a universal identifier by default, but their technological sophistication and the procedures for issuing them vary widely from State to State.
  • Authentication procedures that depend on employees or staff to make decisions about identity. Employees with access to identity-related databases may be coerced or bribed or may otherwise divulge this information to identity thieves. Many may also lack training in authenticating documents.
  • The availability of information and procedures for obtaining others' identities. These include, for example, the availability of personal information (e.g., Social Security numbers) free and for sale on the Internet, identity card making machines of the same quality as those used by agencies that issue legitimate identity cards, and hacking programs to intercept and break into databases.
  • The ease with which electronic databases of personal information can be moved from one place to another on the Internet, which creates the opportunity for hackers (or those obtaining password information from dishonest employees) to steal, hide, and sell the numbers on the black market.

Interventions. Research into situational crime prevention of various types of crime (e.g., shoplifting, theft from cars, check fraud) suggests a range of possible interventions that could be applied to counteract many of the above vulnerabilities. Research on adapting specific interventions to specific modes of identity theft should therefore provide significant indications for effective prevention.



Harm and Its Reduction

Identity theft involves, at a minimum, two victims: the individual whose identity is stolen and, in most cases, the financial institution that is duped by the use of the victim's stolen identity.

The issue of reducing harm to individual victims has received much attention. Congressional hearings and some limited studies of interviews with victims have exposed the psychological as well as financial suffering of individual victims. The focus has been on local police responses to identity theft, which were originally conditioned by their perception that banks, not individuals, were the true victims. Victims had great difficulty in obtaining police reports (as noted above, also caused by cross-jurisdictional problems) and, without such a report, had great difficulty convincing banks and credit reporting agencies that their identities had been stolen.

The International Association of Chiefs of Police and other organizations have taken steps to inform local police about the true suffering of identity theft victims and to introduce reporting and recording rules that will help victims get police reports. The extent to which this enlightened approach has filtered down to local police has yet to be determined. Researchers have extremely little knowledge of what local police departments do in response to individuals who report their victimization. (See Law Enforcement Issues and Response.)

Disposition of Cases. No systematic information is available concerning the results for victims in the prosecution and disposition of individual cases. Federal, State, and multiagency task forces have cutoff levels for acceptance of cases according to financial loss, time to discovery, and involvement of an organized group. It is estimated that the FBI and U.S. Secret Service together processed a few thousand cases of identity theft in 2004. Assuming that similar numbers of cases were processed in every State and in another 50 venues by multiagency major cities' task forces, this would yield a generous estimate of about 303,000 cases. Thus, of the estimated 9.3 million individuals victimized in 2004, an estimated 9 million cases never made it to the criminal justice system.

Of those cases that have been processed, available evidence suggests that the majority of offenders may have been treated leniently by the system—particularly before the establishment of identity theft as a separate criminal act. Some of these offenders continue to perpetrate acts of identity theft against both new and old victims; that is, they use both personal information from new individuals or the identity for the theft of which they had originally been prosecuted to continue victimization while being processed or serving their sentences.

The reciprocal element of identity theft has also not been examined. Because banks and card issuers take much of the financial loss, it is not known to what extent victims actually see themselves as victims and how this affects the steps they may take to avoid being victimized. Investigation into this problem hinges on the particular type of identity theft: whether the offender repeatedly victimizes an individual or the victimization is just a one-time event of a lost or stolen credit card that is quickly corrected. These factors may also affect how likely individuals are to report their victimization and, if so, to what agency. No research has been done on this or any related issues.

Date Created: June 7, 2010