Identity theft - a growing epidemic?
By Lesley Meall, 01 Sep 2003. Topic: Business

Identity theft is an increasing problem for individuals. But, as Lesley Meall finds, it also has serious cost, security and systems implications for business and government.

I didn't do it. It wasn't me. A big boy did it then ran away. Denial is not just a river in Egypt, it's the stock reaction to any accusation of wrongdoing, and identifying the guilty and the innocent is no mean feat. So, earlier this year when British pensioner Derek Bond was imprisoned at the request of the Federal Bureau of Investigation, the world looked on askance while he denied everything - including being the man the FBI were looking for. Establishing his innocence took three weeks, but it was eventually attributed to identity theft.

In most cases, identity theft involves using someone else's personal information to open bank and credit accounts; debts are incurred, then left unpaid. At best, it can damage the credit history of the victim. At worst, it can also leave them with huge unpaid debts. But crimes committed under an alias can have more far-reaching consequences. Instead of enjoying a wine tasting holiday, Bond spent 21 days in prison.

'Identity fraud is sweeping the UK,' says Chris Gahan, data development manager at BT, adding: 'It threatens businesses as well as consumers and costs the economy over £1.3bn a year.' During 2002 more than 75,000 cases of identity fraud were recorded by Cifas, the UK's (not-for-profit) credit information fraud avoidance system, compared to 20,000 in 1999. Even so, according to Gahan, the real scale of the problem is concealed. 'The cost of identity fraud remains under-reported, and not fully investigated,' he says. 'Most incidences are written off as 'bad debt' or confused with invalidated applications for financial services products.'

Out of control

'It's the fastest growing type of fraud the UK has ever seen,' says Peter Dorrington, head of fraud solutions with software supplier SAS.
But the problem in the UK is nothing compared to that in the US, where it has reached almost epidemic proportions. 'It's very frequent,' comments FBI investigator, John Lewis. 'In a sense it's out of control.' Last year, the US Federal Trade Commission's (FTC) clearing house for crimes against consumers received more than 160,000 reports of identity theft, but the real figure could be significantly higher. 'Many banks, credit card issuers, cell phone providers and other enterprises that extend financial credit to consumers don't recognise most identity theft fraud for what it is,' asserts Avivah Litan, a Vice President with the research company Gartner.

Based on its own research, Gartner puts the annual US victim toll up in the millions, and estimates that the authorities will catch a mere one in 700 identity thieves. This makes the FBI's recent unearthing of what it called 'the biggest identity theft case in US history' doubly worrying: this single case alone had tens of thousands of victims and losses estimated to be at least $2.7m.

Philip Cummings, a British citizen, allegedly used his helpdesk job at a software firm to steal credit reports from Experian and other credit rating companies, then sold them on to accomplices for $30 each. 'So far we have identified more than 30,000 victims,' says US attorney James Comey, 'and the numbers are growing every day.' The scam went on for three years before the men were caught.

According to the FTC, on average more than a year passes before most victims realise that their identity has been stolen. 'Even if people don't lose out financially, the process of getting their records put right is still time consuming and stressful,' says Home Office minister, Beverley Hughes. The Home Office estimates that it takes the average victim of identity theft 300 hours to put their records straight.
E is for easy

'Identity theft is not necessarily a high-tech crime,' comments Litan, but technology has made it quicker and easier to perpetrate, and on a wider scale. Fraudsters don't need to resort to social engineering or sifting through rubbish when they can easily obtain useful personal information from websites like Friends Reunited, or collect multiple details by hacking insecure sites or posting fake job ads. As Comey says of the biggest identity theft case in US history: 'With a few keystrokes, these men essentially picked the pockets of tens of thousands of Americans.' It's an approach we're probably going to see more of.

'The most organised identity fraud criminals will manage large numbers of stolen and falsified identities simultaneously, each with a legitimate life history,' predicts Simon Foster, associate director with specialist consultancy, Detica. This is backed up by the City of London police fraud squad, which points out that one of the fastest growing criminal trends is placing people in positions of trust which give them access to sensitive customer information. 'The criminals don't need to be technical experts,' notes Foster, 'they simply need a normal login account on a company system.'

Many businesses are extremely vulnerable to this kind of attack, because traditional security technologies are dependent on trust. 'They're based around the assumption that employees who have been granted access to information are trusted to use it legitimately and not to defraud us,' says Foster. By comparison, it is much easier for organisations to protect themselves against external threats, and many go to great lengths to establish the identity of their customers. But as Foster warns: 'We must not lose sight of the basic rule that information security is only as strong as its weakest link.'

Individuals can do a certain amount to protect themselves and their personal details.
'Ensure that credit card and personal details, such as your mother's maiden name or the name of your first school, are only given to reputable companies,' advises Steve Cornmell, a fraud expert within Grant Thornton's forensic and investigations services practice. He also suggests tearing up credit card receipts and statements before throwing them away, and adequately informing all the relevant parties when you move house.

In the UK and the US, government is considering additional legislation: in the UK at the moment, identity theft isn't even a crime. Businesses are also trying to minimise the problem, not least because of increasing anti-money laundering legislation and regulation. But the problem refuses to go away.

Despite moves by the Financial Services Authority to reduce the risks of identity theft and money laundering under its 'Know Your Customer' (KYC) requirements, the UK's financial institutions are witnessing a dramatic rise in identity fraud. Earlier this year, a survey by BT and the GB Group found nearly 67% of the UK's top fraud experts were alarmed by the growing incidences of identity fraud committed against their organisations. Yet, if the KYC requirements were working properly, financial institutions would not be experiencing any cases of identity theft, let alone an increase. 'Something is not working,' says Dorrington. 'Unfortunately, it is a combination of poor regulation, patchy enforcement, and complacency on the part of the financial institutions.'

It's already too late for hundreds of thousands of individuals, but no one wants another Derek Bond. 'Undoubtedly, this case grabbed the headlines making the incident seem like a work of fiction,' says Cornmell. Yet it remains a warning to us all: identity theft is a growing problem, and no individual or organisation is immune.

Lesley Meall is a writer on business and technology issues.


