Identity Theft Loss Doubles

Approximately 15 million Americans fell victim to some sort of identity theft-related fraud in the 12 months ending in July 2006, according to a survey by Gartner. These statistics represent a more than 50 percent increase since 2003, when the Federal Trade Commission (FTC) reported 9.9 million American adult identity theft victims. According to the Gartner survey of 5,000 online U.S. adults in August 2006, the average loss was $3,257 in 2006, up from $1,408 in 2005. At the same time, the percentage of funds consumers managed to recover dropped from 87 percent in 2005 to 61 percent in 2006. "Hackers are exploiting Internet auctions, nonregulated money transmittal systems, the ability to impersonate lottery and sweepstakes contests, and other types of imaginative scams," says Avivah Litan, a vice president and distinguished analyst at Gartner. "The thieves have also discovered the weakest links in U.S. payments systems. Typically, the weak links are found among the five or more million businesses that accept electronic payments from consumers, and the consumers themselves." Electronic theft of sensitive information is a leading cause of certain types of fraud, including credit card, debit/ATM card, and bank account transfer fraud. This is not the case with check forgery and new account fraud, where in-person data theft is the leading cause. "All sensitive electronic data needs to be protected, but enterprises should be aware that the low-hanging fruit for the criminals is electronic card and checking account numbers, as well as user IDs and passwords for online financial accounts," Litan says. The average loss on new account fraud more than doubled from $2,678 in 2005 to $5,962 in 2006. Unauthorized charges to credit cards rose nearly fourfold from an average of $734 in 2005 to $2,550 in 2006. This reconciles with a trend cited by various U.S. card issuers who reported large increases in counterfeit card fraud in 2006. Similarly, there were large increases in checking account transfer fraud and other noncategorized types of fraud (for example, scams exploiting eBay, PayPal and phone companies). "Oftentimes, consumers have no idea how criminals hijack their accounts and/or identities," Litan says. "They also typically have no clue if one or more of their personal attributes, such as their social security number, is used to piece together a new fictitious identity in a phenomenon typically referred to as synthetic identity fraud." Regardless of the method used to steal data to commit new account fraud, the fraud itself can be largely prevented by using identity verification and scoring services. When consumers are struck by identity theft, Litan says it's critical companies have the policies in place to protect the customer's financial interests. "Enterprises that store credit card, debit/ATM card, and bank account data should expect electronic data breaches and/or hacks, and migrate away from that practice while protecting their systems accordingly until they are able to do so," she says. "Rule makers debating identity-theft legislation should consider comprehensive financial protection for consumers who lose money to fraud that goes beyond disparate regulations in place today. Service providers should pay for this protection when data or accounts under their custody are breached." Related articles: Phishing For Trouble The Convergence of Enterprise Security