January 26, 2005 2:45 PM PST

Offline ID crimes still more severe

Though identity theft using the Internet seems to get all the attention, most of the financial loss linked to fraud is still from offline crime, a new study shows.

Losses related to an average case of Internet-initiated fraud were $551, compared to $4,543 lost from fraud tracked back to paper statements, according to the 2005 Identity Fraud Survey conducted by the Better Business Bureau and Javelin Strategy & Research.

The survey, which follows an earlier study carried out by the Federal Trade Commission in 2003, indicated that Internet-related crimes are actually less severe, less costly and not as widespread as previously thought.

The amount of money lost to identity fraud in 2004 was $52.6 billion--about the same as in 2003. And the number of victims dropped to 9.3 million in 2004 from 10.1 million the year before.

"This new research contradicts some common assumptions about identity-theft fraud and points to new paths of prevention. There are several steps consumers can take to improve their identity safety and protect themselves against this type of fraud," Ken Hunter, CEO of the Council of Better Business Bureaus, said in a statement.

The survey said computer crimes accounted for only 11.6 percent of identity fraud in 2004 in which the cause was known. Half of those crimes stemmed from spyware, software that surreptitiously tracks users online or causes ads to pop up when the consumer is online.

"Our numbers show that fears about online identity fraud may be out of proportion to the relative risk, causing consumers to ignore the most glaring issues," James Van Dyke, Javelin's founder, said in a statement. "Indeed, most instances of identity fraud occur through traditional channels and are paper-based, not Internet-based."

Users can protect their financial data by using updated software that protects against spyware and viruses and by not responding to suspicious e-mail ploys that request personal data. By managing their financial accounts through a password-authenticated Web site, the report added, "consumers can reduce access to personal information on paper bills and statements that may be used to commit identity theft and fraud."

Also revealing was the finding that half of those who committed the online crimes are closely related to the victim as a friend, family member or neighbor.

2 comments

Online ID crime is a major concern
Despite the title of this article, online ID crime IS a very severe issue.

"...the survey which indicated that Internet-related crimes are actually less severe, less costly and not as widespread as previously thought."

I'm very surprised at this statement as in other reports it's stated that over 90% of online PCs are infected with spyware. Couple this with the fact that a PC (with a certain OS) connected to the Internet without proper hardening will be compromised in under 5 minutes. Now to me, that seems pretty widespread.

This article also seems to give the impression that the research conducted by the FTC in 2003 is in agreement with the research conducted by the BBB and Javelin Strategy & Research Group - but the first link below highlights the fact that the FTC is very aware of this serious and growing issue. The link is a testimony before the Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census by Howard Schmidt - CISO, eBay Inc.

Additionally, the notion that users can protect their personal information by conducting their financial business over password-authenticated Web sites is part of the problem. Passwords are no longer a strong measure of security. Spyware on PCs can collect those passwords from Internet browsers as a user is typing them into a "protected web site". What good is it then? A password is only as good as the user typing it, and as such, does not prove that a user is who he or she claims to be. A better solution would be to urge financial institutions to administer 2-factor authentication. That way, even if a password is compromised, there is still a portion of the required credential that isn't known to the attacker.

Lastly, to wrap up with a few figures, in a report furnished by the SMU Engineering Department, damages to US financial institutions in 2004 were estimated at $1.2 billion. Estimated damages to consumer victims were $1.8 million. Now these figures may still not be near offline ID fraud, but the ease with which online fraud can be conducted makes it a very serious crime to pay close attention to.

http://reform.house.gov/UploadedFiles/Schmidt1.pdf
http://www.antiphishing.org
http://engr.smu.edu/~tchen/papers/talk-bt-Nov2004.pdg

Offline ID crimes still more severe
Dear Associates,

How timely could this story possibly be with the economy slowing down......

It's all relative isn't it when it comes to consumer protection. Ask
yourself, is one crime too many? Especially if that one crime turns out to
be against one of us.

Quite often in IT Governance we use a maturity model, which I am sure that
many of you are familiar with. Based on that concept we'd have to say that
so-called off-line ID crime tools and countermeasures have had a few hundred
years to mature and evolve and yet we continue to see a figure like $4,543
in losses. On the other side of the coin, the Internet only really took off
just sixteen years ago, 1989 and the skills and techniques of perpetrators
today have only begun to mature. The objectives and results of the different
techniques may be the same, but the similarities end there. The tools and
access to vulnerable information are drastically incomparable. So where or
how do these crimes really compare?

Another fascinating spin on this article is how it differs from the CSI/FBI
2004 report. Fraud is definitely a crime of opportunity. Thus it's only
logical that as more and more people become interconnected there will be
more opportunity. If so what purpose does this report truly serve to the
public? Have you let your guard down yet?

Best regards,
Mark.


Mark E. S. Bernard, CISM, CISSP, PM,
e-mail: Mark.Bernard@TechSecure.ca
Web: http://www.TechSecure.ca
Phone: (506) 325-0444