posted 30 May 2007 in Volume 10 Issue 8
EI: The last word
The real fraud?
Identity fraud has been overhyped and overplayed. The truth is much more mundane – and largely out of ordinary people’s hands.
By Frank Nesbitt
It is unusual to start any article with an apology and it is not my intention to question the opinions of many eminent experts or to challenge the known facts of such an insidious crime as identity fraud. It is a serious matter and does affect the people who have been targeted in many different ways. On top of this, corporate identity fraud can destroy an otherwise sound and well-run business.
An alternative view
But I wish to present a different slant to identity fraud – a much-hyped phrase. For example, in November 2004 The Guardian newspaper wrote, “Identity fraud costs the UK more than £1.3bn a year and by the end of 2004 there will be 130,000 cases”. That’s one every four minutes. In March 2005, the red-top daily, The Daily Mirror, claimed that one-in-four people have had their identity stolen, or know someone who has. And in the US, the incidence of identity theft is reportedly even worse.
Yet much earlier, around 1608, playwright William Shakespeare wrote, “But he that filches from me my good name; Robs me of that which not enriches him; And makes me poor indeed”. So, where was the publicity machine back then, when obviously it was evident that such a thing as identity theft was not unknown even in Shakespeare’s time?
It should be stressed that there is a technical difference between identity theft and identity fraud. Identity theft is the procurement of a fictitious (invented) or existing (genuine) identity, that has been altered to create a fictitious one. Having committed identity theft – which in the US is a crime, but not in the UK – a criminal can then perpetrate a fraudulent act using that identity. Identity fraud has now been committed.
This clear difference often confuses, depending on which newspaper you read or television programme watched. Is it theft or fraud? Often, the journalists themselves do not seem to know the difference.
When an identity is stolen this can be used to procure other false documentation, typically from the internet, and these procured documents can be used to carry out a number of illegal acts.
The financial sector bares the brunt of identity fraud, via falsely opened or abused accounts, rather than those individuals whose personal details may have been stolen. I say ‘may’ because personal details can be so easily obtained and not necessarily from the person who is being impersonated.
Large amounts of personal information are already in the public domain and the choice of target by the criminal is mostly bad luck for the individual – it’s nothing personal. A quick search on 192.com, followed by the BT telephone website and, finally, Google Earth, can enable a fraudster to very quickly determine the full names of household members, a telephone number and the type and colour of car on the driveway within the last two years. A birth certificate can be obtained using this information and, therefore, mother’s maiden name (a basic piece of information that so many organisations use as a proof of identity).
But the Police have not, until recently, been that concerned, the figures are woolly, to say the least. The UK government, for example, relies heavily on the Credit Industry Fraud Advisory Service (CIFAS) rather than its own crime figures.
Yet credit card fraud is not the same as identity fraud. So does anyone really know the true extent of identity fraud?
No. The government admits that accurate measurement of the extent and cost of any fraudulent activity, including identity fraud, is difficult. Nevertheless, it is already forgiving ahead with identity cards as the answer.
In the draft Identity Cards Bill of April 2003, the UK government created a new offence of being in control of false identity documents, including genuine documents that had been improperly obtained.
A full Identity Card Bill followed in 2005, with biometric identity cards slated to appear within ten years. But if passports, driving licences and other accepted forms of identity can be so easily obtained and/or manufactured fraudulently, then what will stop these documents being used to obtain ‘genuine’ identity cards?
So, despite all the claims made in newspapers or by the financial sector, the issue of identity fraud is not as straightforward as they might try to portray. It is possible that massive publicity and marketing campaigns might persuade the public to be more careful. But it is equally possible that such campaigns are intended merely to stoke up a moral panic – a mass movement based on the perception that some individual, group, crime or act is dangerous and must be combated.
There have been periods of moral panic throughout history, from medieval witch-hunts to claims of satanic child-abuse. In the Newcastle-based Sunday Sun newspaper in 2005, an article suggested that paranoid householders were leading a boom in sales of paper shredders.
That coincided with a television commercial for one credit-card company, implying that marauding hoards of ne’er-do-wells all over the country come out at night, dressed in black, to trawl through our dustbins, seeking out carelessly discarded gas bills that they can put to nefarious use.
Such a simple piece of television sensationalism was no doubt intended to hide the fact that a zero per cent balance-transfer offer had been removed and substituted with a ‘free credit check’. The easily impressed no doubt went out to buy extra-powerful shredders and extra locks for their doors (and dustbins). Yet a visit to the local bank’s dustbins is likely to be for more productive for a determined fraudster (and also less smelly).
Today’s technology, tomorrow’s history
A well known politician is quoted as saying, “Our liberties will be strengthened if our identity is protected from theft”.
That would be good if personal information, freely provided to government, banks and other organisations, was also well protected. We are constantly bombarded by requests for highly intrusive and personal information in the name of security. But then the organisations that we give this information to fail to adequately protect it, especially when it is stored on computer, and online, too.
Furthermore, no-one has a choice but to hand over the requested information. Refusal can result in draconian penalties or, at the very least, non-provision of the necessary goods or services. The ‘old days’ of paper-based files and microfiche protected us from such information being disseminated too widely, but paper and microfiche are considered inefficient and old hat.
Hype or overstatement?
I do not personally think that identity fraud is the fastest growing crime in the UK (or anywhere else) because the public is at constant risk of this crime and it has been around for decades – yet it’s out of individuals’ control already. To lessen the impact I believe there must be put in place proper controls best suited for the purpose of protecting information, the costs of which should be borne by the organisations that insist on asking for, and retaining, that information.
Despite the many claims, identity fraud is not the priority with some organisations that they would have us believe. They want to pass the buck of responsibility onto ordinary people yet, quite simply, many do not protect the personal information they hold well enough.
The government’s reactions, in my opinion, reflect the sources from which they are taking their advice – narrow vested interests (overwhelmingly financial services organisations) that are not as interested in protecting the public as they would like us to believe.
Identity fraud is not a mirage. It is real and it does underpin serious organised crime. The fight against it needs to be stepped up, but the ‘guns’ must be trained in the right direction. That means requiring organisations to protect personal information far more tightly – as tightly as they protect their own profits. But the introduction of an identity card is a fraud in itself and will do little to prevent it.
Frank Nesbitt is a former police officer specialising in fraud and now a fraud consultant in the forensic services department of accountants Tait Walker. Frank Nesbitt will also be a key speaker at the annual National Information Security conference at St Andrews, Scotland, in May 2007. He can be contacted via e-mail, firstname.lastname@example.org.