Credit-card data theft is exploding, increasing 50 percent from 2005 to 2010, according to the latest figures available from the U.S. Department of Justice.
Credit-card data theft is exploding, increasing 50 percent from 2005 to 2010, according to the latest figures available from the U.S. Department of Justice. less
Your credit-card data is out there. And criminals are buying and selling it in bulk.
Credit-card data theft is exploding, increasing 50% from 2005 to 2010, according to the latest figures from the U.S. Department of Justice.
Millions of card numbers are for sale. A single number might go for $10 to $50; a no-limit American Express card number for a consumer with good credit can sell for hundreds of dollars, said Monica Hamilton, marketing director at cybersecurity firm McAfee Inc. in Santa Clara, Calif.
As a result, identity theft has become big business. The number of malicious programs written to steal your information has grown exponentially to an estimated 130 million from about 1 million in 2007, Hamilton said.
The most successful identity thieves have learned that it's more lucrative to hack into businesses, where they can steal card numbers by the thousands or even millions.
Losses suffered by the businesses they hack can be staggering — an estimated $150 to $250 for each card number stolen. Those costs come in the form of legal settlements, fees for consultants hired to remove malware, and personnel hours spent notifying customers. The costs are passed on to consumers in the form of higher retail prices and credit-card fees.
Identify theft, defined as the successful or attempted misuse of credit-card, bank-account or other personal information to commit fraud, is expected to surpass traditional theft as the leading form of property crime. Security analysts say everyone should prepare to become a victim at some point.
Other types of identity theft, including the filing of fraudulent tax returns, also are growing fast.
Yet identity theft often goes unreported, and the crimes that are reported are rarely investigated.
“Police don't want to be bothered. It's a difficult crime to investigate, and the feeling is, "Oh, we're never going to catch these guys."”
Mark Rasch, cybersecurity specialist
Most merchants are content to clean up the damage from an attack, rather than pay for better preventive measures, said Mark Rasch, a cybersecurity specialist and a former federal cybercrime prosecutor in Bethesda, Md.
That approach isn't likely to change unless consumers pressure businesses they patronize to get serious about security.
Financial institutions have become savvy about spotting potentially fraudulent activity and quashing questionable transactions. Thus far, banks have made identity theft relatively painless for consumers by covering their immediate losses. But some analysts wonder whether that approach will be sustainable as the problem grows.
Most local law enforcement lacks the personnel and expertise to investigate smaller identity crimes, and the FBI is only interested in massive cases involving hundreds of victims or more, Rasch said.
"Police don't want to be bothered," he said. "It's a difficult crime to investigate, and the feeling is, 'Oh, we're never going to catch these guys.' "
According to Phoenix police, it is often impossible to locate the perpetrators of identity-related crimes, which makes them among the most difficult cases to solve.
Kellie Droste got surprising news from her accountant last month.
An identity thief had stolen the Maricopa, Ariz. resident's personal information and filed a tax return in her name to claim her refund.
"He (her accountant) couldn't file our joint tax return, because someone had already filed a tax return under my Social Security number," Droste said.
Droste reported the fraud and was told it would take at least six months to sort out the matter. Meanwhile, she would have to wait to receive her $2,700 tax refund.
Droste is among thousands of taxpayers victimized by a fast-growing form of identity theft in which stolen personal information is used to file fraudulent tax returns. And although fraudulent tax returns are popular with criminals right now, they represent the tip of the iceberg.
Identity theft is especially prevalent in Arizona, which had more victims per capita than any other state in 2010, with about 149 victims for every 100,000 residents. California, Florida, Texas and Nevada also were leading states for identity theft, according to Federal Trade Commission data.
Most victims suffer little more than the inconvenience of having to replace
their credit and debit cards.
But when a stolen identity is used to apply for additional lines of credit, the victim can spend years trying to resolve bad debt run up by thieves in their names. Some struggle to borrow money because of the damage to their credit scores. Others have been forced to file bankruptcy and lose their homes.
“Software is fallible, and software can be compromised.”
Kim Singletary, business-security expert at McAfee Inc.
It's not uncommon for victims to suffer multiple forms of identity theft, as was the case with Droste. A customer-service representative from Discover called in August to inform Droste, a speech therapist, that her recent credit-card application was incomplete.
"I hadn't applied for a Discover card," she said.
The identity thief somehow had managed to get her Social Security number, full name and date of birth, Droste was told.
Droste said she spent dozens of hours on the phone trying to stop the fraudulent applications. She filed a police report and even had an excellent lead for investigators to pursue: an address which had been used on some of the applications.
It didn't seem to matter, Droste said. She was told there was little the police could do.
When asked for comment on the challenges of investigating identity theft, Phoenix police deferred to the department's online identity-theft victim packet.
"In identity theft cases it is difficult to identify the suspect(s) as they often use inaccurate information such as addresses and phone numbers," it states. "Frequently the investigator cannot find evidence to prove who actually used the victim's name and/or personal information over the phone or Internet."
A 2012 study, by the Washington, D.C.-based Identity Theft Assistance Center. found that child identity theft is even more difficult to detect and resolve than adult identity theft.
One problem is children often don't find out until years later that their identities were stolen and their credit histories damaged.
Another disturbing aspect of child identity theft is the prevalence of "friendly fraud," in which a family friend or relative — often the child's own parents — steals the child's identity, using the child's pristine credit history to open credit-card accounts and take out mortgages and loans.
According to the study, more than 70% of reported child identity fraud is friendly fraud.
Challenge for retailers
Individuals can have their identity stolen in a number of ways, including while swiping credit or debit cards at the cash registers of trustworthy retailers.
Identity thieves use computer programs to infiltrate retail systems and begin siphoning off bank-card numbers when purchases are made.
Point-of-sale system hacking is a serious and growing problem, according to business-security expert Kim Singletary.
Singletary, director of technical solution marketing at McAfee, said the security-software company has discovered about 130 million unique malware programs from across the Internet, up from just 1 million in 2007.
Many of the programs are designed to infiltrate point-of-sale systems and steal customer data that can be sold or used to make fraudulent purchases, Singletary said.
The fact is, no retailer can protect customer data with 100% certainty because every store, from huge chains to small mom-and-pops, relies on computer systems that are inherently vulnerable, she said.
"Software is fallible, and software can be compromised," Singletary said.
Merchants, who usually incur the greatest losses from identity theft, often don't pursue an investigation because it's expensive, and the chances of solving the crime are slim, former federal prosecutor Rasch said.
As a result, identity thieves usually get away with their crimes, Rasch said.
"They get to do this with impunity," he said.
The upshot is that it's easier and safer for an identity thief to steal $100,000 worth of credit-card numbers than it would be to shoplift an inexpensive item from the store, Rasch said.
Rasch said he worries about the cumulative effect of that lack of enforcement.
"These crimes are going to become more numerous, and they're going to become more sophisticated," he said.
What thieves want
According to Phoenix-based cybersecurity expert Mark Pribish, identity thieves look for specific pieces of information:
• User names, passwords and PIN numbers.
• Social Security numbers.
• Phone and utility account numbers.
• Bank and credit account numbers.
• Employment and student identification numbers.
• Driver's license and passport numbers.
• Professional license numbers.
• Insurance identification numbers.