Identity theft, or masquerading, is a legal term used to define the malicious theft and consequent misuse of someone else’s identity to commit a crime. Land-based identity theft can occur if a burglar, say, breaks into someone’s home and steals the homeowner’s credit cards, driver’s license, and Social Security card and then uses these to buy things using a false identity. Identity theft, or masquerading, is fraudulent criminal behavior (Schell and Martin 2005).
II. The Four Critical Elements of Traditional and Identity Theft Crimes
III. Phishing and Pharming: Relatively New Forms of Identity Theft
IV. Other Legal Means for Controlling Identity Theft and Fraud
V. Identity Theft, Phishing, and Pharming: Defying the Online Tenets of Privacy, Security, and Trust
VI. The Bottom Line
Introduction In the modern age, identity theft can and does occur in the virtual world. In this venue, it often involves the cybercriminal’s hacking into a computer network to obtain personal information on online users—such as their credit card numbers, birth dates, and Social Security numbers—and then using this information in an illegal manner, such as purchasing things with the stolen identity or pretending to be someone of higher professional status to gain special and undeserved privileges. Because of the huge financial and reputational harms it can cause for victims, identity theft is one of the fastest growing and most devastating crimes in the United States and globally. On February 21, 2005, ChoicePoint, Inc., a data warehouse having 17,000 business customers, had its massive database of client personal information hacked. Consequently, the company said that about 145,000 consumers across the United States may have been adversely affected by the breach of the company’s credentialing process. The company said that the criminals not only obtained illegal access but used stolen identities to create what seemed to be legitimate businesses wanting ChoicePoint accounts. The cybercriminals then opened 50 accounts and received abundant personal data on consumers—including their names, addresses, credit histories, and Social Security numbers (Weber 2005). As a result of the ChoicePoint breach and those occurring in 2005 at the LexisNexis Group (affecting 310,000 clients), the Bank of America (affecting about 1.2 million federal employees having Bank of America credit cards), and Discount ShoeWarehouse (affecting about 1.2 million clients), U.S. politicians called for hearings and ramped-up regulations to protect consumers against identity theft or masquerading. These breaches also prompted many U.S. states to propose more than 150 bills aimed at regulating online security standards, increasing identity theft and fraud protections, increasing data broker limitations, increasing limits on data sharing, and improving the process to clients regarding security breach notifications (Associated Press 2005; McAlearney 2005). According to a recent article in Forbes, identity theft and related online fraud increased considerably in 2009. The article cited over 11 million victims—at an estimated cost of $54 billion. A year earlier, just under 10 million people were allegedly targeted— at an estimated cost of $48 billion. Interestingly, the cost to individual victims as a result of network data breaches has declined from $498 in 2008 to $373 in 2009. Who, then, is covering the costs for the personal harms inflicted on innocent victims as a result of identity theft? Increasingly, affirm the experts, it is the financial institutions to whom land-based and online citizens entrust their money and from whom they receive assurances of privacy protection regarding personal information. Even as the cost of fraud mitigation continues to spiral out of control, financial institutions are bringing the out-of-pocket expenses for identity theft victims as close to zero as possible so as to maintain their clients’ confidence in the system. Losing customers over the longer term because of fractured consumer confidence translates into the institutions’ investing in shorter-term remedies for assisting identity theft victims to become financially and psychologically “whole” again as quickly as possible (Merrill 2010). The Four Critical Elements of Traditional and Identity Theft Crimes According to legal expert Susan Brenner (2001), both traditional land-based crimes and cybercrimes like identity theft cause harm—to property, persons, or both. Some innocent victims of identity theft even incur prison records when false criminal charges are filed. As in the real world, there are politically motivated crimes, controversial crimes, and technical nonoffenses in the virtual world. In U.S. jurisdictions and elsewhere, traditional and cybercrimes like masquerading involve four key elements:
- Actus reus (wrongful act, or the physical component of a crime)
- Mens rea (a culpable mental state)
- Attendant circumstances (the presence of certain necessary conditions)
- Harm (to either persons or property, or both)
Perhaps an example can illustrate these critical elements more clearly. One such identity theft case that made world headlines occurred in 2001. It involved U.S. waiter Abraham Abdullah., a hacker who was arrested and imprisoned for defrauding financial institutions of about $20 million by using an identity theft scheme. Abdullah selected his targets’ identities from the Forbes 400 list of America’s wealthiest citizens; his targets included Steven Spielberg, Oprah Winfrey, Martha Stewart, and Warren Buffett. Then, with the help of his local library’s computer, Abdullah used the Google search engine to glean financial information about these wealthy U.S. citizens. He also used the information obtained from forged Merrill Lynch and Goldman Sachs correspondence to persuade credit reporting services (like Equifax) to give him detailed financial reports on the targets. Such reports were then used by Abdullah to dupe banks and financial brokers into transferring money to accounts controlled by him (Credit Identity Theft.com 2008; Schell, Dodge, and Moutsatsos 2002). This case illustrates that with mere access to the library’s computer and the Internet, this cybercriminal was able to initiate a surprisingly simple process of masquerading by gaining unauthorized access to credit card and brokerage accounts. His scheme was revealed when he sent a fake e-mail message to a brokerage house requesting a transfer of $10 million to his bank account in Australia from an account owned by millionaire Thomas Siebel. Abdullah, an American, was tried according to U.S. jurisdictional law and sent to prison (Schell 2007). In terms of the four elements of the crime, Abdullah gained entry into and unlawfully took control of the property—the sensitive information in credit card and brokerage accounts (actus reus). He entered with the intent of depriving the lawful owner of sensitive information (mens rea). By society’s norms, Abdullah had no legal right to gain access to credit card and brokerage accounts of targeted wealthy individuals for his own financial gain. He clearly was not authorized to do so by the rightful owners (attendant circumstances). Consequently, Abdullah was liable for his unlawful acts, for he illegally entered the private accounts (i.e., criminal trespass) to commit an offense once access was gained (i.e., identity theft and fraud). As the targeted users eventually realized that harm was caused to their financial property, the judge hearing the evidence ruled that Abdullah should spend some time behind prison bars. Phishing and Pharming: Relatively New Forms of Identity Theft Within the past several years, a relatively new form of identity theft has emerged called “phishing.” This refers to various online techniques used by identity thieves to lure unsuspecting Internet users to illegitimate Web sites so that the thieves can “fish for” sensitive personal information—to be later used for criminal acts like identity theft and fraud. These illegitimate or rogue Web sites are commonly designed to look as though they came from legitimate, branded, and trusted businesses, financial institutions, and government agencies. Often the cyberthieves deceive vulnerable Internet users into disclosing their financial account information or their online usernames or passwords (Public Safety Canada 2009). The more aware Internet users receiving phishing emails from supposedly legitimate banks or financial institutions are likely to realize that the cyberthieves may have used spamming techniques (i.e., mass e-mailing) to send the same message to thousands of people. Many of those receiving the spam do not have an account or client relationship with the business or financial institution sending the said e-mail, so they may just ignore the message. The cybercriminals creating phishing e-mails, however, hope that some e-mail recipients will actually have an account with the legitimate business; thus the recipients may believe that the e-mail has come from a “trusted” source and will therefore release the requested personal information (Public Safety Canada 2009). According to a 2004 report released by Gartner, Inc., an IT marketing research firm, phishing exploits cost banks and credit card companies an estimated $1.2 billion in 2003—and since then the costs have continue to climb. Like phishing, pharming is a technique used by cybercriminals to get personal or private (typically financially related) information by “domain spoofing.” Instead of spamming targets with ill-intended e-mail encouraging them to visit spoof Web sites appearing to be legitimate, pharming poisons a domain name system server by putting false information into it. The outcome is that the online user’s request is redirected elsewhere. Often, the online user is totally unaware that this process is occurring because the browser indicates that the online user is at the correct Web site. Consequently, Internet security experts view pharming as a more of a serious menace, primarily because it is more difficult to detect. In short, although phishers try to “scam” targets on a one-on-one basis, pharming allows ill-intentioned cybercriminals to scam large numbers of online targets all at once by effectively using the domain spoofing technique (Schell 2007). What, therefore, should Internet users do about phishing and pharming? According to the U.S. Department of Justice and Canada’s Department of Public Safety and Emergency Preparedness, Internet users should keep three points in mind when they see e-mails or Web sites that may be part of a phishing or pharming scheme (Public Safety Canada 2009):
- Recognize it. If one receives an unexpected e-mail from a bank or credit card company saying that one’s account will be blocked if one does not confirm the billing information, one should not reply or click on any links in the e-mail.
- Report it. One should contact the bank or credit card company if one has unwittingly supplied personal or financial information. One should also contact the local police, who will often take police reports even if the crime may ultimately be investigated by another law enforcement agency. The identity theft case should also be immediately reported to the appropriate government agencies. In the United States, online users should contact the Internet Crime Complaint Center, or IC3 (http://www.ic3.gov/). In Canada, online users should contact Canadian Anti-Fraud Centre. Canadian and American agencies such as these are compiling data about identity theft to determine trends in this domain.
- Stop it. Online users should become familiar with the safe online practices of one’s financial institutions and credit card companies; typically, for example, such businesses will not utilize e-mail to confirm an existing client’s information. Moreover, a number of legitimate targeted financial institutions have distributed contact information to online users so that they can quickly report phishing or pharming incidents. Finally, online users having the Internet Explorer browser can go to the Microsoft security home page to download special fixes protecting them against certain phishing schemes.
Other Legal Means for Controlling Identity Theft and Fraud Because of its often anonymous and decentralized composition, the Internet is fertile ground for identity theft and fraud. Fraud, defined by law, is viewed as an intentional misrepresentation of facts made by one person, knowing that such misrepresentation is false but will, in the end, induce the other person to act in some manipulated fashion resulting in injury, harm, or damage to the person manipulated. Th us, fraud may include an omission of facts or an intended failure to state all of the facts. Knowledge of the latter would be needed to prevent the other statements from being misleading. In cyberterms, spam is often sent in an effort to defraud another person into purchasing a product or service that he or she has no intention of purchasing. Fraud can also occur through other means, such as online gaming, online auctions, or false claims of inheritance or lottery wins (Schell 2007). Recently in the United States, the Sarbanes-Oxley Act (SOA) was passed as a reaction to accounting misdeeds in companies like WorldCom and Enron, but its passage has fraud implications as well, particularly with regard to online personal information storage. With the vast amounts of personal information stored on company computers, fraud opportunities abound. A major problem prompting the passage of the SOA was that companies storing large amounts of information have tended to give little thought to what is being stored in company or institutional networks—or how securely it is being stored. Consequently, occasional occurrences of fraud or alterations of data by hackers have gone undetected. Some experts have argued that, rather than spending lots of money to store data in accordance with SOA compliance provisions, companies should allocate funds to determine exactly what kinds of information must be stored and for how long (Schell 2007). In the spring of 2010, a number of Web site companies — including Google, Microsoft, and Yahoo — faced consumer and advocacy group backlash for keeping Internet search records for too long. These companies were told in writing by European Union (EU) officials probing possible breaches of EU data privacy law that “their methods of making users’ search data anonymous” continue to breach EU data protection rules. The group also told Google—the world’s largest search engine—to shorten its data storage period from nine months to six months or face harsh penalties for noncompliance. Shortening the data storage period would adversely affect the search engine companies’ potential for generating advertising revenue, for they rely on users’ search queries to target more specific advertising. It is important to note that search engine companies are competing for online market share, whereby consumer queries are expected to generate a whopping $32.2 billion in advertising revenue just for 2010. Technically speaking, a user’s search history contains a footprint of the user’s interests and personal relations. This very personal information can be misused in many ways, so consumer protections are required (Bloomberg News 2010). Also in the spring of 2010, following numerous complaints from online users, the social networking Web site Facebook announced four reforms to more easily control access to their personal data. The complaints started when Facebook announced features like “instant personalization,” which tailors other Web sites to users’ Facebook profiles. In fact, so many online consumers became irate with Facebook that thousands of them planned to “de-friend” the $24 billion social media corporation as a sign of protest on Monday, May 31, 2010 (Zerbisias 2010). In a news conference on May 26, 2010, Facebook CEO Mark Zuckerberg said that the company had offered a lot of controls to date, but if consumers found them too hard to use, then consumers won’t feel that they have enough control—so the company needed to improve things. The following four reforms were announced to make it easier for online consumers to decline the instant personalization feature: (1) one simple control was created so users can see the content they post—everyone, friends of their friends, or just their friends; (2) the amount of basic information that must be visible to everyone has also been reduced, and the information fields will no longer have to be public; (3) the company has made it simpler for users to control whether applications and Web sites can access any of users’ information; and (4) with these changes, the overhaul of Facebook’s privacy model was said to be complete (“Facebook” 2010). Despite these announced reforms, Canada’s Office of the Privacy Commissioner warned Facebook that the company still was not complying with Canadian federal privacy laws. The Office noted that Facebook’s new settings continue to require users to publicly reveal their names, profile information, pictures, gender, and networks to the broader Internet population. Under Canadian law, companies are bound to give consumers full control over how their personal data are used, thus enabling them to curb identity theft and affiliated cybercrimes. The office put Facebook on notice that it will continue to monitor the situation to ensure that the social networking site complies with the law (McNish and El Akkad 2010). Identity Theft, Phishing, and Pharming: Defying the Online Tenets of Privacy, Security, and Trust Identity theft, phishing, and pharming defy the basic online tenets of privacy, security, and trust (PST). Recent public surveys have shown that a number of consumers are still afraid to buy goods and services online because they fear that their personal information will be used by someone else. In recent times, trust seals and increased government regulation—such as the SOA—have become two main ways of promoting improved privacy disclosures on the Internet. Trust seals often appear on e-business Web sites— including green Trust images, the BBBOnLine (Better Business Bureau OnLine) padlocks, and a host of other privacy and security seals. In fact, some companies are paying up to $13,000 annually to display these logos on their Web sites in hopes of having consumers relate positively to their efforts to provide online privacy (Schell and Holt 2010). Generally, businesses and government agencies take two kinds of approaches to prevent security breaches: (1) proactive approaches to prevent security breaches— such as preventing hackers from launching attacks in the first place (typically through various cryptographic techniques) and (2) reactive approaches—by detecting security threats “after the fact” and applying the appropriate fixes or “patches.” These two approaches combined generally allow for comprehensive network solutions (Schell and Holt 2010). Without question, a major barrier to the success of online commercial and social networking Web sites has been the fundamental lack of faith between business and consumer partners. This lack of trust by consumers is largely caused by their having to provide detailed personal and confidential information to companies on request. Also, when purchases have been made online, consumers fear that their credit card numbers may be used for purposes other than those for which permission was given. And from the business partner’s trust vantage point, the company is not really sure if the credit card number the consumer gives is genuine or in good credit standing. In short, “communicating” with unknowns through the Internet elicits two sets of questions that call for reflection: First, what is the real identity of the other person(s) on the Internet, and can their identities somehow be authenticated? Second, how reliable are the other persons on the Internet, and is it safe to interact with them (Schell and Holt 2010)? To respond to these queries, in recent years a number of products have been developed to assist in the authentication process, including the following (Schell 2007):
- Biometrics, which assesses the users’ signatures, facial features, and other biological identifiers
- Smart cards, which contain microprocessor chips running cryptographic algorithms and store a private key
- Digital certificates, which contain public or private keys—the value needed to encrypt or decrypt a message
- SecureID, a commercial product using a key and the current time to generate a random number stream that is verifiable by a server, thus ensuring that a potential users puts a verifiable number on the card within a set amount of time (such as 5 or 10 seconds)
The Bottom Line Despite the goodwill and multiple technical and legal means to protect privacy, security, and trust provisions online, should we affirm that online consumers can rest assured that cyberspace is a risk-free environment in which they can safely communicate with others, buy things, and socially network? To answer this question, on March 4, 2005, a team of researchers at Seattle University “surfed” the Internet with the intent of harvesting social insurance and credit card numbers. In less than 60 minutes, they found millions of names, birth dates, and Social Security and credit card numbers—using just one Internet search engine, Google. The researchers warned that by using the right kind of sophisticated search terms, a cybercriminal could even find data deleted from company or government Web sites but temporarily cached in Google’s extraordinarily large data warehouse. The problem, the researchers concluded, was not with Google per se but with companies allowing Google to enter into the public segment of their networks (called the DMZ) and index all the data contained there. Although Google and other search engine companies do not need to be repaired, companies and government agencies must understand that they are exposing themselves and their clients by posting sensitive data in public places. The bottom line is that even today, with many provisions in place to keep online consumers safe, there remain identity theft and related crime risks (Schell and Martin 2006). Bernadette H. Schell Bibliography:
- Associated Press, “Data Brokerages: LexisNexis Database Hit by ID Thieves.” Globe and Mail (March 10, 2005): B13.
- Biegelman, Martin T., Identity Theft Handbook: Detection, Prevention, and Security. Hoboken, NJ: Wiley, 2009.
- Bloomberg News, “Web Firms Breach Data Privacy, EU Group Says.” Toronto Star (May 27, 2010): B3.
- Brenner, Susan W., “Is There Such a Thing as Virtual Crime?” California Criminal Law Review 4, no. 1 (2001): 105–111.
- Credit Identity Theft.com, “Identity Theft of Celebrities and Wealthy.” September 29, 2008. http://creditidentitysafe.com/articles/identity-theft-of-celebrities-and-wealthy.htm
- “Facebook Seeks End to Privacy War.” Toronto Star (May 27, 2010): B3.
- Hoff man, Sandra K., Identity Theft: A Reference Handbook. Santa Barbara, CA: ABC-CLIO, 2010.
- McAlearney, Shawna, “Privacy: How Much Regulation Is Too Much?” April 28, 2005. http://security.networksasia.net/content/privacy-how-much-regulation-too-much
- McNish, J., and O. El Akkad, “Facebook Piracy Changes under Fire.” Globe and Mail (May 27, 2010): B11.
- Merrill, Scott, “Identity Theft Costs Rise Overall, While Costs per Victim Decline.” February 10, 2010. http://techcrunch.com/2010/02/10/identity-theft-costs-rise-overall-while-costs-per-victim-decline/
- Public Safety Canada, “Phishing: A New Form of Identity Theft.” 2009. http://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/archive-phshng/index-eng.aspx
- Schell, B. H., The Internet and Society. Santa Barbara, CA: ABC-CLIO, 2007.
- Schell, B. H., J. L. Dodge, and S. S. Moutsatsos, The Hacking of America: Who’s Doing It, Why, and How. Westport, CT: Quorum Books, 2002.
- Schell, B. H., and T. J. Holt, “A Profile of the Demographics, Psychological Predispositions, and Social/Behavioral Patterns of Computer Hacker Insiders and Outsiders.” In Online Consumer Protection: Theories of Human Relativism, ed. K. Chen and A. Fadlalla. Hershey, PA: Information Science Reference, 2010.
- Schell, B. H., and C. Martin, Webster’s New World Hacker Dictionary. Indianapolis, IN: Wiley, 2006.
- Weber, H. R., “Criminals Access ChoicePoint’s Information Data.” Globe and Mail (February 22, 2005): B15.
- Zerbisias, A., “Facebook under Fire: Is Social Site Getting a Little Too Friendly?” Toronto Star (May 20, 2010): A4.