ApriL 11, 2007The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.
Dear Mr. President:
By establishing the President's Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government's efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.
The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft's damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.
There is no quick solution to this problem. But, we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.
Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President's Task Force on Identity Theft.
Very truly yours,
Alberto R. Gonzales, ChairmanAttorney General
U.S. Department of Justice logo Deborah Platt Majoras, Co-ChairmanChairman, Federal Trade Commission
United States of America Federal Trade Commission logo
From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.
Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.
Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government - from the largest cities with major police departments to the smallest towns with one fraud detective - identity theft has placed increasingly pressing demands on law enforcement.
Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.
In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.
The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.
These communications from the public went a long way toward informing the Task Force's recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.
Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual's personal information to commit fraud. Identity theft has at least three stages in its "life cycle," and it must be attacked at each of those stages:
First, the identity thief attempts to acquire a victim's personal information.
Criminals must first gather personal information, either through low-tech methods - such as stealing mail or workplace records, or "dumpster diving" - or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.
Second, the thief attempts to misuse the information he has acquired.
In this stage, criminals have acquired the victim's personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:
Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.
New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim's name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.
In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.
Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.
At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.
In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation's citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.
The Plan focuses on improvements in four key areas:
- keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
- making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
- assisting the victims of identity theft in recovering from the crime; and
- deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.
In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:
- that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;
- that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;
- that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and
- that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.
The Task Force believes that all of the recommendations in this strategic plan - from these broad policy changes to the small steps - are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President's Task Force on Identity Theft:
Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.
Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While "perfect security" does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.
Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management
Survey current use of SSNs by federal government
Issue guidance on appropriate use of SSNs
Establish clearinghouse for "best" agency practices that minimize use of SSNs
Work with state and local governments to review use of SSNs * Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance
Develop concrete guidance and best practices
Monitor agency compliance with data security guidance
Protect portable storage and communications devices
Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies
Issue data breach guidance to agencies
Publish a "routine use" allowing disclosure of information after a breach to those entities that can assist in responding to the breach
Data Security in Private Sector
Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements
Develop Comprehensive Record on Private Sector Use of Social Security Numbers
Better Educate the Private Sector on Safeguarding Data
Hold regional seminars for businesses on safeguarding information
Distribute improved guidance for private industry
Initiate Investigations of Data Security Violations
Initiate a Multi-Year Public Awareness Campaign
Develop national awareness campaign
Enlist outreach partners
Increase outreach to traditionally underserved communities
Establish "Protect Your Identity" Days
Develop Online Clearinghouse for Current Educational Resources
Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim's name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.
Authentication includes determining a person's identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: Identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.
Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses - for example, multi-factor authentication or layered security - would go a long way toward preventing criminals from profiting from identity theft.
Hold Workshops on Authentication
Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity
Issue report on workshop findings
Develop a Comprehensive Record on Private Sector Use of SSNs
Identity theft can be committed despite a consumer's best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.
Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims
Train law enforcement officers
Provide educational materials for first responders that can be used as a reference guide for identity theft victims
Create and distribute an ID Theft Victim Statement of Rights
Design nationwide training for victim assistance counselors
Develop Avenues for Individualized Assistance to Identity Theft Victims
Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered
Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes
Assess Efficacy of Tools Available to Victims
Conduct assessment of FACT Act remedies under FCRA
Conduct assessment of state credit freeze laws
Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.
Coordination and Information/Intelligence Sharing
Establish a National Identity Theft Law Enforcement Center
Develop and Promote the Use of a Universal Identity Theft Report Form
Enhance Information Sharing Between Law Enforcement and the Private Sector
Enhance ability of law enforcement to receive information from financial institutions
Initiate discussions with financial services industry on countermeasures to identity theft
Initiate discussions with credit reporting agencies on preventing identity theft
Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft
Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime
Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies
Enhance the United States Government's Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft
Assist, Train, and Support Foreign Law Enforcement
Increase Prosecutions of Identity Theft
Designate an identity theft coordinator for each United States Attorney's Office to design a specific identity theft program for each district
Evaluate monetary thresholds for prosecution
Encourage state prosecution of identity theft
Create working groups and task forces
Conduct Targeted Enforcement Initiatives
Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale
Conduct enforcement initiatives focused on identity theft related to the health care system
Conduct enforcement initiatives focused on identity theft by illegal aliens
Review Civil Monetary Penalty Programs
Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes
Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted
Add new crimes to the list of predicate offenses for aggravated identity theft offenses
Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications
Penalize creators and distributors of malicious spyware and keyloggers
Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion
Ensure That an Identity Thief's Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim
Enhance Training for Law Enforcement Officers and Prosecutors
Develop course at National Advocacy Center focused on investigation and prosecution of identity theft
Increase number of regional identity theft seminars
Increase resources for law enforcement on the Internet
Review curricula to enhance basic and advanced training on identity theft
Enhance the Gathering of Statistical Data Impacting the Criminal Justice System's Response to Identity Theft
Gather and analyze statistically reliable data from identity theft victims
Expand scope of national crime victimization survey
Review U.S. Sentencing Commission data
Track prosecutions of identity theft and resources spent
Conduct targeted surveys
Every day, too many Americans learn that their identities have been compromised, often in ways and to an extent they could not have imagined. Identity theft victims experience a sense of hopelessness when someone steals their good name and good credit to commit fraud. These victims also speak of their frustration in fighting against an unknown opponent.
"I was absolutely heartsick to realize our bank accounts were frozen, our names were on a bad check list, and my driver's license was suspended. I hold three licenses in the State of Ohio - my driver's license, my real estate license, and my R.N. license. After learning my driver's license was suspended, I was extremely fearful that my professional licenses might also be suspended as a result of the actions of my imposter."
Maureen Mitchell Testimony Before House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit June 24, 2003
Identity theft - the misuse of another individual's personal information to commit fraud - can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information, either through low-tech methods such as stealing mail or workplace records, or "dumpster diving," or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves to open new credit accounts, take over existing accounts, obtain government benefits and services, or even evade law enforcement by using a new identity. Often, individuals learn that they have become victims of identity theft only after being denied credit or employment, or when a debt collector seeks payment for a debt the victim did not incur.
Individual victim experiences best portray the havoc that identity thieves can wreak. For example, in July 2001, an identity thief gained control of a retired Army Captain's identity when Army officials at Fort Bragg, North Carolina, issued the thief an active duty military identification card in the retired captain's name and with his Social Security number. The military identification, combined with the victim's then-excellent credit history, allowed the identity thief to go on an unhindered spending spree lasting several months. From July to December 2001, the identity thief acquired goods, services, and cash in the victim's name valued at over $260,000. The victim identified more than 60 fraudulent accounts of all types that were opened in his name: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. The identity thief purchased two trucks valued at over $85,000 and a Harley-Davidson motorcycle for $25,000. The thief also rented a house and purchased a time-share in Hilton Head, South Carolina, in the victim's name.4
In another instance, an elderly woman suffering from dementia was victimized by her caregivers, who admitted to stealing as much as $200,000 from her before her death. The thieves not only used the victim's existing credit card accounts, but also opened new credit accounts in her name, obtained financing in her name to purchase new vehicles for themselves, and, using a fraudulent power of attorney, removed $176,000 in U.S. Savings Bonds from the victim's safe-deposit boxes.5
In these ways and others, consumers' lives are disrupted and displaced by identity theft. While federal agencies, the private sector, and consumers themselves already have accomplished a great deal to address the causes and impact of identity theft, much work remains to be done. The following strategic plan focuses on a coordinated government response to: strengthen efforts to prevent identity theft; investigate and prosecute identity theft; raise awareness; and ensure that victims receive meaningful assistance.
There is considerable debate about the prevalence and cost of identity theft in the United States. Numerous studies have attempted to measure the extent of this crime. DOJ, FTC, the Gartner Group, and Javelin Research are just some of the organizations that have published reports of their identity theft surveys.6 While some of the data from these surveys differ, there is agreement that identity theft exacts a serious toll on the American public.
Although greater empirical research is needed, the data show that annual monetary losses are in the billions of dollars. This includes losses associated with new account fraud, a more costly, but less prevalent form of identity theft, and misuse of existing accounts, a more prevalent but less costly form of identity theft. Businesses suffer most of the direct losses from both forms of identity theft because individual victims generally are not held responsible for fraudulent charges. Individual victims, however, also collectively spend billions of dollars recovering from the effects of the crime.
In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, monetary costs of identity theft include indirect costs to businesses for fraud prevention and mitigation of the harm once it has occurred (e.g., for mailing notices to consumers and upgrading systems). Similarly, individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.
In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.
Consumers' fears of becoming identity theft victims also may harm our digital economy. In a 2006 online survey conducted by the Business Software Alliance and Harris Interactive, nearly one in three adults (30 percent) said that security fears compelled them to shop online less or not at all during the 2005/2006 holiday season.7 Similarly, a Cyber Security Industry Alliance survey in June 2005 found that 48 percent of consumers avoided making purchases on the Internet because they feared that their financial information might be stolen.8 Although no studies have correlated these attitudes with actual online buying habits, these surveys indicate that security concerns likely inhibit some commercial use of the Internet.
Unlike some groups of criminals, identity thieves cannot be readily classified. No surveys provide comprehensive data on their primary personal or demographic characteristics. For the most part, victims are not in a good position to know who stole their information or who misused it. According to the FTC's 2003 survey of identity theft, about 14 percent of victims claim to know the perpetrator, who may be a family member, friend, or in-home employee.
Identity thieves can act alone or as part of a criminal enterprise. Each poses unique threats to the public.
In an article entitled "Waitress Gets Own ID When Carding Patron," the Associated Press reported that a bar waitress checking to see whether a patron was old enough to legally drink alcohol was handed her own stolen driver's license, which she reported missing weeks earlier in Lakewood, Ohio. The patron was later charged with identity theft and receiving stolen property.
According to law enforcement agencies, identity thieves often have no prior criminal background and sometimes have pre-existing relationships with the victims. Indeed, identity thieves have been known to prey on people they know, including coworkers, senior citizens for whom they are serving as caretakers, and even family members. Some identity thieves rely on techniques of minimal sophistication, such as stealing mail from homeowners' mailboxes or trash containing financial documents. In some jurisdictions, identity theft by illegal immigrants has resulted in passport, employment, and Social Security fraud. Occasionally, small clusters of individuals with no significant criminal records work together in a loosely knit fashion to obtain personal information and even to create false or fraudulent documents.9
In September 2005, a defendant was sentenced by a federal judge in Colorado to a year and one day in prison, and ordered to pay $181,517.05 in restitution, after pleading guilty to the misuse of a Social Security number. The defendant had obtained the identifying information of two individuals, including their SSNs, and used one such identity to obtain a false Missouri driver's license, to cash counterfeit checks, and to open fraudulent credit accounts. The defendant used the second identity to open a fraudulent credit account and to cash fraudulent checks. The case was investigated by the SSA OIG, FBI, U.S. Postal Inspection Service, and the St. Charles, Missouri, Police Department.
A number of recent reports have focused on the connection between individual methamphetamine ("meth") users and identity theft.10 Law enforcement agencies in Albuquerque, Honolulu, Phoenix, Sacramento, Seattle, and other cities have reported that meth addicts are engaging in identity and data theft through burglaries, mail theft, and theft of wallets and purses. In Salt Lake City, meth users reportedly are organized by white- supremacist gangs to commit identity theft.11 Tellingly, as meth use has risen sharply in recent years, especially in the western United States, some of the same jurisdictions reporting the highest levels of meth use also suffer from the highest incidence of identity theft. Some state law enforcement officials believe that the two increases might be related, and that identity theft may serve as a major funding mechanism for meth labs and purchases.
Law enforcement agencies around the country have observed a steady increase in the involvement of groups and organizations of repeat offenders or career criminals in identity theft. Some of these groups - including national gangs such as Hell's Angels and MS-13 - are formally organized, have a hierarchical structure, and are well-known to law enforcement because of their longstanding involvement in other major crimes such as drug trafficking. Other groups are more loosely-organized and, in some cases, have taken advantage of the Internet to organize, contact each other, and coordinate their identity theft activities more efficiently. Members of these groups often are located in different countries and communicate primarily via the Internet. Other groups have a real-world connection with one another and share a nationality or ethnic group.
Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in computer- or Internet-related identity theft schemes. In Asia and Eastern Europe, for example, organized groups are increasingly sophisticated both in the techniques they use to deceive Internet users into disclosing personal data, and in the complexity of tools they use, such as keyloggers (programs that record every keystroke as an Internet user logs onto his computer or a banking website), spyware (software that covertly gathers user information through the user's Internet connection, without the user's knowledge), and botnets (networks of computers that criminals have compromised and taken control of for some other purpose, ranging from distribution of spam and malicious computer code to attacks on other computers). According to law enforcement agencies, such groups also are demonstrating increasing levels of sophistication and specialization in their online crime, even selling goods and services - such as software templates for making counterfeit identification cards and payment card magnetic strip encoders - that make the stolen data even more valuable to those who have it.
In July 2003, a Russian computer hacker was sentenced in federal court to a prison term of four years for supervising a criminal enterprise in Russia dedicated to computer hacking, fraud, and extortion. The defendant hacked into the computer system of Financial Services, Inc. (FSI), an internet web hosting and electronic banking processing company located in Glen Rock, New Jersey, and stole 11 passwords used by FSI employees to access the FSI computer network as well as a text file containing approximately 3,500 credit card numbers and associated card holder information for FSI customers. One of the defendant's accomplices then threatened FSI that the hacker group would publicly release this stolen credit card information and hack into and further damage the FSI computer system unless FSI paid $6,000. After a period of negotiation, FSI eventually agreed to pay $5,000. In sentencing the defendant, the federal judge described the scheme as an "unprecedented, wide-ranging, organized criminal enterprise" that "engaged in numerous acts of fraud, extortion, and intentional damage to the property of others, involving the sophisticated manipulation of computer data, financial information, and credit card numbers." The court found that the defendant was responsible for an aggregate loss to his victims of approximately $25 million.
Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN. The SSN and a name can be used in many cases to open an account and obtain credit or other benefits in the victim's name. Other data, such as personal identification numbers (PINs), account numbers, and passwords, also are valuable because they enable thieves to access existing consumer accounts.
Identity theft is prevalent in part because criminals are able to obtain personal consumer information everywhere such data are located or stored. Homes and businesses, cars and health-club lockers, electronic networks, and even trash baskets and dumpsters have been targets for identity thieves. Some thieves use more technologically-advanced means to extract information from computers, including malicious-code programs that secretly log information or give criminals access to it.
The following are among the techniques most frequently used by identity thieves to steal the personal information of their victims.
While often considered a "high tech" crime, data theft often is no more sophisticated than stealing paper documents. Some criminals steal documents containing personal information from mail boxes; indeed, mail theft appears to be a common way that meth users and producers obtain consumer data.12 Other identity thieves simply take documents thrown into unprotected trash receptacles, a practice known as "dumpster diving."13 Still others steal information using techniques no more sophisticated than purse snatching.
A ramp agent for a major airline participated in a scheme to steal financial documents, including checks and credit cards, from the U.S. mail at Thurgood Marshall Baltimore-Washington International Airport and transfer those financial documents to his co- conspirators for processing. The conspirators used the documents to obtain cash advances and withdrawals from lines of credit. In September 2005, a federal judge sentenced the ramp agent to 14 years in prison and ordered him to pay $7 million in restitution.
Picture of a table stacked with stolen ID documents Partial display of credit cards, checks, and identifying documents seized in federal investigation of identity theft ring in Maryland, 2005. Source: U.S. Department of Justice
Progress is being made in reducing the opportunities that identity thieves have to obtain personal information in these ways. The Fair and Accurate Credit Transactions Act of 2003 (FACT Act)14 requires merchants that accept credit or debit cards to truncate the numbers on receipts that are electronically printed - a measure that is intended, among other things, to reduce the ability of a "dumpster diver" to obtain a victim's credit card number simply by looking through that victim's discarded trash. Merchants had a period of time to comply with that requirement, which now is in full effect.15
Dishonest insiders can steal sensitive consumer data by removing paper documents from a work site or accessing electronic records. Criminals also may bribe insiders, or become employees themselves to access sensitive data at companies. The failure to disable a terminated employee's access to a computer system or confidential databases contained within the system also could lead to the compromise of sensitive consumer data. Many federal agencies have taken enforcement actions to punish and deter such insider compromise.
In December 2003, the Office of the Comptroller of the Currency (OCC) directed a large financial institution to improve its employee screening policies, procedures, systems, and controls after finding that the institution had inadvertently hired a convicted felon who used his new post to engage in identity theft- related crimes. Deficiencies in the institution's screening practices came to light through the OCC's review of the former employee's activities.
Hackers steal information from public and private institutions, including large corporate databases and residential wireless networks. First, they can intercept data during transmission, such as when a retailer sends payment card information to a card processor. Hackers have developed tools to penetrate firewalls, use automated processes to search for account data or other personal information, export the data, and hide their tracks.16 Several recent government enforcement actions have targeted this type of data theft.
Second, hackers also can gain access to underlying applications - programs used to "communicate" between Internet users and a company's internal databases, such as programs to retrieve product information. One research firm estimates that nearly 75 percent of hacker attacks are targeted at the application, rather than the network.17 It is often difficult to detect the hacker's application-level activities, because the hacker connects to the website through the same legitimate route any customer would use, and the communication is thus seen as permissible activity.
According to the Secret Service, many major breaches in the credit card system in 2006 originated in the Russian Federation and the Ukraine, and criminals operating in those two countries have been directly involved in some of the largest breaches of U.S. financial systems for the past five years.
In December 2004, a federal district judge in North Carolina sentenced a defendant to 108 months in prison after he pleaded guilty to crimes stemming from his unauthorized access to the nationwide computer system used by the Lowe's Corporation to process credit card transactions. To carry out this scheme, the defendant and at least one other person secretly compromised the wireless network at a Lowe's retail store in Michigan and gained access to Lowe's central computer system. The defendant then installed a computer program designed to capture customer credit card information on the computer system of several Lowe's retail stores. After an FBI investigation of the intrusion, the defendant and a confederate were charged.
Identity thieves also use trickery to obtain personal information from unwitting sources, including from the victim himself. This type of deception, known as "social engineering," can take a variety of forms.
Image of phishing emailImage of fake website asking for personal information"Phishing" Email and Associated Website Impersonating National Credit Union Administration Email and Website Source: Anti-Phishing Working Group
Phishing: "Phishing" is one of the most prevalent forms of social engineering. Phishers send emails that appear to be coming from legitimate, well- known sources - often, financial institutions or government agencies. In one example, these email messages tell the recipient that he must verify his personal information for an account or other service to remain active. The emails provide a link, which goes to a website that appears legitimate. After following the link, the web user is instructed to enter personal identifying information, such as his name, address, account number, PIN, and SSN. This information is then harvested by the phishers. In a variant of this practice, victims receive emails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the email to "reenter" or "validate" their personal data. Such phishing schemes often mimic financial institutions' websites and emails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information. Additionally, phishing recently has taken on a new form, dubbed "vishing," in which the thieves use Voice Over Internet Protocol (VOIP) technology to spoof the telephone call systems of financial institutions and request callers provide their account information.18
At the beginning of the 2006 tax filing season, identity thieves sent emails that purported to originate from the IRS's website to taxpayers, falsely informing them that there was a problem with their tax refunds. The emails requested that the taxpayers provide their SSNs so that the IRS could match their identities to the proper tax accounts. In fact, when the users entered their personal information – such as their SSNs, website usernames and passwords, bank or credit-card account numbers and expiration dates, among other things – the phishers simply harvested the data at another location on the Internet. Many of these schemes originated abroad, particularly in Eastern Europe. Since November 2005, the Treasury Inspector General for Tax Administration (TIGTA) and the IRS have received over 17,500 complaints about phishing scams, and TIGTA has identified and shut down over 230 phishing host sites targeting the IRS.
Malware/Spyware/Keystroke Loggers: Criminals also can use spyware to illegally gain access to Internet users' computers and data without the users' permission. One email-based form of social engineering is the use of enticing emails offering free pornographic images to a group of victims; by opening the email, the victim launches the installation of malware, such as spyware or keystroke loggers, onto his computer. The keystroke loggers gather and send information on the user's Internet sessions back to the hacker, including user names and passwords for financial accounts and other personal information. These sophisticated methods of accessing personal information through malware have supplemented other long-established methods by which criminals obtain victims' passwords and other useful data - such as "sniffing" Internet traffic, for example, by listening to network traffic on a shared physical network, or on unencrypted or weakly encrypted wireless networks.
Pretexting: Pretexting19 is another form of social engineering used to obtain sensitive information. In many cases, pretexters contact a financial institution or telephone company, impersonating a legitimate customer, and request that customer's account information. In other cases, the pretext is accomplished by an insider at the financial institution, or by fraudulently opening an online account in the customer's name.20
In addition to instances of deliberate theft of personal information, data also can be obtained by identity thieves in an "incidental" manner. Criminals frequently steal data storage devices, such as laptops or portable media, that contain personal information.21 Although the criminal originally targeted the hardware, he may discover the stored personal information and realize its value and possibility for exploitation. Unless adequately safeguarded - such as through the use of technological tools for protecting data - this information can be accessed and used to steal the victim's identity. Identity thieves also may obtain consumer data when it is lost or misplaced.
Data brokers compile consumer information from a variety of public and private sources and then offer it for sale to different entities for a range of purposes. For example, government agencies often purchase consumer information from data brokers to locate witnesses or beneficiaries, or for law enforcement purposes. Identity thieves, however, can steal personal information from data brokers who fail to ensure that their customers have a legitimate need for the data.
The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB Act) impose specific duties on certain types of data brokers that disseminate particular types of information.22 For example, the FCRA requires data brokers that are consumer reporting agencies to make reasonable efforts to verify the identity of their customers and to ensure that those customers have a permissible purpose for obtaining the information. The GLB Act limits the ability of a financial institution to resell covered financial information.
Existing laws, however, do not reach every kind of personal information collected and sold by data brokers. In addition, when data brokers fail to comply with their statutory duties, they open the door to criminals who can access the personal information held by the data brokers by exploiting poor customer verification practices.
In January 2006, the FTC settled a lawsuit against data broker ChoicePoint, Inc., alleging that it violated the FCRA when it failed to perform due diligence in evaluating and approving new customers. The FTC alleged that ChoicePoint approved as customers for its consumer reports identity thieves who lied about their credentials and whose applications should have raised obvious red flags. Under the settlement, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress and agreed to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish a comprehensive information security program, and to obtain audits by an independent security professional every other year until 2026.
Because it is possible to use someone's credit account without having physical access to the card, identity theft is easily accomplished when a criminal obtains a receipt with the credit account number, or uses other technology to collect that account information.23 For example, over the past several years, law enforcement authorities have witnessed a substantial increase in the use of devices known as "skimmers." A skimmer is an inexpensive electronic device with a slot through which a person passes or "skims" a credit or debit card. Similar to the device legitimate businesses use in processing customer card payments, the skimmer reads and records the magnetically encoded data on the magnetic stripe on the back of the card. That data then can be downloaded either to make fraudulent copies of real cards, or to make purchases when the card is not required, such as online. A retail employee, such as a waiter, can easily conceal a skimmer until a customer hands him a credit card. Once he is out of the customer's sight, he can skim the card through the device, and then swipe it through the restaurant's own card reader to generate a receipt for the customer to sign. The waiter then can pass the recorded data to an accomplice, who can encode the data on blank cards with magnetic stripes. A variation of skimming involves an ATM-mounted device that is able to capture the magnetic information on the consumer's card, as well as the consumer's password.
Image of a skimmer "skimmer" Source: Durham, Ontario Police
Once they obtain victims' personal information, criminals misuse it in endless ways, from opening new accounts in the victim's name, to accessing the victim's existing accounts, to using the victim's name when arrested. Recent survey data show that misuse of existing credit accounts, however, represents the single largest category of fraud.
Misuse of existing accounts can involve credit, brokerage, banking, or utility accounts, among others. The most common form, however, involves credit accounts. This occurs when an identity thief obtains either the actual credit card, the numbers associated with the account, or the information derived from the magnetic strip on the back of the card. Because it is possible to make charges through remote purchases, such as online sales or by telephone, identity thieves are often able to commit fraud even as the card remains in the consumer's wallet.
In March 2006, a former candidate for the presidency of Peru pleaded guilty in a federal district court to charges relating to a large- scale credit card fraud and money laundering conspiracy. The defendant collected stolen credit card numbers from people in Florida who had used skimmers to obtain the information from customers of retail businesses where they worked, such as restaurants and rental car companies. He used some of the credit card fraud proceeds to finance various trips to Peru during his candidacy.
Recent complaint data suggest an increasing number of incidents involving unauthorized access to funds in victims' bank accounts, including checking accounts - sometimes referred to as "account takeovers."24 The Postal Inspection Service reports that it has seen an increase in account takeovers originating outside the United States. Criminals also have attempted to access funds in victims' online brokerage accounts.25
Federal law limits the liability consumers face from existing account misuse, generally shielding victims from direct losses due to fraudulent charges to their accounts. Nevertheless, consumers can spend many hours disputing the charges and making other corrections to their financial records.26
A more serious, if less prevalent, form of identity theft occurs when thieves are able to open new credit, utility, or other accounts in the victim's name, make charges indiscriminately, and then disappear. Victims often do not learn of the fraud until they are contacted by a debt collector or are turned down for a loan, a job, or other benefit because of a negative credit rating. While this is a less prevalent form of fraud, it causes more financial harm, is less likely to be discovered quickly by its victims, and requires the most time for recovery.
In December 2005, a highly organized ring involved in identity theft, counterfeit credit and debit card fraud, and fencing of stolen products was shut down when Postal Inspectors and detectives from the Hudson County, New Jersey, Prosecutor's Office arrested 13 of its members. The investigation, which began in June 2005, uncovered more than 2,000 stolen identities and at least $1.3 million worth of fraudulent transactions. The investigation revealed an additional $1 million in fraudulent credit card purchases in more than 30 states and fraudulent ATM withdrawals. The account information came from computer hackers outside the United States who were able to penetrate corporate databases. Additionally, the ring used counterfeit bank debit cards encoded with legitimate account numbers belonging to unsuspecting victims to make fraudulent withdrawals of hundreds of thousands of dollars from ATMs in New Jersey, New York, and other states.
Series of 4 pictures showing how a skimmer works mounted to an ATMCriminal's skimmer, mounted and colored to resemble exterior of real ATM. A pinhole camera is mounted inside a plastic brochure holder to capture customer's keystrokes. Source: University of Texas Police Department
When criminals establish new credit card accounts in others' names, the sole purpose is to make the maximum use of the available credit from those accounts, whether in a short time or over a longer period. By contrast, when criminals establish new bank or loan accounts in others' names, the fraud often is designed to obtain a single disbursement of funds from a financial institution. In some cases, the criminal deposits a check drawn on an account with insufficient funds, or stolen or counterfeit checks, and then withdraws cash.
Law enforcement has also witnessed an increase in the marketing of personal identification data from compromised accounts by criminal data brokers. For example, certain websites, known as "carding sites," traffic in large quantities of stolen credit-card data. Numerous individuals, often located in different countries, participate in these carding sites to acquire and review newly acquired card numbers and supervise the receipt and distribution of those numbers. The Secret Service calculated that the two largest current carding sites collectively have nearly 20,000 member accounts.
In various parts of the country, illegal immigrants use fraudulently obtained SSNs or passports to obtain employment and assimilate into society. In extreme cases, an individual SSN may be passed on to and used by many illegal immigrants.27 Although victims of this type of identity theft may not necessarily suffer financial harm, they still must spend hour upon hour attempting to correct their personal records to ensure that they are not mistaken for an illegal immigrant or cheated out of a government benefit.
Federal identity theft charges were brought against 148 illegal aliens accused of stealing the identities of lawful U.S. citizens in order to gain employment. The aliens being criminally prosecuted were identified as a result of Operation Wagon Train, an investigation led by agents from U.S. Immigration and Customs Enforcement (ICE), working in conjunction with six U.S. Attorney's Offices. Agents executed civil search warrants at six meat processing plants. Numerous alien workers were arrested, and many were charged with aggravated identity theft, state identity theft, or forgery. Many of the names and Social Security numbers being used at the meat processing plants were reported stolen by identity theft victims to the FTC. In many cases, victims indicated that they received letters from the Internal Revenue Service demanding back taxes for income they had not reported because it was earned by someone working under their name. Other victims were denied driver's licenses, credit, or even medical services because someone had improperly used their personal information before.
Recent reports have brought attention to the problem of medical identity theft, a crime in which the victim's identifying information is used to obtain or make false claims for medical care.28 In addition to the financial harm associated with other types of identity theft, victims of medical identity theft may have their health endangered by inaccurate entries in their medical records. This inaccurate information can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs. Victims may not even be aware that a theft has occurred because medical identity theft can be difficult to discover, as few consumers regularly review their medical records, and victims may not realize that they have been victimized until they receive collection notices, or they attempt to seek medical care themselves, only to discover that they have reached their coverage limits.
Identity theft is inherent in numerous other frauds perpetrated by criminals, including mortgage fraud and fraud schemes directed at obtaining government benefits, including disaster relief funds. The IRS's Criminal Investigation Division, for example, has seen an increase in the use of stolen SSNs to file tax returns. In some cases, the thief files a fraudulent return seeking a refund before the taxpayer files. When the real taxpayer files, the IRS may not accept his return because it is considered a duplicate return. Even if the taxpayer ultimately is made whole, the government suffers the loss from paying multiple refunds.
With the advent of the prescription drug benefit of Medicare Part D, the Department of Health and Human Services' Office of the Inspector General (HHS OIG) has noted a growing incidence of health care frauds involving identity theft. These frauds include telemarketers who fraudulently solicit potential Medicare Part D beneficiaries to disclose information such as their Health Insurance Claim Number (which includes the SSN) and bank account information, as well as marketers who obtain identities from nursing homes and other adult care facilities (including deceased beneficiaries and severely cognitively impaired persons) and use them fraudulently to enroll unwilling beneficiaries in alternate Part D plans in order to increase their sales commissions. The types of fraud that can be perpetrated by an identity thief are limited only by the ingenuity and resources of the criminal.
In July 2006, DOJ charged a defendant with 66 counts of false claims to the government, mail fraud, wire fraud, and aggravated identity theft, relating to the defendant's allegedly fraudulent applications for disaster assistance from the Federal Emergency Management Agency (FEMA) following Hurricane Katrina. Using fictitious SSNs and variations of her name, the defendant allegedly received $277,377 from FEMA.
Robert C. Ingardia, a registered representative who had been associated with several broker-dealers, assumed the identity of his customers. Without authorization, Mr. Ingardia changed the address information for their accounts, sold stock in the accounts worth more than $800,000, and, in an effort to manipulate the market for two thinly-traded penny stock companies, used the cash proceeds of the sales to buy more than $230,000 worth of stock in the companies. The SEC obtained a temporary restraining order against Mr. Ingardia in 2001, and a civil injunction against him in 2003 after the United States Attorney's Office for the Southern District of New York obtained a criminal conviction against him in 2002.
Identity theft is a multi-faceted problem for which there is no simple solution. Because identity theft has several stages in its "life cycle," it must be attacked at each of those stages, including:
when the identity thief attempts to acquire a victim's personal information;
when the thief attempts to misuse the information he has acquired; and
after an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.
The federal government's strategy to combat identity theft must address each of these stages by:
keeping sensitive consumer data out of the hands of identity thieves in the first place through better data security and by educating consumers on how to protect it;
making it more difficult for identity thieves, when they are able to obtain consumer data, to use the information to steal identities;
assisting victims in recovering from the crime; and
deterring identity theft by aggressively prosecuting and punishing those who commit the crime.
A great deal already is being done to combat identity theft, but there are several areas in which we can improve. The Task Force's recommendations, as described below, are focused on those areas.
Identity thieves can ply their trade only if they get access to consumer data. Reducing the opportunities for identity thieves to obtain the data in the first place is the first step to reducing identity theft. Government, the business community, and consumers all play a role in protecting data.
Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and impose the risk of substantial costs for all parties involved. Although there is no such thing as "perfect security," some entities fail to adopt even basic security measures, including many that are inexpensive and readily available.
The link between a data breach and identity theft often is unclear.
Depending on the nature of the breach, the kinds of information breached, and other factors, a particular breach may or may not pose a significant risk of identity theft. Little empirical evidence exists on the extent to which, and under what circumstances, data breaches lead to identity theft, and some studies indicate that data breaches and identity theft may not be strongly linked.29 Nonetheless, because data thieves search for rich targets of consumer data, it is critical that organizations that collect and maintain sensitive consumer information take reasonable steps to protect it and explore new technologies to prevent data compromises.
The SSN is especially valuable to identity thieves, because often it is the key piece of information used in authenticating the identities of consumers. An identity thief with a victim's SSN and certain other information generally can open accounts or obtain other benefits in the victim's name. As long as SSNs continue to be used for authentication purposes, it is important to prevent thieves from obtaining them.
SSNs are readily available to criminals because they are widely used as consumer identifiers throughout the private and public sectors. Although originally created in 1936 to track workers' earnings for social benefits purposes, use of SSNs has proliferated over ensuing decades. In 1961, the Federal Civil Service Commission established a numerical identification system for all federal employees using the SSN as the identification number. The next year, the IRS decided to begin using the SSN as its taxpayer identification number (TIN) for individuals. Indeed, the use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, is expressly authorized by statute.
In June 2006, a federal judge in Massachusetts sentenced a defendant to five years in prison after a jury convicted him of passport fraud, SSN fraud, aggravated identity theft, identification document fraud, and furnishing false information to