Identity Theft and Society: What's in it for me?
Upcoming SlideShare
Loading in...5
×
 

Identity Theft and Society: What's in it for me?

on

  • 6,301 views

Paper aims to provide an overview of the problems of identity theft and its impacts on society coupled iwth potential solutions for individuals, corprorations and government agencies to mitigate and ...

Paper aims to provide an overview of the problems of identity theft and its impacts on society coupled iwth potential solutions for individuals, corprorations and government agencies to mitigate and solve the issue.

Statistics

Views

Total Views
6,301
Views on SlideShare
6,301
Embed Views
0

Actions

Likes
2
Downloads
36
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft Word

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Identity Theft and Society: What's in it for me? Identity Theft and Society: What's in it for me? Document Transcript

  • Identity Theft and Society: How does it affect me? IDENTITY THEFT AND SOCIETY: HOW DOES IT AFFECT ME? TABLE OF CONTENTS INTRODUCTION – WHAT IS IDENTITY THEFT?..................................................1 IDENTITY MANAGEMENT: WHAT IS IT TO ME?.................................................5 COSTS OF IDENTITY THEFT AND FRAUD..........................................................12 CONCULSION: PROTECTION.................................................................................14 AND SECURITY STRATEGIES................................................................................14 REFERENCE LIST......................................................................................................18 PAPER BACKGROUND Identity theft and fraud against individuals, corporations and governments across the industrialised world is measured in billions of dollars annually, causing significant difficulties for those involved in monitoring and resolving the effects. The development and expansion of electronic technologies have allowed fraudsters to expedite such activities across multiple jurisdictions with near anonymity whilst leaving those affected with months, perhaps years, of hard toil to recover. Additionally individuals, corporations and governments have been institutionally lackadaisical with securing critical information and systems, allowing a back entrance to be left effectively unguarded for exploitation by identity thieves and fraudsters. The 2007 U.K. Revenue and Customs data breach, data losses by U.S. government agencies and educational institutions, and the Australian Tax File Number system with millions of excess entries demonstrate that an attitudinal and cultural overhaul – throughout the industrial world – is desperately required. The aims of the paper are to: 1. Outline the history of identity theft and fraud; 2. Illustrate what identity management means for individuals and groups within the industrial world; 3. Quantify and explain the costs and impacts on individuals, corporations and governments; and 4. Outline possible strategies on how to balance online security and privacy with effective interaction on commercial, social and governmental matters. Table of Contents and Paper Background
  • Identity Theft and Society: How does it affect me? Introduction: What is Identity Theft? INTRODUCTION – WHAT IS IDENTITY THEFT? Identity theft – and the broader concept of identity crime – has become a complex and challenging issue for individuals, corporations and government agencies across the world during recent times. The advent of various online technologies has facilitated the ability to gather personal identifying information (PII) with minimal monetary outlay. In addition, lax standards and security measures have indirectly assisted in providing PII to those who wish to ghost or otherwise individuals or to commit some form of fraud. A common definition of identity theft – and of identity crime – is by no means established by authorities or the community at national or international forums (OECD 2008, p. 3). Direct and indirect costs – financial and other – vary according to how identity crime is defined (OECD 2008, p. 4) in each jurisdiction. Statistics, where they are gathered, are collected differently complicating effective cross-border comparisons (OECD 2008, p. 4) To provide some scope of the concept of identity theft – one scenario occurs when one person utilises personal identifiers of a second person to fraudulently or otherwise illegally obtain or access goods, services or financial benefits (Arata Jnr 2004, p. 5) or to otherwise impersonate that individual in a legal context (Vacca 2003, p. 4). The OECD (OECD 2008, p. 2) defines identity theft as when one party acquires, transfers, possesses or uses personal information of a natural or legal person in an unauthorised manner with the intent to commit, or in connection with, fraud or other crimes. From an individual’s perspective, the advent of networking websites over the past decade – whilst allowing increased social interaction globally has facilitated the ability of swift collection and aggregation of personal information, allowing an electronic ‘cloud’ of disparate information on individuals to be collected with minimal input or reference from external agencies. Page 1
  • Identity Theft and Society: How does it affect me? Introduction: What is Identity Theft? The consequence of the proliferation of information availability on individuals, government agencies and corporations, particularly in an electronic context, is to assist in the facilitation of the collection of PII by identity criminals in a surreptitious manner, enabling the criminals to conduct nefarious activities with minimal physical interaction with the target, their associates or government agencies. Identity concerning individuals can be classified into three distinct components (Mills 2007, pp. 14-18): 1. Biometric: Unique physical features distinguishable to the individual at birth; 2. Attributed: Identity components acquired at birth – including the name of child and parents, location and date of birth; and 3. Biographical: Identity components acquired over an individual’s lifetime. The U.S.-based Identity Theft Resource Centre (ITRC) categorises identity theft into four major categories: 1. Financial: The use of personal identifiers to improperly obtain goods or services; 2. Criminal: Posing as another person when apprehended for an alleged crime; 3. Cloning: Utilising personal identifiers for daily living; and 4. Business and Commercial: The utilisation of corporate identifiers to impersonate or target a specific organisation. The Australian-based Independent Commission Against Corruption (ICAC 2006, p. 15) has further defined the broader issue of identity fraud – of which identity theft is one component – as being: 1. The dishonest misrepresentation of any major aspect of identity, whether or not supported by documentation; 2. The fraudulent use of business or corporate identifiers; 3. The misuse or theft of an individual’s username or password to assume the individual’s identity on a computer system to procure information or benefits; and 4. Public officials misusing their position to: (a) Steal, alter or otherwise misuse paper or electronic records pertaining to a third person held by the agency; (b) Fraudulently create identity documents; or (c) Create or assume false identities. Page 2
  • Identity Theft and Society: How does it affect me? Introduction: What is Identity Theft? The growth of electronic networks, coupled with the availability of storage facilities to corporate and government entities, places data integrity at risk of being compromised or breached. A data breach event occurs when “an organisation’s unauthorised or unintentional exposure, disclosure or loss of sensitive personal information” (Peretti 2009, p. 377) to external entities. Those wishing to illicitly gain access or to obtain PII, a number of “traditional” methods can be utilised (OECD 2008, p. 3 Box 1; Vacca 2003, pp. 8-9) to obtain such information: 1. Dumpster Diving; 2. Pre-texting; 3. Shoulder Surfing; 4. Record Theft; 5. Theft of mail, wallets, purses containing PII or bank cards; 6. Fraudulently obtain credit reports posing as a representative with legitimate requirement for information; 7. Gather or purchase of personal information from “inside” sources; and 8. Completion of a change of address form to divert mail to another destination. Coupled with the strategies reviewed above, numerous online strategies for gathering PII have been developed with the growth of the internet and electronic networks worldwide. Such methods include (OECD 2008, p. 4): 1. Phishing: Where false identifiers of an organisation are utilised in an attempt to lure clients into disclosing PII on the fraudulent website; 2. Pharming: The use of false identifiers (similar to those used in phishing attacks) to redirect users from authentic to fraudulent sites; 3. SMiShing: Where text messaging is utilised to ‘alert’ customers to use of services being charged at a certain dollar amount per day unless service is cancelled; and 4. Spear Phishing: Originator impersonates other staff member to obtain access codes with aim to access computer system under stolen codes. The strategies outlined above allow identity criminals to collect PII and other information in a surreptitious manner, usually without the organisation or individual being aware of the intrusion until (sometimes well) after the event. The ability to conduct a “successful” operation is to mimic the target site as realistically as possible. Page 3
  • Identity Theft and Society: How does it affect me? Introduction: What is Identity Theft? Particular tactics associated with the strategies include (OECD 2008, p. 3 Box 2; Vacca 2003, pp. 8-9; Warren & Streeter 2005, p. 164): 1. Malware; 2. Spam; 3. Phishing (described above); 4. Hacking; 5. Gathering of information that users share on the internet; 6. Gain access to corporate or governmental databases that contain personal information – whether by direct hacking or through inside contacts; 7. Harvesting published data though online searches or “Who’s Who”- type publications; 8. Utilise technology to raid or hack the target’s computer to obtain the required information; and 9. Utilise deception by impersonating someone in authority to deceive the target into voluntary disclosure of information. The most high profile data breach event occurred in the United Kingdom during November 2007 when two CD-ROMs utilising minimal security measures and containing information on 7.25 million families claiming family tax benefits (comprising half of the total population) were lost via internal mail. The CD-ROMs have yet to be recovered, posing a current and ongoing threat to those families affected. A 2006 study highlights three underlying factors facilitating the success of phishing attacks (Dhamija 2006, pp. 582-583): 1. Lack of knowledge: Covering both computer systems and security indicators. Users are unaware of how various online technological aspects operate and how to distinguish between valid and forged aspects (email headers, website URL) or processes (SSL locks and placement on webpage, security certificates). 2. Visual Deception: Various attempts to mislead users via deceptive text; images masking underlying text; images mimicking or masking content or windows manipulation; and deceptive look and feel requiring users to carefully view the site to ensure validity. 3. Bounded Attention: Even if users are familiar with strategies outlined in Steps One and Two above, they can still be duped if they fail to notice the presence (or absence) of security indicators associated with a valid site. Page 4
  • Identity Theft and Society: How does it affect me? Identity Management: What is it to me? IDENTITY MANAGEMENT: WHAT IS IT TO ME? The issue of identity management for individuals, government agencies and corporations has become particularly significant since alternative methods of cash payments have been available to participants (Schreft 2007, p. 5). The occurrence of large scale data breaches has become feasible recently with the advent of electronic payment mechanisms, particularly those associated with non-bank merchants, coupled with the rise of corporate and governmental databases containing information suppliers, customers and citizens. Research conducted by Standards Australia during 2003 indicated that identity theft is becoming the most important fraud-related theft within the Australian economy and that Australian organisations are ill-prepared to detect and prevent it (QPS Major Fraud Investigative Group, p. 28). In addition, recent statistics published by various Australian security firms, the United States, United Kingdom and Australia are the top three countries susceptible to Phishing-related attacks (Bajkowski 2009, p. 34), In 1997, David Shenk documented 13 Laws of Data Smog (p. 11) that highlighted issues that concerned information overload – the “noxious muck and druck of the information age” (Shenk 1997, p. 31). The 1997 laws are: 1. Information, once rare and cherished like caviar, is now plentiful and taken for granted like potatoes; 2. Silicon chips evolve much more quickly than human genes; 3. Computers are neither human or humane; 4. Putting a computer in every classroom is like putting a power plant in every home; 5. What they sell as information technology but information anxiety; 6. Too many experts spoil the clarity; 7. All high-stim roads lead to Times Square; 8. Birds of a feather flock virtually together; 9. The electronic Town Hall allows for speedy communication and bad decision-making; 10. Equifax is watching; 11. Beware stories that dissolve all complexity; 12. On the information superhighway, most roads bypass journalists; and 13. Cyberspace breeds libertarianism. Page 5
  • Identity Theft and Society: How does it affect me? Identity Management: What is it to me? In 2009, a vox-pop survey conducted by a Queensland-based regional newspaper highlights the overall ignorance concerning identity theft across the demographic divide. Comments like “I lock my doors” (elderly male); “I have never been in that situation” (middle aged female); “It doesn’t worry me” (twenty-something male); “I don’t give details out ever” (primary school aged male); “I don’t use the internet much” (primary school aged male) and “I live in a quiet area” (elderly male) (Bundaberg News-Mail 2009, p. 5) serve to emphasize the reactive nature of some segments of the population to the non-electronic mechanics of identity theft. The 2007 ITRC study illustrates the battle that individuals have when dealing with identity crime. Even though the majority of discoveries have occurred during the first year post-incident, over ten percent of cases are discovered three years plus after the event – allowing substantial time for identity criminals to establish a ghost identity of the victim. Even the three month discovery statistics is disturbing with a five percent slippage from 2003 to 2007. The ability for individuals and law enforcement agencies to detect and track identity criminals is predicated on timely and effective proactive mechanisms from organisations and individuals themselves. Page 6
  • Identity Theft and Society: How does it affect me? Identity Management: What is it to me? USA Identity Theft 2003 to 2007 Months elapsed between first incident and victim discovery 60% 50% 40% 30% 20% Victim Percentage 10% 0% 2007 2006 2005 2004 2003 0 to 3 42.0% 33.0% 46.0% 37.5% 47.7% 4 to 6 11.0% 16.0% 11.0% 10.9% 12.0% 7 to 12 11.0% 13.0% 7.0% 13.5% 12.6% 13 to 18 13.0% 5.0% 12.0% 4.2% 8.7% 19 to 23 4.0% 8.0% 6.0% 7.8% 4.6% 24 to 36 9.0% 8.0% 5.0% 8.3% 5.2% 37 plus 11.0% 17.0% 13.0% 17.7% 9.2% Calendar Year Figure 1 - Time elapsed (months) between first incident and victim response 2003 to 2007 (ITRC 2008, p. 16 Table 8) Congressional testimony in the United States during 2000 demonstrates how debilitating and long lasting identity crime can be (Privacy Rights Clearinghouse 2000). The ability to assume someone else’s identity to fulfil a fantasy, to ‘disappear’ from society or even to conduct criminal behaviour impacts on the individual, corporations and government agencies in administrative, financial, resource and social terms. From a corporate and government agency perspective, attitudes towards information security are just as muddled. A recent independent audit conducted by the Queensland Audit Office (Passmore 2009) of eight government agencies highlighted that six had no or minimal measures to monitor network resources for unauthorised intrusions, facilitating the unauthorised access to network resources and to gather PII to go unreported. Despite the minister Robert Schwarten’s assurance that “under no circumstances under which people’s private records have been accessed”, the audit revealed that measures are not in place to ensure that PII – or broader network security – are not compromised or reported when such events occur. Page 7
  • Identity Theft and Society: How does it affect me? Identity Management: What is it to me? Several recent analyses have debunked the perception that identity crime is principally – or solely – based online. A Pronemon Institute study indicates that nine million Americans have their identity stolen annually; with some 200 million data breaches since 2005 – 85 million breaches during the first quarter of 2008 alone (Prosch 2009, p. 58). In Australia, data breaches cost some $6.3 million during 2007, averaging $197 per record compromised (Prosch 2009, p. 58) In addition, the multi-year Javelin Study on identity theft seems to supports the Pronemon Institute study, though with differing methodology. The 2007 study highlights that the majority of identity fraud being conducted through traditional mechanisms (Attorney General Department 2008, p. 10). The Identity Theft Resource Centre’s Identity Theft: The Aftermath 2007 survey (2008, p. 3) reports that the average time to resolve damage at 116 hours for existing account theft and 157.87 hours for new account theft. The Australian Bureau of Statistics published the first ever Personal Fraud analysis during June 2008. It highlighted the direct personal impact of identity theft. During the 12 months prior to the survey period (July to December 2007), the following was recorded: • 124,400 persons were identified as victims of identity theft, with males comprising 56% and females comprising 44% of victims; • The 25 to 34 age group was the highest percentage victim group (34,400 or 28%); • 16% (20,100) persons reported a financial loss associated with most recent incident • 57% reported the incident to law enforcement, financial institution or other formal entity and 43% reported the incident to some other agency. Recent media reports (Walker 2006, Anon 2005) have estimated the costs of identity crime in Australia between AUD$1 billion and AUD$4 billion annually. The United Kingdom suffers similar costs and the USA suffered a record $56.6 billion against consumers (Anonymous 2009). Worldwide, the costs are estimated at approximately US$2 trillion annually and are rising. Page 8
  • Identity Theft and Society: How does it affect me? Identity Management: What is it to me? Despite the quantity of studies and analyses available, no common legal definition of identity crime (and its components identity theft and fraud) have been agreed upon for national – or international – purposes. Consequently, effectively measuring the financial cost (both direct and indirect) to consumers, governments and corporations from an independent perspective is challenging, resulting in the confusion by the community as highlighted by the Bundaberg News-Mail May 2009 Vox-Pop survey. From a general corporate perspective, human resource departments are a high value target for the misappropriation of PII for use in identity theft (Calvasina, Calvasina & Calvasina 2006, p. 25). Recent examples of high profile data breaches highlight the complex nature of this – in the United States, companies suffering inadvertent or deliberate breaches include Time Warner, Eastman Kodak, Bank of America, Boeing, Ford and Equifax. The Time Warner breach involved approximately 600,000 PII of current and former employees being disclosed in an unauthorised manner (Calvasina, Calvasina & Calvasina 2006, p. 25). A burglary in May 2006 involving the theft of a laptop and external hard drive at a US Department of Veterans Affairs employee residence netted PII of up to 6½ million veterans. Despite agency rules prohibiting such situations, the computer equipment was at the employee’s residence (Calvasina, Calvasina & Calvasina 2006, p. 25). The current identity framework poses a risk not just to individuals, but to organisations and the broader payment system as identity theft undermines the agreed framework between participants (Schreft 2007, pp. 5-6), resulting in a migration to less efficient payment mechanisms (Schreft 2007, p. 6) or the abandonment of any form of payment mechanism. Page 9
  • Identity Theft and Society: How does it affect me? Identity Management: What is it to me? Various countries have, over the past decade, enacted identity-crime related statutes (sometimes at state, other times at national levels) in an attempt to combat this type of crime. In Australia, the New South Wales Attorney General John Hatzistergos proposed introducing identity fraud laws during July 2009 (ZDNet 2009). In addition, an offence relating to identity crime has been on the federal statute book since the mid-1990’s. In the United States of America, the passage of the Identity Theft and Assumption Deterrence Act (ITADA) of 1998 (Schreft 2007, p. 7) was one element in an attempt, at the federal level, to combat identity theft. The scope of identity theft under this act is defined as the “knowingly transfer, possession or usage of any name or number that identifies another person with the intent of committing or aiding and abetting a crime” (Schreft 2007: 7). Advocates argue that the above definition is broad enough to encompass a person’s unique identifiers including voice and finger prints. In addition, other federal statutes that combat identity theft include (Roberson 2008, pp.16-21): • Drivers Privacy Protection Act of 1994; • Customer Identification Program Rules; • Gramm-Leach-Bliley Act (Title V, 15 U.S. Code sections 6801-6809); • Fair Credit Billing Act; and • Fair and Accurate Credit Transaction Act. Despite various legislative efforts since the mid-1990s, the complexity of the USA’s government-sponsored document issuance systems is immense. As of 2003, a total of 240 different driver licence formats were in circulation and approximagtely 10,000 agencies were authorised to issue birth certificates (Sullivan 2004, p. 129). The complexity of these systems is highlighted by the United States Postal Inspection Service – between October 2002 and June 2003, a total of 2,264 arrests were made deriving from mail theft investigations (Sullivan 2004, p. 162). Page 10
  • Identity Theft and Society: How does it affect me? Identity Management: What is it to me? Other industrialised countries deal with the criminality aspect of identity crime, particularly against individuals, in various manners – however, the measures mentioned above are probably the vanguard of efforts (at national or international levels) in dealing with identity crime. One recent effort undertaken by three countries – the USA, United Kingdom and Australia – has been the promotion and development of some form of electronic-based identity or access card system ostensibly to combat identity crime and fraud against the public purse. Ignoring the rushed nature and under-funding associated with each of the systems, the continual shifting technical requirements and other technological issues involved in systems rollout and maintenance, each system (if fully implemented) would provide a “honey pot tree” for identity crime thieves to collect and collate PII from a single source, rather than from multiple sources as currently occurs. Page 11
  • Identity Theft and Society: How does it affect me? Costs of Identity Theft and Fraud COSTS OF IDENTITY THEFT AND FRAUD Calculating accurate figures relating to identity theft and fraud is challenging. A lack of accurate data, coupled with differing definitions of what constitutes an identity crime, impairs effective independent analysis of identity theft (OECD 2008, p. 3; Newman & McNally 2005, p.30; Schreft 2007, p. 13; Attorney General Department 2008, p. 9). In addition, incidents of organisational and government data breaches are occurring on an almost a daily basis (Schreft 2007, p. 14). The impact of identity crime impact in various ways on victims, including (Attorney General’s Department 2008, pp. 4-5): 1. Financial: both direct (loss of funds, costs associated with investigation and prevention of future events) and indirect (reputational loss, restoration of credit history, opportunity cost from benefit- generating activity); 2. Psychological: Trauma, stress and reduced societal interaction; 3. National Security: Crime groups utilising identity crime for people smuggling or other illicit activities; and 4. Other: Obtaining products and services not entitled to. A review of available sources indicates estimates that conservative annual costs associated with identity crime are in the tens billions of dollars (Newman & McNally 2005, p. 30). Such estimates are made additionally difficult by the differing statistical and definitional measures utilised by national (and sub national) jurisdictions in calculating the figures used (OECD 2008). Examples of individual nation-state costs include: • A 2002 UK study calculated that identity theft cost the UK economy £1.3 billion (HM Cabinet Office 2002, p. 13, Box 2.1) during 2001-2002, out of a total fraud related loss of £18.3 billion; • In Australia, it is estimated that identity fraud costs between AUD$1 billion and AUD $3 billion annually (Walker 2006, p. 88); Page 12
  • Identity Theft and Society: How does it affect me? Costs of Identity Theft and Fraud The United Kingdom’s Credit Industry Fraud Avoidance System (CIFAS) attributes that identity theft and fraud amounts to £10 million per day, whilst the Association for Payment Clearing Services calculates that credit card crime has grown from £95 million (1998) to £504 million (2005) and benefits fraud costs approximately £3 billion yearly (Mills 2007, pp. 8-9). Impacts of identity crime are not just measured in financial or economic terms. Confidence in the payments system that underpins economic activity, trust in the payment instruments that facilitate online transactions coupled with downstream costs in dealing with fraudulent activity all influence how individuals and organisations interact in the marketplace – whether in the electronic or physical environments. Page 13
  • Identity Theft and Society: How does it affect me? Possible Protection and Security Strategies CONCULSION: PROTECTION AND SECURITY STRATEGIES Individuals, corporations and government agencies all have a vested interest in ensuring identity crime is eliminated. Lost profitability, decreased taxation revenue, increased costs for consumers and amplified distrust for electronic commerce and payments platforms result from the upsurge of identity crime related incidents. Substantive proactive measures are required from all three groups to combat this issue before such distrust becomes endemic. Shenk’s 13 Laws of Data Smog (mentioned earlier in this paper) do have an influence in this environment. A Ten-Point Laws of Identity Smog can be derived to assist in the awareness of identity management for individuals, corporations and government agencies: 1. Personal information, once rare and cherished like diamonds, is now plentiful and taken for granted like sand; 2. Silicon chips evolve and adapt much more quickly than public service guidelines; 3. Placing a credit (or debit) card in every wallet is like putting a tracking device on every person; 4. What politicians sell as information security but information anxiety; 5. All high-stim roads leave lasting digital footpints; 6. The Electronic Town Hall allows for speedy communication and a wealth of data points; 7. The Prime Minister’s (or President’s) office is watching; 8. On the identity information superhighway, most roads pass through corporate databases; 9. Databases, like elephants, never forget anything; and 10. Security is as powerful as the weakest link. A range of strategies have been identified by a number of authors (Abagnale Jnr 2007, pp. 102-132; Vacca 2003, pp. 19-21; Hastings & Marcus 2006, pp. 319-323; Mitnick & Simon 2002, 2006) that would enable some form of protection for individuals in both electronic and physical attacks, including: Page 14
  • Identity Theft and Society: How does it affect me? Possible Protection and Security Strategies 1. Check credit reports regularly; 2. Keep track of billing cycles; 3. Closely examine financial statements; 4. Protect computer – physically and electronically; 5. Guard physical mail from theft; 6. Practice safe shopping – physical and electronic; 7. Invest in a shredder; 8. Be vigilant at Automated Tellers; 9. Monitor access to online banking; 10. Secure home and office environments. Many of the strategies are low cost and all are proactive, yet require constant maintenance to avoid potential slippage or misappropriation of personal information to undesirable entities or individuals. For corporations and government agencies, the challenge to safeguard PII in a highly electronic and networked environment is a more complex and intensive task from technological and personnel perspectives. Policy development covering data security; social engineering penetrations; network (both wireless and cable) security; personnel and finance form a core element of any effective deployment combating identity crime. Two of the core elements that underpin business and governmental (particularly involving the payments system) interaction with the community are trust and confidence – without these elements economic activity and interaction is impaired and becomes withdrawn, profitability slides and distrust climbs. Specific strategies for corporations and government agencies to combat identity crime are based on those for individuals, with additional focus on physical and data security, personnel selection, access rights and document security to ensure protection against possible intrusions or other inappropriate activity. One aspect of gaining intrusion in a traditional context, social engineering, has been described as “information security’s greatest weakness” (Mitnick & Simon 2006, p. 244). Page 15
  • Identity Theft and Society: How does it affect me? Possible Protection and Security Strategies Despite the funds allocated to physical infrastructure aimed at preventing intrusions, minimal effort has been directed towards the preventing the human element of intrusions (Mitnick & Simon 2006, p. 244). The UK Customs and Revenue data loss in November 2007 of two minimally encrypted compact discs containing personal identifiers of half the population brought substantive ridicule and embarrassment for the relevant minister and the agency concerned. As demonstrated in Figure 1, a small yet significant percentage of identity theft is discovered after the three year, making vigilance all the more importance. From a personnel management perspective, corporations and government agencies need to examine in detail what information is required and how it is collected and managed to discharge legal and other responsibilities to staff, clients and regulatory agencies. In addition, systemic and regular reviews of policy and practice to ensure that privacy, storage and access to sensitive information is granted only those authorised to handle such information (Calvasina, Calvasina & Calvasina 2006, p. 27). Another consideration pertains to the development of a risk management framework, particularly for organisations that operate in finance-type sector and those organisations that handle substantive quantities of personal information. The potential for reputational loss resulting from a sustained wave of identity crime could undermine confidence in the organisation and the broader payment system (Bielski 2005, p. 55). From the broader societal perspective requires a proactive, coordinated and sustained effort between government agencies, corporations, advocacy groups and individuals is needed to ensure that identity crime is contained and (ideally) eliminated. This involves a range of proactive measures from all three sectors to safeguard PII against misappropriation and inappropriate access. Page 16
  • Identity Theft and Society: How does it affect me? Possible Protection and Security Strategies Some efforts are occurring at multilateral forums – particularly at the OECD and the United Nations – in combating identity crime across international borders. Without some form of common understanding of what constitutes identity crime (in legal and common understanding contexts), the ability for the community to effectively and proactively participate in protecting their identity in an interconnected, online environment is impaired. One entity Australia currently lacks is an independent analysis and research agency dedicated to monitoring developments and to serve as an independent information clearinghouse and on identity theft. Currently there are a host of federal and state agencies (mainly policing and fair trading) offering distinct and sometimes apparent contradictory messages to the community. Page 17
  • Identity Theft and Society: How does it affect me? Reference List REFERENCE LIST Abagnale, FW 2007. Stealing your life: The ultimate identity theft prevention plan. Transworld Publishing Milsons Point Abagnale, FW 2001. The Art of the Steal: How to protect yourself and your business from fraud. Bantam Books Milsons Point Acoca, B 2008. “Online Identity Theft”. OECD Observer. Organisation for Economic Cooperation and Development no. 268, July pp. 12-13. Adams, C 2008. “No. certainty yet for identity assurance: The need for assuring identity is clear, but the path to achieving it is not”. Signal. vol. 63 no. 1 September pp. 83-86 Anonymous 2009. ‘Identity theft costs a record $56.6 billion’. Identity Theft Daily. Published 24/Feb/2009, Accessed 16/Aug/2009. Anonmyous 2005. ‘ID Theft costs Australia $2 billion a year’. The Age. Melbourne Victoria Published 3/June, viewed 18/June/2009. URL: http. ://www.theage.com.au/news/Breaking/ID-theft-costs-Australia-2b-a-year/ 2005/06/03/1117568360968.html# Arata Jnr, MJ 2004. Preventing Identity Theft for Dummies. Wiley Publishing Indiana. Attorney’s General Department March 2008. Final Report: Identity Crime. Commonwealth of Australia, Canberra. Australian Bureau of Statistics (ABS) 2007. Personal Fraud June 2007. Cat no. 4528.0 ABS Canberra Australian Communications and Media Authority (ACMA) 2009. Australia in the Digital Economy: Trust and Confidence. Commonwealth of Australia, Canberra. Bajkokowski, J 2009. ‘Being awake to zombie armies’. The Australian Financial Review. Published 11/Aug/2009 p. 34. Bavis, C and Parent, M 2007. “Data theft or loss: ten things your lawyer must tell you about handling information”. Ivey Business Journal Online. June/July Bielski, L 2005. “Will you spend to thwart ID Theft?” ABA Banking Journal. vol. 97 no. 4 pp. 54-62. Burkhalter, C and Crittenden, J. “Professional Identity Theft: What is it? Are we contributing to it? What can we do to stop it?” Contemporary Issues in Communication Science and Disorders. vol. 35, Spring pp. 89-94 Page 18
  • Identity Theft and Society: How does it affect me? Reference List Calvasina, GE; Calvasina, EJ and Calvasina, RV 2006. “Preventing employee identity fraud”. Proceedings of the Academy of Legal, Ethical and Regulatory Issues. vol. 10 no. 2 pp. 25-29. Clarke, E 2009. “How secure is your client data? 5 questions you should ask your IT professionals”. Journal of Financial Planning. Jan/Feb pp. 24-25. Dhamija, R; Tygar, JD and Hearst, M April 2006. “Why Phishing Works”. CHI Proceedings: Security. pp. 581-590. Government Accountability Office 2006. Electronic Government: Agencies face challenges in implementing the federal employee identification standard. Washington D.C. Hamadi, R. Identity Theft: What it is; How to prevent it and what to do if it happens to you. Vision. Hastings, G and Marcus, R 2006. Identity Theft Inc: A wild ride with the world’s number one identity thief. Disinformation Company New York. House of Representatives Standing Committee on Economics, Finance and Public Administration 2000. Numbers on the Run: Review of the ANAO Report no. 36 1998-99 on the management of Tax File Numbers. Parliament House, Canberra. HM Cabinet Office July 2002. Identity Fraud: A study. London Identity Theft Resource Centre. • Identity Theft: The Aftermath 2007. Published May 2008. • Identity Theft: The Aftermath 2006. Published October 2007 • Identity Theft: The Aftermath 2004. Published September 2005 • Identity Theft: The Aftermath 2003. Published September 2003 Independent Commission Against Corruption (ICAC) 2006. Protecting Identity Information and Documents: Guidelines for public service managers. Sydney New South Wales. Jakobsson, M and Myers, S (editors) 2007. Phishing and Countermeasures: Understanding the increasing problems of electronic identity theft. John Wiley & Sons New Jersey. Kendall-Raynor, P. 2008. “Identity fraud case prompts call for tougher recruitment checks”. Nursing Standard. vol. 22 no. 36 May 14-20 p. 7. Laudise, TM 2008. “Ten practical things to know about ‘sensitive’ data collection and protection”. The Computer and Internet Lawyer. vol. 25 no. 7 July pp. 26-33. Leon, JF 2008. “Top Ten Tips to combat Cybercrime”. The CPA Journal. vol. 78 no. 5 pp. 6-11 Page 19
  • Identity Theft and Society: How does it affect me? Reference List Linninger, R and Dines, RD 2005. Phishing: Cutting the identity theft line. Listerman, RA and Romesberg, J 2009. ‘Creating a culture of security is key to stopping a data breach. Are we safe yet?’ Strategic Finance. July pp. 27-33. May, DA 2005. Identity Theft. Mills, G 2007. Identity Theft: Everything you need to know to protect yourself. Summersdale Publishers. Mitnick, KD & Simon WL 2006. The Art of the Intrusion: Real stories behind the exploits of hackers, intruders and deceivers. Wiley Publishing Inc. Mitnick, KD & Simon WL 2002. The Art of the Deception. Wiley Publishing Inc. Newman, GR and McNally, MM 2005. Identity Theft Literature Review. United States Department of Justice Washington D.C. Organisation for Economic Cooperation and Developement (OECD) June 2008. Policy Guidance on Online Identity Theft. OECD Ministerial Meeting on the future of the Internet Economy Seoul. Passmore, D 2009. “Sunshine State is a hackers’ paradise”. The Sunday Mail Brisbane Queensland. Published 5/Jul/2009, viewed 5/Jul/2009. URL: http://www.news.com.au/couriermail/story/0,23739,25732782-3102,00.html Peretti, KK 2009. “Data breaches: What the underground work of ‘carding’ reveals”. Sanat Clara Computer and High-Technology Law Journal. vol. 25 no. 2 pp. 375-413. Prosch, M 2009. “Preventing Identity Theft throughout the Data Life Cycle”. Journal of Accountancy. vol. 207 no. 1 pp. 58-62 Privacy Rights Clearinghouse 2000. “Identity Theft Victim Stories: Written testimony of Michelle Brown”. Viewed 26-Mar-2007. URL: http://www.privacyrights.org/cases/victim8.htm QPS Major Fraud Investigative Group. ‘Theft by Fraud’. Queensland Police Service Police Bulletin pp. 27-30. State of Queensland (Attorney General’s Department) 2009. ‘New security paper for registry certificates’. Brisbane. Viewed 21/July/2009. URL: http://www.justice.qld.gov.au/5629.htm Roberson, C 2008. Identity Theft Investigations. Kaplan Publishing. Saunders, KM and Zucker, B August 1999. “Counteracting Identity Fraud in the Information Age: The Identity Theft and Assump. tion Deterrence Act”. International Review of Law. vol. 13 no. 2 pp. 183-192. Page 20
  • Identity Theft and Society: How does it affect me? Reference List Schreft, SL 2007. “Risks of Identity Theft: Can the market protect the payment system?” Economic Review – Federal Reserve Bank of Kansas City. vol. 92 no. 4 Fourth Quarter pp 5-40. Shenk, D 1997. Data Smog: Surviving the information glut. HarperCollins Publishers. Sokolov, AP. (editor) 2005. Identity Theft on the Rise. Nova Science Publishers Inc Stickley, J 2009. The Truth About Identity Theft. Why be me when I can be you? Pearson Education New Jersey. Sullivan, B 2004. Your Evil Twin: Behind the identity theft epidemic. Wiley Publishing USA. Swartz, N 2008. “Officials crack largest ID theft ring ever”. Information Management Journal. vol. 42 no 6 p. 18. Vacca, J.R. 2003. Identity Theft. Prentice Hall PTR USA. Walliker, A 2006. “Identity Theft soars and now costs $3 billion a year”. Sunday Hearld-Sun. Melbourne Victoria. Published 11/Jun/2006 p. 88. Warren, P. and Streeter, M 2005. Cyber Alert: How the world is under attack from a new form of crime. Vision Paperback London. Wells. JT 2009. “Mortgage Fraud: A scourge of the 21st century?” The CPA Journal. vol. 79 no. 2 February pp. 6-11. ZDNet Australia 2009. “NSW Govt seeks new ID fraud laws”. Published 13/July/2009, Viewed 14/July/2009. URL: http://www.zdnet.com.au/news/security/soa/NSW-Govt-seeks-new-ID- fraudlaws/0,130061744,339297362,00.htm Page 21