Report: ID Fraud Grows At Record Pace
Despite widespread awareness of cybercrime and the resulting avalanche of electronic identity theft, the issue of people having their names and accounts hijacked online continues to spiral out of control.
According to the latest version of the annual Identity Fraud Survey Report conducted by Javelin Strategy and Research -- which is based on interviews conducted with some 5,000 U.S. adults in late 2009, the number of ID theft victims in the U.S. jumped by 12 percent over the last year, a number that equates to roughly 4.9 percent of the overall population, or 11 million people having their likeness or finances misused during 2009 when extrapolated over the entire nation.
That results marks the largest increase in identity theft since Javelin first begin doing the report in 2003.
Perhaps even more staggering, the total value of the fraud carried out against these individuals rose to approximately $54 billion in losses, Javelin researchers said.
A combination of sophisticated malware programs that hide on users' machines and lay in wait to steal their data along with increasingly targeted phishing attacks that dupe people into handing over their own e-banking log-in details continues to power an entire underground economy aimed wholly at stealing such information to turn it into cold hard cash, said James Van Dyke, a longtime security industry analyst who founded Javelin and remains president at the firm.
While the growth of ID theft has risen steadily throughout roughly the last decade, the lagging worldwide economy has served to worsen the problem considerably, he said.
"Obviously this is a big increase, and we're seeing that as being linked to the tough economy; if you look at the parallels with GNP growth and decline, you see a very consistent pattern of growth in ID theft over the last few years," said Van Dyke. "People are using very sophisticated and organized methods to carry out these campaigns, with ID fraud being driven by a very complex network of events with separate people working together to empower this underground economy in a supply-chain type fashion."
More traditional payment card account fraud grew to affect some 2.76 percent of the U.S. population, compared to 2.53 percent in last year's report, however other forms of ID theft are growing much faster, Javelin contends. Among the largest areas of increased activity are checking account fraud and hijacked utility accounts, according to the survey.
This non-card fraud is often carried out via the use of malware programs and frequently takes longer to detect as e-banking providers have attempted to stem the problem most aggressively. These campaigns also often result in higher out-of-pocket losses, the researchers said. In many cases it may take as long as a year before such fraud is detected -- and the longer it takes for people to realize that their identities have been stolen, the longer it takes and more expensive it is for them to resolve the issue.
At the same time, Javelin found that the creation of e-commerce accounts using stolen information on popular online properties such as Amazon, eBay and PayPal also grew by 12 percent. Mobile telephone service accounts created using stolen identities accounted for roughly 30 percent of such activity. However, account takeovers still far outpace newly created accounts, the researchers said.
Among those being victimized most frequently are small business owners, who typically use their own names and personal accounts for business purposes. This group is suffering ID fraud at one and half times the rate of all other adults, Javelin found.
So-called Millenials, or people ages 18-24 are also being targeted widely and more successfully than their older peers. The abuse of social networking accounts is playing a large part in that case, the researchers said. These younger victims are also taking much longer to discover that their IDs have been stolen.
According to Michael Stanfield, chairman and CEO of consumer and corporate identity risk management services provider Intersections, which sponsored the Javelin report for the second year in a row, criminals have established that it is simply easier to rip off individual consumers versus trying to attack businesses themselves.
This won't change unless end users and businesses such as banks find new ways to interdict the ongoing wave of ID theft activities and somehow slow down the underground economy behind the issue.
"Attackers in Eastern Europe are selling ID-thieving malware programs with guarantees attached to them, they can promise their customers a certain level of effectiveness, and that's a sign that they have no fear of being stopped," Stanfield said. "And people can't depend on international police cooperation to stop this from happening, that simply hasn't happened, so, they need to try to deploy methods that help them stop it at home."
Along with incorporating smarter usage habits such as avoiding unknown sites and changing their passwords, people need to move beyond simple AV programs and utilize more advanced ID theft monitoring tools, the executive said.
"Most people still believe that if they have AV on their computer that's a viable solution, but it's not comprehensive enough to stop today's advanced attacks," said Stanfield. "That leaves too much exposure to zero day attacks, phishing and key loggers because most AV programs don't address any of that. Until more people are informed of this issue and educated as to how to better protect themselves, this whole problem will not slow down."
Follow eWeek Security Watch on Twitter at: eWeekSecWatch.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.