Identity theft is running at “epidemic” levels in the UK, fraud prevention service Cifas has glumly announced.
Ever the bearer of bad news, the organisation has been saying the same thing for years. Since 2008 (when ID fraud fell after the credit crunch), reporting of the problem by Cifas’s 360 members across banking and financial services rose steadily from 77,000 cases in 2009 to 173,000 in 2016.
In the first six month of 2017, the figure reached 89,000, which implies a rise of around 9% for this year as a whole, or 500 individual identities stolen every single day in a crime that now makes up half of all fraud. Should ID theft breach 200,000 in 2018, nobody will be surprised.
If a bad thing keeps getting worse, it’s probably worth asking why. A clue comes in the breakdown of the individual fraud types that make up ID theft as a whole.
It’s noticeable that the two biggest – opening bank accounts or applying for credit cards in someone’s name – have fallen.
In the first six months of 2017, card fraud fell 12% to 30,000 compared to the same period in 2016, while bank account fraud fell 14% to 25,000.
Meanwhile, other types of fraud boomed spectacularly, with fraudulent loans rising 54% to 11,500 cases, telecoms fraud up 61% to 9,000, and online retail up 56% to 5,000.
The odd crime of taking out insurance in someone’s name went from only 20 cases to more than 2,000, apparently because it is a simple way of accessing personal data to fuel more serious ID theft crimes.
These are amazing rises in mere months and suggest that as security becomes more stringent in one area, criminals shift attention to less well-defended parts of the system.
A second depressing conclusion is that ID theft is inextricably linked to the rise of online commerce, whose rapid growth it neatly tracks. If so, ID theft it will continue to grow as this channel expands further.
Cifas is an organisation that represents the financial services industry so, naturally, it wants consumers to carry the can by paying attention to the amount of personal information they share online. Comments chief executive Simon Dukes:
These frauds are taking place almost exclusively online. The vast amounts of personal data that is available either online or through data breaches is only making it easier for the fraudster.
That’s not bad advice, but being cagey about one’s name, dates of birth and addresses isn’t easy in an online world that constantly demands this stuff even for relatively trivial services.
The deeper problem is that the online world depends on a notion of identity so crocked it would make the Victorians wince. It was bad enough when the world depended on birth certificates, passports and diving licences – these days, some online systems can be beaten simply by feeding them an individual’s personal data points.
Sounds far-fetched? Try applying for online credit and see how few checks are carried out in many cases.
Personal data is not identity and yet, too often today, it is taken to be. The financial services industry, for its part, is addicted to the flawed system of credit reports, ironically one of the first ways ID theft victims end up being “punished” for behaviour conducted in their name.
What to do – and not do
Be cagey about personal data on social media. Mentioning addresses, dates of birth and mobile numbers is now extremely risky. Profile pages are where criminals start.
Treat any online accounts containing personal data as precious. This means using decent passwords and every available security measure from multi-factor authentication to security software. And remember that dictionary attacks can beat a lot of apparently good passwords if they use common patterns of words or character substitutions.
UK citizens have a statutory right to see a copy of their credit report for a £2 ($3.50) fee. This might be worth checking annually for unusual activity.
If you’re contacted about a service you think borrowed your identity, contact your bank first rather than arguing about it with the company involved. Do not delay.
anon
Credit score punishment as the first reaction by financial institutions in reaction to identity theft fall-out is no coincident, and that sort of irony should always be looked upon with suspiscion. Higher interest rates benefit the very companies charged with protecting our data.
Here are some more tips:
– Maintain the minimum number of online accounts you can tolerate. Be deliberate and frugal.
– Choose your online vendors very carefully. The more resources they have to combat fraud, including deep pockets, the safer you are.
– Clearly define personal data that will uniquely identify you to your accounts, cash, and other assets (e.g., name, birthday, last four digits of any id or account number, vacation plans, home address, names of financial institions, and online vendor sites) and start acting like it matters.
Lucky for our generation that life does not depend on computers yet. Eventually everything will be connected whether you intended it or not. Don’t ever take this for granted. Start holding others accountable for your identity!
delayedthoughtengineering
This is another area of online life where a password management software package gives me tools to help protect myself.
Many of the popular password managers have “notes” fields, which end up just as encrypted in the password vault as the passwords, and can contain any number of helpful facts and non-facts, like alternate dates of birth, a fake answer for “Who was your teacher in second grade” and so on. Plus, you can always use a password generator to generate a nonsense answer to one of those “security questions”.
Double points if you have to talk to someone on the phone and they ask that security question.
John E Dunn
An excellent suggestion (answering security questions with a random string) – well reminded.
Rick
Although I’m not old enough to have lived in that era, I can certainly commiserate with those who had to produce a diving licence to establish their identity. ;-)