Identity theft is big business. Now, we’re finding out exactly how big. The FTC estimates that as many as 9 million of us have our identity stolen each year. It’s topped the list of consumer complaints filed with the agency for the past 12 years running, garnering about 15% of all complaints. And new research from ID Analytics shows that there are roughly 10,000 identity theft rings in the United States involved in this fast-growing illegal enterprise.
ID Analytics’ ID:A Labs looked at more than a billion applications for bank cards, store credit cards and wireless service over a nearly four-year period. Its algorithm detected the presence of identity thieves by looking for discrepancies in personal information or constantly-changing addresses, red flags that indicate fraud.
Some geographic areas have higher concentrations of identity thieves. The most popular “home base” states for crooks are Alabama, the Carolinas, Delaware, Georgia, Mississippi and Texas. “There appears to be a ‘belt of fraud’ that runs through the rural Southeast, extending from Virginia to Mississippi, with significant activity in the Carolinas, Georgia, Florida and Alabama,” the report says.
While “rings” can consist of as few as two people coordinating their efforts to steal people’s identity, some are much larger. The study finds that a surprising number of fraud rings consist of families working together.
(MORE: Here’s How Your Identity Will Be Stolen: The Top 10 Scams)
ID Analytics classifies a few different kinds of identity theft: The first is a lost or stolen account. While this is a headache for the victim, closing the account usually takes care of the issue since the crook can’t pretend to be you in another forum. It’s like a benign tumor: It’s still bad news, but it doesn’t spread to other areas.
Then there’s straightforward identity theft, when a crook appropriates a victim’s personal information — name, Social Security number, birthday, and so on. This is what happened to author Rick Moody.
As he explained to TIME, untangling the real you from a criminal’s impersonation, especially in today’s digital age, can be a Kafkaesque exercise in frustration.
Third, some criminals will make up or steal information from various sources and mash it up to basically invent a new, fake identity. This can be a big headache for people if their real name, address, or Social Security number, or credit history is linked with the fraudster’s activity in credit databases.
Finally, there’s identity manipulation, which involves someone changing their own personal information. This is usually done either to hide past credit or criminal infractions, or to get access to benefits to which they’re not actually entitled. Wireless services are the most popular target for identity thieves, the study says. The increased portability of phone numbers and accounts have made wireless appealing to crooks for a few years now. In 2009,
authorities busted an eight-person ring that perpetuated a massive $22 million identity theft scam against AT&T and T-Mobile.
“Cellphone use is escalating and, most likely, so will the number of related identity-theft complaints. In addition, technology-savvy criminals will continue to develop new cellphone scams that we’ll have to confront,” Robert E. Holtfreter
wrote in Fraud magazineearlier this year.Store credit cards and bank cards are also popular — there’s big money to be made, and the migration of banking and financial transactions to the digital space gives computer-savvy crooks the way to break in as well as the anonymity they need to impersonate someone else. Holtfreter predicts that the growing use of smartphones for financial transaction will lead to an increase and a merging of these two targets for identity thieves.
ID Analytics says another popular trend is stealing the identities of dead people. “Fraudsters gather personal information from people whom they know are deceased and use that information to open new credit card accounts and make purchases. When when the bill comes due, there is no responsible party,” the report says. Earlier research found that 2.5 million dead people get their identities stolen every year — giving a whole new meaning to “grave robbing.”
Impersonating the dead is pretty brazen, but even single-account identity thieves are getting bolder and more disruptive. Payments middleman Global Payments suffered a data breach earlier this year that cost more than $84 million to clean up — and those thieves didn’t even get people’s names, addresses, or Social Security numbers.Last month, Barnes & Noble suffered a breach in which hackers wormed their way into 63 stores across nine states. What was unusual about this case wasn’t just the size, but how they pulled it off. Crooks tampered with the terminals where customers swipe their card and enter a PIN. Al Pascual, an security analyst at Javelin Strategy & Research called tampering with terminals “one of the most serious threats” to the payments industry.
The appeal for the bad guys is obvious: With a PIN, they don’t have to go through the hassle of buying stuff, sending it to a fake address, and then turning around and selling it. They can just hit the ATM and withdraw somebody else’s cash, then go on their way. “PINs are the Holy Grail,” Jeff Hall, director of Technology Risk Management Services at consultancy McGladrey,
told USA Today. “If it’s a debit card, you can cash in up to the limit on the ATM.”