Big ID Thefts Not To Be Feared

goldseries writes "A new study released by ID Analytics says that only about 1 out of every 1000 stolen identities are actually used, due to the amount of time it takes to use the identity, limiting a single thief to 250 identities a year. The likelihood that your information will be used increases drastically when the size a the theft is small. So size does not matter, in identity thefts at least; the identity thefts you need to worry about aren't the big ones heard on the news but the small unreported ones." From the article: "While the findings will provide some comfort to consumers whose credit cards are lost or lifted, or whose sensitive information is compromised when, for instance, a laptop is stolen, as recently happened at Chicago-based Boeing, some of ID Analytics' suggestions could be controversial. The company suggests, for instance, that companies shouldn't always notify consumers of data breaches because they may be unnecessarily alarming people who stand little chance of being victimized."

Of Course You Should Inform Them!

[SeanDuggan]

Unless the companies who lost the information are willing to be liable for any and all damages caused by the identity theft, not limitted to damaged credit ratings, credibility damage, and all monetary losses, they should definitely inform consumers. That would be like not informing people of airplane safety measures "because very few planes actually crash."

Not in the hospital setting

[PIPBoy3000]

I work for a healthcare organization and one of the applications I support is this system for merging multiple medical records into a single one. We have a team of people whose sole purpose is to take multiple accounts and turn them into one. This extra accounts can be created accidentally, such as when a Jane Doe comes into the ER and their identity is later established. It can happen on accident, such as when a registration person creates a new account instead of finding the old one.

In the last couple years, identity theft and identity fraud have resulted in huge inputs to the system. Where we once had to merge up to three identities, the system now supports merging up to ten. What happens is that a single individual will steal a bunch of different identities and then use them all, typically to get drugs.

So, while the risk of your credit card being stolen and used may be low in certain cases, don't lose your other "proof of identity" stuff: driver's licenses, insurance cards, and your social security number.

Only 250? Thank God crime isn't organized.

[shotgunefx]

These people are idiots. All it would take is a little organization to increase the efficiency.

Of course with a larger number of potential victims, fewer percentage-wise will be hit. But they also contradict themselves.

They say...

ID Analytics said it discovered that identity thieves have a hard time using a stolen credit cards to hijack the identity of cardholders. That's because the cards are usually quickly canceled and because piecing together an identity based on the information on the card is hard work. Not one of the card breaches it studied resulted in a subsequent identity takeover.

Now if credit card companies don't report it, who says the cards will be canceled?

I can't remember which company it was, but I remember a breach a couple years ago, the initial numbers where in the tens of thousands, after the FBI got involved the true number was over a million IIRC.

They should never be able to hide their culpability. If they can, they will always minimize their liability.

Re:Nice whitewash...

[BushCheney08]

Have you ever been the victim of identity theft? I have. They essentially have you "prove" that you did not open a line of credit somewhere. The full burdon of proof is on you for something that you had nothing to do with.

I'm more worried about accidental mistakes

[Anonymous Brave Guy]

I'm not, personally, too worried about having my identity deliberately stolen. I take reasonable precautions, and key places like banks and employers tend to be wise to obvious and seriously damaging identity theft and how to deal with it these days. Relative to the odds of it happening, I have more serious things to worry about...

...like incompetence, for example. All it took was one government staffer mistyping my NI number (roughly the UK equivalent of a US SSN) into a database, out of probably thousands they typed that day, and my whole tax/NI contribution record was messed up. It took me months to clear it up, calling round several tax offices, and out of pocket by hundreds of pounds in the meantime. (At the time, I had just started my first job, and could barely afford the rent as it was, so that was a very serious position to be in.)

The thing that was scary was that this is supposed to be systemically "impossible". (I think that just means there's a check digit in the number, and they have to fluke that being consistent when they mistype it...) That means they don't bother telling you about it (even though their database had me working in two different full time jobs on opposite sides of the country!), so the first I heard of it was when my employer deducted more from my pay for tax than usual, as they are legally required to do on receiving notice from the tax office.

Worse, there weren't any serious systems in place to deal with the problem. The first several government people I spoke to on the phone wouldn't even talk to me, because I couldn't tell them the name of my employer or my address. Or rather, I couldn't tell them the name of the other guy's employer and his address, since it turned out they'd somehow merged part of my record with someone else's because of the incorrect ID. I only got through in the end by convincing one of the staffers to listen to my explanation and tell me what I could do, and between us we figured out what must have happened and who I needed to contact to get it fixed.

This bothers me far more than a malicious ID theft, because (a) it's the tax man, who is basically immune to any sort of useful legal action in this sort of situation; (b) it's probably far more common, because thousands of people get processed by these operators every day; and (c) there obviously aren't sufficient checks and safeguards in the system to even identify a clearly inconsistent database entry and flag it for checking by a real person, never mind a proper mechanism for me to get the situation resolved quickly and effectively.

Given that the problems are much the same here as for a minor identity theft, except that you don't have the normal legal avenues available to you to pursue the culprit and it's probably a lot more common, I'd say that makes unintended human error a much bigger danger than ID theft with criminal intent, at least until they tighten up key systems in governments, banks, credit agencies, etc.

Re:Not in the hospital setting

[Equuleus42]

This happened to me a few months ago -- I had a couple visits to the physical therapist and then started receiving bills for numerous drugs that I had no clue about. I had to call, write letters and complain to the hospital billing department for six months for them to fix it. The crazy part is that they didn't know how it happened, they just claimed that it was fixed...

Do you know anything more about this sort of medical identify theft? If so, please reply to this or email me at i_love_junk_email@yahoo.com [mailto].

Re:Nice whitewash...

[Anonymous Coward]

I won't seek to do business with a company with a poor track-record of safeguarding my identity.

And where exactly do you find a company's track record for safeguarding data?

Re:Of Course You Should Inform Them!

[Anonymous Coward]

Rivers lakes?

Date: 13 January 1982
Airline: Air Florida
Flight No.: 90
Aircraft: B737-222
Location: Washington, DC
Fatalities: 74:79+5

http://www.airdisaster.com/photos/af90/photo.shtml [airdisaster.com]