Over 15 million people in the US were burned by some kind of fraud related to identity theft last year said Avivah Litan, a Gartner analyst, adding that the outlook for identity theft is bad across the board. That number is 50 per cent higher than 2003 data released by the Federal Trade Commission.
Other figures from Litan's study were equally downbeat. The average identity theft fraud loss more than doubled in 2006 to $3,257 (£1,684) from $1,408 (£728) the year before, while the percentage of recovered funds dropped to 61 per cent in 2006 from 87 per cent in 2005. The average loss on new-account fraud – where criminals use the data they've stolen to open new credit card or bank accounts – was $5,962 (£3,083) in 2006, a jump of 223 per cent over 2005's $2,678 (£1,384). Unauthorised charges to credit cards leaped nearly fourfold, to an average last year of $2,550 (£1,319). Unauthorised charges in 2005 averaged just $734 (£380).
"What's useful here are the trends; the numbers can never be exact," Litan said. "The only good news, and it's not much, is for banks. They're less on the hook than before. They're not getting attacked directly as much now."
That's because criminals are increasingly turning to unconventional identity theft ploys rather than tackling the banks themselves. Financial institutions have, at least in the cases of large banks, fortified their data. "Hackers are exploiting internet auctions, money transfers like Western Union and PayPal, the ability to impersonate lottery and sweepstake contests and other types of imaginative scams," said Litan. "They're going after the weakest links, the consumers using social engineering tactics and the US's payment systems at retail and businesses."
Of those surveyed who knew or suspected the causes of the identity theft, data breaches led the charge with 15 per cent. "Banks eat the fraud there," at least for now, said Litan. A Massachusetts state lawmaker, however, has proposed a bill that would hold retailers financially responsible for breaches.
Litan scoffed at the idea. "The retailers are already paying for fraud" in the form of higher interchange charges, she said. "The banks are already collecting this. What are they doing with it?"
In fact, Litan didn't hold out a lot of hope for change, at least in the short run. "Identity thieves have gotten more clever," she said. "The only way this will be solved is if the data is rendered useless if it's stolen. Then it won't matter if they steal it." She offered up examples of how that might be done, including more sophisticated authentication on debit cards and payment processors relying on identity scoring systems that were able to spot thieves using indicators like physical location.
"But I really think that it will take an extreme attack of some kind and broad disruption before things change," Litan said. When asked what form such an attack might take, she put forward a pair of scenarios.
"We know [that criminals and cyberterrorists] are collecting tens of millions of records, maybe as many as 100 million. They might just publish them all on the internet. Or a massive attack on banks, a massive number of bank account takeovers all at once," she said. "Simultaneous attacks like that would slow commerce down. It would be a kind of financial 9/11."