This study explores the problem of the ever escalating incidence of identity theft in scope
and scale, evolving into identity fraud undertaken by organised crime for the purpose of creating
all the false documents necessary to create a false identity for illegal persons. The study is
particularly focused on the extent to which the development of the internet, and online shopping
and social media, have contributed a host of new situations in which identity theft can occur. In
order to examine the problem, and offer some preventive solutions to the problem, and in lieu of
the weaknesses in the current paradigm utilizing red flag rules, breach notification laws, and
characterized by lack of law enforcement prioritization and punishment for this type of crime,
23
routine activities theory which argues that situations engender crime, and not innate
characteristics in persons involved. RAT is utilized to frame a battery of questions asked of
offender identity thieves, victims of identity theft, as well as stakeholders in law enforcement, in
order to determine their perceptions on why identity theft as a crime continues to grow. At
present, it appears, according to routine activities theory, that the situations in which the crime
takes place, both offline and online, are characterized by high offender motivation (and only
getting higher because the higher pay-off in more sophisticated uses of stolen personal data),
high target suitability (characterized by careless consumer behaviour with regard to personal data
both offline and online) and low guardianship (characterized by relative lack of concern about or
inability to respond effectively to identity theft). It is the hypothesis of this study that if the
situation of identity theft could be changed through a combination of preventive, prosecution and
deterrent action to one characterized by low offender motivation, low target suitability and high
presence of guardianship, law enforcement could contribute much to stemming the rising tide
and even epidemic and viral nature of identity theft as it sweeps through the criminal world and
24
CHAPTER 2: Literature Review
(a) Introduction
This literature review was drawn from a search of the following EBSCO databases:
Academic Search Premier and MasterFILE Premier, utilizing keywords such as identity theft,
identity fraud, phishing and dumpster diving. The results of the review will be compared to the
public record of recent legislation regarding identity fraud, police records and interviews with
investigators specializing in identity theft in various police departments, police officials, and
impacted stakeholders such as CEO’s of credit card companies, identity theft offenders and
identity theft victims. The review establishes that identity theft, a relatively new crime, has
soared in recent years, with the internet becoming, either ultimately or exclusively, the primary
site and most important enabler of this new kind of crime. While credit card fraud and laptop
theft are occasions for a considerable amount of identity theft, it is also true that the quick
development of ever more sophisticated hacking and phishing techniques by hackers online,
combined with exponential growth in online shopping and use of social networking sites, has
relocated the focus of identity theft to the internet (Bronk, 2008; Giles, 2010). Therefore, the
review focuses attention not only on how personal data is originally stolen but also on the extent
and type of identity fraud which is committed by way of the Internet. When it comes to the
response by law enforcement to identity theft crime, while it would seem that laptop or credit
card theft could be responded to in ways that fit into pre-existing paradigms for combating theft
generally, the novelty of internet crime has placed law enforcement in a defensive position
(Burdon, 2011; Coats, 2008; Glithero, 2009; Winn, 2010). Moreover, the evolution of the
25
specialists who believe that the ever more sophisticated tools used for identity theft can only be
met by technical development of more tools to combat the crime, in essence, engaging in a kind
of technological warfare or arms race on the world wide web. The review finds that while the
technological response paradigm is strong, government response has been less robust.
Government response, through legislation, appears to be split over how to respond to identity
theft, with some calling for the creation of rules that companies must, by law, enforce themselves,
so-called red flag rules, and others arguing that these rules are too easily superseded by advances
in crime and that more general field-wide standards are the best approach (Bose & Leung, 2009).
The self-policing and employee-awareness focus of the red flag rule paradigm in particular,
however, has much in common, in its approach to crime, to preventive models of crime response
in policing. Indeed, the review proceeds to consider how, if most of the focus in identity theft
prevention is on red flag rules, industry standards or improved technological response, exactly
law enforcement can help combat identity theft.
Using the theoretical model of situational crime prevention, which includes the routine
activities theory of crime reduction, the review demonstrates the efficacy of both models in
reducing crime, especially theft (Boetig, 2006; Groff, 2008; Miethe & Sousa, 2010). By
outlining the principles of the situational crime prevention model, moreover, the similarity
between its methods and the language used by proponents of red flag rules, with the focus on
consumer awareness training and reduction of the opportunity for crime, is made clear. The
review finally turns to case studies of law enforcement efforts to respond to identity theft
(Mensch & Wilkie, 2011; Ramsey & Venkatesan, 2010; Reyns, 2010). Though at present this
remains an understudied area, a few researchers have, in fact, explicitly done some theoretical
26
framework specifically to identity theft, and also to identity theft online. Here, as in other
paradigms, consumer awareness training, removing opportunities for crime and increasing the
guardianship role of either controllers or super controllers (which would encompass industry
standards as well as legislative response) would reduce crime. To help all stakeholders embrace
a culture-based preventive approach to reducing identity theft, as opposed to getting involved in
what at times seems like a hopeless arms race against technological-based theft, law enforcement
therefore has a strong advisory, consultant and even investigatory role in preventing identity theft.
In sum, this literature review will provide an overview of research literature to date
focusing on the research questions which are the focus of the study. First, the review will
examine efforts to identify identity theft, and the dimension of its incidence in recent years
through statistics and analysis of the trends and patterns of identity theft crime. Second, the
review will address the issue of how the growth of identity theft has been facilitated by
technology and the expansion of cyberspace, bringing identity theft criminals in more routine
opportunistic contact with the general public. Third, the identity of identity thieves, fraudsters or
scammers will be reviewed, as will the means by which these individuals were able to acquire
the skills needed to commit identity theft. Fourth, the review will examine research concerning
the various mechanisms employed by fraudulent individuals in order to commit their crimes,
with attention paid as well to offender motivation, the organizational qualities of the work, and
the degree to which identity theft supports or is supported by other criminal activity. In this
study, the mechanisms will be limited to fraudulent use of credit cards, debit cards, bank
accounts, personal information for obtaining loans, with regard to criminals; as well as the nature
of the occurrence of the actions (separately or concurrently), the quickness of discovery, how the
27
accounts), and other negative consequences of the crime. Finally, the review will study the
impact of the criminal justice system in the United States on the volume and rate of identity theft,
what the branches of government, as well as the criminal justice system, have done to address
identity theft and the challenges the system continues to face in its efforts to stem the rising tide
of identity theft. All of these concerns are directly related to the research questions underlying
this research project, by way of testing the efficacy of applying routine activities theory to the
prevention of identity theft today.
(i) Statistics, Trends and Patterns of Identity Theft at Present
According to a recent survey, in February, 2011, there were 8.1 million identity theft
fraud victims in the U.S. with the crimes amounting to $37 billion in losses. While out-of-pocket
losses to victims of identity theft remain limited, they rose from $387 per victim in 2009 to $631
per victim in 2011, an increase of 63% (Curtis, 2011). There is evidence that identity theft rates
began to accelerate in about 2005 (Jefson, 2007). From 2005 to 2007, 255,565 people in the U.S.
were victims of identity theft. At that time, the most prominent type of identity theft was credit
card fraud. It is likely that the rapid escalation of identity theft fraud created a gap between a
crime wave and law enforcement, as it would appear that, insofar as 61% of victims failed to
notify police departments of the crime, victims themselves were unsure of what crime had been
committed against them. In 2008, a then record-setting 275,284 complaints of identity theft were
reported by the FBI Internet Crime Complaint Center (Wagner, 2009). The cost to consumers or
companies of fraud has increased from $68 million per year in 2004 to $265 million per year in
2008 (Wagner, 2009). The fact that 29% of victims of identity theft are between the ages of 18
28
Internet use and need to be instructed on the nature of identity theft. Indeed, Jefson (2007)
argued that more consumer education on the nature, causes, ways and growth of identity theft
may be required as a fundamental approach for reducing consumer exposure to the crime.
Listerman & Romesberg (2009) further broke down the profile of which types of
companies are targets of identity theft. In the context of a 400% increase in identity theft
between 2005 and 2008, Listerman & Romesberg (2009) found that businesses generally
experienced the most incidents of theft (240), educational institutions came next (131), the
military and government experienced 110 incidents, while medical settings had 97 and financial
78 breaches of security. As a result of this growth, a number of federal laws that impose
penalties for the mishandling of personal information were drafted, and most laws apply to small
as well as large companies. Listerman & Romesberg (2009) also found that incidents of identity
theft negatively impacted company-customer relations, with one study finding that if a company
reported an identity theft incident it might well expect to lose 20% of business outright, 40% of
clients will have questions about their services and 5% may sue the company. Indeed, this kind
of figure may in fact make companies unwilling to abide by red flag rules which mandate that
incidents of theft be reported to consumers.
(ii) How did Identity Theft Evolve as Technology and Cyberspace Became Readily Available to the General Public?
Berg (2006) found that identity crime evolved quickly, once technology became involved,
as technology allowed criminals to perform new and more complex forms of fraud. The theory
of the three phrases of technology-enabled impacts argues that there are, online, ordinary,
adaptive and new crime, with ordinary crime defined as well-known types of crimes, adaptive
29
new crimes which “are typically not well-understood and involve radically innovative use of
technology to commit” (Berg, 2006, p. 10). With new crimes in particular, law enforcement
struggles to understand the crime and keep up with ever newer innovations. These new crimes
put law enforcement at a disadvantage while they struggle to understand the “new crime” and
also to keep pace with newer innovations. One may conclude that “new crime” may also be
defined by the fact that the policy lag enables this occurrence. Even though law enforcement
efforts were on the cutting edge, the bureaucracy and policy developers were slow in
implementing those innovations. Adding to the complexity of Internet crime is that some victims
do not see themselves as such, or even know they have been victimized, often making these
crimes classifiable as victimless. As a result, file sharing, downloading mp3 files and other illicit
activities online are not viewed as criminal because they are victimless. Victim precipitation
theory, however, argues that the victim was somehow responsible for the crime, by behaving in a
way that created an opportunity for the crime, and shoring up victim behaviour has been one
approach to combat Internet crime. By contrast, lifestyle exposure theory argues that contrasts in
lifestyle can open persons up to criminal victimization. Finally, routine activities theory argues
that “structural changes in routine activity patterns influence crime rates by affecting the
convergence in time and space of three elements of direct-contact predatory crimes: motivated
offenders, suitable targets and the absence of capable guardians against a violation” (Berg, 2006,
p. 18). On the internet, the routine activity would be any number of habits in surfing or emailing,
and the opportunity created by unsecure habits in doing so, but guardians can be provided in
various ways, through access control lists or other means. Also, routine activities theory has
been utilized to explain how everyday real-world crime can contribute to identity theft, in, for
30
may also, according to the theory, prevent recurrence, as the victims may change their behaviour
by using anti-virus software or shredding documents, or not giving out their Social Security
numbers. Indeed, the primary forms of identity theft involve credit card theft and electronic
banking fraud, illegal use of Social Security numbers, misuse of ATM’s, all of which developed
alongside of technological developments in the banking industry. The expansion of the use of
various pieces of personal information over time has also contributed to criminal opportunity.
The Social Security number was first instituted in the United States in1935 to keep track
of funds to be directed back at workers upon retirement, and originally intended to be only used
in the Social Security Administration. In the 1960s, however, it began to be adopted as a basic
unit of ID for federal employees, taxpayer identification with the IRS, Medicare, Veterans
Administration admissions, and bank records. Here, too, then, online identity theft using SSNs is
the result of an opportunity created by a long-term expansion of the use of the number for ID
purposes, possibly undermining the original security of the number. Some 26% of ID theft
entails credit card fraud, 18% unauthorized phone use, and 17% bank fraud.
(b) Moving Toward the Internet
Most of the gain in the amount of identity theft is attributable to the internet becoming the
primary and increasingly dangerous site of identity theft. The proliferation of malware is getting
worse, worrying experts. Information Week (2009) reported that in the first half of 2009, for
example, the number of fake anti virus programs being utilized on the Internet to extract personal
user information had increased by 585%. The number of so-called banking Trojans, moreover,
31
same time. One commentator therefore asserted that “the Internet has never been more
dangerous” (Information Week, p. 1). So prevalent is identity theft that Information Week (2009)
also identified its world as “the identity theft underground,” a whole sector of the Internet where
the number of malware programs designed to steal personal information has risen 600% in recent
years (p. 1). The fact that a number of the newer malicious software or malware, such as the
Zeus Trojan, designed to steal passwords and user names, are more sophisticated than ever, and
have also challenged science information experts. Another of these programs, the URL zone
Trojan has anti-forensic techniques in it that conceals that it is looting data by issuing false bank
reports to users to cover the fraudulent transaction. This then would undermine the breach
notification reporting approach to preventing identity theft, as the user would have little sense
that they have in fact been hacked. Many criminals are also making use of the Plucky cybernetic
tool kit to compromise legitimate web sites, in effect turning detection software against itself.
One gang made use of the program to attract 90,000 visitors to their false site, 7.5% of which
provided data and were infected, allowing them to make over $400,000 in 22 days. In 2009,
moreover, 66% of all companies reported at least some infection of computers by malware, and
54% of all computers also are infected. While acknowledging that the tech industry responses to
these advances are equal to the task in many ways, Information Week (2009, p.2) commented
nonetheless that “no doubt there’s more to be done.” The urgent need for reform is reinforced by
findings from consumer polls that 66% of U.S. adults worry frequently about the danger of
identity theft, representing more concern over this issue than worry about having their car stolen
or their home broken into (Saad, 2009).
32
Some experts speculate at convergences in areas of crime leading to rise in malware on
the web. For example, one expert argued that “the global economic downturn and the thriving
black market for credit and debit card numbers and online account information is driving the
creation of so much identity stealing malware” (Information Week, 2009, p. 1). The fact that
malware can also be transmitted through Facebook and Twitter has contributed to the rise of
malware on the web. One detection company reported receiving reports of new malware,
ranging from viruses to Trojans, being launched at a pace of 35,000 per day. Trojan programs
stealing bank information constitute 71% of that total, an increase of 51% since 2007, and
strongly indicating that banks are one of the primary targets of identity theft criminals. Moreover,
in addition to stealing identity by spoofing online bank sites, spoofing of PayPal, Amazon and
eBay is also on the rise. Malware also appears to be generally shifting its focus from email to
social media sites. Reporting on a case where Alberto Gonzalez was successfully prosecuted for
hacking a corporate computer and stealing more than 130 million credit and debit card numbers,
it remains questionable whether or not this kind of prosecution will be able to stem the rising tide