Someone to watch over me

10 Jan 2006

In the absence of hard facts a problem is just as easily downplayed as it is hyped: identity theft is a case in point. It was considered important enough to be one of the four main points of the recent Make IT Secure campaign, but the fact is that in Ireland we know something about its nature but little about its true extent.

Sean O’Connell, security consultant with CA in Ireland, has begun work on research that he hopes will contribute to raising awareness of the problem. At this early stage there’s little doubting the motivation for this type of crime. “It’s all about trying to steal money from an individual or steal the identity for another purpose such as applying for a loan or a mortgage,” he says.

A second aim of O’Connell’s research is that it may prompt some financial organisations to come forward with details on how widespread the problem is here. We know that in the US, for example, a 2004 survey by the Federal Trade Commission estimated that 27.3 million Americans had suffered some form of identity theft over the previous five years. Credit card providers are believed to lose up to US$5bn annually due to this form of fraud.

“The information’s not being published and so the consumer rights groups are not pushing banks to implement better security,” O’Connell asserts. “It’s a vicious circle.” Unlike US financial service providers that are obliged by law to disclose any security breaches, Irish banks are not compelled to do so, making it difficult to gauge the extent of the problem here.

The most recently available data available to O’Connell comes from the Irish Payment Services Organisation in 2002. Its report put the figure of €1m on the amount lost to ID theft in Ireland, equivalent to 9pc of total credit card fraud in the country at the time. According to O’Connell, there’s a lot of anecdotal evidence to suggest the sums involved are now far greater.

“Although there’s nothing specific in terms of statistics, the problem is bigger,” he said. “I can only imagine that it is up to multimillion amounts now,” O’Connell added. He cited as an example ongoing investigations by the Garda Bureau of Fraud Investigation into several cases, along with recent arrests of certain gangs, as well as the revelation that a fraudster was able to withdraw more than €20,000 from a Permanent TSB account using a falsified passport.

A related crime is to tamper with ATMs in order to steal card information and PIN codes. O’Connell says the technology to do this is very specialised and expensive, indicating that the returns from this type of fraud justify the investment for criminals.

The consequences aren’t pleasant: aside from coming to terms with a financial loss, O’Connell calculates that victims of identity theft can spend up to 300 hours trying — often with considerable difficulty — to clear their names with banks or credit agencies.

Aside from the unlucky victims, wider public awareness of the problem is another matter – according to research released for the Make IT Secure campaign (see story below), just 19pc of Irish internet users know what identity theft is. This is a problem, O’Connell believes. “In Ireland, a lot of people would not be aware of identity theft and would trust what they receive in email or through the post,” he points out.

According to O’Connell, criminals look for a range of different types of information, from the obvious such as credit, laser and ATM card numbers to telephone bills and bank account information. He points out that driving licence information is now easily obtained because many people leave this document in their cars because of the legal requirement to produce it if stopped by the gardaí.

Irish banks usually require a utility bill and a credible photo ID for applicants looking to open a new account, which in theory makes the process somewhat secure. However, O’Connell warns against easy assumptions. “All those documents are forgeable is you have enough time and know how to obtain that information,” he says. It’s not uncommon for people when moving house to forget to update service providers with their new address, so that bills may still arrive to their previous house. O’Connell says that there have been cases in the UK where people have had their identities stolen through ‘housesitting’.

In the meantime, individuals can take steps to prevent anything happening to them. People should never disclose personal information about themselves or their financial details by email, for example. O’Connell recommends that people use their own computers if buying or selling online, as it’s difficult to gauge the security of a PC in an open environment such as an internet cafe. Bank and credit card statements should be checked as soon as they arrive for any unusual transactions. These documents shouldn’t be carried around — although there’s evidence to suggest that many people do. A survey by CapitalOne found that more than five million UK citizens carry around their payslips with them, 3.5 million people their passports and three million people their bank statements.

“People are not aware of the implications. They think ‘It wouldn’t happen to me’,” O’Connell says, likening the current situation to the time when house alarms weren’t widely used. Now, as more people know of the problem, or perhaps have been burgled themselves, alarms are a standard feature in many homes. His assessment, however, is that things may get worse for some unfortunate or unwary people before things improve. “When [identity theft] starts to become more common, people will become more cagey and more aware,” he suggests.

By Gordon Smith