Identity and Internet Crimes: Trends, Methods, and Mitigation

The Rise of Identity and Internet Crimes

Emergence and Growth of Identity Crimes

• Identity crime has become a primary public and law enforcement concern, mirroring the general growth in computer crimes over several decades.

• The exponential growth in identity theft is largely attributed to new opportunities created by technological and commercial advancements.

• This has led to an alarming rise in the fraudulent use of personal information like Social Security numbers, dates of birth, and credit card numbers for personal gain.

• Law enforcement agencies have been forced to redirect scarce resources to mitigate this threat.

Trends and Statistics (Congressional Research Service Report)

• The number of identity theft complaints peaked during 2007 and 2008.

• Complaints decreased in both 2009 and 2010.

• Despite the decrease, identity theft remains the most frequent type of consumer fraud complaint.

• In 2010, approximately $8.1 \text{ million}$ Americans were victims of identity fraud.

• The average victim suffered a mean loss of $631</strong> from these crimes.</p></li><li><p>A more troubling trend is the continued increase in <strong>aggravated identity theft cases</strong> relative to the total number of identity crimes.</p></li></ul><h4 id="7d644ed0-deb2-4d88-a4a9-95ecc26cc897" data-toc-id="7d644ed0-deb2-4d88-a4a9-95ecc26cc897" collapsed="false" seolevelmigrated="true">The Role of Social Security Numbers (SSNs)</h4><ul><li><p>The increasing use of SSNs as personal identifiers contributes to these trends.</p></li><li><p>Decades ago, SSNs were rarely referred to by those under retirement age.</p></li><li><p>Now, SSNs are used for a wide range of business transactions, particularly for <strong>opening new lines of personal credit</strong>.</p></li><li><p>Their use extends beyond credit transactions to include medical records, motor vehicle driver’s licenses, and educational and employment records.</p></li><li><p>Some car dealers even request SSNs before a test drive.</p></li><li><p><strong>Theft opportunities increase directly with the frequency</strong> consumers are required to use SSNs by commercial and governmental enterprises.</p></li><li><p>Policymakers are exploring options, including legislation, to <strong>reduce the use of SSNs by private companies</strong>.</p></li></ul><h4 id="cf6f1fe2-b3a5-4b2b-bd02-be55012d0b1b" data-toc-id="cf6f1fe2-b3a5-4b2b-bd02-be55012d0b1b" collapsed="false" seolevelmigrated="true">Methods of Identity Theft</h4><ul><li><p><strong>Low-tech methods</strong>:</p><ul><li><p><strong>"Dumpster diving"</strong>: Rummaging through private or commercial trash for discarded bills or preapproved credit applications.</p></li></ul></li><li><p><strong>Sophisticated and technologically-based methods</strong> (used by organized thieves for mass quantities of information):</p><ul><li><p><strong>Hacking corporate databases</strong> used for online transactions.</p></li><li><p><strong>Bribing employees</strong> with internal access to customer identifiers.</p></li></ul></li></ul><h4 id="b24d4fce-08be-45f9-912c-a012775c290e" data-toc-id="b24d4fce-08be-45f9-912c-a012775c290e" collapsed="false" seolevelmigrated="true">Financial Impact of Data Theft</h4><ul><li><p>The loss of sensitive personal information is costly.</p></li><li><p>Estimates from <strong>2007</strong> indicate U.S. businesses lost over <strong>$5 \text{ million} due to confidential electronic data theft by hackers.

• The TJX Companies, Inc. breach: A small group of hackers compromised an internal database, stealing at least $94 \text{ million}$ customer credit card accounts.

  • Financial agencies estimate this caused as much as $1 \text{ billion}</strong> in damages.</p></li></ul></li></ul><h4 id="53879dd8-1c08-4a94-bd10-d4c59c69f995" data-toc-id="53879dd8-1c08-4a94-bd10-d4c59c69f995" collapsed="false" seolevelmigrated="true">Consequences for Victims</h4><ul><li><p>Once personal identifying information is obtained, thieves can easily <strong>ransack a victim’s financial status and destroy their credit history</strong>.</p></li><li><p><strong>Examples of fraudulent activities</strong>:</p><ul><li><p>Opening new credit accounts using stolen SSNs, names, and dates of birth, leaving the victim with unpaid bills and delinquent accounts.</p></li><li><p>Creating entirely new bank accounts, writing "hot" checks traced back to the victim.</p></li><li><p>Establishing wireless phone service.</p></li><li><p>Buying cars and other expensive consumer goods.</p></li><li><p>Filing for bankruptcy under assumed identities to avoid paying past-due accounts.</p></li></ul></li></ul><h4 id="12b15542-60ed-4452-ae7b-d12517ee15a1" data-toc-id="12b15542-60ed-4452-ae7b-d12517ee15a1" collapsed="false" seolevelmigrated="true">The Black Market for Stolen Information</h4><ul><li><p>Identity thieves have developed <strong>online black markets</strong> where stolen personal information is sold and re-sold globally.</p></li><li><p><strong>Internet Relay Chat (IRC) channels and websites</strong> are used by hackers to sell large volumes of data obtained through database compromises.</p></li><li><p>These web-based resources sell credit card and bank accounts, PINs, and supporting customer information in <strong>lots of tens or hundreds</strong>.</p></li><li><p>Stolen credit and bank accounts are referred to as <strong>"dumps"</strong>; participants are called <strong>"carders"</strong>.</p></li><li><p>Financial accounts can be sold for very low prices, sometimes as little as <strong>$1.30.

  • The ability to buy accounts from around the world demonstrates that identity theft and fraud have no boundaries.

  • Carding markets facilitate real-world identity theft and fraud:

    • Individuals offer cash-out services to convert electronic funds into physical money.

    • Buyers can purchase skimming devices to attach to ATMs or point-of-sale terminals to capture magnetic stripe data from cards.

    • Sales of passports, drivers’ licenses, and financial records enable more efficient real-world identity theft.

  Significant Cases of Identity Theft and Carding

  • Long Island Software Company Employee: A former employee originated a crime ring that cost consumers $2.7 \text{ million}</strong>.</p><ul><li><p>The suspect sold credit reports of over$30,000$people (including names, SSNs, credit info) to black market identity thieves.</p></li><li><p>This information was used to fraudulently obtain consumer goods.</p></li><li><p>Each victim’s credit history was sold for only <strong>$30.

• Federal Conviction of Military Officer Data Thief: A defendant was convicted for fraudulently obtaining names and SSNs of high-ranking military officers from internal government websites.

  • He used this information to apply for credit cards and lines of credit online.

  • Sentenced to $41$ months in prison and ordered to pay over $186,000$ in restitution.

• Insurance Firm Employee Fraud: A former temporary employee of an insurance firm used policyholders’ bank account information to deposit over $764,000$ in counterfeit bank checks.

• Identity Theft-Drug Smuggling Scheme: Seven defendants were convicted.

  • They used stolen SSNs to obtain employment and identification documents to facilitate heroin and methamphetamine smuggling from Mexico.

  • A number of defendants also used stolen identities to claim earned income tax credits on IRS tax forms.

• CASE #1: The ShadowCrew (2002-2004):

  • Opened a website in 2002 and developed a brisk trade in credit cards, financial information, and identity documents.

  • Over $1 \text{ million}$ credit cards were sold; there were over $2,000$ registered members.

  • Website was taken down on October 26, 2004, by the U.S. Secret Service and international police agencies.

  • Homes of $28$ members were raided; $12$ individuals pled guilty to charges ranging from computer fraud and abuse to document fraud and conspiracy.

  • The group leader, $32$-year-old Andrew Mantovani, received $32$ months in federal prison.

Law Enforcement and Legislative Responses

• Federal law enforcement and the criminal justice system are responding through new legislation and consumer awareness programs.

• Identity Theft and Assumption Deterrence Act of 1998:

  • Makes it a federal crime to knowingly transfer or use, without lawful authority, another person's means of identification with the intent to commit or aid any unlawful activity (federal law violation or state/local felony).

  • Violations are punishable by up to $15$ years in prison.

  • While significant, the impact of such laws may be largely symbolic for many victims due to prosecution difficulties.

Challenges in Prosecuting Identity Crimes

• Identity crimes remain extremely difficult to prosecute once detected.

• Many cases are detected too late for adequate investigation.

• These cases are labor-intensive and often require collaborative efforts from federal, state, and local law enforcement.

• The actual monetary losses in many individual identity theft cases may be considered too small to dedicate substantial prosecutorial resources.

Future Strategies to Mitigate Identity Theft: Proactive Approaches

• Experts believe consumer awareness and monitoring programs are the most viable avenue to thwart identity theft growth, given prosecution difficulties.

• Federal Trade Commission (FTC) Identity Theft Clearinghouse:

  • Collects identity theft complaints.

  • Provides victims with referral information and resources to restore credit history and financial status.

  • Established a hotline for victims.

• Fundamental problems with traditional strategies:

  • Identity thieves are extremely difficult to catch.

  • They often steal amounts too small to garner significant attention from local law enforcement.

  • These issues reduce the effectiveness of reactive or post-occurrence strategies.

• Observers underscore the need for more proactive mitigation strategies to prevent identity theft before it occurs.

The Concept of Fractured Identities (Birch)

• Birch argues large-scale identity theft occurs because citizens are routinely required to provide too much personal information or "parts" of their identity.

• Most transactions require verification of only a single piece of data, yet we are asked to provide many unnecessary data points.

• Identity theft increases with the amount of personal information made available in each transaction.

• We don't have one single identity but many "fractured" identities depending on the situation.

• The proposed solution is to only reveal the specific part of our identity required to complete each individual transaction.

Internet Fraud: General Trends and Statistics

• The Internet's growth over the last decade (communications, research, consumer spending, B2B transactions) has created unparalleled opportunities but also fresh avenues for fraud and abuse.

• Many online fraud schemes are simply new takes on old themes (e.g., chain letter hoaxes, confidence schemes, bait-and-switch cons) adapted to an electronic medium.

• The increasing use of the Internet has led to an alarming growth in fraudulent schemes.

• According to NWCCC reporting rates:

  • Consumer complaints concerning online fraud rose from $16,838$ in 2000 to over $75,000$ in 2002.

  • This represents over a $400 \% \text{ increase}</strong> in just two years.</p></li></ul></li><li><p>These schemes encompass diverse offenses: financial institution fraud, investment fraud, communications fraud, and confidence schemes.</p></li></ul><h4 id="7698c6e7-4780-47e5-82d5-86129a751415" data-toc-id="7698c6e7-4780-47e5-82d5-86129a751415" collapsed="false" seolevelmigrated="true">Types of Internet Fraud</h4><h5 id="32fb9d6d-b578-4737-8cc4-8d81a5d76110" data-toc-id="32fb9d6d-b578-4737-8cc4-8d81a5d76110" collapsed="false" seolevelmigrated="true">Online Auction Fraud</h5><ul><li><p>The <strong>most widely reported type of Internet fraud</strong> by a large margin, comprising$64 \%$of all reported Internet fraud.</p></li><li><p>The <strong>Internet Crime Complaint Center (IC3)</strong> received over$30,000$auction fraud complaints in <strong>2001</strong>.</p></li><li><p>Losses related to online auction fraud surpass <strong>$4 \text{ million} annually.

  • The IC3 has seen an increase in auction fraud reports over time; the average loss per complaint was 610.

  • Common methods of defrauding participants:

    • Nondelivery of goods: The most prevalent form; victims often have little recourse as payment is received, and they lack physical address/description of perpetrator.

    • Misrepresentation: Sellers purposely misrepresent item quality or characteristics through descriptions or altered pictures.

    • "Shill bidding": Intentional fake bidding by the seller to artificially inflate the item's auctioned price.

    • "Fee stacking": Sellers add hidden charges (often inflated shipping costs) to the item's cost prior to delivery.

  • CASE #1: Raj Trivedi (CATCH Task Force):

    • Successfully prosecuted for victimizing over 700$individuals worldwide through advertising high-tech products, accepting payment, and failing to deliver.</p></li><li><p>Total losses exceeded <strong>$992,000.

    • Trivedi advertised on eBay, uBid, and Yahoo.

    • In March 2002, sentenced to three years in prison and ordered to pay restitution; victims averaged $1,200$ in individual losses.

  • CASE #2: Teresa Smith (Massachusetts):

    • One of the largest online auction fraud schemes on record, with over $300$ individual complaints from April 2001 to October 2002.

    • Scheme: sold computers, required upfront payment, then did not send merchandise or issue refunds.

    • Spent victims’ money on living expenses, a new vehicle, and advertising.

    • Changed online identity when complaints were reported.

    • Detected after investigators uncovered over $800,000$ in fraudulent proceeds.

    • Sentenced in 2003 to nearly five years in prison.

  Financial Institution Fraud

  • Involves attempts to conceal the truth from deposit and lending institutions to gain monetarily.

  • Examples: credit/debit card fraud and identity theft.

  • Credit card fraud is one of the most widely reported Internet frauds.

  • Identity theft is a primary concern for law enforcement and the public.

  Investment Frauds

  • Defined as "deceptive practices involving the use of capital to create more money."

  • Includes traditional stock market schemes and pyramid business schemes, all of which can be conducted online.

  Communication Frauds

  • Involving new technologies, these have skyrocketed (e.g., thefts of wireless phone codes and satellite communication devices).

  Confidence Schemes

  • Involve a breach of personal trust and are among the most widely practiced and familiar forms of Internet fraud.

  • Typically use email or online sites as the primary medium, rather than mail or telephone.

  • Widely perpetrated Internet confidence schemes include:

    • Online auction fraud.

    • The Nigerian "419" fraud.

    • Chain letter hoaxes.

    • "Urban legends" passed along through electronic mailings.

  Nigerian "419" Fraud Scheme

  • Originating in 1989, this online email letter scheme has cost individuals and businesses an estimated $1 \text{ billion}</strong> globally.</p></li><li><p>Named "419" after the relevant Nigerian criminal codes.</p></li><li><p><strong>Content of fraudulent emails (Interpol summary)</strong>:</p><ul><li><p>Outlines nonexistent opportunities for recipients to receive Nigerian government funds in exchange for advance fees.</p></li><li><p>Claims the money is from delayed contract payments to companies/individuals who abandoned claims, now being paid by the military government.</p></li><li><p>Signatories pose as middlemen, requesting victims supply signed/stamped blank company letterheads, invoices, and detailed account information.</p></li><li><p>This is supposedly for transferring money in advance to pay taxes and bribe officials for the supposed proceeds.</p></li><li><p>No money is ever received; victims suffer a total loss of bank deposits.</p></li></ul></li><li><p>The IC3 received over <strong>$16,000$complaints about the scheme in 2008 alone</strong>.</p></li><li><p>Largely due to this scheme, <strong>Nigeria ranks second only to the United States in Internet fraud losses</strong>.</p></li><li><p>Victims in the U.S. lost an average of <strong>$1,650$</strong> due to these schemes, making them one of the more costly forms of fraud.</p></li></ul><h6 id="6555e0ac-4176-4ce3-a53c-918e7eff7a82" data-toc-id="6555e0ac-4176-4ce3-a53c-918e7eff7a82" collapsed="false" seolevelmigrated="true">Phishing</h6><ul><li><p>Perpetrators attempt to "lure" or "hook" potential victims to <strong>fraudulent websites</strong> to gather sensitive personal information.</p></li><li><p><strong>Process</strong>:</p><ul><li><p>Distribution of emails appearing to be from legitimate financial institutions or credit card companies.</p></li><li><p>Message states the recipient’s account is compromised or requires maintenance.</p></li><li><p>Asks the victim to log into financial accounts via a web link in the email.</p></li><li><p>The link appears legitimate but redirects to a <strong>fraudulent website created by the criminal</strong>.</p></li><li><p>These "spoofed" web pages mirror legitimate sites, often directly copying images and designs.</p></li><li><p>Victim provides bank account number, PIN, passwords, or other sensitive information.</p></li><li><p>Criminals use this information for credit card fraud or identity theft without the victim's knowledge.</p></li></ul></li><li><p>The IC3 has seen an <strong>increase in phishing schemes since 2004</strong>, making them a common form of Internet fraud.</p></li><li><p>The <strong>Gartner Group estimated the cost of phishing schemes in the U.S. in 2007 alone to be$3 \text{ billion} for both victims and financial institutions.

  Detecting Phishing Emails: The PILFER System

  • Researchers at Carnegie Mellon University developed a method for detecting phishing emails.

  • Their approach, called "PILFER", is designed to detect intentionally deceptive communication.

  • Methodology:

    • (1) Extracting data contained in the phishing email.

    • (2) Collecting additional information from external sources.

  • Data used by PILFER:

    • Web addresses.

    • Website domain names.

    • Number of links in the email.

    • HTML email content.

    • JavaScript.

    • Information from existing spam filters.

  • Researchers found PILFER identified phishing emails with $99.5 \% \text{ accuracy}</strong>.</p></li><li><p>This research shows the increasing possibility of detecting phishing emails using specialized filters, but future strategies must evolve as attacks change.</p></li></ul><h6 id="95039af8-7813-4a8c-be1c-106412b1be49" data-toc-id="95039af8-7813-4a8c-be1c-106412b1be49" collapsed="false" seolevelmigrated="true">Chain Letter Hoaxes</h6><ul><li><p>Online versions of age-old schemes designed to encourage email forwarding.</p></li><li><p>Often ask recipients to forward to as many people as possible in exchange for a specified sum per forwarded email.</p></li><li><p>Typically <strong>less costly</strong> than other online frauds, as victims are simply duped into believing they will receive non-forthcoming compensation.</p></li><li><p><strong>Examples of prominent businesses falsely claimed to compensate recipients</strong>:</p><ul><li><p>Microsoft</p></li><li><p>Outback Steak House</p></li><li><p>Victoria’s Secret</p></li><li><p>Newell Company</p></li><li><p>Nokia</p></li><li><p>Old Navy</p></li><li><p>McDonalds</p></li></ul></li><li><p>These claims are false, as <strong>no software currently exists to track email forwards and compile reports</strong> to a central tabulator.</p></li></ul><h6 id="2028fa6b-e517-40cc-8844-3714e2c1c1c1" data-toc-id="2028fa6b-e517-40cc-8844-3714e2c1c1c1" collapsed="false" seolevelmigrated="true">Urban Legends</h6><ul><li><p>Myths designed to create <strong>generalized panic</strong> among email recipients.</p></li><li><p>Typically entail grandiose claims of impending danger arising from commonplace activities.</p></li><li><p><strong>Examples of common online urban legends (all untrue)</strong>:</p><ul><li><p><strong>Hypodermic needles on gas pump handles (Jacksonville, Florida)</strong>: Claims of HIV-infected needles,$17$cases in Jacksonville,$12$$ other cases nationwide, warning to check pump handles.

  • Cyanide-laced ATM deposit envelopes (Bank of America): Claims a woman died from licking an envelope, other envelopes found, advice to spit on envelopes before sealing.

  • Ether-laced perfume at mall parking lots: Claims people selling cut-rate perfume are actually using ether to knock out victims and steal valuables.

  • Hanta virus from dried rat droppings: Story of a stock clerk dying after cleaning a storeroom with dried rat droppings, warning to rinse canned foods/soda tops due to dust-like droppings.