Back in 2008, Identity Theft was the gossip topic of the year for information security and a right lot of muck was being spread around the fields of industry. Trying to help make some sense of things and introduce a bit of reality into the “30% of people suffer from ID theft” statistics, I proposed a “Taxonomy of ID Theft” in an article[1].
Today, a colleague queried a dodgy looking statistical statement in a piece of security advice:
In 2013, 36% of UK internet users reported that they had been the victim of online identity theft.
Looking at the original piece of research, an Experian paper from 2013, that says:
36% of UK internet users in the survey state that they had been the victim of ID or device theft in the past.
So, the original statement is both incorrect (in that it both excludes device theft and expressly limits Identity Theft to the online realm) and misleading, in that there is a significant implication that the identity theft occurred in 2013 rather than the reporting. Of course, the survey was based on a limited methodology (2,249 interviews) and the report itself didn’t claim any significant status for that finding (“It appears that …”).
But one of the key issues that this statistic (even the correct one) does not address is what “identity theft” actually is. In the demonic rhetoric of the media, this is evil people taking over your life – running up debts, drawing benefits and committing crimes, under your name. However, in the basic statistics, I expect that much lower-impact crime is included – having your credit card cloned or your bank account phished. These do cause both loss and, often worse, considerable inconvenience, but they are usually relatively quickly dealt with. And technical controls have been and are continuing to be introduced, not always obvious to the customer, which will assist in preventing or mitigating this level of crime.
I originally proposed a taxonomy that climbed from misuse, to abuse, to account takeover, and then fraudulent account opening, before you get to the heights of actual “identity theft”. Things, since then, have got more complicated, not least with the general improvements in online transaction security and the more advanced methods the fraudsters now need to use to gain sufficient access to complete fraudulent transactions.
Consider this. You conduct transactions, using credentials, against various accounts. You open those accounts using certain approved identifiers. Therefore there are 4 things that can be attacked and, apart from transactions[2], attacks can either be transient or extended[3] in duration. So you then have a punctuated continuum of attacks:
- Transaction hijacking (normally diversion).
- Credential abuse.
- Credential theft.
- Account access.
- Account diversion.
- False account opening.
- Identity theft.
Aside from the more explicit differentiation between immediate and extended impacts, this does not vary significantly from my previous taxonomy, although I have dropped the distinction between misuse and abuse, which used to concentrate on the unfortunately common situation where an account holder has given permission to somebody else to do certain things with their account (e.g. a carer being given an ATM card and PIN to get money for a less-mobile person) and they then misuse those permissions. These are, it has to be said, very difficult for the banks or similar organisations to detect, never mind prevent.
- [1] Pemble, Matthew. “Don’t panic: taxonomy for identity theft.” Computer Fraud & Security 2008.7 (2008): 7-9.
- [2] I can’t think of a time-extended attack against a transaction, particularly a consumer one. But that might just be a lack of imagination.
- [3] I didn’t want to use the more obvious “permanent” here, simply because attacks can eventually be reversed, although it may take legal involvement.