Online Fraud Ã¯Â¿Â½ PAGE Ã¯Â¿Â½1Ã¯Â¿Â½
Running Head: Online Fraud
Identity Theft & The Internet: Committing Online Fraud
The Internet continues to make day-to-day business transactions easier for consumers. Along with this convenience come risks because it also creates the opportunity for an identity thief to commit fraud. The number of cases of online fraud is expected to rise dramatically over the next few years. In turn, everyone must take extra precautions to protect personal identifying information from falling into the wrong hands.
Table of Contents
I. Introduction . . . . . . . . . . . . . . . . . 5
Definitions & Terms . . . . . . . . . . . 6
II. Identity Theft . . . . . . . . . . . . . . . . 8
The Internet. . . . . . .
. . . . . . . . 9
Online Fraud. . . . . . . . . . . . . . .12
III. Statistical Data . . . . . . . . . . . . . . .15
IV. Industry Issues. . . . . . . . . . . . . . . .16
V. Legislation. . . . . . . . . . . . . . . . . .19
VI. Personal Concerns. . . . . . . . . . . . . . .21
VII. Conclusion . . . . . . . . . . . . . . . . . .23
References. . . . . . . . . . . . . . . . . . . . .24
List of Tables
Source: FTC web site, 2003
"What is the relationship between Identity Theft & The Internet and committing online fraud? Identity theft continues to rise and has been the top consumer complaint for the past four years. According to the Federal Trade Commission (FTC), more than half of the reports filed in 2003 dealt with Internet related fraud and victims reported losing an average of $200.
The results of identity theft can cause expensive headaches for business and consumers. To minimize this unethical business practice, Netizens (citizens of the Internet) must actively participate in reducing vulnerabilities. It's important to ensure the proper security measures are in place to overcome the sophisticated tactics used by criminals. Government officials and industry leaders must take a united stand against identity theft and online fraud by establishing defensive strategies to conquer this crime on all fronts.
As stated in the Ten Commandments: "Thou shalt not bear false witness against thy neighbor" (Exodus 20:16).
Definitions & Terms:
Blended Threat: a combination of the characteristics of viruses, worms, Trojan horses and malicious code with server and Internet vulnerabilities to initiate, transmit and spread an attack.
Malicious code: Software (e.g., viruses, trojan horses and worms) that appears to perform a useful or desirable function, but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic.
Trojan horse: A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
Virus: hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting - i.e., inserting a copy of itself into and becoming part of - another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.
Worm: A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively.
Spam: unwanted and unsolicited junk e-mail.
Spoofing: an attempt to gain access to a system by posing as an authorized user.
Identity theft is defined as the criminal act of assuming another person's name, address, social security number and date of birth in order to commit fraud (Lease & Burke, 2000). Types of identity theft include phone, utility, banking, tax return, social security, auto and mortgage loan fraud. Methods used to obtain identifying information range from basic street theft to sophisticated, organized crime (Hoar, 2001). Identity theft against family members, children and the deceased is a very common practice. However, most family members are reluctant to call police and press charges against their relatives.
In October 1998, the Federal Trade Commission was established as the "Clearinghouse" for consumer complaints, victim assistance and consumer education. The Consumer Sentinel is a secure online repository of identity theft complaints that can be accessed by law enforcement officials to aid investigations. Since the Commission began collecting complaints in 1999, the number of complaints continues to double each year. Identity theft has become the fastest growing crime in America to date (Hoar, 2001).
The Internet has become an important international infrastructure and is changing the very nature of conducting business. It is fast, thorough, accurate and increasingly indispensable (David, 2003). However, it must be utilized appropriately in order to maintain its continued availability. The Internet Activities Board (RFC 1087) states: "Access to and use of the Internet is a privilege and should be treated as such by all users of the system" (Krutz & Vine, pg. 441).
The first case of computer crime was reported in 1958 (Long & Long, 2002). Currently, millions of people are actively involved in e-commerce. Protecting computers from viruses and hackers is no longer the only concern for consumers who conduct business transactions over the Internet. Consumers must be aware of the risks that could potentially compromise their privacy or security and must exercise great caution when conducting business online. Experts agree that physical and logical security is no longer enough and additional measures must be taken in order to fight this crime.
While surfing the Internet, it is important to keep a low profile. Deleting history files and managing cookies is one way of protecting your privacy while shopping online. Intruders can gain access to personal information that is stored on computers and sent via e-mail (Winder, 2003). Most consumers have a preconceived notion that their information is protected once they log-off. This is not the case if that system is connected to the Internet via DSL or High Speed modem. Having an established IP address makes the system more vulnerable to privacy breeches. Consumer education is the key to guarding privacy and eliminating the threat of identity theft online.
Computer systems can be marginally or very secure, but not totally secure (Long & Long, 2002). Installing anti-virus software and firewalls is the first step to protecting computers from malicious attacks. Downloading updates regularly to ensure the latest security patches are installed and adjusting the browser settings will reduce vulnerabilities. It's a good idea to establish passwords that are difficult to crack and disable file-sharing features. Establishing a digital ID is one-way of ensuring transactions are protected from tampering.
Instant messaging is one of the most popular forms of communication, but it should be exercised with caution. It may disclose personal information to hackers who are monitoring the network via remote access. It also has the potential for transferring worms and spreading blended threats. Even though these threats can spread extremely fast, they can also be destroyed very quickly with instant message anti-virus products (Internet Security Threat Report, 2003).
Protecting your identity:
Using the Internet is a convenient way of doing business, but limiting exposure is the key to protecting your identity. Be sure there is a valid "need to know" before sharing personal information with anyone. The following actions can minimize the risk of becoming a victim:
Monitor financial statements to ensure that all activity is valid.
Review credit reports annually for accuracy.
Shred identifying information before disposal.
Remove name from mailing lists.
Secure incoming and outgoing mail.
Computer crimes fall into two categories; crimes that are committed against the computer and crimes that are committed using the computer (Krutz & Vine, 2003). Internet fraud is a relatively recent phenomenon. The various types of online fraud include: insider theft, hacking, spam, spoofing, account hijacking, auction fraud and peer to peer (P2P) file sharing (Farnan, 2003). Spam is an e-mail customer's No. 1 complaint and spoofing has been known to deliver computer viruses. The most rapidly spreading scam known is "phishing" and involves hyperlinks sent via e-mail that redirect users to disguised Web sites created by identity thieves. Computer users are fooled into revealing credit card numbers and other personal information that appears to come from legitimate banks or e-commerce sites (Clark, 2004). These crimes create an indisputable threat to personal security and privacy (Gates, 2004).
Credit card fraud is the most popular form of consumer fraud because it is the easiest to get away with and the most profitable (My ID Fix). Consumers who shop online should only use secure sites to avoid the risks associated with Internet fraud.
How Identity Thieves steal your information:
There are a number of ways thieves can gather another person's identifying information. Some of the traditional methods include stealing a wallet, purse or mail and rummaging through garbage. More sophisticated tactics involve using the Internet to gather another person's identifying information. Information brokers collect, sort, package and sell personal information to identity thieves. Criminals can also purchase this type of information from an employee who has access to a bank, utility, phone or insurance company's database. The various ways that criminals obtain personal information will change as technological developments continue. The best defense is to be proactive and keep personal information under lock and key.
If you become a victim:
File a police report.
Contact the fraud department of the 3 major credit bureaus to place a fraud alert on your credit file.
Close all credit accounts that were opened fraudulently or may have been tampered with.
Report the crime to the Federal Trade Commission.
Identity theft victims are not obligated to pay fraudulent bills if reported within a specified time frame. Be sure to document all conversations in writing to include the name, number, date and what actions were taken. Include the time and money spent straightening out your credit. You may be entitled to lost wages and restitution (Spillenkothen, 2001). Early detection is the key to recovery and seek counseling from victim assistance groups if necessary.
In 2003 there were approximately 10 million victims who reported losing $5 billion in out of pocket expenses (FTC). The average victim spends thirty hours and $500 repairing the damage as described in Table 1. An estimated 500,000 to 750,000 new identity theft cases are reported each year.
A study by Gartner Group reveals that 2% of online shoppers fell victim to identity theft and 5% were victimized by credit card fraud last year (My ID Fix). Most cases of identity theft go undetected and quite a few cases are never reported. Majority of the time, victims don't even know how their information was obtained.
The investigation of identity theft is a very labor-intensive process. Most individual cases are usually considered to be too small for Federal prosecution. Only 25% of the hundreds of Internet crime cases filed are prosecuted. Disturbingly, no arrests were made in any of the six recent high-profile cases because the criminals were far more technologically advanced than law enforcement officials (Sandoval, 2002). In cases where the culprit is known, it has been known to take months or years to prosecute. As reported by the FBI, this is the most difficult crime to prove (Long & Long, 2002).
Corporations are subject to new laws that can penalize them if personal information is not safeguarded. Without the proper control mechanisms in place, a company could risk compromising their integrity and their customer's personal information.
Industry leaders continue to seek new ways of counteracting data theft and spam. There are indications that nearly half of all e-mail sent is spam and this puts a heavy strain on networks and wastes money, time and resources. According to Microsoft Chairman Bill Gates, the company will continue to invest heavily in anti-spam research and development until this fast growing problem is resolved (Gates, 2004). Microsoft Corporation is partnering with Internet service providers to establish a "caller ID" system for e-mail. A proposal on how to put an end to spam is outlined in the company's Coordinated Spam Reduction Initiative (CSRI) that is expected to launch this summer.
Time Warner's America On Line unit introduced a proposed solution that would require senders to publish their Internet Protocol (IP) address so recipients could verify incoming mail against its true identity. This concept is known as Sender Permitted From (SPF) and has been incorporated into security software programs across the globe (Clark, 2004). Other developers have created software designed to protect corporations from accidental transmission of confidential information via e-mail and eavesdropping.
How much is your identity worth? The average cost of credit card protection is $79.00 annually. Homeowner insurance policies offer identity theft coverage options, however, the problem with purchasing additional coverage is that it is not necessary. According to the Better Business Bureau, consumers are protected under Federal law. These laws were established to soften the devastating blows most victims previously experienced.
Businesses and financial institutions lost over $48 billion in identity theft related expenses last year (FTC). The Gramm-Leach-Bliley Act was established to ensure that financial institutions have policies, procedures and controls in place to prevent unauthorized disclosure of customer financial information (Spillenkothen, 2001). The most recent scam involving the financial industry is pre-text calling. Pre-text calling is a tactic that involves using scraps of information to trick clerks into divulging more information or asking them to "verify" data (O'Harrow, 2003). To combat this scam, most institutions require callers to verify previously established personal identification numbers (PIN) or passwords prior to discussing accounts.
The financial industry is lobbying for uniformed federal regulations. These regulations would eliminate the need for state laws to outline the application and processing of credit (Ambrose, 2003).
Most states have established laws that prohibit the theft of identity information, but identity theft is a federal crime. Information Privacy Laws concerning the handling of personal information have been established and will continue to surface as new crimes are created.
The Computer Abuse Amendments Act of 1994 makes it a felony to gain unauthorized access to a computer system with the intent to obtain anything of value (Long & Long, 2002). Title 18 United States Code defines fraud and related activity in connection with identification documents and information. Under this code, the Identity Theft and Assumption Deterrence Act of 1998 makes identity theft a crime with penalties up to 15 years imprisonment and a maximum fine of $250,000. In December 2003, President Bush signed the Fair & Accurate Credit Transaction Act, giving consumers the right to a free copy of their credit report and access to credit scores (Ambrose, 2003).
Sensitive information in the wrong hands could potentially harm your credit rating and subject you to undue stress and financial worries. The following federal laws were established to protect victims of identity theft and assist them with repairing the damage:
Fair Credit Reporting Act establishes policies and procedures for correcting mistakes on credit records.
Fair Credit Billing Act establishes procedures for resolving billing errors on credit accounts if reported within a timely manner.
Truth-in-Lending Act limits liability for unauthorized credit card charges up to $50.00.
Fair Debt Collection Practices Act prohibits debt collectors from using unfair or deceptive practices to collect overdue bills.
Electronic Fund Transfer Act provides consumer protection for transfers using debit card to credit or debit an account.
Protecting personal information has always been a major concern of mine. I shred everything with my name on it. I picked up this habit when I joined the military. Fresh out of boot camp, I was sent to Germany and worked as a document control custodian. I was responsible for ensuring classified material was secured, transferred and destroyed in accordance with established regulations. Proper handling and accurate accountability was the key to avoiding a security violation. The last thing I wanted was to make a mistake that could ruin my career.
I've been on active duty for fifteen years now and I am more security conscious because of the threats associated with identity theft. Recently, service members have become targets of identity theft scams. This caused the FTC to adopt an "active duty fraud alert" that can be placed on credit reports for up to one year when military members are called away on duty (Ambrose, 2003). In response to these threats, the Army established a Web Risk Assessment Cell that ensures personal information is removed from publicly accessible web sites. Service members use the Internet to view and update personnel and finance information. A compromise to this system would be devastating.
I've lived in Alexandria for over five years and was unaware of the high ratings this region received on the most recent survey conducted by the Federal Trade Commission. According to the Consumer Sentinel, the Washington, DC metropolitan area is ranked number 1 for fraud related complaints last year. On a per capita basis, Maryland and D.C. have the most victims of identity theft in the nation (FTC). Based on these facts, where I work and live put me at a higher risk of becoming a victim of identity theft. I frequently shop on the net and use online banking. The additional knowledge I've gained during the course of this project makes me feel confident that my identity is protected. I take good security precautions and I am more educated than the average consumer in regards to identity theft.
A local man's case of stolen identity as reported in the Washington Post Magazine last year, is in my opinion, the worst-case scenario. An Arlington, VA man had his identity stolen and his name and social security number published on "America's Most Wanted" web site. The man who stole his identity had actually committed murder in his name (O'Harrow, 2003).
Measuring the extent of identity theft on the Internet is difficult because there are a number of cases that are not reported. The Internet makes it easier for thieves to commit fraud by tapping into the resources available online. Company database files store a wealth of information and once penetrated, can cause mass victimization. Strict Federal legislation, industry cooperation and communication between law enforcement agencies at all levels are required in order to combat this epidemic. The fact is, identity theft is a serious crime and offenders should be held accountable regardless of the amount of loss. Identity theft is not going to disappear, the results can have traumatic consequences on your life and the damage to your credit can be devastating.
Ambrose, E. (2003). Bush signs Bill giving consumers new safeguards
against ID theft, credit fraud. Knight Ridder Tribune Business
News. Retrieved Mar 1, 2004, from ProQuest database.
Clark, D. & Wingfield, N. (2004, Feb 23). Computer-Security Efforts
Intensify. The Wall Street Journal, p.B4.
Coogan, M.(2001). The New Oxford Annotated Bible. New Revised
Standard Version. New York: Oxford University Press.
David, Fred R. (2003). Strategic Management Concepts & Cases
(9th ed.). Upper Saddle River, NJ: Prentice Hall.
Gates, Bill (2004). Outlines technology vision to help stop Spam.
Presspass Information for Journalists. Retrieved Mar 02, 2004,
from Microsoft Corporation Web site:
Guth, R. & Mangalindan, M. (2004, Feb 25). Microsoft takes
"Caller ID" tack against Spam. The Wall Street Journal, pp.B3.
Farnan, J. (2003, May 15). Congressional statement. Message posted to
House Committee on Government Reform, archived at
Federal Trade Commission, (2004). Identity Theft Complaint Data:
Figures and Trends on Identity Theft. Washington, DC.
Hoar, S. (2001, Mar 01). Identity Theft: The Crime of the New
Millenium. Vol. 49 No. 2. Retrieved Mar 30, 2004, from
Identity Theft and Assumption Deterrence Act of 1998. Retrieved
Mar 9, 2004, from Identity Theft Prevention and Survival Web
Instant Messaging, (2003). Internet Security Threat Report. Retrieved
Mar 26, 2004, from Symantec Web site:
Krutz, R., & R. Vines. (2003). The CISSP Prep Guide. Gold Ed.
Indianapolis, IN: Wiley Publishing, Inc.
Lease, M. & Burke, T. (2000). Law Enforcement Bulletin. Retrieved
Feb 15, 2004, from FBI Publications Web site:
Long L., & Long, N. (2002). Computers: Information Technology
in Perspective. Upper Saddle River, NJ: Pearson Education.
My ID Fix (n.d.). Identity Theft Prevention & Victim Assistance Center.
Retrieved Mar 04, 2004, from World Wide Web site:
O'Harrow, R. Jr. (2003). Identity crisis. The Washington Post Magazine,
Sandoval, G. (2002). Why hackers escape. News.com. Retrieved
Mar 29, 2004, from http://news.com.com/2009-1017-912708.html
Sans Institute, (2003). Glossary of Terms used in Security and
Intrusion Detection. Retrieved Feb 25, 2004. Sans Web site:
Spillenkothen, R. (2001, Apr 26). Identity theft and Pretext Calling.
Message posted to Federal Reserve Board, archived at
Winder, R. (2003). Untangling the web: an introduction to Internet