Identity theft at ‘epidemic’ levels, warn experts

Identity theft is running at “epidemic” levels in the UK, fraud prevention service Cifas has glumly announced.

Ever the bearer of bad news, the organisation has been saying the same thing for years. Since 2008 (when ID fraud fell after the credit crunch), reporting of the problem by Cifas’s 360 members across banking and financial services rose steadily from 77,000 cases in 2009 to 173,000 in 2016.

In the first six month of 2017, the figure reached 89,000, which implies a rise of around 9% for this year as a whole, or 500 individual identities stolen every single day in a crime that now makes up half of all fraud. Should ID theft breach 200,000 in 2018, nobody will be surprised.

If a bad thing keeps getting worse, it’s probably worth asking why. A clue comes in the breakdown of the individual fraud types that make up ID theft as a whole.

It’s noticeable that the two biggest – opening bank accounts or applying for credit cards in someone’s name – have fallen.

In the first six months of 2017, card fraud fell 12% to 30,000 compared to the same period in 2016, while bank account fraud fell 14% to 25,000.

Meanwhile, other types of fraud boomed spectacularly, with fraudulent loans rising 54% to 11,500 cases, telecoms fraud up 61% to 9,000, and online retail up 56% to 5,000.

The odd crime of taking out insurance in someone’s name went from only 20 cases to more than 2,000, apparently because it is a simple way of accessing personal data to fuel more serious ID theft crimes.

These are amazing rises in mere months and suggest that as security becomes more stringent in one area, criminals shift attention to less well-defended parts of the system.

A second depressing conclusion is that ID theft is inextricably linked to the rise of online commerce, whose rapid growth it neatly tracks. If so, ID theft it will continue to grow as this channel expands further.

Cifas is an organisation that represents the financial services industry so, naturally, it wants consumers to carry the can by paying attention to the amount of personal information they share online.  Comments chief executive Simon Dukes:

These frauds are taking place almost exclusively online. The vast amounts of personal data that is available either online or through data breaches is only making it easier for the fraudster.

That’s not bad advice, but being cagey about one’s name, dates of birth and addresses isn’t easy in an online world that constantly demands this stuff even for relatively trivial services.

The deeper problem is that the online world depends on a notion of identity so crocked it would make the Victorians wince.  It was bad enough when the world depended on birth certificates, passports and diving licences – these days, some online systems can be beaten simply by feeding them an individual’s personal data points.

Sounds far-fetched? Try applying for online credit and see how few checks are carried out in many cases.

Personal data is not identity and yet, too often today, it is taken to be. The financial services industry, for its part, is addicted to the flawed system of credit reports, ironically one of the first ways ID theft victims end up being “punished” for behaviour conducted in their name.

What to do – and not do

Be cagey about personal data on social media. Mentioning addresses, dates of birth and mobile numbers is now extremely risky. Profile pages are where criminals start.

Treat any online accounts containing personal data as precious. This means using decent passwords and every available security measure from multi-factor authentication to security software. And remember that dictionary attacks can beat a lot of apparently good passwords if they use common patterns of words or character substitutions.

UK citizens have a statutory right to see a copy of their credit report for a £2 ($3.50) fee. This might be worth checking annually for unusual activity.

If you’re contacted about a service you think borrowed your identity, contact your bank first rather than arguing about it with the company involved. Do not delay.