Javelin’s Specious ID Theft Findings

2007 brings another identity theft survey from Javelin Strategy. As usual, it strives to conclude that identity theft is on the decline and that most identity theft is the result of information being stolen from the victim. Both conclusions are dead wrong. Why?

Javelin’s study doesn’t detect “synthetic identity fraud.” Public polling on identity theft completely misses the biggest modern fraud issue–synthetic identity theft. In synthetic cases, the impostor creates an entirely new identity using information from many different victims. Since this synthetic identity is based on some real information, and sometimes upon artfully created credit histories, it can be used to apply for new credit accounts. This harms consumers because it creates subfiles at the CRAs, and the real owner of the SSN is sometimes targeted by collections efforts.

According to Mike Cook of ID Analytics (PDF), a company that specializes in reduction of fraud risk, synthetic fraud “is a larger problem than identity theft and is growing at a faster rate.” Because “the combination of the name, address and Social Security number do not correspond to one particular consumer, the fraud is unreported and often goes undetected…financial losses stemming from synthetic identity fraud are difficult for organizations to label as fraud when the approved account becomes delinquent and eventually charges-off as a loss.”

According to ID Analytics, in 2003, 88% of fraudulent new accounts were opened with synthetic identities. In addition, 73% of dollar losses were due to synthetic theft, with only 26% being attributed to traditional, true name identity theft. These frauds go completely unmeasured by public polling, but cost the consumers and the economy billions in higher fees.

Javelin’s conclusions on how identity theft occurs (through connections to the victim) contradict all the existing literature, which attributes the problem largely to insiders. The FDIC reported in 2004 that:

Some industry analysts and security professionals estimate that 65 to 70 percent of identity theft is committed with confidential information stolen by employees or participants in transactions or services. In a survey conducted in 2003, an estimated half of all workers and managers who had access to customer information said that it would be either “easy” or “extremely easy” for workers to remove sensitive data from corporate databases. Two-thirds of the respondents believed that their coworkers, not hackers, posed the greatest risk to consumer privacy. Insiders can sell the information or use it directly to commit identity theft. Because of the increased networking of internal operations and pervasiveness of huge customer databases, financial institution employees have access to more customer information than ever before. The exact size of the problem is unknown, but fraud is sometimes perpetrated by financial institution insiders, often in ways that require little technical sophistication.

In a study of 1,037 verified instances of identity theft, Collins and Hoffman found that 47% of impostors stole information from individuals by stealing mail and trash, purse snatching, and stealing information from friends and relatives. 51% of impostors obtained information by stealing it from businesses.

Collins and Hoffman continue:

“The data on workplace identity theft, however, vary from the present 51% to as much as 70%…Thus, although precise numbers are unknown, these corroborative studies point to insider theft as a majority source of the crime, and when the source of a crime is known, mechanisms for prevention can be implemented, such as by conducting information process risk assessments and by adopting and enforcing personnel practices for security.”

In an annual survey of corporate security executives and law enforcement, CSO Magazine found (PDF) in 2006 that 36% of respondents reported that criminals stole proprietary information, including customer records. When the business could identify the source of the attack, it reported that 56% of such crimes were committed by insiders. 29% reported being the victim of credit card fraud; when the business could identify the attacker, 47% of such crimes were committed by insiders. 19% reported that attackers committed identity theft against the business’ customers; in those cases, 46% were associated with an insider. 11% reported an electronic attack where personal information was intentionally revealed to the public; in those cases, 71% were associated with insiders.

In the 2005 CSO study, an online survey of 819 security professionals, 80% reported (PDF) that identity theft was one of the top five areas in which the majority of time was spent. 48% reported that in 2004, their organization was the victim of a criminal seeking unauthorized access to information, and 19% the victim of a crime seeking exposure of privacy or sensitive information.

In CSO’s 2003 survey, 36% of companies reported unauthorized access to information by insiders, and 27% reported such access by outsiders.

Statistically, Javelin’s finding is suspect, because it relies upon a minority of the sample to infer conclusions about the entire population. In order to take a minority of a sample and generalize it to the full population, one must first show that the known cases (the minority) are “exchangeable” with the unknown ones (the majority). That is, one must show that the unknown cases have similar causes of identity theft as the known ones. The attempts to do this are inadequate. Footnote 9 of Javelin’s 2005 study warns readers of this very problem: “Where less than a clear majority of victims has answered the question, readers should note that the data may not be as representative of the total population of victims as in other instances”.

Extrinsic evidence and logic suggest that they’re not exchangeable. First, victims are obviously more likely to know the identity of the thief when it is a family member or friend. They’re much less likely to know when someone far away from them committed the crime (such as the many well-documented cases of outsourced data being sold to thieves). Second, existing studies of confirmed victims (from police reports and newspaper reports, such as Collins’ report in 2004) show that the most likely source of data is businesses. Similarly, internal analyses written by the business community itself estimate that identity theft finds its roots in business databases 50-70% of the time. Finally, even if risk behaviors are consistent between the known and unknown victims, certain threats (such as security breaches, outsourcing risk, etc.) are not addressed by any consumer action. That is, you are just as likely to become a victim, regardless of whether you shred, etc.

The FTC’s Opinion on Javelin rejects Javelin’s findings as “misleading:” In an email to Wall Street Journal reporter Robin Sidel, obtained under the Freedom of Information Act concerning the Javelin Report, an FTC employee wrote: “Since most surveyed–74 percent–could not identify the person who stole their identity, and half the 26 percent who could identify the thief either didn’t personally know the thief or said it was someone other than a friend or relative, it would be misleading to suggest that the ‘Culprit is likely a friend or relative.’”
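The exchangeability problem, worked through with the figures quoted in the FTC email (74% could not identify the thief; at most half of the 26% who could named a friend or relative). This is an added example, not part of the original post or of Javelin's analysis; the function names and the identification rates passed in are illustrative assumptions.

```python
# Added illustration (not from the original post). Survey figures are the ones
# quoted in the FTC email; the identification rates passed in are assumptions.

P_IDENTIFIED = 0.26          # share of victims who could identify the thief
SHARE_KNOWN_RELATIVE = 0.5   # of those, share naming a friend or relative (at most)


def worst_case_bounds(p_identified, share_among_identified):
    """Bounds on the true friend/relative share with NO exchangeability
    assumption: the unidentified cases could be all strangers or all relatives."""
    known = p_identified * share_among_identified
    unknown = 1.0 - p_identified
    return known, known + unknown


def implied_true_share(p_identified, share_among_identified, id_rate_acquaintance):
    """True friend/relative share consistent with the survey, given an ASSUMED
    probability that a victim can identify a thief they personally know.
    Also returns the identification rate this implies for stranger-thieves."""
    known = p_identified * share_among_identified
    true_share = known / id_rate_acquaintance
    if not 0.0 < true_share < 1.0:
        raise ValueError("assumed rate is inconsistent with the survey figures")
    id_rate_stranger = (p_identified - known) / (1.0 - true_share)
    return true_share, id_rate_stranger


if __name__ == "__main__":
    lo, hi = worst_case_bounds(P_IDENTIFIED, SHARE_KNOWN_RELATIVE)
    print(f"Without exchangeability: friend/relative share is {lo:.0%} to {hi:.0%}")

    # Hypothetical identification rates for thieves the victim knows personally.
    for rate in (0.26, 0.50, 0.75, 1.00):
        share, stranger_rate = implied_true_share(
            P_IDENTIFIED, SHARE_KNOWN_RELATIVE, rate)
        print(f"if {rate:.0%} of acquaintance-thieves are identified: "
              f"true share {share:.0%}, "
              f"stranger-thieves identified {stranger_rate:.0%} of the time")
```

The 50% figure is recovered only in the first row, where victims are assumed to identify strangers exactly as often as people they know; every more plausible row puts the friend-or-relative share well below half.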

Why didn’t Javelin recommend that consumers opt out of prescreening? Finally, I would like to ask Javelin why they didn’t recommend that consumers protect their identity by opting out of prescreened offers of credit and convenience checks. Thieves steal preapproved credit card offers and “convenience checks” from mailboxes in order to obtain new accounts and lines of credit. These mailings are a major vector of identity fraud, and they can be stopped with a single call to 1-888-5-OPTOUT. Every consumer organization makes this recommendation. Why not Javelin?

Using Javelin’s methods of projecting results from the minority of the sample to the general population, one could conclude that a large number of identity theft incidents could be ended if consumers opted out. For instance, the FTC survey found that 4% of victims cited stolen mail as the vector for identity theft. Projecting that 4% figure to the entire estimate of victims (10,000,000 * .04) would mean that 400,000 people were victims of identity theft because of marketing offers sent by credit card companies and banks in 2002. According to the 2005 Javelin Report, 8% of victims cited stolen mail as the source for their personal information, and therefore (9,300,000 victims * .08) 744,000 people were victimized accordingly.

This trick can be applied in other surveys as well. In 2003, Privacy & American Business found that 4% of identity theft victims reported that: “Someone went to a public record and used information there to steal my identity.” Again, if we use the Javelin tactic of projecting the data to the full population of victims (33,400,000 victims * .04), it would mean that 1,336,000 people have had their identities stolen because of information in the public record. This would suggest that efforts should be made to remove personal information from the public record.

Similarly, the same survey found that 7% of victims reported that identification information was stolen from credit card offers and courtesy checks. Using Javelin’s methods, in the years prior to 2003, 2,338,000 people have had their identities stolen because of the marketing practices of financial services companies.

Why didn’t Javelin recommend opting out? Ask Visa, the study’s sponsor.