ARCHIVE - Report on identity theft

Archived Content

Information identified as archived is provided for reference, research or record-keeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

A Report to the Minister of Public Safety Canada and the Attorney General of the United States

Bi-national Working Group on Cross-Border Mass Marketing Fraud
October 2004

Executive summary

Identity theft refers to all types of crime in which someone wrongfully obtains and uses another person's identifying information for the purpose of fraud or other criminal activity, typically for economic gain. The perpetrators of identity theft include members of organized criminal groups or networks, terrorists and individual criminals. Identity theft is usually done for economic gain but has also been used by terrorists to obtain cover employment, finance their activities and avoid detection when carrying out their attacks. Criminals also use identity theft to divert law enforcement focus away from the true perpetrators of crimes.

There are indications identity theft is growing rapidly, due in part to the Internet and modern technology. During a one-year period in 2002-2003, total losses to individuals and businesses related to identity theft in the United States were estimated at approximately US$53 billion. In Canada the losses for 2002 were estimated at approximately CAN$2.5 billion.

Identity theft is committed in every place associated with daily life. Methods include mail theft, stealing from residences and personal spaces, misuse of personal data in business transactions, phishing, and theft from company or government databases.

The victims of identity theft come from every age group and all segments of society; however, the majority of victims appear in segments of the population with good or potentially good credit ratings. Victims of identity theft often suffer financial loss, damage to their credit rating and reputation as well as emotional distress. Many are also left with the complicated and sometimes arduous task of clearing their name and credit rating. A 2003 U.S. Federal Trade Commission identity theft survey report found victims had spent a total of 300 million hours in the preceding year to resolve problems created by the theft of their identity.

Identity theft is not confined by borders. Joint efforts to address this problem are coordinated through the Bi-national Working Group on Mass Marketing Fraud (a Cross-Border Crime Forum sub-group), consisting of government and law enforcement officials from Canada and the United States. Governments and the private sector in both countries have pursued a variety of initiatives and legislative reforms to combat identity theft.

On the basis of available data, it appears that identity theft is likely to continue to grow substantially over the next decade and become increasingly important in cross-border criminality. It is expected to pose a threat to tens of millions of people and businesses in Canada and the United States unless law enforcement authorities and private-sector entities mount a vigorous and coordinated response to the problem.

There are a number of areas in which law enforcement, government and the private sector in both countries can strengthen efforts to combat identity theft. They include:

Introduction

In 2003, the Canada-United States Cross-Border Crime Forum determined that it would be appropriate to conduct a threat assessment of identity theft and its impact on cross-border criminality. It directed the Canada-United States Working Group on Cross-Border Mass-Marketing Fraud, which reports to the Forum annually, to prepare such an assessment. This assessment is the product of many agency and individual participants in the Working Group from the United States and Canada. It was prepared jointly by the United States Department of Justice (DOJ) and Public Safety Canada (PS).

The objective of this threat assessment is to define the nature, scope and impact of identity theft. It includes trends, statistics and an examination of the factors surrounding identity theft to increase understanding of the nature of the crime as well as current and potential responses to the problem.

This report, which is being presented at the time of the October 2004 Cross-Border Crime Forum, will provide information and recommendations for policy makers, law enforcement, consumers and the private sector.

While there is a growing volume of data on the incidence of identity theft, statistical and analytical studies on the patterns of and participants in this criminal behaviour are still limited. Both countries are developing initiatives to respond to these challenges. These initiatives will be described later in the assessment.

This report is intended to provide Canada, the United States and other countries with essential information and to promote increased coordination on improving oversight and management of the risks of identity theft and developing comprehensive responses. As discussed below, this assessment recommends a coordinated response embracing public education and awareness campaigns, legislative measures and enforcement actions.

Identity theft - the threat

Unlike certain crimes that are specific to particular types of property and locations - for example, car theft and burglary - identity theft is committed in every place associated with daily life. Identity thieves target residences, workplaces and even places of recreation. Moreover, the growing ubiquity of digital data, and of computers and devices that transmit or store such data, means that identity thieves can ply their trade without ever coming into physical proximity with the individuals whose data they are stealing.

Simply by doing things that are part of everyday routines - for example, charging dinner at a restaurant, using payment cards to purchase gasoline or rent a car, or submitting personal information to employers and various levels of government - individuals may be leaving or exposing their personal data where identity thieves can access and use it without the victim's knowledge or permission. The victim may not discover the effects of the fraud until weeks, months or even years later.

What is identity theft?

In broad terms, identity theft refers to all types of crime in which someone wrongfully obtains and uses another person's identifying information for the purpose of fraud or other criminal activity, typically for economic gain. Such data may include name and date of birth and a range of closely related information such as social insurance numbers in Canada and Social Security numbers in the United States, as well as passport, driver's license and credit card numbers. Once stolen, the personal information can be used to take over or create financial accounts, transfer bank balances, apply for loans and credit or purchase goods and services. 1

Identity thieves may also present or create documents such as birth certificates or immigration documents to obtain benefits such as health care, education, social assistance and public pensions.

Why is it committed?

Canadian and United States law enforcement agencies are seeing a growing trend in both countries towards greater use of identity theft as a means of furthering or facilitating other types of crime. 2 In the overwhelming majority of identity theft cases, the objective is financial.

Some criminals engage in identity theft to obtain funds under their victim's name, mislead law enforcement as to the real perpetrator of the crime, or hide from law enforcement. Others obtain publicly-funded benefits or services to which they would not otherwise be entitled. Some use others' identifying data as means to larger ends, ranging from fraud to human trafficking and terrorism.

The scope of identity theft

There are substantial indications that identity theft has become a significant problem for consumers and businesses in Canada and the United States. One indication is the increase in the number of identity theft complaints filed in both countries.3

In the United States, identity theft-related complaints reported to the Federal Trade Commission (FTC) increased from 86,212 in 2001, to 161,836 in 2002, to 214,905 in 2003 - an increase of nearly 250 percent. 4 In the first two quarters of 2004, the FTC received an additional 130,217 identity theft complaints. This means that the average number of complaints that the FTC received per week has consistently increased: more than 1600 per week in 2001, more than 3,100 per week in 2002, more than 4,100 per week in 2003 and more than 5,000 per week in the first half of 2004.

In Canada, the Canadian Anti-Fraud Centre received 7,629 identity theft complaints in 2002 from Canadians reporting total losses of more than CAN$8.5 million. In 2003, Canadian Anti-Fraud Centre received 14 526 identity theft-related complaints from Canadians, reflecting reported losses of more than CAN$21.8 million. 5

Statistics gathered by Canadian Anti-Fraud Centre in 2003 and the first half of 2004 indicate the largest number of complaints surrounding identity theft relate to credit cards or false application for a credit card (32 percent) and cell phones or false application for a cell phone (10-12 percent). Similarly, the FTC reports that in 2003, 33 percent of identity theft victims reported that their identifying information was used for credit card fraud and 16 percent of victims reported that their identifying information was used for fraud in ordering phone service. Cell phones accounted for 10.4 percent of this total while landline phones accounted for 5.6 percent 6. Due to challenges categorizing the statistical information, law enforcement in both countries has reason to believe that actual instances, particularly of credit card "takeover", may actually be much higher.7

In addition, a September 2003 survey 8 for the U.S. Federal Trade Commission found that within a one-year period nearly 10 million persons in the United States - 4.6 percent of the adult U.S. population - discovered that they were victims of some form of identity theft. Of those 10 million persons, 3.2 million persons discovered that an identity thief opened new accounts in their name and 6.6 million consumers learned that an identity thief was misusing existing accounts. The survey also found that businesses suffered nearly US$48 billion in identity theft-related losses, individual victims suffered nearly US$5 billion in losses and victims spent nearly 300 million hours trying to resolve the problem.

In addition, two major Canadian credit bureaus, Equifax and Trans Union, indicate that they receive approximately 1400 to 1800 Canadian identity theft complaints per month, the majority of which are from the province of Ontario. The Canadian Council of Better Business Bureaus estimates consumers, banks, credit card firms, stores and other businesses lost CAN$2.5 billion to the perpetrators of identity theft in 2002 9.

On the basis of available data, it appears that identity theft is likely to continue to grow substantially over the next decade and become increasingly important in cross-border criminality. It is expected to pose a threat to tens of millions of people and businesses in Canada and the United States unless law enforcement authorities and private-sector entities mount a vigorous and coordinated response to the problem.

Who are the victims? Who are the perpetrators?

Another notable feature of identity theft is that its impact on victims extends across all ages. According to the U.S. Federal Trade Commission, 29 percent of identity theft complaints came from persons aged 18-29, 25 percent from persons aged 30-39, 21 percent from persons aged 40-49, 13 percent from persons aged 50-59, and 10 percent from persons aged 60 and more. Even persons under the age of 18 accounted for 3 percent of all identity-theft complaints. 10 Similar findings are echoed in Canadian research. According to research recently conducted by the Fraud Prevention Forum in Canada, victims of identity theft cut across all segments of Canadian society regardless of income and levels of education.11 However, the largest targeted segments of the population appear to be those who have a good credit rating or potential for good credit.

Individuals are not the only victims of identity theft. Corporations, financial institutions and small businesses can suffer not only financial loss but also damage to reputation, credibility and future operations.

Comprehensive statistics on the perpetrators of identity theft are lacking and available data on identity thieves is largely anecdotal. However, this data indicates that identity thieves tend to fall into three broad categories:

How is identity theft committed?

Identity theft, in its modern form, often occurs out of the sight of, and beyond the effective reach of, the victim. It is carried out by means of compromising electronic data systems, obtaining false foundation documents (such as birth certificates or citizenship documents), directing mail to new addresses, obtaining new credit accounts and improperly charging existing ones. It relies on the modern culture of ubiquitous personal information holdings, easy consumer credit and the rapid advancement and widespread acceptance of information technology. It also relies on any weaknesses in the safeguarding of personal identifying information. For example, identity thieves are quick to exploit any vulnerability in the measures that businesses, government agencies and consumers use to protect personal data.

The means of compromising personal data for identity theft are so varied and evolve so rapidly that even technologically sophisticated individuals and organizations may have difficulty maintaining adequate control over those data.

As noted earlier, identity theft is committed in every place associated with daily life. This section identifies the principal points of vulnerability that identity thieves exploit to acquire identifying data, and the methods they use to do so. They fall into two broad categories: physical methods and electronic methods.

Physical methods

Mail theft

Criminals regard both incoming and outgoing mail as a potential target for identity theft. Incoming mail, for example, may contain solicitations for "pre-approved" credit cards. Identity thieves have been known to intercept these mailings, fill out the required information and mail back the credit card form, but falsely state that the recipient's mailing address has changed. As a result, the credit card is issued in the recipient's name, but mailed back to a new address chosen by the identity thief. The intended recipient may not realize that the solicitation was sent or that a new account was established without his or her authorization.

Outgoing mail from residences can also provide information valuable to identity thieves. Consumers who pay their bills by mail routinely include their bank cheques, which typically contain personal identifying information as well as bank account and routing numbers. Credit card bill payments are also likely to include payment stubs that show the consumers' credit card numbers.

For these reasons, identity thieves have been known to break into postal collection boxes and to steal incoming or outgoing mail from residential mailboxes. In some cases, identity thieves can amass large quantities of mail simply by driving along roads and removing mail from each roadside mailbox that has a red flag raised to alert postal carriers that the mailbox contains outgoing mail. The prevalence of this practice has prompted some law enforcement agents to refer to these mailbox red flags as "steal-me flags".

Example - Mail theft in Canada: Thieves stole the mail of a Canadian victim and got access to critical information such as credit card numbers. Using those numbers, thieves extended the victim's credit lines, applied for credit cards and opened fraudulent accounts. The thieves also robbed the victim of about $15,000.

Theft from residences and personal spaces

Criminals also target locations where individuals may believe they are unlikely to be victimized because they regard those locations as being under their personal control. Some identity thieves, for example, have exploited their legitimate access as workers to look for identifying data in others' residences or offices. Other identity thieves target cars in which the owners have left wallets or purses, and simply break the car windows to steal identifying or financial information. Still others resort to "dumpster diving", i.e., rummaging through garbage in dumpsters or trash bins to remove documents containing valuable personal information.

Electronic methods

Misuse of personal data in business transactions

Even in a public business setting (for example, paying for a meal in a restaurant or ordering merchandise in a retail store) identity thieves can make use of physical devices to ply their trade. Criminals, for example, are known to issue special devices known as "skimmers" to workers in restaurants, bars and stores. Skimmers are devices no larger than a pager or personal data assistant, which read the data on credit cards' magnetic stripe when someone swipes the cards through the skimmer. The persons using these skimmers can then provide the data from the skimmers to higher-level criminals, who can use the recorded credit card data to order merchandise or create counterfeit credit cards. In some instances, identity thieves have installed skimmers on the outside of legitimate financial institutions' ATM machines. These skimmers are carefully designed to look like they are part of the real ATM machines, but can be detached later by the identity thieves to retrieve the recorded data.

Phishing, spoofing and pretexting

Criminals who want to obtain personal data from people online are increasingly using a technique known as phishing. Consumers will receive "spoofed" emails (emails that appear to belong to legitimate businesses such as financial institutions or online auction sites). These emails will typically redirect consumers to a spoofed website, appearing to be from that same business or entity. Similarly, many consumers receive "pretext" phone calls (phone calls from persons purporting to be with legitimate institutions or companies) asking them for personal information. In fact, the criminals behind these emails, websites and phone calls have no real connection with those businesses. Their sole purpose is to obtain the consumers' personal data to engage in various fraud schemes.

Example - Phishing scam targets Royal Bank customers

In June 2004, the Royal Bank of Canada notified customers that fraudulent emails purporting to originate from the Royal Bank were being sent out asking customers to verify account numbers and personal identification numbers (PINs) through a link included in the email. The fraudulent email stated that if the receiver did not click on the link and key in their client card number and pass code, access to their account would be blocked. These emails were sent within a week of a computer malfunction that prevented customer accounts from being updated. The malfunction impacted payroll deposits that were scheduled to enter many accounts, leaving customers at risk of missing mortgage, rent and other payments. The Royal Bank believes it is likely someone tried to take advantage of the situation.

Example - Citibank customers besieged by phishing

In just one month (June 2004), Citibank was the target of 492 unique phishing attacks - more than any other organization. One recent phishing scheme falsely informed its recipients that there had been attempts to log into the recipients' Citibank accounts from a foreign Internet Protocol (IP) address. The email from the phishers also falsely stated that Citibank had established an offline verification system that the recipients could access by clicking on a link enclosed in the email. If a recipient clicked on the link, the legitimate Citibank website appeared in the background and a pop-up window, programmed to send the recipient's data to a completely different location, appeared in the foreground.

Theft from company or government databases

Law enforcement agencies in both Canada and the United States have noticed a significant increase in efforts by identity thieves to access large databases of personal information maintained by private companies and government agencies. Criminals have broken into offices to steal computer hard drives, bribed or compromised employees into obtaining personal data for them and hacked into databases.

Example - Identities stolen from company database

A temporary replacement worker assigned to the office of a national financial services company in Ontario stole customer profiles from the company database. The company had thousands of profiles in the database and was unaware that the thefts had taken place. Numerous medical doctors began finding themselves the victims of identity theft in the form of false applications for credit being attributed to their name. The profiles that were stolen contained complete financial data on the doctors and their families.

The fraud source came to light when an officer stopped a vehicle as part of a routine operation and found the passenger in possession of several profiles. The officer was unable to effect an arrest as no offence was being committed at the time. He was unaware that the profiles were stolen and no credit card data existed on the profile sheets. The officer had the presence of mind to have the documents photocopied and turned over to fraud investigators.

An investigation identified the source of the compromise and an acknowledgement from the company that they were the source resulted in charges against the employee. Over one million dollars in fraud was attributed to the data theft and the incident resulted in charges against four individuals, to date, including the occupants of the car originally stopped. This case had over 100 victims from across Canada and resulted in frauds being perpetrated across the country. Obtaining a complete list of victims was problematic because of the lack of correlation of victims' names between the credit grantors, the credit bureaus, the police, the victims and the source company.

The impact of identity theft

Identity theft causes two distinct types of harm to its victims. The first is direct financial loss. Depending on the type of fraud that a criminal commits with the aid of stolen identifying data, consumers and businesses may lose anywhere from a few hundred dollars to tens of thousands of dollars. Indeed, small e-commerce businesses may be particularly hard-hit by identity theft. Because of credit card association policies, an online merchant who accepts a credit card number that later proves to have been acquired by identity theft may be liable for the full amount of the fraudulent transactions involving that card number.

The second, more insidious, type of harm involves indirect costs that identity theft creates for its victims. Individuals whose identities are stolen may have their credit ratings and reputations damaged, if not ruined, for extended periods of time because of the fraudulent transactions that have been conducted in their names. Many victims report that it takes them months, if not years, and substantial personal expense to clear their credit ratings. In a 2003 survey conducted for the Federal Trade Commission, victims of all types of identity theft reported that they had spent an average of US$500 to repair the damage done by identity thieves. Victims of the most serious form of identity theft, involving the creation of new accounts and other frauds, reported that they had spent an average of US$1200 to repair the damage from identity theft. Moreover, the survey indicated that identity theft victims as a group had spent nearly 300 million hours (an average of 30 hours per person) in the preceding year resolving problems relating to identity theft.13

These indirect costs, in some cases, even include the risk that the victims of identity theft will be mistaken by law enforcement as the criminals. In the FTC survey, 4 percent of identity theft victims reported that criminals had misused the victims' personal information by offering the victims' names and identifying information when those criminals were stopped by law enforcement authorities or were charged with a crime.14 In rare instances, victims have even been arrested and detained by law enforcement authorities for a time before their true identity and relationship to the crimes could be established.

Although primarily economic in nature, identity theft can also have national security implications and an impact on social benefits and government services (welfare payments, driver's licenses, workers' compensation benefits, passports, birth certificates, tax refunds, etc.). Benefits going to individuals who are not entitled to receive them are a significant cost to governments and ultimately to the people of Canada and the United States.15

Efforts to combat identity theft

Both Canada and the United States have undertaken a variety of initiatives and legislative reforms to combat identity theft. As explained below, many of these initiatives are multi-sectoral, multi-jurisdictional and multi-agency, and extend beyond law enforcement.

Reporting identity theft

In an effort to acquire a better understanding of the scope and magnitude of identity theft, governments and the law enforcement community, with participation from the private sector, have established public reporting mechanisms.

Bi-national and national coordination

Identity theft-related issues cut across all jurisdictions and involve all levels of government, the law enforcement community and the private sector. In an effort to avoid duplication of activities and to ensure consistency across all jurisdictions and programs, a number of coordinating bodies have been established at the bi-national and national levels.

Prevention and mitigation

Preventing victimization and mitigating the impacts of identity theft on consumers and businesses are critical components of both countries' overall strategies to combat identity theft.

Legislative initiatives

A strong legislative framework is also fundamental to combating identity theft successfully. Since 1998, the United States federal government and nearly all state governments have adopted a number of measures to address identity theft.19

The way forward: Challenges and recommendations

The United States and Canada, like other countries, live in an increasingly open and fast-paced global environment, and benefit from the increased ease with which goods and information can be shared and transmitted across local and international boundaries. These same elements also lend themselves to cross-border criminality, including identity theft. While individual criminals are involved in opportunistic crime, organized crime is increasingly involved in systematic theft. Law enforcement authorities are concerned that the same aspects benefiting organized crime will be used by terrorists to finance or carry out attacks.

Now that the Internet is a permanent and valuable presence in our everyday lives, borders and jurisdictions have given rise to new vulnerabilities, increasingly exploited by criminals committing identity theft. Criminals can gather and disseminate sensitive personal data on the Internet through sites hosted by any Internet Service Provider (ISP) in the world. Similarly, "spoofed" websites, used to lure personal information, can be built and uploaded on an ISP anywhere in the world. Therefore, the location of the crime can become a problem for law enforcement and raises jurisdiction and coordination issues.

Like the telephone, the Internet is a powerful means of communications that can be used for lawful or unlawful purposes. Those who use it for criminal purposes exploit vulnerabilities that we must be able to identify and contain quickly. Timeliness, jurisdictional issues and coordination are some of the challenges in the fight against identity theft. This section details these challenges and recommends responses.

Coordinating public education initiatives

Challenge: The public is not fully aware of the pervasive nature of identity theft and its devastating impacts on their daily lives. Emerging trends, such as phishing, are expected to grow and to affect more and more people if appropriate actions are not taken to prevent victimization.

Recommended response: Coordinated public education and awareness initiatives involving both governments and the private sector should be continued to inform individuals, businesses and other entities that collect personal identifying information. These initiatives should address how to minimize the risk of identity theft and what to do if victimized.

Both countries should also be prepared to develop joint education and awareness initiatives, where appropriate, on specific identity theft-related problems as they arise. An example of this is the joint public advisory on phishing from the United States Department of Justice and Public Safety Canada issued at the 2004 Cross-Border Crime Forum.

Enhancing reporting mechanisms and enforcement

Challenge: The public needs to know where to report identity theft and what will be done with that information by law enforcement.

Recommended response: Both governments need to increase their efforts to inform the public about the existence of national points of contact to report identity theft, such as Canada's Canadian Anti-Fraud Centre and RECOL, and the U.S. FTC's Identity Theft Clearinghouse. There should be better coordination of law enforcement efforts at the national and bi-national levels in analyzing and using citizen complaints, as well as identifying trends and patterns, to foster more effective prosecution and disruption of identity theft operations.

Challenge: The private sector must also address the issue of reporting identity theft more systematically to law enforcement authorities. The selective reporting of this activity gives an incomplete image of the situation and may hamper efforts to protect the greater public good. Identity theft cannot continue to be treated as a business loss that may or may not be reported to the police.

Recommended response: The private sector and law enforcement should pursue discussions to enhance identity theft reporting to law enforcement. These efforts are likely to produce more concrete and lasting results in investigating identity theft.

Reviewing legislative frameworks

Challenge: The legislative sanctions applicable to identity theft need to keep pace with the constantly evolving nature of identity theft, notably its use of new technologies.

Recommended response: Governments at all levels in both countries should review the adequacy of their laws that apply to identity theft and, where appropriate, amend those laws to ensure that they provide sufficient scope of coverage and suitable criminal and civil sanctions. That review should include existing false-personation and fraud statutes as well as separate identity theft offences.

Improving document and data integrity and security

Challenge: The security and integrity of personal identification documents is an important part of protecting individuals and society at large from identity theft. Intrinsic to that is the very issuance and security of identity documents, particularly those that are the foundation in establishing a person's identity, such as birth certificates, passports, and permanent resident and citizenship documents.

Recommended response: Both countries should work, respectively, towards greater consistency and security in document issuance and verification processes. In Canada, such efforts should build on the work of the Federal/Provincial/Territorial Council on Identity, which has a mandate to develop a policy framework to govern documentation of individual identity issued by governments.

Challenge: There have been incidents where personal identifying information retained by the private sector has been wrongfully used, resulting in harm to individuals.

Recommended response: Both countries already have laws that govern the collection, retention and dissemination of personal identifying information. However, private sector entities - especially those that use and retain large volumes of personal identifying data or personal financial data - should review and, where appropriate, revise their internal procedures and policies affecting the security of those data. In some cases, this may mean improving information-security and physical-security measures; in other cases, this may mean closer scrutiny of employees who are granted access to large volumes of personal data.

Conclusion

Law enforcement, other government agencies and the private sector need to strengthen and better coordinate their efforts to combat identity theft, particularly with regard to the growth of identity theft in cross-border criminality. Governments in both countries should develop comprehensive approaches to identity theft, ranging from prevention to prosecution. In particular, reporting structures, legislative frameworks, public education initiatives and private sector involvement should be improved to reduce identity theft.


Date modified: