Identity Theft Numbers

One of the things I have learned writing this blog is that I have no power to predict which topics and posts are going to be popular. Sometimes I write what I think is an insightful and even controversial post and it gets five ho-hum comments and Socseccardfront - Michael Gogulski no links.  Then I write what I think is a forgettable few paragraphs on a unimportant  topic and next thing I know there are 30 impassioned comments and links to it all over the web.

My post last week on LifeLock’s legal woes fell into the surprisingly popular category. I thought it was a modestly interesting wrinkle on a rather unexciting topic.  I didn’t understand what a hot button identity theft is for some, and what a great business it is for others.

Controversy and money is a combination I can’t stay away from, so I decided I  needed to learn more about identity theft. It hasn’t been going that well.  It seems the more I read the more confused the picture gets and even answers to some basic questions become more murky and ambiguous the more I dig.

For illustration, here’s a paragraph of background info I found at the end of a LifeLock press release:

The Federal Trade Commission reports that this fast growing crime [identity theft] is costing Americans more than $1.8 billion annually, and that complaints have risen 50% from 2007 to 2008. Since 2000, identity theft complaints filed with the Federal Trade Commission have gone from 230,000 to 1.2 million, a 422% increase in nine years.

That seems like a fairly ordinary and factual pair of sentences.  A person who did not, as I do, live by the motto trust no one and check the math might happily accept the figures and move on.  I just can’t. It’s like a compulsive disorder.  Let’s examine those numbers.

$1.8 Billion

When I started looking into this, in a rare moment of optimism, I thought I would soon find a definitive and believable number for the total annual cost of identity theft in the US. It seems like such a basic thing. But estimates are all over the place.  The FTC came up with a figure of $47.6 Billion for 2003 and then in later survey $15.6 Billion for 2006. They blamed this difference on differing survey methodology, specifically cautioning against concluding that identity theft had become less of a problem between 2003 and 2006 and ignoring the more obvious conclusion that their numbers are just wildly inaccurate.

And the $1.8 Billion figure? The only mention of that number in the FTC’s latest report refers to the total cost to consumers of "fraud", a category that does not include identity theft.  Interestingly, although the report is full of statistics on identity theft, it has no estimate for its cost, either to consumers or to the economy as a whole.

230,000 to 1.2 million, a 422% increase

Again, those numbers are in the FTC report, but they don’t refer to what LifeLock says they do. Since 2000 the FTC has been building the Consumer Sentinel Network complaint database, of which they are obviously proud. For 2008 it gathered 1.2 million complaints, but only 26% of those were identity theft complaints.

And it is not, to say the least, clear that the 422% increase in the size of this database is indicative of an increase in crime. The CSN is an aggregation of many data sources that have been added over the years. In context, I suspect that the increase in the size of the database reflects only that the FTC has been bringing in more data. If nothing else, I think it is reasonable to assume that if they believed that the types of crime they were tracking had grown more than four-fold in the past seven years they would have mentioned it in the report. They didn’t, although they made a nice chart of the growth of the size of the database over that period.

So how many consumers suffer identity theft in a year?

This might be the most basic of questions.  The recent FTC report, based on consumer complaints, counted 318,000 for 2008. In any reasonable context, that’s a pretty big number. According to the Justice Department, it’s in the same ballpark as the number of robberies (445,125 in 2007) and about a third of the number of stolen cars (1,095,769).

But in the unreasonable context of LifeLock and the identity theft paranoia, that number is rather small. It’s only about a 0.1% of the population, orders of magnitude less than what is commonly asserted. Even the FTC’s 2003 and 2006 studies (which were based on phone surveys) pegged the percentage of Americans suffering identity theft at 4.6% and 3.7% respectively.

So which is it, hundreds of thousands or millions per year? The only honest answer is that I don’t really know.  But I’m leaning towards hundreds of thousands. I think there are more stolen cars. Stealing cars is easier, more profitable, and not a federal crime.

And there is a whole tribe of companies and people, led by LifeLock but including Suze Orman, countless experts, and even FTC bureaucrats, who stand to benefit from pumping up the identity theft numbers and the fear that goes with them. Nobody is going to benefit from talking the hysteria down, so on balance I am going to assume that the public perception of the danger is exaggerated.

[Photo: Michael J Gogulski.  His somewhat disturbing blog.]

No Comments

  • By Four Pillars, June 10, 2009 @ 8:44 am

    It’s Y2K all over again.

  • By Rob Bennett, June 10, 2009 @ 11:38 am

    We have a right to our identities.

    We don’t want to hear that there is even a chance that our identities can be stolen.

    The individual loses faith in the society when the society fails to act properly on such core questions. Trust is lost. When trust is lost, there is social breakdown.

    We are NOT numbers. We are people. Knowing that the number of cases of this happening is not large in relative terms does not satisfy.

    Can it happen? If the answer is “yes,” that’s the wrong answer. How did we ever get to a place where something like this could happen and where the innocent party could not fix things quickly and with ease?

    We all accept that people get sick and die and this sort of thing. These things are a sad part of life. We will not accept it if trampoline manufacturers build their products so that they cause serious injuries to children. That’s not acceptable.

    Even if only a tiny percentage of the population uses a trampoline each year, it is still not acceptable. The problem needs to be fixed.

    When efforts are made to fix the problem, those things that cannot be fixed become acceptable. That’s something different.

    That’s not where we are today with identity theft. We all have heard stories where the way it played out was 100 percent unacceptable. Our society has failed. Most of us do not want there to be ANY chance whatsoever of these totally unacceptable things happening to us.

    Rob

  • By Kosmo @ The Casual Observer, June 10, 2009 @ 12:32 pm

    We just need the implantable chips. Chip readers for computers and phones to allow e-commerce. The data is encrypted and needs information from the person’s DNA in order to decrypt for transactional use (different data would be needed every day, to make this a moving target).

    Ah, Utopia, you are not far away.

    ;)

  • By tm, June 10, 2009 @ 3:12 pm

    “Stealing cars is easier, more profitable, and not a federal crime.”

    Since I do not have any hard numbers on profitability, I will say that the typical car thief is at greater physical risk, and at greater risk of being caught, prosecuted and sent to make license plates. In my experience, local law enforcement could care less about your credit card info being stolen (I’ve usually just been given a case number and a fairly useless pamphlet on ID theft), since to them it is “not real” (a direct quote I heard from a local cop). But cars? Them cars are real, unlike ephemeral lines of data in a bank’s database, and most local police have years of experience busting car thieves.

    Also consider that ID thieves, especially those that traffic in stolen CC info (“carders”), have pretty good online infrastructure to quickly filter through their hauls of stolen data and automate much of the work that needs to be done, all from the comfort of their undisclosed locations. It is certainly less laborious than stripping a car for parts.

    The most severe form of ID theft results in a criminal being able to open accounts with financial institutions in the name of the victim and running up a big tab, which should leave a record with the big 3 reporting agencies, which, by the way, offer a whole panoply of services to detect such a thing. Or you could just pull a free annual credit report and check it. The far more common is the stealing of credit card information, in which the victim is usually the bank that issued the card, since they’ll take the hit after the cardholder runs through a few hoops. Either way, it’s more of an annoyance to an individual who has to deal with it, and it is something that’s fairly easily caught and rectified (if it’s caught early), with little or no actual monetary loss to the individual. So it is entirely possible you can have 3-4% of the population “victimized” by “identity theft”, given that a single carder can steal many credit cards in an automated fashion, or say, a company (Choicepoint) loses a whole bunch of data to thieves, but in the end most of those people would not be out a penny (zero liability).

    BTW, if you’re planning on setting up a bogus CC account, don’t use Disneyland’s phone number on the application, as one guy tried on me. The bank (Advanta) figured that one out pretty quick and sent a nice letter. I had a pretty good chuckle with their fraud person on the phone. I’ve since stopped all credit card offers from being sent to me, through the prescreen opt-out site.

  • By hickchick, June 10, 2009 @ 8:43 pm

    Awesome idea with the chips. Between that and stop light cameras at every intersection and individually mandated insurance. Bring on the totalitarian nanny government.

  • By dawn, June 11, 2009 @ 11:22 am

    It’s hard to agree with you when you say the public perception of the problem of identity theft is exaggerated when there are widely disseminated news accounts, on a regular basis, it seems, of widescale computer break-ins that expose millions of consumers’ Social Security numbers, credit card numbers, etc. The TJ Maxx debacle in 2007 was one, and now we have the Heartland Payments systems breach, which could easily dwarf the TJ Maxx episode which exposed 94 million account numbers.

  • By Frank Curmudgeon, June 11, 2009 @ 11:31 am

    Dawn: Uh, yeah, it is exaggerated. Mostly becuase of wildly disseminated news accounts on a regular basis of widescale computer break-ins. How many instances of identity theft resulted from the TJX episode?

  • By GPR, June 11, 2009 @ 12:02 pm

    Just wanted to say that these logic/math posts are my favorites.

  • By Bud, June 11, 2009 @ 5:43 pm

    Identity theft is like a lot of things in life – not a big deal until it happens to you. Someone only needed my name and SS number to open an account at a retail store and quickly charge $4,000 to my name.

    I spent many hours, over the course of many weeks, cleaning up the mess, and ended up with a thick file and another life lesson.

    The bank that issued the credit card to the thief had me file a police report, and it was obvious from talking to the police that nothing would be done about it.

    But even after all that, I chose not to use a service such as Lifelock.

  • By tm, June 12, 2009 @ 6:46 pm

    “How many instances of identity theft resulted from the TJX episode?”

    from: http://www.securityfocus.com/news/11493/2
    “As of June 2007, Visa established that 65 million unique accounts had been compromised because of the breach, Majka stated. Mastercard International estimated that at least 29 million cards of its cards had been compromised, the card company’s Director of Fraud Management Neil Maguire stated in an excerpt from his September 27 deposition.”

    But that, I know you’ll say, doesn’t answer how many people ended up with losses from this fine example of how not to secure your network.

    I think the main point to understand is that for consumers, the threat is greatly exaggerated, especially for credit card holders, where in the US, the liability for fraud is zero. While there was a class action lawsuit filed on behalf of victims (settled with 3 years of dubious “ID theft protection” services), the more serious lawsuit TJX faced was from bankers associations, which they also settled, but for a lot more. As consumers, the numbers are scary, and the media drumbeat only reinforces that, and it’s all hype. The people who should be scared are the banks that need to cover these losses, and who are dealing with retailers who don’t have much of an interest (or talent) in protecting themselves, let alone the banks.

  • By getagrip, March 10, 2010 @ 5:07 pm

    I agree that it doesn’t seem like a big deal until it happens to you or someone you know. My mother in law’s employer had her purse stolen. Within four hours there were thousands of dollars charged on her current credit accounts, new accounts were openned not only that day but in the following days and immediate charges placed on them. In this case, because it was a purse snatching and the thieves were actually caught two weeks later still trying to open new accounts, the cops had something to charge them with locally, so they did. Since the thieves had all her information, she began receiving threats against her and her children on her cell phone, home phone, work phone, and dropped off at her house and place of business. They canceled her gas and cut off her electricity in the middle of winter (she had bills she was going to mail in her purse at the time so they had the account numbers). Admittedly this happened a while back, but for years she had trouble because the credit bureaus did a crappy job of clearing the bad information which seemed to keep popping up.

    Do banks really care? No or they would be going after these thieves a lot harder.
    Did she actually have to pay anything? In the end, no. Was it a major source of worry and aggrevation over the course of years? Yes. Did it take many, many hours of time dealing with it? Yes. Did it affect things they could do? Sure, aside from the fear factor of someone threatening your kids potentially restricting your activities, it affected new car loans, a new home loan they were in the process of moving to, and other parts of their financial life.

    I fail to see many “minor” ID theft issues when every other month we’re getting a cold call claiming they need our checking account number to keep from having someone pull a couple of hundred out of the account, and could we please read that number off the check.

Other Links to this Post

RSS feed for comments on this post. TrackBack URI

Leave a comment

WordPress Themes