Identity Crime in New Zealand 2015 to 2019

causes

cures

curses

[Figure: Avge Weekly Caseload (2015-2019); vertical axis 0 to 120, monthly axis Mar-15 to Aug-19]

From March 2015 to August 2019

• 9,328 identity theft cases

• 3,987 hours of counselling support

• 27,891 identity credentials stolen

• 132,490 breached person events

causes

[Figure: How are New Zealanders having their identity compromised? Percentage axis 0.0% to 20.0%]

Mostly occurs over the phone (~ 22%)

Identity theft system attributes

• 72.6% of New Zealanders are in direct communication with the criminals responsible for stealing their information

• 76.6% of persons responsible for stealing identity information from New Zealanders are thought to reside overseas

• One in ten New Zealanders to experience identity theft have no idea where criminals got their personal information

• Around half of New Zealanders impacted by identity theft reside in one of fifty postcodes – overlays the population distribution

[Figure: Who initially detects identity theft? Percentage axis 0.0% to 90.0%; categories: Credit Reporting Bureau, Other, Police, Debt Collector, Other Organisation, Breached Organisation, Financial Institution, Family / Friend / Bystander, Self-Detected]

| Identity Information Targeted | % |
|---|---|
| Passport Information | 21.2% |
| Driver Licence Details | 19.7% |
| Credit / Debit Card Details | 13.7% |
| Bank Account Details | 13.7% |
| Mobile Account Information | 10.9% |
| IR Number | 7.7% |
| Email Username / Password | 4.8% |
| Birth Certificate | 2.2% |
| Network / Device Login | 2.2% |
| Superannuation Account Details | 2.0% |
| Utility Account Information | 0.8% |
| Online Banking Login Details | 0.6% |
| Other | 0.6% |

So what “identification” is being stolen?

What do we know about targeted credentials…

• In a twin-track identity economy like New Zealand, criminals will favour the traditional over the digital (for now)

• The most targeted credentials are those pieces of information that afford the greatest access to money, accounts and credit

• On average New Zealanders who experience identity theft will have 3.4 different identifiers stolen

• Combinations matter, so too does the intention of the criminals in their misuse

So what happens next? The misuse picture

| Misuse Type | % of Cases |
|---|---|
| Access Bank Account | 28.7% |
| Fraudulent Debit / Credit Card Access | 16.0% |
| Fraudulent IR Lodgement | 6.8% |
| Send Unauthorised Emails | 5.8% |
| Set Up New Phone Account | 5.5% |
| Acquire New Personal Loan | 4.9% |
| Change Online Passwords | 4.7% |
| Manipulate Social Media Account | 3.1% |
| Unauthorised Port of Phone | 3.1% |
| Avoid Traffic Fine | 2.7% |
| Provide False Statement to Police | 2.3% |
| Open Social Media Account | 2.3% |
| Install Malware | 2.1% |
| Open New Bank Account | 1.9% |
| Remote Access | 1.8% |
| Create Utility Account | 1.8% |
| Other | 1.8% |
| Redirection of Mail | 1.6% |
| Spoofing of Number | 1.4% |
| Obtain Investment | 1.2% |
| Access Superannuation | 0.6% |

Who is being targeted as a site of misuse?

Misuse Sector / Industry Targets

• Banking: 52%

• Telecommunications / ISPs: 14%

• Government: 13%

• Other: 10%

• Social Media: 5%

• Policing / Enforcement: 2%

• Investment & Superannuation: 2%

• Utilities: 2%

Misuse

• Average loss from identity theft $12,213

• Average time taken responding: 25.3 non-consecutive hours.

• They will make around 17 phone calls and write around 15 emails across thirteen different organisations over the space of four weeks following initial detection.

• Around one in three will experience more than one misuse event (additional crimes to come from the initial identity theft).

cures

• It takes identity thieves 6.7 days to misuse a stolen identity

• It takes individuals around 18.9 days to detect the compromise of their identity.

• If an organisation is the detection point, the detection / notification timeframe jumps to an average of 36 days.

• The type of compromise event influences both the detection point and the timeframe:

• Telephone scams – detection within 2 days, predominantly by individual or their family / friend and misuse within 1 day

• Relationship scams – detection within 287 days and misuse within 38 days

Misuse Picture – What we are trying to avoid

• Around 77.6% of the identity misuse experienced by New Zealanders could have been prevented if the consumer had prior warning about the compromise.

• 22.4% of identity misuse has no preventative “cure”, such as:

• Mail redirection

• Establishment of transaction account

• Providing false statements to police

• Avoiding traffic infringements

• Unauthorised mobile phone porting

• Establishment of fake social media and email accounts

curses

• Megan’s research followed the journey of 211 individuals across Australia and New Zealand over 12 months post the theft of their identity credentials.

• Each had received specialist support and counselling by IDCARE Case Managers.

• Each experienced identity theft events that mirrored the broader population’s experience (more telephone scams than relationship scams etc).

• Kindly funded by the Australian Criminology Research Grant Scheme.

• She applied Event Analysis of Systemic Teamwork, a human factors method, to understand the interplay between task networks, information networks and social networks in the identity theft response system.

your curse….

The response system has a very high dependency on the individual victim to perform repetitive tasks, including disclosing sensitive personal information via channels that are often the same as those used by identity thieves to acquire their compromised information in the first instance.

Many respondents felt re-victimized during the response period.

Individual victims were identified as having to perform 45 of the 63 tasks captured in analyzing the identity theft response system. The passage of information across the system is also highly leveraged on victims to perform – with 29 of 37 information sharing activities dependent on individual victims.

Megan’s research also revealed

• 14% did not follow their response plans.

• Primary reason – the response requirements were too onerous, particularly CRBs

• One in four respondents indicated that they were still experiencing on-going issues 12 months from their initial detection

• 15% of all clients were still trying to investigate and recover their financial losses 12 months on.

• 36% of individuals indicated that they had experienced other compromise events in the first 12 months, mostly relating to data breaches

• 13% of individuals received notification of further misuse of their compromised credentials, mostly relating to credit applications.

When clients engage, we ask them what they have experienced during their response.

[Figure: Dissatisfaction Drivers - Percentage of Clients; percentage axis 0% to 30%]

Here’s what they’ve said over the past month…

Felt bashed when I went there. I felt awful, they said 'you people give money, then more and more money’. I went to a different station and he was fantastic. I was crying and he said ‘don't worry. No they are not going to come to your house’. I honestly wanted to kill myself. (Law Enforcement Agency)

They didn't care and told me not to worry about it. It wasn’t my problem it was the banks. They told me to google credit reports online and he didn't know which organisation to deal with. (Law Enforcement Agency)

Online Payment Provider said I have to pay the bill then they would investigate. I don't have $1000 to pay for a bill that isn't mine! (Online Payment Provider)

Telco have told me that it will take 4 months as they have a back log of cases. They have not assigned a case manager to my case as yet. This plan was requested and done over the phone. I hope it does not take them that long to assign me with a case manager. I'd like for them to explain how this could happen. When the DL number does not match mine. The spelling of the name is slightly incorrect also. (Telco)

They allowed the porting so not happy - made 3 phone calls to them and all advice was wrong. Was told to go to a shop the next day but the fraud team are not in a shop and weren’t available until Monday. Telco blamed the bank and the bank blamed Telco.

They are being difficult and are demanding that I provide a police report number in order for them to investigate but the police will not write one up because the misuse happened overseas. Basically I'm stuck between a rock and a hard place. (Financial Institution)

What I’m really concerned about is they told me that more serious things have occurred but they can’t tell me what they are??? I’ve been racking my brain trying to think of all of the things that these people have been using my wife’s ID for. (Law Enforcement Agency)

Telco rep in branch told me that the account doesn’t match my driver licence so I won’t have to worry about it, despite the debt collectors calling me repeatedly. (Telco)

“disheartening”, the bank said, “that’s not fraud my love, you've been scammed”. (Financial Institution)

Unsatisfied they haven't closed the account 6 months on. I’m still receiving statements. (Financial Institution)

Started off with a phone call. I later discovered they had linked government services. I called them and explained what happened. She said look they have accessed the account and they got an advance on my tax refund. She offered to help her cancel the online stuff, then transferred me to relevant tax people and they treated me like a criminal and said I was responsible, and have to prove it wasn't me. I then spoke with someone else who said, well you shouldn't have spoken with Ministry A, you still have to call Department B. Very disjointed. (Government Agencies)

Couldn't help because mum didn't have any photo ID. (Government Agency)

Just a reporting mechanism when what I really wanted was to be able to speak with someone. (Law Enforcement Reporting Mechanism)

www.idcare.org
