Identity Theft and Society: What's in it for me?

Identity Theft and Society: How does it affect me?

IDENTITY THEFT AND SOCIETY:HOW DOES IT AFFECT ME?

TABLE OF CONTENTSIntroduction – What is Identity Theft?...........................................................................1Identity Management: What is it to me?........................................................................5Costs of Identity Theft and Fraud................................................................................12Conculsion: Protection and Security Strategies...........................................................14Reference List..............................................................................................................18

PAPER BACKGROUNDIdentity theft and fraud against individuals, corporations and governments across the industrialised world is measured in billions of dollars annually, causing significant difficulties for those involved in monitoring and resolving the effects. The development and expansion of electronic technologies have allowed fraudsters to expedite such activities across multiple jurisdictions with near anonymity whilst leaving those affected with months, perhaps years, of hard toil to recover.

Additionally individuals, corporations and governments have been institutionally lackadaisical with securing critical information and systems, allowing a back entrance to be left effectively unguarded for exploitation by identity thieves and fraudsters. The 2007 U.K. Revenue and Customs data breach, data losses by U.S. government agencies and educational institutions, and the Australian Tax File Number system with millions of excess entries demonstrate that an attitudinal and cultural overhaul – throughout the industrial world – is desperately required.

The aims of the paper are to:1. Outline the history of identity theft and fraud;2. Illustrate what identity management means for individuals and groups

within the industrial world;3. Quantify and explain the costs and impacts on individuals,

corporations and governments; and4. Outline possible strategies on how to balance online security and

privacy with effective interaction on commercial, social and governmental matters.

Table of Contents and Paper Background

Identity Theft and Society: How does it affect me?Introduction: What is Identity Theft?

INTRODUCTION – WHAT IS IDENTITY THEFT?

Identity theft – and the broader concept of identity crime – has become a

complex and challenging issue for individuals, corporations and government

agencies across the world during recent times. The advent of various online

technologies has facilitated the ability to gather personal identifying

information (PII) with minimal monetary outlay. In addition, lax standards

and security measures have indirectly assisted in providing PII to those who

wish to ghost or otherwise individuals or to commit some form of fraud.

A common definition of identity theft – and of identity crime – is by no means

established by authorities or the community at national or international forums

(OECD 2008, p. 3). Direct and indirect costs – financial and other – vary

according to how identity crime is defined (OECD 2008, p. 4) in each

jurisdiction. Statistics, where they are gathered, are collected differently

complicating effective cross-border comparisons (OECD 2008, p. 4)

To provide some scope of the concept of identity theft – one scenario occurs

when one person utilises personal identifiers of a second person to

fraudulently or otherwise illegally obtain or access goods, services or financial

benefits (Arata Jnr 2004, p. 5) or to otherwise impersonate that individual in a

legal context (Vacca 2003, p. 4). The OECD (OECD 2008, p. 2) defines

identity theft as when one party acquires, transfers, possesses or uses personal

information of a natural or legal person in an unauthorised manner with the

intent to commit, or in connection with, fraud or other crimes.

From an individual’s perspective, the advent of networking websites over the

past decade – whilst allowing increased social interaction globally has

facilitated the ability of swift collection and aggregation of personal

information, allowing an electronic ‘cloud’ of disparate information on

individuals to be collected with minimal input or reference from external

agencies.

Page 1

http://www.oced.org/


The consequence of the proliferation of information availability on

individuals, government agencies and corporations, particularly in an

electronic context, is to assist in the facilitation of the collection of PII by

identity criminals in a surreptitious manner, enabling the criminals to conduct

nefarious activities with minimal physical interaction with the target, their

associates or government agencies.

Identity concerning individuals can be classified into three distinct

components (Mills 2007, pp. 14-18):

1. Biometric: Unique physical features distinguishable to the individual at birth;

2. Attributed: Identity components acquired at birth – including the name of child and parents, location and date of birth; and

3. Biographical: Identity components acquired over an individual’s lifetime.

The U.S.-based Identity Theft Resource Centre (ITRC) categorises identity

theft into four major categories:

1. Financial: The use of personal identifiers to improperly obtain goods or services;

2. Criminal: Posing as another person when apprehended for an alleged crime;

3. Cloning: Utilising personal identifiers for daily living; and4. Business and Commercial: The utilisation of corporate identifiers to

impersonate or target a specific organisation.

The Australian-based Independent Commission Against Corruption (ICAC

2006, p. 15) has further defined the broader issue of identity fraud – of which

identity theft is one component – as being:

1. The dishonest misrepresentation of any major aspect of identity, whether or not supported by documentation;

2. The fraudulent use of business or corporate identifiers;3. The misuse or theft of an individual’s username or password to

assume the individual’s identity on a computer system to procure information or benefits; and

4. Public officials misusing their position to:(a) Steal, alter or otherwise misuse paper or electronic records

pertaining to a third person held by the agency;(b) Fraudulently create identity documents; or(c) Create or assume false identities.

Page 2

http://www.icac.nsw.gov.au/

http://www.itrc.org/


The growth of electronic networks, coupled with the availability of storage

facilities to corporate and government entities, places data integrity at risk of

being compromised or breached. A data breach event occurs when “an

organisation’s unauthorised or unintentional exposure, disclosure or loss of

sensitive personal information” (Peretti 2009, p. 377) to external entities.

Those wishing to illicitly gain access or to obtain PII, a number of

“traditional” methods can be utilised (OECD 2008, p. 3 Box 1; Vacca 2003,

pp. 8-9) to obtain such information:

1. Dumpster Diving;2. Pre-texting;3. Shoulder Surfing;4. Record Theft;5. Theft of mail, wallets, purses containing PII or bank cards;6. Fraudulently obtain credit reports posing as a representative with

legitimate requirement for information;7. Gather or purchase of personal information from “inside” sources; and8. Completion of a change of address form to divert mail to another

destination.

Coupled with the strategies reviewed above, numerous online strategies for

gathering PII have been developed with the growth of the internet and

electronic networks worldwide. Such methods include (OECD 2008, p. 4):

1. Phishing: Where false identifiers of an organisation are utilised in an attempt to lure clients into disclosing PII on the fraudulent website;

2. Pharming: The use of false identifiers (similar to those used in phishing attacks) to redirect users from authentic to fraudulent sites;

3. SMiShing: Where text messaging is utilised to ‘alert’ customers to use of services being charged at a certain dollar amount per day unless service is cancelled; and

4. Spear Phishing: Originator impersonates other staff member to obtain access codes with aim to access computer system under stolen codes.

The strategies outlined above allow identity criminals to collect PII and other

information in a surreptitious manner, usually without the organisation or

individual being aware of the intrusion until (sometimes well) after the event.

The ability to conduct a “successful” operation is to mimic the target site as

realistically as possible.

Page 3


Particular tactics associated with the strategies include (OECD 2008, p. 3 Box

2; Vacca 2003, pp. 8-9; Warren & Streeter 2005, p. 164):

1. Malware;2. Spam;3. Phishing (described above);4. Hacking;5. Gathering of information that users share on the internet;6. Gain access to corporate or governmental databases that contain

personal information – whether by direct hacking or through inside contacts;

7. Harvesting published data though online searches or “Who’s Who”-type publications;

8. Utilise technology to raid or hack the target’s computer to obtain the required information; and

9. Utilise deception by impersonating someone in authority to deceive the target into voluntary disclosure of information.

The most high profile data breach event occurred in the United Kingdom

during November 2007 when two CD-ROMs utilising minimal security

measures and containing information on 7.25 million families claiming family

tax benefits (comprising half of the total population) were lost via internal

mail. The CD-ROMs have yet to be recovered, posing a current and ongoing

threat to those families affected.

A 2006 study highlights three underlying factors facilitating the success of

phishing attacks (Dhamija 2006, pp. 582-583):

1. Lack of knowledge: Covering both computer systems and security indicators. Users are unaware of how various online technological aspects operate and how to distinguish between valid and forged aspects (email headers, website URL) or processes (SSL locks and placement on webpage, security certificates).

2. Visual Deception: Various attempts to mislead users via deceptive text; images masking underlying text; images mimicking or masking content or windows manipulation; and deceptive look and feel requiring users to carefully view the site to ensure validity.

3. Bounded Attention: Even if users are familiar with strategies outlined in Steps One and Two above, they can still be duped if they fail to notice the presence (or absence) of security indicators associated with a valid site.

Page 4

Identity Theft and Society: How does it affect me?Identity Management: What is it to me?

IDENTITY MANAGEMENT: WHAT IS IT TO ME?

The issue of identity management for individuals, government agencies and

corporations has become particularly significant since alternative methods of

cash payments have been available to participants (Schreft 2007, p. 5). The

occurrence of large scale data breaches has become feasible recently with the

advent of electronic payment mechanisms, particularly those associated with

non-bank merchants, coupled with the rise of corporate and governmental

databases containing information suppliers, customers and citizens.

Research conducted by Standards Australia during 2003 indicated that identity

theft is becoming the most important fraud-related theft within the Australian

economy and that Australian organisations are ill-prepared to detect and

prevent it (QPS Major Fraud Investigative Group, p. 28).

In addition, recent statistics published by various Australian security firms, the

United States, United Kingdom and Australia are the top three countries

susceptible to Phishing-related attacks (Bajkowski 2009, p. 34),

In 1997, David Shenk documented 13 Laws of Data Smog (p. 11) that

highlighted issues that concerned information overload – the “noxious muck

and druck of the information age” (Shenk 1997, p. 31). The 1997 laws are:

1. Information, once rare and cherished like caviar, is now plentiful and taken for granted like potatoes;

2. Silicon chips evolve much more quickly than human genes;3. Computers are neither human or humane;4. Putting a computer in every classroom is like putting a power plant in

every home;5. What they sell as information technology but information anxiety;6. Too many experts spoil the clarity;7. All high-stim roads lead to Times Square;8. Birds of a feather flock virtually together;9. The electronic Town Hall allows for speedy communication and bad

decision-making;10. Equifax is watching;11. Beware stories that dissolve all complexity;12. On the information superhighway, most roads bypass journalists; and13. Cyberspace breeds libertarianism.

Page 5


In 2009, a vox-pop survey conducted by a Queensland-based regional

newspaper highlights the overall ignorance concerning identity theft across the

demographic divide.

Comments like “I lock my doors” (elderly male); “I have never been in that

situation” (middle aged female); “It doesn’t worry me” (twenty-something

male); “I don’t give details out ever” (primary school aged male); “I don’t use

the internet much” (primary school aged male) and “I live in a quiet area”

(elderly male) (Bundaberg News-Mail 2009, p. 5) serve to emphasize the

reactive nature of some segments of the population to the non-electronic

mechanics of identity theft.

The 2007 ITRC study illustrates the battle that individuals have when dealing

with identity crime. Even though the majority of discoveries have occurred

during the first year post-incident, over ten percent of cases are discovered

three years plus after the event – allowing substantial time for identity

criminals to establish a ghost identity of the victim. Even the three month

discovery statistics is disturbing with a five percent slippage from 2003 to

2007. The ability for individuals and law enforcement agencies to detect and

track identity criminals is predicated on timely and effective proactive

mechanisms from organisations and individuals themselves.

Page 6


Figure 1 - Time elapsed (months) between first incident and victim response 2003 to 2007 (ITRC 2008, p. 16 Table 8)

Congressional testimony in the United States during 2000 demonstrates how

debilitating and long lasting identity crime can be (Privacy Rights

Clearinghouse 2000). The ability to assume someone else’s identity to fulfil a

fantasy, to ‘disappear’ from society or even to conduct criminal behaviour

impacts on the individual, corporations and government agencies in

administrative, financial, resource and social terms.

From a corporate and government agency perspective, attitudes towards

information security are just as muddled. A recent independent audit

conducted by the Queensland Audit Office (Passmore 2009) of eight

government agencies highlighted that six had no or minimal measures to

monitor network resources for unauthorised intrusions, facilitating the

unauthorised access to network resources and to gather PII to go unreported.

Despite the minister Robert Schwarten’s assurance that “under no

circumstances under which people’s private records have been accessed”, the

audit revealed that measures are not in place to ensure that PII – or broader

network security – are not compromised or reported when such events occur.

USA Identity Theft 2003 to 2007Months elapsed between first incident and victim discovery

0%

10%

20%

30%

40%

50%

60%

Calendar Year

Victim Percentage

0 to 3 42.0% 33.0% 46.0% 37.5% 47.7%

4 to 6 11.0% 16.0% 11.0% 10.9% 12.0%

7 to 12 11.0% 13.0% 7.0% 13.5% 12.6%

13 to 18 13.0% 5.0% 12.0% 4.2% 8.7%

19 to 23 4.0% 8.0% 6.0% 7.8% 4.6%

24 to 36 9.0% 8.0% 5.0% 8.3% 5.2%

37 plus 11.0% 17.0% 13.0% 17.7% 9.2%

2007 2006 2005 2004 2003

Page 7


Several recent analyses have debunked the perception that identity crime is

principally – or solely – based online. A Pronemon Institute study indicates

that nine million Americans have their identity stolen annually; with some 200

million data breaches since 2005 – 85 million breaches during the first quarter

of 2008 alone (Prosch 2009, p. 58). In Australia, data breaches cost some $6.3

million during 2007, averaging $197 per record compromised (Prosch 2009, p.

58)

In addition, the multi-year Javelin Study on identity theft seems to supports the

Pronemon Institute study, though with differing methodology. The 2007 study

highlights that the majority of identity fraud being conducted through

traditional mechanisms (Attorney General Department 2008, p. 10). The

Identity Theft Resource Centre’s Identity Theft: The Aftermath 2007 survey

(2008, p. 3) reports that the average time to resolve damage at 116 hours for

existing account theft and 157.87 hours for new account theft.

The Australian Bureau of Statistics published the first ever Personal Fraud

analysis during June 2008. It highlighted the direct personal impact of identity

theft. During the 12 months prior to the survey period (July to December

2007), the following was recorded:

124,400 persons were identified as victims of identity theft, with males comprising 56% and females comprising 44% of victims;

The 25 to 34 age group was the highest percentage victim group (34,400 or 28%);

16% (20,100) persons reported a financial loss associated with most recent incident

57% reported the incident to law enforcement, financial institution or other formal entity and 43% reported the incident to some other agency.

Recent media reports (Walker 2006, Anon 2005) have estimated the costs of

identity crime in Australia between AUD$1 billion and AUD$4 billion

annually. The United Kingdom suffers similar costs and the USA suffered a

record $56.6 billion against consumers (Anonymous 2009). Worldwide, the

costs are estimated at approximately US$2 trillion annually and are rising.

Page 8


Despite the quantity of studies and analyses available, no common legal

definition of identity crime (and its components identity theft and fraud) have

been agreed upon for national – or international – purposes. Consequently,

effectively measuring the financial cost (both direct and indirect) to

consumers, governments and corporations from an independent perspective is

challenging, resulting in the confusion by the community as highlighted by the

Bundaberg News-Mail May 2009 Vox-Pop survey.

From a general corporate perspective, human resource departments are a high

value target for the misappropriation of PII for use in identity theft (Calvasina,

Calvasina & Calvasina 2006, p. 25).

Recent examples of high profile data breaches highlight the complex nature of

this – in the United States, companies suffering inadvertent or deliberate

breaches include Time Warner, Eastman Kodak, Bank of America, Boeing,

Ford and Equifax. The Time Warner breach involved approximately 600,000

PII of current and former employees being disclosed in an unauthorised

manner (Calvasina, Calvasina & Calvasina 2006, p. 25).

A burglary in May 2006 involving the theft of a laptop and external hard drive

at a US Department of Veterans Affairs employee residence netted PII of up to

6½ million veterans. Despite agency rules prohibiting such situations, the

computer equipment was at the employee’s residence (Calvasina, Calvasina &

Calvasina 2006, p. 25).

The current identity framework poses a risk not just to individuals, but to

organisations and the broader payment system as identity theft undermines the

agreed framework between participants (Schreft 2007, pp. 5-6), resulting in a

migration to less efficient payment mechanisms (Schreft 2007, p. 6) or the

abandonment of any form of payment mechanism.

Page 9


Various countries have, over the past decade, enacted identity-crime related

statutes (sometimes at state, other times at national levels) in an attempt to

combat this type of crime. In Australia, the New South Wales Attorney

General John Hatzistergos proposed introducing identity fraud laws during

July 2009 (ZDNet 2009). In addition, an offence relating to identity crime has

been on the federal statute book since the mid-1990’s.

In the United States of America, the passage of the Identity Theft and

Assumption Deterrence Act (ITADA) of 1998 (Schreft 2007, p. 7) was one

element in an attempt, at the federal level, to combat identity theft. The scope

of identity theft under this act is defined as the “knowingly transfer, possession

or usage of any name or number that identifies another person with the intent

of committing or aiding and abetting a crime” (Schreft 2007: 7).

Advocates argue that the above definition is broad enough to encompass a

person’s unique identifiers including voice and finger prints. In addition, other

federal statutes that combat identity theft include (Roberson 2008, pp.16-21):

Drivers Privacy Protection Act of 1994; Customer Identification Program Rules; Gramm-Leach-Bliley Act (Title V, 15 U.S. Code sections 6801-

6809); Fair Credit Billing Act; and Fair and Accurate Credit Transaction Act.

Despite various legislative efforts since the mid-1990s, the complexity of the

USA’s government-sponsored document issuance systems is immense. As of

2003, a total of 240 different driver licence formats were in circulation and

approximagtely 10,000 agencies were authorised to issue birth certificates

(Sullivan 2004, p. 129). The complexity of these systems is highlighted by the

United States Postal Inspection Service – between October 2002 and June

2003, a total of 2,264 arrests were made deriving from mail theft

investigations (Sullivan 2004, p. 162).

Page 10


Other industrialised countries deal with the criminality aspect of identity

crime, particularly against individuals, in various manners – however, the

measures mentioned above are probably the vanguard of efforts (at national or

international levels) in dealing with identity crime.

One recent effort undertaken by three countries – the USA, United Kingdom

and Australia – has been the promotion and development of some form of

electronic-based identity or access card system ostensibly to combat identity

crime and fraud against the public purse. Ignoring the rushed nature and

under-funding associated with each of the systems, the continual shifting

technical requirements and other technological issues involved in systems

rollout and maintenance, each system (if fully implemented) would provide a

“honey pot tree” for identity crime thieves to collect and collate PII from a

single source, rather than from multiple sources as currently occurs.

Page 11

Identity Theft and Society: How does it affect me?Costs of Identity Theft and Fraud

COSTS OF IDENTITY THEFT AND FRAUD

Calculating accurate figures relating to identity theft and fraud is challenging.

A lack of accurate data, coupled with differing definitions of what constitutes

an identity crime, impairs effective independent analysis of identity theft

(OECD 2008, p. 3; Newman & McNally 2005, p.30; Schreft 2007, p. 13;

Attorney General Department 2008, p. 9). In addition, incidents of

organisational and government data breaches are occurring on an almost a

daily basis (Schreft 2007, p. 14).

The impact of identity crime impact in various ways on victims, including

(Attorney General’s Department 2008, pp. 4-5):

1. Financial: both direct (loss of funds, costs associated with investigation and prevention of future events) and indirect (reputational loss, restoration of credit history, opportunity cost from benefit-generating activity);

2. Psychological: Trauma, stress and reduced societal interaction;3. National Security: Crime groups utilising identity crime for people

smuggling or other illicit activities; and4. Other: Obtaining products and services not entitled to.

A review of available sources indicates estimates that conservative annual

costs associated with identity crime are in the tens billions of dollars (Newman

& McNally 2005, p. 30). Such estimates are made additionally difficult by the

differing statistical and definitional measures utilised by national (and sub

national) jurisdictions in calculating the figures used (OECD 2008).

Examples of individual nation-state costs include:

A 2002 UK study calculated that identity theft cost the UK economy £1.3 billion (HM Cabinet Office 2002, p. 13, Box 2.1) during 2001-2002, out of a total fraud related loss of £18.3 billion;

In Australia, it is estimated that identity fraud costs between AUD$1 billion and AUD $3 billion annually (Walker 2006, p. 88);

Page 12

Identity Theft and Society: How does it affect me?Costs of Identity Theft and Fraud

The United Kingdom’s Credit Industry Fraud Avoidance System (CIFAS)

attributes that identity theft and fraud amounts to £10 million per day, whilst

the Association for Payment Clearing Services calculates that credit card

crime has grown from £95 million (1998) to £504 million (2005) and benefits

fraud costs approximately £3 billion yearly (Mills 2007, pp. 8-9).

Impacts of identity crime are not just measured in financial or economic terms.

Confidence in the payments system that underpins economic activity, trust in

the payment instruments that facilitate online transactions coupled with

downstream costs in dealing with fraudulent activity all influence how

individuals and organisations interact in the marketplace – whether in the

electronic or physical environments.

Page 13

Identity Theft and Society: How does it affect me?Possible Protection and Security Strategies

CONCULSION: PROTECTIONAND SECURITY STRATEGIES

Individuals, corporations and government agencies all have a vested interest in

ensuring identity crime is eliminated. Lost profitability, decreased taxation

revenue, increased costs for consumers and amplified distrust for electronic

commerce and payments platforms result from the upsurge of identity crime

related incidents. Substantive proactive measures are required from all three

groups to combat this issue before such distrust becomes endemic.

Shenk’s 13 Laws of Data Smog (mentioned earlier in this paper) do have an

influence in this environment. A Ten-Point Laws of Identity Smog can be

derived to assist in the awareness of identity management for individuals,

corporations and government agencies:

1. Personal information, once rare and cherished like diamonds, is now plentiful and taken for granted like sand;

2. Silicon chips evolve and adapt much more quickly than public service guidelines;

3. Placing a credit (or debit) card in every wallet is like putting a tracking device on every person;

4. What politicians sell as information security but information anxiety;5. All high-stim roads leave lasting digital footpints;6. The Electronic Town Hall allows for speedy communication and a wealth

of data points;7. The Prime Minister’s (or President’s) office is watching;8. On the identity information superhighway, most roads pass through

corporate databases;9. Databases, like elephants, never forget anything; and10. Security is as powerful as the weakest link.

A range of strategies have been identified by a number of authors (Abagnale

Jnr 2007, pp. 102-132; Vacca 2003, pp. 19-21; Hastings & Marcus 2006, pp.

319-323; Mitnick & Simon 2002, 2006) that would enable some form of

protection for individuals in both electronic and physical attacks, including:

Page 14


1. Check credit reports regularly;2. Keep track of billing cycles;3. Closely examine financial statements;4. Protect computer – physically and electronically;5. Guard physical mail from theft;6. Practice safe shopping – physical and electronic;7. Invest in a shredder;8. Be vigilant at Automated Tellers;9. Monitor access to online banking;10. Secure home and office environments.

Many of the strategies are low cost and all are proactive, yet require constant

maintenance to avoid potential slippage or misappropriation of personal

information to undesirable entities or individuals.

For corporations and government agencies, the challenge to safeguard PII in a

highly electronic and networked environment is a more complex and intensive

task from technological and personnel perspectives. Policy development

covering data security; social engineering penetrations; network (both wireless

and cable) security; personnel and finance form a core element of any

effective deployment combating identity crime.

Two of the core elements that underpin business and governmental

(particularly involving the payments system) interaction with the community

are trust and confidence – without these elements economic activity and

interaction is impaired and becomes withdrawn, profitability slides and

distrust climbs.

Specific strategies for corporations and government agencies to combat

identity crime are based on those for individuals, with additional focus on

physical and data security, personnel selection, access rights and document

security to ensure protection against possible intrusions or other inappropriate

activity. One aspect of gaining intrusion in a traditional context, social

engineering, has been described as “information security’s greatest weakness”

(Mitnick & Simon 2006, p. 244).

Page 15


Despite the funds allocated to physical infrastructure aimed at preventing

intrusions, minimal effort has been directed towards the preventing the human

element of intrusions (Mitnick & Simon 2006, p. 244).

The UK Customs and Revenue data loss in November 2007 of two minimally

encrypted compact discs containing personal identifiers of half the population

brought substantive ridicule and embarrassment for the relevant minister and

the agency concerned. As demonstrated in Figure 1, a small yet significant

percentage of identity theft is discovered after the three year, making vigilance

all the more importance.

From a personnel management perspective, corporations and government

agencies need to examine in detail what information is required and how it is

collected and managed to discharge legal and other responsibilities to staff,

clients and regulatory agencies. In addition, systemic and regular reviews of

policy and practice to ensure that privacy, storage and access to sensitive

information is granted only those authorised to handle such information

(Calvasina, Calvasina & Calvasina 2006, p. 27).

Another consideration pertains to the development of a risk management

framework, particularly for organisations that operate in finance-type sector

and those organisations that handle substantive quantities of personal

information. The potential for reputational loss resulting from a sustained

wave of identity crime could undermine confidence in the organisation and the

broader payment system (Bielski 2005, p. 55).

From the broader societal perspective requires a proactive, coordinated and

sustained effort between government agencies, corporations, advocacy groups

and individuals is needed to ensure that identity crime is contained and

(ideally) eliminated. This involves a range of proactive measures from all

three sectors to safeguard PII against misappropriation and inappropriate

access.

Page 16


Some efforts are occurring at multilateral forums – particularly at the OECD

and the United Nations – in combating identity crime across international

borders. Without some form of common understanding of what constitutes

identity crime (in legal and common understanding contexts), the ability for

the community to effectively and proactively participate in protecting their

identity in an interconnected, online environment is impaired.

One entity Australia currently lacks is an independent analysis and research

agency dedicated to monitoring developments and to serve as an independent

information clearinghouse and on identity theft. Currently there are a host of

federal and state agencies (mainly policing and fair trading) offering distinct

and sometimes apparent contradictory messages to the community.

Page 17

Identity Theft and Society: How does it affect me?Reference List

REFERENCE LIST

Abagnale, FW 2007. Stealing your life: The ultimate identity theft prevention plan. Transworld Publishing Milsons Point

Abagnale, FW 2001. The Art of the Steal: How to protect yourself and your business from fraud. Bantam Books Milsons Point

Acoca, B 2008. “Online Identity Theft”. OECD Observer. Organisation for Economic Cooperation and Development no. 268, July pp. 12-13.

Adams, C 2008. “No. certainty yet for identity assurance: The need for assuring identity is clear, but the path to achieving it is not”. Signal. vol. 63 no. 1 September pp. 83-86

Anonymous 2009. ‘Identity theft costs a record $56.6 billion’. Identity Theft Daily. Published 24/Feb/2009, Accessed 16/Aug/2009.

Anonmyous 2005. ‘ID Theft costs Australia $2 billion a year’. The Age. Melbourne Victoria Published 3/June, viewed 18/June/2009.URL: http. ://www.theage.com.au/news/Breaking/ID-theft-costs-Australia-2b-a-year/2005/06/03/1117568360968.html#

Arata Jnr, MJ 2004. Preventing Identity Theft for Dummies. Wiley Publishing Indiana.

Attorney’s General Department March 2008. Final Report: Identity Crime. Commonwealth of Australia, Canberra.

Australian Bureau of Statistics (ABS) 2007. Personal Fraud June 2007. Cat no. 4528.0 ABS Canberra

Australian Communications and Media Authority (ACMA) 2009. Australia in the Digital Economy: Trust and Confidence. Commonwealth of Australia, Canberra.

Bajkokowski, J 2009. ‘Being awake to zombie armies’. The Australian Financial Review. Published 11/Aug/2009 p. 34.

Bavis, C and Parent, M 2007. “Data theft or loss: ten things your lawyer must tell you about handling information”. Ivey Business Journal Online. June/July

Bielski, L 2005. “Will you spend to thwart ID Theft?” ABA Banking Journal. vol. 97 no. 4 pp. 54-62.

Burkhalter, C and Crittenden, J. “Professional Identity Theft: What is it? Are we contributing to it? What can we do to stop it?” Contemporary Issues in Communication Science and Disorders. vol. 35, Spring pp. 89-94

Page 18

http://www.theage.com.au/news/Breaking/ID-theft-costs-Australia-2b-a-year/2005/06/03/1117568360968.html#

http://www.theage.com.au/news/Breaking/ID-theft-costs-Australia-2b-a-year/2005/06/03/1117568360968.html#


Calvasina, GE; Calvasina, EJ and Calvasina, RV 2006. “Preventing employee identity fraud”. Proceedings of the Academy of Legal, Ethical and Regulatory Issues. vol. 10 no. 2 pp. 25-29.

Clarke, E 2009. “How secure is your client data? 5 questions you should ask your IT professionals”. Journal of Financial Planning. Jan/Feb pp. 24-25.

Dhamija, R; Tygar, JD and Hearst, M April 2006. “Why Phishing Works”. CHI Proceedings: Security. pp. 581-590.

Government Accountability Office 2006. Electronic Government: Agencies face challenges in implementing the federal employee identification standard. Washington D.C.

Hamadi, R. Identity Theft: What it is; How to prevent it and what to do if it happens to you. Vision.

Hastings, G and Marcus, R 2006. Identity Theft Inc: A wild ride with the world’s number one identity thief. Disinformation Company New York.

House of Representatives Standing Committee on Economics, Finance and Public Administration 2000. Numbers on the Run: Review of the ANAO Report no. 36 1998-99 on the management of Tax File Numbers. Parliament House, Canberra.

HM Cabinet Office July 2002. Identity Fraud: A study. London

Identity Theft Resource Centre. Identity Theft: The Aftermath 2007. Published May 2008. Identity Theft: The Aftermath 2006. Published October 2007 Identity Theft: The Aftermath 2004. Published September 2005 Identity Theft: The Aftermath 2003. Published September 2003

Independent Commission Against Corruption (ICAC) 2006. Protecting Identity Information and Documents: Guidelines for public service managers. Sydney New South Wales.

Jakobsson, M and Myers, S (editors) 2007. Phishing and Countermeasures: Understanding the increasing problems of electronic identity theft. John Wiley & Sons New Jersey.

Kendall-Raynor, P. 2008. “Identity fraud case prompts call for tougher recruitment checks”. Nursing Standard. vol. 22 no. 36 May 14-20 p. 7.

Laudise, TM 2008. “Ten practical things to know about ‘sensitive’ data collection and protection”. The Computer and Internet Lawyer. vol. 25 no. 7 July pp. 26-33.

Leon, JF 2008. “Top Ten Tips to combat Cybercrime”. The CPA Journal. vol. 78 no. 5 pp. 6-11

Page 19


Linninger, R and Dines, RD 2005. Phishing: Cutting the identity theft line.

Listerman, RA and Romesberg, J 2009. ‘Creating a culture of security is key to stopping a data breach. Are we safe yet?’ Strategic Finance. July pp. 27-33.

May, DA 2005. Identity Theft.

Mills, G 2007. Identity Theft: Everything you need to know to protect yourself. Summersdale Publishers.

Mitnick, KD & Simon WL 2006. The Art of the Intrusion: Real stories behind the exploits of hackers, intruders and deceivers. Wiley Publishing Inc.

Mitnick, KD & Simon WL 2002. The Art of the Deception. Wiley Publishing Inc.

Newman, GR and McNally, MM 2005. Identity Theft Literature Review. United States Department of Justice Washington D.C.

Organisation for Economic Cooperation and Developement (OECD) June 2008. Policy Guidance on Online Identity Theft. OECD Ministerial Meeting on the future of the Internet Economy Seoul.

Passmore, D 2009. “Sunshine State is a hackers’ paradise”. The Sunday Mail Brisbane Queensland. Published 5/Jul/2009, viewed 5/Jul/2009.URL: http://www.news.com.au/couriermail/story/0,23739,25732782-3102,00.html

Peretti, KK 2009. “Data breaches: What the underground work of ‘carding’ reveals”. Sanat Clara Computer and High-Technology Law Journal. vol. 25 no. 2 pp. 375-413.

Prosch, M 2009. “Preventing Identity Theft throughout the Data Life Cycle”. Journal of Accountancy. vol. 207 no. 1 pp. 58-62

Privacy Rights Clearinghouse 2000. “Identity Theft Victim Stories: Written testimony of Michelle Brown”. Viewed 26-Mar-2007.URL: http://www.privacyrights.org/cases/victim8.htm

QPS Major Fraud Investigative Group. ‘Theft by Fraud’. Queensland Police Service Police Bulletin pp. 27-30.

State of Queensland (Attorney General’s Department) 2009. ‘New security paper for registry certificates’. Brisbane. Viewed 21/July/2009.URL: http://www.justice.qld.gov.au/5629.htm

Roberson, C 2008. Identity Theft Investigations. Kaplan Publishing.

Saunders, KM and Zucker, B August 1999. “Counteracting Identity Fraud in the Information Age: The Identity Theft and Assump. tion Deterrence Act”. International Review of Law. vol. 13 no. 2 pp. 183-192.

Page 20

http://www.justice.qld.gov.au/5629.htm

http://www.privacyrights.org/cases/victim8.htm

http://www.news.com.au/couriermail/story/0,23739,25732782-3102,00.html


Schreft, SL 2007. “Risks of Identity Theft: Can the market protect the payment system?” Economic Review – Federal Reserve Bank of Kansas City. vol. 92 no. 4 Fourth Quarter pp 5-40.

Shenk, D 1997. Data Smog: Surviving the information glut. HarperCollins Publishers.

Sokolov, AP. (editor) 2005. Identity Theft on the Rise. Nova Science Publishers Inc

Stickley, J 2009. The Truth About Identity Theft. Why be me when I can be you? Pearson Education New Jersey.

Sullivan, B 2004. Your Evil Twin: Behind the identity theft epidemic. Wiley Publishing USA.

Swartz, N 2008. “Officials crack largest ID theft ring ever”. Information Management Journal. vol. 42 no 6 p. 18.

Vacca, J.R. 2003. Identity Theft. Prentice Hall PTR USA.

Walliker, A 2006. “Identity Theft soars and now costs $3 billion a year”. Sunday Hearld-Sun. Melbourne Victoria. Published 11/Jun/2006 p. 88.

Warren, P. and Streeter, M 2005. Cyber Alert: How the world is under attack from a new form of crime. Vision Paperback London.

Wells. JT 2009. “Mortgage Fraud: A scourge of the 21st century?” The CPA Journal. vol. 79 no. 2 February pp. 6-11.

ZDNet Australia 2009. “NSW Govt seeks new ID fraud laws”. Published 13/July/2009, Viewed 14/July/2009.URL: http://www.zdnet.com.au/news/security/soa/NSW-Govt-seeks-new-ID-fraudlaws/0,130061744,339297362,00.htm

Page 21

http://www.zdnet.com.au/news/security/soa/NSW-Govt-seeks-new-ID-fraudlaws/0,130061744,339297362,00.htm

http://www.zdnet.com.au/news/security/soa/NSW-Govt-seeks-new-ID-fraudlaws/0,130061744,339297362,00.htm