Identity theft: Difference between revisions

"Determining the link between [[data breachesbreach]]es and identity theft is challenging, primarily because identity theft victims often do not know how their personal information was obtained",. andAccording to a report done for the FTC, identity theft is not always detectable by the individual victims, according to a report done for the FTC.<ref>Federal Trade Commission – 2006 Identity Theft Survey Report, p. 4</ref> [[Identity fraud]] is often but not necessarily the consequence of identity theft. Someone can steal or misappropriate personal information without then committing identity theft using the information about every person, such as when a major [[data breach]] occurs. A US[[Government Accountability Office|U.S. Government Accountability Office]] study determined that "most breaches have not resulted in detected incidents of identity theft".<ref>{{cite web |url=http://www.gao.gov/new.items/d07737.pdf |title=Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown |author= |date= |work=Highlights of GAO-07-737, a report to congressional requesters |publisher=gao.gov |accessdateaccess-date=22 September 2010}}</ref> The report also warned that "the full extent is unknown". A later unpublished study by [[Carnegie Mellon University]] noted that "Most often, the causes of identity theft is not known", but reported that someone else concluded that "the probability of becoming a victim to identity theft as a result of a data breach is ... around only 2%".<ref>{{cite web |url=http://www.heinz.cmu.edu/research/241full.pdf |title=Do Data Breach Disclosure Laws Reduce Identity Theft? |author=Sasha Romanosky |date= |work=Heinz First Research Paper |publisher=heinz.cmu.edu |accessdateaccess-date=2009-05-27 |archive-date=2012-01-20 |archive-url=https://web.archive.org/web/20120120001255/http://www.heinz.cmu.edu/research/241full.pdf |url-status=dead }}</ref> MoreFor recentlyexample, an association of consumer data companies noted thatin one of the largest data breaches ever,which accounting foraffected over four million records, it resulted in only about 1,800 instances of identity theft, according to the company whose systems were breached.{{citation needed|date=May 2021}}

* Financial identity theft (using another's identity to obtain credit, goods, and services)

Identity theft may be used to facilitate or fund other crimes including [[illegal immigration]], [[terrorism]], [[phishing]] and [[espionage]]. There are cases of identity cloning to attack [[payment systemssystem]]s, including online credit card processing and [[medical insurance]].<ref>{{cite web |url=http://www.worldprivacyforum.org/medidtheft_consumertips.html |title=Medical Identity Theft: What to Do if You are a Victim (or are concerned about it) }}, World Privacy Forum</ref>

In this situation, the identity thief impersonates someone else in order to conceal their own true identity. Examples mightare be[[illegal immigrant]]s hiding their illegal immigrantsstatus, people hiding from creditors[[creditor]]s or other individuals, orand those who simply want to become "[[Anonymity|anonymous]]" for personal reasons. Another example areis ''posers'', a label given to people who use somebodysomeone else's photos and information throughon social networking sites. Mostly,Posers posersmostly create believable stories involving friends of the real person they are imitating. Unlike identity theft used to obtain credit which usually comes to light when the debts mount, concealment may continue indefinitely without being detected, particularly if the identity thief is able tocan obtain false credentials in order to pass various authentication tests in everyday life.

When a criminal fraudulently identifies himselfthemselves to police as another individual at the point of arrest, it is sometimes referred to as "Criminal Identity Theft." In some cases, criminals have previously obtained state-issued identity documents using credentials stolen from others, or have simply presented a [[fake ID]]. Provided the subterfuge works, charges may be placed under the victim's name, letting the criminal off the hook. Victims might only learn of such incidents by chance, for example by receiving a court summons, discovering their driversdriver's licenses are suspended when stopped for minor traffic violations, or through [[background check]]s performed for employment purposes.

It can be difficult for the victim of a criminal identity theft to clear their record. The steps required to clear the victim's incorrect [[criminal record]] depend inon which jurisdiction the crime occurred and whether the true identity of the criminal can be determined. The victim might need to locate the original arresting officers and prove their own identity by some reliable means such as fingerprinting or DNA testing, and may need to go to a court hearing to be cleared of the charges. Obtaining an [[expungement]] of court records may also be required. Authorities might permanently maintain the victim's name as an alias for the criminal's true identity in their criminal records databases. One problem that victims of criminal identity theft may encounter is that various [[data aggregators]] might still have the incorrect criminal records in their databases even after court and police records are corrected. Thus it is possible that a future background check willmay return the incorrect criminal records.<ref>{{cite web |url=http://www.privacyrights.org/fs/fs17g-CrimIdTheft.htm |title=Privacy Rights Clearinghouse |url-status=dead |archive-url=https://archive.today/20120921/http://www.privacyrights.org/fs/fs17g-CrimIdTheft.htm |archive-date=21 September 2012 }} - "Fact Sheet 17g: Criminal Identity Theft: What to Do ifIf It Happens to You "</ref> This is just one example of the kinds of impact that may continue to affect the victims of identity theft for some months or even years after the crime, aside from the psychological trauma that being 'cloned' typically engenders.

A variation of identity theft whichthat has recently become more common is ''synthetic identity theft'', in which identities are completely or partially fabricated.<ref>[http{{Cite web|url=https://www.leagle.com/decision/2009567417bbr150_1566 In re Marie A. COLOKATHIS, Catherine Bauer, M.D., Plaintiff v. Marie Colokathis, 417 B.R. 150 (2009)] {{webarchive 2009567417bbr1501566|urlarchiveurl=https://web.archive.org/web/20150719051854/http://www.leagle.com/decision/2009567417bbr150_1566|url-status=dead|title=In Re Colokathis &#124; 417 B.R. 150 (2009)|archive-date=July 19, 2015July 2015|website=Leagle}}</ref> The most common technique involves combining a real [[social security number]] with a name and birthdate other than the ones that are simply associated with the number. Synthetic identity theft is more difficult to track as it doesn't show on either person's credit report directly, but may appear as an entirely new file in the [[credit bureau]] or as a subfile on one of the victim's credit reports. Synthetic identity theft primarily harms the creditors who unwittingly grant the fraudsters credit. Individual victims can be affected if their names become confused with the synthetic identities, or if negative information in their subfiles impacts their credit ratings.<ref>{{cite web |url=http://www.bankrate.com/brm/news/pf/identity_theft_20070516_a1.asp |title=Detecting synthetic identity fraud |accessdateaccess-date=2008-09-21 September 2008 |last=McFadden |first=Leslie |date=2007-05-16 May 2007 |work=Bankrate.com |pages=1–2 |doi= |quote= }}</ref>

Child identity theft occurs when a minor's identity is used by another person for the impostor's personal gain. The impostor can be a family member, a friend, or even a stranger who targets children. The Social Security numbers of children are valued because they do not have any information associated with them. Thieves can establish lines of credit, obtain driver's licenses, or even buy a house using a child's identity. This fraud can go undetected for years, as most children do not discover the problem until years later. Child identity theft is fairly common, and studies have shown that the problem is growing. The largest study on child identity theft, as reported by Richard Power of the [[Carnegie Mellon]] Cylab with data supplied by [[AllClear ID]], found that of 40,000 children, 10.2% were victims of identity theft.<ref>{{citationCite neededweb|url=https://www.foxbusiness.com/features/government-turns-spotlight-on-child-id-theft-problem|title=Government Turns Spotlight on Child ID Theft Problem|date=September12 January 2016|website=CreditCards.com|language=en-US|access-date=22 April 2019}}</ref>

The most common type is financialof identity theft, whereis someone wantsrelated to gainfinance. economicalFinancial benefitsidentity in someone else's name. Thistheft includes gettingobtaining creditscredit, loans, goods, and services, while claiming to be someone else.<ref>{{cite web |url=http://www.idtheftcenter.org/Identity-Theft/what-is-financial-identity-theft.html |title=What is Financial Identity Theft |author= |date= |work= |publisher=ID Theft Center |accessdateaccess-date=3 December 2014}}</ref>

=== Techniques for obtaining and exploiting personal information forTax identity theft ===

The acquisition of personal identifiers is made possible through serious breaches of [[privacy]]. For consumers, this is usually a result of them naively providing their personal information or login credentials to the identity thieves as(e.g., in a result[[phishing of being dupedattack]]) but identity-related documents such as credit cards, bank statements, utility bills, checkbooks, etc. may also be physically stolen from vehicles, homes, offices, and not the least [[letter boxletterboxes]]es, or directly from victims by pickpockets and bag snatchers. Guardianship of personal identifiers by consumers is the most common intervention strategy recommended by the [[US Federal Trade Commission]], [[PhoneBusters|Canadian Phone Busters]] and most sites that address identity theft. Such organizations offer recommendations on how individuals can prevent their information from falling into the wrong hands.

In their May 1998 testimony before the United States Senate, the [[Federal Trade Commission]] (FTC) discussed the sale of Social Security numbers and other personal identifiers by credit-raters and data miners. The FTC agreed to the industry's self-regulating principles restricting access to information on credit reports.<ref>{{cite web |url=http://www.ftc.gov/os/1998/05/identhef.htm |title=Testimony before the Subcommittee on Technology, Terrorism and Government Information |url-status=dead |archive-url=https://archive.today/20120801/http://www.ftc.gov/os/1998/05/identhef.htm |archive-date=1 August 2012 }}, Committee of the Judiciary, United States Senate May 20, May 1998 pp 5,6</ref> According to the industry, the restrictions vary according to the category of customer. Credit reporting agencies gather and disclose personal and credit information to a wide business client base.

Poor stewardship of personal data by organizations, resulting in unauthorized access to sensitive data, can expose individuals to the risk of identity theft. The Privacy Rights Clearinghouse has documented over 900 individual data breaches by US companies and government agencies since January 2005, which together have involved over 200 million total records containing sensitive personal information, many containing social security numbers.<ref>[{{Cite web|url=http://www.privacyrights.org/ar/ChronDataBreaches.htm A Chronology of Data Breaches<!--Bot-generated title-->] {{webarchive|archive-url=https://web.archive.org/web/20100613183200/http://www.privacyrights.org/ar/ChronDataBreaches.htm|dateurl-status=Junedead|title=A Chronology of Data Breaches<!-- Bot generated title -->|archive-date=13, June 2010}}</ref> Poor corporate diligence standards which can result in data breaches include:

The failure of corporate or government organizations to protect [[consumer privacy]], [[client confidentiality]] and [[political privacy]] has been criticized for facilitating the acquisition of personal identifiers by criminals.<ref>[http://www.siia.net/software/pubs/iit-00.pdf Internet Identity Theft - A Tragedy for Victims] {{webarchive |url=https://web.archive.org/web/20110422192157/http://www.siia.net/software/pubs/iit-00.pdf |date=22 April 22, 2011 }}, [[Software and Information Industry Association]]. Retrieved 30 June 30, 2006.</ref>

Using various types of [[biometric]] information, such as [[fingerprint]]s, for identification and authentication has been cited as a way to thwart identity thieves, however, there are technological limitations and privacy concerns associated with these methods as well.

In March 2014, after it was learned two passengers with stolen passports were on board [[Malaysia Airlines Flight 370]], which went missing on March 8, March 2014,. itIt came to light that [[Interpol]] maintains a database of 40 million lost and stolen travel documents from 157 countries, which itInterpol makes available to governments and the public, including airlines and hotels. The Stolen and Lost Travel Documents (SLTD) database, however, is littlerarely used. ''Big News Network'' (which is based in the [[UAE]],) observedreported that Interpol Secretary -General [[Ronald Noble|Ronald K. Noble]] told a forum in [[Abu Dhabi]] in the previous month this was the case., "The bad news is that, despite being incredibly cost -effective and deployable to virtually anywhere in the world, only a handful of countries are systematically using SLTD to screen travelers. The result is a major gap in our global security apparatus that is left vulnerable to exploitation by criminals and terrorists,." Noble is quoted as saying.<ref name="InterpolSLTD">{{cite news|title=Airlines and governments not checking stolen passports register|url=httphttps://www.telegraph.co.uk/news/worldnews/asia/malaysia/10686319/Interpol-warned-of-danger-posed-by-stolen-passports.html |accessdatearchive-url=Septemberhttps://ghostarchive.org/archive/20220112/https://www.telegraph.co.uk/news/worldnews/asia/malaysia/10686319/Interpol-warned-of-danger-posed-by-stolen-passports.html |archive-date=2022-01-12 |url-access=subscription |url-status=live|access-date=11, September 2014|publishernewspaper=The Daily Telegraph}}{{cbignore}}</ref>

In [[Australia]], each state has enacted laws that deal with different aspects of identity or fraud issues. Some states have now amended relevant criminal laws to reflect crimes of identity theft, such as the Criminal Law Consolidation Act 1935 (SA), Crimes Amendment (Fraud, Identity and Forgery Offences) Act 2009, and also in Queensland under the Criminal Code 1899 (QLD). Other states and territories are in states of development in respect of regulatory frameworks relating to identity theft such as Western Australia in respect of the Criminal Code Amendment (Identity Crime) Bill 2009.

OnAt the Commonwealth level, under the ''Criminal Code Amendment (Theft, Fraud, Bribery & Related Offences) Act 2000'' which amended certain provisions within the ''Criminal Code Act 1995'',

{{quoteBlockquote|'''135.1 General dishonesty'''

(3) A person is guilty of an offenceoffense if

{{quoteBlockquote|Everyone commits an offenceoffense who knowingly obtains or possesses another person's identity information in circumstances giving rise to a reasonable inference that the information is intended to be used to commit an indictable offenceoffense that includes fraud, deceit, or falsehood as an element of the offenceoffense.

is guilty of an indictable offenceoffense and liable to imprisonment for a term of not more than five years; or is guilty of an offenceoffense punishable on summary conviction.}}

{{quoteBlockquote|(1) Everyone commits an offenceoffense who fraudulently personates another person, living or dead,

is guilty of an indictable offenceoffense and liable to imprisonment for a term of not more than 10 years; or guilty of an offenceoffense punishable on summary conviction.}}

For the private sector, the purpose of the Personal Information Protection and Electronic Documents Act ( 2000, c. 5 ) (known as PIPEDA) is to establish rules to govern the collection, use, and disclosure of personal information; except for the provinces of Quebec, Ontario, Alberta and British Columbia where provincial laws have been deemed substantially similar.

In France, a person convicted of identity theft can be sentenced up to five years in prison and fined up to [[euro|€]]75,000.<ref>{{citeCite web |url=http://www.journaldunet.com/juridique/juridique040309.shtml |title=JournaldunetUsurpation d'identité : la loi ou la technique pour se protéger ?|website=www.journaldunet.com|accessdate=25 December 2023}}</ref>

Under HK Laws. Chap 210 ''Theft Ordinance'', sec. 16A Fraud:

{{quoteBlockquote|(1) If any person by any deceit (whether or not the deceit is the sole or main inducement) and with '''intent to defraud''' induces another person to commit an act or make an omission, which results either-

Under theThe ''Personal Data (Privacy) Ordinance'', it(PDPO) establishedregulates the postcollection, of Privacy Commissioner for Personal Datause and mandateretention how muchof personal information onein can collect,Hong retain and destructionKong. This legislationIt also provides citizens the right to request information held by businesses and the government to the extent provided by this law. The PDPO establishes the [[Office of the Privacy Commissioner for Personal Data]] which enforces the law and advises on the use of personal data.

Under the Information Technology Act 2000 Chapter IX Sec 66C:

{{quoteBlockquote|SECTION 66C

Whoever, fraudulently or dishonestly makes use of the electronic signature, password, or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one [[lakh]].<ref>{{cite web |url=http://nicca.nic.in/pdf/itact2000.pdf |title=The Information Technology Act 2000 |formataccess-date=PDF2013-08-20 |datearchive-url=https://web.archive.org/web/20130724123617/http://nicca.nic.in/pdf/itact2000.pdf |accessdatearchive-date=2013-0807-2024 |url-status=dead }}</ref>}}

Social networking sites are one of the most famous spreaderspreaders of ''posers'' in the online community, giving the users the freedom to placepost any information they want without any verification that the account is being used by the real person.{{clarify|date=April 2021}}

The Philippines, which ranks eighth in the numbers of users of [[Facebook]] and other social networking sites (such as [[Twitter]], [[Multiply (website)|Multiply]] and [[Tumblr]]), has been known as a source of various identity theft problems.<ref>[{{Cite web|url=https://www.techunblocked.org/2015/06/facebook-users-by-country-wise.html List Of Facebook Users By Country Wise Top Ranking 2016] {{webarchive |archive-url=https://web.archive.org/web/20160310213502/https://www.techunblocked.org/2015/06/facebook-users-by-country-wise.html|url-status=dead|title=List of Facebook Users by Country Wise Top ranking 2016 - Tech Unblocked|archive-date=March 10, 2016March 2016}}</ref> Identities of those people who carelessly put personal information on their profiles can easily be stolen just by simple browsing. There areSome people who meet online, get to know each other through the free Facebook chat, and exchange of messages that then leads to sharing ofshare private information. Others get romantically involved with their online friends thatand theyend tendup to givesharing too much information (such as their social security number, bank account and even personal basic information such as, home address, and company address).

This phenomenon leadleads to the creation of Senate Bill 52:the [[Cybercrime Prevention Act of 2010.<ref>[https://www.scribd.com/document/59428205/Senate-Bill-52-Cyber-Crime-Prevention-Act Full Text of Senate Bill 522012]] (Proposing the Cybercrime PreventionRepublic Act ofNo. 201010175)] {{webarchive |url=https://web.archive.org/web/20160816172609/https://www.scribd.com/document/59428205/Senate-Bill-52-Cyber-Crime-Prevention-Act |date=August 16, 2016 }}</ref> Section 2 of this billact states that it recognizes the importance of [[communication]] and [[multimedia]] for the development, exploitation, and dissemination of information{{clarify|date=April 2021}}, but violators will be punished by the law through imprisonment or a fine upwards of Php200₱200,000, but not exceeding 1 million₱1,000,000, or (depending on the damage caused, or) both (Section 7).

Sweden has had relatively few problems with identity theft. This is because only Swedish [[identity document]]s have beenwere accepted for identity verification. Stolen documents are traceable by banks and somecertain other institutions{{which|date=April 2021}}. TheBanks banks have theare dutyrequired to check the identity of peopleanyone withdrawing money or getting loans. If a bank gives money to someone using an identity document that has been reported as stolen, the bank must take thethis loss. Since 2008, any EU passport is valid in Sweden for identity checkverification, and Swedish passports are valid all over the EU. This makes it harder to detect stolen documents, but still banks in Sweden still must ensure that stolen documents are not accepted.

Other types of identity theft have become more common in Sweden. One common example is ordering a credit card to someone who has an unlocked letterbox and is not home induring the daytime. The thief steals the letter with the credit card and then the letter with the code, which typically arrives a few days later. Usage of a stolen credit card is harddifficult in Sweden, since an identity document or a PIN code it is normally demanded. If thea shop does not demand thateither, it must take the loss from accepting a stolen credit cardscard. The methodpractice of observing someone using thetheir credit card's PIN code, stealing the credit card, or [[skimming (credit card fraud)|skimming]] it, and then using the credit card, has become more common.

Legally, Sweden is an open society. [[Freedom of information legislation|The Principle of Public Access]] saysstates that all information (e.g. addresses, incomes, taxes) kept by public authorities must be available for anyone, except in certain cases. Specifically(for example, anyone'sthe address,addresses income,of taxespeople etc.who are availableneed to anyonehide are restricted). This makes fraud easier (the address is restricted only for people who needs to hide).

ThereUntil was2016, untilthere 2016were no legallaws banthat specifically againstprohibited using someone's identity. Instead, there were only onlaws theregarding any indirect damagedamages caused. ToImpersonating impersonate someoneanyone else for financial gain is a kind[[type of [[fraud]], which is described in the [[Criminal Code]] ({{lang-langx|sv|brottsbalken}}). ToImpersonating impersonate someoneanyone else to discredit someonethem by breakinghacking into their social media accounts and provoke,{{clarify|date=April 2021}} is considered [[libel]]. However, but thatit is harddifficult to sentenceconvict someone forof committing this crime. AIn late 2016, a new law was introduced late 2016 which partially banned unpermittedundetermined{{clarify|date=April 2021}} identity usage.<ref>[{{Cite web|url=http://rkrattsdb.gov.se/SFSdoc/16/160485.PDF |title=SFS 2016:485 Lag om ändring i brottsbalken]|accessdate=25 December 2023}}</ref>

In the United Kingdom, personal data is protected by the [[Data Protection Act 1998]]. The Act covers all personal data which an organization may hold, including names, birthday and anniversary dates, addresses, and telephone numbers, etc.

Under [[English law]] (which extends to [[Wales]] but not to [[Northern Ireland]] or [[Scotland]]), the [[Deception (criminal law)|deception]] offences under the [[Theft Act 1968]] increasingly contend with identity theft situations. In ''R v Seward'' (2005) EWCA Crim 1941,<ref>{{citeCite web |url=http://www.bailii.org/ew/cases/EWCA/Crim/2005/1941.html |title=Seward, R. v Seward ([2005)] EWCA Crim 1941 (11 July 2005)|accessdate=25 December 2023}}</ref> the defendant was acting as the "front manfrontman" in the use of stolen credit cards and other documents to obtain goods. He obtained goods to the value of £10,000 for others who are unlikely ever to be identified. The Court of Appeal considered a sentencing policy for deception offenses involving "identity theft" and concluded that a prison sentence was required. Henriques J. said at para 14: "Identity fraud is a particularly pernicious and prevalent form of dishonesty calling for, in our judgment, deterrent sentences."

Statistics released by [[CIFAS]] - The (UK's Fraud Prevention Service) show that there were 89,000 victims of identity theft in the UK in 2010 and 85,000 victims in 2009.<ref>{{cite web |url=http://www.cifas.org.uk/identity_fraud |title=CIFAS: your identity }}, CIFAS</ref> This compared with 2009 where there were 85,000 victims.<ref>{{cite web |url=http://id-theft-uk.blogspot.com/2010/02/uk-fraud-prevention-agency-say-id-theft.html |title=UK Fraud Prevention Agency Say ID Theft Increase of 32% in 2009 |access-date=2010-02-03 |archive-date=2012-07-01 |archive-url=https://archive.today/20120701/http://id-theft-uk.blogspot.com/2010/02/uk-fraud-prevention-agency-say-id-theft.html |url-status=dead }}, Identity Theft UK Blog, 3 February 2010</ref>{{Unreliable source?|date=December 2015}}</ref> Men in their 30s and 40s are the most common UK victims.<ref>{{cite web |url=http://blog.protectmyid.co.uk/index.php/the-most-likely-victims-of-identity-fraud-men-in-their-late-30s-and-early-40s/ |title=The most likely victims of identity fraud: men in their late 30s and early 40s |url-status=dead |archive-url=https://archive.today/20120708/http://blog.protectmyid.co.uk/index.php/the-most-likely-victims-of-identity-fraud-men-in-their-late-30s-and-early-40s/ |archive-date=8 July 2012 }}, Protect MY ID Blog, 21 January 2011</ref>{{Unreliable source?|date=December 2015}}</ref> and identityIdentity fraud now accounts for nearly half of all frauds recorded.<ref>{{cite web |url=http://www.cifas.org.uk/press_release_twentyeleven_c |title=Fraudscape: report reveals the UK's fraud landscape in 2010 }}, CIFAS</ref>

{{seeSee also|Identity theft in the United States}}

The increase in crimes of identity theft led to the drafting of the Identity Theft and Assumption Deterrence Act.<ref>{{cite web |url=http://www.ftc.gov/os/statutes/itada/itadact.htm |title=FTC.gov |url-status=dead |archive-url=https://archive.today/20120801/http://www.ftc.gov/os/statutes/itada/itadact.htm |archive-date=1 August 2012 }}, Public Law 105-318, 112 Stat. 3007 (Oct. 30, October 1998)</ref> In 1998, The Federal Trade Commission appeared before the United States Senate.<ref>{{cite web |url=http://www.ftc.gov/os/1998/05/identhef.htm |title=Prepared Statement of the Federal Trade Commission on "Identity Theft" |url-status=dead |archive-url=https://archive.today/20120801/http://www.ftc.gov/os/1998/05/identhef.htm |archive-date=1 August 2012 }}, May 20, May 1998</ref> The FTC discussed crimes which exploit consumer credit to commit loan fraud, [[mortgage fraud]], lines-of-credit fraud, [[credit card fraud]], commodities and services frauds. The Identity Theft Deterrence Act (2003)[ITADA] amended [https://www.law.cornell.edu/uscode/text/18/1028A- U.S. Code Title 18, § 1028] ("Fraud related to activity in connection with identification documents, authentication features, and information"). The statute now makes the possession of any "means of identification" to "knowingly transfer, possess, or use without lawful authority" a federal crime, alongside unlawful possession of identification documents. However, for federal jurisdiction to prosecute, the crime must include an "identification document" that either: (a) is purportedly issued by the United States, (b) is used or intended to defraud the United States, (c) is sent through the mail, or (d) is used in a manner that affects interstate or foreign commerce. ''See'' {{usc|18|1028}}(c). Punishment can be up to 5, 15, 20, or 30 years in federal [[prison]], plus fines, depending on the underlying crime per {{usc|18|1028}}(b). In addition, punishments for the unlawful use of a "means of identification" were strengthened in § 1028A ("Aggravated Identity Theft"), allowing for a consecutive sentence under specific enumerated felony violations as defined in § 1028A(c)(1) through (11).<ref>Doyle, Charles. (2013). [https://fas.org/sgp/crs/misc/R42100.pdf Mandatory Minimum Sentencing: Federal Aggravated Identity Theft.] {{webarchive |url=https://web.archive.org/web/20161011031227/https://fas.org/sgp/crs/misc/R42100.pdf |date=11 October 11, 2016 }} Washington, D.C.: [[Congressional Research Service]].</ref>

The Act also provides the [[Federal Trade Commission]] with authority to track the number of incidents and the dollar value of losses. Their figures relate mainly to consumer financial crimes and not the broader range of all identification-based crimes.<ref>[http://www.consumer.gov/idtheft/ Federal Trade Commission]. Retrieved June 30, June 2006. {{webarchive |url=https://web.archive.org/web/20060131210801/http://www.consumer.gov/idtheft/ |date=January 31, January 2006 }}</ref>

If charges are brought by state or local law enforcement agencies, different penalties apply dependingto depend on the state.

Six Federal agencies conducted a joint task force to increase the ability to detect identity theft. Their joint recommendation on "red flag" guidelines is a set of requirements on financial institutions and other entities which furnish credit data to credit reporting services to develop written plans for detecting identity theft. The FTC has determined that most medical practices are considered creditors and are subject to requirements to develop a plan to prevent and respond to patient identity theft.<ref>Michael, Sara {{cite web |url=http://www.physicianspractice.com/index/fuseaction/newsletterArticles.view/articleID/87.htm |title=Getting Red Flag Ready |access-date=2009-07-02 |archive-date=2012-09-11 |archive-url=https://archive.today/20120911/http://www.physicianspractice.com/index/fuseaction/newsletterArticles.view/articleID/87.htm |url-status=dead }} PhysiciansPractice.com, 21 May 2009-05-21. Retrieved 2 July 2, 2009.</ref> These plans must be adopted by each organization's Boardboard of Directorsdirectors and monitored by senior executives.<ref>[http://www.ftc.gov/os/fedreg/2007/december/071213factafurnisheraccuracy.pdf 72 Fed. Reg. 70944 ] {{webarchive |url=https://web.archive.org/web/20130217151554/http://www.ftc.gov/os/fedreg/2007/december/071213factafurnisheraccuracy.pdf |date=17 February 17, 2013 }} (PDF). Retrieved 29 January 2008-01-29.</ref>

Identity theft complaints as a percentage of all fraud complaints decreased from 2004- to 2006.<ref name="autogenerated1">[{{Cite web|url=http://www.ftc.gov/bcp/edu/microsites/idtheft/downloads/clearinghouse_2006.pdf Law Enforcement Contact1 January 1 December 31, 2001] {{webarchive |urlarchiveurl=https://web.archive.org/web/20080911044319/http://www.ftc.gov/bcp/edu/microsites/idtheft/downloads/clearinghouse_2006.pdf|url-status=dead|title=Law Enforcement Contact1 January 1 December 31, 2001|archive-date=September 11, 2008September 2008}}</ref> The Federal Trade Commission reported that fraud complaints in general were growing faster than ID theft complaints.<ref name="autogenerated1" /> The findings were similar in two other FTC studies done in 2003 and 2005. In 2003, 4.6 percent of the US population said they were a victim of ID theft. In 2005, that number had dropped to 3.7 percent of the population.<ref name=SR_1>[http{{cite web| title=Federal Trade Commission – Identity Theft Survey Report| url=https://www.ftc.gov/bcpsites/edudefault/micrositesfiles/idtheftdocuments/downloadsreports/federal-trade-commission-identity-theft-program/synovate_reportsynovatereport.pdf| publisher=[[Federal Trade Commission]]| date=September 2002| access-date=5 January 2024}}</ref><ref>{{webarchiveCite web|url=https://webwww.archiveftc.orggov/webreports/20080516094455/httpfederal-trade-commission-2006-identity-theft-survey-report-prepared-commission-synovate|archiveurl=https://wwwweb.ftcarchive.govorg/bcpweb/edu20080911044311/microsites/idtheft/downloads/synovate_report.pdf |date=May 16, 2008 }}</ref><ref>[http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf |url-status=dead|title=Federal Trade Commission: 2006 Identity Theft Survey Report: Prepared for the Commission by Synovate|date=1 (November 2007)] {{webarchive |url=https://web.archive.org/web/20080911044311/http://www.ftc.gov/os/2007/-date=11/SynovateFinalReportIDTheft2006.pdf September 2008|datewebsite=SeptemberFederal 11, 2008Trade Commission}}</ref> The Commissioncommission's 2003 estimate was that identity theft accounted for some $52.6 billion of losses in the preceding year alone and affected more than 9.91 million Americans;<ref>{{cite web |url=http://www.ftc.gov/opa/2003/09/idtheft.shtm |title=FTC.gov<!-- Bot- generated title --> |url-status=dead |archive-url=https://archive.today/20120731/http://www.ftc.gov/opa/2003/09/idtheft.shtm |archive-date=31 July 2012 }}, releases Survey of Identity Theft in U.S. 27.3 Million Victims in past 5 Years, Billions in Losses for Businesses and Consumers</ref> the figure comprises $47.6 billion lost by businesses and $5 billion lost by consumers.

According to the [[Bureau of Justice Statistics|U.S. Bureau of Justice Statistics]], in 2010, 7% of US households experienced identity theft - up from 5.5% in 2005 when the figures were first assembled, but broadly flat since 2007.<ref name="Bureau of Justice Statistics">{{cite web | url=http://bjs.gov/content/pub/pdf/itrh0510.pdf | title=Identity Theft Reported by Households, 2005-2010 | publisher=Bureau of Justice Statistics | year=2011 | accessdate=2013-06access-date=24 June 2013}}</ref> In 2012, approximately 16.6 million persons, or 7% of all U.S. residents age 16 or older, reported being victims of one or more incidents of identity theft.<ref>Harrell, Erika and Lynn Langton. (2013). [http://www.bjs.gov/content/pub/pdf/vit12.pdf Victims of Identity Theft, 2012.] {{webarchive |url=https://web.archive.org/web/20160907043423/http://www.bjs.gov/content/pub/pdf/vit12.pdf |date=7 September 7, 2016 }} Washington, D.C. [[United States Department of Justice|U.S. Department of Justice]], [[Bureau of Justice Statistics]].</ref>

TwoAt least two states, [[California]]<ref>{{cite web |url=http://www.privacyprotection.ca.gov/ |title=California Office of Identity Protection |access-date=2009-01-08 |archive-date=2012-08-05 |archive-url=https://archive.today/20120805/http://www.privacyprotection.ca.gov/ |url-status=dead }}</ref> and [[Wisconsin]]<ref>{{citeCite web |url=httphttps://privacydatcp.wi.gov/ Pages/Programs_Services/IdentityTheft.aspx|title=Wisconsin'sDATCP OfficeHome ofIdentity PrivacyTheft Protection|website=datcp.wi.gov|accessdate=25 December 2023}}</ref> have created an Office of Privacy Protection to assist their citizens in avoiding and recovering from identity theft.

In 2009, Indiana created an Identity Theft Unit within their Office of Attorney General to educate and assist consumers in avoiding and recovering from identity theft as well as assist law enforcement in investigating and prosecuting identity theft crimes.<ref>{{cite web|url=http://www.in.gov/legislative/ic/code/title4/ar6/ch13.pdf |title=ArchivedIndiana copyGeneral Assembly |accessdateaccess-date=3 October 2013-10-03 |deadurlurl-status=nolive |archiveurlarchive-url=https://web.archive.org/web/20131004215445/http://www.in.gov/legislative/ic/code/title4/ar6/ch13.pdf |archivedate=2013archive-10-04 |dfdate=4 October 2013 }}</ref><ref>{{cite web |url=http://www.in.gov/attorneygeneral/2853.htm |title=Attorney General: ID Theft Prevention |publisher=In.gov |date=6 December 2013 |access-12-06date=24 January 2014 |accessdatearchive-date=11 January 2014 |archive-01url=https://web.archive.org/web/20140111062848/http://www.in.gov/attorneygeneral/2853.htm |url-24status=dead }}</ref>

In Massachusetts in 2009-20102009–2010, Governor [[Deval Patrick]] made a commitmentcommitted to balancebalancing consumer protection with the needs of small business owners. His Office of Consumer Affairs and Business Regulation announced certain adjustments to Massachusetts' identity theft regulations that maintain protections and also allowsallow flexibility in compliance. These updated regulations went into effect on 1 March 1, 2010. The regulations are clear that their approach to data security is a risk-based approach important to small businesses and might not handle a lot of personal information about customers.<ref>[http://www.mass.gov/?pageID=ocatopic&L=3&L0=Home&L1=Consumer&L2=Identity+Theft&sid=Eoca "Consumer Identity Theft"]. Commonwealth of Massachusetts, 2010 {{webarchive |url=https://web.archive.org/web/20111105045936/http://www.mass.gov/?pageID=ocatopic&L=3&L0=Home&L1=Consumer&L2=Identity+Theft&sid=Eoca |date=5 November 5, 2011 }}</ref><ref>[http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf "Frequently Asked Question Regarding 201 CMR 17.00"] {{webarchive |url=https://web.archive.org/web/20110811054640/http://www.mass.gov/Eoca/docs/idtheft/201CMR17faqs.pdf |date=11 August 11, 2011 }}, Commonwealth of Massachusetts, Office of Consumer Affairs and Business Regulation, 3 November 3, 2009</ref>

The [[Internal Revenue Service|IRS]] has created{{when|date=August 2017}} the IRS Identity Protection Specialized Unit to help taxpayers' who are victims of federal tax-related identity theft.<ref>{{cite web|title=Taxpayer Guide to Identity Theft|url=httphttps://www.irs.gov/newsroom/article/0,,id=251501,00.html|work=IRS.gov|publisher=US Internal Revenue Service|accessdate=2012-06access-date=29 June 2012 }}</ref> Generally, the identity thief will use a stolen SSN to file a forged tax return and attempt to get a fraudulent refund early in the filing season. A taxpayer will need to fill out Form 14039, [httphttps://www.irs.gov/pub/irs-pdf/f14039.pdf ''Identity Theft Affidavit''].<ref>{{cite web|title=Form 14039|url=httphttps://www.irs.gov/pub/irs-pdf/f14039.pdf|work=IRS website|publisher=US Internal Revenue Service|accessdate=2012-06access-date=29 June 2012}}</ref><ref name="ALERT: Beware of Phishing Scam Mentioning TAS">{{cite web | url=http://www.taxpayeradvocate.irs.gov/Individuals/Identity-Theft | title=ALERT: Beware of Phishing Scam Mentioning TAS | publisher=Taxpayer Advocate | accessdateaccess-date=18 December 2014 | url-status=dead | archive-url=https://web.archive.org/web/20141218162516/http://www.taxpayeradvocate.irs.gov/Individuals/Identity-Theft | archive-date=18 December 2014 }}</ref>

MostMany states followed California's lead and enacted mandatory [[data breach notification laws]]. As a result, companies that report a data breach typically report it to all their customers.<ref>{{cite web |url=http://www.naag.org/states-offer-data-breach-protection.php |title=States Offer Data Breach Protection |url-status=dead |archive-url=https://archive.today/20120913/http://www.naag.org/states-offer-data-breach-protection.php |archive-date=13 September 2012 }}, NAAG</ref>

The 2003 survey from the Identity Theft Resource Center<ref>{{citeCite web |url=httphttps://www.idtheftcenter.org /|title=IDtheftcenter.orgHome Page|website=ITRC|accessdate=25 December 2023}}</ref> found that:

In a widely publicized account,<ref>{{cite web |url=http://www.privacyrights.org/cases/victim9.htm |title=Verbal Testimony by Michelle Brown |url-status=dead |archive-url=https://archive.today/20120921/http://www.privacyrights.org/cases/victim9.htm |archive-date=21 September 2012 }}, July 2000, U.S. Senate Committee Hearing on the Judiciary Subcommittee on Technology, Terrorism and Government Information{{spaced ndash}}"Identity Theft: How to Protect and Restore Your Good Name"</ref> Michelle Brown, a victim of identity fraud, testified before a U.S. Senate Committee Hearing on Identity Theft. Ms. Brown testified that: "over a year and a half from January 1998 through July 1999, one individual impersonated me to procure over $50,000 in goods and services. Not only did she damage my credit, but she escalated her crimes to a level that I never truly expected: she engaged in drug trafficking. The crime resulted in my erroneous arrest record, a warrant out for my arrest, and eventually, a prison record when she was booked under my name as an inmate in the Chicago Federal Prison."

In [[Australia]], identity theft was estimated to be worth between A$1billion and A$4 billion per annum in 2001.<ref>[http://www.acpr.gov.au/research_idcrime.asp Identity Crime Research and Coordination] {{webarchive |url=https://web.archive.org/web/20051230021614/http://www.acpr.gov.au/research_idcrime.asp |date=30 December 30, 2005 }}, Australasian Center for Policing Research. Retrieved 30 June 30, 2006.</ref>

In the United Kingdom, the Home Office reported that identity fraud costs the UK economy £1.2 billion annually<ref>{{cite web |url=http://www.identitytheft.org.uk/ |title=What is Identity theft? |author=[[Home Office]] |date=May 26, May 2004 |work= |publisher=identitytheft.co.uk |accessdateaccess-date=September 27, September 2010 |author-link=Home Office }}</ref> (experts believe that the real figure could be much higher)<ref>{{cite web |url=httphttps://identity-theft.weeblybestidprotection.com/whatguides/10-isways-it.htmlto-prevent-identity-theft/ |title=Free help, tips and advice on avoiding and dealing with Identity Theft |authorwebsite= bestidprotection.com|date=9 |work=February |publisher=identity-theft.weebly.com |accessdate=2022 }}</ref> although privacy groups object to the validity of these numbers, arguing that they are being used by the government to push for introduction of [[British national identity card|national ID cards]]. Confusion over exactly what constitutes identity theft has led to claims that statistics may be exaggerated.<ref>{{cite web |url=http://www.schneier.com/blog/archives/2005/11/identity_theft.html |title=Identity Theft Over-Reported |author=[[Bruce Schneier]] |access-date=30 |work=June |publisher=2006 |accessdateauthor-link=JuneBruce 30, 2006Schneier }}</ref>

An extensively reported<ref>{{cite news |url=httphttps://www.bbc.co.uk/news/technology-13726085 |title=Hi-tech crime and sexual partner surveys 'biased' |author= |date= 10 June 10, 2011|work= |publisher= BBC|accessdate= }}</ref><ref>{{cite news |url=http://www.economist.com/node/21532263 |title=Measuring the black web |authordate= |date=15 October 15, 2011|work= |publishernewspaper= The Economist|accessdate= }}</ref> study from Microsoft Research<ref>{{cite web |url=http://research.microsoft.com/pubs/149886/SexLiesandCybercrimeSurveys.pdf |title=Sex, Lies and Cybercrime Surveys |first1=D. |last1=Florencio |first2=C. |last2=Herley |date=June |work=2011 |publisher= Proc. WEIS|accessdate=}}</ref> in 2011 finds that estimates of identity theft losses contain enormous exaggerations, writing that surveys "are so compromised and biased that no faith whatever can be placed in their findings."

{{colbegin||27emdiv col}}

*=== [[GhostingTypes (identityof fraud and theft)]] ===

{{Reflist|230em}}

{{commonsCommons category}}

* [https://web.archive.org/web/20070401000301/http://www.msnbc.msn.com/id/17805134/ Dateline NBC investigation] 'To Catch an ID Thief'

* {{cite news|title=Transcript of Attorney General Alberto R. Gonzales and FTC Chairman Deborah Platt Majoras Announcing the Release of the President's Identity Theft Task Force |date=April 23, April 2007 |url=http://www.usdoj.gov/ag/speeches/2007/ag_speech_0704231.html |archive-url=https://archive.istoday/20070911112747/http://www.usdoj.gov/ag/speeches/2007/ag_speech_0704231.html |deadurl-urlstatus=yesdead |archive-date=September 11, September 2007 |work=US Department of Justice |pagesaccess-date=24 April |accessdate=2007-04-24

* {{cite news |url= httphttps://abcnews.go.com/US/wireStory/woman-prison-time-total-identity-theft-18809034 |title=Woman Gets Prison Time in 'Total Identity Theft' - ABC News |first=Hegeman |last=Roxana |work=ABC News |date=March 25, March 2013 |accessdateaccess-date=March 27, March 2013}}