D5.2b: ID-related Crime: Towards a Common Ground for Interdisciplinary Research

Title: ECONOMIC ASPECTS

The financial impact of identity-related crimes from the perspective of the victims can be decomposed into five types: 

1. The economic cost most commonly measured or estimated is direct financial loss through identity fraud. The US Federal Trade Commission (Synovate, 2003) and a Report by the Gartner Group1 indicates that the damage of identity theft in the US amounts to around US $ 50 Billion in direct damage and an additional loss of approximately 300 million workhours for damage containment by the individuals. According to (Mitchison et al., 2004) comparable statistics for Europe do not exist, but equal amounts are to be expected. below gives different estimates for this figure from a range of sources.

Table . Estimates of identity fraud in the UK, USA and Canada

The Synovate report provides some data on the costs of ID theft in the US in 2002.

Table . Costs of ID theft in 2002/2003.

The sources for these figures stress that the numbers most likely under represent the true economic cost of identity fraud. Some costs are difficult to estimate exactly, or may occur years after the identity theft. Some costs are unreported, e.g. because companies do not want to damage their reputations with criminal proceedings, and some costs are undiscovered e.g. because they go unnoticed by victims. For this reason the figures in the table above are best seen as a lower bound on the direct economic cost.

1. Identity theft, which as discussed in section , is not currently an offence in itself in most countries, is often a facilitating step (breeder offence) for criminal activity. In some cases identity theft may be a necessary step for another crime. The total ‘cost’ of identity-related crimes should therefore include the cost of the theft, as well as those of the costs of the crimes it breeds. The costs of identity fraud itself may include, for instance, the cost of preventive revocation of credit card numbers after they have been stolen, as in the CardSystems case to prevent misuse of them. The misuse itself would constitute ID fraud costs. As noted previously, the numbers presented in the various studies usually do not make these distinctions.

2. Another type of indirect cost is the decrease in transaction volume due to a fear of identity fraud in online environments. Many consumers fear that their credit card details will be stolen and misused. This fear has, according to several surveys limited e-commerce growth (e.g. Ben-Ner and Putterman 2002). Though lost sales are very difficult to estimate, in the US alone the Federal Trade Commission reported an estimate of 2.8bn USD lost online retail sales for 1999. (Federal Trade Commission 2000). 

3. Costs are incurred in order to detect identity fraud and they are subsequently incurred for investigation and prosecution of each case. It is estimated that an investigation requires 400 hours of work on average (CIFAS 2004). In this category we could include the costs incurred by individual victims in resolving a case of identity theft or fraud, as mentioned in the previous section. 

4. A final indirect cost is the cost of improving security (of systems and processes) in order to fight against identity theft and fraud. This type of cost however contributes towards a reduction of identity theft and fraud in the future.  

Investment motivation 

To convince an organization (or better its management) to invest in better security, usually a business case reflecting the financial/business advantage has to be made. In this section we discuss how to motivate a company to take precautionary measures against ID-related crimes. Mitchison et al. (2004) assume that legislation is the most promising means as it would force all parties to comply. However, according to Zuccato (2004b), the urge for legal compliance is often not sufficient to convince enterprises to actually comply to the law. Legal compliance also depends on a company’s (a) estimation of the chances of being caught when not complying, and (b) the weighing of the cost to comply to the legislation versus the cost of the potential loss.

In our view a holistic approach to determine whether or not to invest in better security. To this purpose, we propose to use an adapted form of requirement engineering that is made suitable for the ID-related crimes/privacy domain. This approach relies on the assumption that requirements are derived from the risk analysis, business modelling and stakeholder domain.  

A view on risk analysis 

According to DIN 31000 (DIN, 1979) a risk is defined in the following way: “A risk (r) consists of the expected likelihood of a hazardous event (p) and the expected damage (e) of it.” The expected damage is inflicted on an asset which, due to its own value, determines the amount of expected damage.  

For an individual, her identity is the asset and its value is composed of the resources accessible through this identity. The asset, therefore, is a composite of values of other assets, given the likelihood that the asset can be accessed with the identity. Due to the “positive feedback” (Mitchison et al. 2004) of a successful committed ID abuse, we have to assume that the likelihoods are interdependent. We therefore have to assume conditional probabilities which imply that for value assessment we must use a Bayesian probability function. We have to make a simplification as the exponential runtime behaviour of Bayesian probability function make the practical application for a greater number of interdependent likelihood difficult. As a simplification we suggest to treat the assets as independent with the implication of dramatically reducing accuracy. This lack of accuracy needs to be compensated in the use of the results. When it comes to the organization to protect a customer/partner identity the determination of the asset and its value is not so straight forward. Various viewpoints need to be applied:

damage to the organization’s reputation 

damage from reduced customer trust (which is necessary to conduct business) 

damage due to the fraudulent abuse of stolen identities 

damage from legal prosecutions (Zuccato 2004b) 

By considering potential damage from a general perspective, it is possible to avert the asset approach and move towards a baseline approach. This makes the approach fit the requirement engineering approach proposed below. 

Requirement engineering 

To understand what protection requirements are necessary on a system to prevent ID-related crimes, the problem can be approached from an insurance and a business enabler perspective. The insurance perspective is usually covered by assessing the risk reduction that can be achieved by an investment.  

The FTC and Mitchison et al. (2004) indicated that customers are reluctant to use e-commerce because they are afraid of ID Theft. We assume that if this reluctance can be overcome, this would open new markets, and hence generate business benefits. This argument is supported by claims in the privacy debate by Frosch-Wilke (2001), Wright (1994), and Cate and Staten (1999) who say that its availability has the capabilities to improve customer retention, customer profitability and customer acquisition. These observations for privacy apply, in our view, to ID-related crimes as well, as the types of fear and lack of trust has similar grounds.

To foster both perspectives, a holistic requirement engineering approach which takes them into account, is necessary. In (Zuccato, 2004a) a process to elucidate holistic security requirements, is proposed, see .

Figure . Requirement engineering process

This process argues that it is necessary to elicit requirements from three foci: internal, external and the risk analysis described above. The traditional process of eliciting requirements can be adopted to suit our purpose as follows. 

The internal focus, with an emphasis on business, has to modify and enable the business process for ID Theft protection. This means that in the business process the need for personal information, and where it must be processed, has to be identified. The business units which have such a demand include Customer Relation Management (needs personal information to serve better), Marketing (want personal information to conduct direct marketing) and Security, Audit and Control (wants to assign people to (malicious) actions). This identification of needs has to lead to a statement about the appropriate protection.  

The second focus means taking external sources for ID Theft requirements into account. This enables a social and business treatment of the problem. According to Zuccato (2004a) this approach relies on stakeholders. For ID Theft, this could mean (non-exclusively) Individual Customers, Customer Protection Organizations, Privacy Protection Organizations, the Legislature and Law Enforcement as important stakeholders. Except for the customer and the legislative stakeholder, we suggest workshops as the primary means to elucidate the external requirements. For the customer, we suggest interviews and surveys as the primary means, and for the law and legislature, we propose literature research. Those approaches are described in Zuccato (2004a).  

Concerning risk analysis, the third and last focus area, we suggest using the risk analysis approach presented above. Due to its simple and baseline like character this approach is suitable within a privacy requirement engineering scenario. In respect to the second phase, compilation and prototype, (Zuccato 2004a) assumes no difference between security and privacy requirement engineering.  

Difficulties in countering identity fraud 

There are several economic reasons why identity theft and fraud are difficult to tackle. One problem is the moral hazard in the securing of identity information. For instance, perverse incentives arise when the party that is in a position to protect a system is not the one who suffers the consequences from a security failure (Anderson 2001). There are several examples of this in the field of identity-related crimes. For example, many credit card companies and banks will reimburse consumers for fraudulent transactions, provided the consumer has taken certain elementary precautions. The cost of this kind of fraud resolution is passed back to the consumer indirectly, in the form of higher service charges for companies (shops), who of course pass these charges on to the customers through higher prices for their goods and services. There is no direct cost to the consumer, and hence no direct incentive to take every possible measure against information theft. 

Moral hazard can also be seen on the part of companies that send out pre-completed application forms for bank accounts or credit cards to home addresses of their (prospective) customers. Junk mail such as this is a common source of personal information for identity thieves but the disastrous consequences fall on the individual, rather than the company responsible for creating the opportunity for ID theft and ID fraud. A similar example is the recent case of a nationwide identity theft in the US. Commercial information companies inadvertently sold personal data, including social security numbers, to impostors posing as business officials. Though the onus should have been on the companies to carry out more background checks on their clients before selling the personal information, in practice there was little incentive to do so. So, again, the burden of the cost rests not on the shoulders of the origin of misuse, but on the innocent victims.

A second problem arises from the disparity between people’s stated concern for the privacy of their personal details and the level of action they will take in order to ensure it. Acquisti (2002) points out that the negative utility which may occur as a result of identity theft is almost impossible to calculate. Potential outcomes could be catastrophic for an individual (losing one’s job, criminal prosecution, etc.), but the probabilities of these events are low. Furthermore, individuals tend to place an increasing discount rate on risks the further they occur in the future Rabin and O’Donoghue, (2000).  This implies a myopic outlook and a bias for present gratification. Therefore, a paternalistic rationale for intervention exists: individuals do not take the precautions they would take if they were able to rationally estimate the negative utility of failing to secure their personal information.

A third, and novel, challenge is posed by the spread of digital communications. The same benefits that make the Internet attractive to individuals and companies alike, namely the speed and efficiency of communications and transactions, also make it a valuable tool for identity thieves. Phishing emails provide a good example. It is possible that individuals who give away their banking details to a spoofed website would similarly respond to a fraudulent phone call or letter. Yet, cold-calling large numbers of people is prohibitively expensive for potential fraudsters. Also, phone calls are easier to trace. On the internet, even a very low response rate to phishing scams (up to 5%) is an economically efficient way of targeting potential victims. The marginal cost of sending an email is next to zero and the potential gains if the victim responds are high.

Electronic media also enable scams to be set up inexpensively with basic technical knowledge. Many consumers have become accustomed to Internet shopping and will hand over payment details with relative ease. A professional-looking website can be set up by a single individual and can reach people worldwide. The ease with which a website can be set up also assists fraudsters in corporate identity theft, e.g. by using a similar domain name and imitating a genuine company’s site. The examples of corporate identity theft described earlier bear testament to this.  

It is undesirable to greatly limit the benefits of an increasingly networked world in order to prevent theft and fraud. Yet, policy makers do have a role in ensuring that proper incentives exist for companies that collect and hold personal data on individuals to safeguard it well. General countermeasures against ID-related crimes are discussed further in chapter 6.