Most people know someone who has been a victim of identity theft. I personally have had my debit card number stolen by a card skimmer at a gas station. The thief was only able to use it for a couple of small purchases before my bank flagged my account and notified me. The bank immediately refunded the money and shut down the card, but I was forced to wait for a new card to arrive in the mail. I was lucky. Many victims of identity theft do not get off so easily. According to the Bureau of Justice Statistics (2021, p. 1), about 16.3 million people lost an estimated $15.1 billion in 2018 alone. These numbers are staggering, but the additional cost of emotional distress and damaged relationships cannot be expressed in numbers. Many people, including myself, never think this could happen to them, or they believe they are too savvy to fall into a thief’s trap. The truth is, the more we use the internet to conduct business or communicate with loved ones, the more we are at risk. Unless we take the threat of identity theft seriously, we will most likely become one of those statistics. The good news is, there is a solution. In order to significantly reduce the threat of identity theft and fraud, businesses need to improve how they protect our information, our government should implement legislation enforcing information security best practices, and most importantly we as consumers need to educate ourselves and become more aware of the current threats to information security.

Identity theft and identity fraud are broad topics covering a variety of threats and types of crimes. According to the Federal Trade Commission Consumer Advice website, “Identity theft is when someone uses your personal or financial information without your permission” (Federal Trade Commission Consumer Advice, 2021). This could include using a stolen credit card number, using someone else’s name to sign up for a credit card or other service, or using someone’s name and social security number to file their taxes and steal the refund. Identity theft has always been a problem, but with the introduction of the internet it has grown exponentially. In the past, a criminal would have to physically steal your checkbook to gain access to your bank account. Today they can hack into a company’s database and gain access to thousands of credit or debit cards at once, and they do not have to leave home to do it. Bad actors also use a technique called “social engineering” in which they gather as much publicly available information about a target as possible, then use that information to gain access to more sensitive information. One example of this is a “phishing attack” where the victim receives an email concerning a work emergency or loved one in trouble requesting immediate assistance. The email is convincing because it may include your boss or loved one’s name or other personal information. The psychological name for this is an “amygdala hijack” (Buzzard, 2022, p. 14), because it preys on the reduced ability to think clearly in a panicked or “fight or flight” state which the amygdala part of the brain controls. This is just one example of how seemingly insignificant information can be used in an attack and how the solution will need to involve the consumer as well as government and businesses.

The complex and rapidly evolving nature of identity theft will require new and equally evolved solutions. In the early days of the internet, having a username and password was considered good enough if you did not share it with anyone or write it down where it could be found. That is no longer the case. A recent study based on multiple focus groups, which included industry insiders working to prevent identity theft and fraud, found that knowledge-based authentication (i.e. username and password) was ineffective, “because information used for authentication also has been stolen and can be used to commit identity theft” (Piquero et al., 2021, p. 450). To improve log-in security, two-factor authentication has been widely adopted, but it usually remains optional for users. Chipped credit cards have also become a necessity to combat the prevalence of increasingly hard-to-spot card skimmers. Behind the scenes, the industry has needed to implement significant changes in encryption standards and new innovations in cyber-defense to resist hacking attempts. The most important thing learned over the years is that there is no “silver bullet” to stop identity theft; it will take a combination of techniques and the cooperation of multiple parties. In the end our data will most likely never be 100% safe, but that does not mean we should do nothing.

One potential solution would be the introduction of government legislation that defines what personal information businesses can collect and how they store and use that information. Representative Ro Khanna from California has proposed what he calls an “Internet Bill of Rights” (Khanna, 2018). These rights include requiring “opt-in” consent before businesses can collect and use your data. The bill also establishes that the data is still a user’s property even after consent and requires that those collecting it apply “reasonable business practices and accountability to protect your privacy” (Khanna, 2018). These ideas are a good start, but there are many details left out. For example, how will these rights be enforced, or what does “reasonable business practices” mean? This approach is not enough. One idea for legislation would be to expand the scope of existing laws like the Health Insurance Portability and Accountability Act (HIPAA) to include all companies that collect and store their users’ information. This would help protect the seemingly insignificant information, which can be used to gain access to other more sensitive information.

As previously mentioned, the idea of businesses adopting reasonable business practices would also help reduce identity theft, but they need to be well defined. Most large corporations already follow some kind of best practices model along with any applicable laws pertaining to data security. The issue is with small and medium-sized businesses. For example, your local pizza shop probably has your name, phone number, and home address saved to a hard drive on a computer that is connected to the internet. Small businesses like this do not have the knowledge or financial ability to adequately protect your data, and having some kind of best practice model would go a long way to protect that data. There are many examples of best practice models already in existence, one of which is the Cybersecurity Framework developed by the National Institute of Standards and Technology, or NIST for short. As stated on their web site, “the Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk” (National Institute of Standards and Technology, 2023). The NIST model is detailed and complex and would go a long way toward protecting users’ data, but a simpler model may be needed to ensure better adoption. The point is that making cyber-security tools accessible to businesses lacking special knowledge or large budgets would dramatically improve information security.

The best solution in my opinion, and the only one that consumers have direct control over, is self-education and awareness. The rapid adoption of the internet and evolution of technology used to access it has left many people confused and uninformed about the risks that go along with using it. Research has shown that outreach and awareness campaigns directly correlate to reductions in losses due to identity theft (Buzzard, 2022, p. 9). I would propose a national ad campaign sponsored by the government and financial institutions that would educate people about the costs of identity theft and how to help protect themselves. This campaign should remain in effect and continuously evolve over the years to keep consumers informed. The Federal Trade Commission has a good start with their Consumer Advice website, but most people do not know it exists. They need to broadcast tips and facts regarding identity theft and entice people into learning more.

As a way of getting this process started, I will give my top three recommendations for protecting your information online. First, never share information that you are not willing to lose. When asked for information, question the necessity for it and consider not using the service that is requesting it. Also, never share sensitive information like social security or credit card numbers by email, and only share them over the phone if you absolutely trust the recipient. Second, practice good “password hygiene.” Use long passwords that consist of random characters or words. According to BitWarden’s “Password Strength Testing Tool” (2023), a five-character password takes less than ten seconds to crack, while a twelve-character password would take three years. Never use the same password twice, and use a password manager to help remember them. Third, protect your payment methods. Do not allow an online retailer to store your payment information. It is more convenient, but believe it or not, the information is safer in transit at the time of purchase than it is stored on their server. Learn how to spot credit card skimmers at gas pumps and ATMs. If your card has a chip, you are safer, but be wary of machines that require you to swipe the card or completely insert it, as the magnetic strip is still vulnerable. It should also be obvious, but do not let a waiter, waitress, or anyone walk away with your card even if you “think” you know them. These three guidelines are simple to follow and should significantly help protect you from fraud.

Identity theft may sometimes seem like an insurmountable problem to solve. Like any big issue we face, if we break it down into smaller parts it becomes doable. State and federal governments need to improve protection requirements on businesses, small and medium-sized businesses need to learn about and adopt better security practices, and most importantly we as consumers need to take responsibility and learn to protect ourselves. It will take a team effort, but if we keep kicking the can down the road nothing will improve. For more information, I recommend visiting the Federal Trade Commission’s website at consumer.ftc.gov and the USA.gov Scams and Frauds pages at usa.gov/scams-and-frauds. To report identity theft, go to identitytheft.gov.

References

BitWarden, Inc. (2023). Password strength testing tool. https://bitwarden.com/password-strength/

Bureau of Justice Statistics. (2021). Victims of identity theft, 2018. Department of Justice, Office of Justice Programs. https://bjs.ojp.gov/library/publications/victims-identity-theft-2018

Buzzard, J. &. (2022). A practical guide for reducing identity fraud [White paper]. Javelin Strategy & Research. https://javelinstrategy.com/research/

Federal Trade Commission Consumer Advice. (2021, April). What to know about identity theft. https://consumer.ftc.gov/articles/what-know-about-identity-theft

Khanna, R. (2018, October 4). Rep. Khanna releases ‘Internet Bill of Rights’ principles, endorsed by Sir Tim Berners-Lee [Press release]. https://khanna.house.gov/media/press-releases/release-rep-khanna-releases-internet-bill-rights-principles-endorsed-sir-tim

National Institute of Standards and Technology. (2023, March 16). Cybersecurity framework getting started. https://www.nist.gov/cyberframework/getting-started

Piquero, N., Piquero, A., Gies, S., Green, B., Bobnis, A., & Velasquez, E. (2021). Preventing identity theft: perspectives on technological solutions from industry insiders. Victims & Offenders, 16(3), 444-463. https://doi.org/10.1080/15564886.2020.1826023