Shostack + Friends Blog Archive


ID Theft and the 18-24 Set

Matt Rose has an interesting post, “What is Higher Education’s Role in Regards to ID Theft?:”

A recent study by the US Justice Department notes that households headed by individuals between the ages of 18 and 24 are the most likely to experience identity theft. The report does not investigate why this age group is more susceptible, so I’ve started a list…

It’s worth looking at. I’ve suggested the random slinging of SSNs about as part of the applications process, but would like to add applications to rent property. The stock forms demand absolutely everything you need to steal an identity, with the possible exception of mother’s maiden name. The maiden name is more useful for account-takeover fraud, which is less damaging to young people, since they’re unlikely to have rich accounts to drain.

2 comments on "ID Theft and the 18-24 Set"

  • Chris Walsh says:

    Maybe they:
    engage in more credit transactions?
    patronize establishments/vendors who are more likely to treat their PII poorly? (like universities!)
    have had less time to learn “sophisticated” PII-management?
    have less to lose, and act that way?
    aren’t as risk averse as us old farts?
    All I know is, I lost my PII (to my knowledge) exactly once, and it was when somebody stole my wallet at a party when I was in college. Luckily, I didn’t carry my social security card (why bother? I knew the number).

  • Data! Yippee! Thanks for catching this, I missed its announcement. First, explanations, then an analysis of the report. [Sorry, this is long]
    1) I think the ITRC’s Aftermath study noted that many victims knew the perpetrator, who had access to mail, files, etc. Young people have roommates who have unfettered access and often few strong social ties.
    2) Young people also move more often. Mailing lists may lag, sending credit offers and PII to strangers. I seem to recall a claim that mail forwarding itself has been documented as a potential source of fraud.
    3) More lines of open credit. Building on Matt and Chris’ point, if I have more cards, a constant rate of fraud on any account leads to higher fraud rates.
    Now, comments on the DoJ report. I am tempted to crack the spreadsheets myself, but am a little too busy, so just from the report:
    First is the old chestnut of lumping credit card fraud in with impersonation fraud. Of the total projected 3.5 million instances of “ID theft”, 1.7 million are unauthorized use of existing cards, .9 million are other accounts includng “wireless telephone account, bank account or
    debit/check cards”. Using personal information to obtain NEW credit/loans/etc was only 538,000.
    The survey in the appendix from the NCVS shows that the multiple episode question (45d) was offered *seperately* from the three forms of fraud mentioned above (45c{a-c}). In the report stats, they are summed together. I hope that they calculated that seperately for Table 1 of the report, which adds another 417,000 to the fraud victims.
    NCVS relies on self-reporting, which requires identification of the crime and understanding of it. There could well be an age bias for detection. On the other hand, such a bias would probably spill over into 25-36. I’m also curious about how they weighted for young people, compensated for cell phones, etc. Generally, though, NCVS is regarded highly by criminologists, or at least by my friend here who does that sort of thing.
    It would be nice to have the age crosstabs, but I don’t think NCVS allows access to dissaggregated data. (Conflict of interest in being a privacy researcher… )
    Finally, the harms of ID theft. A very interesting note on p.3 — only 1/3 of respondents reported any harms from ID theft. This suggests that, perhaps, a strategy of poor data protection may be a socially efficient means of dealing with PII if data protection is very expensive, since the number of victims with identified harms is relatively low. We do not know the effective harms of the most popular answer, “contacted by a debt collector or creditor”. Economic harms, such as “fee paid” are not included. On the other hand, 2/3 of the population took at least two days to resolve the problem, so perhaps the harms were not fully captured.
    The survey does not specify incidence of economic harm. The only monetary question in the survey is “What was the total dollar amount of the credit, loans,
    cash, services, and anything else the person obtained
    while misusing” (45e). We have no way of knowing how much of that expense was directly borne by the victims. (From the preceding paragraph, less than a third had indirect harms.) Still, based on the survey questions, the claim “Most households incurred a monetary loss as a result of the identity theft” is highly misleading.
    I have an abstract accepted for TPRC in the fall where I hope to tackle how data leakage affects ID theft, and would love more discussion of this.

Comments are closed.