The headlines are enough to make you swear off eBay (EBAY) and lock your wallet in a safe-deposit box. Supposedly trustworthy companies like LexisNexis, Time Warner (TWX), ChoicePoint, (CPS) and Wells Fargo (WFC), admit that the records of their customers or employees have fallen into the wrong hands. In one case, thieves break into a Midwest office of American International Group (AIG)and steal a computer server containing personal data on 930,000 employees of companies seeking medical coverage. And in the Big Kahuna of identity theft, a laptop containing Social Security numbers and other sensitive information for nearly 29 million active and former military personnel is stolen from a Veterans' Affairs Dept. staffer's home in suburban Maryland.
All told, as many as 88 million Americans -- more than one in four -- had digital data exposed in the past 18 months. With each report, the feeling of helplessness grows. As George Anderson, a 74-year-old U.S. Navy vet and potential victim of the VA caper, puts it: "Here we go again."
But for all of the drama over ID theft, what is not often pointed out is how rarely it results in actual financial loss for consumers. There's reason to believe that the actual losses may be a little more than a tenth of the $48 billion annual estimate that often gets thrown around. In fact, at the same time that regular folks are getting the wits scared out of them about security breaches, experts in the field are growing less worried about the impact. Law enforcement officials, who braced for a wave of financial fraud following all those well-publicized incidents, admit they've been struck by the lack of follow-through by criminals. "What we've seen has not been significant," says Daniel Larkin, who heads the Internet Crime Complaint Center for the FBI. "Given the high profile, we would have expected to have seen more."
What gives? For one thing, it's not that easy to convert stolen data into dollars. The media frenzy surrounding each security breach has helped put consumers and merchants alike on the alert; once notified, many victims quickly get on the horn with their bank or credit-card company. Also, some of the purloined data from corporate and government computer systems are encrypted, password-protected, or at least require specific software to open. They aren't easily accessible. That appears to be the case with the VA records, which officials have noted were in a database format that would be hard to read.
Of course, anytime you lose your personal information to a stranger it feels like a big deal, regardless of how it's used. You don't have to tell that to anyone who has spent a day canceling credit cards or having a driver's license replaced. And for corporations, the ease with which criminals and vandals can crack into their computer systems is hugely worrisome. More than three-quarters of companies recently surveyed by Deloitte Touche Tohmatsu said they had suffered a security breach from the outside, up sharply from the 26% that said they had suffered one when polled in 2005. But even for companies, it's hard to find specific examples where hacking resulted in substantial financial losses. "Theft of information is out of control, but use of that information to commit fraud is not out of control," says Avivah Litan, senior analyst at Gartner (IT) Inc., a research outfit based in Stamford, Conn.
BANKS BEAR THE BRUNT
The truth is, in the great majority of cases involving consumers, criminals don't have enough data with which to commit a crime. Consider the findings of a study conducted late last year by ID Analytics Inc., a San Diego firm that provides fraud detection services to a wide roster of clients, including six of the nation's 10 largest banks. ID Analytics analyzed four high-profile security breaches, which exposed the records of 500,000 consumers. (It declined to identify the companies involved, except to say they included two retailers and a bank.) Millions of transactions were examined for suspicious activity, using technology that can spot anomalies such as a Social Security number being used by more than one individual. ID Analytics concluded that the highest rate at which victims' personal data were misused in the four breaches it studied was just 0.09%, or roughly one in 1,020 individuals. Mike Cook, ID Analytics' co-founder, notes that rate lags far behind the 4% of Americans who said they had been the victim of financial fraud or identity theft in the latest survey by Javelin Strategy & Research.
If anyone were going to get hit, you would think it would be banks. They bear the brunt of most ID-theft losses, thanks to their "zero liability" policy of indemnifying holders of credit and debit cards. Yet card fraud not only hasn't risen in the past 10 years, but it's dropping. Jean Bruesewitz, senior vice-president of processing and emerging products for Visa USA Inc., notes that in relative terms fraud losses have declined sharply, from 19 cents for every $100 of credit-card spending in 1991 to just 7 cents per $100 of spending in the first quarter of this year. Bruesewitz estimates that no more than 2% of all credit-card and debit accounts exposed in a security breach have seen any unauthorized spending as a result.
One explanation is that banks have implemented sophisticated screening systems that can now monitor purchases and new account applications in real time. Visa has developed algorithms that provide its member banks with a rating of the odds that every individual transaction is fraudulent, based on a variety of criteria, including whether the account was among those exposed in a recent security breach, notes Bruesewitz. Similarly, MasterCard (MA) International now employs technology that enables its member banks to spot questionable spending patterns in time to decline the transactions.
Using that sort of sophisticated technology, MasterCard can compare purchases made on one bank's card with other transactions to spot broader patterns of criminal behavior: Joshua L. Peirez, group executive in charge of global public policy for MasterCard, notes that some thieves establish bogus retailer accounts and then try out credit-card numbers by charging a nominal amount, before making bigger purchases. "We can now spot those type of transactions almost instantly," says Peirez.
As a result, some security experts question whether actual losses from identity theft and financial fraud come anywhere close to the $48 billion in losses cited in many media reports from a 2003 study by the Federal Trade Commission based on phone interviews with roughly 4,000 individuals. To get that figure, the FTC simply toted up the number of individuals who said they suffered losses in the past year, multiplied that by the average of what they said they lost, and extrapolated for the U.S. population. Fred H. Cate, a law professor and director of Indiana University's Center for Applied Cybersecurity Research, notes that if the estimate were accurate, it would wipe out up to half of the banking industry's $103 billion profits in 2005. "If those numbers were true, we'd have a banking crisis on our hands," he says.
A more realistic figure for losses to identity theft and related fraud may be the $3.2 billion that consumers say they lost over the prior six months, according to a study of 40,000 households conducted in the second half of 2004 and released this past April by the Bureau of Justice Statistics. Most other studies of card fraud, including an annual survey by The Nilson Report, peg the bank industry's annual losses at about $1.1 billion -- a far cry from $48 billion.
Perhaps the most spooky thing about the ID-theft scare is that chances are high the data weren't stolen by some shadowy hacker in Estonia, after all, but someone very close to you. Fully one-fourth of the respondents in the 2003 FTC study who had been the victim of a financial fraud said they knew who had committed the crime, and in half those instances the perpetrator turned out to be a friend, relative, or neighbor.
By Dean Foust, with Sonja Ryst in New York