eighteenseventyonelimited1© 2006 1871 ltd identity theft bcs north london branch stefan fafinski...

1 © 2006 1871 Ltdeighteen•seventy•one•limited

Identity theftBCS North London Branch

Stefan Fafinski and Emily Finch28 November 2006

eighteen•seventy•one•limited2 © 2006 1871 Ltd

Agenda

• What is identity theft?– What is identity?

• Strategies of adaptation and diversification– The role of organised crime– Sources of information– A very personal harm

• The transformative nature of new technology

• The legal response• Conclusions


What is identity theft?


What is identity?

Personal identity

Social identitySocial

identitySocial identitySocial

identitySocial identity

Legal identity

• Personal identity• Social identity• Legal identity


Personal identity

• Personal identity– Internalised view– ‘I am …’– ‘What most of us think

of when we think of the deepest and most ensuring features of our unique selves that constitute who we believe ourselves to be’ (Williams, 2001)


Social identity

• Social identity– Externalised view– ‘How do you see me?’– Multiple social identities– A necessary convenience to facilitate social

interaction (Jung, 1988)


Legal identity

• Legal identity– Accumulation of social facts– Established at birth and expands throughout

life – Details can be added but not removed– About identifiability rather than identity

• ‘Who is this person?’• ‘Is this the same person?’


Classifications of identity

Personal Born the illegitimate son of a Polish immigrant and a one-legged telephonist…

Social LawyerReading FC bigotDonkey sanctuary chairman

Legal NI number: ZR 76 23 18 CNHS number: 403217987Driving licence: FAFIN etc.


Chronology of legal identity

Birth certificate: name, place, date, parents

Health records

Education

NI; Employment

Financial records

Marriage

Credit historyMortgage

Children

Criminal record

Professional qualifications

Death


What is identity theft?

• Not a legal term– Identity theft will only be criminal if the fraudster’s

conduct falls within the boundaries of the criminal law

• Liability depends what is done in the new identity– Around 150 common law and statutory deception

offences• Socially – synonymous with financial fraud

• Initial acquisition of identity• Unlawful act using that identity

• How should it be conceptualised?– Appropriation of another’s identity (living or dead)

irrespective of purpose or motivation


What does it mean for identity to be stolen?

• Media construction of identity theft creates a misapprehension that it is a two-stage process:– Assumption of identity of another– Commission of a substantive offence using that identity,

generally financial fraud• Identity theft has come to be synonymous with credit

card fraud


Strategies of adaptation and diversification


Fraudsters’ responses to change

• With the advent of new developments to prevent fraud, fraudsters desist, adapt or diversify:– Cheques– Cheque guarantee cards– Credit cards– Switch and electronic transactions– Chip and PIN


Fraudsters’ response to Chip and PIN

• Desist– None of the fraudsters interviewed in the 2-

year study planned to stop• Adapt

– Stolen cards abroad– Distance transactions– Buy cards only with PIN numbers

• Diversify– Steal identity and obtain fresh cards


An incomplete picture of the problem

• Other criminal purposes– Harassment– Bullying– Sham marriages– Driving offences

• Non-criminal purposes– Multiple relationships– Acceptable use of

alternate identity


A ‘spare’ identity for motoring purposes

• 1,400 fraudulent driving licence applications detected by the DVLA (2001)

• Over 3,000 driving tests stopped due to doubts over driver’s identity (2001)

• Somali bus driver took 200 bogus driving tests (Daily Mail, 26th September 2006)


Psychological suicide

• 210,000 adults go missing in UK every year, many never return

• 2 men vanish every day• Fake suicide provides opportunity for

fresh start


Cleaning a deviant identity

• Invisible man fakes death in Paddington rail crash (The Times, 6th February 2000)


Creating a more favourable persona

• The Earl of Buckingham– Impostor took name of

deceased child ‘Christopher Edward Buckingham’

– Adopted title last used in 1689

– Imprisoned under assumed name as impossible to establish ‘real’ identity


Creating a more favourable persona

• ‘Sir Alan Mcilwraite KBE DSO MC’ modified own identity

• Added progressively more honour and outlandish detail

• Fabricated substantiating evidence

• Worked in a Dell call centre


The role of organised crime

• Four distinct ‘organised’ typologies– Highly-organised, structured and hierarchical

systems– Semi-structured networks of fraudsters operating

co-operatively– Small organisations with a simple power

delineation– Small self-contained operations that typically

involve between one and four individuals• Plus

– Freelance experts• Including ‘identity brokers’


Sources of information

• ‘Obvious’ sources– Electoral roll, Companies House, Land Registry

• Online sources– Chat rooms– Professional bodies– Social networking sites– Online auction sites– Email (impersonating target)

• Offline sources– Conversation with target– Conversation purporting to be target– Office paperwork and personnel files– Collaboration with holders of information


A very personal harm

• Individual victims– Fear arising from uncertainty as to how

victimisation arose; where was the weak link?– Reluctance to use cards for payment or to

disclose personal information– Sense of violation and loss of reputation

• Deceased children or relative– Sullies memory and reopens old wounds– “We don’t know who our daughter would have

been but it wouldn’t have been this woman”• Seen as far more worrying than financial

loss


The transformative nature of new technology


Transformative nature of technology

• Transformative nature of new technology– More opportunities for ‘traditional’ crime– New opportunities for ‘traditional’ crime– Opportunities for new crimes

• ‘True’ cybercrimes• Solely the product of the Internet

• Classification by type (COE Convention on Cybercrime 2001)– Harmful trespass– Acquisition, theft and deception– Obscenity– Violence


Cybercrimes transformed

Harmful trespass

Acquisition, theft and deception

Obscenity Violence

More opportunities for traditional crime

PhreakingPyramid schemes

Trading sexual materials

StalkingHarassmentBullying

New opportunities for traditional crime

HackingViruses

419 fraudIdentity theft

Online sex trade

General hate speechPaedophile rings

Opportunities for new crimes

SpamDenial of service

Intellectual property piracyE-auction scams

CybersexCyberpimps

Online groomingTargeted hate speech


The legal response


What is the law?

• Legislation with direct impact on cybercrime– Computer Misuse Act 1990 (as amended)– Data Protection Act 1998– Privacy and Electronic Communications

Regulations 2003– Regulation of Investigatory Powers Act 2000– Terrorism Act 2000– Electronic Communications Act 2000– Anti-terrorism Crime and Security Act 2001


Legislation with indirect impact

• Theft Act 1968, 1978– Obtaining property by deception (s.15)– Obtaining a money transfer by deception

(s.15A) • But cannot deceive a machine • Davies v. Flackett (1973), DC; Holmes (2004), CA

– Blackmail (s.21)– Theft (s.1)

• But ‘identity’ does not amount to ‘property’

– No such offence as ‘identity theft’– Currently no such offence as ‘fraud’


The recent legal response

• Identity Cards Act 2006, section 25– Possession of false identity document with intention to establish,

ascertain or verify registrable facts• Fraud Act 2006

– Royal Assent 8 November 2006 but relevant provisions not yet in force

– Fraud by false representation (section 2)– Fraud by failing to disclose information (section 3)– Fraud by abuse of position (section 4)– Obtaining services dishonestly (section 11)– Possessing (section 6) or making or supplying articles (section 7)

for use in frauds• Computer Misuse Act 1990

– as amended by Police and Justice Act 2006 – Royal Assent 8 November 2006

– Unauthorised access with intent to facilitate commission of a further offence (section 2)

– Unauthorised access with intent to impair operation (new section 3)


How effective is the law?

• The short arm of the law– No proprietary rights in personhood– Transjurisdictional nature of the Internet

• Concerted international effort against cybercrime and malware not forthcoming

– Difficulty in obtaining admissible evidence• Forensic computing/Computer forensics has developed

outside the main traditions of forensic science• Issues of disclosure, testing, repeatability have been

neglected – or not applied uniformly– Lack of specialist knowledge

• Victim, police, judge and jury• Inaccessibility of expert evidence

– Victims reluctant to come forward• Crime goes unreported – ‘dark figure’ of cybercrime


How effective is the law?

• The law is– Slow-moving– Reactive– Fragmented– Uncertain– Underused– Often likely to fail on evidential grounds– Applicable only to England and Wales!


Conclusions


Conclusions

• Problem is unquantifiable in absolute terms– All trends suggest that reported instances (and thus

financial impact) are growing– More quantitative research is needed

• Evidence to suggest move to more organised criminal activity– Although much ID theft is still committed by the low-

level opportunist• Criminals use ‘non obvious’ information to build up

identity portfolio• Potential financial gain from all facets of one

identity can be great• Harm is more that just financial – a very personal

harm• Law is changing, but its effects remain to be seen


Identity theftBCS North London Branch

Stefan Fafinski and Emily Finch28 November 2006

eighteenseventyonelimited1© 2006 1871 ltd identity theft bcs north london branch stefan fafinski...

Documents

new identity

assumption of identity

financial fraud identity

legal term identity

diversification slide

pin slide

motivation slide

credit card fraud slide