Identity theft

About: Identity theft is a research topic. Over the lifetime, 2284 publications have been published within this topic receiving 31700 citations.

Do You Trust Your Phone

Abstract: Despite the promising start, Electronic Commerce has not taken off mostly because of security issues with the communication infrastructures that are popping up threateningly undermining the perceived trustworthiness in Electronic Commerce. Some Internet security issues, like malware, phishing, pharming are well known to the Internet community. Such issues are being, however, transferred to the telephone networks thanks to the symbiotic relation between the two worlds. Such an interconnection is becoming so pervasive that we can really start thinking about a unique network, which, in this paper, we refer to as the Interphonet. The main goal of this paper is to analyze some of the Internet security issues that are being transferred to the Interphonet and also to identify new security issues of the Interphonet. In particular we will discuss about mobile phones malware and identity theft, phishing with SMS, telephone pharming, untraceability of phone calls that use VoIP and Caller ID spoofing. We will also briefly discuss about countermeasures.

Data Breaches and Identity Theft: When is Mandatory Disclosure Optimal?

Abstract: Data breaches occur when personal consumer information is lost or stolen, and can result in the loss of hundreds or millions of records (e.g., local schools or small retail stores; TJX or Heartland). They can occur from the improper disposal of documents containing personal information, from the loss of a laptop or thumb-drive, or when criminals penetrate corporate networks to steal information. The personal data compromised include individuals’ names, addresses, social security numbers, dates of birth, driver’s licenses, passport numbers, and financial data. This information can then be used to commit crimes, including fraudulent unemployment claims (Goodin 2008), fraudulent tax returns (McMillan 2008), fraudulent loans (Hogan 2008), home equity fraud (Krebs 2008), and payment card fraud. Consumers can also suffer the burden of increased loan interest rates, being denied utility services, civil suits or criminal investigation (Baum 2004). While the consumer costs incurred from credit card fraud may be negligible, out of pocket expenses can reach thousands of dollars (Federal Trade Commission 2007).As a result of these losses, in recent years U.S. policy makers have enacted laws that require organizations to notify individuals when personally identifiable information has been lost or stolen. As of late 2009, 45 states (as well as other countries around the world) have adopted data breach disclosure, or security breach notification, laws (Maurushat 2009). Aside from two studies (one showing an improvement in firm practices (Samuelson Law 2007), and another finding only a marginal reduction in consumer rates of identity theft (Romanosky et al. 2008)), however, the effects of data breach disclosure laws have yet to be rigorously studied.One of the main intents of notification laws is to empower consumers to take action and mitigate their loss (Majoras 2005). In addition, the possibility of loss from a breach and resulting costs from notification, it is argued, forces firms to internalize more of the cost of a data breach, thereby inducing them to increase their investment in security measures. This, in turn, is expected to reduce the probability, or magnitude, of future breaches. In short, data breach disclosure “drive[s] performance through transparency and oversight” (Mulligan 2007).However, critics argue that such laws inflict unnecessary costs for both firms and consumers if indeed firms already bear most of the loss (Lenard and Rubin 2005) or when lost data is recovered before it is even accessed (Majoras 2005). Moreover, when the risk of harm is low, unnecessary notification may desensitize individuals, preventing them from acting when a serious threat does exist (Majoras 2005). Further, consumers may be unable to properly respond to the breach notifications, as the notices may present a substantial cognitive and psychological barrier to tacking action, also causing them to under-react (Romanosky and Acquisti 2009). Alternatively, news media and a burgeoning market of identity theft prevention services may breed panic and confusion, causing consumers to over-react by unnecessarily purchasing such products, increasing their expected costs.But mandatory disclosure may also affect firms in conflicting ways. On the one hand, disclosure is costly. Firms will incur costs of notification, customer services operations (call centers, customer support), consumer redress (such as identity theft insurance or credit monitoring), legal fees, regulatory fines, and the potential loss of market valuation or lost business (customer churn) (GAO 2007, Ponemon 2010). On the other hand, notifications may also cause consumers to take appropriate action and reduce their harm (either by preventing or mitigating identity theft) - this would lower the firm’s own expected costs, because the amount of consumer harm that the firm internalizes is reduced.In short, it is unclear whether disclosure would result in a net increase or decrease of firm, consumer, or overall social costs. Using both analytical and numerical modeling, we show that even though firm costs will be higher under disclosure regimes, firms can be induced to increase their investment in care, which may lower social costs. Moreover, disclosure can induce consumers to increase their level of care, thus lowering their total costs. Finally, we find that the change in social costs are typically increasing in disclosure tax (costs imposed on the firm due to disclosure laws) and decreasing in consumer redress (compensation paid by the firm to the consumer). However, when the firm compensates consumers for only a small amount of loss, some disclosure tax may be necessary to optimally reduce social costs.The next section discusses the literature related to information disclosure in IT security and the economics of (accident) law, which we leverage to frame information disclosure within the context of other common means of reducing externalities. We then define the costs involved in a data breach absent any legal regime, and illustrate how these costs change under mandatory breach disclosure.Next, we use analytical methods to determine the conditions under which disclosure reduces social costs. Finally, we provide discussion and empirical validation, followed by some model extensions and our conclusion

Adoption of identity theft countermeasures and its short- and long-term impact on firm value

Abstract: Identity theft has impaired e-commerce. To combat the crime, many identity theft countermeasures (ITC) have been proposed. As investments in ITC are substantial and the benefits of such investments are intangible, companies are often hesitant to adopt such measures. This was the motivation for this study of the impact of 526 ITC adoption announcements on short- and long-term market value. The event study shows that such announcements result in positive market return of about U.S. $583 million around the date of announcement. Calendar-time portfolio analysis (CPA) is used for the long-term impact analysis and shows that the adoption of ITC generates positive and significant average monthly return up to 1.5% with control of market risk factors in a year. Subsampling analysis and interaction analysis show that U.S. listing, early ITC adoption, and two- factor authentication may moderate the market value of ITC adopters differently. A number of robustness checks (e.g., Heckman model, cross-sectional regression on Tobin’s Q, firm-specific risk factor analysis, subsampling analysis by ICT development, and analysis of security statements in annual reports) are performed. The research provides quantitative evidence of financial gain resulting from adoption of ITC and aspires to raise ITC awareness among industrial practitioners.

Challenges of responding to online fraud victimisation in Australia

Abstract: The Australian Bureau of Statistics (2012: np) categorises personal fraud as being either identity fraud or a consumer scam. A consumer scam is a fraudulent invitation, request, notification or offer, designed to obtain someone's personal information or money, or otherwise obtain a financial benefit by deceptive means. Identity fraud involves the theft of an individual's personal details without their consent and includes both identity theft and credit or bank card fraud (ABS 2012: np). For the purposes of this paper, online fraud is defined as the experience of an individual who has responded via the internet to a dishonest invitation, request, notification or offer by providing personal information or money that has led to a financial or non-financial loss or impact of some kind. To fall within this definition, an individual must have received an unsolicited invitation via the internet and responded in some way that has led to a loss or other negative impact. While the loss need not necessarily be monetary in nature, cases in which individuals reply to fraudulent requests merely to solicit more information but without incurring a loss or other negative impact, are excluded from the current discussion.