This page considers contemporary identity theft/fraud
involving paper and plastic money.
It covers -
- the shape of identity crime at the turn of the millennium
and authority in an information economy - questions
about authorisation, verification and credentialism
in 'anonymist' societies
blocks - where does information come from for ID
systems - cheque fraud, credit card skimming, shoulder
surfing and credit risk
are the criminals - opportunists, gangs, insiders
cases - some local incidents
- some works on contemporary ID crime.
is of interest as most offences (and arguably most economic
and personal damage) occurs offline.
Woody Guthrie's 1939 Pretty Boy Floyd reminded
the listener that
seen lots of funny men;
Some will rob you with a six-gun,
And some with a fountain pen.
Contemporary identity crime is an extension of the offences
discussed in the preceding page of this profile, rather
than an unprecedented new development.
As in the past it encompasses a range of misbehaviour,
from direct financial theft through to people-smuggling,
sullying someone's reputation on a non-financial basis
or improperly claiming expertise. It has largely been
addressed through traditional law, explored later in this
profile, and through action by regulators, financial institutions
Some of that action would be familiar to a person living
in the 1650s. Other action, including biometric
verification services, is a distinctly modern response
to uncertainties about identity and authorisation. It
forms the basis for responses to much online identity
crime and, more broadly, for questions about identity
in electronic networks where perceptions of risk allow
Responses have been complicated by mythologising about
the extent and shape of identity crime. Some pundits and
journalists for example have indicated that it is uniquely
modern or unprecedented, that it is "the crime of the
century" and that it primarily involves gangs of skilled
criminals, often depicted as lurking behind a computer
screen somewhere offshore.
Politicians and government officials have similarly succumbed
to the temptation to simplify, on occasion referring to
a wave of welfare fraud - unsubstantiated by statistics
- or identity abuse by terrorists that can supposedly
be comprehensively addressed through mechanisms such as
an Australia Card.
Solution vendors have hyped particular tools. Consumer
advocates have noted concerns about responses by some
data custodians or merely the irresponsibility
of some large organisations.
The US Federal Trade Commission notes that the basket
of offences characterised as 'identity theft' is the top
consumer fraud in that country, a comment consistent with
experience in Australia and New Zealand.
The FTC indicates that as of 2004 only 11% of known identity
theft cases occurred online (of which around half involved
spyware and the rest phishing or hackers). Much involved
traditional misuse of paper.
Around 30% of its 'identity fraud crimes' involved loss
of a wallet, chequebook or credit card. Under 5% was a
result of information being removed from personal garbage;
over 10% occurred when personal information was misused
by a family member, friend or acquaintance. 32% of identity
theft victims (in cases where the perpetrator's identity
was known) found a family member or relative was responsible;
18% had been victimized by a friend, neighbor or in-home
Complete strangers outside the workplace accounted for
only 24% of identity thefts, with a colleague perpetrating
only 4% of identity thefts. Much identity theft involved
insiders within data custodians: staff/contractors at
organisations with access to personal information were
responsible for 13% of identity theft.
The UK Cabinet Office, consistent with studies by the
Australian National Audit Office, concluded that the incidence
of identity offences in pension and other social services
was a fraction of 1% of recipients and was not growing
identity and authority in an info economy
Contemporary offline identity crime is a consequence of
where people rely on identity documents rather than
where most commercial transactions are not conducted
face to face
environments where the volume of transactions and perceptions
of risk militate against forensic scrutiny of individual
documents and interactions unless there is cause for
The following methods have been noted by law enforcement
documents containing personal information (eg bank and
credit card statements) from rubbish - 'dumpster diving'
credit cards, debit cards and documents such as passport
applications in post offices, letter boxes or courier
service premises and bags
wallets, coats and other items that contain cards and
we have highlighted theft, sale or forgery of breeder
documents such as birth certificates and passports. In
May 2007 UK police revealed that at least 200 of 850 blank
birth certificates stolen from Erewash in Derbyshire during
2005 had been used to create fake identities and claim
student loans. Adeleke Adebayo created 17 separate identities
and signed himself up for courses at universities across
the UK, collecting the loans but not going to class. At
London Metropolitan University he was enrolled in five
degree courses using five bogus identities.
Electronic 'skimming' of credit cards and ATM cards updates
misuse of the carbons, with illicit capture of information
from the magnetic stripe on the back of a card. At its
simplest it involves unauthorised swiping of a card when
a consumer makes a payment, for example in a restaurant
when a waiter takes the card away to pay the bill. At
its most exotic it has involved scams where criminals
collect information (including PINs) via a fake ATM in
a public place or where there is covert surveillance of
a PIN when the consumer confirms an authorised swipe.
Arguably there has been more media attention and consumer
angst about 'shoulder surfing', with thieves observing
people at automatic teller machines while keying in identifiers
or listening while an individual provides a credit card
number to someone by mobile telephone. That information
generally is insufficient for an effective fraud but provides
a building block for identity theft.
'Mail non-receipt fraud' occurs when a criminal intercepts
a new or replacement card from a retailer or financial
institution, for example inside a post office or by removing
the envelope from letterboxes. That has led most card
issuers to send out 'inactive' cards, which are not authorised
until the account holder confirms that person's identify
and card number.
One writer in the London Times, discussing exposure
of 45 million credit cards in the TJX
incident, claimed that cardersmarket.com, cardingworld.cc,
scandinaviancarding.com and darkmarket.ws act as "an
eBay for hackers", allowing criminals to buy and
sell stolen card details.
who are the criminals?
As the preceding paragraphs suggest, there is no single
discrete type of identity criminal: theft is not restricted
to a cyberliterate Russian mafiya or people over 21.
Some criminals wear suits and are active in boardrooms
and executive suites at the big end of town, having engaged
in resume fraud. Others
are your neighbour's children (misusing mum's credit card)
or the students in your classroom (editing an identity
document to gain a cheap fare or evade age-based restrictions
regarding entertainment venues and purchases).
Some are itinerants who steal individual credit cards
from bags and letterboxes (easier than stealing your VCR
or turning your car into spare parts). Others operate
on an industrial scale, illicitly accessing databases
or trading in details obtained from those databases. As
with much retail crime, some offences involve insiders
- whether behind the till or in the computer suite.
In 2002 for example a group of US high school students
bought US$36,000 worth of goods online after stealing
credit card data from a Chase Bankcard office where they
had worked as interns. One 16 year old student was arrested
after altering addresses and phone numbers on credit card
accounts to direct online purchases to abandoned houses
in his neighborhood, where he collected the packages.
The theft was detected when customers complained about
being billed for the goods.
Dido Mayue-Belezika led a gang of around 220 people who
stole around £20m from people in the UK. Mayue-Belezika
for example intercepted every chequebook he encountered
as a postman, indulging in gangsta bling such as £1,400
for a pair of shoes that featured his initials engraved
on the soles. In a separate UK case during 2006 Ali Dahir
indicated that a gang used over 3,000 stolen cards, extracted
from letterboxes and postal sorting rooms, to buy luxury
goods worth £870,000.
There has been no comprehensive dissection of reported
Australian identity crime. The following paragraphs offer
blurry snapshots of particular incidents, illustrating
the range of offences and perpretrators.
NSW police received a bag during 2004, apparently found
in a Sydney street. It reportedly contained disks featuring
templates for manufacture of bogus Medicare cards, drivers'
licences, utility bills, bank statements and birth and
marriage certificates, ie 'breeder documents' for creation
of an identity and for establishment of bank accounts.
The bag also contained fake certificates from the Civil
Aviation Authority regarding authorisation to fly light
aircraft. Follow-up action saw the arrest of two men for
234 forgery-related offences. One of the perpetrators
spent $35,000 on a ski boat unwisely named 'Crime Pays'.
In the mid-1990s a Victorian used desktop publishing skills
to concoct 41 birth certificates and student identification
cards, gaining the requisite 100 points
for a mere 42 bank accounts, registration of a business
name, sales tax refunds and equipment purchases.
Another criminal obtained the birth certificates of four
babies who had died in the 1970s, using their identity
to obtain $20,857 in unemployment benefits. On arrest
he was in possession of fake proof of identity documents
such as rental leases, mobile phone accounts, motor vehicle
learner's permits and student cards. A contemporary used
up to 50 false identities in a $7 million property fraud
in NSW, Victoria and the ACT, obtaining home loans from
Not to be outdone, a bank manager and assistant created
accounts in fictitious names and in the names of relatives,
circumventing proof of identity protocols to snaffle $1.5
million in unauthorised loans. The scam was discovered
in 2001 when an account went into default and the bank
could not find the fictitious customer.
A solicitor similarly relied on old-fashioned methods
of making money, relying on fake birth certificates and
drivers' licences to disguise money looted from the accounts
of his clients. During 1997 an adventurous 24 year old
gained 45 credit cards in different names (after applying
for 61). She had charmingly appropriated some names from
school acquaintances. This resulted in the destruction
of credit of many, one of whom also suffered the additional
indignity of being named by the applicant as her co-offender
and mentor in the frauds.
More bizarrely, a murdererer entered Australia using the
passport of a female friend's brother, subsequently exploiting
the passport of another brother before being convicted
with that person's murder.
A group of car thieves operated on a more industrial scale,
using personal details of owners of cars with the same
make and model as vehicles stolen by the gang. The information
was used to obtain duplicate registration certificates,
number plates and labels to 're-birth' those vehicles
prior to sale to unsuspecting purchasers interstate. One
victim discovered that the thieves had amended his name
by deed poll to facilitate further offences; other victims
experienced difficulty in proving lack of involvement
in the scam.
In R v Fletcher (2002 WL 559471,  VSCA
40) the Victorian Supreme Court heard that the offender
gained a merchant facility to accept credit and debit
card payment for goods and services. 275 transactions
were processed in the first week of 2000: 55 transactions
totalling $147,945 were approved, the remaining 220 transactions
(totalling $534,125) were declined.
admitted that he had effected all those transactions
using credit card numbers obtained from a Swedish woman
over the Internet. The arrangement was that she would
provide the appellant with the numbers in exchange for
10% of any money credited to his account. Of the $147,945.60
so credited, the sum of $28,900 was withdrawn in three
amounts on the day on which he was arrested.
next page (resumes)