Upload
alexia-mildred-powers
View
217
Download
3
Tags:
Embed Size (px)
Citation preview
1 © 2006 1871 Ltdeighteen•seventy•one•limited
Identity theftBCS North London Branch
Stefan Fafinski and Emily Finch28 November 2006
eighteen•seventy•one•limited2 © 2006 1871 Ltd
Agenda
• What is identity theft?– What is identity?
• Strategies of adaptation and diversification– The role of organised crime– Sources of information– A very personal harm
• The transformative nature of new technology
• The legal response• Conclusions
eighteen•seventy•one•limited4 © 2006 1871 Ltd
What is identity?
Personal identity
Social identitySocial
identitySocial identitySocial
identitySocial identity
Legal identity
• Personal identity• Social identity• Legal identity
eighteen•seventy•one•limited5 © 2006 1871 Ltd
Personal identity
• Personal identity– Internalised view– ‘I am …’– ‘What most of us think
of when we think of the deepest and most ensuring features of our unique selves that constitute who we believe ourselves to be’ (Williams, 2001)
eighteen•seventy•one•limited6 © 2006 1871 Ltd
Social identity
• Social identity– Externalised view– ‘How do you see me?’– Multiple social identities– A necessary convenience to facilitate social
interaction (Jung, 1988)
eighteen•seventy•one•limited7 © 2006 1871 Ltd
Legal identity
• Legal identity– Accumulation of social facts– Established at birth and expands throughout
life – Details can be added but not removed– About identifiability rather than identity
• ‘Who is this person?’• ‘Is this the same person?’
eighteen•seventy•one•limited8 © 2006 1871 Ltd
Classifications of identity
Personal Born the illegitimate son of a Polish immigrant and a one-legged telephonist…
Social LawyerReading FC bigotDonkey sanctuary chairman
Legal NI number: ZR 76 23 18 CNHS number: 403217987Driving licence: FAFIN etc.
eighteen•seventy•one•limited9 © 2006 1871 Ltd
Chronology of legal identity
Birth certificate: name, place, date, parents
Health records
Education
NI; Employment
Financial records
Marriage
Credit historyMortgage
Children
Criminal record
Professional qualifications
Death
eighteen•seventy•one•limited10 © 2006 1871 Ltd
What is identity theft?
• Not a legal term– Identity theft will only be criminal if the fraudster’s
conduct falls within the boundaries of the criminal law
• Liability depends what is done in the new identity– Around 150 common law and statutory deception
offences• Socially – synonymous with financial fraud
• Initial acquisition of identity• Unlawful act using that identity
• How should it be conceptualised?– Appropriation of another’s identity (living or dead)
irrespective of purpose or motivation
eighteen•seventy•one•limited11 © 2006 1871 Ltd
What does it mean for identity to be stolen?
• Media construction of identity theft creates a misapprehension that it is a two-stage process:– Assumption of identity of another– Commission of a substantive offence using that identity,
generally financial fraud• Identity theft has come to be synonymous with credit
card fraud
eighteen•seventy•one•limited13 © 2006 1871 Ltd
Fraudsters’ responses to change
• With the advent of new developments to prevent fraud, fraudsters desist, adapt or diversify:– Cheques– Cheque guarantee cards– Credit cards– Switch and electronic transactions– Chip and PIN
eighteen•seventy•one•limited14 © 2006 1871 Ltd
Fraudsters’ response to Chip and PIN
• Desist– None of the fraudsters interviewed in the 2-
year study planned to stop• Adapt
– Stolen cards abroad– Distance transactions– Buy cards only with PIN numbers
• Diversify– Steal identity and obtain fresh cards
eighteen•seventy•one•limited15 © 2006 1871 Ltd
An incomplete picture of the problem
• Other criminal purposes– Harassment– Bullying– Sham marriages– Driving offences
• Non-criminal purposes– Multiple relationships– Acceptable use of
alternate identity
eighteen•seventy•one•limited16 © 2006 1871 Ltd
A ‘spare’ identity for motoring purposes
• 1,400 fraudulent driving licence applications detected by the DVLA (2001)
• Over 3,000 driving tests stopped due to doubts over driver’s identity (2001)
• Somali bus driver took 200 bogus driving tests (Daily Mail, 26th September 2006)
eighteen•seventy•one•limited17 © 2006 1871 Ltd
Psychological suicide
• 210,000 adults go missing in UK every year, many never return
• 2 men vanish every day• Fake suicide provides opportunity for
fresh start
eighteen•seventy•one•limited18 © 2006 1871 Ltd
Cleaning a deviant identity
• Invisible man fakes death in Paddington rail crash (The Times, 6th February 2000)
eighteen•seventy•one•limited19 © 2006 1871 Ltd
Creating a more favourable persona
• The Earl of Buckingham– Impostor took name of
deceased child ‘Christopher Edward Buckingham’
– Adopted title last used in 1689
– Imprisoned under assumed name as impossible to establish ‘real’ identity
eighteen•seventy•one•limited20 © 2006 1871 Ltd
Creating a more favourable persona
• ‘Sir Alan Mcilwraite KBE DSO MC’ modified own identity
• Added progressively more honour and outlandish detail
• Fabricated substantiating evidence
• Worked in a Dell call centre
eighteen•seventy•one•limited21 © 2006 1871 Ltd
The role of organised crime
• Four distinct ‘organised’ typologies– Highly-organised, structured and hierarchical
systems– Semi-structured networks of fraudsters operating
co-operatively– Small organisations with a simple power
delineation– Small self-contained operations that typically
involve between one and four individuals• Plus
– Freelance experts• Including ‘identity brokers’
eighteen•seventy•one•limited22 © 2006 1871 Ltd
Sources of information
• ‘Obvious’ sources– Electoral roll, Companies House, Land Registry
• Online sources– Chat rooms– Professional bodies– Social networking sites– Online auction sites– Email (impersonating target)
• Offline sources– Conversation with target– Conversation purporting to be target– Office paperwork and personnel files– Collaboration with holders of information
eighteen•seventy•one•limited23 © 2006 1871 Ltd
A very personal harm
• Individual victims– Fear arising from uncertainty as to how
victimisation arose; where was the weak link?– Reluctance to use cards for payment or to
disclose personal information– Sense of violation and loss of reputation
• Deceased children or relative– Sullies memory and reopens old wounds– “We don’t know who our daughter would have
been but it wouldn’t have been this woman”• Seen as far more worrying than financial
loss
eighteen•seventy•one•limited25 © 2006 1871 Ltd
Transformative nature of technology
• Transformative nature of new technology– More opportunities for ‘traditional’ crime– New opportunities for ‘traditional’ crime– Opportunities for new crimes
• ‘True’ cybercrimes• Solely the product of the Internet
• Classification by type (COE Convention on Cybercrime 2001)– Harmful trespass– Acquisition, theft and deception– Obscenity– Violence
eighteen•seventy•one•limited26 © 2006 1871 Ltd
Cybercrimes transformed
Harmful trespass
Acquisition, theft and deception
Obscenity Violence
More opportunities for traditional crime
PhreakingPyramid schemes
Trading sexual materials
StalkingHarassmentBullying
New opportunities for traditional crime
HackingViruses
419 fraudIdentity theft
Online sex trade
General hate speechPaedophile rings
Opportunities for new crimes
SpamDenial of service
Intellectual property piracyE-auction scams
CybersexCyberpimps
Online groomingTargeted hate speech
eighteen•seventy•one•limited28 © 2006 1871 Ltd
What is the law?
• Legislation with direct impact on cybercrime– Computer Misuse Act 1990 (as amended)– Data Protection Act 1998– Privacy and Electronic Communications
Regulations 2003– Regulation of Investigatory Powers Act 2000– Terrorism Act 2000– Electronic Communications Act 2000– Anti-terrorism Crime and Security Act 2001
eighteen•seventy•one•limited29 © 2006 1871 Ltd
Legislation with indirect impact
• Theft Act 1968, 1978– Obtaining property by deception (s.15)– Obtaining a money transfer by deception
(s.15A) • But cannot deceive a machine • Davies v. Flackett (1973), DC; Holmes (2004), CA
– Blackmail (s.21)– Theft (s.1)
• But ‘identity’ does not amount to ‘property’
– No such offence as ‘identity theft’– Currently no such offence as ‘fraud’
eighteen•seventy•one•limited30 © 2006 1871 Ltd
The recent legal response
• Identity Cards Act 2006, section 25– Possession of false identity document with intention to establish,
ascertain or verify registrable facts• Fraud Act 2006
– Royal Assent 8 November 2006 but relevant provisions not yet in force
– Fraud by false representation (section 2)– Fraud by failing to disclose information (section 3)– Fraud by abuse of position (section 4)– Obtaining services dishonestly (section 11)– Possessing (section 6) or making or supplying articles (section 7)
for use in frauds• Computer Misuse Act 1990
– as amended by Police and Justice Act 2006 – Royal Assent 8 November 2006
– Unauthorised access with intent to facilitate commission of a further offence (section 2)
– Unauthorised access with intent to impair operation (new section 3)
eighteen•seventy•one•limited31 © 2006 1871 Ltd
How effective is the law?
• The short arm of the law– No proprietary rights in personhood– Transjurisdictional nature of the Internet
• Concerted international effort against cybercrime and malware not forthcoming
– Difficulty in obtaining admissible evidence• Forensic computing/Computer forensics has developed
outside the main traditions of forensic science• Issues of disclosure, testing, repeatability have been
neglected – or not applied uniformly– Lack of specialist knowledge
• Victim, police, judge and jury• Inaccessibility of expert evidence
– Victims reluctant to come forward• Crime goes unreported – ‘dark figure’ of cybercrime
eighteen•seventy•one•limited32 © 2006 1871 Ltd
How effective is the law?
• The law is– Slow-moving– Reactive– Fragmented– Uncertain– Underused– Often likely to fail on evidential grounds– Applicable only to England and Wales!
eighteen•seventy•one•limited34 © 2006 1871 Ltd
Conclusions
• Problem is unquantifiable in absolute terms– All trends suggest that reported instances (and thus
financial impact) are growing– More quantitative research is needed
• Evidence to suggest move to more organised criminal activity– Although much ID theft is still committed by the low-
level opportunist• Criminals use ‘non obvious’ information to build up
identity portfolio• Potential financial gain from all facets of one
identity can be great• Harm is more that just financial – a very personal
harm• Law is changing, but its effects remain to be seen