We're losing the battle against identity theft. After more than a decade of growing consumer awareness, a barrage of new laws and regulations, and impressive advancements in security, the bad guys appear to be gaining ground.
And the latest study from Javelin Research seems to support this, concluding that more than 11 million Americans fell victim to identity theft in 2009 - the highest on record. That's more than the total number of burglaries, attempted burglaries, auto thefts, arson, purse snatchings, and pick pocketing combined.
Of course, it's easy to win when the other side just walks off the field. I've identified a dozen compelling reasons why after so much progress in the fight against identity theft, that fight is still steeply uphill.
1. Zero Liability has made consumers feel they have nothing to lose. The notion of zero liability came from a blend of federal law (the FACT Act or FACTA) and marketing savvy by financial institutions, to shift losses to identity theft from consumers and victims to the financial industry.
The financial industry has often seen absorbing identity theft and fraud losses as the cost of doing business and keeping customers happy, but an unfortunate side affect: consumers believe that zero liability means zero responsibility or loss.
2. Law enforcement lack resources to handle id theft cases. The number one complaint I hear from victims is the indifference from law enforcement to identity theft and its victims. And most police departments I work with admit that at best they investigate less than 1% of identity theft cases. Most police departments don't have the resources to investigate identity theft, but many don't understand that they need to be more sympathetic to victims who arrive on their doorstep desperately looking for help.
3. Consumers think we're winning the battle. Consumers have become increasingly apathetic to identity theft in the last few years, either because they believe they have little to lose (or zero liability will take care of everything) or because they think the enemy is on the retreat. This increase in apathy has led to a decrease in vigilance as consumers continue to keep their guard down.
4. Organized crime gave cybercrime and identity theft a whole new lease of life. They have pumped millions of dollars into sophisticated and well organized scams, hiring some of the most talented hackers and thieves in the world, creating some of the most sophisticated new kinds of malware (like banking Trojans) and operating in regions where law enforcement can't, or won't, reach them.
Organized crime gangs around the world have upped the stakes, turning identity theft into a global business that they have no intention of abandoning any time soon.
5. Financial institutions need to talk to their customers about identity theft. Financial Institutions need to educate their customers about identity theft and other security risks.
If done right, talking to customers more often about identity theft can create a powerful marketing and brand building opportunity.
6. The small business community is still ignoring their security responsibilities. I'm a small business owner and have worked with small businesses and Chambers of Commerce for years.
The small business community represents a major vulnerability both to identity theft and national cyber security, yet most small business owners don't consider data and customer protection a priority.
Small businesses in America employ an estimated 130 million workers, many of them computer users. That means tens of millions of internet-connected computers with little security are being used by employees with little security awareness or training.
These unprotected computers and employees are not just an easy target for the spread of viruses, Trojans, and phishing emails, they are also very vulnerable to bots that can enlist these computers in attacks on other computers and networks.
Even targets of national security importance.
7. Thieves are emboldened because they know they're unlikely to be caught. Some studies have suggested that one in every 700 cases of identity theft (1) is ever prosecuted.
And even if those numbers are true, many of those convicted face few consequences. The punishments for identity theft are now very severe, with stiff prison sentences for the worst offenders.
But when the vast majority of identity theft cases go uninvestigated, unprosecuted, and unpunished, thieves know this is a criminal career worth pursuing.
8. Consumers are still not protecting their computers or changing their habits. In spite of repeated advice and warnings, most consumers are still not checking their credit reports often enough, not changing their passwords often enough, and not updating their security often enough.
And they're still not as cautious and vigilant as they should be, especially in their online habits.
9. Check verification still has too many loopholes. While retailers have the option to use sophisticated technologies to instantly verify that a check being presented in a store is legitimate, many don't bother using them.
Identity thieves are very aware of this, which is why so many thieves trawl through phone books, pick names and addresses at random, and use home computers to create fake checks with random account numbers and routing numbers.
If the store doesn't verify that the account number is genuine, the check is presumed authentic and the thief wins every time.
10. Many banks are not using all the authentication and verification options available because they think more security challenges will annoy customers.
Banks still fear that the more steps they require a customer to take to verify their identity for security purposes, the more likely they are to frustrate or even lose that customer.
11. Consumers are giving away too much personal information on social networking. Study after study has shown that consumers are literally giving their information away to thieves, especially on sites like Facebook, MySpace, and Twitter.
Information like birthday, employer, family names and photos, friend connections, interests and hobbies are all immensely valuable to identity
thieves who need this information to piece together a cloned identity.
12. Businesses and consumers are becoming immune to data breaches. There are now so many publicized data breaches - an average of 10 per week throughout 2009, according to the Identity Theft Resource Center - that consumers are becoming indifferent to them.
For example, the highly publicized data breach at retail giant TJX in early 2007 was one of the worst on record, affecting more than 45 million customers and threatening the financial future of a chain of stores that includes TJ Maxx, Marshalls, and Home Goods.
Many experts, myself included, speculated that TJX would pay dearly for the incident. Customers would abandon the brand for fear their personal information would be exposed, and investors would avoid the brand because of the crippling fines and costs faced by the company.
Yet in the 12 months that immediately followed the announcement of the breach, TJX never looked better. Revenues increased, profits increased, and the share price increased.
It seems like customers and investors were at least forgiving, but more likely just ambivalent.
And it was a clear message to TJX and other businesses that not only is a data breach no big deal any more, it may, like its close cousin identity theft, just be another acceptable cost of doing business.