Still misunderstood by many as a “victimless” crime, identity theft is often personally devastating, causing both economic and emotional suffering. It may take months or even years for the innocent to reclaim their lives—and the problem never fully goes away. Identity crimes have a lifelong impact, with one violation generating a domino effect throughout victims’ lives and on larger society as a whole.
I recently sat down with Eva Velasquez, CEO of the Identity Theft Resource Center, for the first episode of Ping’s podcast Hello, User to talk about the tremendous costs of identity theft. In “How Can Identity Theft Victims Be Made Whole Again?,” we discuss the perpetual nature of digital identity, the emotional and financial toll of identity theft on its victims, and the inconsistencies of cybersecurity approaches businesses use to protect their users from fraud. Here are the highlights of our conversation.
Takeaway #1: There is no such thing as a victimless crime when it comes to identity theft and fraud.
“Just because a bank makes you whole because of a fraud committed against your account, doesn’t mean that it was victimless.”
If you take just one thing away from this blog post, please let it be this: There are true identity theft victims, people hurting as a result of bad actions in the digital world, and it is happening far too often. As a society we have this notion that identity theft is a victimless crime that disturbs a credit card or bank account, with little impact on the people involved.
But it doesn’t work that way. The process for making victims whole is inherently flawed, and they are often left both financially and emotionally damaged. The mental trauma that these individuals experience is similar to what violent crime victims experience, with about 10% saying it was so devastating that they felt suicidal last year.
As for the financial costs, no one is waving a magic wand and wishing them away. In many cases, the victim isn’t fully compensated, through no fault of their own. Perhaps they didn’t detect the fraud within the window required for reporting it to their card company, or maybe their claim is disputed because of an action they took. (“Hey, you clicked that link and gave your information to the scammer. Therefore you are culpable and have some level of responsibility.”) Even if a victim is eventually made whole financially, we all pay when bad actors do bad things to individuals in the consumer and citizen space.
Takeaway #2: The more data that’s out there, the more our risk increases.
“There’s a person behind every single one of those data points and those fraud rates, and they need to have a voice.”
An immense amount of personal data is collected on human beings—exact figures are unknown, but estimates are that the “big four” online storage and service companies of Google, Amazon, Microsoft and Facebook alone store at least 1,200 petabytes of data amongst themselves—and data harvesting continues at an astounding volume. That data never goes away. It doesn't expire, it doesn’t age. It doesn't even get wiped off the record when you pass away. Bad actors find every piece of this information valuable in assembling a fake person.
Part of the challenge in preventing identity theft is that our personally identifiable information (PII) is seemingly everywhere. The use of our credentials in authentication and verification is pervasive, and we continue to add new methods. For example, just a handful of years ago many people saw biometrics as Big Brother-ish, but now it is being much more widely adopted. As we add new data about ourselves, the expanding notion of identity and the credentials that go into it increase the risk surface for everyone. (Addressing this risk is outside the scope of this post, but I’ve written and spoken extensively on how companies can create true security for their users’ digital identities.)
Takeaway #3: Responsibility for identity theft recovery shouldn’t fall on individuals, but it does.
“It’s only within the extreme examples that we see all the true fractures and breaks in the process.”
I’ve spent 20+ years in the corporate world running identity for huge enterprises, and I believe strongly that companies (particularly here in the United States) push the actual risks from aggregating data and the actual consequences suffered as the result of their bad management onto the individual. A company gets all of our information, they get our transactions, they get our money, they get our data—and then they mishandle it and make it our problem. To add insult to injury, companies then develop a tool or a program or a business offering that they sell back to you so you can pay to fix the problem they created.
This is a problem that affects everyone, even children. During our conversation, Eva mentioned it’s common for her organization to receive calls from teenagers applying for college who find out that they can't qualify for financial aid because they have a years-long credit history that's been decimated. These teens (and their families) must clean up the mess, and it can stop their lives for a semester or a year or even longer, placing them permanently behind their peers and affecting their lifetime earning potential. She described one 18-year-old who spent three years getting fraudulent activity finally removed from her credit report. While this may be an extreme example, it's only within the extreme examples that we can see all the true fractures and breaks in the process.
Takeaway #4: Many stakeholders have an obligation in this fight.
“Right now the single biggest problem that we’re looking at, with fraud losses in the billions, is through government benefits.”
People should have the right to confirm that they are who they say they are. We have these mechanisms in person, but not when it comes to digital identity. To move the responsibility for making individuals whole off of the backs of the victims, it will take a concerted effort among all entities involved. And it isn’t just down to corporations; governments also have a responsibility to step up.
This is glaringly evident during these unprecedented times of the pandemic. We’re facing massive and long-term consequences of widespread unemployment benefits fraud in an area that currently accounts for the largest losses in the United States. Eva notes that her organization’s call center has had a 4,000% increase—yes, 4,000% is not a typo—in the volume of calls this year for this particular type of identity theft. It’s estimated to be costing us a whopping $26 billion for the nation through various state platforms, although she believes that’s an undercount. The full extent of the problem won’t truly be known until individuals begin to file their tax returns, where they’ll discover they appear to have income that they didn't claim.
Takeaway #5: There’s hope.
“The first step in solving any problem is identifying that you have one.”
If this is all sounding full of doom and gloom, take heart, as we’re detecting signs of hope in tackling identity theft. The Identity Theft Resource Center has seen an increasing number of organizations acknowledging that this is a problem that they have a responsibility to fix, whereas a decade ago many companies refused to partner with the center because they didn’t want their brands to be tainted by the perception of a problem.
And, of course, here at Ping our mission is to champion identity, which involves helping companies give their customers control over aspects of their digital identities. Watch our video to learn why organizations need to be more accountable for protecting their customers’ personal data and privacy. Meanwhile, support for identity theft victims exists through work of organizations like the Identity Theft Resource Center.
The Hello User Podcast
I hope you’ve found this post to be useful and interesting. Identity theft has real costs and consequences, and is clearly not a victimless crime. I invite you to listen to the full broadcast of “How Can Identity Theft Victims Be Made Whole Again?” and find out about upcoming episodes at the Hello User podcast page.