Major identity thieves get the personal information they crave from retailers, financial companies and other businesses about half the time, a new study suggests, undercutting a common perception that potential victims should worry most about being scammed by people they know.
The federally funded study being released today paints a complex portrait of the signature crime of the digital age, one that has been the top consumer-fraud complaint to federal authorities for six straight years.
Of more than 500 offenders arrested by the U.S. Secret Service from 2000 to 2006, just 8% were related to or acquainted with victims, whose sensitive data were used to write checks, take out loans or buy cars.
"The role of strangers -- that's different than what's been reported until now," said lead scientist Gary Gordon of the year-old Center for Identity Management and Information Protection at Utica College in New York, which produced the report.
Previous analyses mainly were based on surveys of victims who knew how someone ended up pretending to be them. They often pointed to acquaintances. Federal Trade Commission officials have faulted such figures, saying most victims of online thefts and compromised businesses are unlikely to learn how their data were pried loose.
The best-known of the past studies have been publicized by Javelin Strategy & Research, a firm that has received funding from Visa USA, Wells Fargo & Co. and others that benefit from electronic transactions.
In April, for example, Pleasanton, Calif.-based Javelin said consumer fears about data break-ins were overblown because "breaches only account for 3% of all known-cause ID fraud." The company has claimed that half of known offenders are family or friends, and this year it said 40% of identity theft cases stemmed from lost or stolen wallets, credit cards and checks.
But the Utica College research shows that "nontechnological means" such as mail theft and "Dumpster diving" were used in about 20% of the identity theft crimes solved by the Secret Service. That's the same proportion driven by Internet scams such as e-mail hustles and computer hacking.
The most common tool for identity theft was the use of technology devices, a broad category that includes credit card encoders, computer printers and telephones. Devices were used 37% of the time.
The new study is based on cases closed by the Secret Service, which has become the lead federal agency in criminal identity theft by dint of its role protecting U.S. financial systems.
Javelin founder James Van Dyke said Saturday that he didn't see a conflict with his firm's results because the Secret Service typically takes high-dollar cases. Those would be more likely to involve businesses, strangers and technology than Javelin's broad base of victims reached through telephone polling, Van Dyke said.
The median loss in the Utica College database was $31,000, while a Gartner Inc. survey of consumer victims this year found an average loss of about $3,300.
Gordon did caution against generalizing from the statistics because his study looked only at cases that were solved by the Secret Service -- a tiny minority of the more than 15 million annual instances estimated by Gartner. Other investigations are handled by local or state police.
The exclusion of unsolved cases also could skew the findings. In particular, crimes in which the trails lead overseas are much harder to pursue, government experts said. They may include a higher proportion of Internet-assisted attacks.
Among the other findings by Gordon's team: When businesses were targeted, 40% of the time it was by employees of the companies, not outsiders such as contractors or hackers. In the employee cases, 60% worked in retail and 22% in financial services. Gordon said the effect of new security measures for businesses should be studied.
Criminals had one or more accomplice 42% of the time, and the more people that were involved, the higher the average losses. Gordon said law enforcement should consider devoting more resources to cracking down on organized groups.
"The data shows a wide range of ways personal identifier information can be stolen. It's not just a person sitting at a computer screen hacking into a corporation," Gordon said. "It's a wide spectrum."
The study will be available at www.cimip.org.