Identity fraud was always predicted to be a crime that would boom in the early 21st Century, and now we have some evidence that shows it on the up. Last week, the Consumers Association, a profit-making pressure group based in the UK, estimated from interviewing almost 1,000 people that is has affected up to a quarter of adults in Britain, costing £1.3 billion ($2.4 billion) a year.

Put that figure another way; criminals have created a £1.3 billion industry with high profit margins and relatively low risks relative to other forms of crime. It’s an endeavour that will get a lot bigger and nastier before the authorities and banks get on top of it, which is assuming they ever do.

The statistics came from an analysis of face-to-face interviews carried out with 965 people, 10 percent of whom had personally been the victim of identity fraud. Another 15 percent claimed to know of someone who had experienced the crime, which together account for the headline-grabbing 25 percent figure.

The £1.3 billion estimate of the value of this crime came from a UK Home Office study carried out in 2002, and if anything looks like a quaint under-estimate given that it won’t include more recent scams such as phishing.

The researchers were also able to do the sorts of things that make you wonder if the institutions that guard people’s lives are competent that handle the responsibility. Using the Which? Magazine editor as a test case, they were able to gain access to his address from an entry in the electoral register (although being entered in the public version of this is now optional in the UK), were able to discover his birth date, and find out his mother’s maiden name (used as a security question by many credit card issuers) from a birth certificate sent out with great efficiency.

Armed with such data, fraudsters could have gained access to a credit card issuer and informed them of a changed address while applying for new credit cards. Discovering the fraud would have taken weeks or even months, by which time large sums would have been stolen using a single assumed identity. Why work for a living like the rest of us when it’s as easy as this?

Hitting a similar note, in February the U.S Federal Trade Commission (FTC) produced a depressing report (pdf) after analysing its Consumer Sentinel database of fraud and identity theft complaints. The stats for 2004 showed 635,000 complaints had been made in total, 39 percent of which related to identity scams, by some way the largest category. The figures revealed a complex picture of identify fraud, but there was evidence that what had started in the real world with old-fashioned credit card rip-offs had now moved rapidly into the online world, where it was flourishing; the report noted that “electronic fund transfer” identity theft had doubled between 2003 and 2004.

Identity fraud obviously comes in a number of guises, many of them nothing to do with computing-based scams. The simplest are activities such as credit or debit card skimming and theft, all of which involve buying goods after copying basic details of a single card. More sophisticated are frauds – including the one in the Which? example - carried out by stealing more specific personal information such as date of birth, address and forging document such as birth certificates.

Neither reports offered any statistics for phishing, and they would likely have been small relative to the whole, but that will change. Barely a week now goes past without news of some new technique for defrauding online users, almost all involving banking sites. The level of criminal innovation is now outstripping if not the security industry then certainly the banks and other large institutions who are supposed to be its mains customers, and our protectors.

Identity parade
And this is the bottom line. Identity fraud has been a growing problem for decades – since long before computers became part of the household and business furniture - and governments and financial instructions have mostly done nothing about it. They have carried on rolling out new technology, turning money into its virtual equivalent, credit, and getting rid of bricks and mortar in favour of online management of money.

In the case of banks, what they have built is really a huge hole-in-the wall ATM with scant safeguards. The best defence they’ve so far come up with is that customer ignorance about security pitfalls should not entirely insulate them from the worst effects of banking under-investment.

To put this mentality in perspective, the 2004 pre-tax profits made by a list of the UK’s leading banks included the £9.6 billion ($17.6 billion) made by HSBC, Royal Bank of Scotland’s £6.9bn ($13.1bn), Lloyds TSB’s £3.49 billion ($6.65 billion), Barclays’ £4.6 billion ($8.6 billion), and HBOS’s £4.5 billion ($8.4 billion). That alone adds up to just under £30 billion ($54.5 billion) in one year, in one country.

As if this wasn’t enough of a poke in the eye for ordinary users in the year when phishing rose to prominence, the banks are notoriously unwilling to discuss the topic of online fraud – or any fraud. So nobody really knows how much of it there is because they have only reported figures to go on.

Admittedly, governments appear to be falling over themselves to invest tax-payer’s money in forms of identity to replace the hopeless system of passports and birth certificates that can be faked with laughable ease. Banks are also belatedly investing in technologies such as chip & PIN, and added online bank security. But there will always be enough holes in even the most carefully-policed identity system for a determined criminal to get round checks, or overcome new systems that don’t quite go far enough. Now that the rewards of online scamming have been added to the mix, there is even more incentive to beat the system.

Banks will tell you that customers don’t like inconvenience, and are reluctant to invest in systems that might put them at a competitive disadvantage or force them to pass the cost on to fussy customers. The future will be very different, however. Government regulation now looks inevitable, possibly trans-nationally initiated, giving all banking institutions a care of responsibility for their customers, and forcing them to head of a problem before it gets even worse.

But, as ever, only when the fines for not investing in security exceed the losses incurred by banks and their customers will anything actually get done.