Oxford Analytica has a brief on identify theft published over at Forbes.com. The reason I say “hit the big time” is because OA is quoting some monsterous incident numbers in Hooked On Phishing. Accordingly, they say that the FTC reported roughly 27.3 million cases of identify theft over the last five years - nearly one-tenth of the US population. The total cost of the problem in the U.S. last year was $52.6 billion.

Some parts of this story strike me as odd. The first is the sheer magnitude of the cases. I suspect there are some other numbers in there, like possibly credit card fraud via traditional theft. The second issue is why throw “phishing” in the headline? Many of the cases quoted, like the Lexis-Nexis and Choicepoint issues, were not really phishing cases, but instead either a lack of internal security, or just plain stupidity. And the article mentions other forms of fraud as well.

I think those numbers deserve a little more scrutiny. This article is more so one on identity theft and consumer financial fraud, and the writers need to think a little harder about their words before they create a panic and everyone turns off their computers out of fear. Although phishing is an issue, it is part of a much bigger problem which will require additional regulatory and financial infrastructure changes far beyond protecting personal computer communications before it is solved.

***UPDATE***

The FTC’s latest congressional testimony stated that there were roughly 10 million victims of “some form of ID theft” in 2003. A quick peak of the FTC’s ID theft resource center (which is paltry, to say the least), denotes incidents of ID theft as any time “someone uses your personal information such as your name, Social Security number, credit card number or other identifying information, without your permission to commit fraud or other crimes.” I can agree that the use of a name or Social Security number should likely fall into the heinous category, but the use of someone’s credit card number is nothing more than financial fraud, that is unless they parlay that number into acquiring additional credit or other financial resources in the person’s name.

This reinforces what what Bruce Schneier said a few weeks back. The FTC cannot properly report the real story, so I suspect the financial world is going to have serious problems targeted and fixing the real problem. Maybe the FTC should start listening to Schneier as well.