The Center for Education and Research in Information Assurance and Security (CERIAS)


What is Higher Education’s Role in Regards to ID Theft?


A recent study by the US Justice Department notes that households headed by individuals between the ages of 18 and 24 are the most likely to experience identity theft.  The report does not investigate why this age group is more susceptible, so I’ve started a list:

  • Willingness To Share Information: If MySpace, Facebook, and the numerous blog sites like LiveJournal are any indication, younger adults tend to be more open about providing personal information.  While these sites may not be used by identity thieves, they nonetheless illustrate students’ willingness to divulge intimate details of their personal lives.  Students might be more forthcoming with their SSN, account information and credit card numbers than are their elders.
  • Financial Inexperience: Many college students are out on their own for the first time.  Many also are in “control” of their finances for the first time.  With that inexperience comes a lack of practice with, and knowledge about, tracking expenditures and balancing checkbooks.  College students are therefore an easier target for identity thieves, who can ring up several purchases before being noticed.
  • Access to Credit: A walk around campus during the first few weeks of the year also reveals another contributing factor. Students are lured into applying for credit cards by attractive young men and women handing out free T-shirts and other junk.  It is not unusual for a college freshman to have three or four credit cards with limits of $1000 to $5000.
  • Lost Credit Cards and Numbers: This might be a stretch, but I know many college students who periodically lose their wallets, purses, etc. and who did not act quickly in canceling their debit and credit cards.  I also know many who have accidentally left a campus bar without closing their tab.  It would be trivial to get access to someone else’s card at these establishments.  Along with this reason comes access to friends’ and roommates’ cards.

I’m sure there are many more contributing factors.  What interests me is determining the appropriate role of the university in helping to prevent identity theft among this age group.  Most colleges and universities now engage in information security awareness and training initiatives with the goal of protecting the university’s infrastructure and the privacy of information covered by regulations such as FERPA, HIPAA, and so on.  Should higher education institutions extend infosec awareness campaigns so that they deal with issues of personal privacy protection and identity theft?  What are the benefits to universities?  What are their responsibilities to their students?

For educational organizations interested in educating students about the risks of identity theft, the U.S. Department of Education has a website devoted to the topic as does EDUCAUSE.


Comments

Posted by Anthony
on Friday, April 7, 2006 at 01:28 AM

I guess that there are no benefits to the Universities.

Should there be any?! After all, University is destined to teach students something and I guess that it must teach them much more than subjects of the programs students are enrolled in.

If the gullible student is ripped off due to the sharing of the personal information on the web, it could be the best lesson that he will undoubtedly share with his peers.

Posted by adam
on Monday, May 22, 2006 at 12:42 PM

What about the extensive and broad distribution of SSNs as part of the admissions process?

Posted by Emergent Chaos
on Wednesday, May 31, 2006 at 02:54 PM

ID Theft and the 18-24 Set

Matt Rose has an interesting post, “What is Higher Education’s Role in Regards to ID Theft?:” A recent study by the US Justice Department notes that households headed by individuals between the ages of 18 and 24 are the most…

Posted by Allan Friedman
on Friday, June 2, 2006 at 07:35 AM

[left this comment at Emergent Chaos, but thought I would double post my long-ish ramblings]

Thanks for catching this, I missed its announcement.  First, explanations, then an analysis of the report. [Sorry, this is long]

1) I think the ITRC’s Aftermath study noted that many victims knew the perpetrator, who had access to mail, files, etc. Young people have roommates who have unfettered access and often few strong social ties.

2) Young people also move more often. Mailing lists may lag, sending credit offers and PII to strangers. I seem to recall a claim that mail forwarding itself has been documented as a potential source of fraud.

3) More lines of open credit. Building on Matt and Chris’ point, if I have more cards, a constant rate of fraud on any account leads to higher fraud rates.

Now, comments on the DoJ report. I am tempted to crack the spreadsheets myself, but am a little too busy, so just from the report:

First is the old chestnut of lumping credit card fraud in with impersonation fraud. Of the total projected 3.5 million instances of “ID theft”, 1.7 million are unauthorized use of existing cards, .9 million are other accounts including “wireless telephone account, bank account or debit/check cards”. Using personal information to obtain NEW credit/loans/etc was only 538,000.

The survey in the appendix from the NCVS shows that the multiple episode question (45d) was offered *separately* from the three forms of fraud mentioned above (45c{a-c}). In the report stats, they are summed together. I hope that they calculated that separately for Table 1 of the report, which adds another 417,000 to the fraud victims.

NCVS relies on self-reporting, which requires identification of the crime and understanding of it. There could well be an age bias for detection. On the other hand, such a bias would probably spill over into 25-36. I’m also curious about how they weighted for young people, compensated for cell phones, etc. Generally, though, NCVS is regarded highly by criminologists, or at least by my friend here who does that sort of thing.

It would be nice to have the age crosstabs, but I don’t think NCVS allows access to disaggregated data. (Conflict of interest in being a *privacy* researcher… )

Finally, the harms of ID theft. A very interesting note on p.3—only 1/3 of respondents reported any harms from ID theft. This suggests that, perhaps, a strategy of poor data protection may be a socially efficient means of dealing with PII if data protection is very expensive, since the number of victims with identified harms is relatively low. We do not know the effective harms of the most popular answer, “contacted by a debt collector or creditor”. Economic harms, such as “fee paid” are not included. On the other hand, 2/3 of the population took at least two days to resolve the problem, so perhaps the harms were not fully captured.

The survey does not specify *incidence* of economic harm. The only monetary question in the survey is “What was the total dollar amount of the credit, loans, cash, services, and anything else the person obtained while misusing” (45e). We have no way of knowing how much of that expense was directly borne by the victims. (From the preceding paragraph, less than a third had indirect harms.) Still, **based on the survey questions, the claim “Most households incurred a monetary loss as a result of the identity theft” is highly misleading.**

I have an abstract accepted for TPRC in the fall where I hope to tackle how data leakage affects ID theft, and would love more discussion of this.
