Author: Vedant Saxena, II Year of B.A.,LL.B(Hons), from Rajiv Gandhi National University of Law, Punjab
1. Introduction
Identity theft is one of the most common and widespread forms of cybercrime, wherein the criminal uses somebody else’s identity or personal information as bait to obtain illicit financial profits or any other benefits. Such crimes could be commissioned by simply obtaining the victim’s credit card details, social security number, social media passwords, etc. Since identity theft involves falsely misrepresenting oneself as someone else in the advent of a crime or using somebody’s personal information to facilitate online transactions, healthcare benefits, or insurance covers, the victim may face a number of consequences, ranging from hefty financial losses to undesirable physical and mental trauma.
2. Types of identity theft
2.1. Criminal identity theft
This form of identity theft is rare, yet it could bring about dire outcomes. Criminal identity theft occurs when a person, on being arrested/apprehended for the commission of a crime, portrays himself to be somebody else. He could do so by presenting photo identification – either real or counterfeit, or could simply use the victim’s name or driver’s license or social security number. The result of such an act is the incorporation of a criminal record in an innocent person’s name, who more often than not learns of the incident when it’s too late.
In a 2016 Mexican case, a person had committed a number of felonies in the name of another person. The victim came to know of this many decades later and faced extreme financial losses.
2.2. Medical identity theft
Medical identity theft occurs when a fraudster uses somebody else’s personal information or healthcare data to obtain healthcare benefits, such as insurance covers that weren’t originally under the name of the fraudster. Such theft could also be committed in order to see a doctor or obtain prescription drugs in the name of the victim, which could lead to the incorporation of unwanted criminal records in the victim’s profile.
2.3. Financial identity theft
Arguably the most common of all, financial identity theft occurs when the fraudster obtains sensitive personal information of the victim, such as credit/debit card PIN, social security number, driver license number or bank account number, and uses it to obtain money or facilitate purchases. Worse case scenarios could include the fraudster securing job titles in the name of the victim or altering bank account details to his advantage.
2.4. Child identity theft
Adults are generally aware of the consequences or cyber theft, and thus keep their personal information secure enough. But what about children? Securing personal information is the matter of least concern for them, and thus fraudsters could use their personal information, such as social security number, in order to commit hefty fraudulent acts for their benefits. Records suggest that in such cases, the fraudster is mostly a family member or a friend or a close acquaintance. This is why parents are advised to put in extra efforts to keep their children’s personal information secure and away from the clutches of hungry fraudsters.
3. Modes of accomplishing identity theft
3.1. Phishing
Complementing mere phenotypic similarity, phishing is literally ‘fishing’ within cyberspace. Through this technique, fraudsters send unwanted and malicious email attachments, which are presented to the victims as information from authorized sources, such as banks, companies with which the victim is doing businesses, or links to download important attachments. A number of people get trapped in such bait, with the fraudsters succeeding in extracting invaluable personal information such as social security number, credit/debit card PIN, bank account details, driver license number, healthcare details, account passwords, et cetera. Perhaps one of the most notable phishing attack cases is from March 2016, when hackers managed to extract Hillary Clinton campaign chairperson John Podesta’s Gmail account password. ‘Smishing’ and ‘Vishing’ are two hybrid forms of phishing.
The former occurs when hackers use text messages, especially juicy links, as bait to entrap the user. The latter occurs when hackers make phone calls in order to extract information. The user more often than not gets duped into believing that the information is required within a limited time, thus falling prey to the hackers’ malicious intents.
3.2. Pharming
The pharming is a more effective way than phishing to extract personal information from users. Here, the user is not made to open a suspicious email attachment or click on an unwanted link. Rather, he/she is automatically redirected to a bogus website. Such attacks occur mostly when banking sites or financial transactions are concerned, in order to extract important information primarily meant for pursuing identity theft to facilitate monetary benefits for the hacker. Pharming is generally an easy 2-step process.
The first step involves the hackers corrupting the user’s system with malicious code. Once the code is set up, either through malware or through DNS server poisoning, the user on entering a website’s URL is automatically directed to the bogus page without his knowledge/consent. The fake page often resembles the original, thus duping the user into entering his login info, and other such sensitive information such as bank account details.
3.3. Credit card skimming
This mode of identity theft enters the picture mostly when the victim uses his credit/debit card at ATMs, gas stations, restaurants, et cetera., to facilitate online transactions. A ‘skimmer’ is a device through which hackers steal all of the information stored in the black strip of the victim’s card, which includes his/her name, the card number and its expiry date. Sometimes, a skimmer also contains a hidden camera that could record the victim entering his pin. Such information could then be used by hackers for online transactions and obtaining loans in the name of the victim.
3.4. Weak passwords
More often than not, people use weak passwords and pins for their social media and bank accounts respectively. This could turn out to be a blessing in disguise for hackers on the lookout. Weak passwords can often be detected by hackers in the course of cyberstalking the victim on social media, for example, observing common phrases and terms used in captions, statuses, etc.
4. The Indian laws governing identity theft
4.1. The Information Technology Act, 2000
4.1.1. Section 43
This section says that if any person, without the assent of the person in charge of a computer, computer system or computer network, gains access to such computer, computer resource or computer network, extracts, destroys or modifies data, contaminates it with a computer virus, disrupts its normal working, or causes a denial of access to the owner, such person shall be liable to make compensation to the person so affected.
4.1.2. Section 66
According to this section, if any person dishonestly or fraudulently commits and offence under Section 43, he shall be punished with imprisonment for a term which may extend up to 3 years or with a fine which may extend up to 5 lakh rupees, or with both.
4.1.3. Section 66B
This section pertains to the unlawful obtaining of a computer resource or communication device. It says that if the accused had reason to believe that such a computer resource or communication device was obtained by illicit means, he shall be punished with imprisonment which may extend up to 3 years or with a fine which may extend to rupees one lakh, or with both.
4.1.4. Section 66C
This section prohibits the unlawful attempt to impersonate somebody else by means of electronic signature, password, credit/debit card pin, social security number, etc. Such a person is to be imprisoned for a period not extending 3 years and to be charged with a fine not extending 1 lakh rupees.
4.2. The Indian Penal Code, 1860
Identity theft pertains to the theft of data, which essentially is an intangible asset. Therefore, it fails to fall within the ambit of ‘moveable property’ under Section 378 of the IPC. However, the sections encompassing fraud and other related offences concerning identity theft, such as forgery, forgery as an accomplice in cheating, making false documents, reputation etc. may be invoked along with the provisions of the IT act. Section 4(3) says that if any person across the globe commits and offence targeting a computer resource in India, he shall be punished under this code.
5. Limitations within the laws
The punishment for an offence as grave as identity theft is paltry. And offence committed under Section 43 attracts a meagre penalty of a 3-year jail term or a fine of one lakh rupees.
The term ‘unique identification feature’ within section 66C of the IT Act is not clear.
With identity theft being a compoundable offence, most of the matters are settled through compromises.
Identity theft is a bailable offence.
6. Impact of identity theft
6.1. Financial toll
Identity theft could cause a severe financial crisis for the victim. Apart from gaining access to personal information and using it for transactions, the fraudster could use the information for securing huge loans, taking over the property of the individual, obtaining prescription drugs and insurance covers, which could affect pensions, mortgages et cetera., thus completely derailing the victim’s financial estate. In extreme cases, the fraudsters might sell the victim’s personal information on the dark web and obtain hefty illicit gains. This is why one needs to constantly be on the alert for potential cyber-attacks, changing his/her passwords and pins from time to time, and securing sensitive credentials, especially those that are more vulnerable to attacks such as children’s security number.
6.2. Emotional toll
Identity theft, along with bringing forth financial breakdown, also hampers the mental structure of the victim, clearly evident in cases of criminal identity theft when the victim is wrongfully labelled as a criminal. Having a criminal record against his/her name could affect the victim’s education, job security, and general social relations. In a Mexican case back in March 2016, the fraudster had been using the victim’s identity to commit a number of offences, including having intimate relations with a child. The victim learnt of this several decades later and subsequently lost his job. His marriage broke up too.
A 2016 Identity Theft Resource Center survey of identity theft victims shed light on the prevalence of this emotional suffering caused by identity theft: 74 per cent of the people reported feeling stressed, 69 per cent reported feelings of fear associated with a personal financial safety, 60 per cent reported anxiety, 42 per cent reported fearing for the financial security of family members, and 8 per cent reported feeling suicidal.
6.3. Physical toll
The victim of stolen identity may face dire physical exertions. When the victim is wrongfully apprehended for a crime, he/she goes under the scanner in order to clear his name. Proving his/her whereabouts at the time of the commission of the crime, providing his fingerprints and other important documents, and facilitating the switching of the victim’s name to the fraudster’s name (in respect of the crimes committed) become incumbent tasks for the victim to prove his innocence. In other cases, the victim might lose his entire property when the fraudster has obtained hefty loans using the former’s identity, the fraudster might use up all of your healthcare benefits.
6.4. Social toll
Not all identity theft instances are directed towards the benefits of the fraudster. They may also be commissioned purely to the detriment of the victim. Social media has become a household term in today’s era, with approximately 3.8 billion people having social media accounts.