18- to 24-year-olds most at risk for ID theft, survey finds

By Allison Klein
Washington Post Staff Writer
Wednesday, March 17, 2010; B01

Ryan Thomas, an airman in the Air Force Honor Guard, bought some DVDs on the Internet using his debit card. It was a $20 payment made from his account, which had about $900.

But the following day, his account balance was zero.

Someone had stolen his account information and bought computer games and other items.

"I didn't know better about securing your information on the computer," said Thomas, 21, who lives in Southeast Washington and flies planes over Arlington National Cemetery during funerals.

After the 2007 incident, Thomas took a class about how to protect information in cyberspace. But last month, he was hit again, this time by someone who targeted his account from Malaysia.

Similar identity-theft cases are rising sharply across the country, as young people -- sometimes cavalier with their personal information -- are hit the hardest, according to a survey released last month.

Identity fraud can include stealing a credit card number or opening a bank account in someone else's name. Thieves generally cross state lines in the commission of their crimes and are often linked to rings overseas in places such as Russia and Spain.

The "core millennial" group, identified as people ages 18 to 24, is at the greatest risk because it takes them longer to figure out that they have been defrauded -- meaning their information is compromised for a longer period, according to the survey, which is a snapshot of the identity fraud landscape from last year.

"Millennials don't protect enough or detect enough," said James Van Dyke, president of Javelin Strategy & Research, a California-based company that examined where identity theft threats are coming from and what effects they are having on consumers.

It takes young people an average of 132 days to detect fraudulent activity on their credit cards, bank accounts and other personal holdings, and those in older age groups average 49 days, the survey shows. When their identities are stolen, millennials are victimized by thieves for an average of about five months.

"The 18-to-24 group is unique. They're going to college. They're away from home for the first time. They're sharing more information. More of their information is exposed," Van Dyke said. "The old stereotype is true that people are sharing information willy-nilly and are waiting until they become a victim to listen to sound advice."

Thieves stole $400 from law student Gregory Peltz after he opened a tab at an Ohio dive bar, giving the bartender his debit card for the evening as he rang up drinks. He was shocked when his bank called him days later and told him that someone had withdrawn cash from the account, even without the card.

"I felt clueless," said Peltz, a second-year student at Ohio Northern University College of Law. He said he would have no problem handing over his debit card again for a night out at a bar -- just not the same dive as last time.

"I got my cash back the next day," Peltz, 25, said.

Last year, there were an estimated 11.1 million identity fraud victims of all ages, a 12 percent increase from the year before, according to the survey. Thieves stole about $54 billion from them, according to the study, which surveyed 5,000 people nationwide, 703 of whom had been victims of identity theft.

Javelin Research, which sells data studies to businesses and consumers, conducts surveys of consumer attitudes and behaviors on a variety of financial matters, including security, risk and fraud.

Its most recent identity fraud study found that in addition to well-known methods of thievery such as stealing wallets and credit cards, criminals are increasingly using high-tech methods of pilfering.

Among the common schemes: phishing (in which e-mails direct a victim to fraudulent Web sites that mimic respectable entities, including banks), smishing (in which text messages bait a victim to download malicious spyware), pharming (in which malicious code on computer sends victims to bogus Web sites) and keylogging (in which hidden software monitors victims' keystrokes to collect passwords).

When people are victimized with those methods, it's much harder to detect, often leaving them with no explanation about how their identities were stolen. Only about half of the victims file police reports, the study found.

Identity thieves steal an average of $4,841 per victim, but the end cost to each person is about $373, because banks generally reimburse the victims. Victims spend about 21 hours resolving their cases and getting their money back, the survey shows.

The study looked at social networking sites such as Facebook and MySpace and found that millennials are compromised more than other groups on the sites but that, in general, the sites account for small percentages of identity theft. Seven percent of young people said their financial information was compromised because of a social networking site, compared with 2 to 4 percent for other age groups.

But there's a caveat: About 55 percent of victims never figure out how their information was stolen.

Mary Madden, senior research specialist at the Pew Research Center's Internet and & American Life Project, said 72 percent of millennials use social networking sites daily, compared with 40 percent of adults 30 or older.

She said young people share personal information about themselves, whether it is their birth date, phone number or a picture from a party, as a way to nourish relationships.

"You are trading information about yourself as a form of cultural currency," Madden said. "By posting a photo or an update about what you did at a bar last night, you are sharing with friends to initiate an exchange and continue a friendship."

Problems arise, she said, when the information is misused.

"It's an interesting balance they have to strike in deciding how much to share in order to initiate or maintain a relationship but not overshare with their network," she said.

Madden pointed to studies that show most people can be identified with three pieces of information: their sex, Zip code and date of birth. And seemingly anonymous profiles that catalogue preferences, such as movie lists on Netflix, can also be used to identify users.

Adam Morrison, 19, a freshman at Arizona State University, realized that his identity had been stolen a few summers ago when he applied for a job and figured out that someone had been using his Social Security number for his own employment purposes. Morrison's bank account was not affected, but he remains miffed about how long the person had been using the Social Security number and how it was stolen.

"No idea how he got it," Morrison said.

Staff writers Matt Zapotosky and Jenna Johnson contributed to this report.

View all comments that have been posted about this article.

© 2010 The Washington Post Company