Identity fraud involves impersonating the victim for economic gain, whereas identity theft involves stealing the victim's credentials used for such impersonation.

In the electronic realm, the victims' identity information is covertly captured during online transactions by logging their keystrokes or by seducing them into cons like phishing. Electronic identity thefts also routinely take place through breaches into companies' databases that hold customer credit card or other identity information. In the physical realm victims' credentials are harvested by skimming their credit cards, intercepting their postal-mail or by culling through their garbage to retrieve scraps of identity-related information that is pieced together to form a composite identity of the victim.

Typical use of the stolen identity credentials is to carry out online purchases that are billed to the victim, and using the stolen identity information to open fraudulent bank accounts for obtaining loans on the victim's name.

Identity theft has become an epidemic of frightening proportions. It is the number one consumer crime in the US with someone losing their identity every two-and-a-half seconds. While in India concrete statistics on the extent of identity theft is not available, it would be fair to assume a rapid escalation in identity theft and fraud with increase in the number of net banking and ecommerce transactions.

Although the common perception is that the largest risk of identity theft is while buying online, the Council of Better Business Bureaus has in its surveys found that half of all identity fraud is committed by someone who knows the victim. Individuals must take protective measures like shredding all important documents before discarding them into trash, exercising vigilance against social engineering cons like phishing, checking bank and credit card accounts for discrepancies, and installing anti-virus, anti-spyware and firewalls in their PCs.

Countering Identity Theft and Fraud in India
To counter identity theft and fraud in India, the government must focus on three areas — legislating specific provisions to counter identity theft, enabling flow of information from credit bureaus to consumers, and implementing an identity fraud alert registry.

Legal provisions to counter identity theft. The IT Act 2000 in its present form does not have any specific provision to deal with identity theft. However, the Expert Committee on Amendments to the IT Act 2000 (whose report is presently under consideration by the government for adoption) has recommended amending the Indian Penal Code (IPC) by inserting in it two new sections: section 417A which prescribes punishment of up to 3 years imprisonment and fine for 'cheating by using any unique identification feature of any other person'; and section 419A that prescribes punishment of up to 5 years imprisonment and fine for 'cheating by impersonation' using a network or computer resource.

Sections 417A and 419A comprehensively cover identity theft and their incorporation into the IPC would place India amongst the handful of countries to have specific provisions to counter the scourge of identity theft.

Enabling flow of information from credit bureaus. In many cases victims discover the identity fraud perpetrated on them only when they receive their bills. The time gap between the commission of fraud and discovery may be too large to trace the impersonator. To proactively counter identity theft the consumers should have a means of being kept informed about any significant changes in their credit accounts as soon as possible. The government should bring into force provisions that would require credit bureaus like the Credit Information Bureau (India) Ltd to inform consumers in case of any significant change in their credit account status. In the US the Fair and Accurate Credit Transactions Act (FACTA) achieves this objective, and is considered as a potent anti-identity theft measure.

Identity fraud alert registry. In case of suspected identity theft, consumers require a way to inform financial institutions and credit bureaus to watch out for possible identity frauds. Likewise, companies holding customer credit card information when breached would require a means to inform financial institutions and credit bureaus to flag the breached credit card numbers for possible misuse. Such requirements entail setting up of a national fraud alert registry that can be updated directly by consumers/companies. Credit bureaus and financial institutions can take extra precautions in transactions pertaining to those accounts which are flagged in the fraud alert registry.