Social networking sites a treasure trove for identity thieves

The increasing amount of information individuals share on social networking Web sites also could put them at greater risk of identity theft, according to identity management professionals.

The amount of personal information posted on social networking sites has made it easier for criminals and others to collect data and impersonate individuals online, said identity specialists speaking on Thursday at a panel in Washington hosted by the technology lobbying group TechAmerica.

"The definition of personal identifiable information will continue to expand," said Rick Kam, president of the consulting firm ID Experts. "Our approaches must also evolve."

The number of phishing incidents where individuals are asked to enter their personally identifiable information into a third-party Web site has increased sharply in recent years, said Dianne Usry, deputy director for incident management at the Internal Revenue Service's Office for Privacy, Information Protection and Data Security.

To comply with an Office of Management and Budget mandate intended to combat the increase in identity theft, the IRS is limiting its use of Social Security numbers both on printed documents and as a way to authenticate online visitors to its Web sites. Last year the IRS decreased the number of documents and letters with Social Security numbers by 8 million.

"The IRS will never get away from paper," Usry said. "We're actually more concerned about the possibility of a data breach from paper documents than from online."

The IRS does not keep statistics on the number of phishing attempts that successfully steal personal data, but most domestic phishing sites usually are shut down within three hours, she said. International sites take longer to shutter.

"The criminals are more active and so are we," Usry said. "We hope awareness is going up along with activity."

Social Security numbers are no longer the only target of online criminals, according to the panel members. Social networking sites such as Twitter and Brightkite allow individuals to post a stream of updates that include where they are. The popular photo-sharing Web site Flickr allows users to see exactly where a photo was taken. By aggregating the data about an individual's activities and movements, someone can create a detailed account about the person's work or personal life, according to Ian Glazer, a senior analyst for identity and privacy strategies at Burton Group.

"Individuals and organizations should treat their location as an enterprise asset," Glazer said, adding that disclosures made on social networking sites like Facebook could reach much larger audiences than users intended.

Also on the rise is medical identity theft, whose victims account for 3 percent of all identity theft, according to Dan Steinberg, an associate at Booz Allen Hamilton. Steinberg said medical identity theft is especially troubling because in addition to financial damage, the act can result in physical injury or loss of life.

One of the most common forms of this type of theft is when an individual uses someone else's information to seek medical care, either with or without their consent. The impostor's patient information is then added to the authentic patient's record, creating the possibility that the victim might receive a misdiagnosis or mistreatment when he or she visits a doctor or hospital.

Steinberg said health care providers can prevent this by verifying the identity of patients before providing care. Many providers now request identification when patients arrive, but the practice is not widely followed.