Original URL: http://www.theregister.co.uk/2012/10/31/essential_research_id_theft/

Pollster says ID fraud less costly than we thought

Most attacks relatively trivial

By Richard Chirgwin

Posted in Security, 31st October 2012 21:30 GMT

Here’s a riddle for you: what’s the cost of identity theft and so-called “cybercrime” in Australia on an annual basis? If you answer “I don’t know”, you’re probably as close as most people.

The latest data to be lobbed into the discussion is here, from Essential Research. Of its survey respondents – 995, the study had the same sample as its latest political poll – 10 percent of Australians have experienced online fraud of some kind, sixteen percent have had their credit card stolen, and just one percent have experienced identity “theft”.

The average self-reported loss from some kind of computer crime was $310, with 23 percent of respondents reporting loss between $100 and $500.

Unfortunately, the methodology doesn’t give us quite enough to extrapolate the data to the national level, for a few reasons: it’s impossible to state the overlap between the key financial attacks (credit card theft and identity theft); and the study didn’t differentiate between online and offline attacks (for example, the credit card might have been in a stolen wallet).

Unlike Crikey’s Bernard Keane’s analysis, I’m not going to bump the figure up to take into account multiple events happening to one person. However, I am going to treat each incident as distinct – in other words, I won’t try to de-duplicate the data on the assumption that one attack put someone into two categories (for example, identity theft leading to online fraud).

The cumulative total of all computer-related crimes, according to the Essential data, is a little over $AU2.8 billion – and that’s not constrained by a time period (the research didn’t say “in the last twelve months”), if the data is extrapolated only to Australia’s 15.9 million adults (ABS 2011 census).

The really notable datum in the research is “identity theft”, which was reported by just one percent of respondents and would extrapolate out to around $AU37 million. Even if identity theft, online fraud and computer fraud are taken together, the value is only $AU1.4 billion.

Even without singling out the inflated values claimed by computer security firms like Norton or Symantec, this result seems to suggest that even moderately-disinterested data sources overstate the case. The ABS, for example, put the number at $AU1.4 billion for 2010-2011. Its figure for ID theft was lower than Essential’s, at 0.3 percent, in line with lower credit card fraud (3.7 percent) and scam victims (2.9 percent) – but the ABS reported a considerably higher per-incident loss (average $AU2,000).

Yet last year, Suncorp’s preferred number for ID theft alone was $AU3 billion annually, while Austrac believed the figure was $AU1 billion back in 2003.

What are we to make of all this?

Well: the biggest problem with Essential’s research is the small sample size – but that only means there’s a margin of error a little over 3 percent.

There is, however, one major gap in the Essential data: it looks at the cost to the responding individuals, and does not include the charge-back costs borne by the credit industry, for fraudulent transactions that have to be reversed. I don’t call this an “omission” on Essential’s part – but it does mean that the data isn’t sufficient to draw an economy-wide conclusion. ®