For the year-long period that ended last August, 15 million people were burned by some kind of fraud related to identity theft, said Avivah Litan, a Gartner Inc. analyst. That number is 50 percent higher than 2003 data released by the Federal Trade Commission.

Other figures from Litan's study were equally downbeat. The average identity theft fraud loss more than doubled in 2006 to US$3,257 from $1,408 the year before, while the percentage of recovered funds dropped to 61 percent in 2006 from 87 percent in 2005. The average loss on new-account fraud -- where criminals use the data they've stolen to open new credit card or bank accounts -- was $5,962 in 2006, a jump of 223 percent over 2005's $2,678. And unauthorized charges to credit cards leaped nearly fourfold, to an average last year of $2,550. Unauthorized charges in 2005 averaged just $734.

"What's useful here are the trends; the numbers can never be exact," Litan said. "The only good news, and it's not much, is for banks. They're less on the hook than before. They're not getting attacked directly as much now."

That's because criminals are increasingly turning to unconventional identity theft ploys rather than tackling the banks themselves. Financial institutions have, at least in the cases of large banks, fortified their data. "Hackers are exploiting Internet auctions, money transfers like Western Union and PayPal, the ability to impersonate lottery and sweepstake contests, and other types of imaginative scams," said Litan. "They're going after the weakest links, the consumers using social engineering tactics, and the U.S.'s payment systems at retail and businesses."

Of those surveyed who knew or suspected the causes of the identity theft, data breaches led the charge with 15 percent. "Banks eat the fraud there," at least for now, said Litan. A Massachusetts state lawmaker, however, has proposed a bill that would hold retailers financially responsible for breaches.