At a time when your good name and credit are used to judge you as never before--from whether you’ll get that next job to the rates you’ll pay for insurance policies--your good name and credit have never been more at risk. Identity theft--the fraudulent use of your name and identifying data by someone else to obtain credit, merchandise, or services--claimed seven million victims in the U.S. last year, according to a recent survey by Privacy & American Business, a publication of the Center for Social & Legal Research, a nonpartisan think tank. That’s 10 times as high as past estimates. Canada, Japan, and the United Kingdom are among those countries also reporting ID-theft epidemics.
It is an equal-opportunity crime, affecting victims of all races, incomes, and ages. Overall, more than 33 million Americans, about 1 in 6 adults, say they have had their identities used by someone else sometime since 1990, the survey found. Indeed, the Department of Justice says ID theft is the nation’s fastest-growing financial crime, and the damages to consumers are becoming ever more pernicious. Margaret Murray, a disabled homemaker from Spartanburg, S.C., was arrested in front of her son after a thief passed bad checks in her name. Frances Green, a beautician from Jamaica, N.Y., discovered that the house she was about to buy had already been sold--to an ID thief posing as Green who, with a phony seller and fake lawyers, defrauded the mortgage company and ruined Green’s credit. Identity fraud has become a major element in crimes ranging from international drug trafficking to terrorism; Al Qaeda operatives in Spain used stolen credit and telephone cards and false passports and travel documents to open bank accounts and pay for travel and communication abroad, an FBI agent testified before a congressional subcommittee last year. Many victims don’t learn of the crime for a year or more, only after something goes terribly wrong, because thieves often shield their actions by using a different address when they open new accounts in the victim’s name. Typically, federal laws cap monetary losses to consumers, but even in routine cases, it takes victims two years on average to clear their names, according to the Privacy Rights Clearinghouse, a nonprofit advocacy group. Some victims say that during that time, they haven’t been able to get a car loan or a mortgage; they couldn’t even use their cell phone. Moreover, all consumers end up paying for ID theft: The $4.2 billion that businesses will lose this year to the crime, a figure expected to mushroom to more than $8 billion by 2006, they recoup by charging you higher fees and prices. Identity theft is a problem largely because financial institutions, merchants, credit bureaus, and the government do not adequately safeguard vast databases and other records containing consumers’ sensitive information, making it relatively easy for thieves--often insiders--to access these data. Many institutions use Social Security numbers when other identifiers would suffice, fail to notify consumers when security breaches occur, and provide little help or recourse for consumers stuck cleaning up the mess. "ID theft usually occurs not because of the carelessness of the individual consumer, but because of the carelessness or vulnerability of the organizations they deal with, including the government," says Robert Richardson, editorial director of the Computer Security Institute, a research and training organization for computer- and network-security professionals. Many businesses don’t bother to report problems. A recent nationwide survey of 530 large and small businesses by the San Francisco
office of the FBI and the Computer Security Institute found that 56 percent said they had experienced the "unauthorized use"
of a database, but only 30 percent had reported the incident to law enforcement. Prior years were even worse; while the percentage
of break-ins was roughly the same, only 17 percent were reported.
All that ID thieves really need to open credit or bank accounts under your name or to drain your existing accounts are three pieces of information: your full name, Social Security number, and date of birth. They can get by with less when financial institutions fail to check identifying information. What follows are seven ways in which thieves can get information about you and how to stop them:
These databases are often poorly protected. Last fall, a clerk on a computer-help desk in a Bay Shore, N.Y., banking-software company was charged with using access codes obtained on the job to download and sell 30,000 credit reports from credit bureaus to other crooks for $60 each. The resulting losses to victims: more than $2.7 million, federal prosecutors say. Earlier this year, Visa, MasterCard, and American Express confirmed that an unknown hacker had accessed 8 million credit-card records, including 3.4 million Visa accounts and 2.2 million MasterCard accounts, from a merchant processor, Data Processors International. The card companies said no information was used fraudulently, but Gartner Financial Services, a technology research and advisory company, estimates that at least 1 percent of those accounts, or 80,000 consumers, will become targets of fraud since stolen credit-card data make ID theft easy. Last year, the Federal Trade Commission censured online merchant Guess when a 19-year-old novice programmer, testing the site’s security before buying a pair of jeans, was able to break in and retrieve 200,000 customer names and credit-card numbers, despite the site’s claim of being "secure." A Guess spokeswoman says the company has settled the case with the FTC and upgraded security. The fix: Financial institutions and other businesses should use encryption and better systems to prevent and detect computer hackers and to control access by insiders, computer security and privacy experts say. But only 10 percent of businesses encrypt their data, according to Avivah Litan, vice president and research director of Gartner Financial Services.
The fix: Don’t use e-mail to send your Social Security number or other personal data. If you must, make sure that you use a secure Internet connection by checking your browser window for a secure-connection icon. We recommend against giving personal information to someone who has called or e-mailed you unsolicited. At least, independently confirm the legitimacy of the request by phoning or e-mailing the company.
The fix: Shred papers containing personal information and preapproved credit offers before discarding them. (See our test results for shredders.) Businesses and governments also need to do a better job of disposing of old files. Only California, Georgia, Washington, and Wisconsin have laws requiring businesses to shred files.
The fix: Homeowners and landlords can help prevent mail theft by replacing regular mailboxes with locked boxes. Businesses should stop using Social Security numbers in routine correspondence and create alternative ID numbers.
A recent case involved 17 conspirators, including lawyers and an unlicensed real estate agent. They were indicted in Queens County, New York, in connection with a $1 million mortgage fraud ring that victimized Frances Green and others whose houses were literally sold or refinanced out from under them. Imposters used fake IDs, including driver’s licenses, to pose as the homeowners at staged closings to steal money from mortgage lenders. A real-estate office employee may have supplied the victims’ names and Social Security numbers to the conspirators, says Detective David Moore of the New York Police Department. The fix: Better ID verification by mortgage lenders and other financial institutions, such as cross-checking at least four types of identification, would cut down on this kind of fraud, experts say. So would validating Social Security numbers with the Social Security Administration.
The fix: Better employee screening might curb ID theft. Tighter federal regulation of ATMs may also be needed.
The fix: Businesses and individuals should use hard-drive shredding software or remove and destroy hard drives before discarding a
personal computer. Until recently, identity theft seemed to be regarded by police and many financial institutions almost as a victimless crime. Many victims say they had trouble reporting the crime; local police wouldn’t pursue the case. Even today, only 678 of some 18,000 law-enforcement agencies participate in a federal ID-theft database to share tips and leads. Meanwhile, lenders and merchants chalked up losses to "bad debt," which can be written off on income-tax returns and may cost less than paying for security. Also, businesses have seldom been held liable in lawsuits stemming from ID theft, so there has been little incentive to act. However, 60 to 80 percent of losses originally classified as bad debt actually may have resulted from ID-related fraud, according to a study by ID Analytics, a San Diego-based supplier of ID-theft-prevention software. Those losses have been too great to ignore. Financial Insights, a research and advisory company to financial institutions, says that ID-theft losses, if they continue at today’s pace, could reach $8.5 billion in 2006. The current cost to business is $18,000 per incident, the FTC says. Pressure on business and governments to act is also coming from other quarters. The European Union’s 1998 European Data Privacy Directive prohibits transfer of personal data to any country that does not have adequate privacy protection. The United States’ approach to privacy has been considered inadequate by the EU. New studies suggest that consumers want businesses and the government to do more, too. In a recent survey of 2,000 consumers by Star Systems, an ATM network, more than two-thirds of respondents said they want financial institutions to verify customers’ identities during transactions, even if that is less convenient. Nine in ten said the government should take action concerning ID theft. Some businesses and governments are taking steps, but critics say more needs to be done.
Tighten security. Visa and MasterCard now require merchants and big banks that issue their branded cards to use secure Internet technology. They’re using new identity verification and authentication systems for controlling transactions among customers, merchants, and banks. In addition, both now require member banks and merchants to encrypt personal data stored on their servers. Credit-reporting agencies say they have spent millions upgrading computer-system security. But they have done little, it seems, to control access to credit reports by unscrupulous employees of credit-bureau clients such as car dealerships, which have been sources of theft and reselling of credit reports. Robin Holland, senior vice president of customer service at Equifax, says the company inspects clients where its machines are used. If rogue employees of their customers breach security, "I don’t see why we would be blamed for that," she says. But Litan, of Gartner Financial Services, says companies could protect against insider threats by limiting those employees with access to credit data. The largest single source of ID theft is "the corrupt individual on the inside," says privacy expert Alan Westin, president and publisher of Privacy & American Business. Indeed, thousands of businesses and government institutions impose too few limits on access to sensitive information, privacy and security experts say. Ligand Pharmaceuticals recently settled a negligence lawsuit in San Diego over ID thefts that occurred when personnel records were left in an unlocked area after Ligand acquired another company in a merger. A worker discovered the records and used them to open fraudulent credit accounts. "Too many people have access to the documents," says Margaret Byrne, an attorney who represented the Ligand ID-theft victims. Few managers should have access, and records should be kept under lock and key, she says. Detect fraud. Some companies that are frequent targets for identity fraud, including cell-phone services, retailers that offer instant credit, and large banks, are investing heavily in systems designed to detect fraudulent credit applications. ID Analytics has designed one that assigns a score like a credit score to a credit application. A high score means the identity of the applicant is probably stolen or fake. The software has detected fraud in 7.5 percent of credit applications. Under another system, a Social Security number that doesn’t correspond to the birth year of the applicant might trigger a warning. But too many merchants still don’t check. Prevent hacking. Systems that monitor an organization’s connections to the Internet and that prevent and detect hacking are a must to deter ID thieves and virus attacks, says Richardson of the Computer Security Institute. On the horizon: "trustworthy" computing systems that require authentication and verification before allowing information-sharing among computers or computer networks. The systems work by not allowing one computer to talk to another unless it knows the "secret handshake." Such systems are costly, however, Richardson says. They also limit the free exchange of information that many users have come to expect from the Internet. Pass stricter laws. California leads other states and the federal government with its identity-theft laws. Consumers Union’s West Coast Regional Office helped push for many of them. Many consumer-rights, privacy-rights, and law-enforcement advocates say they want to see other states copy the laws, which do the following: • Require that consumers be notified of security breaches that could compromise their personal data, including Social Security numbers. • Entitle fraud victims to a free credit report every month for a year after they notify credit-reporting agencies that they have been victims of fraud. • Require individuals requesting birth or death records to provide proof of identity and to sign a form indicating the reason for the request. • Allow customers to freeze their credit reports if they have been victims of fraud. This requires credit-reporting agencies to get permission from consumers before disseminating their credit reports to lenders. Also, state law requires credit issuers to honor fraud alerts on files and to deny new credit requests until the consumer is notified. Texas enacted a similar credit-freeze law, which Consumers Union supported. • Require law-enforcement officials to take reports of identity theft in the jurisdiction where the victim resides. • Limit the use of Social Security numbers. Proponents say such laws go a long way toward preventing identity theft and helping victims to limit the damage. In addition, more than 20 bills concerning identity theft are pending in Congress. "Anyone who stores information needs to do more," says Eliot Spitzer, New York Attorney General, whose wife, Selda Wall, was an ID-theft victim. But, he added, "federal legislation is going to be necessary." |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
1. Stealing company data. Millions of identities can be stolen at one time when hackers or insiders break into company databases or commercial Web
sites where credit-card information and other personal data are stored. Such databases are proliferating; businesses and governments
share everything from marketing lists to property records on the Internet. The federal Gramm-Leach-Bliley Act of 1999, which
allows financial institutions to share customer data with affiliated companies, opened the floodgates to the exchange of financial
information, some privacy experts say.
