, Washington Post 2002-12-03
You can take all the steps you want to protect yourself against identity theft: Guard your wallet, shred your personal financial papers before throwing them in the trash, monitor your credit reports.
But no matter how careful you are, you may not be able to avoid having your identity assumed by someone who wants to go on a buying spree, using your credit card, bank account, Social Security number or other personal data.That's because the nature of identity theft has changed and the threat today is more likely than ever to come from insiders -- employees with access to large financial databases who can loot personal accounts -- than from a thief stealing a wallet or pilfering your mail. Banks, companies that take credit cards and credit-rating bureaus themselves don't do enough to protect consumers, critics say.
"You can spend a lot of time and money trying to protect yourself," obtaining copies of your credit reports every three to six months, buying a credit-monitoring service to alert you when someone is making inquiries about your account or even buying identity-theft insurance, said Robert Gellman, a D.C. privacy consultant. "You can do as much as you can do, but it won't stop you from being a victim. There's nothing I'm aware of that will guarantee you not become a victim."
That fact was underscored last week when federal prosecutors announced that they had arrested and charged three people in connection with a scheme to steal the personal financial information of 30,000 Americans by downloading data from a computer and selling it to scam artists. The prosecutors said it was the largest case of identity fraud ever detected.
"There is a shift by identity thieves from going after single individuals to going after a mass amount of information," said Joanna Crane, identity-fraud program manager at the Federal Trade Commission. "There's an awful lot of bribery of insiders going on."
Law enforcement experts now estimate that half of all such cases come from thefts of business databanks as more and more information is stored in computers that aren't properly safeguarded. Security experts said the arrests illustrate how vulnerable business databases have become.
"Most companies aren't putting in the proactive steps," said Doug Barbin, a computer forensics consultant at Guardent Inc., a security firm. "It's seen as extraneous. Until it bites you, there's no incentive to do it."
National bank regulators have estimated that there are now half a million cases of identity theft a year. Privacy experts who specialize in identity theft say the number could be twice as high.
What is clear is that it's a growing problem. Beth Givens, director of the Privacy Rights Clearinghouse, said the identity-theft caseload of the Los Angeles County Sheriff's Department climbed to 4,149 cases last year from 2,119 cases in 2000. This year, she said, the department expects to process more than 6,000 cases.
At the federal level, complaints to the FTC have more than doubled, to 85,820 last year from 31,113 in 2000. For the first six months of this year, the agency received 70,000 complaints about identity theft. And 70 percent of the people who call the FTC have no idea how thieves got their personal information.
That was certainly the case for Kate South, 27, a business student at the University of Baltimore. The first sign of trouble came when Southwest Airlines told her in April that her credit card had been used to buy two tickets to the Midwest. When Southwest agreed to cancel the charge, South didn't give the incident much more thought.
In July, it happened again. This time Sears called. The retailer's fraud detectors had raised questions about a $1,000 credit line that South had allegedly opened and used to buy a $999 computer. This time, she got worried. She called the three major credit bureaus and got copies of her credit reports, and she found out that someone had racked up $50,000 in debt in her name -- buying a car, jewelry and a motorcycle and paying for gas service at a Florida apartment.
As South quickly learned, once an identity is stolen, it's not easy to clean up the mess. She has spent countless hours and hundreds of dollars trying to restore her good name and credit. Despite filing police reports, making lots of calls, and sending letters and faxes to the banks and credit card companies involved, the unpaid car loan remains on her credit report. As a result, she was turned down for a student loan she was counting on.
South says she finds it infuriating that the suspected thief, whom police and private investigators identified as black and in her forties, could so easily pose as a white woman 20 years younger. "It seems like a lot of this could have been prevented if people were doing their jobs," she said. "If they had made one phone call to me they could have stopped this."
South is also angry that the suspect hasn't been arrested and that when she reported the case to police in the District, where she was living at the time, they referred the complaint to the Secret Service. The police said the case was out of their jurisdiction, apparently because the city has no law against identity theft.
Several months of complaining and filing reports and affidavits with agencies including the Secret Service and the FTC are finally beginning to bear fruit. Chase Auto Loan, which financed the car purchase, recently agreed to clean South's record, and a different bank has agreed to give her a student loan.
"I never want to go through this again. . . . You feel like you're the one who did something wrong," she said.
Chase Auto Loan spokeswoman Charlotte Gilbert-Biro would not comment on the specifics of South's case, but she said the company has a policy of helping fraud victims clear their record. "We ask them to provide a notarized affidavit. Once we deem the claim to be legitimate, we try to do things as quickly as we can," she said. "We erase the debt, and we ask the credit bureaus to clean up the record."
Gilbert-Biro said car dealerships are responsible for verifying identities: "It is industry-wide practice that when a customer finances their car at a dealership, the dealer as the creditor has the responsibility to verify the identity of the individual. When we purchase the loan, we build in our own fraud detection." But, she said, "it's hard to be foolproof."
A spokesman for Sears said he could not comment on the case.
In the case that made headlines last week, a computer help-desk employee who had access to sensitive passwords from banks and credit companies allegedly downloaded personal information on 30,000 people over three years. Federal prosecutors said the employee then sold that data, including credit card numbers and checking-account information, to scam artists, splitting a fee of $60 per name with an accomplice. Authorities said they have turned up $2.7 million in losses to date and expect to find more.
"A lot of companies have gone to a lot of effort to protect themselves from being hacked, but it's a lot harder to stop a rogue employee," said James H. Vaules, head of the National Fraud Center Inc., a risk-management firm. "The accumulation of data through technology has outpaced our policies and procedures to protect it. The technology is there, but we're not using it."
"It should be more of a duty of the credit bureaus and businesses to ensure they are not disclosing your credit history to an impostor, but unfortunately the burden is unfairly on the individual to be on the lookout," said Evan Hendricks, editor and publisher of the Washington newsletter Privacy Times.
Several businesses are being created to respond to concerns about identity theft. Trans Union LLC is developing a credit-monitoring service that will alert customers when an account has been opened in their name. The two other credit bureaus, Experian Information Solutions Inc. and Equifax Inc., already have such a service. Experian's costs $79.95 a year; Equifax's, $69.95. Equifax's Credit Watch program also includes a $2,500 insurance policy in case you are a victim (after a $250 deductible).
Several independent firms provide similar services.
Jeffrey Junkas, a spokesman for Trans Union, said consumers do have some control over their own financial data. "They can opt out" of programs that allow financial institutions to share data, as well as those that allow credit card issuers to grant preapproved offers of credit. But, he said, "there has to be a free flow of information between businesses to keep the economy going. It's a fine line we have to balance."
Hendricks said that if consumers really want to be diligent, they can check their credit ratings at each bureau every three months -- it costs about $9 for each report. But even then, it won't stop identity theft. "It will just let you catch it early and let you stay ahead of the problem."
The only other thing you can do, he added, is "keep your fingers crossed that you don't get hit."
