Regular readers of SC's Opinionwire will recall me wibbling on about how credit and debit card issuers are moving steadily towards PIN-based authorization of transactions.
If you live in the U.K., you'll probably have noticed some curious PIN-pads on stalks being installed at a growing number of Post Offices while, elsewhere in Europe, similar systems are being installed at a number of bank branches. In the U.S., Visa and MasterCard are locked in a battle with the dozens of ATM networks that span the country, encouraging card users to continue using signatures over PINs for purchases, despite the fact that PINs are more secure.
Now the card issuers are worried about a new type of fraud - identity fraud.
My old sparring partner and mentor, Roy Norton, in the days when I used to be an auditor within the U.K. National Health Service, once told me that the key thing to remember about fraudsters is that they would almost always take the easiest path to financial gain. He was right too - time and time again, we found that fraudsters took the easy route to what they thought was riches, only to be caught out by routine security measures.
Now the card companies are starting to realize that, as they close the number of routes to credit and debit card fraud, organized crime is turning to ID theft as an alternative to transaction fraud. ID theft, in case you haven't come across it, involves amassing sufficient information about your victim to impersonate them, usually across the Internet and via postal mail, allowing you to open various credit lines such as credit cards, loan accounts and bank overdrafts.
The problem has reached terrifying proportions in the U.S. - a quick scan of the newswires revealed several dozen reports in local papers across the country in the last month. On CNN's American Morning program last Thursday (Oct. 17), Paula Zahn reported that the Federal Clearing House has concluded there were 700,000 cases of ID theft last year alone.
A week earlier, Abraham Abdallah, a 32-year-old New York busboy, pleaded guilty to what many experts are calling the biggest case of ID theft in Internet history. Abdallah pleaded guilty to a 12-count indictment that charged him with being part of a scheme to steal personal and financial data from Microsoft co-founder Paul Allen, investor Warren Buffett, movie director Steven Spielberg, and several others. The scamster reportedly used phones and computers in public libraries to steal credit records before his arrest in March of last year 2001.
Incredibly, he used the credit records to steal more than $80 million from individuals, companies and financial institutions. That's a lot of money, I hear you say. While making their client's plea, Abdallah's lawyers told the court that he was suffering from a compulsion disorder and was taking medication for depression.
It's kind of ironic that Abdallah's cases should come up right now, as New York is one the last states in the U.S. to enact a measure to define ID theft as a separate felony. Once the new law kicks in, only the state of Vermont will be left without a specific law on ID theft. The new legislation, signed by New York state governor George Pataki earlier this month, comes into force on Nov. 1, and creates three levels of ID theft, from misdemeanors to felonies, and sets a maximum prison sentence of seven years for the most serious offence. As well as imposing penalties, the new law also allows judges to order convicted thieves to repay their victims, who can also use the civil courts to recoup the cost of the damage done to their credit ratings.
The prospects of any one individual skimming another $80 million from the financial institutions of North America is pretty slim, of course, but $80,000 is much more likely. That's still big bucks when you compare it to the $2,000 or so that an organized criminal can skim from a single piece of plastic before the card account gets turned off.
According to a July report from Meridien Data (www.meridien-research.com), ID theft on both sides of the Atlantic is increasing dramatically, with the result that detecting and preventing this type of fraud is becoming a high priority at financial institutions. The Newton, Massachusetts-based research firm says that the problem is affecting virtually all the mature financial markets in the world, including most of Europe and North America.
Dennis Behrman, an analyst with the company and author of the report, says that anecdotal evidence clearly demonstrates that institutions have continued to grant ID thieves access to financial facilities - even after their victims have notified the authorities and placed fraud alerts on their financial record. Because of this, Behrman says that it is only a matter of time until the problem appears on the radar screens of public policy makers and they put pressure on the institutions to solve the problem. Without adequate attention and due diligence, he warns, ID theft will continue to spiral upwards to become so costly that the only solution to is to block access to certain services.
Behrman's report, entitled "ID Verification Solutions: a Floodlight on the Den of Identity Thieves," predicts that the lion's share of spending on ID verification systems over the next five years will be directed towards transaction fees from service providers. Consumer data, the study says, is the critical ingredient to identity verification, and that ingredient is currently being sold by volume.
The logical step, then, for the credit file companies, would be to stop selling their data by volume. This is a bit like asking Microsoft to stop selling operating systems and allied software - it's their lifeblood and just won't happen.
Fortunately for U.S. citizens worried about the problem, Equifax and The Motley have teamed up to launch a personal credit reporting center service (www.credit.fool.com). The idea behind the new service is to raise awareness among the millions of Motley Fool users about the importance of credit, educate them on how to improve their credit score and introduce them to Equifax's direct-to-consumer services.
Under the linkup, Equifax will be the exclusive sponsor of the center providing Motley Fool members access to the Equifax web site (www.equifax.com). The site features Equifax's range of personal credit service, including a credit report facility and an ID theft alert service called Credit Watch. Like a similar service from Checkmyfile.com (www.checkmyfile.com) in the U.K., Credit Watch involves Equifax sending customers a copy of their credit file (Equifax is one of the main U.S. credit file maintenance firms), along with alerts if anything untoward pops up.
In the U.K., yours truly has been a customer of Checkmyfile.com since the service launched in the summer of last year. In return for 40 pounds sterling or so, I get quarterly printouts and analyses of my entire credit files with the two main U.K. credit agencies, Experian and Equifax. The files are quite enlightening, although some U.K. card issuers, most notably Barclaycard, do not feed their credit files to either of the two companies, preferring instead to "do their own thing."
While this is hardly surprising, as Barclaycard is the largest U.K. card issuer, it does highlight a flaw in the ID theft watching services - if some financial institutions don't share their data, then you can bet your bottom dollar that savvy fraudsters will target those companies. I'm sure the fraud manager at Barclaycard in Northampton will be reaching for his phone to complain when he or she reads this, but that's the way I'd expect fraudsters to try and beat the system.
Steve Gold is news editor for SC Magazine (www.scmagazine.com)