Thwarting ID thieves


How he won, however, is really the story and, for the typical consumer who lacks Lazarus's wherewithal, a scary story, at that.

Lazarus, you see, is an investigative reporter for a major California newspaper. That means for ten years he had the time and resources to pursue the person who appropriated his Social Security number. That, of course, is a capability the overwhelming majority of the ten million Americans hit with identity theft each year lack.

ID theft is one of the fastest growing crimes today, and Lazarus's story points out the magnitude of the problem that victims face in getting their lives under control after they have been victimized. Yes, he nabbed the crook who stole his identity, who was subsequently convicted of mail fraud and deported from the U.S. But he did so only after numerous attempts to get the police and credit agencies involved. He was left with no other choice but to build the case against the miscreant himself.

There are two important points here. First, Lazarus's efforts went well beyond what the typical victim of ID theft can be expected to accomplish. Second, such detective work is a job many consumer advocates believe should be forced upon those who have taken on the role of judge, jury and hangman for our credit ratings. These, of course, would be the three major credit bureaus: Experian, Equifax and TransUnion. But each of the credit agencies has its own hoops that it makes victims of ID theft jump through, Lazarus says, and there is no single place for ID theft victims to go for help.

It is no wonder then that fewer than two percent of all ID thieves end up prosecuted for their crime. Lazarus, for one, says that most major U.S. financial institutions -- and especially the three credit agencies -- should be more proactive in helping consumers recover from ID theft.

Oh, yes, all the large banks, credit card companies and credit agencies offer voluminous tips to help customers protect themselves from ID theft. And the credit reporting services are more than eager to sell consumers fee-based products that monitor the very credit files those services maintain. But Lazarus believes such services come nowhere close to stopping ID thieves. After all, such criminals raked in $53 billion in ID theft and fraud proceeds from about ten million victims in 2004, according to Gartner Research and the Federal Trade Commission.

Such offerings also fail to shield organizations from the fallout. According to a November 2005 research report surveying 14 companies in 11 industries, conducted by Ponemon Institute LLC, a management practices research organization, the typical security breach cost a company between $477,950 and $52,500,800. The average number of records affected in the breaches studied was 99,667, and the total cost for a company to recover from a data breach averaged $14 million.

Bare minimum results

Consumers should not expect the situation to improve until there is an ID theft-related "watershed" event of such major proportions that it has the impact of the major corporate scandals of the late-1990s, says Fred Rica, a partner in the advisory practice at consulting firm PricewaterhouseCoopers. Rica says predicting when such an event will occur is impossible, but he is pessimistic that anything will change until it happens.

According to Rica, billions of dollars will have to leave the U.S. payment system before what he calls the "two Ls" -- litigation and legislation -- will force major changes, just as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA) finally did for corporate governance.

"That's what it will take to get organizations to react" to the problem of ID theft, he says. Until then, organizations of all stripes "will probably not do more than the bare minimum" required to protect consumer identity information, he believes.

Right now, that "bare minimum" is exactly that, and the U.S. Congress is working to water even that down, according to Mari Frank, an attorney and a privacy- and consumer-rights activist, who was also the victim of ID theft. While California was the first state to enact a law mandating that companies suffering a major security breach notify consumers whose data has been compromised, Congress is working on a national law that would weaken the California legislation, contends Frank.

While admitting that a national privacy and consumer protection law would be ideal, she says the proposed congressional legislation would give organizations hit by a security breach -- not an impartial third party -- the option of determining whether there is a possibility of ID theft.

"That's like letting the fox mind the hen house," she says.

Because of California's Consumer Privacy Law, which the state legislature passed in 2003, however, many companies have been forced to come clean about exposures. For example, ChoicePoint was forced to notify the 35,000 Californians on its list that identity information had been stolen. In this case, a crime ring posing as legitimate business professionals purported to be conducting background checks on customers whose information was provided to them by the data warehousing company. When the scam was unveiled, a public outcry forced the company to expand its alert to all consumers affected by the incident, a number that grew to about 165,000.

In recent months, other similar breaches have forced Los Angeles-based City National Bank, discount broker Ameritrade and Bank of America to reveal they had lost critical consumer data.

The latter two breaches should be particularly troubling to the typical enterprise, points out Lazarus. They both involved the loss of computer tapes containing personal data. In the Bank of America case, account information was lost on about a million federal workers. About 200,000 customers were affected in the Ameritrade case.

However, those kinds of breaches do not necessarily point out a lack of proper security policies at either company, cautions Gene Fredriksen, chief security officer and a vice president of technology risk management for Raymond James Financial Services, a national investment firm.

It's not necessarily a systems engineer who fouls up when these types of losses occur, he says. "It's more likely clerical people, those who transport tapes, who misplace such things. You have to change their mindset."

How a company can help

Fredriksen says that his company has been trying to find ways it can help itself and its customers avoid being victimized by identity thieves. The first defense: education.

"We realize that what is commonplace for those of us in the security field -- phishing, viruses, worms, trojans -- is not necessarily on the radar of our clients. So, we have to figure out ways to do education on multiple levels."

For example, his company's client briefings newsletter runs articles on the dangers of spyware or on steps to take against ID theft. The advice can be as simple as encouraging clients to shred important papers before throwing them away, watch statements for errors, or get regular credit reports, he says.

He also has members of his staff attend educational dinners that corporate financial advisors hold with clients.

"I will send one of my engineers out at our expense to partner with local law enforcement to do joint presentations to financial clients regarding ID theft. It's a big project and not cheap. But I offer that service at no charge to our financial advisors when they're having an event or client-facing days because I believe that's important," he says. "Last year we did about 30, and this year we'll probably conduct closer to 60 to 80."

Topics at these meetings run the gamut, he says. But one message is consistent: often ID thieves look for easy marks. They likely check mailboxes with raised flags for personal, identifiable information or sift through trash cans for unshredded financial records or credit card offers.

"We also talk to clients about watching credit reports and statements for unauthorized activity, being aware when their statements are supposed to arrive, and to raise an alert if they don't get them or don't receive a new card when the old one expires," he says. "And we talk about issues of social engineering, such as people who cold call pretending to be your bank."

Additionally, his company has partnered with the Federal Bureau of Investigation (FBI), universities and industry experts to hold identity theft briefings and conferences.

Sharing the burden

Lazarus has used his newspaper column as a pulpit in his effort to force financial organizations to take more responsibility in protecting consumers and helping them recover from ID theft.

"The three credit agencies need to be brought together into a central repository for consumer and ID theft victims to quickly, easily and expeditiously file complaints about ID theft and clean their credit history," he says.

"I think the Federal Trade Commission should take a far more active role in aggressively fighting fraud, and do everything possible to make the cleaning process painless for people without the wherewithal to deal with financial matters."

But he is also a realist and understands that this will not happen without the "two Ls," and thus says it is consumers who must take ultimate responsibility for their security.

For starters, he recommends that victims of ID theft take advantage of the credit watch services, "at least long enough to get the criminal out of your life. Most services provide quarterly reports, and that's sufficient and will give you some peace of mind."

For victims who want to get truly aggressive, he suggests contacting a computer savvy private investigator. He says these kinds of searches "take only an hour or two and won't cost an arm and a leg." But they allow the creation of a paper trail that consumers can then take to the police, postal service or FBI.

That is exactly how Lazarus got his guy. He did 90 percent of the legwork himself, putting together a file sufficient to interest U.S. Postal Service investigators. Eventually, they ran down the criminal and got a conviction.

A HEROIC TALE: Surviving cancer & ID theft

Eric Drew is lying in a hospital bed, feeling like his body has been doused with gasoline, as he describes it, when the credit card letters start pouring in.

Only ten days earlier, the 36-year-old Los Gatos, Calif. resident had arrived at Seattle Cancer Care Alliance, following a grueling eight months of chemotherapy and radiation in Stanford, Calif. It was September 2003, and Drew -- once a strapping runway model and global software consultant -- was expecting to die from leukemia.

He quickly shrugged off the bank letters he was receiving, which thanked him for opening lines of credit, as clerical errors. What would a man on the brink of death want with four new credit cards?

"I had closed all of my accounts before I got to Seattle in preparation of possibly dying," Drew says. He was eventually saved from certain death in 2004 by a cutting-edge cord blood stem cell transplant.

Not long after he received the letters, the telephone calls started. Debt collectors were on the other end of the line, informing Drew he had failed to meet scheduled payments.

A Silicon Valley executive, Drew certainly was not broke. He was, however, a victim of the nation's fastest growing crime: identity theft.

After receiving little help from authorities, credit agencies and government bureaus, Drew chose to put on the detective hat himself. Against family and doctors' wishes, he was fitted with a backpack that pumped him with intravenous medicines, allowing him to venture outside the hospital.

He had already ordered detailed credit reports, which supplied him with local addresses where the credit card statements were being sent.

At the addresses, Drew found credit card mail in his name and had the letters re-directed to him at the hospital. He learned in which stores the suspect had made fraudulent purchases, totaling about $11,000.

Drew interviewed merchants who remembered seeing someone but refused to furnish him with any videos. That is when Drew sent out press releases ridiculing local authorities for their lack of assistance.

A local NBC reporter picked up the story, lending Drew credibility and generating publicity. Soon, the reporter obtained a copy of videotape showing the thief making fraudulent purchases.

It was not long before the suspect was identified as Richard W. Gibson, a lab technician working at the hospital in which Drew was a patient. In November 2004, Gibson was sentenced to 16 months in prison, the first conviction under the federal Health Insurance Portability and Accountability Act. No charges were pursued against the hospital.

After an estimated 3,000 hours of work and $5,000 in attorneys' fees, Drew has been exonerated by the major credit reporting agencies.

But companies must do their share, he says, suggesting they protect their clients and employees by maintaining proper firewalls and storing confidential data on offline computers. Drew also recommends enterprises only permit people who have passed background checks to have access to sensitive information.

-- Dan Kaplan

CORPORATE CAN DO: Steps to take

Companies can do a considerable amount to help protect the identity-related data they house:

Require background checks of employees who have access to key data and data warehouse resources. These should include workers in human resources with access to employee records or IT with administrator rights.

Give law enforcement officials the ability to determine potential leaks by maintaining audit trails of who accesses what.

Personal information -- Social Security numbers, credit cards, student IDs and drivers' licenses -- should not be used as personal identifiers. (California has passed legislation making this practice illegal.)

Require that every address change be confirmed before it takes effect. This eliminates one key tactic of identity fraudsters, who open a new account with the victim's real address and then immediately change the address to their own.

Implement smart location-based fraud-detection systems, which overcome the weaknesses inherent in magnetic-stripe-card technology. The latter are prone to so-called card-skimming, used by criminals to collect credit card information at gas pumps, automated teller machines and other retail terminals.

Financial services providers should end their reliance on data tapes, replacing them with electronic transmission of encrypted data. Always encrypt data when you cannot avoid using tapes.

The major credit card companies should more stringently enforce the Payment Card Industry (PCI) data-security standard. "There is still too much confusion about the standard and how to comply with it -- confusion that is increased by seemingly unequal treatment of different types of retailers, such as Sam's Club, and processors, such as CardSystems," says Avivah Litan, an analyst with research firm Gartner.

Educate and train. That is, educate consumers and employees on the dangers of ID theft and how to avoid it. Train non-IT employees on safe data-handling practices, including the transportation of tapes or other devices, such as laptops and PDAs, that house personal or proprietary information.

--Jim Carr
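The address-change control from the checklist above, as an added illustration that is not from the article or from any of the firms it quotes: a requested change is held, a confirmation notice goes to the address already on file, and a change requested soon after account opening is additionally flagged for review. The 60-day window, the account data and the fraud scenario are constructed for the example.

```python
"""Added example: confirm-before-apply handling of mailing-address changes."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumption for the example: changes this soon after opening get extra review.
NEW_ACCOUNT_WINDOW = timedelta(days=60)


@dataclass
class Account:
    account_id: str
    opened: date
    address: str                          # address statements are mailed to
    pending_address: Optional[str] = None  # requested change awaiting confirmation
    notices: List[Tuple[str, str]] = field(default_factory=list)  # (recipient, text)
    review_flags: List[str] = field(default_factory=list)


def request_address_change(acct: Account, new_address: str, requested_on: date) -> str:
    """Hold the new address; the confirmation goes to the *current* address only."""
    acct.pending_address = new_address
    acct.notices.append((acct.address, f"Confirm change of address to {new_address}"))
    if requested_on - acct.opened <= NEW_ACCOUNT_WINDOW:
        acct.review_flags.append("address change within new-account window")
    return "pending_confirmation"


def confirm_address_change(acct: Account, confirmed_by_old_address: bool) -> str:
    """Apply the change only if the holder confirmed it at the old address."""
    if acct.pending_address is None:
        return "nothing_pending"
    if not confirmed_by_old_address:
        acct.pending_address = None
        acct.review_flags.append("address change rejected by account holder")
        return "rejected"
    acct.address = acct.pending_address
    acct.pending_address = None
    return "applied"


def demo() -> Account:
    """Constructed scenario: account opened in the victim's name, then redirected."""
    acct = Account("A1", date(2005, 11, 1), "12 Victim Lane")
    request_address_change(acct, "99 Drop Box Rd", date(2005, 11, 3))
    confirm_address_change(acct, confirmed_by_old_address=False)
    return acct  # statements still go to 12 Victim Lane; two review flags raised


if __name__ == "__main__":
    print(demo())
```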
