Recent news events have highlighted individuals actively engaged in criminal pursuits using false identities to disguise themselves and conceal their unlawful acts.
It is a popularly held notion that using false personal information will conceal crimes by making identification more difficult. In the 1930s gang-related crimes were common in mid-America. One of the most notorious bandits, in an attempt to conceal his true identity, adopted an alias and went so far as to have a questionable physician surgically remove the skin from the tips of his fingers and paint acid over the wounds in an attempt to destroy his fingerprints. After suffering excruciating pain, Alvin Karpis discovered his fingerprints healed through the scars and were distinguishable again. After his conviction, he served a few decades in prison.
In today's world, few bandits want to undergo such extreme physical measures. Instead, they spend countless hours retrieving personal and financial data from compromised computer systems, the Internet, unattended offices, unlocked mailboxes and unshredded trash, with the intention of using it or selling it to other thieves. Information such as complete names, addresses, financial account numbers, identifying numbers such as Social Security numbers or national identity numbers, dates of birth, tax records, canceled checks, credit card statements, and places of birth, are the most collected items.
Leaked information is often available in transportation terminals, in the workplace, and in the home office. Work stations, PDAs and laptops, left unattended may contain valuable information for the identity thief. Imagine the amount of proprietary and personally significant information deposited on a traveler's laptop or PDA taken from a train station, airport terminal or hotel lobby. Contained in an unsecured computer file is the bank name, account number, PIN, and account name of an employee who takes a few minutes during the workday to handle her banking business online. It doesn't take a detailed knowledge of computer architecture to retrieve passwords, logons, and auto-complete information from operating systems files. Password crackers are freely available, making short work of brute-forcing passwords while file restoration applications may retrieve valuable deleted files. In a few minutes, unsecured workstations, PDAs or laptops may yield enough information for someone to go on a spending spree that will take months for the victim to rectify.
It's often the case that identity thieves go to the trouble of obtaining photograph-bearing identity cards such as driver licenses or national identity cards, enhancing the credibility of their assumed identity. As soon as credit is established in the new identity, the spending begins. Thieves are mindful not to connect their purchases to their actual addresses so a series of mail-drop addresses are employed. Depending upon the ambition of the bandit, she may decide to frequently change addresses and telephone numbers, offering excuses to creditors that due to recent personal changes the billings haven't arrived yet. These tactics extend the life of the fraud and maximize the fruits of her scheme.
On a grander scale, there are transient groups organized into cells. Each cell is headed by an individual who is responsible for directing the activities of his members. Several cells often enter a metropolitan area and follow a pre-determined plan of action where pilfered personal information is disseminated to the members who are given formal instructions as to the type of personal identification they are to acquire and the accounts they are to open. Cell members are not aware of the activities of the other cell members, and only have contact with their leader. If anyone is challenged, they merely exit the business and aren't seen again. Once a phony identity is discovered, the subject is issued another, and the process is started again. Online purchasing is done through publicly accessible Internet connections. When they are discovered by the business community or law enforcement agency, they merely disappear and reappear in another city using new identities.
Businesses aren't helpless in discovering and prosecuting persons who are perpetrating identity crimes. In the information security field, there's an old saying: Something a person possesses, something a person knows, or a physical characteristic about that person, can establish authentication. When a person applies for credit, frequently the requested credit report reflects previous residence addresses; asking the applicant their past addresses can help authenticate their identity. On some forms of identification such as national identity cards, drivers' licenses, library cards, the issue dates are recorded on them. If while reviewing the identity information it is discovered that the issue dates are very close together, more qualifying questions should be asked of the candidate. Credit candidates should be asked to provide non-traditional sources of identification such as christening documents, school transcripts, last year's pay stubs, rental contracts, utility bills, etc. Certified copies of the requested identity authentication documents can be delivered to the credit agency, supporting the candidate's application.
In the case of banks cashing questionable checks drawn on other institutions, many have recently adopted the policy that the customer must provide a fingerprint on the endorsed check before cashing. Tellers direct these customers to a small pad containing a colorless liquid, upon which the customer places their index finger. Subsequently, a fingerprint is deposited on the check near the endorsement. This practice permanently connects the customer to their check. In many communities, the rate of fraudulent checks has dropped significantly just by requesting fingerprints of customers with questionable checks.
Information contained in networks and stand-alone computers must be secured by physical controls and access security measures. Security controls are defined by formal company policy with compliance assured by audit practices. Workstations, laptops and PDAs containing sensitive information should be secured by locks, passwords, smartcards, tokens, biometric access devices or encrypted hard drives. Credit applicants having suspicious or incomplete documentation should be requested to provide accurate recollections of previous events, and non-traditional personal history documentation.
Alan B. Sterneckert, CISSP, CISA, CFE, is a supervisory special agent, Federal Bureau of Investigation.