Invasion of the Identity Snatchers, Part Two

Though identify theft is growing precipitously, the problem isn't untenable. Fraud examiners need to know current statistics and methods so they can fight this insidious crime. 

(Editor's note: This article is derived from a paper prepared under the auspices of the Association's Research Committee. The members of that committee, chaired by David S. Partridge, CFE, CFSSP, were: Dr. Thomas Buckhoff, CFE, CPA; Dr. Craig R. Ehlen, CFE, CPA; Marikay Hines-Corcoran, Esq., CFE; Michael J. Flores, CFE, IIA, ISACA; Dr. Robert E. Holtfretter; John Langione, CFE, CIA, CLU; Scott B. Moritz; Kent Smalley, J.D., CFE, CCP; Donna Ingram, CFE, CPA; and Dr. Debra E. Ross.)

After reviewing identity theft statistics in the July/August issue of The White Paper, we'll now further study how thieves worm their ways into unsuspecting lives.

From the Postal System 

• Thieves steal bank and credit card statements, pre-approved credit offers, telephone calling cards, and tax information from mailboxes.
• Thieves submit false change-of-address forms to divert mail to locations of their choices.
• When mail is delivered to places where others have ready access to it, criminals simply intercept and redirect the mail to other locations.
• Postal employees or others steal mail from mail processing areas.
• Thieves steal envelopes containing bills and checks from mailboxes.

From Purchase of ID Information 

From people with access:

Criminals buy personal information from "inside" sources. For example, identity thieves may pay store employees for information that appears on applications for goods, services, or credit.

In March 2001, the U.S. Attorney's Office in the Southern District of Texas announced the sentencing of two former employees of the Houston Office of the Social Security Administration (SSA) after their convictions for conspiring to defraud the SSA between January 1998 and May 1999. During their plea agreement, the perpetrators admitted entering personal information from social security applications into the SSA computer database that caused social security cards to be issued to more than 200 individuals who weren't authorized to receive the cards. The fraudsters also admitted to obtaining personal background information from the SSA computers and providing that information to others to help them commit credit card and immigration fraud.1

From thieves:

Thieves steal personal information from purses and wallets and sell it to accomplices who use the information to purchase merchandise and services.

From credit bureaus:

Crooked proprietors of Web sites sell social security numbers (SSNs) and accompanying information from SSN applications. Credit reporting agencies sell this information, as part of "credit headers," to information brokers. Credit headers include names and name variations, current and former addresses, telephone numbers (including unlisted numbers), years and months of births, and SSNs.

From Information Provided By the Consumer  

Given knowingly:

• Wait staff obtain diners' names and credit card numbers from credit card slips.
• Employers or government agencies obtain personal information from citizens' submitted forms.
• Consumers willingly provide SSNs without asking how the information will be safeguarded.
• Employees or students provide SSNs as ID numbers.
• Employees display their SSNs on work badges.
• Consumers include SSN or driver's license numbers on their personal checks.
• Thieves obtain information from a "Who's Who" guide.
• Dishonest employees, who have access to computer terminals connected to one of the credit-reporting agencies or personnel records, obtain personal information including SSNs.
• Thieves fraudulently obtain credit reports by posing as landlords, employers, or others who may have a legitimate need for - and a legal right to - the information.
• Pre-texting "social engineers," posing as life insurance representatives, call the surviving kin of recently deceased people. They offer benefits in exchange for detailed personal information on the dead relatives.
• Hours after stealing a wallet or purse, the thief calls the victim and pretends to be an employee of the victim's financial institution. The thief asks the victim to verify the account number, PIN number, banks frequented, and number of accounts.

Given unknowingly:

• Thieves steal wallets and purses containing identification, and credit, bank or insurance cards.
• Thieves "dumpster dive" in trash receptacles to find personal data from mailed applications for pre-approved credit cards and mailed catalogs that contain names, addresses, and account numbers.
• "Shoulder surfers" steal telephone calling card or credit card numbers by lingering near victims at pay phones as they reserve hotel rooms or rental cars.
• Relatives or friends, roommates, household workers such as health care givers, and spouses going through a divorce have access to others' personal effects. In one case, a fraudster, posing as a home health care worker, would gain the trust of the family members of a disabled individual and then steal the identity of that person.

Federal Laws Attacking Identity Theft  

The U.S. Gramm-Leach-Bliley Act (GLB Act) of 1999 mandates that financial institutions establish in-house "privacy" policies to inform their consumers how they intend to use private information obtained in the course of financial transactions. Each privacy policy has to include (1) the financial institutions that have access to the information, (2) if that information will be "shared" with an institution's subsidiary organizations and, most important; (3) whether that information will be sold to other financial firms. Additionally, the GLB Act requires that each in-house privacy policy offers consumers the option of "opting out," which means that the financial institution in some way will inform consumers that they have a right to refuse to allow dissemination of their private information.

Section 521(a) of the GLB Act prohibits pretexting or pretext calling - obtaining or attempting to obtain customer information of a financial institution relating to another person by fraud or misrepresentation.2

The U.S. Identity Theft and Assumption Deterrence Act of 1998 strengthens the criminal laws governing identity theft by amending Title 18 U.S.C. § 1028 to make it a federal crime to "knowingly transfer, or use, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law."3

The act also contains provisions on the needs of identity theft victims. It provides direction to the Federal Trade Commission (FTC) to establish procedures to: (1) log the receipt of complaints by victims of identity theft; (2) provide identity theft victims with informational materials; and (3) refer complaints to appropriate entities, including the major national consumer reporting agencies and law enforcement agencies.4 Prior to passage of the act, financial institutions, rather than individuals, tended to be viewed as the primary victims of identity theft. Setting up an assistance process for consumer victims is consistent with one of the act's stated goals: to recognize the individual victims of identity theft.

Under the act, the FTC is charged with creating and maintaining a central clearinghouse for identity theft complaints. The GLB Act also charges the FTC and other agencies with ensuring that financial institutions protect the privacy of consumers' personal financial information.5

Therefore, the FTC has created Consumer Sentinel, a Web-based consumer complaint database and law enforcement investigative tool. Consumer Sentinel is the repository for a variety of complaints via the FTC's Consumer Response Center (CRC), which processes both telephone and mail inquiries and complaints. Potential fraud cases, including identity theft, can also be electronically reported directly to the CRC and the fraud database at www.ftc.gov.

The Consumer Sentinel also receives information from a variety of public and private institutions, including local offices of the Better Business Bureau, the National Consumers League's National Fraud Information Center, and Project Phonebusters in Canada. A U.S. postal inspector manages the program and the U.S. Postal Inspection Service recently signed an agreement to begin sharing consumer complaint data from its central fraud database with Consumer Sentinel.

The FTC provides free secure access to this data through the Internet to more than 300 U.S., Canadian, and Australian law enforcement organizations including the U.S. Department of Justice, U.S. attorneys' offices, the Federal Bureau of Investigation, the Securities and Exchange Commission, the U.S. Secret Service, the U.S. Postal Inspection Service, the U.S. Internal Revenue Service, the offices of all 50 U.S. state attorneys general, local sheriffs and prosecutors, the Royal Canadian Mounted Police, and the Australian Competition and Consumer Commission.

The FTC has expanded Consumer Sentinel to encompass the Identity Theft Data Clearinghouse, another FTC service, which law enforcement agencies use to share identity theft data and spot criminal patterns.6 Identity theft victims can call the toll-free telephone number, 1-877-ID THEFT (438-4338), to report crimes and receive advice. Counselors enter the victims' information into the clearinghouse, which immediately makes the information available, through the Consumer Sentinel Web site, to 174 participating domestic law enforcement agencies.

Detailed information from the complaints received on the FTC's identity theft hotline is entered into the FTC's Identity Theft Data Clearinghouse, which began operating in October 1999. In 2001, Sentinel received 204,334 complaints of which 42 percent or 85,820 were in the identity theft area. (See Figure at top of page.) The FTC says it will disseminate complaint information through customized reports for the specific needs of the clearinghouse's law enforcement partners. The clearinghouse information provides policy makers with a sense of the extent of identity theft activity and the forms it's taking (e.g., credit card versus phone fraud, latest scams, etc.).

How Government Agencies and other Groups can Help  

Most identity thieves are successful because the SSN is commonly used to allow access to a myriad of personal records. Only increased SSN security and reliance on alternative means of identity validation will reduce identity theft. Following are some steps various groups and organizations can take (many of the methods can be used by multiple groups):

Government Agencies  

• Create a national database of state drivers' licenses.
• Use biometrics such as iris recognition.
• Remove birth certificates from public records and Internet sites.
• On the federal level, consider if certain items of highly sensitive personal information, such as SSNs, need to be included in public record data such as bankruptcy documents. This information invariably finds its way to Web sites.

Banks  

• Eliminate the printing and use of SSNs on pay checks, bank statements, and other financial documents.

Postal Service  

• Mail "move validation" letters as a secondary step to confirm changes in address.
• Enforce pre-sort mail security standards.
• Implement computerized mail-theft reporting device to and develop trends, as well as identify "hot spots."

Credit Card Companies and Credit Agencies 

• Perform more secondary identity confirmation steps and mail follow-up letters to consumers who have requested credit cards to make sure they received the cards.
• Eliminate pre-approved credit mailings.
• Use an issuers' clearinghouse when processing applications for credit cards.
• Issue tighter fraud alerts at credit agencies.
• Improve communication among credit agencies and give them easier ways to report identity theft.
• Notify consumers if creditors receive change-of-address requests or requests for additional cards regarding the customers' accounts at other addresses.
• Include photographs on all credit cards to prevent fraudulent use.
• Upon request, provide consumers with one free credit report per year.
• Develop better ways to verify the identities of con sumers before issuing new credit cards or duplicate cards to new addresses.
• Stop sharing consumers' personal financial information with affiliated companies or selling it to unaffiliated third parties unless affirmative consent is obtained up-front (opt-in).
• Ensure that credit card processing at restaurants and retail establishments generates transaction receipts that omit the full credit card number used for the transactions.
• Provide ready and inexpensive access to credit information. Current federal law permits the consumer to obtain credit record information for $8.50 per year.

Businesses and Other Organizations 

• Limit data collecting and adopt privacy policies.
• Conduct staff training and employee background checks that include SSN validation, criminal checks, credit checks, and motor vehicle records.
• Mail follow-up confirmation letters to customers' old and new addresses after receiving change-of-address requests and confirm with the USPS.
• Rely less on SSNs and drivers' licenses as sole sources in verifying identities.
• Use informed consent to secure an individual's private information.
• Conduct more employee background checks.
• Work with the U.S. Secret Service to expose organized criminal gangs.
• Issue security alerts to customers and launch broader programs so they'll understand the importance of identity theft.
• Treat customers who have been victimized by identity theft with respect and empathy.
• Continually monitor various life cycles of credit accounts at consumer stores to identify unusual activity.
• Give victims an easy way to report identity theft.

Federal Trade Commission Cases 

The FTC has brought one law enforcement action that directly confronted identity theft, FTC v. Jeremy Martinez d/b/a Info World.7 The FTC complaint alleged that Jeremy Martinez, doing business as Info World, maintained Web sites that sold 45 days of access to fake ID templates for $29.99. The site contained "high quality" templates to use in creating fake driver's licenses from 10 states. It also offered a birth certificate template, programs to generate bar codes - required in some states to authenticate drivers' licenses - and a program to falsify SSNs.

The complaint alleged that Martinez was deliberately marketing his site to consumers who were surfing the net to find fake ID documents. Web sites use meta-tags - hidden words that help search engines identify and index site content. Martinez's Meta-tags included "illegal id," "fake id fraud," and "forging documents," according to the FTC complaint.

The FTC charged that selling the fake ID templates violated Section 1028 of the U.S. Code and that by providing false identification templates to others, Martinez provided the "means and instrumentalities" for others to break the law. Immediately after the FTC's filing of the complaint, the court issued a temporary restraining order (TRO) halting the alleged illegal activity, and then a stipulated preliminary injunction continuing the relief granted in the TRO. On May 17, 2001, the court approved Martinez's stipulated settlement with the FTC that permanently bans him from selling false identification documents or identification templates, or assisting others in doing so. The settlement also permanently bars Martinez from providing others with the means and instrumentalities with which to make any false or misleading representations that conceal or alter a person's identity, or that falsely signify that a fake document is real. The stipulation also requires Martinez to pay back $20,000 in illegal earnings from the scheme. The settlement provides an "avalanche" clause making Martinez liable for more than $105,000 if he misrepresented his financial condition to the FTC.

The FTC staff, during "Operation Detect Pretext," first identified the defendants in the Martinez case as possible pretexters when it screened Web sites and print media advertisements to identify firms that offered to obtain and sell asset or bank account information to third parties. The FTC notified these firms that their practices must comply with the anti-pretexting provisions of the Gramm-Leach-Bliley Act. The FTC set up a sting operation to confirm that the three defendants were actually providing the illegal pretexting services they advertised on their Web sites. As a result of these efforts, the FTC filed complaints alleging that the defendants - for fees ranging from $100 to $600 - would obtain bank account balances by calling a bank and pretending to be customers.8

How State and Federal Representatives can Help  

• Prohibit any person or entity, or state or local agency, from (1) requiring any person to provide his or her SSN, and (2) from using any person's SSN for identification purposes, except for social security, tax, credit, or law enforcement purposes.
• Require financial institutions to obtain customers' written consents before sharing or selling their personal information to outside companies or affiliates.
• Require departments of motor vehicles to develop better ways to verify the identity of people who request duplicate or renewal licenses beyond just comparing photographs on record to the person's visual appearance.
• Provide consumer guidance for mitigation management in the case of identity theft, such as the FTC's handbook on identity theft and ID theft affidavits. The FTC provides an online copy of its handbook on identity theft at www.ftc.gov/bcp/conline/
  pubs/credit/idtheft.htm. This site provides information on how to report identity theft, related state and federal laws, and a list of resources to assist victims.

Identity theft can be devastating to its victims. Unlike some crimes, this fraud scheme can continue to haunt its victims for years. Some will never know how or where crooks will use their identities to commit crimes.

While many cases are reported to local law enforcement agencies, these groups often lack the jurisdiction or resources to investigate and prosecute cases. These identity fraudsters can only be pursued and prosecuted through a concerted and cohesive effort by local, state, and federal agencies.

John Langione, CFE, CIA, is a senior manager with Ernst & Young's New York office. Dr. Craig Ehlen, CFE, CPA, is professor of accounting at the University of Southern Indiana. Dr. Robert E. Holtfreter is Distinguished Professor of Accounting & Research at Central Washington University. Dr. Thomas Buckhoff, CFE, CPA, is EideBailly Professor of Forensic Accounting at North Dakota State University. Amy Southwood recently received her master of science degree in accountancy from the University of Southern Indiana. She is a staff accountant at Harding Shymanski & Company in Evansville, Ind.  

1 Press release dated March 30, 2001 by Mervyn M. Mosbacker, United States Attorney, Southern District of Texas.

2 Subtitle B of the Gramm-Leach-Bliley Act provides for both civil and criminal penalties for pretexting or for soliciting others to pretext. 15 U.S.C. §§ 6821, et seq. The Federal Trade Commission only has civil enforcement authority. Subtitle B also directs the Federal Trade Commission to report annually to Congress on the disposition of all enforcement actions. The FTC issued its first annual report on Jan. 12, 2001.

3 18 U.S.C. § 1028(a)(7). The statute further broadens "means of identification" to include "any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual," including, among other things, name, address, social security number, driver's license number, biometric data, access devices (i.e., credit cards), electronic identification number or routing code and telecommunication identifying information. The Identity Theft and Assumption Deterrence Act created a new offense of identity theft, which "prohibits knowingly transfer[ring] or us[ing], without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law." Crimes covered in the act include identification fraud (18 U.S.C. § 1028), credit card fraud (18 U.S.C. § 1029), computer fraud (18 U.S.C. § 1030), mail fraud (18 U.S.C. § 1341), wire fraud (18 U.S.C. § 1343) or financial institution fraud (18 U.S.C. § 1344). All of these federal offenses are felonies that carry fines, criminal forfeiture, and imprisonment up to 30 years.

4 Prepared statement from www.ftc.gov of Charles Harwood, director, Northwest Region, FTC, before the Committee on Labor, Commerce and Financial Institutions, Washington State Senate, Olympia, Wash., Jan. 29, 2001. See S. Rep. No. 105-274, at 4 (1998).

5 15 U.S.C. §§ 6801-6809. In addition to the FTC, the Federal banking agencies, the National Credit Union Administration, the Treasury Department, and the Securities and Exchange Commission have responsibilities under the Gramm-Leach-Bliley Act.

6 FTC staff works with the Identity Theft Subcommittee of the Attorney General's Council on White Collar Crime to coordinate law enforcement strategies and initiatives. FTC staff also coordinates with staff from the Social Security Administration's Inspector General's Office on the handling of social security number misuse complaints, a leading source of identity theft problems.

7 FTC v. Jeremy Martinez d/b/a Info World, No. 00 Civ 12701 (C.D. Cal. Dec. 5, 2000). See, also, FTC v. J.K. Publications, Inc., et al, 99 F. Supp.2d. 1176 (C.D. Cal. April 10, 2000)(granting summary judgment for the FTC in case alleging that defendants obtained consumers' credit card numbers without their knowledge and billed consumers' accounts for unordered or fictitious Internet services), later proceedings at FTC v. J.K. Publications, Inc., et al, 99 Civ 00044 (C.D. Cal. Aug. 30, 2000)(final order awarding $37.5 million in redress); FTC v. Rapp, No. 99-WM-783 (D. Colo. filed April 21, 1999) (alleging that defendants obtained private financial information under false pretenses)(Stipulated Consent Agreement and Final Order entered June 23, 2000).

8 Prepared statement of Charles Harwood, director, Northwest Region, FTC before the Committee on Labor, Commerce and Financial Institutions, Washington State Senate, Olympia, Wash., Jan. 29, 2001. Reference made. See S. Rep. No. 105-274, at 4 (1998).

Appendix 

Identity Theft Protection and Detection Services 

Following are the Web sites of some vendors which provide identity theft protection and detection services: www.econsumer.equifax.com, www.privista.com, www.newstartsecondchance.com, www.creditreporter.com, www.greatwebinfo.com, www.creditreporting.com, www.truecredit.com, www.accnet.com, and http://personalinfomediary.com.

Credit Bureaus 

Following is information on the three major credit bureaus:

Equifax, www.equifax.com
To order a report, call 800-685-1111 or write P.O. Box 740241, Atlanta, GA 30374-0241. To report fraud, call 800-525-6285 and write to the same address.

Experian, www.experian.com
To order a report, call 888-EXPERIAN (397-3742) or write P.O. Box 2104, Allen, TX 75013. To report fraud, call the same number and write P.O. Box 9532, Allen, TX 75013

Trans Union, www.tuc.com
To order a report, call 800-916-8800 or write P.O. Box 1000, Chester, PA 19022. To report fraud, call 800-680-7289 and write Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92634.

Deleting Names from Direct Marketing Lists 

The Direct Marketing Association's (DMA) mail, e-mail and telephone preference services allow consumers to "opt out" of direct mail marketing, e-mail marketing and/or telemarketing solicitations from many national companies. Deleting names from lists also bars them from selling these names to other companies.

To remove names from many national direct mail lists, write: Direct Marketing Association, P.O. Box 9008, Farmingdale, NY 11735-9014 or Preference Service Manager, Direct Marketing Association, 1120 Avenue of the Americas, New York, NY 10036-6700. Via fax, send to (212) 790-1427. To remove your e-mail address from many national direct e-mail lists, visit www.e-mps.org.

To avoid unwanted phone calls from many national marketers, send your name, address, and telephone number to DMA Telephone Preference Service, P.O. Box 9014,
Farmingdale, NY 11735-9014. For more information, visit www.the-dma.org.

Ways to Avoid Giving Out Unnecessary Personal Information

• Don't have SSNs or driver's license numbers printed or handwritten on checks.
• Only list names and numbers and no addresses in the telephone book white pages.
• Never provide personal information (credit card number, driver's license number, SSN, birth date, mother's maiden name) over the phone unless you've initiated the call and know to whom you are speaking.
• Don't allow sales clerks to copy credit card numbers on checks for additional information or to use credit cards as identification.
• Avoid giving credit card numbers over the phone if in a public place.
• Avoid using a SSN as a driver's license number.
• Don't sign up for unfamiliar contests or sweepstakes.
• Never post personal information on an Internet chat room.
• Don't provide information that isn't required.
• Never give anyone online passwords.

Other Ways to Protect Personal Information 

• Ask banks to require personal passwords of anyone accessing accounts.
• Delete names and addresses from marketers' lists.
• Call one of the credit agencies to remove names from lists sold to companies offering pre-approved credit cards.
• Ask stores how they safeguard credit applications. Ensure the applications are treated as secure documents.
• Use a credit card instead of a debit card; debit cards don't have maximum liability for fraudulent use.
• Sign credit cards in permanent ink as soon as they're obtained.
• Don't sign a blank charge slip. Draw a line through all areas for recording charges above the total.
• If a supposed government agency is making an offer, find the phone number in the blue pages of the telephone book, and call the agency to make sure it's valid.
• Before giving information ask how it will be used. For instance, supermarket scan cards enable special sale prices but the store could be selling purchasing histories.
• Use caller ID or an answering machine to screen your calls.
• Consumers should talk about privacy concerns with their children and other household members.

State Laws Related to Privacy and Identity Theft 

Alabama 2001 Al. Pub. Act 312; 2001 Al. SB 144
Alaska 2000 Alaska Sess. Laws 65
Arizona Ariz. Rev. Stat. § 13-2008
Arkansas Ark. Code Ann. § 5-37-227
California Cal. Penal Code § 530.5-530.7
Colorado Colo. Rev. Stat. § 18-5-102
Connecticut 1999 Gen. Stat. § 53(a)-120(a)
Delaware Del. Code Ann. tit. II, ß 854
Florida Fla. Stat. Ann. § 817.568
Georgia Ga. Code Ann. §§ 16-9-121
Idaho Idaho Code § 18-3126
Illinois 720 III. Comp. Stat. 5/16G
Indiana Ind. Code Ann. § 35-43-5-4 (2000)
Iowa Iowa Code § 715A.8
Kansas Kan. Stat. Ann. § 21-4018
Kentucky Ky. Rev. Stat. Ann. § 514.160
Louisiana La. Rev. Stat. Ann. § 14:67.16
Maine Me. Rev. Stat. Ann. § tit. 17-A, ß 354-2A
Maryland Md. Ann. Code art. 27, § 231
Massachusetts Mass. Gen. Laws ch. 266, § 37E
Michigan Mich. Comp. Laws § 750.285
Minnesota Minn. Stat. Ann. § 609.527
Mississippi Miss. Code Ann. § 97-19-85
Missouri Mo. Rev. Stat. § 570.223
Montana H.B. 331, 2001 Leg. (not yet codified)
Nevada Nev. Rev. Stat. § 205.463-465
New Hampshire N.H. Rev. Stat. Ann. § 638:26
New Jersey N.J. Stat. Ann. § 2C:21-17
North Carolina N.C. Gen. Stat. § 14-113.20
North Dakota N.D.C.C. § 12.1-23
Ohio Ohio Rev. Code Ann. 2913.49
Oklahoma Okla. Stat. tit. 21, § 1533.1
Oregon Or. Rev. Stat. § 165.800
Pennsylvania 18 Pa. Cons. State § 4120
Rhode Island R.I. Gen. Laws § 11-49.1-1
South Carolina S.C. Code Ann. § 16-13-500, 501
South Dakota S.D. Codified Laws § 22-30A-3.1.
Tennessee Tenn. Code Ann. § 39-14-150
Texas Tex. Penal Code § 32.51
Utah Utah Code Ann. § 76-6-1101-1104
Virginia VA. Code Ann. § 18.2-186.3
Washington Wash. Rev. Code § 9.35.020 (click on title 9, then chapter 35)
West Virginia W. Va. Code § 61-3-54
Wisconsin Wis. Stat. § 943.201
Wyoming Wyo. Stat. Ann. § 6-3-901
Guam 9 Guam Code Ann. § 46.80
U.S. Virgin Islands 14 VI Code Ann. §§ 3003