Part 4: (Read part 3)
Something was very wrong at the Ford Motor Credit office in Grand Rapids, Michigan, during the early part of 2002. Thousands of credit reports had been slowly stolen from Experian through the automaker’s branch office. Most of the reports weren’t even run on Ford customers. Complaints started coming in from consumers who noticed unusual activity on their credit files. A trace showed the downloads had been going on for 10 months, since April 2001. The leaking data wasn’t discovered until February 2002.
Ford did the right thing, a few months later, once it determined a little more about what was going on. In May, it sent 13,000 letters to victims around the country explaining that their credit reports had been downloaded by a criminal, someone posing as a part of Ford Motor Company. Check your credit report, the letter said; you will likely become a victim of identity theft, if you aren’t already. Contact authorities if you are.
Reports began to flood in from victims, including one elderly woman who only had $1,000 in her bank account but discovered criminals had withdrawn $35,000 from it. The scope of the crime slowly became obvious. Someone had managed to crack the entire credit reporting system. Whoever it was, they could now download the financial history of anyone in the country and arm themselves with all the data they needed to commit massive frauds.
It was a highly organized effort. Whoever ordered the reports had carefully plucked out addresses in affluent neighborhoods all around the country. Upon discovering the leak, Ford changed the codes it used to order credit reports and shut down the criminals’ doorway into the credit reporting world from Grand Rapids. But that hardly put a dent in the crime. Whoever it was, they were still out there ordering credit reports. Another 6,000 credit reports were ordered from the Experian credit bureau by someone using the initials “M. M.” in the name of Washington Mutual Bank from March to May of that year.
But the criminals weren’t just picking on Experian. About 1,100 credit reports had been ordered for Washington Mutual through Equifax, a second credit bureau. They, too, were ordered by “M. M.” In May, “M. M.” moved on again, downloading thousands of credit reports while posing as several smaller companies: MGA Vintage Apartments in Houston, Texas; Dollar Bank in Cleveland, Ohio; the Sarah Bush Lincoln Health Center in Illinois. The FBI became actively involved in the case.
Months would pass before an investigator from Equifax called FBI Special Agent Kevin Barrows with an obvious break. During that delay the equal opportunity criminals continued to scoop up America’s financial secrets. In September, about 4,500 credit reports were ordered from the third of the major credit bureaus, TransUnion. This time, Central Texas Energy Supply’s account had been used to order the reports. Then on October 17, Barrows was told that telephone records had linked “M. M.” to a residence in New Rochelle, New York. Whoever ordered those credit reports was simply calling up Equifax’s 1-800 number for clients and ordering them from home. Six days later, FBI agents searched the New York home of Linus Baptiste, where they found five computers, a pile of credit reports, and a batch of documents bearing the names Equifax, TransUnion, and Experian. Baptiste immediately ratted out his alleged supplier.
Just like Abraham Abdallah, Philip Cummings was 32, overweight, with an odd mixture of smarts and sloppiness. An English immigrant, Cummings was black, over 300 pounds, and never amounted to much more than the telephone help-desk job he landed at tiny Teledata Communications, Inc. in Bayshore, New York, on Long Island in 1999. But the annoying hourly wage job turned out to be a goldmine, seemingly a license to print money, once Cummings made the right friends, authorities allege. Teledata makes “credit prompter boxes,” easy-to-use credit check terminals found at more than 25,000 companies around the country. The terminals make it simple for a car dealership, cell phone shop, or apartment rental office to perform routine credit checks.
As one of hundreds of third-party service providers hooked into the nation’s credit reporting system, Teledata had access to all the credit report data at Experian, Equifax, and TransUnion. And, Baptiste realized, so did Cummings. Simply by using the right codes, Cummings could impersonate almost any company authorized to obtain credit reports from the credit bureaus. He approached Cummings with an idea: I have friends, he said, a few dozen Nigerian friends, who would pay good money for credit reports. And you have codes that can enable us to commit identity theft on virtually anyone. They settled on a price: $60 apiece, split evenly. That set the market price for ruining someone’s financial history.
Eighteen months later, while the credit bureaus took their sweet time checking telephone records, Cummings and Baptiste had allegedly pulled off what authorities called the largest identity theft in history. Cummings wasn’t at Teledata long. He left in March 2000, after spending just a few months at the firm. But court documents say he left with what might as well have been a printing press from the U.S. mint: He had a spreadsheet of user names and passwords to access credit reports at all three credit bureaus.
It’s a dialog box nearly everyone has seen. When a typical home user sits down to their PC at night, their computer offers this simple challenge: supply a user name and a password to log in. That same line of defense was all that stood between Cummings and his 33,000 victims. Simply by applying the right user name and password, Cummings was allegedly able to impersonate firms like Ford, giving him the keys to almost any citizen’s personal financial kingdom. Such golden keys, one might think, would be carefully guarded. They weren’t. “Any help-desk representative has access to confidential passwords and subscriber codes of (Teledata) client companies that would have enabled that employee to download credit reports from all three credit bureaus,” Barrows said in his deposition. Teledata was a disaster waiting to happen.
But it wasn’t only Teledata’s fault; Teledata was merely the first symptom of a very sick system. Even more than two years after Cummings left the firm, the passwords he had allegedly stolen still worked. When a firm finally caught on and changed the codes, the FBI says Cummings just went down the list to the next sucker. None of the companies exercised even the most basic stewardship of such vital information. And the three credit bureaus, who know best the explosive nature of such credit terminals, failed to enforce even the most basic security measures, for examples, by insisting passwords be changed regularly. Meanwhile, those three companies, which were in the best position to notice all the data flying out of their computers, spent months before realizing their system was infiltrated by someone calling from a home in New Rochelle through an 800 number. And that someone was robbing America blind.
Over 33,000 victims were caught up in the scheme the FBI says Cummings masterminded scheme. Hundreds called in to describe the devastating consequences: homes, boats, loans obtained in their names. Uncounted millions of dollars in losses for consumers and businesses; perhaps incalculable losses of time and energy cleaning up the mess. Cummings was indicted by a federal grand jury of 22 counts of conspiracy, wire fraud, computer fraud and forfeiture. He pled not guilty and is awaiting trial. In January 2003, Baptiste pled guilty to four counts of conspiracy, wire fraud, identity fraud, and access device fraud in connection with the scheme.
James Jackson and Abraham Abdallah were merely playing with the system, going on a high-tech financial joyride, always more than willing to leave the stolen cars on the side of the road and walk home. They see themselves a bit like Robin Hoods of the digital age. Perhaps they don’t readily give to the poor, but they can take the rich down a peg or two, and all in a harmless way behind a keyboard and a telephone. Steven Spielberg and Paul Allen were none the worse for wear after their identities were stolen. But America’s real identity thieves, the ones who cause real heartache, they steal from real people. They are rarely caught. And the system makes their work exceedingly easy.
“This is the first time it’s ever happened. . . . it’s a pretty unique situation,” Donald Girard, director of Public Relations for Experian, said after the Cummings incident. Security measures were added in the wake of Cummings’s arrest, he said, but wouldn’t elaborate. But the problem of internal employees abusing the powerful credit terminals had been well known in the industry for at least a decade. In 1994, consumer attorney David Szwak wrote several articles highlighting the issue. He described the 1991 theft of $100,000 by a car salesman in Orlando, Florida, who used his dealership’s terminal to steal credit from a series of consumers around the country with the same name.
ID theft epidemic was predictable and preventable
The flaws in the system were obvious, and Cummings’s alleged scheme was completely predictable. So were the flaws exploited by Jackson and Abdallah. And in fact, so, too, was the entire identity theft epidemic predictable—and preventable. It is an epidemic. Until the middle of 2003, the best estimates suggested a few hundred thousand victims had been hit every year, but quiet rumblings among fraud investigators, along with a never-ending stream of noisy consumer victims, suggested the number was far higher. Experts would tell stories that at any given family gathering, when the question was asked, someone would raise their hand and say they had been hit. Finally, three major studies, including one commissioned by the Federal Trade Commission, shed light on the size of the problem in 2003. Studies since then agree that there are millions of victims each year now, and perhaps as many as 1 in 10 adults have been hit by one form of identity theft. More Americans now are victims of identity theft every year than any other crime.
And why not? It’s easy, lucrative, and almost entirely risk free. A Gartner study in 2001 suggested that as few as 1 in 700 identity thefts are eventually prosecuted. Meanwhile, the payoffs, in time and invisibility, are enormous. In stirring congressional testimony during 2002 support of identity theft legislation, Sen. Diane Feinstein offered powerful examples of now far identity theft can take a criminal. An administrator of Kmart Corporation’s stock option plan was accused of stealing the identity of a retired Kmart executive and exercising 176,000 options in his name. In another case, a Chicago man allegedly killed a homeless man to assume the victim’s identity and avoid pending criminal charges for counterfeiting.
Identity criminals can get away with murder, literally; government officials now outwardly express concern that such digital crimes will be an essential component enabling terrorism. And, in fact, identity theft had an important role to play in the tragedy of September 11. Authorities believe at least 2 of the 19 hijackers initially may have entered the country using stolen passports. An Algerian national was convicted of stealing the identities of 21 members of a health club in Cambridge, Massachusetts, and giving the identities to an individual convicted in the failed plot to bomb Los Angeles International Airport in 1999. There is ample evidence that terrorist groups regularly fund their activities with simple credit card frauds, and there have even been reports that al-Qaeda training manuals encourage it.
Certainly, criminals are to blame for the identity theft crisis. But so are the stewards of our electronic lives, those entrusted with our electronic identities, our digital twin. The institutions designed to protect our identities have let us down and enabled this epidemic. Corporate America had shirked much of its responsibility for the problem, looking the other way while signs of the coming crisis have been in plain view for years. Credit card companies, in their rush to push the “miracle of instant credit” at consumers, in an effort to simply push profit margins a little higher, have created the systematic flaw that allows identity theft to be profitable in the first place.
The real headache
The real headache for most victims, however, is the paperwork nightmare faced once the crime has been committed. Put simply, many victims find their credit is ruined and can spend years fixing the pockmarks left by their imposter. The nation’s credit reporting agencies and their incestuous relationship with the credit card companies, are solely responsible for this most painful revictimization of consumers. Law enforcement, meanwhile, has often been slow to react to the crime, refusing to even take criminal reports from victims in many cases. In others, detectives refused to get involved, citing the complex investigations and rarity of meaningful jail time for convicts. Many government agencies have been even slower to react; our nation’s identification systems, driver’s licenses and Social Security cards, are meaningless relics from the past. Congress has refused to pass meaningful regulation on the companies largely responsible for the mess, with many elected officials choosing instead to side with a lucrative lobbying force. And the Internet has made life easy for criminals, as they can steal the data they need from the comfort of their own homes and, in many cases, can simply trick consumers into handing over personal financial information willingly.
Ten years ago, James Rinaldo Jackson’s pleas for attention to the fundamental systems that enable the crime fell on deaf ears. As a result of that neglect, some 27 million people have endured the emotional and fiscal trauma of dealing with a crime some refer to as financial rape during the past five years. Identity theft is much more than a paperwork headache for victims. The crime has been blamed for everything from divorce to suicide to murder. It threatens happy retirements as well as college student loans. In its very worst form, it can even land innocent people in jail. The trials victims endure can be more surreal and maddening than anything Franz Kafka ever imagined—and their stories must be seen to be believed.
Excerpted from "Your Evil Twin: Behind the Identity Theft Epidemic" by Bob Sullivan. Copyright© 2004 by Bob Sullivan. Excerpted by permission of Wiley & Sons, Inc. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.