Carefully guard your Social Security number. Don’t enter it in Web pages; don’t give it out to companies. Watch your bank statements and credit card bills like a hawk. Shred any documents with financial account numbers on them. It’s all good advice. But for hundreds of thousands of victims who had their personal financial data stolen in the past year, it’s cold comfort. Because most experts will privately concede there really isn’t much you can do to prevent a criminal from stealing your identity.
For two years, a former employee at a small 65-person firm in Long Island software company allegedly managed to raid the nation’s entire credit reporting system. And in the process, if the charges prove true, he could have sold virtually any American’s digital identity.
Philip Cummings spent three months as a help desk worker at tiny Teledata Communications Inc. three years ago. But that was all the time he needed to allegedly set up a simple crime ring that cost consumers at least $2.7 million, and probably much more. Before he was finally arrested by authorities in November, authorities said he had sold the credit reports of 30,000 people. The digital dossiers Cummings gave away included all bank accounts, credit card numbers, even former and current addresses.
Victims suddenly discovered loans had been taken out in their name. Some now owed money on cars, boats, and even houses.
But none of them had heard of Teledata, or Cummings. He allegedly downloaded 13,000 credit reports posing Ford Motor Comp., but victims didn’t necessarily buy a car recently. And many of them had probably followed all the standard advice: they used hard-to-guess bank PINS, they hid their financial documents in a safe. They may even never have shopped on the Internet, nor given out their credit card number over a telephone.
But it didn’t matter, because virtually everyone over 18 is part of the nation’s credit reporting system. So the truth revealed by the discovery of Cummings’ alleged theft is this: There was nothing any of the victims could have done to prevent it. If you had a Social Security number, and you’d ever been involved in any financial transaction that involved credit, Philip Cummings had access to your data.
Your data, sold for only $30
Cummings’ story shined a bright light on the murky world of Internet-age identity thieves. It’s always been easy to steal credit card receipts from restaurant customers or garbage cans. But thanks to the Internet, criminals can steal them by the thousands now; and more importantly, they can sell them by the thousands to other criminals.
Nearly every Internet-based crime, from auction fraud to child pornography to stalking, starts with an identity theft. And thanks to Cummings’ arrest, we now know the crime is so common that complete digital dossiers sell for only $30 a pop on the black market.
Last year, yet again, identity theft topped the list of complaints filed with the Federal Trade Commission, and the news is getting worse. The number of formal complaints doubled during 2002, with some 170,000 reports filed. But that’s just a fraction of the size of the problem, because it only represents victims who took the time to find their way to the FTC and file a report.
Starts with a data leak
Meanwhile, hundreds of thousands of others wonder why their financial life has suddenly been turned upside down, even though they’ve never done anything risky with their personal information.
“At end of the day, other people have custody of your information and it’s very difficult for consumers to control that,” said Betsy Broder, an FTC identity theft expert. “Even when you give the information to legitimate merchants, it’s only as safe as that institution’s safeguards.”
Probably 750,000 people had their identities copied in 2001 and suffered the consequences, said Rob Douglas, CEO of American Privacy Consultants Inc. And while estimates for last year are still being bandied about, several high-profile data leaks suggest the number of victims will easily eclipse 1 million. In one incident alone, the State of California saw its entire employee database, with some 260,000 workers, exposed to a hacker.
Once a consumer finds out their personal data has been leaked, the waiting game begins. Order your credit reports regularly, consumers are told. And simply wait and see if your bank accounts are drained, if car loans are taken out in your name, if your homes are mortgaged and equity stolen right out from under your roof.
But worse still, many consumers aren’t even told when their data is leaked. Dan Clements, who runs consumer advocate Web site CardCops.com, maintains a searchable database of stolen card numbers that have been posted on the Internet expressly because Web sites that leak data almost never tell the victims.
“If I had to guess I’d say only 1 in 100 will come forward and admit, ‘Yes, we’ve lost data,’ and notify their consumers,” Clements said.
He also criticized Visa and Mastercard for heavily promoting “Zero liability” for credit card consumers who shop online. While consumers aren’t liable for fraudulent charges, they are responsible for cleaning up any identity theft issues that arise when their card number is stolen.
“The ‘Zero fraud liability’ on the Net is a fallacy. It’s camouflaging identity theft,” he said. “They’re not educating consumers about identity theft, creating a false sense of security.”
Some lawmakers are starting to take notice. A new law set to take effect in California this July will force companies that have lost data to hackers to come clean to customers. But loopholes that allow companies to stall release of the bad news while incidents are “under investigation” will likely stifle the legislation’s intent, keeping consumers in the dark when their data has been lost.
So it’s not until the credit card company calls with bad news, or an abrupt call from a collections agency comes late at night, that a consumer learns their identity has been stolen. And that’s only the beginning.
If you are a victim
Because it’s up to consumers to watch their own backs and discover fraud on their credit reports, statements, and bills. The good news is most banks and credit card companies are cooperative with victims who call promptly with complaints, come armed with documentation, and are willing to sign affidavits. Generally, most are successful in getting the charges reversed.
That’s not true when a debit card or other check card is used for the heist. Banks have no legal responsibility to refund customers facing debit card losses, and increasingly, financial institutions aren’t refunding debit-connected fraud.
But even without direct financial losses, ID theft victims face a nightmare of laborious paperwork and lost time. Cleaning up a blemished credit report can cost between $500 and $1,000, experts say.
To make things a little easier, the FTC offers a ready-made identity theft affidavit which can be sent to all financial institutions by victims to alert them of potential fraud. It’s available from the agency’s Web site.
What can you do? Not much
But that only helps victims after the fact. What can someone do to stop themselves from becoming a victim in the first place? Not much, says Larry Ponemon, a privacy consultant and former auditor for PricewaterhousCoopers who now audits company computer systems and privacy policies.
“The problem is a little bit in the intractable category,” Ponemon said. “For the most part, we rely on the good intentions of companies (that have customers’ personal data). But the empirical evidence says you cannot rely on that any more. Bad things will happen. ... Sooner or later it’s going happen. I don’t know if there’s really much we can do.”