ID theft is growing. But who are the real criminals–petty thieves or large corporations? Like millions of others, Ramona found out the hard way.
Don’t email banking information to Nigerians promising you $10 million in lottery winnings. Don’t give your credit card numbers to strangers on the phone. Shred documents before recycling.
As identity theft increases, we get such tips almost daily from helpful media, credit card companies and police.
They’re good tips. Unfortunately, we’re rarely informed about the biggest security threats: irresponsible corporations, porous legislation, and non-existent law enforcement.
So Ramona, a local ID theft victim who wishes to withhold her surname (who can blame her?), learned the hard way.
En route to Nevada’s “Burning Man” festival in 2004, Ramona stopped at an IRS office. Carrying dual citizenship, she’d waitressed in Boston before moving back to Victoria in 2002, and was anticipating a belated tax refund to help pay for her vacation. Instead, she got a rude awakening: She’d have to pay taxes on her recent substantial stock market earnings.
But, she protested, she’d never invested in her life.
The IRS officer blithely printed out 17 pages detailing her hundreds of thousands of dollars in stock transactions.
“Imagine me almost falling off my chair,” says Ramona. “I was in so much shock.” Before she left, she was advised to contact a lawyer. “I got really scared.”
Stolen personal identity information has inestimable value. Opening credit card, bank or cell phone accounts, passing cheques, obtaining loans, mortgages, leases or passports, and evading taxes or law enforcement agencies are just some of the uses.
Consequences for individual victims can be serious: debts, shattered credit ratings, false criminal records, inability to obtain employment and years digging out of the hole.
Internationally, we’ve seen massive ID thefts from retailers, credit information companies and online brokers. In Greater Victoria, gas stations, loan services, public schools, doctors’ offices, and the provincial government were all successfully pilfered last year.
Canada Post reports several “incidents” of mail thefts monthly in Victoria alone. Victoria police detective Dan Cottingham calls mail the “number one” source of damaging ID thefts, describing people stealing en masse from apartment buildings, and investigations uncovering “backpacks full” of stolen mail.
Statistics are spottyâ€”only recently did responsibility for ID theft incident recording go to federal anti-fraud agency Phonebusters, and just a tiny percentage are reported to them. Surveys show 14% of Canadians have been victims, increasing 3% yearly. Annual losses are estimated to be $5 billion. These figures correspond to a U.S. Federal Trade Commission survey revealing 9.9 million Americans were victims of ID theft in 2002 alone, resulting in $48 billion in business losses and $5 billion in expenses to victims. Victims typically spend 330 hours clearing their namesâ€”if they clear their names.
If accurate, there are more victims of ID theft in Canada annually than victims of all other thefts combined, and the economic losses apparently surpass losses from all those other thefts combined, too.
Yet the response of governments and businesses to this criminal tidal wave remains, well, bizarrely supportive.
Ramona was beginning to discover that.
At home, she suspiciously noted the account was with Charles Schwab, her estranged American ex-boyfriend’s preferred brokerage.
She called Schwab to close the account. Ironically, she initially couldn’tâ€”she didn’t know the password.
Schwab’s fraud department began investigating. Copies of Ramona’s passport and social security card were on file, along with a well-forged signature. The email contact was similar to her email. The account had even been transferred from Boston to San Francisco at a time when she’d been visiting California. Chillingly, Ramona realized she was dealing with either a consummate pro, or someone who knew her. Or both.
She hesitated contacting her ex-boyfriend. “I was afraid of him.”
Researching online, most ID theft tip sheets advised filing a police report. Lawyers did, too. The ex’s possible involvement looked “dodgy”, one explainedâ€”what if her ex had done it, but said he’d done it for her? What if he had other accounts in her name?
“I was really scared that something would go wrong and I’d end up going to jail,” says Ramona. Crazy thinking? Maybe. But how much crazier, she surmised, than seeing hundreds of thousands of dollars of stock transactions in her name?
She called the police.
Victoria police said the crime wasn’t in their jurisdiction, and wouldn’t take a report. “They told me to call the Boston police.” Boston police directed her to San Francisco police, who replied, “You lose your dog in Boston and you look for him in San Francisco?”
After another round of infuriating calls, she marched into Victoria’s police stationâ€”and was again told to call Boston.
“I finally broke down in tears,” she says. “Then they called the Boston police themselves.”
But when Boston addresses linked to the account proved bogus, says Ramona, Boston police washed their hands of it.
Cottingham says Victoria police will take people’s ID theft reports “if it makes them feel better”, but they “don’t encourage” the practice. Police instead direct victims to security departments at companies where they’ve been victimized, and to follow tips from organizations like credit bureaus and Phonebusters.
“It does sound rather odd,” he admits. “But we don’t often take reports when we don’t actually take action.”
Layers of electronic and geographic anonymity are typical of ID thefts, he explains, so investigations are “just a huge, giant fishing trip.” Unless cases involve organized crime or big dollars, he clarifies, “we just don’t have the resources to follow up on things that the likelihood of solving is so little.”
According to RCMP Sgt. Forestell of BC’s much-ballyhooed Integrated Technological Crime Unit, although small-time, individual ID thefts are the most common, their agency also only investigates large-scale cases. Forestell laments Canada doesn’t have any ID theft criminal laws, anywayâ€”police must rely on various unwieldy, out-of-date laws.
Jay Foley, co-executive director of San Francisco’s ID Theft Resource Center, calls Ramona’s police-jurisdictional runaround “typical”. He grudgingly sympathizes with police under more pressure to deal with violent crimes. Foley adds that, even though in 20% of cases it turns out the victim personally knows the perpetrator, companies dislike the costs of pursuing small-time thieves and embarrassment of court cases exposing their sloppiness checking identities. “They hate to admit they’re that dumb”.
Cottingham confirms most corporate security departments rarely tell police about their ID theft investigations. “They know we’re busy, they’re busy. Ninety percent of it gets written off.”
“The bad guys know this, too,” Cottingham admits. “They know if they do a bunch of smaller ones they’ll usually go undetected or uninvestigated.”
Bewildered and on her own, Ramona proceeded to follow advice and online tips from Foley’s Center. Days rolled into weeks. Her trail twisted through credit bureaus, the U.S. Federal Trade Commission, Social Security Administration, IRS, Passport Office, RCMP, FBI, financial firms and more, as she tried to protect herself and clear her name.[Note: In 2013, an updated link to resources about identity theft from the FTC: http://www.consumer.ftc.gov/features/feature-0014-identity-theft and a helpful-looking resource: http://cards.creditloan.com/id-theft.html]
She lost two months of wages. “It knocked me sideways, and there was no way I could go back to work. I was dealing with it all day long. When I wasn’t working on it, I was just trying to calm down,” she says. “What I learned from it is, if somebody steals your identity, it’s your problem.”
Finally feeling sufficiently protected, she confronted her ex-boyfriend. He confessed with apologies, complicated explanations about tax difficulties, offers of money, and desperate entreaties not to turn him in.
She informed Schwab. Months later, Schwab sent a letter absolving Ramona. Her ex was never charged.
Overall, Ramona was grateful to Schwab’s fraud department. “They were the only ones who actually dealt with it.” Although she notes the account had no debt. “I don’t know what it would have been like if [Schwab] had been owed 50,000 dollars.”
She also harbours ill feelings. “[Schwab] didn’t do anything wrong as far as they were concerned,” she explains. “But I was pissed off that somebody could open an account and do all this without a single person ever going in and signing for anything in person. And they didn’t even check to see that the address exists. I can’t believe it’s so lax.”
In a written response to Focus , Schwab admitted an account could be opened solely through online and mail contact, but explained in general language that their frauds are “extremely rare” and they have “rigorous procedures” for identity verification.
The main issue, the report states, is that fast, easy credit and impulse buying produce huge profits, and companies apparently don’t have “sufficient market incentives” to prevent ID theft and fraud. For example, the report notes Visa and Mastercard take losses of hundreds of millions of dollars annually, but that’s less than 1% of sales.
Legislation is likely required, the report states, because many credit bureaus, ID traders and government agencies don’t even take “reasonable” steps to authenticate who’s overseeing or accessing vital information.
Additionally, many retailers unnecessarily print complete credit card numbers on receipts, while credit companies persistently mail unsolicited pre-approved applicationsâ€”both gold to mail thieves and dumpster divers.
Seventy percent of ID thefts are traced to “leaks” at reputable companies through corrupt employees, adds the report, and companies rarely notify us when our personal information has been stolen from them.
Police provide plenty of homegrown examples.
Victoria gas stations and restaurants have had hundreds of card numbers and PINs stolen by people who used false names to get jobs, then skimmed cards and disappeared, says Cottingham. “Looking at a 17-year-old gas jockey, how many employers really do their due diligence on these kids’ backgrounds?”
Forestell points to online mortgage providers unwittingly behind some Abbotsford grow-ops with no traceable owners. “There doesn’t seem to be as much due diligence done in extending credit as there was once upon a time.”
Even ID-certificate agencies aren’t always careful. Forestell describes a case where dead people’s identities were being recreated. In one instance, a deceased infant in his 30s drove up to the BC Motor Vehicle Branch in a new Mercedes and applied for his first-ever licence. “The person [conducting] the driving test should have been asking more questions,” comments Forestell.
It starts to seem obvious that shredding your recycling is a backwards strategy. Our ID information is everywhere. Why not better control how it’s used?
Indeed, two CMC report “options” for improvements are broadly-effective, slam-dunk solutions.
First, hold creditors liable for irresponsible practices. (After all, it’s not you giving that credit out carelessly in your name.) Simultaneously, allow anyone to lock their own credit reports and control access. These locks could be opened by us for specific companies or periods of timeâ€”you’d be contacted at a designated phone number for your secret PIN. This would prevent any credit from ever being improperly issued in your name, even if your ID was stolen, and would dramatically reduce the lucrativeness of all ID theft.
But Rick Cleary, President of credit information firm Equifax Canada, is hesitant.
“There would be some security advantages to [personal locks],” he agrees, while noting no system is foolproof. “The question is, what’s the flip side in terms of speed and other service issues.”
Centralized corporate departments frequently request tens of thousands or millions of credit updates. Personal locks, controls and contact requirements, Cleary says, could trip that up.
“These things today take seconds. If you change that process and it takes days for some reason, you’re talking about something that could potentially have a very significant impact on how the whole credit reporting and credit granting industry in Canada works,” he asserts. “Whether or not this is a slam dunk I guess depends on where you sit in the equation.”
Nevertheless, allowing personal credit locks is already law in 20 U.S. states, along with most other options in the CMC report.
Foley says U.S. changes were hastened when car and quickie loan companies actually lobbied against allowing even confirmed victims of ID theft to put locks on their credit reports. This blatant disinterest in reducing fraud, says Foley, prompted aghast legislators to start reining in the fast-and-easy credit industry.
But weak support from businesses remains a problem, says Foley. “Have you tried to find a link about locking your credit at Equifax’s [U.S.] website?”
Here, Justice Canada and the CMC are still deliberating. Credit bureaus are actually provincially regulated, but our consumer protection powers and programs were spun off last year to an arms-length agency. BC’s new “Business Practices and Consumer Protection Authority” is paradoxically dependent on businesses for its funding, so perhaps not surprisingly deputy director Linda Foubister says BPCPA isn’t working on ID theft regulations. Government communications personnel wouldn’t confirm or deny if anyone in the provincial government was working on ID theft issues, insisting only the Solicitor General could answer. He didn’t respond by deadline.
Meanwhile, businesses are generating more ways to profit off our personal losses. Paying companies to monitor your credit rating and at least speedily detect when you’ve become a victim of fraud has become a billion-dollar industry. The BC Automobile Association says sales of ID theft insurance have taken off like “wildfire”.
However, diverse financial portfolios and robust credit ratings often make wealthy, powerful people the easiest, juiciest targets. That may push government action.
Originally published in Focus magazine, February 2006.