Identity Theft
Identity Theft
Sections within this essay:
BackgroundHow Identity Theft Occurs
Self-Help Measures
Determine Whether Identity Theft Has Occurred
Obtain a Credit Report
File a Fraud Alert
Submit an ID Theft Affidavit
Report to Local Police
File a Complaint with the Federal Trade Commission
Manage Personal Information
Federal Statutes
Identity Theft and Assumption Deterrence Act
Identity Theft Penalty Enhancement Act
Fair and Accurate Credit Transactions Act
Other Statutes
State Statutes
Credit Card Numbers on Receipts
Credit Card Skimming
Breach of Information
Consumer Report Security Freeze
Anti-Phishing
State Identity Theft Laws
Additional Resources
Organizations
Equifax Information Services, LLC
Experian
Federal Trade Commission
National Conference of State Legislatures
TransUnion
Background
The person becomes the victim of identity theft when someone else uses the person's personal information to commit fraud or other crimes. An individual who commits identity theft may appropriate a name, bank account number, credit card number, social security number, or other personal information. With the increase in the amount of personal information that is exchanged on the Internet, identity theft has developed into a major concern in the United States and abroad.
Both state government and the federal government have enacted a series of statutes that are designed to deter identity theft. Many of these statutes increase penalties or expand the roles that law enforcement officials play in the investigation of identity theft. Other statutes assist victims after their identities have been stolen.
How Identity Theft Occurs
The Federal Trade Commission (FTC), which serves as a clearinghouse for complaints about identity theft, has identified several means by which an identity thief may perpetrate the crime. These include the following:
- Obtaining personal information of others while on the job
- Hacking personal records
- Bribing or conning an employee who has access to personal records
- Stealing a victim's wallet or purse
- Stealing personal information through email, phone, or other means, in a practice known as "phishing"
- Stealing credit or debt card numbers by capturing information in a data storage device, in a practice known as "skimming"
- Obtaining a person's credit report
- Rummaging through a person's trash can or the trash can of a business, in a practice known as "dumpster diving"
- Stealing personal information found in a victim's home
- Stealing mail, including bank and credit card statements, offers for new credit cards, new checks, and tax information
- Completing a change of address form so that the victim's mail is sent to another location
Once an identity thief has obtained the personal information of a victim, the perpetrator may engage in a number of activities. Some of these illegal activities include the following:
- Establishing a phone or wireless service in the name of the victim
- Opening new credit card accounts in the victim's name
- Calling credit card companies to change the billing address of the victim's account (so that the victim will not receive statements)
- Creating counterfeit checks, credit cards, or debit cards
- Authorizing electronic transfers in the victim's name
- Draining bank accounts
- Buying a car or taking out a automobile loan in the victim's name
- Getting a job or filing a fraudulent tax return in the victim's name
- Giving the victim's name to the police during an arrest
Self-Help Measures
Those who have become the victims of identity theft may take certain actions in order to protect themselves. In some situations, a person may not be aware that he has become a victim; in others, a person may suspect that she has been victimized, but needs to determine whether this is so. The information below summarizes the some of the steps that victims or potential victims of identity theft may take.
Determine Whether Identity Theft Has Occurred
In some instances, identity theft will be obvious to the victim. A victim may receive a telephone call from a creditor after an identity thief has opened an account in the victim's name. In other circumstances, the victim may notice unusual charges on his or her credit card statement or unauthorized withdrawals from a checking or savings account.
Even where identity theft is not immediately obvious, a victim may experience other signs that this theft has taken place. For example, the victim may stop receiving bills or other mail, indicating that an identity thief has submitted a change of address form for the victim. Similarly, a victim may be denied credit for no apparent reason or may receive credit cards for which the victim did not apply.
Obtain a Credit Report
Three nationwide consumer credit reporting companies, also referred to as credit bureaus, maintain credit reports about each consumer. These companies maintain such information as how many accounts a consumer has and whether the consumer has paid his or her bills on time. The three companies include the following: Equifax, Experian, and TransUnion. Contact information for these companies is available under "Organizations" at the conclusion of this essay.
Under amendments to the federal Fair Credit Reporting Act, passed in November 2003, each of these credit bureaus must provide every consumer with a free copy of the consumer's credit report. The credit report cannot be obtained directly from the credit bureaus, however. Instead, these reports must be obtained through one of the following: online at www.annualcreditreport.com; via phone at 1-877-322-8228; or by submitting a form to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, Georgia, 30348-5281.
In some instances under federal law, a consumer is entitled to additional free reports, such as when a company denies credit to a consumer. Moreover, some states provide for free access to credit reports. Otherwise, consumers may pay up to $9.95 to order a credit report from one of the reporting services.
File a Fraud Alert
Each of the three major credit bureaus maintains a fraud department. A consumer who is the victim of identity theft should contact the fraud department of one of the credit bureaus and ask that the company place a fraud alert on the consumer's account. Once a consumer has contacted one of these bureaus, this bureau is required to contact the other two.
This fraud alert indicates to a creditor that the creditor must contact the consumer before opening a new account or changing an existing account. If the consumer requests, the credit bureaus may only display the last four digits of the consumer's social security number on the credit reports.
Submit an ID Theft Affidavit
When an identity thief opens a new unauthorized account, the victim may dispute the opening of the account. The Federal Trade Commission has prepared an ID Theft Affidavit that may be used when a consumer reports fraudulent activity and disputes an account. The ID Theft Affidavit is available at http://www.consumer.gov/idtheft/pdf/affidavit.pdf.
Report to Local Police
A victim of identity theft should file a report with the victim's local police or the police in the community where the theft took place. The victim should submit a copy of the police report, or at least the number of the report, to creditors and anyone else who might require proof that the crime has occurred.
File a Complaint with the Federal Trade Commission
A victim should submit a complaint with the FTC, which maintains a database of information regarding identity theft cases. Law enforcement agencies use this database during investigations. The FTC also uses this information in order to gather more data about identity theft in an effort to address the problem as a whole.
Manage Personal Information
The FTC and others warn consumers that they should take active steps to protect their personal information. For credit card, bank, and phone accounts, consumers should create a password that a thief cannot guess. Similarly, a consumer should not give out personal information, via computer or otherwise, to anyone unless the consumer knows with whom he or she is dealing.
Federal Statutes
Congress has enacted a number of statutes that address identity theft. Some of these statutes focus on criminal sanctions for identity theft, while others focus more on protecting the victims of identity theft crimes.
Identity Theft and Assumption Deterrence Act
The Identity Theft and Assumption Deterrence Act was promulgated in 1998 to establish identity theft as a federal crime. Under this law, a person who commits identity theft faces a maximum of 15 years in prison and/or a fine. The maximum term of imprisonment increases under some circumstances, such as when identity theft occurs in connection with drug trafficking or as a means to facilitate international terrorism. The statute also requires the FTC to receive complaints from individuals who have been victims of identity theft (discussed above).
Prior to the enactment of this statute, federal law only applied to the theft of identification documents and not identifying information. The 1998 law extends its application to the theft of "means of identification," which may include any of the following:
- Name
- Social security number
- Date of birth
- Official state or government issued driver's license or identification number
- Alien registration number
- Government passport number
- Employer or taxpayer identification number
- Unique biometric data, including a fingerprint, a voice print, a retina or iris image, or another unique physical representation
- A unique electronic identification number, address, or routing code
- Telecommunication identifying information or access device.
Identity Theft Penalty Enhancement Act
In 2004, President George W. Bush signed the Identity Theft Penalty Enhancement Act. The statute strengthens penalties for those who possess someone else's personal information with the intent to use the information to commit a crime. Penalties are further enhanced when the identity theft is done to commit an act of terrorism.
Fair and Accurate Credit Transactions Act
Congress passed the Fair and Accurate Credit Transactions Act in 2003 in an effort to prevent identity theft, among other purposes. The statute provides that consumers may request that the credit bu-reaus place fraud alerts on their accounts. The act also specifies that only the last five digits of a credit card number may appear on an electronically printed receipt. Moreover, this statute directs the FTC to prepare a model summary of the rights of consumers with respect to procedures to remedy fraud or identity theft.
Other Statutes
Several other federal statutes have been enacted in an effort to combat identity theft. Some of these statutes limit the financial liability of identity theft victims. Others prohibit the release of personal information, including social security numbers.
State Statutes
The various states have enacted several types of statutes that apply to identity theft cases. The following are some of the more common types of identity theft statutes.
Credit Card Numbers on Receipts
As of 2005, the majority of states have enacted pieces of legislation that restrict the number of digits that may be printed on electronic receipts. Most states prohibit merchants from printing more than four or five digits, and several prohibit merchants from printing the card's expiration date. Some statutes limit the type of information that may be displayed in a receipt, restricting such data as a consumer's name or telephone number.
Credit Card Skimming
About half of the states have approved legislation that criminalizes the unauthorized use of encoded credit card information. In some states, such as Texas, the statute requires restaurants and bars to post signs warning employees against fraudulent use of or possession of identifying information.
Breach of Information
Approximately 17 states as of 2005 have enacted statutes that require state agencies and companies to disclose security breaches that involve the potential release of personal information of consumers. In some instances, these breaches have compromised personal information of hundreds of thousands of individuals. These statutes provide notification to those who potentially could be the victims of identity theft as a result of such a breach.
Consumer Report Security Freeze
Some states allow victims of identity theft to demand that credit reporting services freeze the victims' credit reports. The provisions of these statues are similar to those found in the federal Fair and Accurate Credit Transactions Act.
Anti-Phishing
California in 2005 became the first state to enact legislation that addresses phishing, which is a practice of duping Internet users into divulging personal information. Congressional attempts to enact similar legislation failed in Congress in 2004 and 2005.
State Identity Theft Laws
ALABAMA: The Consumer Identity Protection Act makes identity theft either a felony or a misdemeanor, depending on whether the defendant has had a prior conviction and the amount of financial loss involved with the theft.
ALASKA: The state's statute addressing theft by deception makes identity theft either a felony or a misdemeanor, depending on the circumstances.
ARIZONA: The state has enacted legislation addressing credit card numbers on receipts and credit card skimming. The state's statute addressing theft by deception makes identity theft a felony.
ARKANSAS: The state has enacted legislation addressing credit card skimming and breach of information. The state's statute addressing financial identity fraud makes identity theft a felony.
CALIFORNIA: The state has enacted legislation addressing credit card numbers on receipts, credit card skimming and breach of information. The state's statute addressing identity theft provides for both a fine and a jail term.
COLORADO: The state has enacted legislation addressing credit card numbers on receipts.
CONNECTICUT: The state has enacted legislation addressing breach of information. The state's statute addressing identity theft makes identity theft a felony.
DELAWARE: The state has enacted legislation addressing credit card numbers on receipts, credit card skimming, and breach of information. The state's statute addressing identity theft makes identity theft a felony.
FLORIDA: The state has enacted legislation addressing credit card numbers on receipts, credit card skimming, and breach of information. The state's statute addressing criminal use of personal identification information makes identity theft either a felony or a misdemeanor, depending on the circumstances.
GEORGIA: The state has enacted legislation addressing credit card numbers on receipts and breach of information. The state's statute addressing financial identity fraud makes identity theft a crime punishable by either a fine or a term of imprisonment.
HAWAII: The state's statute addressing identity theft makes identity theft a felony.
IDAHO: The state has enacted legislation addressing credit card numbers on receipts and credit card skimming. The state's statute addressing misappropriation of personal identifying information makes identity theft a misdemeanor or a felony, depending on the circumstances.
ILLINOIS: The state has enacted legislation addressing credit card numbers on receipts, credit card skimming and breach of information. The state's statute addressing identity theft makes identity theft a misdemeanor or a felony, depending on the circumstances.
INDIANA: The state has enacted legislation addressing breach of information. The state's statute addressing identity theft makes identity theft a felony.
IOWA: The state has enacted legislation addressing credit card skimming. The state's statute addressing identity theft makes identity theft a misdemeanor or a felony, depending on the circumstances.
KANSAS: The state has enacted legislation addressing credit card numbers on receipts. The state's statute addressing identity theft makes identity theft a felony.
KENTUCKY: The state has enacted legislation addressing credit card numbers on receipts and credit card skimming. The state's statute addressing identity theft makes identity theft a crime subject to a fine or term of imprisonment.
LOUISIANA: The state has enacted legislation addressing credit card numbers on receipts, credit card skimming, and breach of information. The state's statute addressing identity theft makes identity theft a felony.
MAINE: The state has enacted legislation addressing credit card numbers on receipts, credit card skimming, and breach of information. The state's statute addressing misuse of identification makes identity theft a class D crime.
MARYLAND: The state has enacted legislation addressing credit card numbers on receipts. The state's statute addressing identity theft makes identity fraud a misdemeanor or a felony, depending on the circumstances.
MASSACHUSETTS: The state's statute addressing identity theft makes identity theft a felony.
MICHIGAN: The state has enacted legislation addressing credit card skimming. The state's statute addressing identity theft makes identity theft a felony. MINNESOTA: The state has enacted legislation addressing breach of information. The state's statute addressing identity theft makes identity theft a crimepunishable by a fine or jail term.
MISSISSIPPI: The state has enacted legislation addressing credit card skimming. The state's statute addressing fraudulent use of identity makes identity theft a crime punishable by a fine or jail term.
MISSOURI: The state has enacted legislation addressing credit card numbers on receipts and credit card skimming. The state's statute addressing identity theft makes identity theft either a felony or a misdemeanor depending on the circumstances.
MONTANA: The state has enacted legislation addressing breach of information. The state's statute addressing identity theft makes identity theft a crime punishable by a fine or a jail term.
NEBRASKA: The state has enacted legislation addressing credit card numbers on receipts. The state's statute addressing criminal impersonation makes identity theft either a misdemeanor or a felony depending on the circumstances.
NEVADA: The state has enacted legislation addressing credit card numbers on receipts, credit card skimming and breach of information. The state's statute addressing identity theft makes identity theft a felony.
NEW HAMPSHIRE: The state has enacted legislation addressing credit card skimming. The state's statute addressing identity theft makes identity theft a felony.
NEW JERSEY: The state has enacted legislation addressing credit card numbers on receipts, credit card skimming, and breach of information. The state's statute addressing identity theft makes identity theft a crime punishable by fine or jail term.
NEW MEXICO: The state has enacted legislation addressing credit card numbers on receipts. The state's statute addressing identity theft makes identity theft a misdemeanor.
NEW YORK: The state has enacted legislation addressing credit card numbers on receipts and breach of information. The state's statute addressing identity theft makes identity theft either a felony or a misdemeanor, depending on the circumstances.
NORTH CAROLINA: The state has enacted legislation addressing credit card numbers on receipts and breach of information. The state's statute addressing fraudulent identity fraud makes identity theft a felony.
NORTH DAKOTA: The state has enacted legislation addressing credit card numbers on receipts and breach of information. The state's statute addressing identity theft makes identity theft a felony.
OHIO: The state's statute addressing identity theft makes identity theft either a felony or a misdemeanor depending on the circumstances.
OKLAHOMA: The state has enacted legislation addressing credit card numbers on receipts. The state's statute addressing identity theft makes identity theft a felony.
OREGON: The state has enacted legislation addressing credit card numbers on receipts and credit card skimming. The state's statute addressing identity theft makes identity theft a felony.
PENNSYLVANIA: The state's statute addressing identity theft makes identity theft either a felony or a misdemeanor depending on the circumstances.
RHODE ISLAND: The state has enacted legislation addressing credit card numbers on receipts and breach of information. The state's Impersonation and Identity Fraud Act makes identity theft a crime punishable by fine or jail term.
SOUTH CAROLINA: The state's Personal Financial Security Act makes identity theft a felony.
SOUTH DAKOTA: The state has enacted legislation addressing credit card skimming. The state's statute addressing identity theft makes identity theft a misdemeanor.
TENNESSEE: The state has enacted legislation addressing credit card numbers on receipts and breach of information. The state's statute addressing identity theft makes identity theft either a felony or a misdemeanor depending on the circumstances.
TEXAS: The state has enacted legislation addressing credit card numbers on receipts, credit card skimming, and breach of information. The state's statute addressing identity theft makes identity theft a felony.
UTAH: The state has enacted legislation addressing credit card skimming. The state's statute addressing identity theft makes identity theft either a felony or a misdemeanor depending on the circumstances.
VERMONT: The state's statute addressing identity theft makes identity theft either a felony or a misdemeanor depending on the circumstances.
VIRGINIA: The state has enacted legislation addressing credit card numbers on receipts and credit card skimming. The state's statute addressing identity theft makes identity theft either a felony or a misdemeanor depending on the circumstances.
WASHINGTON: The state has enacted legislation addressing credit card numbers on receipts, credit card skimming, and breach of information. The state's statute addressing identity theft makes identity theft a felony.
WEST VIRGINIA: The state has enacted legislation addressing credit card skimming. The state's statute addressing identity theft makes identity theft a felony.
WISCONSIN: The state's statute addressing misappropriation of personal identifying information makes identity theft a felony.
WYOMING: The state has enacted legislation addressing credit card skimming. The state's statute addressing identity theft makes identity theft either a felony or a misdemeanor depending on the circumstances.
Additional Resources
Identity Theft: A Legal Research Guide. Best, Reba A., William S. Hein & Co., Inc., 2004.
"Take Charge: Fighting Back Against Identity Theft." Federal Trade Commission, 2004. Available at http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm.
Organizations
Equifax Information Services, LLC
P.O. Box 740241
Atlanta, GA 30374 USA
Phone: (800) 685-1111
URL: http://www.equifax.com
Experian
P.O. Box 2002
Allen, TX 75013 USA
Phone: (888) 397-3742
URL: http://www.experian.com
Federal Trade Commission
600 Pennsylvania Avenue, N.W.
Washington, DC 20580 USA
URL: http://www.ftc.gov
National Conference of State Legislatures
444 North Capitol Street, N.W., Suite 515
Washington, DC 20001 USA
Phone: (202) 624-5400
Fax: (202) 737-1069
URL: http://www.ncsl.org
TransUnion
P.O. Box 1000
Chester, PA 19022 USA
Phone: (800) 888-4213
URL: http://www.transunion.com/index.jsp
Identity Theft
IDENTITY THEFT
The assumption of a person's identity in order, for instance, to obtain credit; to obtain credit cards from banks and retailers; to steal money from existing accounts; to rent apartments or storage units; to apply for loans; or to establish accounts using another's name.
Computer Help-Desk Worker, Data Collection Company Involved in Major Identity Theft Cases
In 2004 and 2005, a computer help-desk worker and a major data-collection company were involved in major scandals relating to identity theft. The help-desk worker pleaded guilty in 2004 to helping others to steal an estimated 33,000 consumer credit reports. The data-collection company, in an unrelated case, gave scammers access to personal data of an estimated 145,000 people. The cases have demonstrated flaws in U.S. privacy laws, as well as the level of vulnerability that consumers have to electronic fraud .
Phillip A. Cummings took a job as a help-desk worker with Teledata Communications, a small company in Bayshore, New York, in 1999. Teledata manufactures "credit prompter boxes," which are credit-check terminals used by companies to perform routine credit checks. More than 25,000 companies, such as car dealerships and apartment-rental offices, use these terminals to check the credit ratings of applicants. Cummings worked for Teledata until March 2000.
During his employment with the firm, Cummings had access to user names and passwords that could be used to access credit reports. According to court documents, he took a spreadsheet containing user names and passwords with him when he left the firm. Law enforcement officials said that anyone in Cummings's position could have obtained this information. "Any help-desk representative has access to confidential passwords and subscriber codes of (Teledata) client companies that would have enabled that employee to download credit reports from all three credit bureaus," said Kevin Barrows of the Federal Bureau of Investigation.
Cummings sold the user names and passwords to several accomplices, who used these codes to gain access to thousands of credit reports from consumers. One accomplice began to obtain credit reports in 2001, when he posed as a representative of Ford Motor Credit. By the end of 2001, the impostor had acquired about 13,000 credit reports. Accomplices impersonated representatives of dozens of other companies until authorities broke up the crime ring. Authorities said that those who received the credit reports made money through several means. Perpetrators depleted bank accounts; changed addresses on accounts; ordered new checks, new ATM cards, and new credit card accounts; and opened new lines of credit.
Some accomplices had been arrested prior to Cummings. Linus Baptiste was arrested in 2003 and pleaded guilty to fraud and conspiracy charges. Hakeem Muhammad also pleaded guilty to committing fraud, while Emanuel S. Ezediaro was arrested for paying thousands of dollars to Cummings and Baptiste to obtain credit reports. Two others, Eniete Ukpong and Ahmet Ulutas, also pleaded guilty to charges stemming from the scam.
Cummings told the U.S. District Judge George B. Daniels that he "didn't know the magnification" of his actions. Daniels, however, said that the case "emphasized how easy it is to wreck havoc on people's financial and personal lives." The total damages caused by the scheme were estimated at $50 million to $100 million, figures that the judge said were "almost unimaginable." Judge Daniels received statements from more than 300 victims, many of whom had spent months dealing with credit agencies and other authorities.
Judge Daniels sentenced Cummings to 14 years in prison and ordered him to forfeit $1 million in proceeds that he had received from the scheme. Cummings sought leniency from the judge due to a heart condition that he suffers, but Daniels refused.
In an unrelated case, ChoicePoint, a commercial data broker, discovered that it had sold personal information of more than 145,000 U.S. citizens to scammers posing as legitimate small-business clients. The security breach led consumers to file a series of lawsuits, and both the Securities and Exchange Commission and the Federal Trade Commission announced that they were investigating the case.
ChoicePoint provides consumer-data services to government agencies, as well as to insurance and other companies. Most of its clientele consists of larger corporations, although it also serves some smaller businesses. On September 27, 2004, ChoicePoint discovered that some of its small-business customers in the Los Angeles area had engaged in "suspicious activity." Under the California Security Breach Information Act, which became effective on July 1, 2003, ChoicePoint was required to notify California residents that their information had been accessed improperly. The company also notified law enforcement officials.
The discovery led to a public outcry for the company to inform customers outside of California about the breach. By February 2005, the company had notified 110,000 additional people that their records had been accessed. ChoicePoint filed a document with the SEC on March 4, 2005 indicating that the records had been purchased by 50 fraudulent companies between July 1, 2003 and September 2004. The company did not release information about possible breaches that might have occurred prior to July 1, 2003, leading to speculation that more records might have been accessed prior to that date.
The actions of ChoicePoint's top executives in the months that followed the discovery of the improper sales led many to question the company's actions. Between November 2004 and February 2005, the company's CEO sold more than 300,000 shares of company stock, while the company's president sold approximately 130,000 shares. Although the company had worked with law enforcement in California to investigate the case, officials said that the company had been free to disclose the breach as early as January 1. The company did not announce the breach until February 15.
The cases involving ChoicePoint and Phillip Cummings are among a series of incidents involving identity theft in 2004 and 2005. In one case, authorities charged a Red Cross employee and two other people with stealing personal information about 40 blood donors in Philadelphia and with using the information to obtain about $268,000 in cash and goods. In another case, thieves allegedly stole the names and social security numbers of as many as 45,000 former military and intelligence workers from the computer records of Science Application International Corp., a government contractor. Among the potential victims were John M. Deutch, former director of the Central Intelligence Agency, and William Perry, former Secretary of Defense.
Congress Approves Legislation Designed to Curb Identity Theft
President George W. Bush on July 15, 2004 signed into law the Identity Theft Penalty Enhancement Act, Pub. L. No. 108-275, 118 Stat. 831, which increased penalties for those who commit identity theft. The enactment came a year after Congress approved the Fair and Accurate Credit Transactions Act ("FACT Act"), Pub. L. No. 108-159, 117 Stat. 1952 (2003), which allows individuals to obtain credit reports free of charge. The provisions of the FACT Act began to be implemented in 2004.
Identity theft has continued to be a major problem in the U.S. The Federal Trade Commission reported that 161,836 cases of identity theft occurred in 2002, affecting 9.9 million victims. By 2003, the number of cases increased to 214,905. According to an FTC survey, as many as 27.3 million were victims of identity theft between 1999 and 2004. Identity theft has cost businesses and consumers several billion dollars.
Representative John R. Carter (R.-Tex.) introduced the Identity Theft Penalty Enhancement Act in 2003 as H.R. 1731. The Senate considered a similar bill, S. 153, which had been introduced by Senator Dianne Feinstein (D.Cal.). The Senate's version passed with unanimous consent on March 19, 2003. The House Judiciary Committee received both bills on May 5, 2003 and referred them to the Subcommittee on Crime, Terrorism, and Homeland Security. The subcommittee did not take action on the bills until March 2004, when it conducted hearings. After approval by the subcommittee, the Judiciary Committee approved the House bill on May 12, 2004. The bill easily passed in both the House and the Senate in June 2004.
The new law amends Title 18 of the United States Code to create a new crime termed "aggravated identity theft." Under the new law, a person commits this crime by "knowingly transferring, possessing, or using, without lawful authority, a means of identification of another person…." The bill establishes a mandatory sentence of two years in prison for one who commits such a crime and forbids a judge from placing such a person on probation. If a person commits this crime in relation to terrorist acts, the length of the penalty increases to five years.
The statute also includes a provision directed toward "insider" identity theft, which takes place when employees use their insider status to gain access to credit reports or other personal information of their employers' clients or other employees. Another provision of the statute authorizes appropriations to the Justice Department to investigate and prosecute identity theft and related cases.
Carter referred to the bill as "one of the shots taken in a battle that we've got to win…. It's a crime that we need to address and address seriously, both for the protection of the credit of American citizens and for the protection of homeland security." Bush echoed these statements when he signed the bill. "The law I sign today will dramatically strengthen the fight against identity theft and fraud," he said. "Prosecutors across the country report that sentences for these crimes do not reflect the damage done to the victim. Too often, those convicted have been sentenced to little or no time in prison. That changes today."
In December 2003, Bush signed the FACT Act, which was designed to establish a national system of fraud detection. The FACT Act amended the Fair Credit Reporting Act, 15 U.S.C. §§1681 et seq. The statute had an impact on all consumers in 2004 and 2005 because it allowed all consumers to check the accuracy of their credit reports in order to prevent identity theft.
Three nationwide credit bureaus, including Equifax, Experian, and Trans-Union, provide credit reports that banks and other lenders use to research credit histories of consumers. The credit report provides a detail of each consumer's line of credit , including whether the consumer has paid bills on time, whether the consumer has filed for bankruptcy, and similar types of information. The purpose behind providing free credit reports to the consumers is to allow the consumers to spot errors that could have resulted from identity theft.
Under the statute, each consumer became eligible to receive his or her report based on their location. Consumers living in 13 western states could order their reports beginning on December 1, 2004. Consumers in 12 midwestern states could receive their reports beginning on March 1, 2005, followed by consumers in 11 southern states on June 1. Residents of the remaining eastern states, along with residents of the District of Columbia, Puerto Rico, and other U.S. territories can order their reports beginning on September 1, 2005.
The FACT Act established a new National Fraud Alert System. Under this system, when a consumer notifies one credit bureau of an incident of identity theft, the other two bureaus are also notified. The statute additionally contains other provisions, such as one that forbids businesses from disclosing social security numbers and credit card numbers on consumer receipts.
Events that occurred after the passage of these new statutes appear to amplify the need for stronger regulations, according to many commentators. In one case, ChoicePoint, Inc., a leading broker in personal data, reported in February 2005 that it had inadvertently sold personal information about 145,000 people in a series of identity-theft scams. According to one state official, "The ChoicePoint issue makes it clear we are all vulnerable to the misuse of information that is stored technologically."
Other commentators said that these statutes are just the first step, but that other problems must be addressed. For instance, one expert noted that local law enforcement agencies need to have more resources at their disposal in order to catch, prosecute, and convict identity thieves. According to this expert, local law enforcement agencies "don't have money for the equipment to investigate identity theft. The criminals have better equipment than law enforcement does."
Ohio Launches New Identity Theft Program
In December 2004, Ohio launched a pilot program to combat identity theft and to help victims of this crime. With a $400,000 start-up grant from the United States Department of Justice, the Identity Theft Verification Passport Program will help to rehabilitate a victim's credit history. It also provides proof to law enforcement personnel and creditors that a person's identity information has been stolen. If successful, the program will serve as a model for other jurisdictions.
Identity theft is committed when someone uses personal information, such as the name, address, or social security number of another person, in order to commit fraud or other crimes. According to Ohio Attorney General Jim Petro (himself a three-time victim of identity theft), approximately 100,000 Ohioans are victimized by identity theft each year. Nationwide, the number of victims in 2003 was ten million. Businesses, individuals, and law enforcement lose more than $50 billion per year because of the crime. It can take up to two years for a victim to clear up a credit record that has been marred by identity theft.
According to Petro, the effects of identity theft are not measured merely in dollars. It is not unusual for victims to lose job opportunities or to be refused loans for education, housing, or automobiles. When he announced the program, Petro told of an Ohio woman who had been arrested, had had her car impounded, had been sued in a civil lawsuit, and had had her driver's license suspended. All of these things occurred because a former acquaintance had given the victim's name instead of her own when she was involved in a traffic accident.
The first step in the program takes place when a person notifies police that his or her identity has been stolen. Victims must prove not just theft of their identity information, but also that the information has been used for an illegal purpose. In other words, someone who has simply lost a purse or wallet may not obtain assistance under the Passport program. There must be evidence that the identity information was actually used for an illegal purpose, such as to open a credit card account fraudulently.
Once authorities verify the facts, they work with the victim to fill out an application. The victim is fingerprinted, provides a digital signature for the application, and is photographed.
The collected information is sent to the Ohio Attorney General's office. Victims are then issued a card that they can show to creditors and law enforcement authorities. The card proves that a person has been the victim of identity theft.
To prevent further criminal activity, the card has various security features built in. Moreover, it can only be activated through a special verification phone number that the victim must call from another specific phone number. Petro called the card the "cornerstone" of the program.
If someone tries to use a victim's identity again, the card will help to alert law enforcement officials and creditors that a new crime is being attempted. The person claiming to be the identity-theft victim will have his or her identity verified through the digital signature, photograph, and fingerprint. Likewise, the card helps authorities and creditors to identify a person as the victim of the theft and to rule that person out as an offender.
Only the Passport holder's photo appears on the card. The signature information and fingerprint are available through a secure, restricted web site. Law enforcement authorities and creditors use the information on the web site to verify that a person is the victim, rather than the perpetrator, of identity theft. Creditors and law enforcement personnel may also use a special phone number instead of the web site to verify the information.
Under the program, all identity theft victims receive step-by-step instructions on alerting creditors to the fraudulent activity involving their identity. Victims also receive fill-in-the-blank affidavits to send to creditors and credit bureaus.
The program is retroactive. Anyone who was a victim of identity theft in Ohio during the seven years prior to December 14, 2004, may apply to the program. Those who were victimized before December 14, 2004, need to return to the police station where the criminal report was originally filed. At the station, authorities will work with the crime victim to fill out a Passport application. Only Ohio law enforcement personnel are authorized to fill out an application form.
Identity Theft
IDENTITY THEFT
identity theft is the assumption of a person's identity in order, for instance, to obtain credit; to obtain credit cards from banks and retailers; to steal money from existing accounts; to rent apartments or storage units; to apply for loans; or to establish accounts using another's name. An identity thief can steal thousands of dollars in a victim's name without the victim even knowing about it for months or years. Identity thieves are able to accomplish their crimes by doing things such as opening a new credit card account with a false address, or using the victims's name, date of birth, and social security number. When the thief uses the credit card and does not pay the resulting bills, the delinquent account is reported on the victim's credit report.
As increasing numbers of businesses and consumers rely on the internet and other forms of electronic communication to conduct transactions, so too is illegal activity using the very same media on the rise. Fraudulent schemes conducted via the Internet are generally difficult to trace and to prosecute, and they cost individuals and businesses millions of dollars each year.
According to a justice department web site devoted to the topic, internet fraud refers to any type of scheme in which one or more Internet elements are employed in order to put forth "fraudulent solicitations to prospective victims, to conduct fraudulent transactions, or to transmit the proceeds of fraud to financial institutions or to others connected with the scheme." As pointed out in a report prepared by the National White Collar Crime Center and the federal bureau of investigation (FBI), "The Internet Fraud Complaint Center (IFCC) 2001 Internet Fraud Report: January 1, 2001– December 31, 2001," major categories of Inter-net fraud include, but are not limited to, auction or retail fraud, securities fraud, and identity theft.
Securities fraud, also called investment fraud, involves the offer of bogus stocks or high-return investment opportunities, market manipulation schemes, pyramid and Ponzi schemes, or other "get rich quick" offerings.
In its May 2002 issue, Internet Scambusters cited a study by Gartner G2 showing that online merchants lost $700 million to Internet fraud in 2001. By comparison, the report showed that "online fraud losses were 19 times as high as offline fraud." In fact, the study pointed out that in the same year more than 5 percent of those who made purchases via the Internet became victims of credit card fraud.
The IFCC, in its 2001 Internet fraud report, released statistics of complaints that had been received and then referred to law enforcement or regulatory agencies for action. For the 12-month period covered by the report, the IFCC received over 17 million inquiries to its web site, with nearly 50,000 formal complaints lodged. It must be noted, however, that the number of complaints included reports of computer intrusions and unsolicited child pornography.
Significant findings in the report revealed that Internet auction fraud was the most reported offense, comprising 42.8 percent of referred complaints. Besides those mentioned above, top fraud complaints also involved non-delivery of merchandise or payment, credit/debit card fraud, and confidence fraud. While it may seem easy to dismiss these concerns as obvious, the schemes to defraud customers of money or valuable information have become increasingly sophisticated and less discernible to the unsuspecting consumer.
The "IFCC 2001 Internet Report" revealed that 81 percent of those committing acts of fraud were believed to be male, and that nearly 76 percent of those allegedly involved in acts of fraud were individuals. According to the report, California, Texas, Florida, New York, and Illinois were the states in which half of the perpetrators resided. The report also provided a shocking example of just how difficult a task tracking down those involved in Internet fraud can be. According to the report, out of the more than 1,800 investigations initiated from complaints during 2001, only three arrests were made.
One example of the growing sophistication of Internet fraud cases can be seen in a 1997 case brought by the federal trade commission (FTC). FTC v. Audiotex Connection, Inc., CV-97 0726 (E.D.N.Y.), specifically concerned a scam in which Internet consumers were invited to view or to access free computer images. As reported in a February 10, 1998, FTC statement made before a Senate Subcommittee on Investigations of the Governmental Affairs Committee, when viewers attempted to access the images, their computer modems were surreptitiously disconnected from their local Internet Service Providers (ISPs) and were reconnected to the Internet through defendants' expensive international modem connections. Exorbitantly priced long-distance telephone charges continued to accrue until the consumer turned off the computer, even if he or she had exited the defendants' web site and moved elsewhere on the Internet. Approximately 38,000 consumers fell for this scam, losing a collective $2.74 million
A U.S. Department of Justice web site that addresses the major types of Internet fraud reported the following examples of illegal activity carried out using the medium.
Two separate Los Angeles cases demonstrate the intricacies of securities fraud and market manipulation. In the first case, defendants bought 130,000 shares of bogus stock in NEI Webworld, Inc., a bankrupt company whose assets had been liquidated. Defendants in the case then posted e-mail messages on various Internet bulletin boards, claiming that NEI was being acquired by a wireless telecommunications company. Within 45 minutes of the posting, shares increased from $8 to $15 each, during which time defendants "cashed out." The remaining stock was worth 25 cents per share within a 30-minute period. The second example involves a case in which an employee of Pair-Gain Technologies set up a fraudulent Bloomberg News web site and reported false information regarding the company's purchase by a foreign company. The employee then posted bogus E-mail messages on financial news bulletin boards that caused a 30 percent manipulation of PairGain stock prices within hours.
In another example of investment fraud, perpetrators used the Internet, along with telemarketing techniques, to mislead more than 3,000 victims into investing almost $50 million in fraudulent "'general partnerships' involving purported 'high-tech' investments, such as an Internet shopping mall and Internet access providers."
More than 100 U.S. military officers were involved in a case of identity theft. Defendants in the case illegally acquired the names and social security numbers of the military personnel from a web site, then used the Internet to apply for credit cards issued by a Delaware bank. In another case of identity theft and fraud, a defendant stole personal information from the web site of a federal agency, and then used the information to make applications for an online auto loan through a Florida bank.
Finally, the Department of Justice web site gives an example of a widely reported version of credit card fraud. In the elaborate scheme, a perpetrator offers Internet consumers expensive electronics items, such as video cameras, at extremely low prices. As an incentive, they tell consumers that the item will ship before payment is finalized. When terms are agreed to, the perpetrator uses the consumer's name and address, but another party's illegally obtained credit card number, to purchase the item through a legitimate online vendor. Once the consumer has received the item, he or she authorizes credit card payment to the perpetrator. In the meantime, when the credit card holder, whose card number was used to purchase the item, stops payment on the unauthorized order, the vendor attempts to reclaim the merchandise from the consumer. The defrauded consumer, the victim of the credit card theft, and the merchant usually have no simple means of redress, because by the time they catch on, the perpetrator has usually transferred funds into untraceable accounts.
In October 1998, Congress passed the Identity Theft and Assumption Deterrence Act of 1998 (Identity Theft Act) 18 U.S.C. § 1028 to address the problem of identity theft. Specifically, the Act amended 18 U.S.C. § 1028 to make it a federal crime when anyone: knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable State or local law. Violations of the act are investigated by federal investigative agencies such as the u.s. secret service, the FBI, and the U.S. Postal Inspection Service and are prosecuted by the Department of Justice.
The Federal Trade Commission (FTC) is the federal clearinghouse for complaints by victims of identity theft. Although the FTC does not have the authority to bring criminal cases, it assists victims of identity theft by providing them with information to help them to resolve the financial and other problems that can result from identity theft. The FTC also may refer victim complaints to other appropriate government agencies and private organizations for further action.
Consumers can protect themselves from this type of crime by protecting information such as credit card and social security numbers and by shredding mailed offers to obtain credit. They also can check their credit reports for unknown accounts. In the event of identify theft, an alert
can be placed on a credit bureau that notifies consumers of potential fraudulent activity. Consumers who are victims can also write a statement that will appear on their credit reports explaining the criminal activity. Most banks and major credit card companies have fraud departments with staff who are trained to address these situations, but often the consumer feels that the onus is on him or her to prove lack of wrongdoing, and many victims report frustration at having their credit and lives destroyed by identity theft. A number of states have taken action to make identity theft a state crime.
further readings
Collins, Judith M., and and Sandra K. Hoffman. 2003. Identity Theft Victims' Assistance Guide. Flushing, N.Y.: Looseleaf Law Publications.
Newman, John Q. 1999. Identity Theft: the Cybercrime of the New Millenium. Port Townsend, Wash.: Loompanics Unlimited.
Identity Theft
Identity Theft
█ KELLI A. MILLER
Identity theft is among the fastest growing crimes in America. A thief typically steals someone's identity, opens checking and credit card accounts in that person's name, then goes on a spending spree. The rate of identity theft or identity fraud had so escalated in the late 1990s that the Social Security Administration declared it a national crisis.
Identity theft is the most popular—and most profitable—form of consumer fraud. It encompasses all types of crime in which someone illegally obtains and fraudulently uses another person's confidential information, most often for financial gain. A person's Social Security number is valuable to an identity thief. Armed with the Social Security number, a criminal can open a bank account or credit card account, apply for a loan, and remove funds from varying financial accounts. In some cases, criminals have assumed the victim's identity altogether, amassing debt and committing crimes that become a part of the victim's criminal record.
The identity trail. Advanced computer and telecommunication technologies have armed thieves with new ways to obtain large amounts of personal data from afar. Hackers can spy on e-mail and Internet users, silently stealing passwords or banking information. Old-fashioned concepts such as "dumpster diving" still prevail. Thieves sort through garbage for telltale signs of identity such as
cleared checks, bank statements, even junk mail, such as "preapproved" credit cards.
Other criminal tactics include "shoulder surfing" and "skimming." A "shoulder surfing" criminal spies on someone as they type in a Pin number or password at an automatic teller machine (ATM). "Skimming," one of the newest schemes, occurs when a cashier receives a credit card for a purchase, then unknown to the victim, swipes it through a portable device that records the card information.
Consumer advocates estimate that 750,000 people will become victims of identity fraud every year. The statistic is a startling difference from numbers logged just a decade ago. In 1992, the credit reporting agency TransUnion logged about 35,000 identity theft complaints. A decade later, the company received more than a million calls.
Measures can be taken to minimize the risk of identity theft. Security experts recommend carrying a limited number of ID cards and credit cards, signing all new credit cards immediately with permanent ink, steering clear from unsecured Internet sites, and never writing a PIN, password, or Social Security number on credit cards or in briefcases or wallets. Cashiers should be observed as they process an order and personal or account information should not be revealed to anyone without first verifying their identity. Other tips include creating passwords that are not obvious (i.e., do not use birth dates) and checking credit reports periodically for accuracy.
Identity theft affidavit. In many cases, the victim may not realize their identity has been stolen until a negative situation arises. When the crime is finally discovered, the victim must provide proof that they did not create the debt themselves. This involves a laborious process of contacting each and every company where accounts were fraudulently opened. Persons whose identities have been stolen can spend months, even years, remedying the problem. To reduce the burden, the government established the ID Theft Affidavit, a single form that alerts all participating companies about the crime. A number of financial organizations, including the top three credit reporting agencies, endorse the ID Theft Affidavit.
According to the U.S. Federal Trade Commission (FTC) and U.S. General Accounting Office (GAO), the average victim spends anywhere from $1,000 to over $10,000 per incident of identity theft or fraud to reclaim and reestablish identity and credit. Victims of identity fraud should notify all three national credit reporting agencies (Equifax, Experian, TransUnion) immediately and request that their files be flagged with a fraud alert. The crime should also be reported to the police and the FTC, and in some cases, the Social Security Administration, Department of Motor Vehicles, and the U.S. Post Office.
Identity Theft and Assumption Deterrence Act. The threat to privacy has prompted a number of new laws governing fraud. In 1998, Congress passed the Identity Theft and Assumption Deterrence Act. The legislation created a new offense of identity theft, making it a separate crime against the person whose identity was stolen. Prior to this legislation, identity theft was considered a crime only against the company the victim defrauded. Under the Federal identity theft act, it is a crime for any person to "knowingly transfer[ring] or use[ing], without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law." Violators face a maximum term of 15 years in prison, a fine, and criminal forfeiture of any personal property used or intended to be used to commit the offense.
ID thieves are often charged with other violations, including credit card fraud, computer fraud, and mail fraud. These felonies can carry substantial penalties and up to 30 years' imprisonment. The Federal Bureau of Investigation (FBI), the United States Secret Service, and the United States Postal Inspection Service help prosecute identity theft cases. Many states have also enacted legislation regarding identity theft. Arizona led the way with a specific identity theft statute passed in 1996. As the crime's serious threat became evident, more states followed suit. In 1999, 22 states passed identity theft legislation. According to a GAO 2002 report, identity theft can be a felony offense in 45 of the 49 states that have laws to address the problem. Two years after the passage of the federal identity theft act, the Justice Department testified that it had used the statute in 92 cases, according to a GAO report.
The Identity Theft and Assumption Deterrence Act required the FTC to "log and acknowledge the receipt of complaints by individuals who certify that they have a reasonable belief" that someone stole their identity. The act enabled the creation of the Identity Theft Data Clearinghouse, a federal database for tracking complaints. Consumers call a toll-free hotline (1–877-ID-THEFT) to enter their complaint, and have the option to do so anonymously. When established in 1999, the FTC logged about 260 calls per week. In December 2001, the hotline was receiving more than 3,000 contacts a week.
Identity fraud complaints and related information are shared electronically between the FTC and other law enforcement agencies nationwide via the Consumer Sentinel Network, a secure, encrypted website. The network was initially set up in 1997 as a way of tracking telemarketing scams. As of May 2002, 46 federal law enforcement agencies and over 18,000 state and local departments had enrolled in the FTC's Consumer Sentinel Network collaboration. Accessing the Network allows police to analyze identity theft cases and determine if there is a larger pattern of crime. At this time, comprehensive results involving the number of cases prosecuted under the federal identity theft act and state statutes are not available.
█ FURTHER READING:
ELECTRONIC:
Federal Trade Commission. "ID Theft: When Bad Things Happen to Good People." September 2002. <http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm#occurs> (December 11, 2002).
Federal Trade Commission. "Identity Theft." August 7, 2002. <http://www.consumer.gov/idtheft/>(December 01,2002).
Georgia Stop Identity Theft. "What is Identity Theft?" 2002. <http://www.stopidentitytheft.org/prevention.html#what>(December 01, 2002).
ID Theft Resource Center. "ID Theft." October 28, 2002. <http://www.idtheftcenter.org/.> (December 01, 2002).
SEE ALSO
Computer Fraud and Abuse Act of 1986
FBI (United States Federal Bureau of Investigation)
Justice Department, United States Postal Security
Postal Service (USPS), United States
Secret Service, United States
Identity Theft
Identity Theft
What It Means
Identity theft is the act of stealing another person’s identifying information, including his or her name, address, telephone number, Social Security number (SSN), bank account numbers, and credit card numbers. Having obtained some or all of this information about someone, the thief may pose as that person and attempt to carry out financial transactions, such as credit card purchases and bank account withdrawals, in the victim’s name.
To understand identity theft, imagine that a person named Jim accidentally leaves his wallet on the counter at a store and that the wallet is discovered by a second person named Bob. Bob gets Jim’s address from the driver’s license in the wallet and steals some mail from Jim’s mailbox. Bob then goes to a financial institution and presents Jim’s driver’s license, SSN, and the mail that verifies Jim’s current living address. (Assume for the sake of the example that Bob resembles Jim closely enough that the bank representative does not notice anything amiss when looking at the picture on the license.) Bob requests and obtains a loan in Jim’s name. Bob subsequently fails to make the required payments on the loan, and creditors call Jim requesting the missing funds. Jim’s credit rating has been badly damaged, and he must prove to his creditors that the loan was falsely attained. Meanwhile Bob has purchased an expensive new car with the money loaned to him by the bank and driven away without leaving a trace of evidence.
Identity thieves have a number of methods of acquiring information, but the most common involve stealing wallets, watching people enter personal identification numbers (PINs) when they make withdrawals from automated teller machines (ATMs), and using computer technology to obtain people’s confidential personal and financial data. Identity theft often occurs in the workplace, where individuals have access to computer files with confidential employee information.
When Did It Begin
The term identity theft was first coined in around 1992, though such thefts had certainly occurred earlier in varying forms. It was during the 1990s that identity theft became the fastest-growing crime in the United States. In 1992 an average of 3,000 complaints of identity theft per month were registered with TransUnion, one of the three major American credit bureaus (for-profit companies that collect information about a person’s or a business’s financial stability and ability to pay future debts and sell it to such interested parties as banks and credit card companies). By 1997 TransUnion was receiving 47,000 complaints per month. According to U.S. Secret Service reports, nearly 95 percent of the arrests for financial crimes between 1995 and 1997 involved identity theft.
The huge increase in identity theft during the 1990s has been attributed to the development of the Internet and the growing popularity of online shopping (purchasing goods and services over the Internet by entering credit card data into company websites). Since 2000 online security technology has grown more sophisticated, and online shopping with credit cards has become considerably safer and more reliable. Before that time, however, hackers (people who illegally gain access to a person’s or an organization’s computer system) had considerably less difficulty accessing confidential information.
In response to this growing crisis, the United States Congress passed the Identity Theft and Assumption Deterrence Act on October 30, 1998. This act made identity theft a federal crime punishable by up to 15 years in prison, with fines of up to $250,000. Equally important, the act named the person whose identity had been stolen the true victim of the crime. Before this time the financial institutions that had been defrauded were named the victims of the identity theft.
More Detailed Information
Most legal experts agree that identity theft is easier to prevent than to resolve after it has happened. To prevent identity theft, people should avoid giving out personal information, such as birth dates, credit card numbers, and Social Security numbers, except when necessary. They should only share such information with known individuals and reputable institutions. It is recommended that people review monthly bank account and credit card statements double-checking that all transactions are authentic and shred any offers for pre-approved credit cards that arrive in the mail.
A Social Security number gives an identity thief the most access to a person’s private records and offers the greatest opportunity to cause harm. An SSN is a nine-digit number issued to U.S. citizens and residents that allows the government to track individuals for taxation purposes and to allocate retirement payments; employers, creditors, insurance companies, and others often require employees and customers to give their SSN as an identification number. An SSN is very difficult to change or invalidate, whereas if a credit card is stolen, the victim need only call the credit card company and cancel the card to avoid having to pay for any further purchases made on that card. Additionally credit card companies will usually inform their clients if they notice any uncharacteristic purchases, which would include items that the person does not normally buy and purchases made at geographic locations from which the client has never previously bought anything. If someone steals an SSN, however, he or she can obtain a credit card in the victim’s name, request a high credit limit (the amount of money that can be charged to the card), and do considerable financial damage before the victim even knows what has happened.
Furthermore a Social Security card comes with only two personal identifiers: the holder’s name and the number. Because there is no picture on the card, nor any other personal information such as the holder’s height, weight, or eye color, it is very difficult to tell whether or not a person using an SSN is the rightful holder of that SSN. Most institutions do not question that the person offering the number is the rightful holder of that information. Therefore, it is crucial that an individual never reveal an SSN over the phone or in an e-mail. In addition identity theft can result from putting an SSN on an official document, such as a license, a personal check, or a membership card to an institution. It is also unwise to carry an SSN in a wallet because wallets can be lost or stolen.
It is strongly advised that victims of identity theft call local police and keep records of all police reports. The victim should also call the following credit bureaus: Experian (Equifax (and TransUnion (Each of these agencies can take immediate steps to prevent the thief from continuing to cause damage. The final step is to cooperate with any of the agencies who have extended credit to the thief.
Recent Trends
Patterns in reported cases indicate that the instances of identity theft are decreasing but that the amount of money lost per stolen identity is rising. In other words thieves are stealing fewer identities but making more money. In 2003, 10.1 million adults reported that identity fraud crimes had been committed against them. This number dropped to 9.3 million in 2005 and to 8.9 million in 2006. In 2003, however, the reported amount of money lost in identity fraud cases was $52.3 billion. That number rose to $54.4 billion in 2005 and $56.6 billion in 2006. The average amount of money lost per victim of identity theft was $5,249 in 2003, $5,885 in 2005, and $6,383 in 2006.
Identity fraud cases are tending to take longer to resolve, though this pattern has fluctuated over the years. In 2003 the average resolution time was 33 hours per victim. In 2005 the average time was 28 hours, and in 2006 it was 40 hours. Resolution of identity theft does not mean that a suspect has been apprehended. Rather it means that fraudulent transactions have been identified and measures have been taken to discontinue future illegal transactions.
Identity Theft
Identity Theft
A forensic investigation can involve tracing the whereabouts of a person or their finances (a facet of forensic accounting ). Someone who is eluding capture can adopt a new identity or assume the identity of someone else. The mechanisms of identity theft must be familiar to a forensic scientist.
Identity theft is the most popular—and most profitable—form of consumer fraud, and is among the fastest growing crimes in America. It encompasses all types of crime in which someone illegally obtains and fraudulently uses another person's confidential information, most often for financial gain. A person's Social Security number is valuable to an identity thief. Armed with the Social Security number, a criminal can open a bank account or credit card account, apply for a loan, and remove funds from varying financial accounts. In some cases, criminals have assumed the victim's identity altogether, incurring debt in the victim's name and committing crimes that become a part of the victim's criminal record.
The rate of identity theft or identity fraud so escalated in the late 1990s that the Social Security Administration declared it a national crisis.
Advanced computer and telecommunication technologies have armed thieves with new ways to obtain large amounts of personal data from afar. Hackers can spy on e-mail and Internet users, silently stealing passwords or banking information.
Old-fashioned methods also remain effective. "Dumpster diving" thieves sort through garbage for telltale signs of identity such as cleared checks, bank statements, even junk mail, such as "preapproved" credit cards. A "shoulder surfing" criminal spies on someone as they type in a pin number or password at an automatic teller machine (ATM). "Skimming" occurs when a cashier receives a credit card for a purchase, then surreptitiously swipes the card through a portable device that records the card information.
The threat to privacy has prompted a number of new laws governing fraud. In 1998, Congress passed the Identity Theft and Assumption Deterrence Act. The legislation created a new offense of identity theft, making it a separate crime against the person whose identity was stolen. Prior to this legislation, identity theft was considered a crime only against the company the victim defrauded. Under the federal identity theft act, any person "knowingly transferring or using, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law" will be charged with a crime. Violators face a maximum term of 15 years in prison, a fine, and criminal forfeiture of any personal property used or intended to be used to commit the offense.
Identity thieves are often charged with other violations, including credit card fraud, computer fraud, and mail fraud. These felonies can carry substantial penalties and up to 30 years imprisonment. The Federal Bureau of Investigation (FBI ), the United States Secret Service, and the United States Postal Inspection Service help prosecute identity theft cases. Many states have also enacted legislation regarding identity theft. Arizona led the way with a specific identity theft statute passed in 1996. As the crime's serious threat became evident, more states followed suit. In 1999, 22 states passed identity theft legislation. According to a U.S. General Accounting Office (GAO) report published in 2002, identity theft can be a felony offense in 45 of the 49 states that have laws to address the problem. Two years after the passage of the federal identity theft act, the justice department testified that it had used the statute in 92 cases, according to a GAO report.
The Identity Theft and Assumption Deterrence Act requires the Federal Trade Commission (FTC) to "log and acknowledge the receipt of complaints by individuals who certify that they have a reasonable belief" that someone stole their identity. The act enabled the creation of the Identity Theft Data Clearinghouse, a federal database for tracking complaints. Consumers call a toll-free hotline (1-877-ID-THEFT) to enter their complaint, and have the option to do so anonymously. When established in 1999, the FTC logged about 260 calls per week. By 2002, the hotline was receiving more than 3,000 contacts a week.
Identity fraud complaints and related information are shared electronically between the FTC and other law enforcement agencies nationwide via the Consumer Sentinel Network, a secure, encrypted Web site. The network was initially set up in 1997 as a way of tracking telemarketing scams. As of March 2005, more than 1,000 law enforcement agencies in the United States, Canada, and Australia had enrolled in the FTC's Consumer Sentinel Network collaboration. Accessing the Network allows police to analyze identity theft cases and determine if there is a larger pattern of crime. At this time, comprehensive results involving the number of cases prosecuted under the federal identity theft act and state statutes are not available.
see also Codes and ciphers; Computer forensics; Computer hackers; Document forgery; Technology and forensic science.
Identity Theft
IDENTITY THEFT
Fourth Circuit Upholds Verdict Against Equifax
The Fourth Circuit Court of Appeals in December 2007 affirmed a sizable verdict against one of the major credit agencies, Equifax, for the damages caused by the company's failure to correct errors that resulted from an identity theft incident. Although the court reduced the award for emotional distress caused to the victim, the $395,000 total verdict after appeal, including attorneys fees, was one of the largest in this type of case.
Suzanne Sloane on June 25, 2003 gave birth to her second child at Prince William Hospital in Virginia. While she was there, a hospital employee named Shovana Sloan noticed that Suzanne had a similar name and birthday. Shovana obtained Suzanne's social security number and began to obtain credit cards, loans, cash advances, and other goods and services in Suzanne Sloane's name. In two months, Shovana ran up $30,000 in debt in Suzanne Sloane's name.
Suzanne discovered these transactions in January 2004 when Citibank contacted her about the company's cancellation of a credit card that had been issued in her name. Citibank informed her that she needed to contact Equifax to discuss any concerns. She immediately tried to call Equifax, but could not get through. Instead, she visited the company website and obtained her credit report. The information on the credit report allowed her to identify Shovana Sloan's crimes. Suzanne Sloane immediately contacted the police as well as Equifax.
Equifax placed a fraud alert on Sloane's file and told her to “roll up her sleeves” and start contacting creditors about the identity theft. She notified about 20 of them during two days she took off from work. At the direction of several of these creditors, she submitted notarized forms to them for the companies to correct the errors on her credit history.
Despite her efforts, Sloane continued to experience problems stemming from the identity theft for several months after her initial discovery. In March 2004, she was turned down for a pre-qualification letter that she and her husband, Tracey, had planned to use to purchase a vacation home. At this time, the loan officer told Suzanne that her credit score was “terrible” and that she would not be able to obtain credit until she corrected her score with Equifax. Suzanne stopped applying for credit for the next seven months. In October 2004, she and Tracey tried to buy a used car but was again rejected due to problems with Suzanne's credit score. She had further problems in January 2005 when a loan company would only agree to offer her an adjustable rate loan instead of a 30-year fixed loan.
Sloane in March 2005 sent a formal letter to Equifax where she disputed 24 specific items that appeared on her credit report. The company agreed to remove all but two of them from Citifinancial, though Equifax later admitted that it should have removed all of them. Two months later, the two Citifinancial items remained, and the company had also erroneously restored two Washington Mutual accounts that had been previously removed. Over the next several months, Equifax continued to make mistakes, including running a report that contained Shovana Sloan's name but Suzanne Sloane's social security number. More egregiously, in May 2005, Equifax mailed a letter to Suzanne's home that was addressed to the name of Shovana Sloan. The letter indicated that Sloan may have been the victim of identify theft and offered to sell her a service that could monitor her credit file. Suzanne's attorney, A. Hugo Blankingship III, referred to Equifax's actions as “a comedy of errors.”
Suzanne presented evidence of the significant emotional distress that she suffered. Because she and her husband were constantly denied credit, they began to fight. Their marriage deteriorated to the point that Tracey was considering divorce as an option. They began to sleep in separate rooms, and Tracey refused to see a marriage counselor with Suzanne. Suzanne began to suffer from insomnia, and she had difficulty staying awake at work.
Sloane had also had problems with other credit reporting agencies, but those companies had corrected the problems relatively quickly compared with Equifax. On November 4, 2005, she filed suit against Equifax as well as Trans Union, Experian, and CitiFinancial. She alleged that the companies had violated the Fair Credit Reporting Act, 15 U.S.C.A. §§ 1681 et seq. She also sued Prince William Hospital as well as the company that had placed Shovana Sloan at the hospital. Sloane settled against all of the other parties, but Equifax refused to settle the case.
A jury in the U.S. District Court for the Eastern District of Virginia rendered a verdict in favor of Sloane. The jury awarded her $106,000 for economic loss and $245,000 for mental anguish , humiliation, and emotional distress. The court also ordered Equifax to pay $181,083 in attorney's fees. Equifax subsequently appealed the judgment to the Fourth Circuit Court of Appeals, which only partially affirmed the district court's ruling. Sloane v. Equifax Informatoni Servs., Inc., 510 F.3d 495 (4th Cir. 2007).
Equifax did not dispute the jury's findings but instead objected to the damage awards. According to the company, Sloane suffered only a single, indivisible injury, and that the court should have taken into account the settlements she had reached with the other credit reporting agencies. The company also argued that Sloane had not submitted evidence that supported her claim of economic loss. Moreover, Equifax stressed that the jury had made an unreasonable finding by awarding Sloane $245,000 for pain and suffering.
The court determined that the first two arguments were without merit. Though Sloane had suffered similar injuries due to the actions of the other credit reporting agencies, her problems with Equifax occurred both before and after she had problems with the other companies. The court also rejected Equifax's argument that Sloane had not suffered economic loss, for the denials of credit proved that she had suffered such harm.
The court agreed, however, that the jury's award for pain and suffering was excessive. On the other hand, the court had a difficult time identifying what amount would be appropriate. After reviewing published cases dealing with similar types of actions, the court reduced the pain and suffering award from $245,000 to $150,000.
Identity Theft
IDENTITY THEFT
Identity theft refers to stealing and illegally using another person's identity information, including name, date of birth, Social Security number (SSN), address, telephone number, and bank and credit card numbers. Identity theft has become the fastest-growing financial crime in the United States and around the world. As Assistant U.S. Attorney Sean B. Hoar reported, in the United States, 94 percent of financial-crime arrests in 1996 and 1997 involved identity theft, and actual losses to individuals and financial institutions totaled $450 million in 1996 and $745 million in 1997. Over the same period, Master-Card stated that losses because of identity theft represented about 96 percent of its member banks' overall fraud losses ($407 million in 1997).
METHODS OF IDENTITY THEFT
There are many methods of identity theft, but the two most common ones are the physical theft of identification documents and information and computer-based, cyber-space theft. In addition, there are organized crime schemes aimed at stealing personal information.
Physical thefts might include pickpockets stealing purses or wallets for credit cards, driver's licenses, passports, and checkbooks. At automated teller machine (ATM) stations, thieves can peek over people's shoulders when they use credit or debit cards in an attempt to learn the personal identification number associated with the card. Thieves steal mail, garbage, and recycling looking for bank statements, credit card receipts, and other sources of personal information. Even family members have been known to assume the identity of another family member in order to commit financial fraud.
Contact information for three credit bureaus | |||
Credit bureau | Website | Credit report | Fraud unit |
Experian | www.experian.com | 888-397-3742 | 888-397-3742 |
Equifax | www.equifax.com | 800-685-1111 | 888-766-0008 |
TransUnion | www.transunion.com | 800-888-4213 | 800-680-7289 |
On the Internet, thieves use high-tech skills to obtain people's usernames, passwords, credit card numbers, and other valuable information. At businesses and hospitals, employees may access their company networks to steal database files of customer and personnel records for criminal use. Organized crime schemes involve hiring hackers or bribing employees to steal valuable information from corporate databases.
PREVENTING IDENTITY THEFT
To avoid being the victim of identity theft, the following proactive measures should be taken:
- Do not give out personal information except when absolutely necessary
- Avoid having a SSN printed on a driver's license, a personal check, or membership cards
- Refuse to give a SSN over the phone, in an e-mail, or as identification for store purchase and refund
- Exercise caution when using credit or debit cards at ATM stations, stores, restaurants, and online stores; do not let others get access to such information
- Carefully review monthly statements from credit card companies and banks for accuracy; report any problem to them immediately
- Keep personal, financial, and medical records in secure places; shred old documents and mail such as preapproved credit card solicitations, credit card receipts, and bank statements before throwing them away
- Do not place outgoing mail in unlocked mailboxes because a red flag up on the mailbox could attract thieves; promptly remove delivered mail from unlocked mailboxes
STEPS FOR VICTIMS TO TAKE
Victims of identity theft should take the following countermeasures:
- Immediately report the identity theft to the local police, and keep a copy of the police report as evidence
- Immediately call each of the three credit bureaus (see Table 1) and request credit reviews and a 90-Day Initial Security Alert or a 7-Year Fraud Victim Alert to prevent further damages
- Work cooperatively with any creditors of accounts where fraud occurred
see also Crime and Fraud; Cyber Crime
bibliography
Experian. http://www.experian.com
Hoar, Sean B. (2001, March). Identity theft: The crime of the new millennium. United States Attorneys' USA Bulletin, 49 (2). Retrieved November 17, 2005, from http://www.usdoj.gov/criminal/cybercrime/usamarch2001_3.htm
TransUnion. http://www.transunion.com
Jensen J. Zhao
Identity Theft
Identity Theft
The assumption of a person's identity in order, for instance, to obtain credit; to obtain credit cards from banks and retailers; to steal money from existing accounts; to rent apartments or storage units; to apply for loans; or to establish accounts using another's name.
United States v. Choicepoint
ChoicePoint, Inc., one of the largest purveyors of personal information in the United States, agreed in January 2006 to pay a federal fine of $10 million after security breaches exposed the personal information of more than 163,000 customers. In addition, the company required to pay $5 million that will be placed in a compensation fund for consumers. This represents the largest civil penalty in the history of the Federal Trade Commission (FTC).
The number of cases of identity theft that have been directly linked to the ChoicePoint security failures remains uncertain, but the FTC has estimated that more than 800 cases are involved. Money from the compensation fund has been placed in an account and will be distributed to those individuals who can show real damages. Under the terms of the settlement, ChoicePoint did not admit to any of the charges filed against it by the FTC. However, the FTC voted unanimously to accept the terms.
The data-brokerage company, based in Alpharetta, Georgia, unwittingly delivered electronic information including names, addresses, Social Security numbers, financial details, and other personal information to Los Angeles based con artists who were posing as officials in the debt collection, insurance, and check-cashing businesses.
ChoicePoint regularly sells information to intelligence officials, police officers, lawyers, and reporters via the Internet. The company's databases include records with information such as the criminal records and credit histories of almost every adult in the U.S. The tip of the iceberg for the insufficient security at ChoicePoint was discovered in late 2004, when ChoicePoint employees noticed that requests for information from several seemingly legitimate California-based companies were being sent by fax from public businesses, including Kinko's stores.
With help from Los Angeles authorities, ChoicePoint tricked a suspect, Olatunji Oluwatosin, into returning to one of the Kinko's stores, where he was arrested and charged with violating identity theft statutes.
The settlement between ChoicePoint and the FTC sends a message to other companies that deal in personal information that higher standards must be applied to protect consumers, and ChoicePoint has agreed to enact tougher measures to ensure consumer privacy. These measures include verifying the legitimacy of businesses or organizations that request consumer information, making site visits to business locations, and auditing the use of the information by the businesses.
In addition, the terms of the settlement require ChoicePoint to "establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from or about consumers," according to an FTC statement. ChoicePoint must also obtain an audit for the security program from a qualified, independent professional every two years for the next twenty years.
The FTC stated that ChoicePoint had violated the Fair Credit Reporting Act by providing consumer information to applicants without verifying who they were and how they intended to use the information. The FTC also charged ChoicePoint with violating the FTC Act by making misleading statements about its privacy policies, including such claims as, "Every ChoicePoint customer must successfully complete a rigorous credentialing process. Choice-Point does not distribute information to the general public and monitors the use of its public record information to ensure appropriate use."
ChoicePoint had neglected to tighten security measures in the past, after receiving subpoenas from law enforcement officials relating to fraudulent activities as far back as 2001.
ChoicePoint chief executive Derek V. Smith said in a statement that the company had begun to implement the policy changes mandated by the terms of the settlement.
"Data security is critical to consumers, and protecting it is a priority for the FTC, as it should be to every business in America," FTC chairman Deborah Platt Majoras said in a statement.
The extent of the use or resale of the Choice-Point information remains unknown, according to authorities investigating the case. However, the fraud appears to have involved multiple states.
The high-profile ChoicePoint case has increased public awareness of the potential for security breaches from data brokers and has raised concerns about the ease of buying and selling personal information online, and the ongoing risk of identity theft as a result.