|
|
|
Technology News | May 2006
Technology and Easy Credit Give Identity Thieves an Edge John Leland & Tom Zeller Jr. - NYTimes
| Rose Seivert, a postal carrier, delivering mail recently to a high-security mailbox in a town house neighborhood in Phoenix. (Jeff Topping/NYTimes) | Phoenix — In a Scottsdale police station last December, a 23-year-old methamphetamine user showed officers a new way to steal identities.
His arrest had been unremarkable. This metropolitan area, which includes Scottsdale and Phoenix, has the highest rate of identity theft complaints in the nation, according to the Federal Trade Commission. Even members of the Scottsdale police force have had their identities stolen.
But the suspect showed officers something they had not seen before. Browsing a government Web site, he pulled up a local divorce document listing the parties' names, addresses and bank account numbers, along with scans of their signatures. With a common software program and some check stationery, the document provided all he needed to print checks in his victims' names — and it was all made available, with some fanfare, by the county recorder's office. The site had thousands of them.
The data were not as rich as some found in stolen mail or trash bins. But for law enforcement officials here, this was another turn in a cat-and-mouse game in which criminals have outpaced most efforts to stop them.
"We're trying to keep up with the technology," said Lt. Craig Chrzanowski, who runs Scottsdale's property crimes division, including a computer crimes unit started two years ago. "But they're getting a lot better."
In an economy that runs increasingly on the instantaneous flow of information and credit — aggressively promoted by banks and credit card companies despite the risks — Phoenix and its surrounding area provide a window on one of the system's unintended consequences.
According to a Federal Trade Commission survey in 2003, about 10 million Americans — 1 in 30 — had their identities stolen in the previous year, with losses to the economy of $48 billion. Subsequent surveys, by Javelin Strategy and Research, a private research company, found that the number of victims had declined to nine million last year but that the losses had risen to $56.6 billion.
In Arizona, one in six adults had their identities stolen in the last five years, about twice the national rate, according to the Javelin survey.
Arizona officials have responded with a preventive mantra: shred all documents and avoid giving Social Security numbers or bank account numbers to strangers over the telephone or the Internet. The State Legislature has passed tougher penalties for people caught stealing or trafficking in stolen identities.
But the real problem, many officials and consumer advocates say, lies elsewhere. In recent years banks have campaigned energetically to extend more credit to more people with fewer hassles, and retailers and consumers have embraced instant, near-anonymous access to credit.
Last year a group of prosecutors, law enforcement officers and security executives from banks and credit card associations met to discuss ways of curbing identity theft. The group had plenty of ideas, including PIN numbers or fingerprint verification for all credit card purchases and a ban on mailings that include blank checks.
But all ran counter to the promotional campaigns of banks and, banks say, to the desires of consumers.
"There's a disconnect between corporate leadership at financial institutions and their security departments," said Brad H. Astrowsky, a former prosecutor who was part of the group. "Marketing people are ruling the day in banking. They can do things to fix the problem, but they have no incentive and motivation to do it. Preventing something from happening is a cost. What's the benefit? It's hard to quantify."
A Hot Spot for Thieves
Several factors converge to make Arizona a hot spot for identity theft. Maricopa County, which includes Phoenix, is one of the fastest-growing counties in the nation, according to the Census Bureau, and its growth exaggerates trends that exist in many communities: a mobile population and high numbers of immigrants and retirees. It also has a heavy traffic in methamphetamine.
Methamphetamine users, whose binges keep them up for days in a row, have the time to sort through trash or old mail for Social Security numbers, bank account numbers or other identifying information, said Andrew P. Thomas, the county attorney. Dealers trade drugs for stolen identities that they use to launder their profits. Nearly half the identity theft cases in Mr. Thomas's office have a connection to methamphetamine, he said.
At the same time, he added, "More than half of the illegal immigrants entering the U.S. come through Arizona," creating a market for fraudulent Social Security numbers and driver's licenses.
Though Arizona passed the nation's first identity theft law in 1996, law officers say they are fighting a crime that is as swift and adaptive as the economy it exploits.
The newest wave of thefts here involves copying the magnetic strip from a victim's credit card onto the back of another. When thieves use the doctored cards, the transactions are charged to their victims' accounts. "Even if the cashier asks for my driver's license, the name on the front is going to match," said Todd C. Lawson, an assistant attorney general in Phoenix who specializes in identity theft prosecutions.
The machine to copy the magnetic strip, Mr. Lawson added, is the one nearly every hotel in America uses to recode room key cards.
And the county's Web site, which earned a place in the Smithsonian's permanent research collection on information technology innovation, has made Social Security numbers and other information, once viewable only by visiting the county recorder's office, accessible to anyone with an Internet connection. Police officers and prosecutors in Phoenix knew of just two cases involving public records, but most victims do not know how their identities are stolen.
For local law enforcement, pursuing even low-tech, small-time thieves is often complicated and expensive. The victim could be in Arizona, the thief in another state and the transactions spread all over the world. "If someone goes on the Internet and buys goods from Bangladesh, do you call witnesses from Bangladesh?" asked Barnett Lotstein, a special assistant county attorney.
Mr. Lawson said, "I don't think we prosecute 5 percent of it."
On a recent afternoon, Lt. Russ Skinner, who runs the county sheriff's computer crimes division, hefted three vinyl binders onto a wooden table. For the detectives in his unit, this is what the "crime of the 21st century" looks like: photographs of litter-strewn hotel rooms, and of a 33-year-old woman in various stages of methamphetamine-fueled decline.
When detectives caught up with her last August, after nearly three months of investigation, the woman was paying other users to steal mail for her — especially preapproved credit offers — and had parlayed those into credit cards or fraudulent accounts in 46 different names. She had secured housing, utilities and a series of small online loans in her victims' names.
"She wasn't the smartest or the most creative," Lieutenant Skinner said. "She just knew how to get it done."
A Connection to Drug Use
In the past, a drug user who needed money might go into a convenience store with a gun, Lieutenant Skinner said. "They're on the surveillance camera. They might get shot. They might get stopped in the parking lot for having a broken taillight," he said. "Now they can just sit at a computer, no one sees them and they can buy whatever they want."
Officials here began to notice a sharp rise in identity theft about five years ago, said Paul K. Charlton, United States attorney for the District of Arizona.
"The first tip-off was that we started to see a lot of mailbox break-ins by tweakers," Mr. Charlton said, referring to methamphetamine users.
When police officers raided home methamphetamine laboratories that were then proliferating on the outskirts of town, they found stacks of stolen mail or notebooks filled with credit card information. They also found thieves were using acetone, an ingredient used in methamphetamine production, to "wash" the ink off checks, a simple means of identity fraud.
These small laboratories lend themselves to identity theft rings, said John C. Horton, a White House aide in the Office of National Drug Control Policy. In a laboratory, one or two people typically have some technical knowledge, and others specialize in procuring materials.
Identity theft rings follow the same pattern, with a handful of grunts stealing mail for one person who knows how to turn the information into credit cards or checks, Mr. Horton said. "It doesn't seem to happen with cocaine or heroin because we don't produce heroin and cocaine in this country," he said. "Meth production is to some degree a social activity in the same way as identity theft."
Though the Arizona police have closed many laboratories, the identity theft rings have survived or multiplied.
From its commercial downtown, Phoenix extends in a patchwork of satellite communities, some so new that the highway connecting them does not appear on the maps in the central post office. In the mid-1990's, as Phoenix's population boomed, the Postal Service created cluster mailboxes that served whole housing developments. Like other conveniences associated with the city's rapid growth, the boxes have proved a boon for identity thieves.
"You can jimmy one open and get everyone's mail at the same time," said Mr. Lawson, the prosecutor. After numerous break-ins, the Postal Service has spent $12 million on reinforced mailboxes, but many communities here still have the old ones.
Some thieves drive around neighborhoods with their laptops until they find a resident's unsecured wireless Internet connection. If the police investigate a fraudulent purchase, they will trace it to the customer with the connection, not to the thief who placed the order.
Since 1994, a Phoenix security officer named Bob Hartle, frustrated by his own experience with identity theft, has led an often lonely campaign for tighter controls on organizations that handle people's data, and curbs on the way credit card companies, banks and stores grant credit.
Data breaches in the last year have exposed the personal information of more than 80 million Americans, according to the Privacy Rights Clearinghouse, a nonprofit organization that follows identity theft. On May 3, a thief stole computer disks holding the names, Social Security numbers and other information of 26.6 million veterans from the residence of a Department of Veterans Affairs employee who had taken the data home without authorization. In most states, organizations are not required to tell consumers if their identities have been compromised.
"It's the sharing of data without necessary safeguards that enables this crime to grow as it has," said Torin Monahan, an assistant professor of justice and social inquiry at Arizona State University. "The response is always 'protect yourself, go to these workshops, get a shredder.' That diverts attention away from the extent to which these are systemic problems."
Seventeen states have passed "credit freeze" laws enabling consumers to prevent banks or credit agencies from issuing new accounts in their names.
But here, as in other states, businesses have successfully opposed such legislation.
"They're fighting us tooth and nail," said Mr. Hartle, who runs ID Theft Services Inc., a nonprofit organization that provides free help for victims.
"Banks, credit card companies, retailers want to make it easy to buy," Mr. Hartle said. "They write off identity theft as a cost of doing business. So whenever legislation comes up that's going to cost them money, they throw themselves against it."
Nessa E. Feddis, senior federal counsel for the American Bankers Association, said freezing credit could create problems for consumers, especially if they needed to get a new cellphone or change residences in a hurry.
"A credit freeze is one of those things that sounds like a good idea, but people don't realize how often they need to use their credit report," Ms. Feddis said. "There's a balance between security and convenience."
She continued, "We all want fraud to go away, but we don't want to take 20 extra minutes every time we do online banking. We like buying airline tickets online, but there's a risk."
Though consumers worry about identity theft, Ms. Feddis said, banks absorb most of the losses.
Credit card companies point to new monitoring systems that have reduced loss from fraud as a percentage of overall transaction volume. At Visa, fraud accounted for 7 cents per $100 in transactions, down from 18 cents per $100 in 1990. "We could have a system reducing fraud to zero basis points, but it wouldn't meet what consumers are demanding," said Rosetta Jones, a Visa spokeswoman. "We need to deliver what consumers want in a way that is secure."
Fritz M. Elmendorf, a spokesman for the Consumer Bankers Association, described a chess match with identity criminals. For example, banks now protect prescreened credit card offers with address-matching technologies that make it harder for thieves to have cards sent to a drop address, Mr. Elmendorf said.
"There are more tools today than ever to ascertain the identity of a credit applicant," he said. "And the industry can point to a lot of things — some of which they won't talk about in detail — to validate people."
In the community of Chandler, southeast of Phoenix, Bobby Joe Harris questioned the efforts of businesses and banks to protect his identity.
Mr. Harris, 60, is a retired police chief. His wife, Judy, is a retired bank manager. Last December, Mrs. Harris was shopping at a Sam's Club store when a cashier said their membership had been canceled. When Mr. Harris tried to reactivate their membership in January, he learned that the store had issued a new credit card on their account to a woman who had said she was the couple's daughter.
"I don't have a daughter," Mr. Harris said. "I told the lady, 'I don't think so.' "
In two phone calls, possibly working with a store employee, the thief had raised the Harrises' credit limit to $10,000 from $3,500 and then to $15,000, and had run up charges of $11,093. No one had called them.
"It was only by luck that we found out," Mr. Harris said.
Seeking Protection
Though like most consumer victims the Harrises did not have to pay the bogus charges, they now pay $220 a year to LifeLock, a protective service that started last September in Phoenix.
The company's core service is simple: Whenever a bank or other business requests to look at a LifeLock subscriber's credit history, the company gets a fraud alert asking to confirm that the customer applied for credit. Federal law empowers consumers to get these alerts on their own, but they must reapply regularly to one of the three companies that issue credit reports.
Other companies offer different protections. None has had to prove that its services are effective.
When the Maricopa County recorder's office began posting records online in 1997, it was one of the first in the country to do so. Since then, legislatures in other states, including New York and Florida, have wrestled with whether — or how — to make their information available online.
A law in Florida requires that all Social Security and financial account numbers be stripped from online records by 2007, although new legislation may delay that another year.
In Phoenix, the county recorder's office posts 8,000 to 10,000 documents a day. Most are innocuous, but some, including divorce decrees and tax lien records, have sensitive information.
"I'm not insensitive to people's fear," said Helen Purcell, the county recorder. "I have the same fear. My information is out there, too." But it is far too late to start editing Social Security numbers or other data from the county Web site, she said. "We have 100 million documents out there now."
In the absence of full security, Arizonans cling to what protections they can. On a recent morning in Ventana Lakes, a development of older residents northwest of Phoenix, Lois Owen and Joan Schanks joined a small procession of neighbors to a community "shredathon" organized by the attorney general's office and AARP. Since the first shredathon last fall, residents around the state have carted 12 tons of paper to the mobile machines, in many cases supplementing the shredding they do at home.
"It's a big relief," Ms. Schanks said as she watched 20 pounds of old bank statements disappear. Yet even with the shredding, the residents here cannot begin to estimate how many people have their personal information, or how tempted any of those individuals may be to sell that information, Mr. Lawson, the prosecutor, said.
"You can take all the precautions you want," he said. "But everyone's exposed to a certain extent." College Door Ajar for Online Criminals Lynn Doan - LATimes
Computer systems at universities across the nation are becoming favorite targets of hackers, and rising numbers of security breaches have exposed the personal information of thousands of students, alumni, employees and even college applicants.
Since January, at least 845,000 people have had sensitive information jeopardized in 29 security failures at colleges nationwide. In these incidents, compiled by identity theft experts who monitor media reports, hackers have gained access to Social Security numbers and, in some cases, medical records.
"There are so many examples within the last year demonstrating that these universities are just real, true, vulnerable targets," said Michael C. Zweiback, an assistant U.S. attorney in Los Angeles who prosecutes hackers. "All of a sudden, it seemed like we were adding on another university every week to look into."
Although comprehensive statistics on breaches of college computer systems aren't collected by a single entity, industry experts agree that the situation is growing worse.
Computer security is an increasing concern for all types of private groups and government agencies. Last week, the Department of Veterans Affairs confirmed that electronic records of up to 26.5 million veterans and some spouses were stolen from the home of a federal employee.
Cyber security officials say hackers are realizing that colleges hold many of the same records as banks. But why hack a bank, one official asked, "when colleges are easier to get into?"
Colleges accounted for the largest percentage, roughly 30%, of computer security breaches reported in the media last year, according to ChoicePoint, a consumer data-collecting firm in Georgia.
FBI Special Agent Kenneth McGuire said that five years ago, his cyber crime unit in Los Angeles worked on one to three college hacking cases at a time. On a recent afternoon, his team was working with six colleges whose systems had been hacked.
Arif Alikhan, who oversees computer hacking cases for the U.S. attorney in Washington, said that when he was chief of cyber crime in Los Angeles between 2001 and 2005, his caseload doubled.
And for the first time in seven years, colleges identified security as the most critical issue facing their computer systems, according to a survey of about 600 colleges released this month by Educause, a nonprofit group that promotes information technology use. In a 2000 survey, security wasn't even among the top five concerns.
Hackers are drawn to colleges for various reasons.
In March, 41 Stanford University applicants hacked into the admissions system to see if they had been accepted. A man accused of hacking into USC's admissions system last year said he was only trying to prove that it was vulnerable.
In December, hackers appear to have broken into a system at the University of Washington to find a place to store their music files.
The openness that's rooted in the nature of academic institutions is partly to blame.
"Students want to be downloading MP3's. Professors want a system for general research," McGuire said. "Whenever you have such large portals to information open, you're going to have vulnerability to attacks."
Erich Kreidler, who teaches an engineering class at USC, said he posts everything online, including grades and final exams. "It's about convenience," he said.
But convenience can have a price.
Last month, the University of Texas discovered illegal access to 197,000 Social Security numbers of students, alumni and employees. Days later, a San Diego man was charged with hacking into the USC admissions system in June 2005.
Ohio University confirmed its third security breach since April, together compromising 360,000 personal records and a number of patented data and intellectual property files.
And Sacred Heart University in Connecticut reported last week that a security breach has compromised the Social Security numbers and some credit card numbers of 135,000 people — some of whom never applied to, worked at or attended the university.
Like many universities, a spokeswoman said, Sacred Heart collects personal information from college entrance exams, college fairs and recruiting firms. Robert M. Wood, chief information security officer at USC, said the college's computer system is scanned by hackers an estimated 500,000 times a day.
"It's pretty much a lot of doorknob rattling," he said. "But occasionally, they find an open door."
USC has reported two security breaches in the last year.
The University of California doesn't track security breaches, but ChoicePoint has logged five hacking incidents at UC campuses since January 2005. The California State University system reported at least 24 breaches since July 2003.
In March, an 18-year-old New Jersey man was convicted of breaking into a dozen systems at San Diego State. He was sentenced to three years' probation and must pay the school $20,000 in restitution.
John Denune, technology security officer for San Diego State, said the 2003 hack exposed the Social Security numbers of more than 200,000 people. The hacker wiggled his way through an outdated system in the drama department to reach the financial aid system.
Targets of hacking have been obscure, such as 1,700-student Anderson College in South Carolina, and well-known, such as Notre Dame. Finding the money to pay for security upgrades has been a major challenge for several schools.
"A university is fighting for every dollar to maintain a good education standard," said Rick Jones, an information security consultant in Los Angeles. "It doesn't necessarily allocate a security budget — at least not until it gets hit a couple times."
One identity theft protection firm in Arizona is catering to the college crowd. LifeLock, which charges consumers $10 a month to protect personal data, ran a full-page newspaper advertisement after the recent University of Texas hack, targeting those affected.
"We told everyone, 'You have been victimized once by the university. Take steps today,' " said Todd Davis, chief executive of LifeLock.
LifeLock has also forged partnerships with the University of Oklahoma and Arizona State University and is in talks with two other institutions.
As hacks ensue, college officials have had no choice but to increase security.
San Diego State doubled its computer security staff after the disastrous hack of 2003, said Denune, the campus security chief.
"Increasing security is expensive, it's time-consuming, and unless someone really sees the threat, it's easily put aside," he said. "This was a wake-up call."
Other colleges now require students to download anti-virus and firewall software before connecting to campus systems.
At Purdue University in Indiana, which reported two security breaches last year and two this year, students must change their passwords monthly to access class schedules, grades and e-mail.
The efforts are part of SecurePurdue, a program the college launched a year ago to counter the rising attacks, said Steve Tally, IT spokesman for the university.
"Universities are very attractive to hackers," he said. "Purdue has a very good name internationally and, unfortunately, it's brought us the kind of attention we don't want."
In 2004, the college began phasing out the use of Social Security numbers to identify students and employees.
In response to last year's hack, USC has reprogrammed its admissions system and requires users to change their passwords more often.
A technical security department created three years ago routinely scans computers connected to USC's network looking for machines that aren't equipped with updated anti-virus software.
At some colleges, new security measures have sparked complaints from students inconvenienced by lengthy virus scans and password prompts. But others say too much security is better than too little.
Tyler Dolezal was one of the 197,000 individuals whose Social Security numbers had been exposed in April's breach at the University of Texas. Dolezal has spent the last month trying to place fraud alerts with credit reporting agencies — a process that turned out to be unexpectedly complex because Dolezal, 18, hasn't established credit.
"These college systems hold really sensitive information on a whole lot of people," Dolezal said. "That needs to be protected as much as possible."
Computer hacking
Since January 2005, 15 universities in California have reported computer security breaches of personal records, affecting 614,080 individuals. Below is a sampling of those incidents:
Campus: USC
Individuals Affected: 270,000
Incident: July 8, 2005: Hack to online application database exposes names, addresses and Social Security numbers of students.
Campus: UC Berkeley
Individuals Affected: 100,000
Incident: March 11, 2005: Stolen computer compromises names and Social Security numbers of students and applicants.
Campus: Sonoma State
Individuals Affected: 61,709
Incident: Aug. 8, 2005: Computer hack exposes names and Social Security numbers of all students, faculty, staff and applicants from 1995 to 2002.
Campus: Cal State Chico
Individuals Affected: 59,000
Incident: March 14, 2005: Computer hack exposes names and Social Security numbers of current, former and prospective students, faculty and staff.
Campus: USC
Individuals Affected: 50,000
Incident: Nov. 11, 2005: Stolen computer server compromises names, Social Security numbers and other personal information of employees, donors and patients of the Keck School of Medicine.
Campus: Cal Poly Pomona
Individuals Affected: 31,077
Incident: July 29, 2005: Hack of two computer servers exposes names and Social Security numbers of current and former faculty, staff, students and applicants.
Campus: Stanford University
Individuals Affected: 10,000
Incident: May 11, 2005: Computer network breach compromises Social Security numbers and other personal information of recruiters and students.
Campus: UC Davis
Individuals Affected: 50
Incident: April 3, 2006: Stolen briefcases compromise names, addresses and Social Security numbers of health clients.
Sources: ChoicePoint |
| |
|