Identity Theft

They could have been anybody's grandparents: a sweet couple in their 70s happily enjoying their golden years. Instead, this retired Air Force officer and his wife spent at least part of 1999 sitting in front of the Maryland legislature, testifying about a crime so traumatic that they refused to provide their real names to the lawmakers before them trying to decide whether to limit the use of the Social Security number as an all-purpose identification number.

Their nightmare began when someone spotted a Social Security number and other personal information on the woman's Air Force dependent card. The information was used to open credit card accounts, apply for car loans, access information about her husband and obtain a Texas driver's license under his identity. By the time the couple realized that an imposter was using and abusing their good names, 33 fraudulent accounts had been opened to the tune of $113,000.

Despite their stellar financial record in the years before this larceny began, the couple cannot get a home mortgage and have been turned down for credit at Kmart and Sam's Club. "We have been through hell for the past three years," the man stated, "and don't see an end to it."

Identity theft is to the Information Age what rum-running and gangland murders were to the Prohibition era. Few formal statistics are kept, but there is little doubt that this type of fraud-which in many states is not even recognized as a punishable offense-already is the country's fastest-growing financial crime.

Trans Union LLC, one of the country's three major credit reporting agencies, reported hearing about approximately 350,000 cases of identity theft through 1998, and Visa reported to the General Accounting Office that U.S. fraud losses among its member banks topped $497 million in fiscal 1997.

Sgt. D.J. Nesel, a detective with the King County Sheriff's Office in Washington, said the crime is overwhelming local police departments. "We could devote our entire sheriff's department to investigating this one crime, and we still

wouldn't have enough resources," he said. "I call it the crime that keeps on giving, because victims are victimized and revictimized over and over and over again."

The causes are numerous: Although the federal government's lax regulation of the Social Security number has jump-started opportunities for criminals, state and local policies have fueled the crime. Nineteen states use the Social Security number for driver's licenses, and local birth record departments often supply birth certificates without any real identity verification, mailing the documents to a requester based on little more than a notarized letter.

"It used to be that when forgers were arrested, the police would find a stack of counterfeit driver's licenses in their briefcases," said Frank Abagnale, a former con man gone straight who advises states on high-tech security measures and combating this crime. "Now they find 10 to 20 legitimate driver's licenses with their pictures and somebody else's names. It's way too easy to defraud the system."

Meanwhile, victim complaints are stacking up in police departments and legislative offices, and alarmed bystanders note that if something effective is not done soon to stop the free flow of personal information and easy credit, the country will be asking one simple question: How can you prove that you really are who you say you are?

Fighting Fire With Fire

Many people in the law enforcement community believe that the only way for states to curb this new brand of information swindling is through the use of information technology.

"The privacy people don't want to hear this, but the key to it is biometrics," Nesel said. "Take a thumbprint, a fingerprint, something to secure that document. I can create or forge anything I want, but I can't steal a piece of you. It's cost-effective, it's efficient, and if you cross-match those prints in the driver's license database, you will just about cut out all this identity theft."

However, many proposed solutions are themselves controversial, particularly when it comes to setting up databases.

Nesel's proposal and others like it have created a firestorm among privacy advocates, who worry that any collection of identity data housed in a database will be used as a national identity system to track and monitor people. "We regard it as a frightening proposal, and we're opposed to it," said Barry Steinhardt, associate director of the American Civil Liberties Union.

Beth Givens, executive director of the Privacy Rights Clearinghouse, has spoken with more than 4,000 victims of identity theft, and she understands law enforcement's frustration with the current system.

"On the one hand, I can agree that the use of some kind of biometrics would be pretty much a foolproof way of determining the authenticity of credit applicants, driver's license applicants and the like, but the cure could well be worse than the disease," she said. "Because in order to get a fully functioning biometrics system in place, you're going to have to have a massive database of everyone's thumbprints, and when you've got that in place, I think we can count on that being used for other purposes, like social control."

The protests have had an impact. Washington state voters defeated a measure that would have required fingerprinting of licensed drivers, and the New York State Assembly didn't even consider the prospect when it put together a landmark identity theft legislative package of 14 bills this summer.

But despite the political danger, New York now takes fingerprints of welfare recipients to cut down on welfare fraud, and some states are implementing biometric measures at their driver's license bureaus. California, Texas, Colorado and Georgia all require drivers to give a thumbprint or fingerprint when they come in to request a new license or renew an old one.

Georgia, which began taking an index fingerprint on all its drivers three years ago, has seen a decline in the number of fraudulent licenses obtained. Texas, on the other hand, has been taking thumbprints for years, but with no database and no ability to cross-match the thumbprints, the system is not good at catching imposters.

Frank Elder, assistant chief of the Driver's License Division of the Texas Department of Public Safety, said the number of cases of identity theft has been rising, but that fingerprinting is helping investigators locate perpetrators at least some of the time.

"Unfortunately, by the time we get involved, it's after the fact," he said. "We can backtrack the file, look at the photo of the suspect and cross-match [his] fingerprint with law enforcement files, but we're dealing with such a paper trail that it's very difficult to catch the perpetrator."

Many imposters are able to flout the system with decidedly low-tech solutions, such as covering their fingers with airplane glue, which when dry covers the skin's ridges and makes fingerprints useless. Abagnale noted that driver's license attendants are not law enforcement agents. "It takes some know-how to get a good print," he said. "You've got to roll it from left to right and if you don't do it just right, you're going to end up with something unreadable."

Many states try to stop fraud by asking for additional pieces of identification, such as a Social Security number and an original birth certificate. Both measures, however, are easily stymied. The driver's license system is not integrated with the Social Security database, so there's no way to determine whether the number given is valid, and even if it is, the imposter likely got the number by stealing it along with other personal information.

In addition, most crooks can easily obtain birth certificates by applying for one and doing their own notarizing or by obtaining information from death records and using that information to obtain birth records. There's no computerized integration between the birth and death records departments.

Birth records departments are aware of the problem, but their solution focuses on the trees rather than the forest, said Abagnale, who has designed high-tech birth certificates for a number of states to guard against counterfeiting and alterations. The documents include high-tech mechanisms that void the document if someone tries to copy it or chemically alter it with bleach, acetone, hydrochlorides or some other substance. Nonetheless, "I tell them, 'This isn't going to stop an imposter from getting someone else's birth certificate,' " he said. "And their response is, 'Well, we know that, but that's another issue.' They don't seem to care about it."

In fact, many crooks-armed with high-tech computers, laser printers and scanners-avoid the whole fraud issue by moving directly to counterfeiting. In response, a large number of driver's license departments have designed high-tech digital documents bearing such security features as holograms, digital photos, magnetic stripes and encryption.

"Unfortunately, though, counterfeiting of driver's licenses is on the rise," said Sgt. Doug Richardson, who heads the Driver's License Fraud Unit at the Georgia State Patrol. He said the bureau has implemented secure digital licenses. "Unfortunately, technology has gotten so good that the crooks can create a pretty reasonable copy. They start out one step behind whatever we've implemented, but they catch up pretty quickly and move ahead of us."

Washington state, after watching its fingerprinting measure get defeated, compromised on the issue by funding a new digital license. The $3 million system, though, will not be built and implemented until 2001.

Nesel and other law enforcement officials have publicly criticized the measure as a huge waste of money. "As soon as someone comes in with an out-of-state license that's been obtained fraudulently or they come in with an original birth certificate in someone else's name, you've automatically crippled the system," Nesel said. "All you're doing is giving a false sense of protection."

Opposing Views, Same Goal

Privacy advocates say that the solution to preventing identity theft is a simple, three-step process: Curb the use of the Social Security number as a unique identifier for business use, a measure that has been introduced in Congress and defeated several times over the past decade; force credit-granting agencies to require more identifiers and shore up their credit card policies; and restrict all selling of personal information by credit bureaus, state and federal agencies, and marketing firms.

But few state officials believe that the federal government is going to get involved. Ultimately, the solution that keeps coming to the fore is a full-scale database with cross-matching capability.

The system, which already has been developed by 3M Corp., would involve a central processing system and a fingerprinting system. When someone wants to renew a driver's license, for example, she would lay her finger on a scanner, and the data would go to the central processing system. If the fingerprint was in the database, it would pull the matching information and a digital photo. If the photo matched the person standing in front of the counter, then a driver's license would be issued. The driver's license would look like a credit card, complete with a magnetic stripe or bar code that contained a digital encryption of the person's thumb print.

But if the person standing at the counter didn't match the digital photo, then that person would be detained on suspicion of fraud.

"Once the system was in place, there would be only one way to fool the system, which would be the first time you applied," Nesel said. "But after that, when you went back to renew under your name or someone else's name, you'd be caught and out of business."

Regardless of how effective such a system would be against fraud, privacy advocates argue fiercely that the information eventually would be misused. They point out that three states-Florida, South Carolina and Colorado-were recently caught selling their databases of digital driver's license photos to Image Data, a company in New Hampshire. The stated use of the photos was to give merchants a way to verify the identity of someone trying to write or cash a personal check. But the ACLU's Steinhardt said that the company's research was funded in part by the Secret Service.

"The real desire there is to create a nationwide photographic database for identification and tracking purposes," he said.

The privacy lobby's strong and united front has sent other states in search of legislative solutions. At least 15 states have introduced legislation that would make identity theft a unique crime with felony-level penalties. Massachusetts passed a sweeping package that provides protections for identity theft victims against having unpaid bills appear on their credit report when the victim has filed a police report and prohibits retailers, credit agencies and the Registry of Motor Vehicles from selling personal information without affirmative consent.

New York also has a number of bills on the table, including ones that would make identity theft a felony, prohibit agencies from selling personal information or digital photos, establish more credit card activation procedures and safeguards, establish new penalties for the misuse of birth and death certificates, and regulate the selling of consumer credit information.

"We are trying to close the loop on certain things that are very obvious," said New York Assemblywoman Audrey Pheffer. "But we'll have to keep adding new laws. Technology is moving so quickly that it's hard for the law to keep up."

Ultimately, privacy advocates and state officials said that states may have to unite and turn up the pressure on the federal government to solve this crime. "It's going to take a federal solution, beginning with changes in the way the Social Security number is used and the free and easy access businesses have to people's credit reports," Abagnale said. "Even with totally secure licenses and biometrics, the best the states can hope for is to Band-Aid the situation. And so the federal government had better take this issue up and soon."

Otherwise, as more and more victims find themselves in the fight of their lives to hang onto and recover their good names, it could end up being too late.

Heather Hayes is a free-lance writer based in Stuarts Draft, Va.

***

Biometrics

Literally, biometrics means "life measurement." It's always been controversial, but as technology continues to march forward, there seems to be no limit to the types of body parts that reveal a person's unique identity. Here are some of the current biometric technologies being considered for use in systems by government agencies, banks and security organizations.

Fingerprinting

Retina scanning

Iris scanning

Voice recognition

Facial recognition

Handwriting analysis

Hand print recognition

Hand vein geometry

***

Educating the Public

New York Attorney General Eliot Spitzer is so concerned about identity theft that a link to a prevention tip sheet holds a prominent position on his office's home page (www.oag.state.ny.us) under "News to Use."

"Unfortunately, public awareness about this crime is very low," an Attorney General's Office spokesperson said. "People just don't realize that it's out there until it happens to them or someone they know. And then, unfortunately, it's too late."

The site (www.oag.state.ny.us/consumer/tips/identity_theft.html) includes a short article that spells out how the crime occurs, how often it happens, what consequences a victim experiences and how to get help. Among the protection tips:

* Be careful who you give personal information to, including such key identifiers as your Social Security number and your mother's maiden name.

* Never provide any personal information, bank account numbers, or credit card information to anyone who contacts you through a telephone solicitation.

* Keep items with personal information in a safe place and keep a list of all credit cards, account numbers, expiration dates, and customer service numbers in a safe but easily accessed place so you can contact creditors if your credit cards are stolen.

* Destroy all ATM and bank receipts, old insurance forms, bank checks, expired credit cards, and any other papers that include personal information-including pre-approved credit card applications.

* Minimize the number of credit cards and items containing personal information that you carry with you.

* Mail letters containing checks, invoices or personal information from the post office mailbox rather than your unsecured home mailbox.

* Give out your Social Security number only when necessary.

* Closely monitor your credit card statements and your credit reports.