Who are you?

Identity theft is a growing problem whose costs are hitting consumers hard. But good solutions remain elusive.

Has this happened to you yet?

• Fortune’s David Kirkpatrick clicked on the Microsoft Word document containing his passwords, code numbers, URLs for work-related websites, and credit card numbers. But when he tried to open it he saw a message that read: "File is in use by another user." As a user of an insecure wireless network, Fitzpatrick’s data was transmitted 150 feet in every direction. He immediately canceled all the credit cards and changed sensitive passwords, including the one for his online banking account. As of mid-April he had not detected any misuse of this potentially stolen information.
• Art Sullivan of Newark, DE is one of 1,000 people in Delaware and nearly 145,000 people nationwide who got a letter in February from ChoicePoint, an information broker. The letters told them identity thieves might have gotten their names, addresses, Social Security numbers and credit reports. So every day since then, Sullivan has been checking his credit report online, thanks to a free year of credit monitoring provided by ChoicePoint. He also took ChoicePoint's suggestion that he put fraud alerts on his credit reports. “They gave me some tools to use so I can do this, I guess, for the rest of my life,” Sullivan said. “It's almost become a part-time job for me.”
• University of California, Berkeley researcher Diana Jones wants to know why her loan application was among those stolen from Berkeley, CA's McKevitt Volvo. Besides suffering the loss of $5,000 from an ATM she had never visited, Jones said, "The perpetrator opened new accounts in my name and charged $16,000 worth of merchandise at Wal-Mart, Target and Trader Joe's in Emeryville, CA. According to Jones, “I have lost hours of time and sleep, and it's been hard on my family.”
• Patricia Nelski of Carlton, MI, still fights to keep her credit record clean after a woman posing as her ran up $50,000 in bills, including a $4,000 loan from a Virginia bank. So Nelski did what the experts recommend - she ordered her credit report. It came back 22 pages long, filled with credit card and other accounts Nelski did not recognize. She isn't sure how the woman got her information, but when she did, she ran with it. Nearly 10 years and a second incident later, Nelski is still fighting to keep those black marks from ruining her credit “All it takes is one unscrupulous person, and your life is a wreck’’ according to Nelski.

In 1982, I wrote a paper on legal and technical issues in database privacy for an MIT Database course. 23 years later, these issues are more pressing than ever. According to a Federal Trade Commission survey released in September 2003, the latest year available, nearly 10 million Americans have been victims of some form of identity theft, resulting in $47.6 billion in damages accruing to businesses. Victims spent an average of 30 hours trying to fix the damage and suffered losses totaling $5 billion.

Some of this theft is unsophisticated -- laptops full of personal data disappear, stolen credit cards get used to make unauthorized purchases -- but a lot occurs online. Thieves hack into a consumer’s bank's computer system and steal their account numbers. Or they send scam e-mails encouraging people to renew their accounts on eBay by providing their name and other details. Or they infect a user’s computer with spyware that can extract information from the user’s hard drive. Having stolen a user’s name, date of birth, address and Social Security number, the theft can take out an auto loan or go on a credit card spree.

There is a big market for the fruits of this poisoned tree – in the form of online crime Web sites. And the government is trying to crack down on them. For example, in October 2004, New Jersey prosecutors, along with the Secret Service and the Department of Justice's Computer Crime and Intellectual Property Section, announced they had shut down three of the major online crime Web sites -- Shadowcrew, Carderplanet and Darkprofits -- and arrested 28 alleged participants who are scheduled to go on trial in October. On Shadowcrew alone, 4,000 members trafficked in 1.5 million stolen credit cards, causing $4 million worth of losses to financial institutions, according to the indictment.

The government hasn’t closed them all down. Social Security numbers can be had for $35 at www.secretinfo.com and $45 at www.iinfosearch.com, where users can also sign up for a report containing an individual's credit-card charges, as well as an e-mail with other “tips, secrets & spy info!”

Here are seven recent cases representing the theft of 3.5 million people’s identities:

• In mid-February 2005, ChoicePoint, the data broker and credit reporting agency with access to 19 billion records, said a criminal ring stole personal information on about 145,000 Americans. Their data had been mistakenly made available to a ring of thieves with apparent ties to Nigerian organized crime.
• LexisNexis, whose subsidiary, Seisint, sells personal data, said thieves might have accessed information on about 310,000 people by using stolen passwords. LexisNexis initially announced about 32,000 suspected thefts of identity data, which soon balloon to 310,000; LexisNexis found that the thieves were using the log-in names assigned to former employees of Seisint customers or were correctly guessing uncomplicated ID and password combinations or accessing customers' systems through a virus. Siesent suffered 57 incidents. And there were two more at other subsidiaries.
• Bank of America lost a backup tape containing Social Security numbers and other vital data on 1.2 million federal workers. As luck would have it, Bank of America's gaffe involved the loss of account records of U.S. senators, and that has helped galvanize Congress to consider taking action.
  HSBC and GM have recently announced that 180,000 holders of their jointly branded credit card should cancel and change their MasterCard credit cards that may have been stored in the retailer's system.
• In April, Retail Ventures also suffered a hack of credit information on customers of more than half of its 175 DSW stores, compromising the personal data of 1.5 million consumers' personal data.
• On April 14th, Manhattan-based Polo Ralph Lauren acknowledged that it was informed last fall that "some credit card information of its customers may have been misappropriated" after learning that data from the magnetic strip was being improperly stored in its point-of-sales system. The company, which purged the stored data, didn't disclose the extent of the breach.
• On April 19, Ameritrade said account information may have been lost for 200,000 customers when a package containing tapes with back-up information on customer accounts went missing. Ameritrade said it was told in February that a package with four data cassettes of current and former Ameritrade account holders' information from 2000 to 2003 was misplaced by a shipping company that Ameritrade uses.

Fears of identity theft are running high among consumers; 59% say they are very concerned, according to a USA TODAY/CNN/Gallup Poll, taken in late February after the ChoicePoint disclosure.

Here are some things you can do to protect yourself:

• Don't carry any document with the number in your wallet or purse. In addition to leaving your Social Security card at home, make sure health-insurance cards or other documents don't have the number on them.
• If your driver's license number is your Social Security number, ask your motor-vehicle department to change it. Don't print the number on your checks.
• If any of your financial-service or insurance providers print your Social Security number on statements or checks that move through the mail, call and ask them to stop.
• Adopt policy of not disclosing your number without requesting an explanation of why disclosure is necessary and will benefit you. Businesses cannot require it, but they can refuse to provide you service if you do not provide it.
• If your number is both an account number and a password for any service, change one or both of them yourself or request the service provider allow you to do so. Do not use your Social Security number as a PIN.
• Check your credit reports once a year from all three of the credit reporting agencies.
• Watch for people who may try to eavesdrop and overhear the information you give out orally.
• Carefully destroy papers you throw out, especially those with sensitive or identifying information. A crosscut paper shredder works best.
• Be suspicious of telephone solicitors. Never provide information unless you have initiated the call.
• Delete without replying to any suspicious e-mail requests.
• Use a locked mailbox to send and receive all mail.
• Reduce the number of pre-approved credit card offers you receive by calling (888) 5OPT-OUT (they will ask for your Social Security number).

If you are a victim of identity theft

• Put a fraud alert on all three credit reports. That warns creditors to contact you before approving any credit applications.
• Call the police. That includes your local police department, as well as police wherever the thief applied for credit. Even if local police can't investigate because the crime happened somewhere else, they can validate victims' identity for other agencies.
• Get your credit reports from the three reporting agencies so you know what accounts have been opened.
• Contact the fraud departments of those creditors and tell them the accounts are bogus. Ask for a transaction record, which shows details of the credit application, including what type of identification the thief is using. Send those to police.
• Keep notes on everyone you speak to, including their name, title, time of the call and what was said.
• Make copies of every letter or affidavit. Send everything by return-receipt mail.
• Stay organized and don't overload police with emotions and irrelevant details.
• Pay attention to the emotional impact of the crime. It can lead to sleeplessness, paranoia, irrational outbursts and even damaged relationships.

Various legislators are trying to pass Federal and state laws to address these problems, including the following:

• Senator Diane Feinstein is trying to pass a Federal law patterned after the California law that gives people the option of doing more than placing a fraud alert on their credit history, which can only be extended beyond 90 days if the threat of fraud is documented; instead, Californians can freeze their credit data indefinitely, so no new loans will be extended to themselves or their shadows. California also requires corporations whose data have been compromised to inform affected individuals. The breach suffered by ChoicePoint, of Alpharetta, GA, became public when ChoicePoint had to comply with California’s law and tell residents their information had been passed onto thieves. Requiring national alerts would heighten awareness and create a bigger safety net for consumers, particularly if it were combined with free annual reviews.
• Senators Charles Schumer and Bill Nelson are introducing a bill in Congress calling for a ban on the sale of Social Security numbers and for tighter controls for companies like ChoicePoint and Seisint.
• New York attorney general Eliot Spitzer called for state legislation aimed at reducing identity theft through regulation of data brokers, consumer opt outs, mandatory data breach disclosure and tougher penalties for identity thieves and hackers.

While government intervention seems to make political sense, the problem will not be solved until the penalties paid by the data leakers – such as Seisint and ChoicePoint – get much higher. Specifically, the problem will not be solved until the penalties for leaking data exceed the costs of the procedural and technological changes required to plug the data leaks. Should that day come, the data leakers will make the investments needed to minimize these penalties and your identity will be safer.

Until then, you are on your own.