In 2013, the FBI arrested a ring of identity thieves responsible for more than $13 million in losses over a two-year period, from 2007 to 2008. Tobechi Onwuhara, a Nigerian national, impersonated victims across the country to scam their credit card companies into transferring millions of dollars from their customers’ home equity line of credit (HELOC) accounts, and the information he and his confederates used to identify victims was primarily collected through public sources. In other words, any efforts by the individual victims to foil the perpetrators would likely have been futile.
How Identity Thieves Access Your Information
Onwuhara’s expertise was his ability to collect and combine disparate pieces of personal and financial information available free or for a fee to anyone from legitimate sources of private information. His skill allowed him to impersonate credit card holders to have open credit lines monetized to his benefit.
Some of his favorite sources of data included:
- ListSource. ListSource is a direct marketing company specializing in “accessing the precise homeowner information you need.” The information enabled Onwuhara to identify people with million-dollar homes and their mortgage information, information necessary to determine whether substantial credit might be available. With that information, he could access public data bases for actual copies of deeds, mortgages, and tax records, even collecting a facsimile of the property owner’s signature for later use.
- Skip-Tracing Sites. For a low monthly fee from sites such as LocatePLUS, information such as assets, phone numbers, property owned, licenses, dates of birth, and Social Security numbers for millions of Americans are readily available. Such sites are primarily used by creditors to locate bond skippers or delinquent accounts. However, they also provide essential information that allowed Onwuhara and his cronies to build an accurate profile of potential victims.
- AnnualCreditReport.com. With the profile of the identified target in hand, the next step was to run a credit check to ensure that a large amount of remaining credit was available. AnnualCreditReport.com site is a joint venture of the big three credit-reporting agencies to help consumers guard against credit theft. However, combined with the other data, the information (credit scores, credit accounts, payment histories) allowed further refinement of the potential target.
- SpoofCard. Ostensibly a site that allows a customer “to protect yourself or pull a prank on a friend,” SpoofCard allows a user to disguise a telephone caller ID, change a voice, or add sounds to a phone call. This capability was key to the scam when Onwuhara or members of his crew would call customer representatives of the various financial institutions to wire money from the credit line anywhere in the world he directed. Since the financial institution might have called the impersonated customer back for security, Onwuhara would have previously called the telephone company and requested that the real person’s number be automatically forwarded to a burn phone (a prepaid cell phone that can’t be traced by a SIM card) held by his crew.
The Onwuhara example demonstrates the effort that thieves will make to steal items of value, the creativity of many criminal minds, and the ubiquitous sources of personal information available in an electronic age. On one hand, Americans are extremely sensitive to collection of private information, especially by government agencies; on the other, consumers readily provide confidential information indiscriminately to social sites, financial institutions, and retailers.
As the economy relies more and more on digital currency, the possibility of even larger thefts – often masterminded and executed by foreign nationals outside the borders of the United States – will only expand. One thing is for certain: If your private information has value to another party, it is at risk of being stolen.
Impersonation, Identity Theft & Identity Fraud
Impersonating a second party for gain is a practice as old as mankind. The Judeo-Christian story of Jacob impersonating his brother Esau (with the aid of his mother Rebekah) to deceive their father Issac for a blessing is perhaps the first written example of identity fraud in history, and the deed has been replicated countless times over the centuries.
Impersonation, identity theft, and identity fraud are often confused, but they are distinctly different:
- Impersonation. Impersonation could be considered a form of identity theft – although performers like Rich Little, Dana Carvey, or Frank Caliendo might disagree – but it is not a crime since no criminal act takes place in collection of the personal information or idiosyncrasies, and it is not used for the impersonator’s personal gain (at least, not directly).
- Identity Theft. Identity theft is stealing and using another person’s confidential information, particularly financial information, to gain credit or have access to their personal resources for personal gain. Identity theft most impacts the person whose identity has been stolen.
- Identity Fraud. Identity fraud is stealing another person’s private information in order to commit a fraud, generally upon a financial institution. Often, identity fraud is preceded by identity theft, but not always. A scammer could create a whole new identity, rather than stealing another person’s demographic or financial data.
Individuals are increasingly aware of (and even paranoid by) the fear of identity theft. A headline of an April 2014 Smithsonian article claims that even “children have to worry about identity theft too.”
According to a 2013 Unisys survey of security trends, more than one-half of Americans worry about credit card fraud and identity theft. It is a concern fueled by increasingly common reports of major security breaches at large retail companies such as Target and Neiman Marcus. Despite the smoke, consumers would be well advised to understand the actual facts associated with personal identity theft and credit card fraud.
Statistically, the average consumer is unlikely to be victimized, and typical individual victims of identity theft suffer less than $100 in damages. Nevertheless, the industry to protect people from identity theft has exploded in the last 10 years; individuals who help consumers manage identity theft protection can now receive a variety of professional designation including certified red flag specialist (CRFS), certified identity risk manager (CIRM), or certified identity protection advisor (CIPA) from the Identity Management Institute.
A recent Google search found more than 30 million references to identity theft, while a January 2013 IBISWorld report on the industry estimated revenues of $4 billion for the 79 companies engaged in the Identity Theft Protection Services market. This is an industry whose revenues are based upon fears of consumers of possible victimization.
Most Likely Identity Theft Victims
According to the National Crime Victimization Survey, about 7% of U.S. population over the age of 16 were victims or attempted victims of identity theft in 2012. The report suggests the following:
- Caucasians are the most likely victims of identity theft (74.9%), as are persons between the ages of 25 and 64 (78.0%) or with incomes greater than $50,000 annually (53.5%).
- Women are slightly more vulnerable than men (52.3%).
- In 2012, approximately 2.2% of identity theft victims suffered an out-of-pocket loss greater than $1,000 or more. An additional 2.5% of the victims had losses between $1 and $250, while 86% of identity theft victims lost $1 or less.
- More than four of five victims (86%) of identity theft resolved any problems within one day or less.
- Almost one-half of victims or attempted victims learned about the identity theft by being contacted by their financial institution concerning “suspicious activity in an account.” An additional 20% noticed fraudulent charges by regularly checking their credit accounts and bank accounts.
The unauthorized use of an existing credit card or bank account accounted for 85% of the incidents. The Identity Management Institute notes that credit card related cases are “easier to resolve and offer the least damage to identity theft victims as consumers are protected by laws, and their liabilities are limited to just $50 which is often waived by the banks as part of their customer service and satisfaction programs.”
Simple Measures to Protect Your Information
Data security, the most effective protection against credit card fraud and identity theft, must be balanced with the conveniences provided through electronic financial records and transactions. As IT systems become more powerful and connectivity over the Internet expands, there are increasing opportunities for criminals to exploit system and human errors, as well as combine diverse sources of seemingly unrelated data to profile and steal valuable information. Fortunately, there are some practical techniques you can use to lower your profile, harden your defenses, and reduce your financial exposure.
1. Use Cash
Get off the grid, and use cash where possible, rather than credit cards, debit cards, or paper checks – especially with businesses that attract potential predators, such as national and regional retail stores and fast-food chains that collect millions of credit card numbers every day. These collections are irresistible targets for hackers and nefarious characters around the world. Using cash prevents digital footprints.
2. Layer Your Purchase Process
Rather than directly using your credit or debit cards for purchases, consider an intermediary such as PayPal or Google Wallet for online or in-store purchases. Intermediary companies are especially cognizant of data breaches, and spend millions of dollars each year to ensure the security of their business. Rather than worry about the data security of Target, Walgreens, or any of the multiple retailers you trade with each month, your personal information is kept on the intermediary’s information network.
3. Review Credit Reports Annually
The Fair Credit Reporting Act requires each of the nationwide credit reporting companies – Equifax, Experion, TransUnion – to provide you with a free copy of your credit report every 12 months. Take advantage of this benefit and be sure that the information provided to others is correct. If you feel especially vulnerable to identify theft, you can enroll in fee programs from each company for constant monitoring.
4. Monitor Bank & Credit Card Accounts
Surprisingly, many people do not take the time to review bank or credit card statements for errors, fraudulent charges, or mistakes. No one knows your financial position better than you do. Virtually every bank and credit card company offers online access allowing you to check transactions on a daily basis. Constant vigilance is your best protection against financial fraud.
5. Use Strong Passwords for Online Accounts
While no password is absolutely uncrackable, creating a strong password can delay all but the most determined criminals. Use a combination of 10 to 12 mixed case letters, numbers, and symbols or a phrase only you would know and can remember. For example, one acquaintance of mine uses the year of his college graduation, the name of his high school football team, and his mother’s first name to create something akin to “marianne87BISON#.”
6. Maintain Up-to-Date Security on Your Computer
Keep your personal computer secure by doing the following:
- Connect to a secure network, especially your router which receives and transmits information to the Internet
- Enable and configure your computer firewall for maximum security
- Install antivirus and anti-spyware software
- Remove any software you do not use
- Disable file sharing and print sharing if you only have one computer on your network
If you are not especially technically oriented, you should consider enlisting the help of a technical consultant to set up your network, computer, and files, as well as periodically confirming that they are optimally configured to provide the protection you seek.
7. Limit Your Exposure on Social Networks and Company Affinity Programs
Realize that information on the Internet never goes away and cannot be modified. Do not put any information on the Internet you would not be comfortable sharing on the front page of your community’s newspaper. Limit the information you provide to your social contacts to noncontroversial, non-financial, and public information only.
Companies understand the more information they have about you, the better they can target their products to your needs. As a consequence, loyalty cards, rewards programs, and memberships in “special status” clubs are frequent lures to capture consumer information. Consider the value of the benefits you will receive from the program before indiscriminately providing personal data to any company.
It is unlikely that complete security in a digital world will ever be possible. However, the consequences of such breaches are often exaggerated by the press and the industry which benefits from the sale and oversight of expensive personal information protection solutions. The best approach for such matters has always been a careful analysis of the risks as they apply to you and a reasoned, unemotional, and appropriate response. The conveniences of a connected digital world cannot be denied, and the use of commonsense security procedures can allow you to gain the benefits without risking your financial security.
What other ways can people protect their identities?