They've Got Your Numbers: Identity Theft
By Kristin W. Davis

Ray and Maureen Mitchell have always been exceptionally cautious with their credit. They shred their credit-card receipts and account statements. They've had their social security numbers removed from their driver's licenses. They don't order merchandise on the Internet. They even pay with cash in restaurants rather than let a waiter take their credit card out of sight. Despite their precautions, they became victims of identity theft -- not once, but twice -- in what turned into a four-year ordeal.

The Mitchells, who live in Ohio, had to tangle with more than 25 creditors, three credit bureaus, multiple police departments, the National Insurance Fraud Bureau, the Ohio Bureau of Motor Vehicles and a check-verification service. Maureen's driver's license was suspended, and $34,000 was withdrawn from the couple's savings accounts. It took more than 400 hours and 30 pounds of paperwork to clear their names.

One of the imposters served only a year in prison; a second is awaiting prosecution. But with their social security numbers and personal information still in the hands of a fraud ring, the Mitchells worry that at any moment they could be victimized all over again. In a report issued last September, the Federal Trade Commission estimated that 27 million Americans have had their identities stolen over the past five years -- one in eight adults.

In 2003 alone, some ten million people were thought to be victims. That's more than 1,100 thefts an hour or three times the number of household burglaries each year. "Your personal data is worth more than your jewels," says Mari Frank, a former victim who's now a victims advocate. The FTC puts the total financial cost at $50 billion a year, most of it borne by businesses. But victims pay dearly in the form of time, frustration, lost opportunity and emotional distress.

In the FTC study, victims reported spending an average of 30 to 60 hours restoring their good names in the wake of bounced checks, loan and credit-card rejections, and debt-collection harassment. Among victims who have sought help from the Identity Theft Resource Center (ITRC), a nonprofit organization in San Diego, the median amount of time spent cleaning up the damage is 120 hours.

Victims in the ITRC study (which includes people whose identities have been stolen by family members or who have had arrest warrants issued in their names) reported emotional scars similar to those suffered by victims of violent crime -- long-term feelings of anger, helplessness and mistrust, disturbed sleep, and a perceived lack of security. "Other than the deaths of our parents, this is the most traumatic thing that has happened in our lives," says Maureen Mitchell. The epidemic shows no sign of abating. Perhaps emboldened by how few cases are prosecuted and how little time offenders serve for nonviolent financial crimes, identity thieves are becoming increasingly brazen and creative. And creditors are making it more difficult for victims to clear their names.

Organized crime

The Mitchells first learned there was trouble in 1999, when a thief used their joint KeyBank MasterCard to order mail-order merchandise. In the two months that followed, imposters used Ray's name and social security number to apply for credit at car dealerships, banks, credit-card companies, department stores and cell-phone providers, running up $150,000 in debts. Three days after Maureen placed fraud alerts on their credit files -- instructing creditors to call the Mitchells before extending credit -- the couple received phone calls from three Chicago-area banks where an imposter had applied in person for personal loans of $5,000, $15,000 and $25,000. The imposter was arrested when he returned to one of the banks to pick up his money. He had 17 aliases and a 23-year criminal history, and was carrying a photo ID with his own picture but Ray's name and social security number.

The Mitchells have no idea how Ray's personal information fell into the hands of a fraud ring. They later saw photos of another man who bought a Ford Expedition using Ray's identity, and yet another who bought a Lincoln Navigator. Although some identity thieves are solo operators, the bulk of the fraud is carried out by organized rings that are adept at stealing, or buying, information in bulk and squeezing as much loot as possible from each stolen identity. That usually means a rash of credit applications in a short period.

To get their hands on social security numbers, credit-card numbers and other vital statistics, fraud rings may plant an employee in a mortgage lender's office, doctor's office or human-resources department. In 2002, in what was dubbed the biggest identity-theft case in U.S. history, more than 30,000 people were victimized by a fraud ring that got its data from a help-desk worker at Teledata Communications, a Long Island software company that worked on computer programs used by retailers to pull consumer credit reports.

In a smaller fraud ring busted last year in the Pittsburgh area, a woman who was hired to clean a municipal tax office stole tax documents that had not been shredded. "The wretched depravity of some identity crimes defies the imagination," Secretary of the Treasury John Snow declared in a speech last June. Snow was referring to an identity-theft ring stretching from New Jersey to California, in which a health-care worker in cahoots with bank insiders and mortgage brokers got the names of terminally ill hospital patients, forged their identities, drained their bank accounts, and then bought houses and cars in their names.

Bribing insiders is also common

Employees of banks and car dealerships, along with government and hospital workers, have all been arrested as identity-theft conspirators. In Birmingham, Ala., a hospital employee earned $100 for each name and social security number she handed over. The victims were children who had been patients, and the buyer used the numbers to file fraudulent tax returns.

Bogus e-mails that try to trick customers into giving out personal information on phony Web sites are "the hottest and most troubling new scam on the Internet," says Jana Monroe, assistant director of the FBI's cyber division. "Web spoofing" schemes have targeted customers of Best Buy, eBay and PayPal, among others. An arduous cleanup Imagine filling out 25 different tax returns, each with different forms and instructions.

That's how Maureen Mitchell describes her efforts to clean up the mess Ray's imposters created. She made hundreds of phone calls, sent dozens of letters -- return receipt requested -- followed by notarized affidavits, statements and handwriting samples. "It seems rather ironic that a criminal could easily fill out a fraudulent application, obtain credit in our names and have our address changed, yet when we tried to dispute fraudulent accounts and have our address 'corrected' back to the real one, we were inundated with paperwork requiring us to prove our identity and address," says Maureen.

When the Mitchells attempted to buy a second home in 2001, a derogatory report resurfaced on Ray's credit history. It was the unpaid bank loan for the Ford Expedition. This time, the Mitchells had just 25 days to expunge the false report or they would lose the house. By then, Maureen had testified before a Senate subcommittee about her experience, and she sought help from a credit-bureau contact she'd made at the hearing. She believes the home purchase would otherwise have fallen through because disputing credit-report errors normally takes longer.

Even when nothing goes awry, the process of clearing your name can be time-consuming and arduous. As soon as you learn you're a victim, you should check your report at each of the three credit bureaus: Equifax, Experian and TransUnion. If you find accounts that aren't yours, dispute them with the bureaus and the credit grantors. Filing a credit-bureau dispute is a formality that protects your rights under the Fair Credit Reporting Act. But no matter what evidence you submit to the credit bureau, the black mark won't go away for good until the credit grantor is convinced that you're not responsible for the debt and has corrected its computer records. To get a company to do that, you usually must file a police report and send a copy to the creditor, along with a notarized affidavit and, in some cases, notarized handwriting samples or a copy of a photo ID.

Unfortunately, publicity about identity theft has led some deadbeats to falsely claim that they are victims, so creditors are increasing their scrutiny. "In the past, companies were more willing to believe you were a victim," says Linda Foley, executive director of the ITRC. Of the 173 victims who participated in the ITRC's survey last year, two-thirds said they had not yet been able to eliminate all the negative items on their credit reports or criminal records, which can sometimes take years. "I had to be tenacious and insistent," says Maureen Mitchell.

One glimmer of hope

This spring the Financial Services Roundtable, a trade group of financial-services companies, plans to launch the Identity Theft Assistance Center, through which victims may report a crime to one bank or creditor and then have the information forwarded to others.

Who's to blame? Sloppy security is at the root of the identity-theft epidemic. Companies don't take sufficient precautions with their customers' personal information, and creditors approve credit-card and loan applications without sufficiently verifying identity. Sometimes they even ignore fraud alerts in a victim's credit report. These companies "rarely have any problem granting credit, even though not a single piece of information supplied on the application is consistent with what's in the credit report," says Tracey Thomas, a former victim who now works for the ITRC. (The crooks who bought the Ford Expedition in Ray Mitchell's name made five errors on the credit application, including misspelling his last name.)

Identity thieves typically use an alternate address on credit applications so that victims won't get the bills. But instead of regarding the change of address as a red flag, creditors "key it in as a new address," says Ian Lyngklip, a Detroit lawyer who represents consumers in credit cases. Addresses are screened to make sure that they are valid residential addresses, that they match other information in the application and that they haven't previously been used for fraud, says Chris Conrad, senior vice-president of fraud management for Bank One. But an address that is different from the one in the credit file or the one that's been solicited is not necessarily a red flag, he says, because someone may have moved or may have a billing statement sent to a different address. "It is a balance between security and convenience for consumers," Conrad says. "We're ensuring that we are granting credit, where prudent, as often as possible."

But the victims of identity theft might attest that being asked to jump through extra hoops to get credit is a minor inconvenience compared with going through an ordeal like the Mitchells'. "Sooner or later everyone is going to be a victim," says Lyngklip.

Recurring nightmare

Once you're a victim, you're always at risk. Fraud rings know that most consumers will take the trouble, no matter how excruciating, to restore their good credit. So they bide their time. Two years after their identities were stolen the first time, the Mitchells got an inkling of fresh trouble when they attempted to take advantage of a credit offer at Best Buy to purchase a refrigerator for their new house. They were turned down. "It was gut-wrenching to realize that our creditworthiness might never truly be restored," says Maureen. Then they got a call from a branch manager at KeyBank, where they kept their checking and savings accounts. Maureen had placed security protocols on their accounts, requiring a photo ID and password for any transactions. In spite of those precautions, an imposter with a photo ID bearing Maureen's name and driver's-license number had made four withdrawals totaling more than $34,000. A fifth attempt had prompted the manager's call, and she placed a security freeze on all the Mitchells' accounts. That shut out the criminal, but it also meant that the Mitchells had no access to their own money to pay their mortgages and their kids' college tuition. Checks they had written earlier bounced, landing their names in a bad-check database. "I was stunned and furious," says Maureen. She still does not know if an insider at the bank compromised her password or if tellers simply ignored the password requirement.

It took the Mitchells several weeks to get their money back and to regain access to their accounts.

The final insult

When Maureen called the Ohio Bureau of Motor Vehicles to ask how an imposter could have obtained a photo ID in her name, she learned that her driver's license had been suspended. In Ohio it is illegal to have a driver's license and a BMV-issued ID card concurrently. So when the imposter applied for the ID, the license was suspended. It took a meeting with a BMV fraud investigator -- and a briefcase full of affidavits and notarized letters -- for Maureen to get a new one.

Kiplinger's Personal Finance Magazine January 2004 License or reprint this article CREDIT & BANKING, This page printed from: http://www.kiplinger.com/magazine/archives/2004/01/idtheft.html, All contents © 2003 The Kiplinger Washington Editors, Byline: By Kristin W. Davis, Reporter: Alison Stevenson.