A scheme that allegedly bilked consumers out of millions of dollars in phony credit card charges and other losses is the largest in a growing number of identity theft cases that have hit consumers, financial services companies and law enforcement agencies.
Philip Cummings, a former help-desk employee with Teledata, a suburban New York City-based software company, was charged with stealing thousands of credit reports and selling them to an accomplice, who in turn sold them to gangs of street criminals who used the reports to obtain credit cards and loot bank accounts.
Teledata sells software that enables banks and other firms to access credit reports from TransUnion, Equifax and Experian, the three major credit-reporting agencies. Cummings allegedly used the passwords and subscriber codes of Teledata's clients, including Ford Motor Credit, Washington Mutual, Dollar Bank and Community Bank of Chaska, Chaska, Minn., to download thousands of credit reports, for which he was paid $30 each.
The scheme was decidedly low-tech in nature. "With a few keystrokes, these men picked the pockets of tens of thousands of Americans and, in the process, stole their money and swiped their security," said James Comey, U.S. attorney for the Southern District of New York.
According to the complaint, the scheme went undetected for two years after Cummings quit Teledata in mid-2000. Cummings would allegedly receive lists of names and Social Security numbers from street criminals, and then download the corresponding credit reports using a laptop and the access codes which he took from with him when he left Teledata.
The scheme began to unravel in February, when Ford Credit discovered that it had been billed by Experian for thousands of credit reports that it could find no record of having authorized. At the same time, Ford Credit began receiving complaints from consumers about credit reports apparently requested by Ford Credit without their knowledge. Officials promptly alerted the FBI and warned consumers to take steps to protect confidential information.
"This was a breach made falsely in our name, and as such it was deeply disturbing," said Melinda Wilson, spokesperson for Ford Credit. "We continue to refine our processes, practices and security to safeguard consumers, whose privacy and trust we value above all else."
Meanwhile, the scheme was spreading to other financial institutions and reporting agencies. Washington Mutual discovered that 6,000 credit reports had been fraudulently obtained from Experian using the passwords of one of its branch offices in Florida and a Tennessee branch of Washington Mutual Finance Co. Other institutions, including Dollar Bank and Community Bank of Chaska, found that credit reports had been fraudulently obtained from Equifax using their passwords.
By exhaustively matching records of incoming telephone calls with the codes used to access the credit reports, authorities determined that the credit reports had been requested from a New Rochelle, N.Y. address, which the FBI raided in October, seizing the laptop allegedly used by Cummings. By that time, some 30,000 credit reports had been reported stolen, with a resulting $2.7 million in fraudulent credit card charges and other losses to financial institutions.
The scheme is the largest in a growing epidemic of identity theft cases. According to a March report by the General Accounting Office, the number of seven-year fraud alerts-one of the most reliable indicators of identity theft-issued by one of the three major credit reporting agencies increased from 65,600 in 1999 to 89,000 in 2000, a 36 percent jump. Allegations involving misuse of Social Security numbers increased from 11,000 in 1998 to 65,000 in 2001, a five-fold increase. And the Federal Trade Commission's Identity Theft Data Clearinghouse received a total of 94,100 complaints from victims (including 16,784 complaints related to Social Security numbers) between November 1999 and September 2001.
As the number of identity theft cases mounts, so have the losses incurred by financial institutions. According to the GAO report, MasterCard and Visa reported that the amount of identity theft-related losses from domestic operations rose from $79.9 million in 1996 to $114.3 million in 2000, a 43 percent increase. (The card associations limit identity theft to two fraud categories-account takeovers and fraudulent applications. If the definition is extended to include all categories of payment card fraud, the associations' total fraud losses from domestic operations rose from $700 million in 1996 to $1 billion in 2000.)
Some 70 percent of security incidents that actually cause loss to enterprises- rather than mere annoyance -involve insiders, according to GartnerGroup.
"This finding should surprise no one. Insiders create an enterprise's products and deliver its services, and efficient access to sensitive information is essential to its efforts to bring profitable products to market," noted Gartner analyst John Pescatore."Enterprises must find the balance between completely open internal access and overprotective security that hurts business."
Background investigations should be required of all employees, including system and security administrators, who will have access to sensitive information, said Pescatore. Server and database access should be granted only to employees who require it for legitimate business purposes. Audit and reporting tools should also be used to review privilege escalation actions.