Identity Thieves

By Julie Rawe

The timing couldn't have been worse. When Jeremy Johnson discovered that someone had applied for a couple of credit cards in his name and had run up a $6,000 tab, it was late September and law-enforcement agencies were busy tracking down terrorists. Johnson, 31, a production assistant at a cable-channel website, called his local precinct in Brooklyn and was told the N.Y.P.D. was so swamped, the detectives couldn't do anything unless he had the perpetrator's name and address.

Johnson knew that identity theft violates both state and federal laws, so he called the FBI and was forwarded to the Secret Service, which investigates counterfeiting and other types of financial fraud. An agent asked whether the case involved more than $25,000. Otherwise, he intimated, he had bigger fish to fry.

Johnson thought investigators were overloaded because of Sept. 11, but police say their response would have been pretty much the same had he called months earlier or phoned a precinct in Kansas City or Key West. In an age of instant credit, when you can apply online and start shopping within 30 seconds, identity theft has become an American epidemic. Calls to the fraud-victims help line at a national credit bureau have nearly doubled from the 522,922 received in 1997, and 86,168 identity-theft cases were reported to the Federal Trade Commission last year, making it the top consumer-fraud complaint. Because law enforcement lacks the manpower to investigate all the small-potatoes cases and creditors shrink from costly prosecution, identity theft remains a lucrative, low-risk crime.

But that may change, as government and industry efforts converge to protect a staple of the U.S. economy: easy credit. Sept. 11 underscored the ways that terrorists use identity theft to slip into U.S. society and fund their operations. Investigators have linked several suspects to credit-card fraud, including the two men with box cutters who were arrested on a train Sept. 12. The terrorist convicted last year in a 1999 plot to blow up Los Angeles International Airport used 13 identities lifted from the membership files of a Boston health club. Potential losses in Secret Service investigations jumped from $850 million in 1998 to $1.4 billion in 2000, prompting some lenders to begin to pool their fraud data.

Like most stories of identity theft, Johnson's is one of initial confusion and lingering anxiety. "How did someone get so much of my personal information, and what's to stop them from using it again?" he asks. "My Social Security number can go from criminal to criminal. I'm screwed for life."

Consumers have to pay only the first $50 of fraudulent charges made on their accounts, and many lenders waive even that amount. But last year credit-fraud victims spent countless hours and an average of $1,173 to restore their credit ratings. And all it takes to get the ball rolling is one crooked telemarketer or someone who fishes a receipt or "preapproved" credit-card offer out of your trash.

Johnson doesn't know how he got targeted. But Discover Card alerted him on Sept. 30 that someone had opened an account in his name. Johnson called the three major credit bureaus and found that two of his credit reports were riddled with errors. Accounts had been opened by someone who gave the wrong birth date and mother's maiden name. When he turned to his local police, a detective told him nothing could be done unless he had the suspect's name and address--implying that Johnson should do a little digging on his own.

This attitude is common at overburdened police departments across the country. At a special identity-theft task force in Los Angeles, each of the nine investigators handles nearly 600 active cases, with a simple case taking about 70 hours to investigate and more complex ones taking three times as long. Each of the nine specialists solves 30 to 40 cases a year, according to team member Ralph Richards. "We're making some headway, but it's a drop in the bucket," he says. "The chances of getting caught are much less than for the guy who steals your VCR."

Johnson was determined to beat those odds. He set about tracing a phone number on a fraudulent application for credit that had been made in his name. And he scored, in part by paying $25 to an online data broker--an information mercenary who may not care whether you're trying to track down a long-lost cousin or steal her identity. Johnson went so far as taking the subway to the suspect's address to match his name to an apartment number, noting there were flower boxes in his windows. "I felt like Angela Lansbury," he says.

When he presented his findings to the police near his home in Brooklyn, they said the case should be handled where the charged goods were delivered, in the Bronx, and the two precincts bounced Johnson back and forth until a report was finally filed in Brooklyn.

Johnson's next battle was obtaining information about the suspect from creditors. Some companies, such as Discover and Gateway, gave Johnson everything on the fraudulent applications. Others, including Zales and American Express, told him next to nothing. "Giving customers some information would hamper our security efforts," says AmEx spokesperson Judy Tenzer. "We consider an investigation a law-enforcement issue," says Maria Mendler, of Zales' lending arm, Citibank.

There are no national figures on prosecution rates for identity theft, but everyone involved agrees they are low and that the only practical alternative is prevention. Victims are advised to place fraud alerts on their credit reports, which flag potential lenders to contact their home or office before approving an application. Two months after Johnson posted these preauthorization advisories, Gateway's lending arm called to say it had rejected a fraudulent application. The same day, American Express phoned to see whether Johnson had received an Optima card--one he hadn't applied for.

This fall the FTC increased its enforcement staff by 50%, to about 50--at a time when the agency's hot line is fielding 12,000 calls a month. Bills have been introduced in Congress that would require credit bureaus to investigate discrepancies in individual reports, penalize lenders for ignoring fraud alerts, truncate card numbers on receipts to prevent "Dumpster diving" and fine companies for refusing to provide relevant documents to identity-theft victims. James Huse Jr., inspector general of the Social Security Administration, supports a bill that would stop the indiscriminate display of Social Security numbers on public documents as well as the sale of the numbers online or by other means.

But companies can't afford to wait around for the feds. In 2000, identity theft cost financial institutions $2.4 billion in direct losses and related expenses, such as technology and consumer education, according to consulting firm Celent Communications. Other experts estimate the broader category of application fraud costs the industry as much as $35 billion a year, or roughly $170 for each credit user in the U.S. Visa and MasterCard have taken both high- and low-tech steps in cutting fraud losses from 16[cents] per $100 transaction in 1990 to 6[cents] in 1999, according to the Nilson Report. But card companies are still looking for ways to stop crooks from "skimming," or copying data encoded on a card's magnetic stripe--the largest source of fraud losses after lost or stolen cards.

Because merchants often end up footing the bill when crooks order online or by phone, a handful of major retailers are beginning to upload mountains of fraud records into a national database. This project will allow Dell Financial Services, for example, to warn Toyota's lending arm before it gets burned by the same guy. Experian, a major credit bureau, is spearheading the American coalition and is also preparing the U.S. launch of its proprietary program, Detect, which identifies fishy new applicants. For mom-and-pop e-tailers, risk-management companies like ClearCommerce and CyberSource license fraud-warning packages for as little as $25 a month.

Businesses are also catering to a widening field of justifiably paranoid consumers. Landlords and employers are flocking to Factual Data Corp., which for a couple of bucks will run Web searches to see whether a potential tenant or new hire is applying with someone else's Social Security number. Pricey monitoring services like Equifax Credit Watch will contact you the same day changes are posted to your credit report.

The onus is on consumers to check their credit reports periodically for errors, especially since a recent Supreme Court decision restricted the time during which they can sue a credit bureau that mistakenly gives their information to a criminal. Consumers have to file suit within two years of the wrongdoing--bad news when the FTC says it takes the average identity-theft victim a year to detect a problem.

Johnson's detective is still waiting for creditors to cough up the necessary paperwork to get the investigation off the ground. In the meantime, Johnson has marked his calendar with six-month reminders to check his credit reports. And he shreds credit-card offers into tiny bits before sprinkling them in different trash cans around the house. "Paranoid?" Johnson says. "I've learned you can't be too careful."