Thursday, January 22, 2004
Copyright © Las Vegas Review-Journal
IDENTITY FRAUD: High-Tech Theft
As more people pay
for products electronically, thieves have easier
access to accounts
By JOAN WHITELY
REVIEW-JOURNAL
Las Vegan Kimberley McGee does online banking, checking her account activity almost daily.
That's how she noticed in late December that during the previous two days someone had mysteriously drained $1,000 out of her bank account using an automated teller machine. That same day, another unauthorized $500 withdrawal -- her bank's daily limit -- occurred.
"I don't take out money by ATM," McGee says. "You never know who's behind you. I don't feel secure."
McGee had not lost, or been robbed of, her checkbook or debit and credit cards. She had been robbed of her financial identity.
In 2002, an estimated 9.9 million Americans were victims of identity theft, at a cost of $47 billion to the victims, businesses and banks, according to the Federal Trade Commission.
As more people do electronic money transactions, criminals have found ways to appropriate bank PINs -- personal identification numbers -- financial routing numbers and other codes to illegally tap funds.
As soon as she suspected identity theft, McGee, 33, an associate editor at What's On magazine, picked up the phone. She called her bank, the police, the convenience stores hosting the ATMs that had been used to access her money, and finally, the owners of the ATM machines.
She encountered a vicious circle. She says the bank first resisted cooperating, insisting she must have lost her ATM card, or loosely shared her PIN with others.
The convenience stores where the withdrawals were made disavowed any role, according to McGee, referring her to three separate ATM owners. The ATM owners declined to let her view video taken of the transactions; their policies were to release footage only to police or a bank.
McGee says police told her that since her bank would reimburse her the amount taken from the ATM transactions, she could not claim to be injured and therefore could not file a police report.
Lt. Steve Franks of the Las Vegas Metropolitan Police Department confirms that his unit, financial crimes, does not take crime reports of this sort from individuals. Instead, police ask banks to file the crime reports. Not all banks do.
"It's cheaper (for them) to pay the loss than to do their civic duty, which is to pursue the criminal," which is time-consuming and costly, Franks says. He urges victimized individuals to demand a crime report from their financial institution for personal records.
It took McGee three weeks of daily calls to the bank -- she says her bank never phoned her once on the matter -- before the institution reimbursed her.
During this period of limbo, McGee also asked around at work, and learned that four co-workers had been recent victims of identity theft. After much discussion, the group concluded the only common factor in their cases was that all had, at different times, frequented the same small restaurant. At that particular restaurant, the equipment for customers to pay by debit was on the employee's side of the counter, instead of the customer's, McGee recalls.
"Skimming" of financial identity probably occurred at the restaurant, staff at the nonprofit Identity Theft Resource Center speculated when McGee's situation was described.
Skimming entails scanning credit, debit or ATM cards -- usually in retail sites -- to "skim" off the financial data encoded on the magnetic stripe. It is different from historical casino skimming, in which crime groups removed cash from a casino's revenues before the money was counted for tax purposes.
The nonprofit identity-theft center started in San Diego in 1999 to assist victims, educate the public and provide ideas when states are mulling laws to fight identity theft. Its founder and co-executive director, Linda Foley, was the victim of identity theft in 1997.
Regardless of whether skimming occurred in McGee's case, the illegal practice is frequently used in identity theft, the center reports.
In skimming crimes, the customer's card is scanned twice: once into the store's device to conduct the transaction, and again into a separate device, usually hand-held, which can fit in an unethical employee's pocket. In some criminal investigations, according to the Identity Theft Resource Center, the skimmer has been found permanently installed side-by-side with the store's equipment, but the employee's chitchat during checkout effectively distracted customers from noticing.
Skimmed numbers stored in the device's memory are used to create "clone" cards for criminals, who obtain cash or credit from the original cardholder's accounts. The pocket-size scanning devices or their components are for sale by mail order, says Jay Foley, who, with his wife, is co-executive director of the center.
McGee says one ATM owner told her his company checks its ATMs daily, to make sure no skimmer has been attached.
Most stores try to prevent skimming by installing card-scanning equipment on the customer's side of the checkout. The card never leaves the customer's hand.
"If it's out of sight, it's out of (the owner's) control," Jay Foley says.
Sit-down restaurants, however, generally have a waiter take the customer's credit card away to process a bill. The Identity Theft Resource Center opposes this approach, and has been lobbying large restaurant chains to do away with the system. It urges them to adopt portable devices that process a bill at the table in front of the customer.
"It's not storing the information. It's transmitting it to the (main) transaction terminal," which is linked to the restaurant's phone line, Jay Foley explains. The new format calls for a wireless network that would need its own security protocols for safe operation.
Skimming is just one way that criminal entrepreneurs can illegally appropriate someone's identity. There are a myriad of other ways, too -- none of which requires the physical possession of a card or wallet.
In some states, including Nevada, a store or gas station receipt may display a customer's full credit-card number, if the purchase was done by credit. Only recently, credit-card issuers have started requiring their licensees -- the merchants who accept the credit cards -- to truncate credit card numbers on receipts. That means a receipt contains only a portion of the entire account number, so that a person who steals or finds a stray receipt can't identify or access the account.
"It's good sound practice" to truncate, Franks says. "Stores are getting sued" by victims of identity theft.
Doctors and lawyers, too, sometimes inadvertently release personal identifying information of their patients and clients. Clark County Clerk Shirley Parraguirre -- whose office is in charge of District Court documents -- has warned that some attorneys carelessly fail to edit or black out personal data such as Social Security numbers in documents they submit to court.
"I recently came across a civil motion where the attached traffic accident report and witness statements contained the Social Security numbers and Nevada driver's license numbers of five separate individuals," Parraguirre wrote in a column published in the December 2003 issue of Communiqué, a newsletter of the Clark County Bar Association.
Medical records that are attached to court petitions often contain Social Security numbers, Parraguirre wrote. "One recently filed petition included the minor's Social Security number on page one. It would be a shame for a minor to reach maturity, only to discover his identity had been stolen and his credit destroyed before he had a chance to get started in life."
According to Parraguirre's column, it is the responsibility of the attorney, not the court, to make sure personal identifiers are removed from court documents.
Employers, also, are sometimes casual with their workers' valuable personal identifying information. The best way to identify employees in records is not by Social Security number, which can be stolen if it routinely appears on work badges, time cards or workplace reports, according to the Identity Theft Resource Center.
The practice of using Social Security numbers as computer passwords in the workplace is another risky procedure.
The center tells consumers not to provide personal information until they are given a valid reason. It recounts a case in which some school districts were asking for the parent's Social Security number when enrolling a child.
"If the child's health insurance number is your (Social Security number), then they might need it for emergency purposes. Otherwise, it doesn't seem reasonable," the center writes in its materials. According to the center, after parents questioned the practice, one district started telling parents that the space was "an optional field" on the enrollment form.
Linda Foley urges consumers not to put a Social Security number on job application forms until the potential employer has expressed serious interest in the candidate. In the space designated for the number, write instead "available upon request" or "see below." Then below, write that the applicant is concerned about the risk of identity theft, but will provide the number when the company wants to start a background search.
Las Vegan McGee says identity theft has changed her life. Identity theft can harm an innocent person's credit history, insurance rates and job prospects.
To minimize her chance of repeat identity theft, she says now she will change her PIN and other private numbers every three months. She will not share any personal numbers with others -- not even letting a friend's mother, for example, know the code to her garage-door opener.
McGee will continue online banking, which enables her to view new transactions daily. A suspicious item -- which could get buried in a monthlong written statement of account activity -- stands out readily when only one day's activity is on the screen at a time.
She says she also is using her debit card less, relying on written checks more.
The center's Linda Foley agrees with most of McGee's measures, but strongly disagrees that written checks are safe. They contain routing numbers, which criminals can use.
Foley prefers to do most of her transactions by credit card or cash. Credit-card transactions are protected in case of fraud by federal law. No central registry of bad checks exists, which means that "merchants are in the dark, too," if a criminal persists in passing checks on an account that has been closed several years.
She does not consider using a debit card as safe as a credit card.
Debit cards bearing a Visa logo are not credit cards, but Visa has a policy of zero-liability for customers in case of fraud with any of its products, including such debit cards. Even so, the bank issuing a debit card with the Visa logo also sets limitations, Jay Foley says.
So check your bank's terms closely, he says. Do not assume that a loss of funds because of fraudulent activity involving a debit card will automatically be reimbursed.
