Wachovia To Pay Huge Fine For Conspiring With Fraudulent Telemarketers

[Editor's Note: today is the anniversary of an important event in U.S. history. May 1, 2008 is the fifth anniversary of "Mission Accomplished" - the day George W. Bush stood proudly on the aircraft carrier USS Abraham Lincoln and declared major combat operations over in Iraq. 140 U.S. military personnel died before May 1, 2003. During March 2008, the number of U.S. military deaths passed 4,000. Today, Osama Bin Laden has not been brought to justice and still remains at large. I think that it is important to judge a President, his administration, and his policies by the results achieved, and not on good intentions. Now, on to today's post.]

You could have labeled today's post, "When A Bank Goes Bad." The New York Times reported on April 26:

"The Wachovia Corporation agreed on Friday to pay as much as $144 million to end an investigation that accuses the bank of allowing telemarketers to use its accounts to steal millions of dollars. The settlement, one of the largest penalties ever demanded by the federal Office of the Comptroller of the Currency, concludes an 18-month inquiry into Wachovia’s relationships with schemes that investigators say stole from thousands of victims, many of them elderly."

The New York Times also reported:

"Though Wachovia did not admit or deny wrongdoing, the investigation found that Wachovia, one of the country’s largest banks, engaged in unsafe practices — failing to conduct suitable due diligence, failing to monitor accounts used by telemarketers and failing to follow normal procedures that would probably have uncovered the thefts. The bank’s actions were “part of a pattern of misconduct” that resulted in Wachovia’s collecting millions of dollars in fees, regulators wrote. Wachovia has agreed to pay a $10 million fine, contribute $8.9 million to consumer education programs and make restitution to victims that could top $125 million."

For consumers, it's tough enough to protect yourself against identity theft and identity fraud. Your bank should not facilitate identity fraud. For background, also read this February 2008 post about Wachovia. The huge fine is great, but jail time should also apply:

"Internal Wachovia e-mail messages and documents collected as part of that lawsuit showed that high-ranking employees long knew about accusations of fraud, but that some bank workers continued to solicit business from the telemarketing companies accused of crimes. “YIKES!!!!” wrote one Wachovia executive in 2005, warning colleagues that an account used by telemarketers had drawn 4,500 complaints. “DOUBLE YIKES!!!!” But Wachovia continued processing fraudulent transactions for that account and others."

That's 4,500 complaints! Not 45, but 4,500! For perspective, the Hannaford data breach included 1,800 cases of fraud. Thankfully:

"The settlement also does not preclude the United States attorney in Philadelphia, Patrick L. Meehan, from prosecuting Wachovia or bank employees. Mr. Meehan’s office is considering a criminal investigation, according to two people close to the matter who spoke on the condition of anonymity because they are not authorized to speak to the media."

Go Meehan! This type of crap will stop when senior executives serve significant jail time. Otherwise, banks will pass along the cost of the fine to consumers and account-holders through more and higher fees or other mechanisms.

'Income Tax Return Identity Fraud' Scam Threatens Some Taxpayers' Refund And Stimulus Checks

Now that April 15 has passed and you have filed your income tax returns, you are probably thinking about how you are going to spend your tax refund checks and stimulus check. Well, most of you will receive your checks, but some may not.

Just when you thought that nothing else could go wrong with identity theft, Phuong Cat Le at the Seattle Post-Intelligencer blog reported about income tax return identity fraud:

"Earlier this week, one of my colleagues sat down at her computer to file her income tax return electronically using TurboTax. Twice, her return was rejected. The message she got back was startling: the IRS already had a tax return filed under her Social Security number. How could this be? She hadn't filed yet."

Phuong's colleague did what any of us would do, and called both the Social Security Administration and the Internal Revenue Service to resolve the problem and receive her checks. Apparently:

"A thief had filed a fraudulent tax return under her name, and would likely get her $1,000 refund, not to mention her $600 economic stimulus payment. Thus began her tedious task of clearing her name: filing a police report, filing a complaint with the Federal Trade Commission, putting a fraud alert on her credit report and mailing in her tax return with copies of her driver's license, police report and other documents to prove her identity."

More importantly, this scam appears to be on the rise:

"... complaints about this type of theft jumped 579 percent, from 3,000 to more than 20,000, between 2002 and 2007, according to an audit released this week by the Treasury Inspector General for Tax Administration. Not only are fraudulent returns on the rise, so are cases where thieves use another person's Social Security number to gain employment."

The IRS has promised a better response to identity theft/fraud, but seems to have started too late and from way behind:

"Finance Committee Chairman Max Baucus, D-Mont., said that on average it takes almost a year for the IRS to sort out who is the real taxpayer when there is an identity issue. "In the meantime the victim's tax accounts get frozen. The IRS issues no refund," he said. 'The taxpayer waits in tax limbo for months and months.' "

The Post-Intelligencer also reported:

"The IRS does not keep track of identity theft incidents and investigates and prosecutes identity theft cases only if they occur in conjunction with other criminal offenses having a large tax impact, according to a report this week from the Treasury Inspector General for Tax Administration."

This is great news for identity criminals, and very troubling news for consumers, especially if you are due a refund. It definitely reinforces the impression that the IRS is focused only on tax collections and not on data security, while it is entirely possible and appropriate to focus on both.

This situation infuriates me. If it infuriates you too, I encourage you to write to your elected officials today and demand that they act immediately to fix data security at the IRS. For those that are interested, read the full report of the audit of IRS tax collection.

Until the IRS fixes its data security holes, it may be a good idea to consult with a tax accountant to adjust your withholding to minimize the chances of a large refund check which could be stolen (and which gives the government an interest-free loan).

House Stealing: The Newest Identity Theft Scam

On March 25, the Federal Bureau of Investigation (FBI) issued a warning to consumers about a new form of fraud. The new threat:

House Stealing = Identity theft + Mortgage Fraud

According to the FBI, here's how the scam works:

"The con artists start by picking out a house to steal—say, YOURS. Next, they assume your identity—getting a hold of your name and personal information (easy enough to do off the Internet) and using that to create fake IDs, social security cards, etc. Then, they go to an office supply store and purchase forms that transfer property. After forging your signature and using the fake IDs, they file these deeds with the proper authorities, and lo and behold, your house is now THEIRS."

With the deed, criminals can sell the house right from under you and pocket the cash. According to the Boston Herald newspaper:

"It’s happened in Dorchester. Police last year arrested three people at the Suffolk County Registry of Deeds after they tried to sell the home of a former nun and Catholic school teacher out from under her. Andre J. Lamerique, 25, of Sharon, Carmella F. Lassegue, 26, of Hyde Park, and Judy A. Bonas, 51, of New York, were charged with conspiracy, identity fraud and aiding and abetting after they allegedly stole the identity of Judy Melody, 65, of Dorchester. A federal postal inspector accuses the trio of using Melody’s identity to purchase homes in Brockton and Halifax. They were caught on Jan. 23, 2007, when they allegedly attempted to use the same scheme to sell Melody’s home. Lamerique is in custody awaiting trial, federal court papers show. Lassegue and Bonas are free on bail."

I find it odd when researchers claim that identity theft instances are decreasing. New trends like House Stealing are direct evidence otherwise. Identity criminals constantly change their tactics, which provides a challenge for researchers and government agencies to track the appropriate statistics to accurately measure identity theft instances. According to the Boston Herald:

"While the FBI does not maintain statistics for specific types of mortgage fraud, they know the crime of home theft is on the rise. In Fiscal 2007, financial institutions alerted law enforcement to 46,717 examples of mortgage fraud suspicious activity reports... Just a part of the way through Fiscal 2008, that figure has nearly reached the 30,000 mark."

Experts predict that mortgage fraud could increase to 60,000 in 2008. The FBI recommends the following to protect yourself from this new scam:

• If you receive a payment book or information from a mortgage company that’s not yours, whether your name is on the envelope or not, don’t just throw it away. Open it, figure out what it says, and follow up with the company that sent it.
• From time to time, it’s also a good idea to check all information pertaining to your house through your county’s deeds office. If you see any paperwork you don’t recognize or any signature that is not yours, look into it.

According to the FBI, this new scam is rare. Of course, contact your local police, the FBI, and file a complaint with the FTC if you have been victimized.

The State Of Missouri Launches New Anit-Fraud Web Site For Consumers

According to the Springfield News-Leader:

"Missourians concerned about fraud have another resource to protect themselves, according to the Missouri Secretary of State’s office. It is a new Web-based Missouri Investor Protection Center, www.MissouriSafeSavings.com created to help educate investors about potential scams... The Web site provides information on wise investing, recognizing and avoiding fraud and exercising investor rights."

The Missouri Secretary of State Office (SOS) built the web site to address the need for increased protection of Missouri seniors and their investments. The site also features:

• Senior Investor Protection Unit: a staff of attorneys, investigators, auditors and education specialists who investigate "new cases with senior-specific issues, provides investor education and holds outreach and education events"
• An online game to raise awareness about fraud scams and threats/li>
• Additional print publication and online resources

Congratulations to the Missouri SOS for providing this site to their residents. A good next step for the Missouri SOS would be to display online companies' data breach notification letters like New Hampshire does, so Missouri residents have a reliable source to see which companies aren't protecting their sensitive data.

Hannaford Data Breach

The Hannaford Brothers grocery chain has received a lot of attention during the last week. On March 18, the Boston Globe reported:

"Hannaford Bros. supermarket chain yesterday said a breach of its computer system potentially exposed 4.2 million credit and debit card numbers and has led to about 1,800 fraud cases to date. The data breach affected customer cards used at more than 270 stores in states including Maine, Massachusetts, New Hampshire, New York, and Vermont, Hannaford said, and lasted from December until early March. The Secret Service is investigating, said spokesmen for Hannaford and the federal agency."

There's no getting around the fact that 4.2 million debit card and credit card numbers are a lot. Not as much as the TJX/TJ Maxx breach and data security debacle, but a lot nonetheless. Hannaford's response:

"A Hannaford spokeswoman, Carol Eleazer, said the company is still investigating the specifics of how data was taken..." In a statement posted to Hannaford's website, chief executive Ronald C. Hodge wrote that the data "was illegally accessed from our computer systems during transmission of card authorization."

During the transmission? An MSNBC report on March 20 seemed to best explain this:

"While thieves have commonly pilfered payment card data sitting in databases maintained by merchants or card processors, the Hannaford episode appears to represent a new line of attack: the first large-scale piracy of card data while the information was in transit. "Catching data on the move is a bit more challenging," said Aaron Bills, chief operating officer at 3Delta Systems Inc., a transaction processing firm in Chantilly, Va. He compared it to robbing a truckload of merchandise: It's easier when the vehicle is parked than when it's zooming down a highway."

Okay, I get it: identity criminals are computer-savvy and smart enough to find holes in computer systems to hack into. The criminals are also fast: within a month they generated at least 1,800 reports of identity and credit card fraud. The MSNBC article also highlighted two important points about the Hannaford data breach. First:

"But the specifics of the crime, revealed this week, included some troubling twists that might expose big holes in the payment industry's security standards. For one thing, Hannaford said this sensitive data were exposed when shoppers swiped their cards at checkout line machines and the information was transmitted to banks for approval."

Second:

"... that Hannaford was found — while the hack was still going on last month — to be in compliance with the security standards required by the Payment Card Industry, a coalition founded by credit card companies. The PCI group sets rules governing such issues as how employees should be screened and precautions against hackers, but it does not audit companies like Hannaford to ensure compliance. That is performed by outside assessors. The identity of Hannaford's auditor was not disclosed.

This is important because:

"The fact that Hannaford could be considered up to snuff and yet still be vulnerable to a big heist raised questions about whether other merchants — and by extension, their customers — are falsely confident about their security."

The MSNBC article added:

"... the [PCI] standards require companies to encrypt data that travels over computer networks "that are easy and common for a hacker to intercept." Whether certain internal networks are "easy and common" to crack is a matter of judgment... Hannaford would not discuss specifics of its security system, so it was unclear to what extent its stores encrypted payment data throughout the transmission process."

That's just peachy. First, the rules aren't strong enough to guarantee compliance. Second, the rules are loose enough to allow retailers to cut corners and not encrypt our sensitive personal data throughout the retailers' entire data transmission process. Why?

"But in practice, encryption often goes unused at certain points in a data-processing chain because the computing power it requires can slow down transactions, especially on older hardware."

One industry expert emphasized as a solution:

"... the biggest lesson is that the banking industry needs to make it harder for thieves to put stolen credit card data to use. Requiring PINs on credit card transactions would remove 75 to 90 percent of the fraud in the system."

InformationWeek reported:

"A retailer's [PCI] compliance status matters: The penalties for noncompliance are significant, and the card brands can fine the retailer while also raising the transaction fees levied for each credit or debit card transaction. A finding of noncompliance also will be potent ammunition for inevitable lawsuits. The big loser: consumers."

Yes, we consumers are the big loser. We consumers end up paying:

• Higher credit card fees and/or higher interest rates from credit card issuers to cover their expenses to issue replacement cards and accounts. While identity theft victims enjoy the $50 credit card liability limit, credit card issuers cover their identity theft expenses by charging higher fees and rates to all credit card holders
• Higher banking fees, because banks must issue replacement debit cards and accounts. A few generous banks may also replace the stolen monies. Banks charge higher fees, and fees on a wider range of transactions, to cover their identity theft expenses, too.

In my opinion, the consequences and fines to retailers still aren't severe enough. In both scenarios above, the companies pass along their increased costs to consumers. While replacement credit cards with $50 maximum liability is great, one year of free credit monitoring for identity theft victims isn't enough.

The good news just kept coming. More stores were affected by the Hannaford breach. Also on March 20, the Albany Times Union reported:

"Independent stores in Ravena and Schaghticoke affiliated with Hannaford were also affected by the recent hacking of customer credit card numbers, the Scarborough, Maine-based supermarket chain said today. The company’s Web site lists more than 20 independents around the Northeast that had credit card information stolen as a result of the security breach. Hannaford supplies the Ravena and Schaghticoke stores, which operate under the Shop ‘n Save name, but does not own them. In September, Hannaford purchased formerly independent stores in West Sand Lake and Voorheesville."

Several class-action lawsuits have already been filed against Hannaford in New Hampshire, Maine and Pennsylvania. What's a consumer to do?

1. Contact your bank and credit card issuer, if you shopped and paid with plastic at Hannaford between Dec. 7, 2007 and March 10, 2008.
2. If you continue to shop at Hannaford, use your credit card and not a debit card to get the best protections. Or use cash.
3. If you are a Hannaford identity theft victim, read closely any correspondence you receive from the company. File a police report for any monies stolen or abuse of your financial accounts. Place a Fraud Alert on your credit reports. Monitor your credit reports closely for abuse, since criminals may use your stolen personal data to try to take out new credit in your name. If Hannaford offers free credit monitoring, accept their offer if you don't already have a credit monitoring service. Watch the news to see if you qualify for any of the class-action lawsuits.
4. Read the I've Been Mugged blog. During the coming weeks, I will post on this blog reviews of several credit monitoring services. There is a link in the top of the right column to sign up for alerts via e-mail.

LifeLock Recommends Stronger Fraud Laws

An earlier post discussed the lawsuit Experian filed against LifeLock. It seems that LifeLock is fighting back. According to the Arizona Republic:

"LifeLock Inc.'s chief executive officer is taking the offensive by proposing sweeping changes to how the three major credit bureaus operate as the company prepares for a potentially bitter legal battle with Experian. Todd Davis, co-founder and CEO of Tempe-based LifeLock, kicked off a multi-state tour this weekend in which he is urging businesses and consumers to demand that their legislators do more to fight identity theft and fraud."

Davis wants Fraud Alerts extended from 90 days to at least one year. According to the news report:

"The fraud alerts are at the heart of a lawsuit that Experian filed against LifeLock almost two weeks ago in U.S. District Court for the Central District of California. LifeLock charges customers $10 per month for its service, which includes signing them up for the temporary alerts with the three credit bureaus every three months."

It's important to note that the credit bureaus are mandated by law to provide the fraud alerts for free to consumers. The credit bureaus also offer for-fee credit monitoring services like LifeLock's service. (See the listing in the right column.) So, Experian's claim that Lifelock charges what Experian is forced to do for free, seems weak since it seems to ignore Experian's credit monitoring services.

The other change proposed by LifeLock:

"Davis said he hopes consumers will pressure their legislators to introduce measures that impose tougher prison standards for people convicted of ID theft and related crimes and limit the use of personal information, among other changes."

The article doesn't explain what Davis means by, "tougher prison standards for people convicted of ID theft..." and by, "...limit the use of personal information." If LifeLock is truly promoting changes for the consumers' benefits, I hope that their proposal includes:

• Restitution by the criminals for identity-theft victims
• Emphasis and funding for law enforcement to pursue identity-theft criminals. (Unfortunately, in the latest FTC report 8% of identity theft victims tried to file a police report and it wasn't taken. That's 8% too much)
• Clearer, consistent legislation across states about what consumers' personal data companies can archive, how they must protect it, and what items must be purged by when
• Consistent "Shine The Light" notification laws across states (requiring retailers to disclose where consumers' personal data is shared)
• Consistent data breach notification laws across states
• Consistent anti-skimming laws across states
• Stronger legislation to protect whistle blowers, and stronger penalties for companies and individuals who abuse them
• Suggestions to to strengthen data security among small businesses

A LifeLock press release mentions the company's tour through several Southeastern states, but doesn't mention any of the above details. Rather, Experian and Lifelock seem to be fighting over who gets the money from consumers in the growing credit monitoring services marketplace. But there's more:

"Davis argues that Experian doesn't want to spend the time or money to help all the consumers seeking protection. "What Experian is counting on is if a consumer has to renew this every 90 days, they won't stick with it," Davis said by telephone from Florida on Monday afternoon."

The news report quoted Equifax spokesman David Rubinger as saying:

"We believe (a 90-day fraud alert) provides ample time for a consumer to determine if they've been a victim of identity theft, and of course it can be renewed in a matter of minutes if they still need more time," Rubinger said.

Hmmmm. I definitely disagree with Rubinger's statement.

I started writing this blog after IBM exposed my personal data in February 2007. As I researched the identity theft issues, I found that current business practices heavily favor companies making money by trading consumers' personal data, while consumers bore an unfair portion of the risks after a data breach.

So far, nothing negative has appeared yet on my credit reports from IBM's data breach. For all I know, the identity thieves could still be trying to break the encryption on IBM's data tapes. Rubinger seems to suggest that after 90 days identity thieves would give up trying to crack the encryption on IBM's data tapes. That assumption sounds totally ridiculous to me. From everything I've read, identity thieves are persistent, so it seems wise to assume a continual threat and act accordingly. Plus, the value of consumers' personal data has a long life.

IBM still hasn't caught the perpetrators and still employs the same delivery service which lost their data tapes over a year ago. Like many other consumers, I placed consecutive Fraud Alerts on my credit reports when I first learned of the IBM data breach. Experian and LifeLock can fight all they want about Fraud Alerts. To me, the stronger tool for consumers is the Security Freeze tool.

But, a Security Freeze won't protect consumers against all types of identity fraud. As a nation, we seem to be in our infancy regarding effective identity theft legislation that balances the needs of both consumers and companies.

2008 Identity Theft Survey - Javelin Research (Part Two)

Yesterday's post discussed the results of the latest identity theft and identity fraud survey in the USA by Javelin Research. In it's report, Javelin recommended the following for consumers to detect identity theft and identity fraud:

• Monitor your bank and credit card account activity regularly. Check the activity online, via phone, or via ATM machine
• Use e-mail or telephone alerts to monitor activity on your accounts. Activity can include deposits, withdrawals, balance transfers, specific charges, address changes, new names added to your accounts
• Javelin emphasizes that the longer it takes a consumer to detect fraud, the greater the amount stolen

Javelin recommends the following for consumers to resolve identity theft and identity fraud:

1. Contact your bank or credit card company immediately
2. Close any accounts that have been compromised
3. Ask your financial provider about fraud resolution teams or services to help you fix your credit and recover any money lost
4. Place a Fraud Alert on your credit reports at all three credit bureaus
5. Know the data breach notification rights in your state. When an employer or prior employer  loses your personal data (or it is stolen), in many states that company is required by law to notify you of that loss/theft. Other rights, such as free credit monitoring services, may also be available to you in your state
6. Consider placing a Security Freeze on your credit reports at all three credit bureaus. this will prevent criminals from opening new accounts and obtaining credit in your name. Some states require a Security Freeze to be free to identity theft victims
7. File a report with the local police
8. Notify the U.S. Federal Trade Commission (FTC). The FTC tracks complaints and identity theft activity
9. Consider signing up for a credit monitoring service, which can help you monitor your credit reports at the three credit bureaus

While all of the above items are solid and valuable recommendations, they focus on financial identity fraud. Unfortunately, there are so many ways criminals can abuse stolen personal data. They can use it to commit medical identity fraud, insurance identity fraud, criminal identity fraud, obtain a fraudulent driver's license, or apply fraudulently for a job, and none of these activities will show up on your credit report.

If that sounds awfully scary, it is. And it should scare you. This is the current state of U.S. business and government systems. A good first step would be to write to your elected officials and ask them what they plan to do about it.

2008 Identity Theft Survey - Javelin Research (Part One)

Last week, I spent some time reading the "2008 Identity Fraud Research Report" by Javelin Strategy And Research. Javelin survey about 5,000 adults and identity-theft victims in the United States. Key findings from the survey:

• There is a difference between "Identity theft" and "Identity Fraud." Identity Theft is when, "your personal information is accessed by someone else without your explicit permission. Identity Fraud occurs when a criminal takes the illegally-obtained information to use it for financial gain."
• The most common ways criminals steal consumers' personal data: lost/stolen wallets (33%); "shoulder surfing" while conducting a transaction (23%); "friendly" theft by family members oro others you know (17%); online (12%); and data breaches (7%).
• Vishing is on the rise. Vishing is a phone-based version of the phishing scam. Vishing is when criminals attempt to trick a consumer into providing personal data over the phone. In some instances, criminals contact consumers fist via e-mail with a bogus phone number for replies

So, what can consumers do to protect themselves? Javelin recommends a 3-step approach (e.g., Prevention, Detection, Resolution) similar to the U.S. Federal Trade Commission (e.g., Deter, Detect, Defend). The basic idea is that consumers should use a range of methods to protect their personal data, since criminals use a variety of methods to steal personal data.

Javelin recommends the following to prevent identity theft and identity fraud:

• Protect your personal computer, laptop, PDA, and mobile phone with paswords
• Do not use PIN numbers or passwords that are easily guessed (e.g., birthdays, your maiden name, your kids' names, your pet's name, etc.)
• Shred sensitive documents before placing them in the trash
• Use a locked mailbox or a Post Office Box for your snail mail
• Do not leave documents with your personal data laying around, especially documents with your bank account numbers or social security number
• Monitor your online accounts (e.g., bank, credit card, retirement, and othe financial accounts) for suspicious or unauthorized activity
• Move your paper financial statements to online accounts. Avoid paying bills with checks, and instead pay via online banking
• Review your credit reports at least once a year. You can visit annualcreditreport.com or call toll-free at (877) 322-8228

Tomorrow: more recommendations by Javelin.

2008 Consumer Fraud and Identity Theft Complaint Data (FTC)

Last week, I took the time to read the latest 90-page identity theft report from the U.S. Federal Trade Commission. The FTC issued the "Consumer Fraud and Identity Theft Complaint Data" report in February 2008. The report covers consumer complaints submitted to the Consumer Sentinel database during January through December 2007. Highlights:

• During 2007, the FTC received 813,899 consumer fraud and identity theft complaints; up 21% over 2006
• During 2007, consumers reported losses of $1.2 billion, slightly more than in 2006
• 3% of consumers lost more than $5,000. About 10% lost between $1,001 and $5,000
• The 5 leading complaint categories were Identity Theft (32%), Shop-at-home/Catalog Sales (8%), Internet Services (5%), Foreign Money Orders (4%), and Prizes/Sweepstakes/Lotteries (4%)
• The payment methods in these complaints included credit cards (33%), wire transfers (28%), bank account debit (17%), personal checks (10%), money orders (7%), and cash advances (3%)
• Total complaints by the age of the consumer: 40 - 49 (23%), 30 - 39 (21%), 50 - 59 (20%), and 20 - 29 (16%)
• Identity theft complaints by age of the consumer: 18-29 (28%), 30 - 39 (23%), 40 - 49 (19%), and 50 - 59 (13%)

It's important to emphasize that the above is based on actual complaints submitted by consumers, and not a survey. In my experience, most consumers do not file complaints with the FTC, so the above numbers are probably far higher.

Regardless, identity theft seems to be a growing problem since both the number of complaints and the amount of losses have increased.

Two really sad aspects to this report are a) the lack of involvement by consumers, and b) the lack of consistent response by law enforcement. 65% of victims did not file a police report. That is both sad and unacceptably high. 27% of victims did file a police report which was accepted by local law enforcement. 8% of victims tried to file a police report and it was not accepted.

Identity criminals probably feel encouraged by those results. Almost two-thirds of victims don't both filing a police report, which could aid inthe capture and prosecution of identity thieves. And, 8% of victims tried to get help from local loaw enforcement and couldn't get that help.

The report also provides statistics for identity theft victims by state:

1. Arizona - 137.1 (identity theft complaints per 100,000 population)
2. California - 120.1
3. Nevada - 114.2
4. Texas - 107.9
5. Florida - 105.6
6. New York - 100.1
7. Georgia - 91.6
8. Colorado - 89.0
9. New Mexico - 87.5
10. Maryland - 85.8

My state, Massachusetts, ranked #23  with 66.5 identity theft complaints per 100,000 population. North Dakota was #50 with 28.5 identity theft complaints per 100,000 population.

I'm not sure how relevant these numbers are since Internet-based identity thievery is largely geography independent

Wachovia Conspires With Telemarketing Fraudsters?

Thanks to Catherine for sharing this New York Times article. This news story caught my eye, not because Wachovia is the fourth largest bank in the USA, but because later this Spring I plan to review and compare the credit monitoring services offered by the major banks.

Anyway, according to the New York Times article, Wachovia did business with (and made big profits from) several telemarketing firms even though the bank allegedly knew in advance that these telemarketers had received numerous complaints:

"Last spring, Wachovia bank was accused in a lawsuit of allowing fraudulent telemarketers to use the bank’s accounts to steal millions of dollars from unsuspecting victims. When asked about the suit, bank executives said they had been unaware of the thefts. But newly released documents from that lawsuit now show that Wachovia had long known about allegations of fraud and that the bank, in fact, solicited business from companies it knew had been accused of telemarketing crimes. Internal Wachovia e-mail, for example, show that high-ranking employees at the nation’s fourth-largest bank frequently warned colleagues about telemarketing frauds routed through its accounts."

Telemarketing fraudsters are usually companies that contact consumers via phone offering a service or product that may not ever be delivered, and/or the consumer is overcharged. And, it gets worse:

"Moreover, executives at other banks, including Bank of America, Wells Fargo, Citizens Bank, the Social Security Administration, and the Justice Department Federal Credit Union also warned Wachovia multiple times that its accounts were being used for fraud, according to the lawsuit against the bank."

A judge will likely rule on this class-action lawsuit during the summer. Want to read more? The Boston Globe and Reuters also covered the story. The Street called the Wachovia story one of the "Five Dumbest things On Wall Street."

Banks handle and store our money. We consumers place a lot of trust in them. So, banks should operate in a manner that is transparent and reinforces consumers' trust. It seems that Wachovia either forgot this or ignored it during its rush to make money.

A New Kind Of Identity Theft?

Last Friday, the CBS television affiliate (WBZ-TV) in Boston ran a news story about, "A New Form of Identity Theft." Apparently, an identity thief targeted and stole money from several women with the same name:

"The identity thief was posing as Lisa White. White never even owned a credit card until someone stole her identity and opened up 17 accounts using her Social Security and drivers license numbers. Now comes Lisa White, of Monson. She too is a victim of identity theft and is trying to cancel some $13,000 of debt someone spent on store accounts using her Social Security and license numbers... Then there's Lisa White from Somerset, who is also stuck with a pile of mystery credit cards. A thief stole her identity and wracked up about $35,000 of dept that she had nothing to do with."

The police haven't caught the identity thief yet, but they do have the thief on video tape. reportedly, about ten people in Massachusetts with the same name have reported problems.

My guess: this isn't a new type of identity theft. Rather, the police haven't yet discovered the connection, which may be very subtle. If all of the victims use the same bank, the police aren't saying. If not that, then it may be an inside job at the Social Security Administration or another equivalent state agency, like the Registry of Motor Vehicles or the Massachusetts Department of Revenue. That would explain why the thief did not steal the victims' existing credit card numbers, but instead opened new lines of credit with the victims' social security numbers.

Online Privacy Concerns Increase

The Associated Press news services reported the results of a new survey by the University of Southern California's Center for the Digital Future:

"Privacy concerns stemming from online shopping rose in 2007, a new study finds, as the loss or theft of credit card information and other personal data soared to unprecedented levels. Sixty-one percent of adult Americans said they were very or extremely concerned about the privacy of personal information when buying online, an increase from 47 percent in 2006. Before last year, that figure had largely been dropping since 2001.  People who do not shop online tend to be more worried, as are newer Internet users, regardless of whether they buy things on the Internet..."

In 2007, about 57% of survey respondents were very or extremely concerned about credit card security. In 2006, the same number was 53 percent. In 2007, about two-thirds of adult Internet users shop online, compared with just 50 percent in 2006. Most spend $100 or less a month, and two-thirds of online shoppers have reduced buying at brick-and-mortar stores. The survey included a random selection of 2,021 Americans contacted from Feb. 28 to Aug. 6, 2007.

More survey results about online usage:

"... online parents are more likely than ever to withhold Internet use as punishment — 62 percent in 2007, compared with 47 percent a year earlier and 32 percent in 2000... Nearly two-thirds of parents, meanwhile, worry about kids participating in online communities and about half believe online predators to be a threat..."

Twice Bitten: Acts of Stupidity Can Lead to Identity Theft

Chris Soghoian has an excellent post in his C/Net Surveillance State blog:

"A British TV presenter has learned the hard way that identity theft is serious, and in the process, become the joke of the moment for privacy bloggers. More importantly, this is the second time in just one year that such a thing has happened."

Soghoian wrote:

"Jeremy Clarkson, host of the BBC show Top Gear, recently wrote an article for the U.K.'s Sunday Times in which he ridiculed the uproar that had occurred after the British government admitted to losing two compact discs containing the personal information on 25 million people. To prove his point that there was no risk of financial fraud for those consumers, he published his bank account details, and instructions on how to locate his address."

Clarkson quickly changed his opinion of identity theft after an identity thief used Clarkson's data to create an automatic bank transfer to the Diabetes UK charity.

Recently, a friend in Oakland called to ask me about Lifelock. Soghoian has clearly "connected the dots," since he also wrote about Lifelock in the same post:

"Todd Davis is the CEO of LifeLock, a company that offers a mostly useless $10 per month identity theft protection service. In an effort to eat his own dogfood, and promote his company's service, Mr. Davis includes his social security number in all of the company's advertisements--see here. A full page ad in this week's USA Today had his SSN listed in big letters. Making a mockery of LifeLock's identity theft protections, a Texas man in 2006 was able to secure a $500 payday loan with Mr. Davis' social security number."

If you are considering Lifelock for a credit monitoring service, I also encourage you to read this Phoenix New Times article before making a decision.

Chase Harasses A Credit Card Fraud Victim

This post at the Consumerist blog is a worthwhile read. Brandon's story highlights how a company can harass an identity theft victim instead of working with the victim to resolve the fraud. Brandon's story:

"In January 2007, I was traveling in Mexico and was mugged, having my wallet and passport stolen. By the time I got back to the hotel and began calling my credit card companies to cancel, the criminal had charged close to $3,000 on my CHASE Circuit City Visa card. I explained to CHASE that the charges were fraud, and they sent me a fraudulent charge affidavit to complete and have notarized. As I couldn't take care of this until I returned from my trip, and had more important things like a passport to worry about, I waited a few weeks before completing the paperwork and during those weeks received those weeks received about 2 calls a day from CHASE urging me to send the documents."

According to the post, Brandon did a lot of things correctly. He completed the necessary documents and communicated with Chase in writing. The post includes a copy of Brandon's correspondence. But, Chase continued harass him for payment.

The best advice (from the Consumerist) is at the end of the post:

"You called and reported the fraud the day of, and yet they're still trying to collect. Under federal law, you have no responsibility for unauthorized charges after reporting loss or theft of a credit card. That you waited a few weeks to send in the papers doesn't matter. Worst case scenario, your maximum liability is $50. Have you sent them a "drop-dead" letter? Or a letter of dispute? Include the information in the preceding paragraph in your letter. You could also try kicking it up to Chase executive customer service: 1-888-622-7547 - extension 4350 or 847-488-6833, or 888-622-7547 x 6833."

Is Second Degree Harassment Appropriate Punishment For This Cyber Crime?

Thanks to Jonathan Feeley for alerting me to this very interesting, if not bizarre, news item from the Boston Globe newspaper:

"A 34-year-old Uncasville woman has been charged with using the Internet to try to get revenge on an old boyfriend by breaking up his marriage. Pilar Stofega has been charged with second-degree harassment and breach of peace and released on $2,500 bond."

What Stofega did:

"... she created phony profiles of the former boyfriend's current wife on some adult Web sites that included the wife's home and work phone numbers and high school yearbook picture."

Stofega did this to create marital problems between her former boyfriend and his wife. Was this identity theft? Or Fraud? Does the punishment fit the crime? To me, Stofega's actions clearly meet the definition of fraud:

"Deceit, trickery, sharp practice, or breach of confidence, perpetrated for profit or to gain some unfair or dishonest advantage." [Source: Dictionary.com]

"Intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right." [Source: Merriam-Webster]

Not all harm to fraud victims is necessarily financial loss. Stofega clearly intended to cause harm by breaking up the victim's (wife's) marriage; plus, perhaps emotional distress to the victim and her husband. One could argue that a divorce would have had financial impacts, too.

Perhaps more importantly, Stofega didn't have the wife's permission to use the wife's identity, phone numbers, and picture to create phony profiles of the wife at social networking sites. So, Stofega's actions seem to meet the standard of identity theft, too... access to personal data the thief shouldn't have access to nor a right to use.

A consumer must be able to control their identity and their personal data. Stofega's crime is enough to give users of social networking sites, like Facebook and My Space, some pause about the personal data they share publicly. (See my prior post about warnings for social networking site users.) The person you date today could fraudulently abuse you online tomorrow.

So, does the punishment fit the crime? I say no. The punishment is not strong enough. What do you think?

Bipartisan Bill Toughens Laws And Penalties For Identity Theft and Fraud

So far, I have not written about Federal identity theft and fraud legislation. That will change starting with this post.

On Tuesday October 16, Senators Patrick Leahy (D-VT) and Arllen Specter (R-Pa.) introduced a new bill, the Identity Theft Enforcement and Restitution Act of 2007 (S 2168), to provide federal prosecutors with new and stronger tools to fight identity theft and online crime. This new bill builds upon prior proposed legislation. Features of the new bill:

• "Give victims of identity theft the ability to seek restitution for the loss of time and money spent restoring credit and remedying the harms of identity theft; "
  
• "Expand the jurisdiction of federal computer fraud statutes to cover small businesses and corporations;"
• "Eliminate the prosecutorial requirement that sensitive identity information must have been stolen through an interstate or foreign communication and instead focuses on whether the victim's computer is used in interstate or foreign commerce, allowing for the prosecutions of cases in which both the identify thief's computer and the victim's computer are located in the same state; "
  
• "Make it a felony to employ spyware or keyloggers to damage ten or more computers regardless of the aggregate amount of damage caused, ensuring that the most egregious identity thieves will not escape with a minimal, or no, sentence;"
• "Eliminate the requirement that the loss resulting from damage to a victim's computer must exceed $5,000; under this bill violations resulting in less than $5,000 damage would be criminalized as misdemeanors; "
  
• "Add the crime of threatening to obtain or release information from a protected computer to the definition of a cyber crime and expands the definition of a cyber crime to include demanding money in relation to a protected computer, where the damage to the victim computer was caused to facilitate the extortion. By expanding this definition, violators of this provision are subject to a criminal fine and up to five years in prison."

Access to restitution. Stronger penalties. Enhanced powers for federal prosecutors. All of this sounds good to me, especially since identity theft crimes do severe damage and are, obviously, premeditated. I also like the bipartisan support of this new bill.