What a remarkably interesting and informative search this was!
Youre correct that identity theft has become quite a problem in the
US. In fact, its the fastest growing crime in America, to which
nearly 200,000 American citizens fall victim each year. According to
the Federal Trade Commission, fully 43 percent of complaints to that
agency are about identity theft. Huge is probably a vast
understatement, when one considers how fast this crime is growing
the numbers are expected to only increase. According to the Aberdeen
Group, this increase is projected to continue at a rate of 300% per
To start, its probably a good idea to understand exactly what
identity theft is. Identity theft is the process of using another
persons identifying information (Social Security number, address,
phone number, drivers license number and any other information the
would-be thief is able to gather) in order to fraudulently obtain
credit cards, access bank accounts, apply for loans, apply for a job,
rent an apartment or even file for bankruptcy in the victims name.
With enough identifying information, a thief can obtain a fake
drivers license or state ID card with your name (but with their
picture!), and use it to open dozens of fraudulent accounts virtually
anywhere. Whats more, the fraudulent activity can continue for years
before being noticed. Most victims do not become aware that theyve
been victimized by identity thieves until they apply for a credit card
or loan and are inexplicably turned down. Often, by the time they
realize what has happened, the thief has already moved on to a new
victim, making it difficult to trace and catch the perpetrators.
When dealing with a complex topic such as this one, I find it easier
to present findings when they are broken down. Since youve asked a
series of questions, youve done part of the breaking down for me. I
shall answer each question individually, and will include source URLs
at the very end of the answer.
1. Why is there so much ID theft despite these tools? Where is the
No tool is foolproof, and while tools such as Equifaxs ID Verify can
be useful, they arent quite as secure as one might think:
Lenders are the most vulnerable to identity theft fraud at new
account opening, where even the most sophisticated forms of
identification (biometrics for example) are of no value. The best way
for lenders to put a dent in this type of loss is to prevent the
stolen identity from being used in the initial loan application
process. The problem with this approach is that technology to
authenticate a persons identity at the point of sale is not mature
and the loss associated with identity theft so random and
unpredictable that financial services institutions (unless they have
been involved in substantial losses of this type) have been unable to
justify the IT expenditureslet alone fund research and development.
Identity Theft: Lenders Are Victims, Too
The number one reason there is so much identity theft in spite of
tools used by lenders to verify identity is probably not going to be a
surprise to you.
The fact is, with enough information gathered from public records and
from other people, thieves can easily circumvent such verifications.
Sometimes, even the consumers themselves are unwittingly complicit!
Those verification tools might be used by bank lenders, but when was
the last time you were asked to verify your identity by a credit card
company in order to obtain an account? My seven year-old gets
pre-approved credit card offers all the time! True confession time:
In college, my cat received a pre-approved credit card offer (we
always put his name on our magazine subscriptions). We sent it in,
with my income information on it. Friedrich J. Schiller-Katze (my
cats full name) got a credit card about 2 weeks later, to our great
startlement. (We cut it up, sent it back and closed the account. But
see how easy it was to get it to begin with?)
So. How do identity thieves get their information and set about
damaging your credit? Youd be surprised at how easily they manage:
-- stealing records from an employer or bribing an employee with
-- posing as a person in a position of authority to obtain information
from employees with access to personal information
-- dumpster diving the practice of fishing through trash, either
that of businesses or residences, to obtain discarded documents.
-- mail theft, including utility bills, credit card statements,
pre-approved credit card offers, tax forms, and bank statements. This
is accomplished by either plain vanilla theft (straight from the box)
or by filling out a forwarding order at the post office to have your
mail sent elsewhere for a while.
-- obtaining copies of public records such as deeds, marriage
certificates, liens, bankruptcy records and business licenses or
applications. This can be done online or through the mail, for
-- theft of purses or wallets. Quick, whats in your wallet? If your
wallets contents resemble this checklist, youre at risk:
MY WALLET or PALM PILOT HAS BEEN LOST OR STOLEN: What should I do?
-- abusing their employers access to credit reports (if the thief
works in a financial institution)
-- posing as a landlord, prospective employer or another person who
may legally access credit reports in order to obtain them
-- pretexting or social engineering, the process by which someone
obtains your sensitive information directly from you simply by
pretending to be someone in a position of authority and asking your
For a scary example, lets turn to Paul Mungo and Bryan Cloughs 1992
tome, Approaching Zero: The Extraordinary World of Hackers,
Phreakers, Virus Writers, and Keyboard Criminals. The prologue deals
with a hacker named Fry Guy hes fifteen, and he steals credit
Hi, this is Joe Boyle from CSA
Credit Systems of America, he had
said, dropping his voice two octaves to sound older a lot older, he
hoped than his fifteen years. He also modulated his natural
midwestern drawl, giving his voice an eastern twang: more big city,
I need to speak to your credit manager
whats the name? Yeah,
Tom. Can you put me through?
Tom, this is Joe Boyle from CSA. Youve been having some trouble
with your account?
Tom hadnt heard of any trouble.
No? Thats really odd
Look, Ive got this report that says youve
been having problems. Maybe theres a mistake somewhere down the
line. Better give me your account number again.
And Tom did, obligingly reeling off the eight-character code that
allowed his company to access the CSA files and confirm customer
credit references. As Fry Guy continued his charade, running through
a phony checklist, Tom, ever helpful, also supplied his stores
confidential CSA password. Then Fry Guy keyed in the information on
his home computer. I dont know whats going on, he finally told
Tom. Ill check around and call you back.
Fry Guy had discovered that by sounding authoritative and
demonstrating his knowledge of computer systems, most of the time
people believed he was who he said he was. And they gave him the
information he asked for, everything from account codes and passwords
to unlisted phone numbers.
[ Excerpted from Approaching Zero: The Extraordinary World of
Hackers, Phreakers, Virus Writers, and Keyboard Criminals, by Paul
Mungo and Bryan Clough. © 1992, Random House, New York. pp. ix-x. ]
Did that make the hair on the back of your neck stand up? It should.
It happens every day.
Even worse, thousands of consumers are swindled each year by
responding to spam that appears to be a legitimate communication from
a company they do business with. They hand over sensitive account and
personal contact information, not realizing until later that theyve
been the victims of identity theft:
Thousands of consumers apparently received an unauthorized and
deceptive email from Best Buy, entitled Fraud Alert, on June 18,
2003. Using concern about a purchase from Best Buy and possible credit
card misuse as bait, the fraudulent email message urged recipients to
go to a special Web site and correct the problem by entering their
Social Security and credit card numbers.
Fraudulent Email Seeks to Capture Consumer Information
Over the past week, users of eBay's online payments service have been
receiving e-mails masquerading as official PayPal alerts, eBay
spokesman Kevin Pursglove confirmed Friday. The messages ask recipents
to submit bank and credit card details.
Tricks involving bogus e-mail posing as legitimate messages from eBay
and PayPal are nothing new. However, the latest spoof e-mail--which
included a PayPal logo, links to PayPal's site and official-looking
fine-print--appeared particularly convincing, said Brenda Frymire, a
PayPal user in San Ramon, Calif., who received the e-mail Thursday.
The e-mails tell recipients that their PayPal accounts have been
randomly selected for maintenance and placed on "Limited Access"
status. The message, which appears to come from firstname.lastname@example.org,
instructs the account holder to enter credit card and bank account
numbers in an online form embedded in the e-mail.
E-mail scam tries to fool PayPal users
Once a con artist has commandeered an account, the process of
defrauding buyers out of potentially tens of thousands of dollars
while evading detection becomes that much easier.
While many of the eBay spoof sites are intended just to take over an
eBay identity, others appear designed to grab the whole identity kit
One site attempts to glean not only the eBay user's name and password,
but the visitor's complete credit card information, billing address,
phone numbers, bank account routing number, checking account number,
social security number, debit card PIN, mother's maiden name, date of
birth, and driver's license number.
Identity Thieves Strike eBay C-Net News
[ For more examples, including copies of the PayPal and eBay scam
Learn How to Avoid Scams and Fraud
Until consumers wise up and stop giving their private information to
anyone who asks (and start shredding or burning their old financial
documents), it would appear that identity theft will always be a
2. How much money do the banks and lenders lose a year on ID theft?
The Federal Trade Commission estimates that US financial institutions
lost more than $343,000,000 to identity theft in 2002. In 2003, the
Tower Group reported that US lenders lose $1 billion, annually.
Estimates by Bostons Aberdeen Group indicate that total US losses may
reach as much as $73.8 billion by the end of 2003, and $2 trillion by
the end of 2005.
3. What data do credit bureaus collect, how updated is it?
Contrary to popular belief, credit bureaus do not collect every minute
detail of a persons life. The information they are permitted to
collect is carefully regulated, and how and to whom the information is
released is likewise carefully regulated.
Americas three credit reporting agencies (TransUnion, Equifax and
Experian) collect your personally identifying information (name,
address, date of birth, Social Security Number), employment
information (where you work, what your position is, how long youve
worked there, what your salary is), banking information (where you
bank, what sort of accounts you have with your bank), information
about any criminal convictions, and information about your credit
accounts. This information includes the name of your creditor, your
account number with that creditor, the amount of the loan or line of
credit, the balance outstanding on the loan or line of credit, the
minimum monthly payment, and your payment habits (whether youre on
time, occasionally late, habitually late or delinquent). The agencies
also keep a record of who has made an inquiry into your credit report.
The following excerpt may be of interest to you:
Consumer credit reports contain information on financial accounts,
and include credit card balances and mortgage information. Credit
reports are used for evaluating eligibility for credit, insurance,
employment, and tenacy; the ability to pay child support; professional
licensing (for instance, to become an attorney); or for any purpose
that a consumer approves.
A consumer credit report will contain basic identifying information
(name, address, previous address, Social Security Number, marital
status, employment information, number of children) along with:
* Financial information: Estimated income, employment, bank accounts,
value of car and home.
* Public records information: Such as arrests, bankrupticies, and tax
* Tradelines: Credit accounts and their status. This will also include
the data subject's payment habits on credit accounts.
* Collection Items: Whether the data subject has unpaid or disputed
* Current Employment and employment history.
* Requests for the credit report: The number of requests for the data
subject's report and the identity of the requestors.
* Narrative information: A statement by the data subject or by the
furnisher regarding disputed items on the credit report.
* Health information.
Certain information about consumers are excluded from the definition
of "credit report." This includes "transaction and experience"
information, that is, records of purchases of goods and services by
the consumer. Additionally, corporations may share credit report
information among affiliates as long as notice and opt-out is provided
to the consumer.
CRAs can also prepare "investigative consumer reports," (ICRs)
dossiers on consumers that include information on character,
reputation, personal characteristics, and mode of living. ICRs are
complied from personal interviews with persons who know the consumer.
Since ICRs include especially sensitive information, the FCRA affords
greater protections for them. For instance, within three days of
requesting an ICR, the requestor must inform the consumer that an ICR
is being compiled. The consumer also can request a statement
explaining the nature and scope of the investigation underlying the
Consumer Credit Reports and Investigative Consumer Reports (ICRs)
Its important to note that the agencies dont actively collect the
data themselves. They serve as passive repositories for the
information that we, the consumer, hand over willingly each and every
time we apply for a loan or credit card. The financial institutions
with which we do business send our information to the credit reporting
agencies, which then compiles it to create a consumer credit file.
How up to date information collected by consumer credit reporting
agencies is depends largely on the creditors reporting habits. The
credit bureaus make changes each month based on information sent to
them by lenders and creditors. This monthly updating process does
not, however, ensure that the information in a credit file is the most
current or even accurate. Credit reporting agencies do not verify the
information they are sent, do not require that creditors send updated
information at regularly specified intervals, and do not attempt to
correct information that may be inaccurate or outdated.
It is up to the individual consumer to ensure that the information on
file is accurate and up to date. This can be achieved by regularly
ordering ones credit reports (all three of them, as the agencies
neither share nor cross-verify information) to check them for
Under the Fair Credit Reporting Act, a consumer may dispute incorrect
information and demand its removal from the credit report. Disputed
items are removed from a consumer credit file while the matter is
being investigated, and may not be considered if a consumer applies
for credit during this time. The credit reporting agency must attempt
to verify the information with the reporting creditor, and must
complete their investigation within 30 days. If the information is
verified as correct, it is reinserted into the credit file. If it is
incorrect or cannot be verified, it must be deleted and the consumers
file must be amended. Additionally, agencies must, at the request of
the consumer, send amended credit reports to any credit grantor who
received the consumers report in the past six months.
4. What other entities like credit bureaus collect this kind of data?
Any institution with which you have a financial relationship can
collect this data it is typically gathered from your consumer credit
report as well as any information you provide on your application
(which is in turn sent to the credit reporting agency). The Internal
Revenue service likewise collects certain data, such as your
identification, employment and financial data. This information is
also gathered by other agencies, but they arent similar to credit
Other agencies that collect similar data include the US Census Bureau,
which compiles demographic information not linked to specific persons,
State Departments of Motor Vehicles (which collect your name, date of
birth, address, phone number, Social Security number, insurance
information and physical description in addition to issuing your
license and plates), and life and auto insurance companies if youve
applied for a policy. The Social Security Administration links your
name, address, date of birth and employment information to you Social
Security number, for the purposes of administering the Social Security
program. Although these agencies do not make this information public,
they are still vulnerable to inside jobs, as well as hacking
If you purchase property, administer an estate, file for a business
license or fictitious name for your business, file for bankruptcy, or
land in court, your personally identifying information associated with
these actions is kept at the County Recorders or Clerk of Courts
office, where the documents may be requested by anyone who wishes to
see them. Certain information (such as Social Security numbers) is
blacked out, but other identifying information is left intact.
Youd be amazed at what a credit card and a couple hours of quality
time with Lexis-Nexis will get for you, no questions asked.
5. What is the nature of most ID theft(is it family and friend theft,
or hackers etc)?
According to PCWorld News, citing remarks made by the FBIs Dennis M.
Lormel, most identity theft is committed by common criminals
strangers who employ a variety of methods to obtain information, from
hacking, taking advantage of company mistakes (such as a company
inadvertantly posting personal financial data or credit card numbers
on a website) to dumpster diving to simple social engineering.
USA Today cites a specific kind of common criminal those who
steal employee records. In fact, theft of employee records is the
leading contributor to identity theft:
The top cause of identity fraud is now theft of records from
employers or other businesses that have records on many individuals,
according to a 2002 report by credit information provider TransUnion.
That beats all other sources, including stolen credit cards, mail
theft and stolen purses or wallets.
Employment records prove ripe source for identity theft
By Stephanie Armour, USA TODAY - 1/23/2003
If you have a job, youre at risk. Ouch.
6. Does the Patriot act or any other act limit the type of data that
bureaus can collect?
If anything, the PATRIOT Act may very well broaden the scope of
information such agencies are permitted to collect, with the intent
(so it is said) to help prevent identity theft:
This extreme example of the dangers of identity theft resulted in the
promulgation of Section 326 of the USA Patriot Act, which mandates the
implementation of a Customer Identification Program (CIP) at all
financial institutions. This essentially is a more rigorous form of
Know Your Customer, with much more explicit procedural stipulations.
As a result, many FIs are scrambling to bring their systems into
compliance. The final requirements are expected to be released in late
February or early March. The following provides a broad overview of
the requirements to date.
* Identity validation: Risk-based procedures to verify the identity of
customers (persons seeking to open accounts and any signatories on the
* Archival of records: Retain identifying information provided by
customers, the methods and results of measures undertaken to verify
identity, and the resolution of any discrepancies in identifying
information obtained. These records must be archived for five years
after account closure.
* Background verification: Determine whether the customer appears on
any list of known or suspected terrorists or terrorist organizations
provided by any federal government agency.
Compliance with these procedures will be challenging. While procedures
can be implemented that require tellers to scrutinize identification,
the actual practice is hard to enforce. Even the most effective policy
cannot totally mitigate the human element-the tired new accounts clerk
who just wants to go home. The most effective way to implement a
Patriot Act-compliant CIP is through technology that will verify the
consumer's identity, record the verification methods employed, and
archive the records.
Identity Theft and the USA Patriot Act
by Julie Conroy-McNelley BankersOnline
Experian offers a Best Practices white paper describing methods to
collect and verify indentifying information, but to view it you must
you guessed it
personally identifying information name,
address, e-mail address and phone number. Im personally uninterested
in providing this information to Experian for the sake of reading
their white paper, but if youd like to check out their recommended
procedure, you can give up your personal information here:
"Know your customers" has never mattered more
The PATRIOT Act also broadens *access* to this information:
For many years, the FBI has had access to credit reports for
counterintelligence purposes. In order to obtain the report, the FBI
has to certify that the information is necessary for "the conduct of
an authorized investigation to protect against international terrorism
or clandestine intelligence activities." FBI access to the credit
report is secret--the CRA is not allowed is disclose that the
consumers' file was accessed. The Attorney General is required to
report semiannually on the requests made by the FBI for credit reports
The USA PATRIOT Act, passed in the wake of the September 11, 2001
terrorist attacks, broadened law enforcement access to credit reports.
15 U.S.C. § 1681v allows any government agency that is authorized to
conduct intelligence or counterintelligence investigations or analysis
of international terrorism to gain access to credit reports. Similar
to the FBI access provision, the agency must certify that the credit
report is necessary for investigation or analysis. The CRA is not
permitted to disclose that the government agency sought the credit
report. But, unlike the FBI provision, requests made under § 1681v do
not have to be disclosed to Congress. It is likely that the FBI will
use this new route to obtain credit reports than the former one
because it lacks the reporting requirement.
Law Enforcement Access to the Credit Report
That said, there are regulations in place to limit the kind of
information that can be collected, how it can be used, and who is
permitted to see it:
The Privacy Act of 1974
The Fair Credit Reporting Act of 1970
(The type of information that can be collected depends on who is
asking for it, and for what purpose, so Ive only provided the laws
themselves. Circumstances vary.)
How this information may be used is rather nicely summed up by EPIC, a
privacy rights organization:
The FCRA limits the use of the credit report to certain purposes.
* Applications for credit, insurance, and rentals for personal, family
or household purposes.
* Employment, which includes hiring, promotion, reassignment or
retention. A CRA may not release a credit report for employment
decisions without consent.
* Court orders, including grand jury subpoenas.
* "Legitimate" business needs in transactions initiated by the
consumer for personal, family, or household purposes.
* Account review. Periodically, banks and other companies review
credit files to determine whether they wish to retain the individual
as a customer.
* Licensing (professional).
* Child support payment determinations.
* Law enforcement access: Government agencies with authority to
investigate terrorism and counterintelligence have secret access to
Specific prior consent is required before consumer reports with
medical information can be released.
Permissible Uses of the Credit Report
Privacy Survival Guide
How Identity Theft Works
Understanding ID Theft
The Identity Theft Evidence Trail
Identity Theft Losses Expected to Hit $2 Trillion by 2005
May 22, 2003 By Sharon Gaudin - Datamation - Earthweb
Protect yourself from identity theft
By Susan Okula - MSN Money
Tackling identity theft - CNN - 11/26/02
Ecommerce News - Identity Theft Picking Up Speed
By Sharon Gaudin - April 7, 2003
CONSUMER LENDERS WEIGH RISK / RETURN IN BATTLE TO
STEM IDENTITY THEFT LOSSES
Identity thieves catch the unwary - The Age - December 31 2002
C-Net News - Identity theft: Fact and fiction
By Jonathan J. Rusch September 18, 2002
FDIC Consumer News - Summer 2000: When a Criminal's Cover Is Your
Credit Reporting Agency
Fair Debt Collection
Credit Reports: What Information Providers Need to Know
Common Credit Report Myths
Federal Consumer Information Center: Consumer Handbook to Credit
Protection Laws -
Credit Histories and Records
Using Consumer Reports: What Landlords Need to Know
The Fair Credit Reporting Act - Full Text
Consumer Reports: What Insurers Need to Know
Using Consumer Reports: What Employers Need to Know
Credit Repair Scams
HOW THE CREDIT REPORTING SYSTEM "WORKS"
Annual Losses To Identity Fraud Top $1 billion
Paul Doocey Apr 16, 2003 - Bank Systems and Technology Online
ID Theft: When Bad Things Happen To Your Good Name
Consumer Watch: Don't Let Them Steal Your Good Name
Identity theft is skyrocketing--and it's even being used to fund
Anne Kandra - From the October 2002 issue of PC World magazine
Internet contributes to rise of identity theft, FTC says
By Cecily Barnes - Staff Writer, CNET News.com August 30, 2000
Q&A on Identity Theft
Final Regulations Implementing Customer Identity Verification
Requirements under Section 326 of the USA PATRIOT Act (US Dept. of
I hope you find this answer to your liking. If you feel I might have
missed something, or if youd just like a little more information,
please dont hesitate to ask for clarification. Ill be happy to
Thank you again for an interesting and engaging project!
Search terms: [ "identity theft" why ], [ "identity theft" losses ],
[ "identity theft" "most common" ], [ "credit bureau" collect
information ], [ "PATRIOT Act" prevent identity theft ], [ "PATRIOT
Act" verify identity ], [ "collect personal information" agencies OR
bureaus OR institutions ], [ Privacy Act ], [ FCRA ]