The growing problem
of ID theft -- Page 2
Ironically, where account security is concerned, the
big players, such as Bank of America and Citibank, may find themselves
at a disadvantage, owing to the difficulty of adapting older "legacy"
databases to today's tighter security configurations. As the headlines
suggest, the bigger they are, the easier they may fall.
"Encryption in a legacy system environment is
much more difficult," says Linden. "Carving out the cardholder's
name and keeping it in a separate database from the card number
and having some sort of algorithm so that you can make a match when
you put the two together is not something that is achievable with
a big, giant checkbook as much as with a technical infrastructure
that is much more fluid. Some of the more medium-size companies
like mine have fresher technological infrastructures. Encryption
is an absolute requirement in my book."
its efforts to cut its exposure to fraud, the credit card industry has been criticized
for being less concerned with cardholder privacy than its own profitability. Frank
says the CardSystems breach is a good example of what she calls their "laissez-fair
"CardSystems was just retaining stuff
that they shouldn't have been retaining. There should have been oversight by Visa
and MasterCard. They say in their contract that you're not supposed to do that,
but if there is no enforcement, no oversight, what the heck are they keeping this
Greater data dangers
If credit card fraud is the tip of the iceberg, the scarier portion
of identity theft is the data piracy that has become pandemic in
recent years. With the advent of the Internet, a sophisticated black
market has sprung up online to buy and sell your personal data without
your knowledge or consent. Some of this comes from public records;
if you've ever had a driver's license or home mortgage, you're in
these databases. Add these readily available identifiers to other
electronic bits and pieces, such as account numbers and Social Security
numbers acquired through more nefarious means, and identity thieves
have the makings of a new identity they can use as they wish.
"If you look
at the kind of information they got from ChoicePoint, well, you don't even know
what's in your ChoicePoint file, do you?" Frank asks. "They go out and
search these databases they purchase until they have 30 or 40 pages on you. I've
seen mine and it has a lot of stuff that is even wrong. That to me is even more
"There is a gang effort out there: You've got
the name guys and the numbers guys and the street-address guys and
the Social-Security guys. We have to continue to have all parties
meet a standard, and at that point it would make it so tough that
these guys would just throw in the towel."
Chris Hoofnagle, senior counsel
with the Electronic Privacy Information
Center, a San Francisco-based nonprofit research center, says credit-granting
institutions such as credit card companies, banks and other lenders have made
it far too easy for identity thieves to obtain credit in somebody else's name.
His solution: a credit freeze that would enable consumers,
not the credit bureaus, to determine who may access their credit
report. The freeze keeps your credit report closed until you agree
to let someone view it. So far, just five states -- California,
Texas, Vermont, Louisiana and Washington -- have given individuals
the power to ice their credit reports, though several more will
do so over the next year.
"The business community has made it clear they
don't like credit freeze, but it already exists in some states,
so it's coming," says Hoofnagle, who also advocates greater
consumer control over the accuracy of their credit reports.
have instituted other prudent practices to prevent ID theft, including eliminating
the use of Social Security numbers as identifiers on driver's licenses.
worrisome for the credit card industry is California's notification law that took
effect in July 2003. It requires companies to notify individuals when any personal
data stored electronically has been compromised. The law has certainly spawned
an increase in reported breaches, though appearances may be misleading.
tend to think that these security breaches have been occurring for some time and
we're just now learning about them," Hoofnagle says. "Companies will
really twist themselves into pretzels trying to avoid giving notice."
Hoofnagle says the business lobby that has been fighting
notification at the state level has now taken its campaign to Washington.
There, it will likely attempt to have its cake and eat it too by
compromising on consumer "protection" legislation that
requires mandatory notification only when the compromised company
thinks the data may be used for fraud. The trump card in this scenario:
the watered-down national legislation would pre-empt the meatier
that battle is waged, your identity remains a highly fluid and marketable commodity
that high-tech thieves may hijack at the click of a mouse.
The best way to avoid exposure is to elect a credit
freeze (if you live in an eligible state) on your credit report
by notifying the three credit reporting agencies (Experian, Equifax
The rest of us can
place a fraud alert on our credit report with any of the credit reporting agencies,
which are then required to notify you should someone attempt to open credit in
Bottom line: Limit your exposure, check your credit
report frequently and urge your congressional representatives to
vote for credit freeze and breach notification initiatives.
MacDonald is a contributing editor based in Mississippi.