• One in six sex offenders lives undetected digital double life, study finds

    N.J. Sex Offender Internet Registry

    The poster child of sex offenders who altered their digital identity is Fran Kuni, who changed his name to Jamie Shepard and was able to get a job as a U.S. Census worker in New Jersey before being busted by a mom who recognized him when he knocked on the door of her home.

    By Bob Sullivan, Columnist, NBC News

    Nearly one in six convicted sex offenders is using sophisticated techniques invented by identity thieves to avoid their legally mandated registration requirements, a new study has found. These digital absconders might be able to avoid post-incarceration restrictions by living near schools and playgrounds, and could possibly gain employment working with children.

    The study, conducted by Utica College and funded by the U.S. Justice Department, estimates that roughly 92,000 of the 570,000 registered sex offenders across the country are systematically manipulating their names, birthdays, Social Security numbers and other personal identifiers so they can live as they want while appearing to satisfy court-imposed or statutory restrictions.

    "These are offenders who are flying under the radar and authorities don't know it," said Don Rebovich, the Utica professor who directed the study. "The authorities really don’t have the resources to keep on checking on these people. Offenders find where the vulnerabilities are in the system and exploit them."

    These digital absconders create two obvious problems. Communities expend energy and resources dealing with offenders who aren't really there -- local police knock on doors and send notices to warn neighbors; public listings are published on the Internet. And sex offenders live where they please as normal adults, without any protective measures kicking in.

    "In the worst-case scenario, by thwarting registration requirements, they could potentially have easier access to children," said Staca Shehan, director of case analysis at the Center for Missing and Exploited Children, who is familiar with the study. "(In) those jurisdictions that have residency restrictions that would not allow (offenders) to live within distance of a school, daycare or park, (they) could avoid that type of requirement."

    While the study found that an average of 16.2 percent of sex offenders manipulate their identities nationally, some states fared worse: Louisiana, Washington, D.C., Nevada, Tennessee and Delaware all had digital absconder rates of higher than 25 percent.

    Officials in Tennessee, Nevada and Delaware challenged the study's conclusions and complained that they had not been contacted by the researchers for additional information that might have clarified the results; officials in the other states did not immediately respond to requests for comment.

    'Strategic' manipulation
    Shehan said there are generally two kinds of sex offender absconders: those who simply fail to keep their records current, and hope they fall through the cracks; and those who are more systematic in their evasion, intentionally altering their identities so they can circumvent the restrictions. 

    "That takes a lot more thought," she said. "They are much more strategic about what they are doing ... and so that's much more concerning."

    In one celebrated case of sex offender identity manipulation, a convict named Frank Kuni changed his name to Jamie Shepard and was able to get a job as a U.S. Census worker in New Jersey. Kuni was recognized by a mom after he knocked on the door of her Pennsauken home, and he was later sentenced to three years in prison. Kuni’s case attracted national headlines because of the fear it created surrounding temporary Census workers.

    The Utica study, believed to be the first attempt to quantify these more strategic absconders, was conducted by Utica College's Center for Identity Management, set up to examine a variety of identity issues in the digital age. Rebovich is director of the center.

    It's well known that some sex offenders neglect their registration requirements, dropping off the grid and accepting only cash-paying jobs to remain hidden. But the Utica study found something more subtle, and perhaps more disturbing -- sex offenders who appear to be satisfying their registration requirements while living a digital double life.

    In a parallel survey of 223 law enforcement agencies from 46 states, Utica found that awareness of ID-theft style registry evasion was low -- only 5 percent of respondents said they knew of an identity manipulation case within their jurisdiction. 

    And nearly 40 percent of the agencies responded that they had zero absconders, suggesting some law enforcement agencies are unaware of the problem.

    The power of the Utica study lies in the use of sophisticated algorithms developed by private firm ID Analytics, a fraud-fighting company used by many large banks and other financial institutions. ID Analytics receives more than 1 billion credit applications and other credit-related events from clients every year. It uses sophisticated software to track the behavior of identity thieves across the credit system, and can find fraud that individual firms miss. It knows, for example, if a criminal uses a systematic series of birthdays or addresses on a set of credit card applications at various banks in an attempt to evade fraud detection. The ID Analytics tool has enough data that it can generally tell the difference between honest typographical errors and systematic fraud attempts. 

    ID Analytics ran sex offender data through its massive database of credit-related events, and found evidence of rampant identity manipulation among the offenders.

    Kristin Helm, a spokeswoman for Tennessee's sex registry, challenged the study's findings, saying that fewer than 1 percent of that state's sex offenders are absconders. Criminals have always used false identities to try to evade police, but law enforcement systems are geared to handle that issue, she said. "Fingerprints obtained by law enforcement identify individuals regardless of a name or Social Security number," she said, adding that names sometimes change for legitimate reasons, too, such as marriage. 

    But Stephen Coggeshall, chief technology officer for ID Analytics, said his technology is well-versed in screening out mundane reasons for identity changes and finding patterns that specifically indicate active evasion is taking place.

    "This goes way beyond typos," he said. "These are people who have slightly adjusted or substantially adjusted their personally identifiable information for a reason. They are actively doing so, and we are observing them use these aliases relatively recently."

    Nevada spokeswoman Julie Butler also questioned the validity of the study, which she had not seen. She said that Nevada uses fingerprints to track sex offenders, so identity manipulation techniques would be ineffective.

    "Our registry is fingerprint-based. We don't base it on date of birth, or Social Security number, or name," Butler said. "They can put down their name as whatever and we still have them in the database."

    But Coggeshall responded that even in states which use fingerprint identification, an identity manipulator would only be discovered when trying to engage in an activity – such as becoming an elementary school teacher – which triggers a fingerprint evaluation. 

    "In general it doesn't help you track where they are or if they're living under an alias at an unregistered location," he said. "It can help to find sex offenders as they enroll in certain groups, but many … groups don't routinely fingerprint new enrollees."

    SSNs connected to multiple people
    Two years ago, using this tool on a database of Social Security numbers, ID Analytics found that rampant evidence of identity theft: 5 million SSNs were connected to three or more U.S. adults in credit applications, and 140,000 were associated with five or more people, indicating almost certain fraud. The tool can also track individual identity manipulators, as ID Analytics calls them, as they attempt various frauds across an array of credit issuers.

    This tool was turned on the sex offender registry problem at the invitation of Utica College in Utica, N.Y., beginning last year. ID Analytics took a large sample -- nearly 100,000 -- of the 570,000 active registered sex offender records and ran them through its credit application database, looking for signs of manipulation.

    The findings were disturbing. In Louisiana, the study found, nearly two-thirds of offenders' records showed signs of manipulation. Rebovich theorized that Louisiana's problem might stem from the aftermath of Hurricane Katrina, which gave some people a golden opportunity to drop off the grid.

    Officials in Louisiana did not immediately respond to requests for comment.

    RankState ExaminedManipulatedPercent
    1La.7,6374,92465
    2D.C.1,25537830.1
    3Nev.3.9221.1328.8
    4Tenn.12,1403,41428
    5Del.3,22325.725.7

    In many cases, the study found, the steps criminals take are subtle -- changing an address from "440 Monroeville Road" to "434 Monroeville Road," for example. In fact, in the majority of cases, digital absconders were much more likely to move across town than across the country. Absconders who fake their address are six times more likely to remain in the same state than to cross state lines, the study found, and 90 percent of those who remain in state stay within 40 miles of their original registered address. In many cases, the data shows, those addresses belong to a family member. That might allow absconders to show up on a moment's notice at their registered address in case local police do a random check, Rebovich said.

    But the address change could also allow them to apply for jobs and housing they would otherwise be unable to qualify for, he said.

    While half of the manipulations involve bad addresses, plenty of other types of evasion are going on, the study found. One subject studied had five names, three Social Security numbers and four dates of birth, for example.

    About 10,000 offenders had used at least four different Social Security numbers, Rebovich said. The evidence indicates this was usually done to evade the court registration requirements rather than commit financial identity theft, the study found.

    One reason sex offenders seem to get away with evasion is that registration requirements are set by states and vary widely. In some states, convicts merely send updates through the U.S. mail to state officials, and are subjected to little, if any, verification. In others, officers try to check on sex offenders, but ofter are assigned hundreds, or even thousands of offenders, to track.

    In other states, such as Florida, there are strict requirements and frequent random inspections, Rebovich said. That shows up in the data -- Florida's digital absconder rate is about half the national average, at 9.4 percent.

    The study was funded by the Justice Department's Bureau of Justice Assistance, which plans on issuing a comprehensive report later this fall. Requests for comment from the Department of Justice went unanswered.

    'System is never going to be perfect'
    Shehan, of the Center for Missing and Exploited Children, said she didn't believe that the potentially high rate of digital absconders means the entire sex offender registry program is broken. In fact, she said the situation has improved since passage of the Child Safety and Protection Act of 2006, which instituted some national standards on offender registries.

    Still, she said it's important that states move to biometric identifiers, such as fingerprints, to maintain more accurate records of offenders and their whereabouts.

    "Criminals are constantly thinking of ways to beat the system," she said. "The system is never going to be perfect."

    Rebovich is hoping the study will spur new methods for checking up on sex offenders, including techniques that would seem familiar to those who work in financial fraud. In a model developed by Utica and ID Analytics, offenders could be given a score, similar to a credit score, which would rate the likelihood that identity manipulation was occurring. 

    "We are trying to develop a predictive model," he said. "So we can turn it into an alert system, so states can do this in real time, if they want to."  

    Coggeshall said such an alert system would have helped police track down Frank Kuni before he was able to get a job with the Census Bureau.

    "In retrospect, we know there are things we would have been able to observe" he said.

    http://on.msnbc.com/topnewsemailsignup">Click here to sign up to receive our Top News email each day.

     *Follow Bob Sullivan on Facebook.

    *Follow Bob Sullivan on Twitter.  

    Comment

    Show more
    Explore related topics: , , , , , , ,

  • Can ID theft victims sue imposters for damages? Not yet, it seems

    Jaimee Napp explains why she filed a civil lawsuit against the imposter who stole her identity and why the court's reaction to her was sadly disappointing.

    By Bob Sullivan, Columnist, NBC News

    OMAHA, Neb. — On the fourth floor of Douglas County Courthouse, Jaimee Napp opened a new front in the war on identity theft. She did something every ID theft victim has probably dreamed of doing: Napp sued her imposter in civil court for damages.

    This first battle didn't go well.

    District Judge John Hartigan interrupted the closing arguments by beginning a debate on the meaning of term "identity theft" ("It's not like someone took her soul."). After Napp's therapist said she was suffering from symptoms consistent with post-traumatic stress disorder, defense attorney Tim Mikulicz said that claim was a "slap in the face to every soldier returning from Iraq."

    Civil court, for now, is unfriendly territory for identity theft victims.

    In fact, a new study being released this week shows that ID theft victims are denied rights granted other crime victims — like restitution hearings or notice of court appearances — in 14 states.

    After a two-year battle for her day in civil court, Rapp spent nearly two hours justifying expenses and allowed her therapist to share intimate details about her sense of paranoia following her bout with ID theft. Legally speaking, it seemed to get her nowhere. 

    There's no question about the guilt of Napp's defendant, Jackie Brown, who was Napp's co-worker in a small Omaha retail shop six years ago. Brown rifled through the firm's files and stole Napp's Social Security number and gave it to her then-boyfriend. The stolen data was then used in attempts to open credit card accounts. Brown said in court Monday that she was a methamphetamine addict at the time and didn't remember many details of the incident. 

    Napp says trauma from the ID theft led her to feeling unsafe at work and led to bouts of paranoia throughout her life. She regularly suspected she was being followed when she drove home from work, often circling the block several times. She suffered nightmares. She entered counseling, ultimately undergoing 44 sessions of treatment for what was diagnosed as post-traumatic stress disorder. Ultimately, she was fired from her job at ConAgra Foods for non-performance. 

    Brown said in court Monday that she spent five months in jail after pleading guilty to theft by deception, then spent none more months in a halfway house after completing a drug treatment program. She said she's now "clean" and has gainful employment.

    Bob Sullivan / msnbc.com

    Jaimee Napp outside the Douglas County Courthouse in Omaha, Neb.

    Napp described the period after the crime as a slow descent into psychological torture. She was worried about all the other co-workers who could access her personal information and worried about possible retribution from her imposter.

    "I felt like I couldn't trust my co-workers, my managers," she said. "I wore an iPod all the time so no one would talk to me. ... I changed my hair color. I sold my car because she knew what kind of car I drive," Napp said. "This incident changed me. ... I wish I could just move on, but this incident will follow me forever."

    While Napp's imposter has not attempted any additional acts of identity theft, a bounced check ended up on Napp's credit record in 2009 after someone paid for gas in nearby Council Bluffs using a check with her Social Security number on it.

    Napp asked the court to grant her damages of $46,000, accounting for out-of-pocket expenses like credit monitoring, the costs of therapy treatments, lost time to deal with the mess and lost wages. 

    It's impossible to predict how the judge might ultimately rule when he hands down his decision in a week or so, but Hartigan's tone during closing arguments gave Napp and her attorney, Harris Kuhn, little hope that she would win.

    "There is no law in Nebraska which makes this an easy argument," Kuhn said. 

    While the logic of forcing someone to pay for damages caused by committing ID theft might seem sound, Kuhn said the only legal argument available to him under Nebraska law was a so-called "conversion" claim, which translates loosely as the civil equivalent of criminal theft. But a conversion claim — which traditionally might involve disputes such as a neighbor's unjustly milking another's cows — requires establishment of damages. Despite 77 pages of receipts, phone bills and health care records, Hartigan seemed unconvinced that any real damages had occurred.

    Napp "has not testified to any loss," he said. "She hasn't been charged more for credit."

    The judge also didn't interrupt during the defense attorney's closing argument, as Mikulicz said Napp should "move on" from the incident.

    "I don't think it's an act to make you jump up and down and say, 'That's outrageous behavior,'" said Mikulicz said. "Again, with all due respect, saying she is suffering from post-traumatic stress disorder is a slap in the face to every soldier who's served in Iraq, in Vietnam, in Korea ... and to every rape victim."

    Napp openly wept as he finished. But later, she was philosophical about her day in court.

    "Even though things didn't go well today, I think I did something great today," she said.

    After two years of therapy, Napp began working as a consultant and slowly gained a reputation as an identity theft victim expert — a path her therapist said was part of her healing process. Napp works for the federal government as an expert consultant on victim rights. She is also head of the Identity Theft Action Council of Nebraska, has testified before Congress and has urged the National Crime Victim Law Institute to study ID theft victims' legal rights.

    That agency's research, released Tuesday, shows that in 14 states, ID theft victims aren't recognized as "victims" under the state's victim rights statute — including Nebraska. In many states, victim status grants a clear legal path for a civil action designed to recover money damages.

    "I just have to keep fighting," Napp said. "I'm hopeful at some point judges will understand and be more educated about this type of crime and there will be different outcomes."

    Follow the Bob Sullivan on Facebook.

    For more frequent updates, follow the Red Tape Tour on Twitter. 

  • Surprise! Merchants say Web fraud is down

    By Bob Sullivan, Columnist, NBC News

    Times are tough -- even for cybercriminals.  Online merchants in the U.S. and Canada report a dramatic 18 percent drop in fraud, down from $4 billion in 2008 to $3.3 billion this year, according to a survey by the security firm CyberSource. Meanwhile, the fraud rate of 1.2 percent of all sales is the lowest in the 11-year history of the survey. Even among international orders, traditionally the bane of Web sites, fraud rates plummeted by 50 percent.

    The news comes just in time for Web shoppers who are pulling out their credit cards and wondering about the safety and security of online holiday gift shopping.

    "We were surprised," said Doug Schwegman, CyberSource's director of market and customer intelligence. "Internally people were thinking that with the recession, fraud would go up, that there would be more people out there with technical skills who needed to put food on the table. But it looks like the merchants stepped up to the plate and got their act together."

    Schwegman said the recession may actually have helped Web site fraud departments in two ways:  prompting online firms to implement tighter fraud controls to chase down every dollar during the tough economy and giving computer security professionals at these Web sites a chance to catch their breath.

    "They've been dealing with double-digit growth for years and when the market slowed down they were able to catch up a little bit," he said.

    But new technologies undoubtedly contributed to the fight against fraud.  This year, a relatively new technique called device fingerprinting, which can make life very difficult for would-be credit card thieves, took hold in the marketplace.

    Device fingerprinting goes far beyond cookies and IP addresses to identify users, employing software to examine a variety of unique identifiers on computers used to order products. These range from the version of Flash software stored on a computer to the time and date stamp of the installed Web browser and the version of BIOS used inside the machine.  Combining these characteristics, the software can positively identify computers with accident rates as low as one in 1 million, Schwegman said.

    The technique is chiefly used to identify criminals who are placing numerous orders with multiple credit cards using a single computer. Traditionally, criminals could use proxy servers or other evasive techniques to place multiple fraud orders when using a cache of stolen cards. Now, it's relatively easy for Web sites to spot multiple orders coming from the same machine.

    Other anti-fraud techniques are common too, including geo-location, which uses IP address to determine a customer's location (used by 52 percent of large merchants); telephone number reverse look-up (33 percent); and shared "negative  lists" of attempted frauds among merchants (23 percent).

    CyberSource

    Despite the apparent success, there's little cause for celebration, Schwegman warned.  This year's cybercrime dip could be an anomaly.

    "It's kind of an arms race. It could be things will bounce back next year (for criminals)," he said.

    And there is another more discouraging explanation for lower e-commerce fraud rates: Serious computer criminals have moved beyond basic credit card fraud to more sophisticated account creation fraud that allows them to steal money directly from banks.  So-called "new account fraud is not counted in the CyberSource survey, Schwegman said.

    Kevin Haley, director at Symantec Security Response, said this migration could explain why merchant fraud was down but overall cybercrime activity spiked, according to Symantec research. Clearly, he said, cybercriminals haven't gone away.

    "In general we're seeing 2009 as a pretty bad year from a security standpoint," he said. "Record levels of spam, a nine fold increase in malware sent through e-mail.  The rises we saw in the things we track are astronomical."

    The price of stolen credit cards in the underground economy was flat, however, supporting CyberSource's research that that Web site fraud is no longer the sexy part of cybercrime.

    And there's more sobering news -- fraud rates remain abysmal among online electronics, Schwegman said.  Electronics sellers still turn down one order of every 18 they receive, the CyberSource survey found, a rate that's consistent with past years and double that of other merchants. Turning away fraud is good, of course.  But with high order rejection rates, there’s always some babies thrown out with the bath water – the more rejections, the more legitimate orders and the more lost sales.

    Meanwhile, heavy losses also hurt consumers, in two ways: through higher prices and more hassles at the checkout counter.  When a site suffers fraud, it conducts more "manual reviews" of orders, which can slow down the purchasing process. Consumers who wish to buy Christmas gifts and have them shipped to the recipient can find they face far more questions when the shipping address and credit card billing address don't match.

    Still, despite the caveats, the drop in overall fraud is meaningful, Schwegman said.

    "The fraud rate was stable for so long, and we are very careful with the methodology, so we think it's significant," he said.  "This isn't a battle that can ever be won outright. But we're certainly going to make life difficult for the bad guys."

    The CyberSource survey involves both customers and non-customers of CyberSource security products; it involved 352 responses from Web sites representing more than $60 billion in annual online sales, and was conducted by Mindwave Research.

    RED TAPE WRESTLING TIPS
    Consumers shopping online for the holidays should be heartened by survey results, as it appears online Web sites are gaining ground on criminals. If it becomes harder to use stolen credit cards, criminals will steal them less often.

    But that doesn't mean shoppers don't have to be vigilant. The security gap between well-known, large e-commerce sites and niche sites continues to widen. So those surfing and buying at smaller Web sites should consider using old-fashioned purchasing tools, Schwegman said.

    "If I'm shopping for a unique gift at a smaller site, that's when I would tend to use more secure payment methods, or maybe even place the order over the phone," he said.

    Symantec's Haley pointed out that, despite years of work battling the problem, phishing remains the number one threat to consumers during the holiday season. The frequency of e-mails from retailers offering consumers receipts or shipping status updates creates a fertile ground for hackers to send fake e-mails soliciting personal information.

    "We'll see things around the Christmas seasons, like e-mails that claim to be from a department store they may really be doing business with," he said. "Users can be tricked to click on a link and give up their credentials. People should be more wary of that kind of attack during this season."

    Become a Red Tape Chronicles Facebook fan and follow RedTapeChron on Twitter.