• Study: ID thieves robbing the grave; 2.5 million dead hit annually

    By Bob Sullivan, Columnist, NBC News

    Ruthless ID thieves are robbing identities even from the grave, a new study has found.

    Nearly 2.5 million dead people are victims of identity theft every year, according to a data analysis by fraud prevention firm ID Analytics being made public Monday.

    The study offers the first hard data about a little-understood aspect of ID theft that can cause unnecessary pain and suffering to family members already dealing with loss.

    ID Analytics works with dozens of credit-granting companies, such as banks and cellphone providers, to find common patterns among fraudsters as they fill out credit applications. The firm has unique insight intro fraud trends, as it screens more than 1 billion such applications annually. For this study, it considered 100 million applications filed during the first three months of 2011 and compared Social Security numbers and other information in those applications against the Social Security Administration's Death Master File, which tracks the identities of people after they die.

    Stephen Coggeshall, chief technology officer at ID Analytics, recently crunched those numbers to look for evidence that criminals were exploiting SSNs attached to the deceased. The results showed a wide-scale problem, much larger than previously believed.

    Roughly 800,000 deceased Americans are deliberately targeted by criminals each year, the study claims.

    In those cases, an imposter armed with a deceased person's SSN, name and birthday tries to fully assume the dead person's identity. ID Analytics has no information about whether or not the attempts were successful, Coggeshall said — only that the personal information was used on an application during a fraud attempt.

    Meanwhile, SSNs attached to 1.6 million more dead adults find their way onto thieves' fraudulent applications through random selection, he said. Many criminals simply guess at SSNs when filling out fraud applications and accidentally use one that's already been issued to someone who's now dead. ID Analytics calls them "identity manipulators" who make arbitrary variations on their own personal information to avoid fraud detection tools and randomly pick an SSN associated with a deceased person.

    "This study brings to light a significant problem, as we see fraudsters intentionally using identities of the deceased at the rate of more than 2,000 per day," Coggeshall said.

    Imposters who exploit the dead are after the same things that all ID thieves crave: theft of cellphone service or the ability to open up new credit cards or take out loans, Coggeshall said.

    There are obvious advantages for criminals when using a dead person's personal information. If the fraud is initially successful, because the normal channel for discovery — a consumer who notices unauthorized charges or accounts on his or her credit history — doesn't exist. Family members or others disposing of an estate can discover the fraud through the arrival of unexpected bills, but the usual hurdles for recovering from such fraud are even higher when a third party must call and ask for corrections.

    Fighting ID theft of the dead should be easier than most other forms of identity fraud. The Social Security Administration frequently updates the Death Master File, which now contains about 40 million SSNs. Firms that issue credit should routinely check their applications against this simple list; several inexpensive products offer this service, and the file is available in several forms online (there's even an app). But clearly, that kind of screening isn't happening, Coggeshall said. Otherwise, criminals wouldn't be trying to exploit the dead so frequently.

    Ironically, if companies don't check SSNs against the Death Master File, it becomes a great source for criminals to obtain identities and SSNs to be exploited.

    "We have no sense of where criminals are getting the numbers, but a certain portion of them probably are coming from public sources, like the Death Master File," Coggeshall said.

    The study also hinted that seriously ill people are being targeted by criminals. There were 2 million cases of SSNs' being used in credit applications, with the SSN holder dying within the next two months.

    "Certainly a good deal of this is not suspicious, but some fraction of these applications may be the misuse of the identities of the dying," Coggeshall said.

    RED TAPE WRESTLING TIPS
    Family members already dealing with a tragedy have plenty to worry about, but identity theft of the dead is a reality they must consider, he said.

    "While this is clearly a problem for businesses, surviving family members can also be the victims of this identity fraud as they are left to manage the estates of their deceased loved ones," Coggeshall said. "It's important for people to monitor their deceased family members' identities for at least one year."

    It's possible for a third party, such as a spouse, to get a credit report for a deceased person, but it's not trivial. The bureaus will want a death certificate as proof the individual has died, and they'll want some evidence that the requester has a right to see the information — such as a marriage license or an order showing he or she is an executor of the estate. That person can request that a "deceased — do not issue credit" notation be placed on the report, but certain hiccups can occur. If a credit account, such as a loan, is in both spouses' names, a "deceased" flag can occasionally cause confusion.

    There's a good discussion of this issue on Experian's website.

    More details on how to freeze a loved one's credit report are available at this BankRate.com story.

    *Follow Bob Sullivan on Facebook.
    *Follow Bob Sullivan on Twitter.

    Comment

    Show more
    Explore related topics: , , ,

  • Credit bureaus upsell ID theft victims, FTC report says

    By Bob Sullivan, Columnist, NBC News

    A new report by the Federal Trade Commission slams the nation's credit bureaus for upselling identity theft prevention services when victims call looking for help.

    The report found that consumers face frustrating voice mail systems that often make it hard to reach a live operator, are confused about their rights and face unnecessary hurdles fixing credit report errors caused by identity thieves. It also pointedly raises the possibility that the new Consumer Financial Protection Bureau could initiate enforcement actions against the bureaus -- Equifax, Experian and TransUnion.

    The report comes as that new agency is about to take on regulation of he credit bureaus, a major shift in the way they are policed. The bureau’s new powers will kick in this summer.

    The FTC’s findings are the result of a years-long survey of 3,000 ID theft victims who had contacted the agency, and a subset of those victims. The study was mandated in 2007 by the Bush administration’s Identity Theft Task Force.

    The survey takers were not scientifically sampled, so the results should not be extrapolated nationally. But they do offer insight into the struggle ID theft victims face when trying to recover from the damage inflicted by their imposters.

    Pestered with pitches
    The news wasn't all bad for the bureaus -- 68 percent of respondents said they were somewhat or very satisfied after their interactions with credit bureaus.  But there were plenty of complaints.  Chief among them: Victims are pestered with pitches when they are simply calling for help.

    "They kept trying to sell me a fraud alert package and I often had to ask to speak to a manager to get them to put a freeze on my credit reports," said one victim quoted in the report.  Another complained:  "It was very difficult to avoid marketing." Several said that, as a result of the pitches, they ended up buying services they felt should have been free.

    "Several consumers in the focus groups complained that they felt pushed into paying for additional services while placing their fraud alert,” the report said. One complained that when attempting to obtain a credit report, the respondent was tricked into signing up at a fee-based credit report website.

    'They should be helping you'
    But at least those folks got through the phone mail tree and reached a live person.  Many victims complained to the FTC that they "spent too much time navigating automated menus and being placed on hold."  One of three victims who called looking for help said it was either somewhat difficult or very difficult to get a human being on the phone.

    "That's because operators are spending too much time selling things people don't need," said Ed Mierzwinski, head of the Public Interest Research Group, a public interest advocacy organization. "The bureaus are supposed to keep your information accurate. When you call to complain, you are a victim of their failure, and they should be helping you, not pitching you to buy their product that won't help you anyway.”

    In 2000, the FTC fined the three bureaus a total of $2.5 million for failing to answer consumer phone calls in a reasonable amount of time, something they are obligated to do under federal law. The FTC didn't say whether it was considering a similar action in light of the complaints in the report, but it did issue a warning to the bureaus.

    "Given these incidents, the Consumer Financial Protection Bureau, which has examination and rulemaking authority in this area, may want to address these practices," the agency said in its conclusion. "In addition, to the extent any marketing of identity theft protection products involves unfair or deceptive practices, the commission retains authority to bring enforcement actions to protect against such conduct."

    Credit bureau TransUnion said that it takes consumer rights seriously.

    "TransUnion was the first credit reporting company to establish a Fraud Victims Assistance Department," said spokesman Clifton O'Neal in a statement to msnbc.com "We established (it) in 1992.  Consumers calling (the number) are always presented with the option to speak to a fraud specialists to assist them and answer any questions.  In addition, consumers can easily place and remove fraud alerts and credit freezes online at TransUnion.com."

    Equifax and Experian didn't immediately respond to requests for comment.

    Confusion
    There were plenty of other signs of dissatisfaction in the FTC report, including confusion over consumer rights. Many consumers didn’t know they could request that ID theft-related items be blocked from credit reports, for example. Others didn’t know the difference between free annual credit reports provided to anyone at http://AnnualCreditReport.com, and the free credit report that ID theft victims can obtain when they call a bureau to report the crime.  Such confusion also leads to unnecessary purchases, the report suggested.

    Only 51 percent said they had received the free credit report they'd asked for from all three credit bureaus after reporting the crime. Some victims said they had to wait "weeks or months," and about 10 percent said none of the three sent a report.

    "(One) participant did not receive the credit report until after the 90-day fraud alert had expired," the report said.

    The biggest complaint involved trouble getting errors fixed: 29 percent said mistakes that landed on their credit reports were not corrected. 

    "(It) was easier for the thief to change my info on my credit report than it has been for me to change it back. It's still not right," said one victim.

    Tortuous process
    Even consumers who were eventually able to beat back mistakes said the process was torturous. One in four said three to five phone calls were required to fix errors, and about the same number said they were "very dissatisfied" with the process -- the highest dissatisfaction rating in the survey.

     "(If) your identity is stolen it becomes a full-time job to get it fixed. Everybody, credit cards, banks, CRA want to pass the buck," said one victim quoted in the report.

    Mierzswinski, who's testified about credit bureau misbehavior before Congress repeatedly during the past 20 years, said he's seen all these complaints before. But he's optimistic that the new consumer agency's power to regulate and sanction the bureaus offers a real chance to address some of the recurring consumer issues.

    "All of us have been disappointed that the bureaus have really skated for a long time and gotten away with a lot of sloppy practices," he said. "The Federal Trade Commission never had the big guns, but the CFPB does. ... We think it will be an exciting time."

    *Follow Bob Sullivan on Facebook     
    *Follow Bob Sullivan on Twitter.

  • Register your kids to stop child ID theft? Utah officials say 'Sign 'em up'

    Victims of child identity theft and their parents are left with an obvious question when they discover the crime: Why would anyone grant credit to a child?

    The answer, for those who find it, is perhaps even more infuriating: Creditors often have no way to know an applicant is a child. Lenders, for example, usually have no idea how old the rightful holder of a Social Security number is. The nation's credit bureaus often don't know either. 

    A new Child Identity Protection program implemented by the Utah state attorney general's office and the credit bureau Trans Union may be able to change that.

    Believed to the first system of its kind, Utah parents can now register their children with the state agency, which will then pass the data along to Trans Union.  In turn, the credit bureau will place the child's SSN in a "high risk" database that warns potential lenders not to issue credit to applicants using that number.

     

    "For the first time, parents can proactively protect their children from being victims of identity theft," said Richard Hamp, the assistant attorney general for Utah who helped create the program. "We're really excited about it."

    The program is currently open only to parents in Utah, but both Utah authorities and Trans Union are already in talks with other states to make it available nationwide.

    Prior to Utah's Child Identity Protection program, concerned parents couldn't do much to protect their kids' credit until after they suspected their kids' identities were stolen. Even then, the available options were often frustrating. Parents could ask a credit bureau if there was an open credit file using their kids' personal information and request that it be closed and the erroneous information expunged. If no credit file existed, they would receive an unsatisfying "no file" response, and be left to wonder if a criminal would open one in the future. 

    Hard data on the incidence of child identity is hard to come by, because the crime can go undetected for a decade or more – until the child turns 17 and applies for credit or a college loan. But there are plenty of indications the crime is on the rise. A study released by fraud-fighting firm ID Analytics in 2011 found that 140,000 kids each year are hit by the fraud; another 500,000 sets of parents and children are "inappropriately sharing" Social Security numbers, hinting at an even more widespread problem, ID Analytics found.

    Hamp was an early advocate of credit freeze laws passed by dozens of states that forced the nation's credit bureaus to offer identity theft victims to "lock" their credit reports from any applications for credit. Seeing the rise in fraud against kids, Hamp began working on legislation that would require the credit bureaus to let parents lock their children's Social Security numbers about two years ago.

    "But Trans Union called and said they'd work with us on a voluntary basis. You don't need to legislate," he said. "I took them up on it."

    Utah already had a leg up in creation of this kind of system, having launched its Identity Theft Reporting System website several years ago. Victims use the system, known as IRIS, to report the crime, and it includes a robust authentication system using various state databases, such as driver's license records. Hamp agreed to use IRIS to authenticate parents who wish to enroll children in an anti-ID theft program. That made Trans Union's part of the work much easier.

    After Utah verifies the identity of the parent and collects a child's personal information, state authorities send the child's SSN and age to the credit bureau. Trans Union then places the information in its "high risk fraud database." If a child ID thief tries to use a kid's SSN while applying for credit, the lender gets a pre-programmed warning message.

    "Initially I wanted a message that said, 'This number belongs to a kid,' but this allowed them to tap into a system they already had and get it done quickly," Hamp said.

    Trans Union and Utah officials held a launch ceremony for the system in late January.

    "We do recommend every parent enroll their children," said Steven Katz, senior director of consumer operations for Trans Union. "There is no downside to it."

    Enrollment is free. Kids are automatically removed from the high-risk database on their 17th birthday, he said. Trans Union has agreed that none of the information entered into the system will be used for marketing purposes.

    "The intention of this program is to assist parents and guardians in preventing ID theft among children, and that’s all the data will be used for," he said. Trans Union will consider sharing the data with the nation’s other credit bureaus, he said, much as the bureaus share fraud alert information now.

    Parents who worry that Trans Union might misuse the data shouldn't allow that to keep them from using the program because "they don't give their kids' data to Trans Union, they give the data to us," Hamp said. "We retain all rights to the data."

    The program isn't perfect, however. ID theft expert Linda Foley, who runs IDTheftInfoSource.com, said she's worried that the system only stops credit-based ID theft.  It's powerless to prevent creation of fake driving licenses, for example. Such a system risks "giving parents a false sense of security," she said.

    Also, because so much of child identity theft is committed by parents, there's a fundamental flaw in the way the program is set up, she said.

    "Since parents enroll kids, those stealing from their kids will not be interested in this opportunity. It needs to cover all children," she said.

    Still, Hamp believes the Child Identity Protection system is a big step in the right direction, and he's urging all parents to consider it. Already, about 1,000 children have been registered, Hamp said. He plans on bumping up participation by partnering with school districts students can be registered en masse.

    "I'm really excited about this," he said. "Instead of having to fight Trans Union, we came up with a mutually acceptable resolution. Is it perfect? No. Are there still going to be problems? Yes. But it's the best thing available for parents to protect their kids."

    *Follow Bob Sullivan on Facebook     
    *Follow Bob Sullivan on Twitter.  

  • Can ID theft victims sue imposters for damages? Not yet, it seems

    Jaimee Napp explains why she filed a civil lawsuit against the imposter who stole her identity and why the court's reaction to her was sadly disappointing.

    By Bob Sullivan, Columnist, NBC News

    OMAHA, Neb. — On the fourth floor of Douglas County Courthouse, Jaimee Napp opened a new front in the war on identity theft. She did something every ID theft victim has probably dreamed of doing: Napp sued her imposter in civil court for damages.

    This first battle didn't go well.

    District Judge John Hartigan interrupted the closing arguments by beginning a debate on the meaning of term "identity theft" ("It's not like someone took her soul."). After Napp's therapist said she was suffering from symptoms consistent with post-traumatic stress disorder, defense attorney Tim Mikulicz said that claim was a "slap in the face to every soldier returning from Iraq."

    Civil court, for now, is unfriendly territory for identity theft victims.

    In fact, a new study being released this week shows that ID theft victims are denied rights granted other crime victims — like restitution hearings or notice of court appearances — in 14 states.

    After a two-year battle for her day in civil court, Rapp spent nearly two hours justifying expenses and allowed her therapist to share intimate details about her sense of paranoia following her bout with ID theft. Legally speaking, it seemed to get her nowhere. 

    There's no question about the guilt of Napp's defendant, Jackie Brown, who was Napp's co-worker in a small Omaha retail shop six years ago. Brown rifled through the firm's files and stole Napp's Social Security number and gave it to her then-boyfriend. The stolen data was then used in attempts to open credit card accounts. Brown said in court Monday that she was a methamphetamine addict at the time and didn't remember many details of the incident. 

    Napp says trauma from the ID theft led her to feeling unsafe at work and led to bouts of paranoia throughout her life. She regularly suspected she was being followed when she drove home from work, often circling the block several times. She suffered nightmares. She entered counseling, ultimately undergoing 44 sessions of treatment for what was diagnosed as post-traumatic stress disorder. Ultimately, she was fired from her job at ConAgra Foods for non-performance. 

    Brown said in court Monday that she spent five months in jail after pleading guilty to theft by deception, then spent none more months in a halfway house after completing a drug treatment program. She said she's now "clean" and has gainful employment.

    Bob Sullivan / msnbc.com

    Jaimee Napp outside the Douglas County Courthouse in Omaha, Neb.

    Napp described the period after the crime as a slow descent into psychological torture. She was worried about all the other co-workers who could access her personal information and worried about possible retribution from her imposter.

    "I felt like I couldn't trust my co-workers, my managers," she said. "I wore an iPod all the time so no one would talk to me. ... I changed my hair color. I sold my car because she knew what kind of car I drive," Napp said. "This incident changed me. ... I wish I could just move on, but this incident will follow me forever."

    While Napp's imposter has not attempted any additional acts of identity theft, a bounced check ended up on Napp's credit record in 2009 after someone paid for gas in nearby Council Bluffs using a check with her Social Security number on it.

    Napp asked the court to grant her damages of $46,000, accounting for out-of-pocket expenses like credit monitoring, the costs of therapy treatments, lost time to deal with the mess and lost wages. 

    It's impossible to predict how the judge might ultimately rule when he hands down his decision in a week or so, but Hartigan's tone during closing arguments gave Napp and her attorney, Harris Kuhn, little hope that she would win.

    "There is no law in Nebraska which makes this an easy argument," Kuhn said. 

    While the logic of forcing someone to pay for damages caused by committing ID theft might seem sound, Kuhn said the only legal argument available to him under Nebraska law was a so-called "conversion" claim, which translates loosely as the civil equivalent of criminal theft. But a conversion claim — which traditionally might involve disputes such as a neighbor's unjustly milking another's cows — requires establishment of damages. Despite 77 pages of receipts, phone bills and health care records, Hartigan seemed unconvinced that any real damages had occurred.

    Napp "has not testified to any loss," he said. "She hasn't been charged more for credit."

    The judge also didn't interrupt during the defense attorney's closing argument, as Mikulicz said Napp should "move on" from the incident.

    "I don't think it's an act to make you jump up and down and say, 'That's outrageous behavior,'" said Mikulicz said. "Again, with all due respect, saying she is suffering from post-traumatic stress disorder is a slap in the face to every soldier who's served in Iraq, in Vietnam, in Korea ... and to every rape victim."

    Napp openly wept as he finished. But later, she was philosophical about her day in court.

    "Even though things didn't go well today, I think I did something great today," she said.

    After two years of therapy, Napp began working as a consultant and slowly gained a reputation as an identity theft victim expert — a path her therapist said was part of her healing process. Napp works for the federal government as an expert consultant on victim rights. She is also head of the Identity Theft Action Council of Nebraska, has testified before Congress and has urged the National Crime Victim Law Institute to study ID theft victims' legal rights.

    That agency's research, released Tuesday, shows that in 14 states, ID theft victims aren't recognized as "victims" under the state's victim rights statute — including Nebraska. In many states, victim status grants a clear legal path for a civil action designed to recover money damages.

    "I just have to keep fighting," Napp said. "I'm hopeful at some point judges will understand and be more educated about this type of crime and there will be different outcomes."

    Follow the Bob Sullivan on Facebook.

    For more frequent updates, follow the Red Tape Tour on Twitter.