What are the odds someone else has used your Social Security number? One in 7.

That's the stunning conclusion of a San Diego company's analysis of 290 million Social Security numbers, which found that 40 million of them have been attached to more than one name. The study, conducted by the fraud-fighting firm ID Analytics, is the first of its kind that's been made available to the public.

We first wrote about the problem of "SSN-only" identity theft five years ago, and estimated that millions of Americans were on the "secret list of identity theft victims" whose SSNs had been misappropriated by an imposter to obtain work or credit.

The IRS often knows when this happens, when the imposter pays taxes. The Social Security Administration knows, too, for the same reason. And the nation's credit bureaus usually know, because the imposter often ends up applying for some form of credit.  Plenty of financial institutions also have access to this information.

But no one is telling you. In short, all these government agencies and financial firms don't think you have a right to know.

We're no closer to finding out who's on that list today, but at least we now know how big the problem is: much bigger than we originally estimated.

ID Analytics is a data collection firm that specializes in helping companies separate imposters from honest consumers.  Its client list is long, and includes many major financial firms as well as the Social Security Administration. Over the past decade, it has amassed files on virtually every American who is active in the financial system. It now tracks 290 million Social Security numbers and nearly 300 million people.

Normally, the company receives credit applications from clients and checks them against its vast database, looking for signs of fraud.  Criminals do crafty things like apply for a credit card at 10 different banks using SSNs that are only one digit away from each other. Or they use slightly different first names or street addresses in an attempt to evade a poor credit history or crime record. Because ID Analytics receives applications from multiple industries, it can spot these signs of fraud in ways that the individual companies cannot.

20 million use more than one SSN
One typical pattern: An imposter uses one name but alternate Social Security numbers in an attempt to circumvent the credit reporting system;  ID Analytics is geared up to spot just that kind of evasion.  It's a tough job, because the incidence of multiple numbers connected to the same name is enormous: Dr. Stephen Coggeshall, chief technology officer at the firm, said 20 million Americans have multiple SSNs associated with their names, or 6 percent of the total population.

That doesn't mean there are 20 million identity thieves out there, even though it might feel like that. In many cases, typos are the culprit, Coggeshall said. Any time a consumer gives an SSN to a company, there's a chance it will be incorrectly entered into its system, and the error will then propagate throughout the credit system. Once that happens, SSN No. 2 is forever connected to the rightful holder of SSN No. 1. The incorrect SSN might belong to a real person, which can cause a headache for both people, or it might be "synthetic" -- an unassigned number that becomes a new entity in the credit system. No one knows how many of these synthetic “people” exist in our credit system, but there are likely millions of them.

It's relatively easy to spot innocent mistakes, Coggeshall said, because the number is used only once in connection with the name. It's easy to spot fraud, too -- any time a person shows up in the system using SSN No. 2, or No. 3, or No. 4, over and over again. Deliberate fraud is responsible for less than half of the 20 million names attached to multiple SSNs, but it is still a large percentage.

"A good fraction of that group, maybe 15 to 20 percent, of these mistakes are deliberate," Coggeshall said. "There are systematic variations, deliberate manipulations. ... I see many people who have a lot of Socials (SSNs)." 

How many? ID Analytics says it has 3 million to 4 million names that have been used to commit identity fraud.

That's an astonishing number, but it pales in comparison to the next figure.

Five million SSNs attached to three or more people
Recently, Coggeshall decided to reverse his research. Instead of looking for people connected to multiple SSNs, which is most useful for businesses, he looked at SSNs that are connected to multiple people, much more interesting to consumers. In other words, how many people in the U.S. are essentially sharing their identities with someone else?

The answer:  40 million. That means nearly one in 7 SSN holders in the U.S. have two or more names attached to their SSN records.

Please note, this is not an estimate conjured up from a sample. This is ID Analytics looking at its own data, picking out SSNs that have more than one name attached and building its own list.  We now know: The secret list of ID theft victims has 40 million people on it.

Coggeshall said it's important to note that not every one of those consumers is hit with fraud. Many are on the list because of typographical errors. For example, if a company incorrectly enters an SSN and the number accidentally belongs to someone else, as explained above, the rightful holder of SSN No. 2 would end up on this list. Coggeshall said he believes many of the 40 million are on the list as the result of such mistakes.

But millions of those SSNs are being used to commit fraud.  Some cases are obvious. More than 140,000 SSNs are associated with five or more people, and 27,000 are connected to 10 or more people, for example.

"Once an SSN is connected to even three people, it's pretty clear something is wrong," he said. The firm found that 5 million SSNs have been connected to three or more people.

In addition to criminals committing financial fraud, there's a more controversial reason that some consumers end up on this list: They are essentially sharing identities with undocumented workers who buy or borrow an SSN in order to fill out necessary paperwork to obtain employment. 

The number of illegal immigrants using Americans' SSNs to obtain work is unknown, but a series of studies provides some hints. 

The Pew Hispanic Center estimates that there are about 12 million unauthorized immigrants in the United States. Those who are working are required to give a SSN to their employer. In 2007, the IRS said it believes 6 million undocumented workers paid federal taxes.  And every year, according to the Social Security Administration, nearly 10 million workers pay taxes using the wrong SSN, ending up in what the agency calls a "no-match" situation.

Again, no study has been conducted to identify precisely how many of those can be attributed to mistakes and how many to undocumented immigrants.  In 2006, the Social Security Administration sampled its records and determined that 12.7 million out of 17.8 million discrepancies were caused by clerical errors. On the other hand, an earlier study by congressional investigators found the majority of filers on the no-match list worked in industries like restaurants and agriculture, where the presence of undocumented workers is high.

Workers who pay taxes using the wrong Social Security number are a boon to government tax revenues.  Social Security taxes paid in such situations don't earn proper "wage credits," because the agency doesn't know whom to give credit to. The funds are tracked in what's called the Earnings Suspense File, which has shown explosive growth this decade.  From 1932-1999, the fund accumulated $300 billion.  By 2005, the most recent data available, the file accounted for nearly $585 billion in uncredited wage credits, ultimately adding roughly $40 billion to the U.S. Treasury during that six-year span.  

The issue of "shared identities" is among the forgotten elements of the immigration debate, but it rears its head once in a while. Recently, two U.S. courts ruled that using someone else's SSN is not an identity theft crime, drawing widespread criticism.

SSN is not a secret
Viewed purely as an identity management problem, Coggeshall said his study produced one clear result: "The Social Security number is not a secret," he said.  "It was never intended to be a secret. In today's world, it is used incorrectly. A lot of businesses have the assumption it's a number known only to you. That's not the case."

Unfortunately, the actual list of victims remains a secret, for now.  ID Analytics has contracts with its data providers that forbid it from sharing the information with the public. 

"The way we've been able to get visibility into the data … is by assuring companies we will not release this data," Coggeshall said. 

The firm has presented some of its findings, including the location of fraud rings, to law enforcement and "that information was well received." But generally the company does not work with law enforcement on specific cases.

"ID Analytics provides a service to our customers and only they can determine whether or not to pursue law enforcement actions," Coggeshall said.

The firm does offer a Web-based tool that allows consumers to get a sense of their risk, called MyIDScore.com, but that only generates a score based on a 1-1,000 scale suggesting the likelihood that someone else might be using your SSN or other elements of your identity.  The tool is free, and consumers can check their score without supplying their SSN, but the website includes advertising for paid identity theft protection services.

Further, even if there's a second SSN connected to your name, your score might not be high -- if ID Analytics believes that incident is an accident, as opposed to a malicious data theft.

And if your score is high? The tool points you to the nonprofit Identity Theft Resource Center and the Federal Trade Commission. Neither of those agencies can tell you if someone else has your SSN either. But they can help you clean up an identity theft mess after the fact.

Consumers who obtain their credit report hoping to see if anyone else might be using their SSN are often disappointed; records of such imposters are often kept on separate reports, sometimes called sub-files, which cannot be view by the rightful holder of the SSN.

Annual Social Security wage earnings statements also don't include the data, because wages earned by workers using their SSNs go into that Earnings Suspense File and don't show up on the report.

The most recent systematic effort to deal with the problem occurred in 2007, but it didn't involve victims. Instead, the Social Security Administration announced it was sending a round of so-called "no-match" letters to businesses with employees whose names and SSNs didn't match on their employment verification forms. Simultaneously, the Department of Homeland Security said it would crack down on companies that didn't respond to the letters. Citing widespread inaccuracy of the data, immigration rights groups sued and managed to stop the process.

Credit bureau Experian, when asked about the report, said that it believes most errors surrounding SSNs involve honest mistakes.

"Social Security numbers can be associated with multiple individuals, and that individuals can have multiple SSNs associated with them. The majority of these conditions are associated with data entry errors during a creditor's reporting process to a credit reporting agency like Experian, or joint account activity related to family members or legitimate associations," said spokeswoman Susan Henson. "Only a small percentage of these conditions are related to malicious intent, and Experian's fraud prevention tools detect and compensate for the majority of these cases."

Credit bureau Equifax declined to comment, and Trans Union did not immediately respond to requests for comment.

Coggeshall said he believes consumers should have the right to know more about what has been called the "secret life" of their SSN, and the recent court cases that seemed to downplay risk of SSN-only ID theft concern him.

"Certainly you are causing harm" to the victim, he said. Even if the number is used only for employment purposes, eventually it "gets around," he said.

But solutions to the problem are hard to come by.  One agency he doesn't blame: The Social Security Administration.

"Certainly, they know there are problems. They are the first to understand this," he said. "It's not a problem of them issuing numbers.  They were never intended to be a unique identifier ... but in the past few decades, businesses have used it because it's easy."

Become a Red Tape Chronicles Facebook fan and follow RedTapeChron on Twitter.

For the first time since the Federal Trade Commission started counting 10 years ago, the number of Americans reporting identity theft dropped in 2009, the agency said Thursday.  The drop was significant – about 10 percent – but doesn't necessarily indicate the crime is disappearing.  The 278,078 reports taken last year still represent more than any year prior to 2008.

Meanwhile, reports of other kinds of fraud to the agency skyrocketed by 24 percent, with consumers telling the FTC they had lost $1.7 billion in those frauds.  The median lost per complaint was $399.

Tops among this "other fraud" category were debt collection firms.  Nearly 10 percent of all complaints taken by the FTC involved debt collection, totaling nearly 120,000.  Debt collection complaints jumped by 11 percent from last year.

Other credit-related complaints also jumped, including complaints about credit cards, which more than tripled from last year.  Complaints labeled "banks and lenders" were up by nearly 50 percent.

The results can be found in the FTCs annual report of top complaints to its Consumer Sentinel database, which was released Wednesday morning. John Krebs, director of the Sentinel database, said the jump in complaints about financial companies should come as no surprise.

"These do seem to be in line with what we've seen given the state of the economy," he said.

Krebs cautioned against viewing the drop in ID theft reports as a trend, because the complaints represent only self-reported information from consumers.  Still, multi-year drops in reports of a particular type of ID theft involving credit card fraud provide a reason for optimism, he said.

"Hopefully some of that represents increased awareness by consumers and increased vigilance by industry," he said.

Once again, most consumers reported their first contact with fraudsters generally arrived via the Internet – 48 percent said e-mail, while another 12 percent said a Web site. Only 10 percent of complainers said their incident began with a phone call, perhaps an indication of the success of the Do Not Call list, Krebs said.

Other notable observations from the FTC data: Nevada is the state with the highest per capita rate of reported "other" fraud, followed by Colorado and New Hampshire.  Florida is the state with the highest per capita rate of reported identity theft complaints, followed by Arizona and Texas.

Credit card fraud (17 percent) was the most common form of reported identity theft, followed by government documents/benefits fraud (16 percent), phone or utilities fraud (15 percent), and employment fraud (13 percent). Other significant categories of identity theft reported by victims were bank fraud (10 percent) and loan fraud (4 percent).

Krebs said it's hard to draw definitive conclusions from the raw data that the agency releases every year, other than to serve as warning to consumers that fraud is alive and well.

"Clearly whether the number goes up or down, ID theft and fraud are still major issues," he said. "The key message is it's still out there, and with each new situation that arises in the economy fraudsters try to take advantage of it."

Krebs urged consumers to maintain a healthy skepticism and to take advantage of educational materials available on the FTC's Web site, including a new video with tips on avoiding fraud and filing complaints.

Become a Red Tape Chronicles Facebook fan and follow RedTapeChron on Twitter.

Identity theft is usually a virtual, intangible crime. The theft often occurs in cyberspace, with criminals ordering merchandise with stolen credit cards, or downloading cash from online bank accounts. The victims rarely know anything has happened until months -- or even years -- later. There's no blood, no shattered glass, no broken locks. Not even the anxiety rush that comes after the brush of a pickpocket.

But identity thieves, in the end, are real people stealing real money and causing real harm. And surprisingly often, they are friends, family members, or co-workers who initiate the crime by stealing personal information found on papers left around offices or homes. The stolen data can be surprisingly easy to come by, as this ID theft "commercial" shows.

In it, a YouTube poster claims to have a cache of stolen data dossiers for sale. He films himself sitting in his car, sifting through what appear to be file folders, perhaps freshly stolen from an office or a dumpster outside an office building. With a shaky hand, he shows some of the files, then announces that he will sell complete data sets for $25 -- or at a discount of 5 for $100 -- to anyone who e-mails him.

You can watch part of the video by clicking above. We've included only a small portion of the video to avoid abetting what appears to be a crime. Here's more of what the salesman had to say in the video:

"I have records for sale. These records include the following: Name. Sex of the individual. Social Security number of the individual. Mother's name. Their current street address," he says.

At this point, a beeper begins to sound in his car, perhaps because his seat belt isn't fastened. Then, he continues to list the items he has for sale. "License number. Their date of birth. Kind of work they are in, the industry that they're in. And their net worth. That's including real estate and any liquid assets. And I could get a good credit read on them as well."

Those details would give an identity thief all the information they'd need to wreak havoc with a victim's credit report, and probably, their financial life,

Without purchasing records from the poster, it is impossible to determine that the records are genuine. But in a short e-mail dialog with msnbc.com, the poster claimed the information was real and said that he could sell us 100 records if we deposited money into his PayPal account.

He did not answer a question posed about the video, which was removed from YouTube a few days after it appeared, but not before msnbc.com viewed it and copied it. A message at the link now says the video was "removed by the user."

Before finishing the sales pitch in the video, the poster includes some fine print:

"These records are not to be used for any illegal purposes. They are for outsourcing marketing materials and anything of that nature," he said.

He then closed with a polite sign off.

"Thank you very much," he said.

Like arriving home to see a broken window, Holli knew something was wrong when she pulled up the statement from her new 401(k) account and saw a stranger's name there. Under her name and account information, she found a second name: Paulino Rodriguez. But was it an accident, random vandalism or a serious crime? She opened the virtual door to her account and sorted through the broken glass. Her worst fears would soon be confirmed.

After some frantic research, Holli pieced together part of the story. Rodriguez, the 401(k) Web site revealed, lived in Escondido, Calif., about 90 minutes south of Holli's home in Fountain Valley. He was a restaurant worker in an Escondido Burger King. This was no prank -- though Holli would soon feel like several government agencies, corporations and a criminal were having fun at her expense. She was a victim of something experts call Social Security number-only identity theft, generally committed by immigrants who don't have the necessary credentials to work legally in the U.S.

Holli wondered what else the imposter had done to her credit and her good name. (Msnbc.com has agreed to conceal Holli's identity in this story.)

Escondido is Ground Zero of the immigration debate. Just a few minutes north of the Mexican border, near San Diego, Escondido is home to thousands of Mexican immigrants who battle their way every day into the country and into gainful employment. Mexicans have been fighting in Escondido for a long time. Not far away, in 1846, U.S. forces were routed in the Battle of San Pasqual during the Mexican-American war, the worst American defeat of the conflict. Today, some say, Mexicans are again overwhelming American forces in a different kind of battle.

For the past three years, Paulino Rodriguez used Holli's Social Security number for the right to work at the Escondido Burger King. Recently, with his wife and four children, he took up residence in a middle-class subdivision on Espanas Glen Street in Escondido, a short block near Interstate 15.

Rodriguez, according U.S. immigration officials, is a Mexican national with no right to work in the United States. But thanks in part to Holli's Social Security number, he had found a decent life for his family in Escondido, which means "hidden" in Spanish. But that that life was safe only if no one found out he was sharing Holli's identity.

Across America, perhaps millions of U.S. citizens are sharing their identities with undocumented workers who are virtually hiding behind Social Security numbers like Rodriguez. The data on the subject are incomplete, but each year nearly 10 million workers pay their taxes using the wrong Social Security number. While this can happen for a variety of reasons, most often it involves restaurant and farm workers, suggesting many of those 10 million workers are employees who are using someone else's SSN to satisfy federal employment requirements.

Information at her fingertips
Holli, a woman in her 50s, panicked one month ago when she saw Rodriguez's name on her 401(k) account, then she started putting the pieces together. It wasn't hard -- she had all of Rodriguez's personal information right there on her screen, including his age: 38. She called his employer, Reddy Restaurants Inc., which supplies workers to Burger King. Holli says she was told that nothing could be done because Rodriguez fulfilled the requirements for employment when he started work -- namely, he supplied what appeared to be a valid Social Security card.

Mike Holly, owner of Reddy, confirmed that Rodriguez was an employee but refused to otherwise discuss the situation.

Holli then called the local police, who took a report but said nothing could be done. She contacted the Social Security Administration, the Federal Trade Commission, even her 401(k) administrator. The message she heard from each was the same: We can't help you. She even went to an attorney, who delivered bad news.

"(He) said since my credit hadn't been affected, they couldn't do anything for me," Holli recalled.

But Holli was persistent. She eventually convinced her local police department to take a report, and to forward it to Escondido police. Then, she pestered the dispatcher in Escondido enough that the file was passed on to the investigations department. Detective Damon Vander Vorst took an interest in the case.

Rodriguez entered the country nearly 20 years ago, public records suggest. It's unclear where in Mexico he grew up, or how he crossed the border. At about the same time, Holli was just starting her career.
Precisely when their lives were blended isn't clear. But about three years ago, Holli remembers getting a funny look from a clerk while she was filling out insurance paperwork at an optometrist's office. "There's someone else's using that (SSN) number," she remembers being told. Then, "I'm not supposed to tell you this, but the name Paulino Rodriguez."

Holli assumed it was an error. But around that same time, Rodriguez signed up with Reddy Restaurants and began working -- using her SSN -- at Burger King.

Holli has no solid information on how her number was stolen, but she has one guess: About five years ago she was laid off from her job and went back to school to finish her college degree in finance. Her school, Long Beach State, used her SSN as her ID number during that time. Her first brush with Rodriguez happened within a few months of her graduation.

Three years passed without incident. Then in April, she opened up the Web site for a new company benefit – a 401(k) plan – and saw the name Paulino Rodriguez again. Holli's heart sank and her quest began. It ended a month later when she talked to Vander Vorst. On May 13, Vander Vorst staked out a home in a gated subdivision named Villas Espanas, waiting for his suspect.

While there is an obvious Latino majority, the neighborhood looks just like any other middle-class San Diego suburb, full of neat white stucco townhomes with red-tile roofs. Most store signs are in English only. A dry cleaner, grocery store, and school are just a few blocks away. During a recent visit by an msnbc.com reporter at midday, the neighborhood was quiet. The subdivision has a large pool; hanging in Rodriguez's front window, three pairs of child-sized goggles were visible from the sidewalk.

Just outside the home, Vander Vorst arrested Rodriguez. Police allege he had falsified Social Security card and work visa.

Getting such documents is hardly an obstacle for illegal immigrants seeking work. Fake Social Security cards and work visas can be purchased in Los Angeles for around $200, law enforcement officials say -- a small investment for the opportunity to work in the United States.

Rodriguez was charged with identity theft and with falsifying government documents, according to Escondido police spokesman Lt. Craig Carter. He was shipped to nearby Vista Detention Facility, where he awaits his fate on the criminal charges. meanwhile, the Immigrations and Customs Enforcement agency has placed a "hold" on him. That means he is "subject to deportation," according to Lauren Mack, a spokeswoman for ICE.

Rodriguez refused an interview request by an MSNBC.com free-lance reporter who visited the jail.

Mixed feelings
Holli had mixed feelings when she began her quest to track down her imposter.

"When all this began a month and a half ago, I was worried I might be ruining his life when all he wanted to do was work," she said. But the bureaucratic tangle had changed her. "Now after spending numerous hours of my time trying to find out what is going on as well as worrying, losing sleep and using my work vacation time, I no longer feel bad for Paulino. He made the choice to steal my number. And the fact that privacy laws keep me from being able to see what he is doing with my number infuriates me."

She also fears possible retribution for her actions; that's why she insisted that msnbc.com preserve her anonymity. She also wants to prevent Rodriguez from finding out who she is. Generally, SSN imposters don't commit full-blown identity theft, and don't know who their victims are – Rodriguez likely never even knew Holli's name.

Immigrant imposters usually just provide a Social Security card to their employer on their first day of work to fulfill what's known as the "I-9" requirement. Since new employment rules took effect in 1983, U.S. workers must supply documentation to prove they are eligible to work; nearly always, a Social Security number is used. While employers can call the Social Security Administration to perform limited verification of the information, that's seldom done. So it's possible -- in fact common -- that employees' names and numbers don't match. When that happens, no one gets credit for the taxes paid by the worker. The money simply ends up in the U.S. Treasury. Since 1983, more than $500 billion in uncredited Social Security wages have been earned by so-called "no match" employees like Rodriguez. That hidden financial benefit for the government is one reason, Holli suspects, that agencies don't act more quickly on reports of SSN-only identity theft.

San Diego-based immigration rights advocate Lilia Velasquez sees similar cases in her practice all the time. Imposters run the spectrum from hardened criminals who ultimately take out loans in the victim's name to well-intentioned Mexicans who are simply doing what they need to do to get a job and feed their families.
"It's not that these people intentionally and maliciously stole someone's name and identity. ... They may feel that they are using the number out of sheer need," she said.

But victims like Holli should do what they need to do to protect their identities, Velasquez said. "That's a situation which needs to be investigated until the issue is resolved."

37 people shared one SSN
If not, what appears to be a simple bout of ID theft can spin out of control. Immigrant workers who successfully use someone else's identity can pass the information around. Three years ago, a Chicago-area victim named Linda Trevino discovered that her Social Security Number had been used by workers at 37 different companies.

When another person is using a consumers' Social Security Number for employment purposes only, there is almost no way to discover the identity theft. The misuse will not show up on a credit report; it won't be detected by credit monitoring. Because the wages earned are not credited to the victim, they won't show up on annual Social Security statements either. In fact, there is no way for anyone to inspect the history of their Social Security Number, or to find out where and when it's been used. Only an anomaly or coincidence – such as having an imposter show up on a 401(k) Web site -- betrays the theft.

That's why this is an important victory for Holli; she's among the first to find her SSN imposter and stop the ID theft. Of course, she has no way of knowing if her identity is now secure, because her number may have been used by other immigrants.

"The fact that I can check my credit but not my whole credit is absurd," she said. "In any case, this is my identifier that follows me around and I should be able to protect myself (and my identifier) by knowing what is attached to it." She plans on urging Congress to fix the problem. Meanwhile, she's left with a sour taste in her mouth -- she acted in self-defense, but worries that some will see her as a villain who caused Rodriguez's arrest. She's angry at the criminal who stole her identity and at the system which put her in this compromising situation.

The future of Rodriguez and his family is unclear. If his children are U.S. citizens, law enforcement officials say, he may be allowed to remain in the U.S.. Otherwise, deportation is a likely outcome, but not right away. Before the immigration issue is settled, he will likely face state criminal ID theft charges in state court.

Jacqueline Dizdul reported from San Diego.

If you think the State Department passport privacy debacle is an oddity, it isn't. Data voyeurism is actually a sign of the times. Low-level employees at government agencies and private companies browse personal information for sport all the time. Outside of the occasional public flogging, little has been done to stop this unnerving practice.

It now appears no candidate will win extra sympathy points for the passport privacy invasion at the State Department, because all of them have been victims. It's too early to know if any of the culprits saw data that could have hurt any of the candidates politically, but that matters little. In fact, let's give all those involved the benefit of the doubt, and say this was merely a database joy ride. The real question is this:

If the State Department can't protect presidential candidates' personal information, how can anyone protect ours?

Data voyeurism stories can be found across the news spectrum. Hospital workers caught browsing celebrities' medical records; cops caught checking out cute women by running their license plate numbers. Computer security expert Avivah Litan, a consultant at Gartner, said most firms don't go to great lengths to keep employees away from such data.

"When I saw this article the first thing that crossed my mind was that this kind of thing happens all the time," she said. "It's not uncommon at all kinds of organizations. It brings up the question of how private our data is. It's not."

Didn't need the data
The State Department incident could have been something much more serious than a computerized peep show. These data thieves could have been looking for information, like Social Security numbers, to commit identity theft. Identity thieves often begin their crimes by obtaining data stolen by employees. One study conducted several years ago by Michigan State University researcher Judy Collins found that in most cases of ID theft traced to an employee, that the employee did not need access to the victim's data to do his or her job.

In other words, there were lax or no internal controls.

Privacy consultant Larry Ponemon recently completed a survey of security professionals about the lack of internal data controls, and his results were alarming: 78 percent said employees at their company have too much access to data, and 69 percent said access rules were poorly enforced. The longer an employee stays at a firm and changes jobs, and the more often that firm changes systems, the more difficult it is manage database access rules.

"Even at the most sophisticated companies, identity management is often an Achilles' heel," he said.

Litan says things don't have to work this way. Employees' access to databases with personal information should be strictly limited. Instead, many workers have blanket permission to look at everything.

"It's called identity access management, or access controls," she said. "No one has to see that information unless they have privileged access."

Either the State Department had no such access rules to data belonging to Sens. Barack Obama, Hillary Clinton and John McCain – which would be crazy, since they are surrounded every day by men in black suits sporting concealed weapons and wireless ear pieces -- or someone with high-access privileges was involved in the data snooping. Both prospects are disturbing. And both could easily happen to you.

Now, which candidate will be the first to support a new, comprehensive privacy law?

You might call it a friends, family and ID thieves plan.

Last year, identity thieves wormed their way into Michael Carner's Sprint account, tacked on 14 new cell phones and began ringing up phone charges. Even though he reported the intrusion, things only got worse. For nearly a year, the real estate agent was hit with late fees, frequent automated collections calls, service interruptions, and a $5,000 bill.

When Carner finally gave up and tried to cancel his account, Sprint had one more piece of bad news: The imposters had extended his service contract for two years, meaning he'd have to pay a $200 early termination fee to get out of his contract.

"It was just maddening," Carner, who lives in O'Fallon, Mo., said. "Common sense should have prevailed, but it never did. ... I wonder how many other people go through this."

Last month, Sprint was still trying to collect about $250 from him. But after receiving inquiries from msnbc.com, the company reduced the balance to zero.

Sprint officials said they couldn't discuss details of a customer's account, citing privacy issues. But spokeswoman Roni Singleton confirmed the company was investigating the situation.

"When a customer accumulates incorrect charges on their account due to fraud, we will always work with the customer to ensure he or she is not charged for anything more than the appropriate balance," she said in an e-mail. "We are investigating the internal handling of Mr. Carner's situation, and we will work directly with him to resolve any remaining issue."

Michael Carner

Carner's fiasco began in February 2007, when someone added the 14 cell phones to his account without his permission. He didn't discover the problem until he was vacationing in Palm Springs two months later.

"I got an automated message from Sprint saying my account was overdue, and if I didn't pay it, 'We'll shut it off,'" he said. "Then it said I had a $3,500 outstanding balance. I called right away and said, 'There must be an accounting error, I never go over $95 a month.' "

Regular service interruptions
Sprint's fraud department spotted the problem immediately, Carner said., but resolving it was another matter.

Sprint began removing fraudulent charges, but only piecemeal. Each month, some fraud charges were refunded, but new ones appeared, and Carner's balance remained at several hundred dollars. Then, the late fees piled up. He wasn't receiving bills – they were going to an address in St. Louis used by the ID thieves -- so he computed the average of his prior 6 months' worth of bills and began sending a check to Sprint for about $95 each month.

He also spent, in total, about 25 hours on the phone getting transferred back and forth between Sprint's fraud department and its billing department, with ample time spent on hold each time.

"That just escalated my blood pressure," he said.

About once each week, he received an automated call from Sprint's collections department, even after he was assured the calls would stop. "That was just harassment," he said.

Worst of all, for a real estate agent who relies heavily on his phone, he suffered regular service interruptions.

He could receive calls, but he couldn't place them -- a common tactic used by cell phone providers to encourage bill payment. "I was exasperated. I need my phone, this was a very serious issue," he said.

ID thief termination fee
At one point, a Sprint operator told him he'd have to pay the remaining fraudulent changes. "We have extended to your account $4,200.00 and there will be no further credits. Pay your balance or we are not reinstating your service," he quoted the operator as saying.

In October, he decided enough was enough and decided to switch cell phone providers. He sent in his last payment of $96 on Nov. 8.

The next month, he received a call saying he still owed $200 because of an early termination fee. Carner thought his contract had expired months earlier, but when he called Sprint he was told the contract had been extended to February 2009 -- two years after the fraud had occurred.

In addition to stealing Carner's identity, the thieves had extended his cell phone contract, he discovered. And Sprint insisted that he had to pay the fee.

"I said to them, 'Produce a signed agreement saying I extended the contract,' but they said they couldn't do that," he said. "I told them 'That's insane. Anybody can extend an agreement on a whim?' "

Bickering over the $200 early termination fee continued through January and February, until Carner contacted msnbc.com. He soon received a call from a "gracious and apologetic" Sprint fraud expert, who immediately eliminated the fee.

Now, Carner says, he's a happy Verizon customer. But he's concerned that other Sprint customers might pay up in a similar situation, just to end the madness.

"Imagine the millions they unjustly collect using these intimidation tactics," he said. "I feel sad and angry for the Sprint masses that find themselves similarly in the middle of an unjust dispute."

Who's to blame for the ID theft epidemic? Surprisingly, given all the attention the subject receives, we know strikingly little about the root causes of the problem. ID theft is often called the fastest-growing crime in America, but there's precious little research into which companies have the worst security measures and which suffer the most data leaks.

Researcher Chris Hoofnagle thinks it's high time we started pointing fingers.

Hoofnagle recently undertook a laborious task: He scoured thousands of ID theft complaints filed with the Federal Trade Commission, looking for company names. His simple question: How often do people tell the FTC that their accounts or information have been stolen from particular companies, and which companies are named most often?

The answer to his query is Bank of America, which averaged 1,117 complaints in the three months he surveyed. Two cell phone companies -- AT&T Wireless and Sprint -- were second and third on the list.

Since BofA is America's biggest bank, and an obvious target for fraud, it's no surprise that it ranked high on the list. Ditto for the large cell phone firms. In fact, Hoofnagle freely admits that his results need to be taken with a big grain of salt.

"The results suffer from a lot of weaknesses," Hoofnagle said. "But it's a start."

Because the data is self-reported, it's likely full of mistakes, he conceded. Also, just because a consumer says their Bank of America account was compromised does not mean the crime began with the bank. It could have started when the customer filled out a phishing e-mail, for example. And it's not fair to compare banks of different sizes, because largest banks would naturally be expected to be named more often.
Hoofnagle tried to normalize the data in a variety of ways, to account for the varying size of the institutions. Eventually he settled on comparing only banks by using total deposits and dividing the number of incidents by a dollar amount.

From another angle, HSBC is No. 1
Even using that trick, Bank of America still ranked high – no. 2 on the list -- with 17 incidents per $1 billion. But using that formula, HSBC ranked first, with 21 incidents per $1 billion.

Betty Reiss of Bank of America said the firm hadn't yet fully analyzed the study, but she pointed to its high potential for errors.

"We take identity theft very seriously, and we provide consumers with tools to fight it," she said.

HSBC declined to be interviewed for this story, but it did issue a statement to MSNBC.com criticizing the study's methodology.

"We can say that customer protection around identity theft is of paramount importance to HSBC. We take fraud of any kind very seriously," the statement read. "We have a range of robust fraud detection and monitoring systems in place for the early identification and prevention of fraud to protect our customers and their accounts."

One could criticize Hoofnagle's list as being basically a list of America's largest companies. As such, perhaps it isn't very useful.

But it's not because Hoofnagle didn't try. A year ago, he began a campaign to get banks to disclose more information about fraud and security. Banks "wouldn't engage on the issue" he said.

Hoofnagle released the study partly in an attempt to goad banks into releasing more data. Consumers have a right to know about fraud rates at banks, he said, because without this information they can't make intelligent decisions about their financial institutions.

"Currently the issue is mediated by commercials, with banks portraying themselves as being more effective against ID theft than other banks," he said. "But none of that is based in reality. It's all based on public relations. And that's not fair to consumers."

Hoofnagle, who is a senior fellow with the Center for Law & Technology at UC-Berkeley, says his goal is to create a real marketplace for identity theft protection.

"I think the disclosure of these problems will drive some competition among banks," he said.

Consumers 'flying in the dark'
Avivah Litan, a researcher with consulting firm Gartner, is equally frustrated by the lack of fraud information from banks. In the past, she has released studies that estimate the losses from identity theft and phishing based on consumer telephone surveys -- another attempt to read the tea leaves of fraud in the absence of real data.

"(Hoofnagle) is frustrated as any researcher or policy influencer would be," she said. "You can't get any data out of the banks. And consumers are flying in the dark right now."

Other results from Hoofnagle's survey:
• Small credit unions barely register in the FTC data, suggesting credit union customers might be at a lower risk of identity theft.
• While great attention is paid to bank ID fraud, wireless firms also suffer from high fraud rates. According to the FTC data, 8 percent of all new account fraud involved telecommunications firms. That's an area which deserves added attention, Hoofnagle said.
• Many consumers blame collection agencies for their bouts with ID theft, probably because often their first indication of the crime is a call from an agency. The AFNI Inc. collection agency cracked the top 20 companies in the FTC data, receiving more complaints than eBay or PayPal. To Hoofnagle, that represents an opportunity. "The collection agencies could act as an early warning sign for identity theft," he said.