The Checkout

Keeping ID Theft Victims in the Dark

This just in: Pretexting is illegal.

Still.

President Bush recently signed the Telephone Records and Privacy Protection Act of 2006 that makes it illegal to use a false identity or other fraudulent means to gain access to an individual's phone records.

(It was illegal before, but now you can go to prison for 10 years for buying, selling or otherwise obtaining personal phone records, unless you're law enforcement.)

In related news, last Friday, Bryan Wagner, a private eye who used pretexting to investigate reporters for Hewlett-Packard, pled guilty to two felony counts.

In the midst of the big headlines, however, one tidbit about pretexting seems to have gone unnoticed. The eagle-eyed folks at HearUsNow.org have come across a letter from the Justice Department to the Federal Communications Commission, which is working on regulations regarding pretexting.

The letter makes a pitch for, of all things, a way to delay notifying consumers when they have been victims of pretexting.

"Allowing for delayed consumer notification in appropriate cases enhances our ability to investigate the circumstances surrounding the loss of the data and, thereby, advances consumer protection," Deputy Attorney General Paul McNulty wrote to the FCC on Dec. 28th.

Telling victims immediately, Justice argued, could tip off criminals, "causing them, among other things, to destroy evidence, change their behavior, and accelerate their illegal use of any data before consumers or company victims can act."

The feds want carriers to hold off telling victims for seven days after notifying the authorities. The only exceptions are if the carrier believes "there is an extraordinary urgent need ... in order to avoid immediate and irreparable harm" or if law enforcement decides that telling consumers won't impede their investigation.

Hmmm. The question is, how would carriers define irreparable harm?

It's not as if there is a great track record of victims being made whole once perpetrators are caught. Consumers often do a better job of protecting their assets and their credit standing by trying to limit the damage as soon as possible. Everyone wants the bad guys caught. But delaying immediate notification of victims seems like a hefty price to pay, no? What do you think?

I'd also like to know whether delaying victim notification in the HP case helped investigators. Anyone out there know and care to share?

If you're curious about how much personal information the average person transmits on a daily basis, even without pretexting PIs on her tail, check out my colleague Ellen Nakashima's story in Tuesday's paper that chronicled the bits of data one woman leaves behind in the course of a normal day. The story's subject isn't some crazy gadget hound who has embedded RFID chips in herself or signed up for one of those GPS-enabled cellphone services that lets her stalk her pals when they're five minutes late for dinner. She's just an ordinary woman -- though maybe a more paranoid one now.

You can find more privacy resources here.

By Annys Shin |  January 17, 2007; 9:46 AM ET Consumer News
Previous: Naturally Confusing | Next: Anticipating Tax Refunds May Cost You

Comments

Please email us to report offensive comments.



If 7 days will prevent the perpetrator from doing it again to someone else, then I am for waiting to tell me. What this person does to my credit can be undone, especially if I have law enforcement behind me. They are my proof that my credit was harmed, so the credit reporting agencies will be more likely to react and correct the damage caused.

As for Ellen Nakashima's story. Her doomsday article is only saved by Kitty Bernard saying "I have no tickets. I obey the law. I would trust them ....... I'm a family person."

The government is not going to look at anyone's data records unless the HAVE too. Don't give them a reason too.

Posted by: Radioactive Sushi | January 17, 2007 10:35 AM

Annys, I'm curious about the Washington Post's policies on pretexting. Are reporters permitted to use pretexts in gathering information for a story?

Posted by: Tom T. | January 17, 2007 11:17 AM

Immediate notification is the answer. I was the victim of identity theft - which was identified by happenstance - I was checking credit card transactions and found fradulent charges. I had to find it because no one else did. Because I was able to piece together the date that it started, I was able to contact the credit card company and law enforcement, who caught some of the folks involved. They were repeat perps.

Yet, despite my involvement, the charges against those individuals were dropped.

Even with that record, it took 18 months to clear up the mess. There were phone accounts opened in the Bronx, there were charges in Miami. Every time I thought it was cleaned up, it came back to bite me. I ended up having 2 debt collection agencies chase me, which was only resolved by sending them photocopies of my identitification papers (passport and driver license) and proof of my residence (tax and utility bills). Who knows how THEY might have used those. And no, a police report was insufficient.

I have no faith in law enforcement to pursue these transaction. I have even less faith that the private businesses involved - credit bureaus being the top one, followed by debt collectors and credit card companies. They don't see it as thier problem.

It cost me about 150 hours and $500-$1000 out-of-pocket to clean up the mess. Had I known sooner - like immediately - it would have been much, much easier to resolve.

Law enforcement should be notifying victims and soliciting their assistance, not the other way around.

You are very, very naive if you think that things are easily undone and that you fully trust the government. I'm usually an optimist, but I've seen the other side. It's very very scary.

Posted by: For Freedom | January 17, 2007 11:18 AM

For Freedom,

I have been the victim of identity theft. And while I am sorry you had to go through what you did, you are the exception to the rule. There are ways to protect yourself from 1) ever being a victim 2) preventing too much damage if it does happen and 3) undoing what was done. They are to many to go into here, but I suggest you research them and learn how to protect yourself.

The problem was the charges were dropped so you lost your edge. You will be stuck with the charges if you have no evidents to support someone else doing it.

Posted by: Radioactive Sushi | January 17, 2007 11:32 AM

An argument for the Death Penalty.

Identity thieves steal everything but our souls; and they'd take that if they could.

Why should we worry about their's?

Posted by: DC | January 17, 2007 11:36 AM

Um, in my case, it was actually a law enforcement person who tipped of the id theft ring by simply calling them and asking what they were doing.

The feds meanwhile, refused to do anything (except the postal investigators) because the US attorneys would not allow them to pursue the case for less than $40,000 proved loss (last I asked it was $75,000).

I did extensive research and in many respects handed them the bad guys on a silver platter and they would not do anything. Much of the ID theft problems exists precisely because law enforcement is devoted to other concerns and banks and credit grantors do not want anything to interfere with the consumer's ability to get caught on an impulse buy.

Unless law enforcement in this area has dramatically improved, which I seriously doubt, I think instant notification to consumers should be the rule.

Posted by: As If | January 17, 2007 11:49 AM

I agree with "for freedom". In August I used my credit card at the CVS down the street from my work. It was the first time I had used it in over a month. A day later somebody had used it and ran it 4 times at a rent a center in Gaithersburg, paid parking tickets in DC, and paid court fines in Annapolis. You would think it would be so easy and simple to catch these people because of what they used my credit card for, but no, it didn't work that way. I spent the larger portion of my work week trying to file a police report and get somebody to pay attention. I live in VA and work in DC but since the transactions took place in DC and MD the police told me I had to file a report in VA. VA won't let you file a report unless the crime happened in VA.

Needless to say it was extremely frustrating. I had to do all the leg work myself. I called and talked to the manager at rent a center and then he told me he thought it was supicious that they had called with a credit card # rather than coming in, and had it run 3 or 4 different times. Then Annapolis didn't want to deal with it because the first transaction wasn't in MD. I'm sure you can guess how responsive the DC police were when I told them that somebody paid parking tickets with my credit card, (if you guessed they couldn't care less, you're right).

Anyway, my credit card company caught it first and shut my card off after the criminals had run up $1,500. They figured it was all fraudulent since they knew I didn't use it that much. I finally was able to file a report with the Annapolis police. I didn't think anything was going to come from it since they were giving me attitude the whole time about having to fill out some paper work. Finally, a couple weeks later, a Secret Service agent called me (apologized on behalf of the Annapolis police) and was very helpful and sympathetic. Unfortunately, they called me a couple more weeks later and told me they couldn't find sufficient evidence (which blew my mind because of the nature of the credit card use) to catch anyone. I would have liked to see the bad guys caught but at least I had enough to clean up my credit card bill. It was a huge inconvenience though, and it still is because I had to put all kinds of safeguards on any kind of financial account I might have.

The whole point is, if I had found a week later, who knows how bad it would've gotten since they managed to do that much damage in a day or two.

Posted by: fraud victim | January 17, 2007 12:03 PM

The problem I had with law inforcement when I was a victim of ID theft is that the "owner" of the SSN is not technically the victim. Yes, it's a pain in the behind to clear up your credit report, but if you do it right, then you can get your life back to what it was and all it costs is some grief and a few hours.

The (financial) victim is the company/utility where the theif created the account and didn't pay the bill. These companies are often reulctanct to pursue charges, so many times nothing happens.

Posted by: Sonya | January 17, 2007 12:09 PM

I agree with Sonya

Posted by: Radioactive Sushi | January 17, 2007 12:40 PM

If you are sucker enough to become a fraud victim, you deserve to feel a little pain.

"I just used my card at CVS" There are two problems with that statement. First, if you did only use it as CVS you would have had to have left one of 2 things behind. The card or the receipt with the card number. People don't grab stuff out of the air. There has to be some trail for the thief to follow.
Second, if you didn't leave one or more of these things behind, you used you card in full view so someone behind you could capture the information on your card.

Sound like people want pity for their own mistakes.

You won't get any from me

Posted by: John | January 17, 2007 1:38 PM

I'm not asking for pity from anybody. My point is that my case was resolved more easily because I was notified early on.

Secondly, they don't print full credit card numbers on receipts for that very reason.

But I guess you're right about using my card in plain view. Next time I'm there I'll tell everybody to stand back 10 feet before I swipe it. Honestly, who do you know who has the ability to glance at a card and remember 16 digits, plus the expiration date, plus the 3 digit security code? The only one I can think of is rainman.

The only reason I brought up CVS is because I had a feeling it was someone who had worked there for a while but then was mysteriously gone the next day.

Posted by: fraud victim | January 17, 2007 1:55 PM

Do you seriously believe that the US government is concerned about the best interests of the individual?

They are perfectly happy to let the average US citizen be a "guinea pig" for criminals to experiment on, so that they can get some free information into the workings of the criminal mind. Sure, they might bring down some web or network of identity thieves, they might even foil some great unknown plot...they might even learn something new. But isn't it better for them to maximize the chances of that happening at our expense, than to make the most out of the cases they already have? Which is easier for them?

This is yet another reason why you cannot trust the government. You have to remember they are people, just like us but with federal authority, working for THEIR own interest. Not the public interest.

Luckily the credit-card companies have an interest in having these people arrested as soon as possible, too.

Posted by: cc | January 17, 2007 2:08 PM

that plus it does cost money and raise a huge stink to notify hundreds of thousands of peple that the security of a company has been breached and the personal information that the company has on record, exploited. I mean, do you even know who has your personal information.

Posted by: cc | January 17, 2007 2:10 PM

ps 7 days is a lot of time for them to steal and abuse someone elses' identity besides yours, don't you think?

Posted by: cc | January 17, 2007 2:13 PM

cc,

Your anger with the government has no merit on this. Spewing garbage only makes you and your opinions look stupid.

Stop being stupid

Posted by: John | January 17, 2007 2:17 PM

TO: fraud victim

You mean to tell us that the person who stole your information used it to pay partking tickets and a court fine and the 'system' did not seem to care? That would seem to be a 'slam-dunk' (to use the phrase that got us into Iraq) for the court to handle.

What are the chances of you bouncing a check to court and never having anything happen to you (concerning the check)? Pretty slim, I would think.

Posted by: blasher | January 17, 2007 3:00 PM

I thought for sure when I saw what the charges were for it would be really easy to find out who had used my card. Why would you pay a ticket on a car that wasn't yours? Why would you pay court fines, of all things, with a stolen credit card? If you're the manager of a store why would you take a credit card # over the phone from the same person 4 times in the same day?! I couldn't believe it when they told me they had insufficient evidence.

I'm amazed they didn't track down the person with the court fines and slam cuffs on their wrists, or impound the car the parking tickets were for.

Then, every jurisdiction I spoke to tried to come up with a reason why it wasn't their problem. I got absolutely nowhere with the DC police. The MD police said they couldn't do anything about it but I finally got them to take a police report. I didn't even talk to the VA police because none of the transactions were there and since the cc was still in my wallet I couldn't definitively say where it had been stolen from. Fortunately, it got passed on to higher authorities but they still couldn't convict them. At least they apologized for the mistreatment of the situation.

Yeah, and I'm positive if I bounced a check to the court they would find a way to find me.

Posted by: fraud victim | January 17, 2007 3:29 PM

I still think that the banks should know who is getting their money and that identity theft is a fraud to make us do their work or take their risks.

However it is nice to know I have company in Korea:

December 14, 2005
Korea Solves the Identity Theft Problem
South Korea gets it:

The South Korean government is introducing legislation that will make it mandatory for financial institutions to compensate customers who have fallen victim to online fraud and identity theft.
The new laws will require financial firms in the country to compensate customers for virtually all financial losses resulting from online identity theft and account hacking, even if the banks are not directly responsible.


Of course, by itself this action doesn't solve identity theft. But in a vibrant capitalist economic market, this action is going to pave the way for technical security improvements that will effectively deal with identity theft.

The good news for the rest of us is that we can watch what happens now.

Posted by: Gary Masters | January 17, 2007 5:33 PM

I still think that the banks should know who is getting their money and that identity theft is a fraud to make us do their work or take their risks.

However it is nice to know I have company in Korea:

December 14, 2005
Korea Solves the Identity Theft Problem
South Korea gets it:

The South Korean government is introducing legislation that will make it mandatory for financial institutions to compensate customers who have fallen victim to online fraud and identity theft.
The new laws will require financial firms in the country to compensate customers for virtually all financial losses resulting from online identity theft and account hacking, even if the banks are not directly responsible.


Of course, by itself this action doesn't solve identity theft. But in a vibrant capitalist economic market, this action is going to pave the way for technical security improvements that will effectively deal with identity theft.

The good news for the rest of us is that we can watch what happens now.

Posted by: Gary Masters | January 17, 2007 5:34 PM

Institutions are interested in consolidating power and protecting themselves, whether it's the U.S. government, the Catholic church or a Fortune 500 corporation. From an institution's perspective, the rights of individuals are secondary.

So now Big Brother -- the same government that claims virtually unlimited power to torture prisoners, tap our phones and open our mail without any sort of due process -- wants to co-opt the telephone carriers into "protecting" us from identity theft? Thank you, but no thank you.

Posted by: Kevin | January 18, 2007 10:05 AM

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company