

Privacy and Anti-Money Laundering Prevention:

How To Handle Statutory Inconsistencies

and Customer Expectations

Money Laundering Enforcement Seminar

American Bankers Association

American Bar Association

October 31, 2000

Emerging Threats To Financial Information Security:

Identity Theft, Pretext, Social Engineering, Forgery, and

Impersonation In The Information Age

Robert Douglas, CEO

American Privacy Consultants

(www.privacytoday.com)

© 2000 Robert Smith Douglas, III

     More hi-tech methods of access to confidential customer account information are being developed by the financial services industry every day.  At the same time threats to information security systems are on the rise.  The challenge for the financial services industry, security professionals, law enforcement and Congress is to find the appropriate balance between ease of access for legitimate customers to their confidential information and the passage and enforcement of legislation designed to thwart the growing threats to customer information security.

Access To Confidential Financial Information

     There can be no doubt that confidential customer account information is being accessed and sold every day.  In fact, hundreds of web sites, newspapers, magazines, legal and investigative trade journals offer the sale of confidential financial information by private investigators and “information brokers”. (For a detailed examination of fraud and access to financial information see Appendix I: Testimony of Robert Douglas before the U.S. House of Representatives, September 13, 2000)

     As an example, the following web page is from docusearch.com:

Bank Account Search
Search Price: $249.00
Availability: National
Approximate Return Time: 10-18 Business Days*
Requires: Subject's Full Name, Complete Street Address, Social Security Number*

Search Description
Given a Subject's full name, complete address and social security number, this search will return the bank name and address, account type, account number, (if available) and approximate current balance of all located personal accounts. We access a proprietary database and identify open accounts using the Subject's SSN, however this search will only identify accounts in the Subject's primary state the business resides. If you suspect accounts exist in more than the primary residing state, a separate search request for each state is required, and should include the Subject's address in that state.

*This search requires the Subject's social security number. If the SSN is unknown, we will find it for the purposes of this search but it will not be included in your search result.

NOTE: This search uses the Subject's social security number as the account identifier, so only primary account holders are returned. Also, be sure to include any additional information you may have, such as the Subject's home & work telephone, birthdate, mother's maiden name, etc, in the additional comments section. This will greatly increase the odds of a successful search.

Responsible Purpose For Search
This search may return sensitive, confidential, and/or private information. For this reason, DOCUSEARCH.COM requires an explanation stating the purpose for requesting this search, its intended use and supporting documentation. Additionally, we reserve the right to decline to perform any search which we deem not to be for a legitimate legal purpose or may cause emotional or physical harm.

Important Disclaimer
Financial searches are for informational purposes only, and are not acceptable as an exhibit or as evidence. Every effort is made to provide a complete & thorough search result. However, no method of research is 100% fool-proof and no firm can offer an absolute guarantee that every account will be found.

*This search requires many hours of research and can't be rushed, as we want to return thorough, accurate results. Therefore, this is an approximate return time.
(End)


     In addition to the sale of account information, advertisements offer mechanical devices designed to thwart information security technology.

     As an example, the following pages list items for sale at hackershomepage.com:

SECTION#8 FINANCIAL HACKING

800b MAGNETIC STRIPE CARD READER/WRITER MAGNETIC STRIPE CARD READER/WRITER This device will allow you to change the information on magnetic stripe cards, on ALL 3 tracks, both high and low coercivity. It connects to your computer, either personal or laptop, and runs using supplied software. You must be running Windows 95, 98 or higher and have 8mb of RAM. Using this device is simple. Turn on your computer and run the supplied software. Now, swipe a card through the machine and all the information on the card will be displayed on the computer including account number, credit available, balance, name, etc. Next, using your keyboard, change any and all the information you'd like. Once complete, re-swipe the card through the machine and now your card will have the new information recorded onto the magnetic stripe. You can change any information you'd like including balance and credit information. Magnetic stripe cards are easily recognizable by the brown or black stripe and are found on credit cards, ATM cards, transportation cards, security access cards, etc. For a device that will change the information on smart cards check out item #177. See Photo! Bonus! 802 "Pin Code Hacker",853...............................................ASSEMBLED...$1,500.00

800c BLANK MAGNETIC STRIP CARDS These cards are able to be programmed using the above devices...................................ASSEMBLED...$5.00 each.

800e CARD PRINTING MACHINE This machine will print to all kinds of plastic cards including, credit cards, ATM cards, drivers licenses, smart cards, etc. All software is included to print graphics and text.
TECHNICAL SPECIFICATIONS: Technology: Thermal Transfer, Resolution: 300 DPI, Printing Speed: 70 per/hr, Printing Orientation: 0o,90o,180o,270o. ,Printing Area: Full card size, software: IMAGO for Windows or for Macintosh, interface: Serial RS 232, Communication Protocol: ACK/NACK, Baud Rate: 9600/ 19200/38400, Bar Codes: EAN 8-EAN 13-2/5S-2/5I-CODE 39-UPCA-Monarc, Card Size: ISO CR-80 86 x 54mm, Card Thickness :0.27 to 0.80mm (self adapting), Card Material: PVC. ABS, POLYESTER, Power Source : 110-120V, 220-240V, +/- 10%, 50-60 Hz, Weight: 6 Kg, Dimensions: 230mm x 190mm x 190mm.
See Photo! Bonus! 853.ASSEMBLED.$4,500.00

800f CARD EMBOSSING MACHINE This machine embosses all kinds of plastic cards, raising the numbers and lettering perfectly just like on credit cards. See Photo! Bonus! 853..................................................................ASSEMBLED...$4,500.00

800h PORTABLE 100 CARD READER This is the device you've heard about and everyone has been asking me to offer. Some waitresses and store clerks are using this device at work. It will store 100 credit card and magnetic stripe card swipes to memory and is powered by lithium camera batteries. The size of this device makes it easily concealable in your pocket. Device can download the information from the swipes to your computer using the supplied cable and software. The software will also easily write the information to any magnetic stripe card using item #800b (sold separately). Download and write to a card in under 20 seconds. Some people have been known to charge as much as $8,000.00 for this device, but we think that’s too much. This device can be shipped COD to anywhere in the US. Customers outside of the US must prepay before it can be shipped. All instructions are included. See Photo! Bonus! 802 "Pin Code Hacker", 853.......................................................ASSEMBLED...$1,500.00

800x CREDIT CARD BUSINESS PACKAGE DEAL Purchase the following 3 items together at a remarkably discounted price and get in on the lucrative credit card business. Includes: #800b MAGNETIC STRIPE CARD READER/WRITER, #800h PORTABLE 100 CARD READER, and #828 CREDIT & CALLING CARD NUMBER CAPTURING SYSTEM. All completely assembled, with instructions and software. Save $650.00. Bonus! 802 "Pin Code Hacker", 853................ASSEMBLED...$3,300.00

801 UNIVERSAL INTERFACE HACKING DEVICE The Universal interface is used to connect various devices like GSM phones, amateur radios, radio scanner, smart cards, smart card emulators, EEPROM's, PIC's, organizers, magnetic stripe readers/writers to the PC. The Universal interface has to be connected to a free 25 pin Serial/COM port. In case your PC has only 9 pin Serial/COM ports, a 9pin-to-25pin Adapter is needed, which you can find at any computer or office supply store. In order to connect it to various devices, you need only additional connectors and cables. We are offering as accessories a small range of various connectors and cables for multiple applications but will be expanding this accessory product line in the future. The greatest advantage is the modularity that the interface has. It has accessories for various applications, that can be combined or used separately. The needed power supply is taken from the COM/RS232 port and so it is perfectly suitable for mobile applications (Laptops and Notebooks). You don't have to carry everything with you, only the accessories that you will need. The interface was developed for mobile applications. It measures ONLY 55mm*17mm*66mm. The voltage supply (5V) is taken from the serial port. In the interface is also an integrated 3.579545MHz oscillator, this makes it possible to use it as a smart card reader/writer. An inverter is additionally integrated, so the possibility exists to invert all or individual lines. Thus highest compatibility is ensured, for current and future applications, by the most diverse adjustment possibilities. With this ability the interface can be used with a multiplicity of freeware, shareware as well as commercial software applications. It is suitable for 5V and also for 3.0V applications, full-duplex (3 lines) is supported as well as half-duplex (2 lines), with and without handshake. See Photo!
.................................................................................ASSEMBLED...$595.00

ACCESSORIES for 801


801a SMARTCARD READER/WRITER ATTACHMENT (Compatible with DumbMouse, Phoenix, SerProg, SmartMouse, PC/SC driver available) Includes both large and small card slots. This product, in combination with product #801, is exactly the same as products #177 and #500, except that it includes both the normal-sized and smaller-sized card sockets, and will also work with software designed for parallel programmers. The greater advantage with this product is that it is expandable and compatible with upcoming future technologies. By using the various settings the interface offers, it is compatible with the mostly used smart card readers/writers like the Phoenix interface (mostly used in SatelliteTV applications), DumbMouse, SerProg, SmartMouse and others. With this compatibility the interface is working with a wide range of freely available software and drivers. With the interface and the included software and PC/SC driver, you are able to read/write almost all SmartCards like:
* Memory SmartCards: TeleCards, I2C, 2-wire, 3-wire , MicroWire
* CPU SmartCards: T=0, T=1, and all asynchronous SmartCards with 3.58 MHz clock. Like: GSM Sim cards, Cashcards, DSS, CryptoFlex, CyberFlex, GPK2000, MPCOS, MultiFlex, PayFley, Starcos,
* White Wafer Cards (with a PIC16X84), Gold Wafer Cards (PIC16X84+EEPROM 24LC16), MM2 and other compatible.
The disadvantage of most commercial readers/writers is that in most cases they are using a PIC or similar CPU to communicate with the smart card. In such cases you are only able to use software that you get with the reader/writer, and 3rd party software that explicitly supports that particular reader/writer. The software uses a driver/API that will in most cases not allow you to use or try some nonstandard commands. This is a limitation, not appreciated by software developers. Not to mention that you will not be able to use a wide range of application software available on the Internet. The interface is a direct reader/writer, communicating directly with the smart card, without drivers, you can directly and without any limitation access every card. The interface is the only available smart card reader/writer capable of programming wafer cards without a power supply. You can program the PIC16X84 and the EEPROM from the Wafercard using your notebook. Includes software on CD-ROM.
See Photo!....ASSEMBLED...$195.00

801b & 801c SMARTCARD EMULATOR/DATALOGGER ATTACHMENT (compatible with: Season7, ASIM, and datalogger) Emulates: GSM, Irdeto, VideoCrypt I+II, EuroCrypt, D2Mac, Cashcards. The smart card emulator is a development tool for the hardware and software developer. The PCB has the standard smart card dimensions. It is inserted into the MasterDevice, instead of the smart card, and the other end is connected to the PC, using the interface. With the proper use of emulator software the PC can emulate a smart card. The connection is Season7 and ASIM compatible. All 8 ISO contacts are taken to the socket, so the PCB can also be used to emulate/analyze non-standard smart cards. It can also be connected to the parallel port, in order to be used with software written for the parallel port. Besides the "Normal ISO 7816" version we also offer a "small" SIM version. This version is used mostly for GSM/PCN applications, for phones that are using the Small SIM format. The smart card emulator/datalogger can also be used on any device where smart cards are used, like satellite and network tv decoders and other applications. Includes software on CD-ROM.
801b Normal ISO 7816 version.
See Photo!...................ASSEMBLED...$150.00
801c Small SIM version.
See Photo!.......................................KIT...$100.00

828 CREDIT & CALLING CARD NUMBER CAPTURING SYSTEM This system is just like the one recently featured on TV news that is currently being used at airports and shopping malls, and netting millions of dollars for its operators. This all-in-one hardware system will allow you to remotely capture unlimited credit card and calling card numbers (including PIN numbers and expiration dates) when entered into pay telephones. You can even capture the names and billing addresses of the card holders. The system can be used remotely from the comfort of your home, a payphone, or a cell phone. Information is stored in memory and displayed via LCD. A REAL money-making system that can net you millions without ever being caught, and can pay for itself after just a few minutes of use. You can literally capture hundreds of valid numbers and related information every day, whenever you want. Can be used in conjunction with #800b to write your own credit cards. All instructions included. See Photo! Bonus! 802 "Pin Code Hacker", 853...........................................................................ASSEMBLED...$950.00

857 BILL CHANGER & VENDING MACHINE HACKER/JACKPOTTER This handheld, concealable device will cause various effects on different machines including BILL CHANGER MACHINES. It’s portable, battery powered, and measures 2-1/4 inches by 4 inches. Included are complete instructions on how to obtain free products and to jackpot machines of coins by a simple push of a button. Many vending machines hold in excess of $50.00 change, while bill changer machines can hold in excess of $500.00. Device will work on both 120 and 220 volt systems, making it effective anywhere in the world. We've now combined features from our now-discontinued Soda Machine Hacker. Not only will this device jackpot the soda machine, but in many instances will cause cans of soda to drop down the chute. Bonus! 853..................ASSEMBLED...$375.00

867 EMP MANIPULATION DEVICE This device is so controversial that we can't tell you what it can be used for except for the general information in this description. However, ALL instructions are included with the purchase of this device. This device drastically affects ALL electronic machines when brought into close proximity (Within 1 meter or 36 inches approx.) The highly directional pulsed signal can make you RICH if used in an illegal fashion, which, of course, we do not recommend. This system includes a "general" antenna but several specialized antennas are also available.
See Photo! Bonus! ...................................................ASSEMBLED*...$775.00

OPTIONAL ANTENNA PACKAGE FOR ITEM# 867

867a Antenna the width of paper currency (works in most countries).
867b Antenna the width of a coin (works in most countries).
867c Antenna the width of a credit card (works in ALL countries).
See Photo!
Kit and instructions to build ALL 3 antennas (no soldering required)...KIT...$175.00

We WILL NOT answer emails from anyone asking about illegal activities, or how to use our products for illegal activities...they will automatically be deleted. All products are designed for testing and exploring the vulnerabilities of CUSTOMER-OWNED equipment, and no illegal use is encouraged or implied. We WILL NOT knowingly sell to anyone with the intent of using our products for illegal activities or uses. It is your responsibility to check the applicable laws in your city, state, and country. (END)


     There also can be no doubt that traditional methods of identity theft, coupled with the information-age ease of access to citizens' biographical information, are contributing to increases in both the number of cases resulting in financial losses and the size of those losses.

     Reuters recently reported a dramatic example of identity theft coupled with financial fraud resulting in substantial losses:

Man pleads guilty to stealing executives' personal data

Tuesday September 26, 5:27 pm Eastern Time

By Gail Appleson, Law Correspondent

NEW YORK, Sept 25 (Reuters) - A Tennessee man has pleaded guilty to using credit card and bank information stolen from top executives at major corporations to buy diamonds and Rolex watches, federal prosecutors said on Tuesday.

James Rinaldo Jackson, 39, of Memphis pleaded guilty to 29 counts of conspiracy, credit card, mail, wire and bank fraud. Prosecutors said he entered his plea during a hearing on Monday in Manhattan federal court.

Among the victims were John Alm, president of Coca-Cola Enterprises, the largest bottler of Coke; Richard Fuld, chief executive officer of Lehman Brothers Holdings; Stephen Bollenbach, chief executive of Hilton Hotels Corp., and Gordon Teter, the former CEO of Wendy's International, who is now deceased.

Other victims included Dr. James Klinenberg, former administrator of Cedars-Sinai Medical Centre in Los Angeles and Nackey Loeb, former president of the Union Leader Corp. and publisher of the Union Leader and New Hampshire Sunday News. Teter, Klinenberg and Loeb had died shortly before the information was stolen.

Jackson faces a possible maximum sentence of 30 years in jail and $1 million fine on each of 27 bank, mail and wire fraud charges; five years in prison and a $1 million fine on the conspiracy charge, and 20 years in prison and $250,000 fine on the credit card fraud charge.

The diamonds and Rolex watches he tried to buy were worth a total of more than $730,000.

During the hearing, Jackson admitted that between December 1999 and last February he stole financial information about his victims. Impersonating the victims, he then contacted their banks and credit card companies to arrange for their billing addresses to be changed to various hotels in the Memphis, Tenn. area.

He explained to the court that he had obtained the information by researching his victims in ``Who's Who In America'' and in some cases used the Internet to obtain personal information about the executives.

Jackson admitted that he obtained information about Teter by deceiving Wendy's into believing that he was a potential franchisee. He learned through the Internet that Teter had died and then obtained personal information about the deceased executive through a variety of means including the funeral home.

Using the names of his victims, he contacted jewelry dealers throughout the United States and bought diamonds and Rolex watches that he had seen on the dealers' Internet Web sites.

Jackson paid for purchases by either charging them to the victims' credit card numbers, having banks wire money from the victims' bank accounts or mailing the dealers fraudulent checks.

He then had the jewelry dealers ship the diamonds and watches to the Memphis-area hotels. Jackson then made reservations at the hotels in the victims' names and notified the hotels to expect a package delivery. He, sometimes along with an accomplice, then picked up the packages.

Jackson was arrested on Feb 25 near Memphis by FBI agents who watched him trying to pick up a package addressed to one of his victims. (END)

     This case may be dramatic but does not stand alone.  Recent figures have placed identity theft coupled with financial fraud as one of the fastest growing crimes in the United States today.  Current estimates place the figure at 500,000 cases each year with an average loss of $17,000 per case.

     Indeed, the United States Secret Service has begun to note the presence of organized criminal activity in the area of identity theft and financial fraud.  (see Appendix II: Testimony of Bruce A. Townsend, Special Agent In Charge, U.S. Secret Service – Financial Crimes Division; before the U.S. House of Representatives, September 13, 2000)

Statutory Inconsistencies Create Hurdles To Law Enforcement

     Given the reality of the growing threat to the protection of customer account information, the challenge ahead is for the United States Congress and state legislatures to pass laws empowering state and federal law enforcement to combat these threats without choking off legitimate technological advances and ease of access for legitimate consumers to their own account information.

     With the passage of Gramm-Leach-Bliley Congress took a major step in trying to define who will have access to confidential and personal information and at the same time attempted to thwart the use of fraud by identity thieves to illegally access customer information.  The federal regulatory agencies are in the process of enacting regulations to enforce the provisions of Gramm-Leach-Bliley as we meet here today.

     It is too early to determine how Gramm-Leach-Bliley and the subsequent regulations now under consideration will impact many important areas of privacy surrounding financial information.  However, it is not too early to recognize that Gramm-Leach-Bliley has failed in thwarting the efforts of disreputable private investigators and “information brokers” in the advertising and sale of confidential account information as demonstrated above and in my numerous appearances before Congress.

     Section 521 of Gramm-Leach-Bliley has a child support exemption provision allowing for the use of fraud against financial institutions in order to obtain customer account information under certain conditions.  This one exemption has allowed private investigators to continue to advertise the sale of confidential financial information and has created a hurdle for law enforcement in enforcing Gramm-Leach-Bliley.

     Gramm-Leach-Bliley needs to be amended at once.  The narrowly crafted child support exemption for the use of fraud is being used by private investigators as an advertising shield behind which they continue the covert sale of financial information that falls outside of the GLB exemptions.  The provisions of GLB that allow for pretext in a child support situation state as follows:

Sec. 521 (g) NONAPPLICABILITY TO COLLECTION OF CHILD SUPPORT JUDGMENTS- No provision of this section shall be construed to prevent any State-licensed private investigator, or any officer, employee, or agent of such private investigator, from obtaining customer information of a financial institution, to the extent reasonably necessary to collect child support from a person adjudged to have been delinquent in his or her obligations by a Federal or State court, and to the extent that such action by a State-licensed private investigator is not unlawful under any other Federal or State law or regulation, and has been authorized by an order or judgment of a court of competent jurisdiction.

     The operative language is:  “No provision of this section shall be construed to prevent any State-licensed private investigator…from obtaining customer information of a financial institution...to collect child support from a person adjudged to have been delinquent in his or her obligations by a Federal or State court...AND has been authorized by an order or judgment of a court of competent jurisdiction.”  Both the legislative history of the act and the plain face of the statute make clear that a judge (Court) must specifically authorize the use of pretext to obtain customer information of “a financial institution”.

     I am not aware of a single case where a Court has authorized a private investigator to intentionally deceive a financial institution in order to obtain customer information.  It is easy to understand why this has not happened and most likely never will.  The presumptive evidentiary burden that would be required to obtain such an order would easily support the issuance of a subpoena to the very institution from which the information is being sought and against which pretext is being contemplated.  Unless Congress has evidence that financial institutions routinely falsify responses to subpoenas it is hard to fathom why this provision was placed in GLB.

     Further, this section states:  “to the extent reasonably necessary to collect child support from a person adjudged to have been delinquent in his or her obligations by a Federal or State court.”  The legislative history of this exemption was a claim made by some representatives of the private investigative industry that pretext was needed as there was no other method available to locate the financial institution holdings of deadbeat parents who lie to the Courts.  This claim was not true at the time, as there are many lawful ways to pursue overdue non-custodial child support payments and many taxpayer-funded agencies designed to fill that role.  However, even if this argument is accepted as a legitimate historical reason for the exemption, there is no longer any legislatively justifiable reason to maintain the exemption given the provisions of the Personal Responsibility and Work Opportunity Reconciliation Act of 1996, which are now in effect and mandate that all financial institutions cooperate with the government by providing the financial information of delinquent child support parents directly to the Federal government for asset forfeiture.

     The following excerpt describing this procedure is from a front-page article written by Robert O’Harrow, Jr. in the Sunday, June 27, 1999 edition of the Washington Post:

As part of a new and aggressive effort to track down parents who owe child support, the federal government has created a vast computerized data-monitoring system that includes all individuals with new jobs and the names, addresses, Social Security numbers and wages of nearly every working adult in the United States.

Government agencies have long gathered personal information for specific reasons, such as collecting taxes. But never before have federal officials had the legal authority and technological ability to locate so many Americans found to be delinquent parents -- or such potential to keep tabs on Americans accused of nothing.

The system was established under a little-known part of the law overhauling welfare three years ago. It calls for all employers to quickly file reports on every person they hire and, quarterly, the wages of every worker. States regularly must report all people seeking unemployment benefits and all child-support cases.

Starting next month, the system will reach further. Large banks and other financial institutions will be obligated to search for data about delinquent parents by name on behalf of the government, providing authorities with details about bank accounts, money-market mutual funds and other holdings of those parents. State officials, meanwhile, have sharply expanded the use of Social Security numbers. Congress ordered the officials to obtain the nine-digit numbers when issuing licenses -- such as drivers', doctors' and outdoorsmen's -- in order to revoke the licenses of delinquents.

Enforcement officials say the coupling of computer technology with details about individuals' employment and financial holdings will give them an unparalleled ability to identify and locate parents who owe child support and, when necessary, withhold money from their paychecks or freeze their financial assets. (End of excerpt) (Emphasis added by Robert Douglas)

     O’Harrow went on to describe in more detail how the new system operates:

Next month, financial institutions that operate in multiple states -- such as Crestar Financial Corp., Charles Schwab & Co. and the State Department Federal Credit Union -- will begin comparing a list of more than 3 million known delinquents against their customer accounts. Under federal law, the institutions are obligated to return the names, Social Security numbers and account details of delinquents they turn up.

The Administration for Children and Families will then forward that financial information to the appropriate states. For security reasons, spokesman Kharfen said, the agency will not mix the financial data with information about new hires, wages and the like. Bank account information will be deleted after 90 days.

In a test run this spring, Wells Fargo & Co. identified 72,000 customers whom states have identified as delinquents. NationsBank Corp. found 74,000 alleged delinquents in its test.

Later this year, smaller companies that operate only in one state will be asked to perform a similar service. Officials say most of these institutions will compare their files against the government's. But some operations that don't have enough computing power -- such as small local banks, credit unions and securities firms -- will hand over lists of customers to state officials for inspection. States can then administratively freeze the accounts.

In California, more than 100 financial institutions have already handed over lists of all their depositors to state officials, including names, Social Security numbers and account balances, a state official said.  (End of excerpt) (Emphasis added by Robert Douglas)

     Finally, the exemption places GLB in direct conflict with other federal statutes outlawing wire and mail fraud and unfair and deceptive trade practices.  The exemption also places GLB in direct conflict with many State laws and creates nothing short of a judicial quagmire.

     Simply put, there is no legitimate reason to continue the child support exemption to Gramm-Leach-Bliley.  There is a legitimate reason to strike it from the statute, as companies are using it as a pretense to advertise their ability to locate financial institution customer information.  All an ad need say is that the request must be in compliance with applicable laws and that all requests are performed on that basis.

Conclusion

     Threats to the information security systems of the financial services industry abound.  With advancing technology, traditional methods of identity theft, pretext and fraud are re-emerging and on the rise.  Law enforcement must be aggressive in combating these crimes before citizens become concerned about the safety and integrity of the industry.  Congress should not be in the business of creating hurdles to effective law enforcement protection of customers of the financial services industry.  Congress should be in the business of assisting the industry and consumers by empowering law enforcement to aggressively prosecute identity thieves of all types.

© 2000 Robert Smith Douglas, III

Appendix I

Statement by Robert Douglas

before the

Committee on Banking and Financial Services

United States House of Representatives

Hearing On Identity Theft and Related Financial Privacy Issues

September 13, 2000

 

     My name is Robert Douglas and I am the co-founder and Chief Executive Officer of American Privacy Consultants, Inc. located in Alexandria, Virginia (www.privacytoday.com).  American Privacy Consultants assists organizations and businesses in understanding and implementing appropriate privacy policies, strategies, defenses, educational programs, training, and auditing.

     I appreciate the opportunity to appear before this committee once again to address the issue of identity theft, “pretext calling”, and other deceptive practices still in use by some “information brokers”, private investigators, judicial judgment collectors and identity thieves to illegally access the personal and confidential information of customers of financial institutions.  Unfortunately, in spite of the enactment of legislation drafted by this Committee to outlaw such practices, these methods not only survive but also continue to grow in volume, scope, and methodology.

     Chairman Leach, I want to personally thank you and the Committee for your continued willingness and desire to address this serious issue, first by crafting and passing much needed legislation and now in an oversight capacity.  I am personally aware of the amount of time the Committee members and staff have invested in this problem over the last three years and as a citizen applaud the Committee’s willingness to tackle these issues.

     I also would like to single out for recognition Jim Clinger, the Committee’s Senior Counsel and Assistant Staff Director.  Over the last three years I have had the unique pleasure of working with Jim on a regular basis and he is a true credit to this Committee and to the United States Congress.  Above all he is a true gentleman.

     Finally, I would like to thank John Forbes, Special Agent, United States Customs Service, and Alison Watson, Professional Staff Member of the Committee, for their work over the last month in preparation for this hearing.

H.R. 4311

     Although I was specifically asked to address the use of pretext and other deceptive techniques to access confidential financial information, I would like to make a few brief observations concerning HR 4311.

     There can be little doubt that identity theft is one of the fastest growing crimes in the United States today.  Each year hundreds of thousands of Americans fall prey to identity thieves.  The financial and credit damage implications are severe for the individual who is the victim of identity theft.  Additionally, retailers and financial institutions suffer financial losses as a result of identity theft.  Finally, the nation as a whole suffers in increased prices for retail products and financial services including the cost of credit.

     The advent of the World Wide Web has brought increased opportunities for identity thieves through ease of access to the personal, biographical data needed to perpetrate identity crimes and by facilitating the ordering of merchandise absent a face-to-face encounter with a store clerk.  These facts require that we examine the areas of weakness that identity thieves exploit.

     In 1998 I demonstrated for this Committee the ease with which an individual can purchase private and confidential financial information.  It is even easier to obtain the name, address, date of birth, social security number, mother’s maiden name, phone number, and often the employment of any individual in the United States today.  All of this information is for sale on the web.  In a nutshell, all the information needed to steal a citizen’s identity and create financial havoc is available on the Internet for little or no cost.

     The largest source of up-to-date personal, biographical information is credit bureaus.  The sale and resale of credit header information by credit bureaus to private investigators, information brokers and judicial judgment collection professionals results in this information being accessible to anyone for a fee.  This is big business.  Several large companies make millions of dollars each year reselling personal information gathered by the credit bureaus.

     When citizens apply for credit or enter into a credit transaction they do not know that their personal, biographical information is then resold to any individual with a few bucks and a web browser.  If the level of trust in the Internet is ever to rise from the relatively low position it now occupies, the sale of personal information must be brought under control.  A good place to begin is by curtailing the sale of credit header information absent a permissible purpose as defined currently within the FCRA.  For that reason I believe Section 8 of HR 4311 is long overdue.

Pretext and other Deceptive Practices

July 1998 through September 2000

     On July 28, 1998, while appearing before this Committee, I stated:  “All across the United States information brokers and private investigators are stealing and selling for profit our fellow citizens’ personal financial information.  The problem is so extensive that no citizen should have confidence that his or her financial holdings are safe.”  Sadly, I return today to inform this Committee that my statement of 1998 remains true today.

     While the illegal access of financial information continues, progress has been made.  When we last met in July of 1998 four steps were required in order to stop these practices.  First, the financial services industry needed to understand and take affirmative steps to combat the threat posed by unscrupulous information brokers, private investigators, and identity thieves.  Second, tough federal legislation was needed to outlaw the use of pretext and deception as a means to access confidential financial information.  Third, appropriate federal regulatory agencies needed to create standards and regulations designed to assist institutions in the safeguarding of financial information and to reflect the legislative intent encompassed within any legislation enacted by Congress.  Finally, aggressive prosecution of individuals and companies who steal, buy, and/or sell personal financial information was required to signal that the integrity of our nation’s financial system is a law enforcement priority.  The first three sides of the square have been completed.

     The financial services industry has made significant progress in beginning to combat identity theft and pretext through a sober recognition that this is not a problem that can be ignored if the industry wishes to maintain a reputation for providing confidentiality to customers.  This recognition has been acted upon through the use of training programs and educational materials to begin the education of financial services industry professionals to the threats posed by identity thieves of all types.  Many financial institutions have begun to enact internal standards designed to identify and thwart the practices of identity thieves and infobrokers.  Is there more to do?  Absolutely.  Is the financial services industry taking the confidentiality of the records it safeguards on behalf of customers seriously enough to continue to move forward in this area?  I believe so.

     This Committee and Congress moved quickly to pass legislation designed to punish those who would impersonate others in order to gain access to private financial records.  With the passage of Gramm-Leach-Bliley, there is now federal law outlawing the use of pretext and other deceptive techniques to gain access to personal financial information absent several narrowly defined and commonly misunderstood exceptions.

     The federal regulatory agencies with direct supervisory function over the financial services industry moved quickly in 1998, by means of an advisory letter and other steps, to alert all institutions to the practices of identity thieves and information brokers.  These same agencies are continuing as we meet here today to develop standards and regulations in keeping with the intent of Gramm-Leach-Bliley.

     With the first three sides of the box either erected or under construction, it is now time to build the final wall through aggressive enforcement action.  With the enactment of Gramm-Leach-Bliley last November, I assume that the Federal Trade Commission and appropriate criminal enforcement agencies are now preparing to use the tools Congress and the President handed them.

     To my knowledge there has been one federal enforcement action brought by the FTC against an information broker.  That civil action was begun prior to the enactment of Gramm-Leach-Bliley under laws designed to thwart “unfair and deceptive trade practices”.  Several states, notably Massachusetts, have aggressively pursued illegal information brokers.  Again, these actions were taken prior to GLB and under state laws against illegal trade practices.  It is time for tough nationwide enforcement of the civil and criminal provisions contained within Gramm-Leach-Bliley.

     In the invitation letter I received from the Committee to testify today I was asked to specifically address three areas:  1) The extent to which the use of pretext and other deceptive means continues in spite of the passage of Gramm-Leach-Bliley; 2) The effectiveness of efforts by the financial services industry to deter and detect fraudulent attempts to obtain confidential account information; and, 3) Other threats to financial privacy emerging today.

 

The Extent To Which Deceptive Practices Continue

Post Gramm-Leach-Bliley

     The use of pretext and other means of deception to trick financial institution employees and customers into disclosing personal and confidential financial information, which I testified about two years ago, continues unabated.  Books have been written about pretext to teach and share common methods.  Discussion groups abound on the Internet with the trading of new and improved techniques almost on a daily basis.  Classes are held in which pretext methods are shared for a price.  The techniques are becoming more complex and refined.

     Advertisements on the World Wide Web have doubled in the past two years.  Here is a typical example:

Bank Account Search

Search Price
$249.00

Availability
National

Approximate Return Time
10-18 Business Days*

Requires
Subject's Full Name, Complete Street Address, Social Security Number*

Search Description
Given a Subject's full name, complete address and social security number, this search will return the bank name and address, account type, account number, (if available) and approximate current balance of all located personal accounts. We access a proprietary database and identify open accounts using the Subject's SSN, however this search will only identify accounts in the Subject's primary state the business resides. If you suspect accounts exist in more than the primary residing state, a separate search request for each state is required, and should include the Subject's address in that state.

*This search requires the Subjects social security number. If the SSN is unknown, we will find it for the purposes of this search but it will not be included in your search result.


NOTE: This search uses the Subject's social security number as the account identifier, so only primary account holders are returned. Also, be sure to include any additional information you may have, such as the Subject's home & work telephone, birthdate, mother's maiden name, etc, in the additional comments section. This will greatly increase the odds of a successful search.

Responsible Purpose For Search
This search may return sensitive, confidential, and/or private information. For this reason, DOCUSEARCH.COM requires an explanation stating the purpose for requesting this search, its' intended use and supporting documentation. Additionally, we reserve the right to decline to perform any search which we deem not to be for a legitimate legal purpose or may cause emotional or physical harm.

Important Disclaimer
Financial searches are for informational purposes only, and are not acceptable as an exhibit or as evidence. Every effort is made to provide a complete & thorough search result. However, no method of research is 100% fool-proof and no firm can offer an absolute guarantee that every account will be found.

*This search requires many hours of research and can't be rushed, as we want to return thorough, accurate results. Therefore, this is an approximate return time. (End)

     This advertisement is remarkable in many regards.  The ad claims to “access a proprietary database and identify open accounts using the Subject’s SSN”, yet “this search requires many hours of research and can’t be rushed, as we want to return thorough, accurate results” and the search may require “10-18 business days”.  There is no proprietary database available to private investigators or information brokers from which banking information can be obtained by use of the SSN (social security number).  In fact this ad used to say the company accessed a “federal database” to obtain the information.

     The ad further states:  “Also, be sure to include any additional information you may have, such as the Subject's home & work telephone, birthdate, mother's maiden name, etc, in the additional comments section. This will greatly increase the odds of a successful search.”  Why would a database accessed by SSN require this personal information?  It wouldn’t.  But pretext does.  Many financial institutions use the mother’s maiden name as a password.  Further, some institutions will ask for your home or work phone numbers to verify the account holder.  Finally, the phone numbers are often required as part of a pretext contact made directly to the account holder.

     The ad also states:  “Additionally, we reserve the right to decline to perform any search which we deem not to be for a legitimate legal purpose or may cause emotional or physical harm.”  Perhaps this is an attempt to signify that a search request must satisfy GLB and other applicable State and Federal laws.  Perhaps not.  Here is the transcript of an email contact I had with Docusearch:

From:       DOCUSEARCH.COM
To:         email address deleted
Subject:    Re: Information Request
Sent:       Mon 3/20/00 1:41 PM

You will first have to locate his address in the current residence
state.  This may be accomplished with a Locate by Previous Address
Search.  Then you can order the Bank Account Search.

At 01:38 PM 3/20/00 , you wrote:
>------------Begin, Information Request from visitor-----------
>My Name Is : Rob Douglas
>My Email Address Is : (deleted)
>My Telephone Number Is : (deleted)
>My Question Pertains To :  Other: Explain Below
>Comments : I have a client who is owed a substantial amount of money
>by a potential defendant who left the area and closed his personal and
>corporate bank accounts.  I have an old home address for the potential
>defendant and know what state he moved to.  What searches would you
>recommend to locate the potential defendant and his personal and
>corporate bank accounts?
>------------End, Information Request from visitor -----------

     The “>” portions represent the email I sent to Docusearch using their on-line request form.  Three minutes later I received the reply that I could order the bank account search in a situation that would clearly be illegal under GLB if pretext were used.

     I would hope that members of this Committee would find the services offered and the language of the advertisements by Docusearch to be as disturbing as I do.  I suspect many of the members of this Committee would wonder why this firm is allowed to operate in this fashion given the provisions of GLB and the applicable “unfair and deceptive trade practice” sections of Federal law.  The excuse might be offered that this is just one company that no one in a position of responsibility to address these practices was aware of.  That excuse would ring hollow.

     Docusearch is the company that sold personal information concerning Amy Boyer to a stalker, a sale that resulted in the murder of Ms. Boyer and the suicide of the stalker.  Amy’s parents have testified before Congress and have been widely covered in the media.  In fact, Amy’s death has led to consideration of legislation by this Congress to outlaw the sale of social security numbers.  Throughout all this attention Docusearch has made one change to the web site where it advertises.  Docusearch no longer publicly advertises the sale of social security numbers.  But Docusearch continues to do business selling personal and confidential information.

     The attention to Docusearch does not end there.  Docusearch was the cover story for Forbes magazine on November 29, 1999.  This was seventeen days after President Clinton signed GLB into law.  In the article Dan Cohn of Docusearch literally bragged about his abilities to obtain personal information about a subject.  Here is the opening quote from the Forbes cover story:

THE PHONE RANG AND A STRANGER CRACKED SING-SONGY AT THE OTHER END OF the line: "Happy Birthday." That was spooky--the next day I would turn 37. "Your full name is Adam Landis Penenberg," the caller continued. "Landis?" My mother's maiden name. "I'm touched," he said. Then Daniel Cohn, Web detective, reeled off the rest of my "base identifiers"--my birth date, address in New York, Social Security number. Just two days earlier I had issued Cohn a challenge: Starting with my byline, dig up as much information about me as you can. "That didn't take long," I said.

"It took about five minutes," Cohn said, cackling back in Boca Raton, Fla. "I'll have the rest within a week." And the line went dead.

In all of six days Dan Cohn and his Web detective agency, Docusearch.com, shattered every notion I had about privacy in this country (or whatever remains of it). Using only a keyboard and the phone, he was able to uncover the innermost details of my life--whom I call late at night; how much money I have in the bank; my salary and rent. He even got my unlisted phone numbers, both of them. (End of excerpt)

     One might wonder who Dan Cohn is and whom he sells this information to.  Forbes answered that as well:

Cohn operates in this netherworld of private eyes, ex-spooks and ex-cops, retired military men, accountants and research librarians. Now 39, he grew up in the Philadelphia suburb of Bryn Mawr, attended Penn State and joined the Navy in 1980 for a three-year stint. In 1987 Cohn formed his own agency to investigate insurance fraud and set up shop in Florida. "There was no shortage of work," he says. He invented a "video periscope" that could rise up through the roof of a van to record a target's scam.

In 1995 he founded Docusearch with childhood pal Kenneth Zeiss. They fill up to 100 orders a day on the Web, and expect $1 million in business this year. Their clients include lawyers, insurers, private eyes; the Los Angeles Pension Union is a customer, and Citibank's legal recovery department uses Docusearch to find debtors on the run.

Cohn, Zeiss and 13 researchers (6 of them licensed P.I.s) work out of the top floor of a dull, five-story office building in Boca Raton, Fla., sitting in cubicles under a fluorescent glare and taking orders from 9 a.m. to 4 p.m. Their Web site is open 24 hours a day, 365 days a year. You click through it and load up an on-line shopping cart as casually as if you were at Amazon.com. (End of excerpt)

     Amazingly, Cohn admits to the use of fraud and bribery:

The researchers use sharp sifting methods, but Cohn also admits to misrepresenting who he is and what he is after. He says the law lets licensed investigators use such tricks as "pretext calling," fooling company employees into divulging customer data over the phone (legal in all but a few states). He even claims to have a government source who provides unpublished numbers for a fee, "and you'll never figure out how he is paid because there's no paper trail." (End of excerpt)

     The following excerpt reveals methods used by Cohn directly relevant to today’s hearing and HR 4311:

Cohn's first step into my digital domain was to plug my name into the credit bureaus--Transunion, Equifax, Experian. In minutes he had my Social Security number, address and birth date.  Credit agencies are supposed to ensure that their subscribers (retailers, auto dealers, banks, mortgage companies) have a legitimate need to check credit.

"We physically visit applicants to make sure they live up to our service agreement," says David Mooney of Equifax, which keeps records on 200 million Americans and shares them with 114,000 clients. He says resellers of the data must do the same. "It's rare that anyone abuses the system." But Cohn says he gets his data from a reseller, and no one has ever checked up on him.

Armed with my credit header, Dan Cohn tapped other sites. A week after my birthday, true to his word, he faxed me a three-page summary of my life. He had pulled up my utility bills, my two unlisted phone numbers and my finances. (End of excerpt)

     And should there be any question as to the ability of a determined criminal to gain access to confidential information including financial information, the following excerpt is on point:

He had my latest phone bill ($108) and a list of long distance calls made from home--including late-night fiber-optic dalliances (which soon ended) with a woman who traveled a lot. Cohn also divined the phone numbers of a few of my sources, underground computer hackers who aren't wanted by the police--but probably should be.

Knowing my Social Security number and other personal details helped Cohn get access to a Federal Reserve database that told him where I had deposits. Cohn found accounts I had forgotten long ago: $503 at Apple Bank for Savings in an account held by a long-ago landlord as a security deposit; $7 in a dormant savings account at Chase Manhattan Bank; $1,000 in another Chase account.

A few days later Cohn struck the mother lode. He located my cash management account, opened a few months earlier at Merrill Lynch &Co. That gave him a peek at my balance, direct deposits from work, withdrawals, ATM visits, check numbers with dates and amounts, and the name of my broker. (End of excerpt)

     Cohn is even willing to lead officials to believe he is a law enforcement officer as this excerpt demonstrates:

How did Cohn get hold of my Merrill Lynch secrets? Directly from the source. Cohn says he phoned Merrill Lynch and talked to one of 500 employees who can tap into my data. "Hi, I'm Dan Cohn, a licensed state investigator conducting an investigation of an Adam Penenberg," he told the staffer, knowing the words "licensed" and "state" make it sound like he works for law enforcement.

Then he recited my Social Security, birth date and address, "and before I could get out anything more he spat out your account number." Cohn told the helpful worker: "I talked to Penenberg's broker, um, I can't remember his name...."

"Dan Dunn?" the Merrill Lynch guy asked. "Yeah, Dan Dunn," Cohn said. The staffer then read Cohn my complete history--balance, deposits, withdrawals, check numbers and amounts. "You have to talk in the lingo the bank people talk so they don't even know they are being taken," he says. (End of excerpt)

     But the Forbes reporter (Penenberg) did some further digging and uncovered what appears to be direct evidence of the use of impersonation and pretext in the following excerpt:

Sprint, my long distance carrier, investigated how my account was breached and found that a Mr. Penenberg had called to inquire about my most recent bill. Cohn says only that he called his government contact. Whoever made the call, "he posed as you and had enough information to convince our customer service representative that he was you," says Russ R. Robinson, a Sprint spokesman. "We want to make it easy for our customers to do business with us over the phone, so you are darned if you do and darned if you don't."

Bell Atlantic, my local phone company, told me a similar tale, only it was a Mrs. Penenberg who called in on behalf of her husband. I recently attended a conference in Las Vegas but don't remember having tied the knot. (End of excerpt)

     Finally, Cohn believes he is justified in what he does:

Daniel Cohn makes no apologies for how he earns a living. He sees himself as a data-robbing Robin Hood. "The problem isn't the amount of information available, it's the fact that until recently only the wealthy could afford it. That's where we come in." (End of excerpt)

     I have one question.  Why are Dan Cohn and Docusearch still in business?

     Docusearch is not alone.  There are now more information brokers and private investigators openly advertising their ability to obtain and sell financial information than there were in 1998.  These ads continue to be found on the World Wide Web, in the yellow pages and in legal and investigative trade journals.  In fact, there has been an ad running in the local edition of the Legal Times that can be found in many law firms and federal offices here in Washington.  I suspect copies can be found at the FBI, U.S. Attorney’s Office, the Department of Justice, and the Federal Trade Commission.

     One phone call to this company determined they offer the ability to locate an address for an individual for $65 if the social security number is provided and $115 if the social security number is not provided.  Further, and more to the point, for $200 they will supply the name of the bank, the type of account maintained and the balance in the account for the individual specified.  There was a further offer extended by the company to confirm that the funds are available and there would be no charge if there were only minimal funds in the account.  The scenario presented to the company fell squarely within the four corners of Gramm-Leach-Bliley that would make the request and provision of the banking information illegal if accomplished by pretext.  The company was informed that a woman was trying to locate a current address for a live-in boyfriend who had skipped town with money from her checking account.  There was nothing in the scenario presented that even began to come close to the exceptions enacted as part of Gramm-Leach-Bliley.

     In fact, as the Committee is aware, on August 30th Committee Senior Counsel Jim Clinger, Special Agent John Forbes, Committee Staff Member Alison Watson and I called numerous private investigators and information brokers around the country in an effort to determine how many would sell bank account information and under what circumstances.  We decided that we would survey the first ten companies that we could reach by phone.  The companies were selected randomly by Special Agent Forbes based upon their advertisements.  All of the companies were presented with the scenario outlined above.

     In less than three hours the first ten companies we reached were all willing to sell us personal bank account information detailed enough to raise the educated belief that the information would be obtained by pretext or other deceptive means.  Not a single company we reached turned us down.  Not one.

     More to the point, two of the companies’ representatives made specific mention of “privacy laws” and “federal statutes” being a hindrance to their ability to provide the information.  However, we were told, they could still succeed but just “don’t tell anybody” that we had obtained the information.

     One individual referred to the fact that he had 11 years’ banking experience and guaranteed that he could find the bank and that 80% of the time he could get the account number and balance.  Several of the companies stated that they could get us individual transaction records including deposit information.

     One offered to teach us how to determine the amount in the account once he located the bank and account number.

     One company stated that it would check the Federal Reserve section for the part of the country where the individual was located.  This same company claimed to work for “hundreds and hundreds of attorneys and collection agencies”.  Further, they stated that they had found $1.2 million in an account just the previous day for an attorney.  They advised us to wait for the banking information before going to Court.

     Another company stated they would locate the information if we had a “Court filing judgment” or a letter from an attorney giving the name of the person the account information was being sought for and the reason.  This company stated they could find local bank information for $200 and statewide information for $500 including account numbers and balances.

     Several of the companies offered to locate safety deposit box locations and securities related information.  One company charges $175 to locate the name and address of the bank if you have a judgment.  However, the same company offered for $250 to locate all accounts, account numbers, balances, mutual funds, names on the accounts, dates of closure if an account was closed, and safety deposit box information if we didn’t have a judgment.

     Here is just one example of the type of advertising we found:

Welcome to (name omitted).  We can perform bank account and investment searches anywhere in the USA and the World.  Bank account searches can be used to collect judgements, verify net worth of individuals and companies, or any other purposes.

We can search:
Bank Accounts
Checking
Savings
Investments
Stocks
Bonds
Commodities
Mutual Funds
Safety deposit boxes
And much, much more…

We can search by:
State
Country
Offshore account searches also available.

Disclaimer: We limit retrieval to documents or information available from a public entity or public utility which are intended for public use and do not further elaborate on that information contained in the public entity or public utility records.  Must Be 18 or Older for a Consultation or Record Search.  We take no responsibility and assume no liability for any privacy claims as we neither utilize, reveal, nor attempt to access any confidential information concerning the parties involved in the search. We are not a licensed private investigator, and we do not engage in any activities for which a license is required… (End of excerpts)

     The disclaimer is amazing in light of the fact that this company offered to sell us the amount located in a checking account and the deposit history to the account for $275.  I cannot fathom a single way that account balance and deposit transaction records could be “intended for public use”.  Indeed this would be a direct revelation of “confidential information”.

     No company we reached asked any questions that would logically follow from the passage of Gramm-Leach-Bliley, even when they had disclaimers in the advertisements suggesting that there were restrictions on who could obtain banking information and under what circumstances.  Further, in addition to the overt remarks made by several companies about the minor obstacles presented by “federal statutes” and “privacy laws”, the advertisements and telephonic presentations bore all the classic signs of pretext operations.  These include no-hit/no-fee guarantees; the length of time required to complete the search; higher pricing; and the types of information being sold.