PrivacyToday.com^™

Global Privacy Issues At The Click Of Your Mouse^™

Official website of

American Privacy Consultants^™

Home Contact Us Privacy News APC News Services Speeches

Privacy and Anti-Money Laundering Prevention:

How To Handle Statutory Inconsistencies

and Customer Expectations

Money Laundering Enforcement Seminar

American Bankers Association

American Bar Association

October 31, 2000

Emerging Threats To Financial Information Security:

Identity Theft, Pretext, Social Engineering, Forgery, and

Impersonation In The Information Age

Robert Douglas, CEO

American Privacy Consultants

(www.privacytoday.com)

More hi-tech methods of access to confidential customer account information are being developed by the financial services industry every day. At the same time threats to information security systems are on the rise. The challenge for the financial services industry, security professionals, law enforcement and Congress is to find the appropriate balance between ease of access for legitimate customers to their confidential information and the passage and enforcement of legislation designed to thwart the growing threats to customer information security.

Access To Confidential Financial Information

There can be no doubt that confidential customer account information is being accessed and sold every day. In fact, hundreds of web sites, newspapers, magazines, legal and investigative trade journals offer the sale of confidential financial information by private investigators and “information brokers”. (For a detailed examination of fraud and access to financial information see Appendix I: Testimony of Robert Douglas before the U.S. House of Representatives, September 13, 2000)

As an example, the following web page is from docusearch.com:

Bank Account Search
Search Price
$249.00

Availability
National
Approximate Return Time
10-18 Business Days*

Requires
Subject's Full Name, Complete Street Address, Social Security Number*

Search Description
Given a Subject's full name, complete address and social security number, this search will return the bank name and address, account type, account number, (if available) and approximate current balance of all located personal accounts. We access a proprietary database and identify open accounts using the Subject's SSN, however this search will only identify accounts in the Subject's primary state the business resides. If you suspect accounts exist in more than the primary residing state, a separate search request for each state is required, and should include the Subject's address in that state.

*This search requires the Subjects social security number. If the SSN is unknown, we will find it for the purposes of this search but it will not be included in your search result.

NOTE: This search uses the Subject's social security number as the account identifier, so only primary account holders are returned. Also, be sure to include any additional information you may have, such as the Subject's home & work telephone, birthdate, mother's maiden name, etc, in the additional comments section. This will greatly increase the odds of a successful search.

Responsible Purpose For Search
This search may return sensitive, confidential, and/or private information. For this reason, DOCUSEARCH.COM requires an explanation stating the purpose for requesting this search, its' intended use and supporting documentation. Additionally, we reserve the right to decline to perform any search which we deem not to be for a legitimate legal purpose or may cause emotional or physical harm.

ImportantDisclaimer
Financial searches are for informational purposes only, and are not acceptable as an exhibit or as evidence. Every effort is made to provide a complete & thorough search result. However, no method of research is 100% fool-proof and no firm can offer an absolute guarantee that every account will be found.

*This search requires many hours of research and can't be rushed, as we want to return thorough, accurate results. Therefore, this is an approximate return time. (End)

In addition to the sale of account information, advertisements offer mechanical devises designed to thwart information security technology.

As an example, the following pages list items for sale at hackershomepage.com:

SECTION#8 FINANCIAL HACKING

800b MAGNETIC STRIPE CARD READER/WRITER MAGNETIC STRIPE CARD READER/WRITER This device will allow you to change the information on magnetic stripe cards, on ALL 3 tracks, both high and low coercivity. It connects to your computer, either personal or laptop, and runs using supplied software. You must be running Windows 95, 98 or higher and have 8mb of RAM. Using this device is simple. Turn on your computer and run the supplied software. Now, swipe a card through the machine and all the information on the card will be displayed on the computer including account number, credit available, balance, name, etc. Next, using your keyboard, change any and all the information you'd like. Once complete, re-swipe the card through the machine and now your card will have the new information recorded onto the magnetic stripe. You can change any information you'd like including balance and credit information. Magnetic stripe cards are easily recognizable by the brown or black stripe and are found on credit cards, ATM cards, transportation cards, security access cards, etc. For a device that will change the information on smart cards check out item #177. See Photo! Bonus! 802 "Pin Code Hacker",853...............................................ASSEMBLED...$1,500.00

800c BLANK MAGNETIC STRIP CARDS These cards are able to be programmed using the above devices...................................ASSEMBLED...$5.00 each.

800e CARD PRINTING MACHINE This machine will print to all kinds of plastic cards including, credit cards, ATM cards, drivers licenses, smart cards, etc. All software is included to print graphics and text.
TECHNICAL SPECIFICATIONS: Technology: Thermal Transfer, Resolution: 300 DPI, Printing Speed: 70 per/hr, Printing Orientation: 0o,90o,180o,270o. ,Printing Area: Full card size, software: IMAGO for Windows or for Macintosh, interface: Serial RS 232, Communication Protocol: ACK/NACK, Baud Rate: 9600/ 19200/38400, Bar Codes: EAN 8-EAN 13-2/5S-2/5I-CODE 39-UPCA-Monarc, Card Size: ISO CR-80 86 x 54mm, Card Thickness :0.27 to 0.80mm (self adapting), Card Material: PVC. ABS, POLYESTER, Power Source : 110-120V, 220-240V, +/- 10%, 50-60 Hz, Weight: 6 Kg, Dimensions: 230mm x 190mm x 190mm. See Photo! Bonus! 853.ASSEMBLED.$4,500.00

800f CARD EMBOSSING MACHINE This machine embosses all kinds of plastic cards, raising the numbers and lettering perfectly just like on credit cards. See Photo! Bonus! 853..................................................................ASSEMBLED...$4,500.00

800h PORTABLE 100 CARD READER This is the device you've heard about and everyone has been asking me to offer. Some waitresses and store clerks are using this device at work. It will store 100 credit card and magnetic stripe card swipes to memory and is powered by lithium camera batteries. The size of this device makes it easily concealable in your pocket. Device can download the information from the swipes to your computer using the supplied cable and software. The software will also easily write the information to any magnetic stripe card using item #800b (sold separately). Download and write to a card in under 20 seconds. Some people have been known to charge as much as $8,000.00 for this device, but we think that’s too much. This device can be shipped COD to anywhere in the US. Customers outside of the US must prepay before it can be shipped. All instructions are included. See Photo! Bonus! 802 "Pin Code Hacker", 853.......................................................ASSEMBLED...$1,500.00

800x CREDIT CARD BUSINESS PACKAGE DEAL Purchase the following 3 items together at a remarkably discounted price and get in on the lucrative credit card business. Includes: #800b MAGNETIC STRIPE CARD READER/WRITER, #800h PORTABLE 100 CARD READER, and #828 CREDIT & CALLING CARD NUMBER CAPTURING SYSTEM. All completely assembled, with instructions and software. Save $650.00. Bonus! 802 "Pin Code Hacker", 853................ASSEMBLED...$3,300.00

801 UNIVERSAL INTERFACE HACKING DEVICE The Universal interface is used to connect various devices like GSM phones, amateur radios, radio scanner, smart cards, smart card emulators, EEPROM's, PIC's, organizers, magnetic stripe readers/writers to the PC. The Universal interface has to be connected to a free 25 pin Serial/COM port. In case your PC has only 9 pin Serial/COM ports, a 9pin-to-25pin Adapter is needed, which you can find at any computer or office supply store. In order to connect it to various devices, you need only additional connectors and cables. We are offering as accessories a small range of various connectors and cables for multiple applications but will be expanding this accessory product line in the future. The greatest advantage is the modularity that the interface has. It has accessories for various applications, that can be combined or used separately. The needed power supply is taken from the COM/RS232 port and so it is perfectly suitable for mobile applications (Laptops and Notebooks). You don't have to carry everything with you, only the accessories that you will need. The interface was developed for mobile applications. It measures ONLY 55mm*17mm*66mm. The voltage supply (5V) is taken from the serial port. In the interface is also an integrated 3.579545MHz oscillator, this makes it possible to use the it as a smart card reader/writer. An inverter is additional integrated, so the possibility exists to invert all or individual lines. Thus highest compatibility is ensured, for current and future applications, by the most diverse adjustment possibilities. With this ability the interface can be used with a multiplicity of freeware, shareware as well as commercial software applications. It is suitable for 5V and also for 3.0V applications, full-duplex (3 lines) is supported as well as half-duplex (2 lines), with and without handshake. See Photo!
.................................................................................ASSEMBLED...$595.00

ACCESSORIES for 801

801a SMARTCARD READER/WRITER ATTACHMENT (Compatible with DumbMouse, Phoenix, SerProg, SmartMouse, PC/SC driver available) Includes both large and small card slots. This product, in combination with product #801, is exactly the same as products #177 and #500, except that it includes both the normal-sized and smaller-sized card sockets, and will also work with software designed for parallel programmers. The greater advantage with this product is that it is expandable and compatible with upcoming future technologies. By using the various settings the interface offers, it is compatible with the mostly used smart card readers/writers like the Phoenix interface (mostly used in SatelliteTV applications), DumbMouse, SerProg, SmartMouse and others. With this compatibility the interface is working with a wide range of freely available software and drivers. With the interface and the included software and PC/SC driver, you are able to read/write almost all SmartCards like:
* Memory SmartCards: TeleCards, I2C, 2-wire, 3-wire , MicroWire
* CPU SmartCards: T=0, T=1, and all asynchrone SmartCards with 3.58 MHz clock. Like: GSM Sim cards, Cashcards, DSS, CryptoFlex, CyberFlex, GPK2000, MPCOS, MultiFlex, PayFley, Starcos,
* White Wafer Cards (with a PIC16X84), Gold Wafer Cards (PIC16X84+EEPROM 24LC16), MM2 and other compatible.
The disadvantage of most commercial readers/writers is that in most cases they are using a PIC or similar CPU to communicate with the smart card. In such cases you are only able to use software that you get with the reader/writer, and 3rd party software that explicitly supports that particular reader/writer. The software uses a driver/API that will in most cases not allow you to use or try some nonstandard commands. This is a limitation, not appreciated by software developers. Not to mention that you will not be able to use a wide range of application software available on the Internet. The interface is a direct reader/writer, communicating directly with the smart card, without drivers, you can directly and without any limitation access every card. The interface is the only available smart card reader/writer capable of programming wafer cards without a power supply. You can program the PIC16X84 and the EEPROM from the Wafercard using your notebook. Includes software on CD-ROM. See Photo!....ASSEMBLED...$195.00

801b & 801c SMARTCARD EMULATOR/DATALOGGER ATTACHMENT (compatible with: Season7, ASIM, and datalogger) Emulates: GSM, Irdeto, VideoCrypt I+II, EuroCrypt, D2Mac, Cashcards. The smart card emulator is a development tool for the hardware and software developer. The PCB has the standard smart card dimensions. It is inserted into the MasterDevice, instead the smart card, and the other end is connected to the PC, using the interface. With the proper use of emulator software the PC can emulate a smart card. The connection is Season7 and ASIM compatible. All 8 ISO contacts are taken to the socket, so the PCB can also be used to emulate/analyze non-standard smart cards. It can also be connected to the parallel port, in order to be used with software written for the parallel port. Beside the "Normal ISO 7816" version we also offer a "small" SIM version. This version is used mostly for GSM/PCN applications, for phones that are using the Small SIM format. The smart card emulator/datalogger can also be used on any device where smart cards are used, like satellite and network tv decoders and other applications. Includes software on CD-ROM.
801b Normal ISO 7816 version. See Photo!...................ASSEMBLED...$150.00
801c Small SIM version. See Photo!.......................................KIT...$100.00

828 CREDIT & CALLING CARD NUMBER CAPTURING SYSTEM This system is just like the one recently featured on TV news that is currently being used at airports and shopping malls, and netting millions of dollars for its operators. This all-in-one hardware system will allow you to remotely capture unlimited credit card and calling card numbers (including PIN numbers and expiration dates) when entered into pay telephones. You can even capture the names and billing addresses of the card holders. The system can be used remotely from the comfort of your home, a payphone, or a cell phone. Information is stored in memory and displayed via LCD. A REAL money-making system that can net you millions without ever being caught, and can pay for itself after just a few minutes of use. You can literally capture hundreds of valid numbers and related information every day, whenever you want. Can be used in conjunction with #800b to write your own credit cards. All instructions included. See Photo! Bonus! 802 "Pin Code Hacker", 853...........................................................................ASSEMBLED...$950.00

857 BILL CHANGER & VENDING MACHINE HACKER/JACKPOTTER This handheld, concealable device will cause various affects on different machines including BILL CHANGER MACHINES. It’s portable, battery powered, and measures 2-1/4 inches by 4 inches. Included are complete instructions on how to obtain free products and to jackpot machines of coins by a simple push of a button. Many vending machines hold in excess of $50.00 change, while bill changer machines can hold in excess of $500.00. Device will work on both 120 and 220 volt systems, making it effective anywhere in the world. We've now combined features from our now-discontinued Soda Machine Hacker. Not only will this device jackpot the soda machine, but in many instances will cause cans of soda to drop down the chute. Bonus! 853..................ASSEMBLED...$375.00

867 EMP MANIPULATION DEVICE This device is so controversial that we can't tell you what it can be used for except for the general information in this description. However, ALL instructions are included with the purchase of this device. This device drastically affects ALL electronic machines when brought into close proximity (Within 1 meter or 36 inches approx.) The highly directional pulsed signal can make you RICH if used in an illegal fashion, which, of course, we do not recommend. This system includes a "general" antenna but several specialized antennas are also available.
See Photo! Bonus! ...................................................ASSEMBLED*...$775.00

OPTIONAL ANTENNA PACKAGE FOR ITEM# 867

867a Antenna the width of paper currency (works in most countries).
867b Antenna the width of a coin (works in most countries).
867c Antenna the width of a credit card (works in ALL countries). See Photo!
Kit and instructions to build ALL 3 antennas (no soldering required)...KIT...$175.00

We WILL NOT answer emails from anyone asking about illegal activities, or how to use our products for illegal activities...they will automatically be deleted. All products are designed for testing and exploring the vulnerabilities of CUSTOMER-OWNED equipment, and no illegal use is encouraged or implied. We WILL NOT knowingly sell to anyone with the intent of using our products for illegal activities or uses. It is your responsibility to check the applicable laws in your city, state, and country. (END)

There also can be no doubt that traditional methods of identity theft coupled with information age ease of access to citizens biographical information is contributing to increases in both the number of cases resulting in financial losses and the size of the losses.

Reuters recently reported a dramatic example of identity theft coupled with financial fraud resulting in substantial losses:

Man pleads guilty to stealing executives' personal data

Tuesday September 26, 5:27 pm Eastern Time

By Gail Appleson, Law Correspondent

NEW YORK, Sept 25 (Reuters) - A Tennessee man has pleaded guilty to using credit card and bank information stolen from top executives at major corporations to buy diamonds and Rolex watches, federal prosecutors said on Tuesday.

James Rinaldo Jackson, 39, of Memphis pleaded guilty to 29 counts of conspiracy, credit card, mail, wire and bank fraud. Prosecutors said he entered his plea during a hearing on Monday in Manhattan federal court.

Among the victims were John Alm, president of Coca-Cola Enterprises, the largest bottler of Coke; Richard Fuld, chief executive officer of Lehman Brothers Holdings; Stephen Bollenbach, chief executive of Hilton Hotels Corp., and Gorden Teter, the former CEO of Wendy's International, who is now deceased.

Other victims included Dr. James Klinenberg, former administrator of Cedars-Sinai Medical Centre in Los Angeles and Nackey Loeb, former president of the Union Leader Corp. and publisher of the Union Leader and New Hampshire Sunday News. Teter, Klinenberg and Loeb had died shortly before the information was stolen.

Jackson faces a possible maximum sentence of 30 years in jail and $1 million fine on each of 27 bank, mail and wire fraud charges; five years in prison and a $1 million fine on the the conspiracy charge, and 20 years in prison and $250,000 fine on the credit card fraud charge.

The diamonds and Rolex watches he tried to buy were worth a total of more than $730,000.

During the hearing, Jackson admitted that between December 1999 and last February he stole financial information about his victims. Impersonating the victims, he then contacted their banks and credit card companies to arrange for their billing addresses to be changed to various hotels in the Memphis, Tenn. area.

He explained to the court that he had obtained the information by researching his victims in ``Who's Who In America'' and in some cases used the Internet to obtain personal information about the executives.

Jackson admitted that he obtained information about Teter by deceiving Wendy's into believing that he was a potential franchisee. He learned through the Internet that Teter had died and then obtained personal information about the deceased executive through a variety of means including the funeral home.

Using the names of his victims, he contacted jewelry dealers throughout the United States and bought diamonds and Rolex watches that he had seen on the dealers' Internet Web sites.

Jackson paid for purchases by either charging them to the victims' credit card numbers, having banks wire money from the victims' bank accounts or mailing the dealers fraudulent checks.

He then had the jewelry dealers ship the diamonds and watches to the Memphis-area hotels. Jackson then made reservations at the hotels in the victims' names and notified the hotels to expect a package delivery. He, sometimes along with an accomplice, then picked up the packages.

Jackson was arrested on Feb 25 near Memphis by FBI agents who watched him trying to pick up a package addressed to one of his victims. (END)

This case may be dramatic but does not stand alone. Recent figures have placed identity theft coupled with financial fraud as one of the fastest growing crimes in the United States today. Current estimates place the figure at 500,000 cases each year with an average loss of $17,000 per case.

Indeed, the United States Secret Service has begun to note the presence of organized criminal activity in the area of identity theft and financial fraud. (see Appendix II: Testimony of Bruce A. Townsend, Special Agent In Charge, U.S. Secret Service – Financial Crimes Division; before the U.S. House of Representatives, September 13, 2000)

Statutory Inconsistencies Create Hurdles To Law Enforcement

Given the reality of the growing threat to the protection of customer account information, the challenge ahead is for the United States Congress and state legislatures to pass laws empowering state and federal law enforcement to combat these threats without choking off legitimate technological advances and ease of access for legitimate consumers to their own account information.

With the passage of Gramm-Leach-Bliley Congress took a major step in trying to define who will have access to confidential and personal information and at the same time attempted to thwart the use of fraud by identity thieves to illegally access customer information. The federal regulatory agencies are in the process of enacting regulations to enforce the provisions of Gramm-Leach-Bliley as we meet here today.

It is too early to determine how Gramm-Leach-Bliley and the subsequent regulations now under consideration will impact many important areas of privacy surrounding financial information. However, it is not too early to recognize that Gramm-Leach-Bliley has failed in thwarting the efforts of disreputable private investigators and “information brokers” in the advertising and sale of confidential account information as demonstrated above and in my numerous appearances before Congress.

Section 521 of Gramm-Leach-Bliley has a child support exemption provision allowing for the use of fraud against financial institutions in order to obtain customer account information under certain conditions. This one exemption has allowed private investigators to continue to advertise the sale of confidential financial information and has created a hurdle for law enforcement in enforcing Gramm-Leach-Bliley.

Gramm-Leach-Bliley needs to be amended at once. The narrowly crafted child-support exemption for the use of fraud is being used as an advertising shield by private investigators to hide behind while continuing the covert sale of financial information that falls outside of the GLB exemptions. The provisions of GLB that allow for pretext in a child support situation state as follows:

Sec. 521 (g) NONAPPLICABILITY TO COLLECTION OF CHILD SUPPORT JUDGMENTS- No provision of this section shall be construed to prevent any State-licensed private investigator, or any officer, employee, or agent of such private investigator, from obtaining customer information of a financial institution, to the extent reasonably necessary to collect child support from a person adjudged to have been delinquent in his or her obligations by a Federal or State court, and to the extent that such action by a State-licensed private investigator is not unlawful under any other Federal or State law or regulation, and has been authorized by an order or judgment of a court of competent jurisdiction.

The operative language is: “No provision of this section shall be construed to prevent any State-licensed private investigator…from obtaining customer information of a financial institution...to collect child support from a person adjudged to have been delinquent in his or her obligations by a Federal or State court...AND has been authorized by an order or judgment of a court of competent jurisdiction.” This language clearly means from both the legislative history of the act and the plain face of the statute that a judge (Court) must specifically authorize the use of pretext to obtain customer information of “a financial institution”.

I am not aware of a single case where a Court has authorized a private investigator to intentionally deceive a financial institution in order to obtain customer information. It is easy to understand why this has not happened and most likely never will. The presumptive evidentiary burden that would be required to obtain such an order would easily support the issuance of a subpoena to the institution that the information is being sought from and is being contemplated for pretext. Unless Congress has evidence that financial institutions routinely falsify responses to subpoenas it is hard to fathom why this provision was placed in GLB.

Further, this section states: “to the extent reasonably necessary to collect child support from a person adjudged to have been delinquent in his or her obligations by a Federal or State court.” The legislative history of this exemption was a claim made by some representatives of the private investigative industry that pretext was needed as there was no other method available to locate the financial institution holdings of deadbeat parents who lie to the Courts. This claim was not true at the time, as there are many lawful ways to pursue overdue non-custodial child support payments and many taxpayer funded agencies designed to fill that role. However, even if this argument is accepted as a legitimate historical reason for the exemption, there is no longer any legislatively justifiable reason to maintain the exemption given the provisions of the Personal Responsibility and Work Opportunity Reconciliation Act of 1996 which are now in effect and mandate that all financial institutions cooperate with the government by providing the financial information of delinquent child support parents directly to the Federal government for asset forfeiture.

The following excerpt describing this procedure is from a front-page article written by Robert O’Harrow, Jr. in the Sunday, June 27, 1999 edition of the Washington Post:

As part of a new and aggressive effort to track down parents who owe child support, the federal government has created a vast computerized data-monitoring system that includes all individuals with new jobs and the names, addresses, Social Security numbers and wages of nearly every working adult in the United States.

Government agencies have long gathered personal information for specific reasons, such as collecting taxes. But never before have federal officials had the legal authority and technological ability to locate so many Americans found to be delinquent parents -- or such potential to keep tabs on Americans accused of nothing.

The system was established under a little-known part of the law overhauling welfare three years ago. It calls for all employers to quickly file reports on every person they hire and, quarterly, the wages of every worker. States regularly must report all people seeking unemployment benefits and all child-support cases.

Starting next month, the system will reach further. Large banks and other financial institutions will be obligated to search for data about delinquent parents by name on behalf of the government, providing authorities with details about bank accounts, money-market mutual funds and other holdings of those parents. State officials, meanwhile, have sharply expanded the use of Social Security numbers. Congress ordered the officials to obtain the nine-digit numbers when issuing licenses -- such as drivers', doctors' and outdoorsmen's -- in order to revoke the licenses of delinquents.

Enforcement officials say the coupling of computer technology with details about individuals' employment and financial holdings will give them an unparalleled ability to identify and locate parents who owe child support and, when necessary, withhold money from their paychecks or freeze their financial assets. (End of excerpt) (Emphasis added by Robert Douglas)

O’Harrow went on to describe in more detail how the new system operates:

Next month, financial institutions that operate in multiple states -- such as Crestar Financial Corp., Charles Schwab & Co. and the State Department Federal Credit Union -- will begin comparing a list of more than 3 million known delinquents against their customer accounts. Under federal law, the institutions are obligated to return the names, Social Security numbers and account details of delinquents they turn up.

The Administration for Children and Families will then forward that financial information to the appropriate states. For security reasons, spokesman Kharfen said, the agency will not mix the financial data with information about new hires, wages and the like. Bank account information will be deleted after 90 days.

In a test run this spring, Wells Fargo & Co. identified 72,000 customers whom states have identified as delinquents. NationsBank Corp. found 74,000 alleged delinquents in its test.

Later this year, smaller companies that operate only in one state will be asked to perform a similar service. Officials say most of these institutions will compare their files against the government's. But some operations that don't have enough computing power -- such as small local banks, credit unions and securities firms -- will hand over lists of customers to state officials for inspection. States can then administratively freeze the accounts.

In California, more than 100 financial institutions have already handed over lists of all their depositors to state officials, including names, Social Security numbers and account balances, a state official said. (End of excerpt) (Emphasis added by Robert Douglas)

Finally, the exemption places GLB in direct conflict with other federal statutes outlawing wire and mail fraud and unfair and deceptive trade practices. The exemption also places GLB in direct conflict with many State laws and creates nothing short of a judicial quagmire.

Conclusion

Threats to information security systems of the financial services industry abound. With advancing technology we see the re-emergence of traditional methods of identity theft, pretext and fraud on the rise again. Law enforcement must be aggressive in combating these crimes before citizens become concerned about the safety and integrity of the industry. Congress should not be in the business of creating hurdles to effective law enforcement protection of customers of the financial services industry. Congress should be in the business of assisting the industry and consumers by empowering law enforcement to aggressively prosecute identity thieves of all types.

Appendix I

Statement by Robert Douglas

before the

Committee on Banking and Financial Services

United States House of Representatives

Hearing On

Identity Theft and Related

Financial Privacy Issues

September 13, 2000

My name is Robert Douglas and I am the co-founder and Chief Executive Officer of American Privacy Consultants, Inc. located in Alexandria, Virginia (www.privacytoday.com). American Privacy Consultants assists organizations and businesses understand and implement appropriate privacy policies, strategies, defenses, educational programs, training, and auditing.

I appreciate the opportunity to appear before this committee once again to address the issue of identity theft, “pretext calling”, and other deceptive practices still in use by some “information brokers”, private investigators, judicial judgment collectors and identity thieves to illegally access the personal and confidential information of customers of financial institutions. Unfortunately, in spite of the enactment of legislation drafted by this Committee to outlaw such practices, these methods not only survive but also continue to grow in volume, scope, and methodology.

Chairman Leach, I want to personally thank you and the Committee for your continued willingness and desire to address this serious issue first by crafting and passing much needed legislation and now in an oversight capacity. I am personally aware of the amount of time the Committee members and staff have invested in this problem over the last three years and as a citizen applaud the Committee’s willingness to tackle these issues.

I also would like to single out for recognition Jim Clinger, the Committee’s Senior Counsel and Assistant Staff Director. Over the last three years I have had the unique pleasure of working with Jim on a regular basis and he is a true credit to this Committee and to the United States Congress. Above all he is a true gentleman.

Finally, I would like to thank John Forbes, Special Agent – United States Customs Service; and, Alison Watson, Professional Staff Member of the Committee for their work over the last month in preparation for this hearing.

H.R. 4311

Although I was specifically asked to address the use of pretext and other deceptive techniques to access confidential financial information, I would like to make a few brief observations concerning HR 4311.

There can be little doubt that identity theft is one of the fasting growing crimes in the United States today. Each year hundreds of thousands of Americans fall prey to identity thieves. The financial and credit damage implications are severe for the individual who is the victim of identity theft. Additionally, retailers and financial institutions suffer financial losses as a result of identity theft. Finally, the nation as a whole suffers in increased prices for retail products and financial services including the cost of credit.

The advent of the World Wide Web has brought increased opportunities for identity thieves through ease of access to personal, biographical data needed to perpetrate identity crimes and facilitates ordering merchandise absent a face-to-face encounter with a store clerk. These facts require that we examine areas of weakness that identity thieves exploit.

In 1998 I demonstrated for this Committee the ease with which an individual can purchase private and confidential financial information. It is even easier to obtain the name, address, date of birth, social security number, mother’s maiden name, phone number, and often the employment of any individual in the United States today. All of this information is for sale on the web. In a nutshell, all the information needed to steal a citizen’s identity and create financial havoc is available on the Internet for little or no cost.

The largest source of up-to-date personal, biographical information is credit bureaus. The sale and resale of credit header information by credit bureaus to private investigators, information brokers and judicial judgment collection professionals results in this information being accessible to anyone for a fee. This is big business. Several large companies make millions of dollars each year reselling personal information gathered by the credit bureaus.

When citizens apply for credit or enter into a credit transaction they do not know that their personal, biographical information is then resold to any individual with a few bucks and a web browser. If the level of trust in the Internet is ever to rise from the relatively low position it now occupies, the sale of personal information must be brought under control. A good place to begin is by curtailing the sale of credit header information absent a permissible purpose as defined currently within the FCRA. For that reason I believe Section 8 of HR 4311 is long overdue.

Pretext and other Deceptive Practices

July 1998 through September 2000

On July 28, 1998, while appearing before this Committee, I stated: “All across the United States information brokers and private investigators are stealing and selling for profit our fellow citizens personal financial information. The problem is so extensive that no citizen should have confidence that his or her financial holdings are safe.” Sadly, I return today to inform this Committee that my statement of 1998 remains true today.

While the illegal access of financial information continues, progress has been made. When we last met in July of 1998 four steps were required in order to stop these practices. First, the financial services industry needed to understand and take affirmative steps to combat the threat posed by unscrupulous information brokers, private investigators, and identity thieves. Second, tough federal legislation was needed to outlaw the use of pretext and deception as a means to access confidential financial information. Third, appropriate federal regulatory agencies needed to create standards and regulations designed to assist institutions in the safeguarding of financial information and to reflect the legislative intent encompassed within any legislation enacted by Congress. Finally, aggressive prosecution of individuals and companies who steal, buy, and/or sell personal financial information was required to signal that the integrity of our nation’s financial system is a law enforcement priority. The first three sides of the square have been completed.

The financial services industry has made significant progress in beginning to combat identity theft and pretext through a sober recognition that this is not a problem that can be ignored if the industry wishes to maintain a reputation for providing confidentiality to customers. This recognition has been acted upon through the use of training programs and educational materials to begin the education of financial services industry professionals to the threats posed by identity thieves of all types. Many financial institutions have begun to enact internal standards designed to identify and thwart the practices of identity thieves and infobrokers. Is there more to do? Absolutely. Is the financial services industry taking the confidentiality of the records it safeguards on behalf of customers seriously enough to continue to move forward in this area? I believe so.

This Committee and Congress moved quickly to pass legislation designed to punish those who would impersonate others in order to gain access to private financial records. With the passage of Gramm-Leach-Bliley, there is now federal law outlawing the use of pretext and other deceptive techniques to gain access to personal financial information absent several narrowly defined and commonly misunderstood exceptions.

The federal regulatory agencies with direct supervisory function of the financial services industry moved quickly in 1998, by means of an advisory letter and other steps, to alert all institutions to the practices of identity thieves and information brokers. These same agencies are continuing as we meet here today to develop standards and regulations in keeping with the intent of Gramm-Leach-Bliley.

With the first three sides of the box either erected or under construction, it is now time to build the final wall through aggressive enforcement action. With the enactment of Gramm-Leach-Bliley last November, I assume that the Federal Trade Commission and appropriate criminal enforcement agencies are now preparing to use the tools Congress and the President handed them.

To my knowledge there has been one federal enforcement action brought by the FTC against an information broker. That civil action was begun prior to the enactment of Gramm-Leach-Bliley under laws designed to thwart “unfair and deceptive trade practices”. Several states, notably Massachusetts, have aggressively pursued illegal information brokers. Again, these actions were taken prior to GLB and under state laws against illegal trade practices. It is time for tough nationwide enforcement of the civil and criminal provisions contained within Gramm-Leach-Bliley.

In the invitation letter I received from the Committee to testify today I was asked to specifically address three areas: 1) The extent to which the use of pretext and other deceptive means continue in spite of the passage of Gramm-Leach-Bliley; 2) The effectiveness of efforts by the financial services industry to deter and detect fraudulent attempts to obtain confidential account information; and, 3) Other threats to financial privacy emerging today.

The Extent To Which Deceptive Practices Continue

Post Gramm-Leach-Bliley

The use of pretext and other means of deception to trick financial institution employees and customers into disclosing personal and confidential financial information that I testified about two years ago continue unabated. Books have been written about pretext to teach and share common methods. Discussion groups abound on the Internet with the trading of new and improved techniques almost on a daily basis. Classes are held in which pretext methods are shared for a price. The techniques are becoming more complex and refined.

Advertisements on the World Wide Web have doubled in the past two years. Here is a typical example:

Bank Account Search

Search Price
$249.00

Availability
National

Approximate Return Time
10-18 Business Days*

Requires
Subject's Full Name, Complete Street Address, Social Security Number*

This advertisement is remarkable in many regards. The ad claims to “access a proprietary database and identify open accounts using the subjects SSN”, yet “this search requires many hours of research and can’t be rushed, as we want to return thorough, accurate results” and the search may require “10-18 business days”. There is no proprietary database available to private investigators or information brokers that by use of the SSN (social security number) banking information can be obtained. In fact this ad used to say the company accessed a “federal database” to obtain the information.

The ad further states: “Also, be sure to include any additional information you may have, such as the Subject's home & work telephone, birthdate, mother's maiden name, etc, in the additional comments section. This will greatly increase the odds of a successful search.” Why would a database accessed by SSN require this personal information? It wouldn’t. But pretext does. Many financial institutions use the mother’s maiden name as a password. Further, some institutions will ask for your home or work phone numbers to verify the account holder. Finally, the phone numbers are often required as part of a pretext contact made directly to the account holder.

The ad also states: “Additionally, we reserve the right to decline to perform any search which we deem not to be for a legitimate legal purpose or may cause emotional or physical harm.” Perhaps this is an attempt to signify that a search request must satisfy GLB and other applicable State and Federal laws. Perhaps not. Here is the transcript of an email contact I had with Docusearch:

From: DOCUSEARCH.COM

To: email address deleted

Subject: Re: Information Request

Sent: Mon 3/20/00 1:41 PM

You will first have to locate his address in the current residence

state. This may be accomplished with a Locate by Previous Address

Search. Then you can order the Bank Account Search.

At 01:38 PM 3/20/00 , you wrote:

>------------Begin, Information Request from visitor-----------

>My Name Is : Rob Douglas

>My Email Address Is : (deleted)

>My Telephone Number Is : (deleted)

>My Question Pertains To : Other: Explain Below

>Comments : I have a client who is owed a substantial amount of money >by a potential defendant who left the area and closed his personal and

>corporate bank accounts. I have an old home address for the potential

>defendant and know what state he moved to. What searches would you

>recommend to locate the potential defendant and his personal and >corporate bank accounts?

>------------End, Information Request from visitor -----------

The “>” portions represent the email I sent to Docusearch using their on-line request form. Three minutes later I received the reply that I could order the bank account search in a situation that would clearly be illegal under GLB if pretext were used.

I would hope that members of this Committee would find the services offered and language of the advertisements by Docusearch to be as disturbing as I do. I suspect many of the members of this Committee would wonder why this firm is allowed to operate in this fashion given the provisions of GLB and the applicable “unfair and deceptive trade practice” sections of Federal law. The excuse might be offered that this is just one company that no one in a position of responsibility to address these practices was aware of. That excuse would ring hollow.

Docusearch is the company that sold personal information concerning Amy Boyer to a stalker that resulted in the murder of Ms. Boyer and the suicide of the stalker. Amy’s parents have testified before Congress and have been widely covered in the media. In fact, Amy’s death has led to consideration of legislation by this Congress to outlaw the sale of social security numbers. Throughout all this attention Docusearch has made one change to the web site where it advertises. Docusearch no longer publicly advertises the sale of social security numbers. But Docusearch continues to do business selling personal and confidential information.

The attention to Docusearch does not end there. Docusearch was the cover story for Forbes magazine on November 29, 1999. This was seventeen days after President Clinton signed GLB into law. In the article Dan Cohn of Docusearch literally bragged about his abilities to obtain personal information about a subject. Here is the opening quote from the Forbes cover story:

THE PHONE RANG AND A STRANGER CRACKED SING-SONGY AT THE OTHER END OF the line: "Happy Birthday." That was spooky--the next day I would turn 37. "Your full name is Adam Landis Penenberg," the caller continued. "Landis?" My mother's maiden name. "I'm touched," he said. Then Daniel Cohn, Web detective, reeled off the rest of my "base identifiers"--my birth date, address in New York, Social Security number. Just two days earlier I had issued Cohn a challenge: Starting with my byline, dig up as much information about me as you can. "That didn't take long," I said.

"It took about five minutes," Cohn said, cackling back in Boca Raton, Fla. "I'll have the rest within a week." And the line went dead.

In all of six days Dan Cohn and his Web detective agency, Docusearch.com, shattered every notion I had about privacy in this country (or whatever remains of it). Using only a keyboard and the phone, he was able to uncover the innermost details of my life--whom I call late at night; how much money I have in the bank; my salary and rent. He even got my unlisted phone numbers, both of them. (End of excerpt)

One might wonder who Dan Cohn is and whom he sells this information to. Forbes answered that as well:

Cohn operates in this netherworld of private eyes, ex-spooks and ex-cops, retired military men, accountants and research librarians. Now 39, he grew up in the Philadelphia suburb of Bryn Mawr, attended Penn State and joined the Navy in 1980 for a three-year stint. In 1987 Cohn formed his own agency to investigate insurance fraud and set up shop in Florida. "There was no shortage of work," he says. He invented a "video periscope" that could rise up through the roof of a van to record a target's scam.

In 1995 he founded Docusearch with childhood pal Kenneth Zeiss. They fill up to 100 orders a day on the Web, and expect $1 million in business this year. Their clients include lawyers, insurers, private eyes; the Los Angeles Pension Union is a customer, and Citibank's legal recovery department uses Docusearch to find debtors on the run.

Cohn, Zeiss and 13 researchers (6 of them licensed P.I.s) work out of the top floor of a dull, five-story office building in Boca Raton, Fla., sitting in cubicles under a fluorescent glare and taking orders from 9 a.m. to 4 p.m. Their Web site is open 24 hours a day, 365 days a year. You click through it and load up an on-line shopping cart as casually as if you were at Amazon.com. (End of excerpt)

Amazingly, Cohn admits to the use of fraud and bribery:

The researchers use sharp sifting methods, but Cohn also admits to misrepresenting who he is and what he is after. He says the law lets licensed investigators use such tricks as "pretext calling," fooling company employees into divulging customer data over the phone (legal in all but a few states). He even claims to have a government source who provides unpublished numbers for a fee, "and you'll never figure out how he is paid because there's no paper trail." (End of excerpt)

The following excerpt reveals methods used by Cohn directly relevant to today’s hearing and HR 4311:

Cohn's first step into my digital domain was to plug my name into the credit bureaus--Transunion, Equifax, Experian. In minutes he had my Social Security number, address and birth date. Credit agencies are supposed to ensure that their subscribers (retailers, auto dealers, banks, mortgage companies) have a legitimate need to check credit.

"We physically visit applicants to make sure they live up to our service agreement," says David Mooney of Equifax, which keeps records on 200 million Americans and shares them with 114,000 clients. He says resellers of the data must do the same. "It's rare that anyone abuses the system." But Cohn says he gets his data from a reseller, and no one has ever checked up on him.

Armed with my credit header, Dan Cohn tapped other sites. A week after my birthday, true to his word, he faxed me a three-page summary of my life. He had pulled up my utility bills, my two unlisted phone numbers and my finances. (End of excerpt)

And should there be any question as to the ability of a determined criminal to gain access to confidential information including financial information, the following excerpt is on point:

He had my latest phone bill ($108) and a list of long distance calls made from home--including late-night fiber-optic dalliances (which soon ended) with a woman who traveled a lot. Cohn also divined the phone numbers of a few of my sources, underground computer hackers who aren't wanted by the police--but probably should be.

Knowing my Social Security number and other personal details helped Cohn get access to a Federal Reserve database that told him where I had deposits. Cohn found accounts I had forgotten long ago: $503 at Apple Bank for Savings in an account held by a long-ago landlord as a security deposit; $7 in a dormant savings account at Chase Manhattan Bank; $1,000 in another Chase account.

A few days later Cohn struck the mother lode. He located my cash management account, opened a few months earlier at Merrill Lynch &Co. That gave him a peek at my balance, direct deposits from work, withdrawals, ATM visits, check numbers with dates and amounts, and the name of my broker. (End of excerpt)

Cohn is even willing to lead officials to believe he is a law enforcement officer as this excerpt demonstrates:

How did Cohn get hold of my Merrill Lynch secrets? Directly from the source. Cohn says he phoned Merrill Lynch and talked to one of 500 employees who can tap into my data. "Hi, I'm Dan Cohn, a licensed state investigator conducting an investigation of an Adam Penenberg," he told the staffer, knowing the words "licensed" and "state" make it sound like he works for law enforcement.

Then he recited my Social Security, birth date and address, "and before I could get out anything more he spat out your account number." Cohn told the helpful worker: "I talked to Penenberg's broker, um, I can't remember his name...."

"Dan Dunn?" the Merrill Lynch guy asked. "Yeah, Dan Dunn," Cohn said. The staffer then read Cohn my complete history--balance, deposits, withdrawals, check numbers and amounts. "You have to talk in the lingo the bank people talk so they don't even know they are being taken," he says. (End of excerpt)

But the Forbes reporter (Penenberg) did some further digging and uncovered what appears to be direct evidence of the use of impersonation and pretext in the following excerpt:

Sprint, my long distance carrier, investigated how my account was breached and found that a Mr. Penenberg had called to inquire about my most recent bill. Cohn says only that he called his government contact. Whoever made the call, "he posed as you and had enough information to convince our customer service representative that he was you," says Russ R. Robinson, a Sprint spokesman. "We want to make it easy for our customers to do business with us over the phone, so you are darned if you do and darned if you don't."

Bell Atlantic, my local phone company, told me a similar tale, only it was a Mrs. Penenberg who called in on behalf of her husband. I recently attended a conference in Las Vegas but don't remember having tied the knot. (End of excerpt)

Finally, Cohn believes he is justified in what he does:

Daniel Cohn makes no apologies for how he earns a living. He sees himself as a data-robbing Robin Hood. "The problem isn't the amount of information available, it's the fact that until recently only the wealthy could afford it. That's where we come in." (End of excerpt)

I have one question. Why are Dan Cohn and Docusearch still in business?

Docusearch is not alone. There are now more information brokers and private investigators openly advertising their ability to obtain and sell financial information then there were in 1998. These ads continue to be found on the World Wide Web, in the yellow pages and in legal and investigative trade journals. In fact, there has been an ad running in the local edition of the Legal Times that can be found in many law firms and federal offices here in Washington. I suspect copies can be found at the FBI, U.S. Attorney’s Office, the Department of Justice, and the Federal Trade Commission.

One phone call to this company determined they offer the ability to locate an address for an individual for $65 if the social security number is provided and $115 if the social security number is not provided. Further, and more to the point, for $200 they will supply the name of the bank, the type of account maintained and the balance in the account for the individual specified. There was a further offer extended by the company to confirm that the funds are available and there would be no charge if there were only minimal funds in the account. The scenario presented to the company fell squarely within the four corners of Gramm-Leach-Bliley that would make the request and provision of the banking information illegal if accomplished by pretext. The company was informed that a woman was trying to locate a current address for a live-in boyfriend who had skipped town with money from her checking account. There was nothing in the scenario presented that even began to come close to the exceptions enacted as part of Gramm-Leach-Bliley.

In fact, as the committee is aware, on August 30^th Committee Senior Counsel Jim Clinger, Special Agent John Forbes, Committee Staff Member Alison Watson and I called numerous private investigators and information brokers around the country in an effort to determine how many would sell bank account information and under what circumstances. We decided that we would survey the first ten companies that we could reach by phone. The companies were selected randomly by Special Agent Forbes based upon their advertisements. All of the companies were presented with the scenario outlined above.

In less than three hours the first ten companies we reached were all willing to sell us personal bank account information detailed enough to raise the educated belief that the information would be obtained by pretext or other deceptive means. Not a single company we reached turned us down. Not one.

More to the point, two of the companies’ representatives made specific mention of “privacy laws” and “federal statutes” being a hindrance to their ability to provide the information. However, we were told, they could still succeed but just “don’t tell anybody” that we had obtained the information.

One individual referred to the fact that he had 11 years banking experience and guaranteed that he could find the bank and that 80% of the time he could get the account number and balance. Several of the companies stated that they could get us individual transaction records including deposit information.

One offered to teach us how to determine the amount in the account once he located the bank and account number.

One company stated that it would check the Federal Reserve section for the part of the country where the individual was located. This same company claimed to work for “hundreds and hundreds of attorneys and collection agencies”. Further, they stated that they had found $1.2 million dollars in an account just the previous day for an attorney. They advised us to wait for the banking information before going to Court.

Another company stated they would locate the information if we had a “Court filing judgment” or a letter from an attorney giving the name of the person the account information was being sought for and the reason. This company stated they could find local bank information for $200 and statewide information for $500 including account numbers and balances.

Several of the companies offered to locate safety deposit box locations and securities related information. One company charges $175 to locate the name and address of the bank if you have a judgment. However, the same company offered for $250 to locate all accounts, account numbers, balances, mutual funds, names on the accounts, dates of closure if an account was closed, and safety deposit box information if we didn’t have a judgment.

Here is just one example of the type of advertising we found:

Welcome to (name omitted). We can perform bank account and investment searches anywhere in the USA and the World. Bank account searches can be used to collect judgements, verify net worth of individuals and companies, or any other purposes.

We can search:

Bank Accounts

Checking

Savings

Investments

Stocks

Bonds

Commodities

Mutual Funds

Safety deposit boxes

And much, much more…

We can search by:

State

Country

Offshore account searches also available.

Disclaimer: We limit retrieval to documents or information available from a public entity or public utility which are intended for public use and do not further elaborate on that information contained in the public entity or public utility records. Must Be 18 or Older for a Consultation or Record Search. We take no responsibility and assume no liability for any privacy claims as we neither utilize, reveal, nor attempt to access any confidential information concerning the parties involved in the search. We are not a licensed private investigator, and we do not engage in any activities for which a license is required… (End of excerpts)

The disclaimer is amazing in light of the fact that this company offered to sell us the amount located in a checking account and the deposit history to the account for $275. I cannot fathom a single way that account balance and deposit transaction records could be “intended for public use”. Indeed this would be a direct revelation of “confidential information”.

No company we reached asked any questions that would logically follow from the passage of Gramm-Leach-Bliley, even when they had disclaimers in the advertisements suggesting that there were restrictions on who could obtain banking information and under what circumstances. Further, in addition to the overt remarks made by several companies to the minor obstacles presented by “federal statutes” and “privacy laws” the advertisements and telephonic presentations bore all the classic signs of pretext operations. These include no-hit/no-fee guarantees; length of time required to complete the search; higher pricing; and types of information being sold.

These results are troubling and point to the inescapable conclusion that there are now criminals hiding behind professional titles such as “information broker”, “private investigator”, and “judicial judgment collector”. I do not make this statement lightly as I was a private investigator for seventeen years and was very proud of my profession. There are thousands of good, honest private investigators, information brokers, and collection professionals working everyday in this country to assist citizens and attorneys at all levels of our judicial system. I receive emails everyday from investigators and brokers who are upset and demoralized because of the practices of some who feel it is easier to steal information instead of using the lawful means that all others who obey the law do. The good, honest professionals are looking to their government to step in and stop these criminals.

Further, many of the information brokers, private investigators, and judicial judgment collectors belong to national trade associations. In fact, many of these association members and their leaders can be found in Internet chat areas trading pretext methods. This begs the question: What are these associations doing to police their membership?

The Effectiveness Of Efforts By The Financial Services Industry

To Deter And Detect Fraudulent Attempts To Obtain

Confidential Account Information

The financial services industry has for many years utilized various methods of combating fraud and protecting the confidentiality of customer information. As I stated in my testimony two years ago, I believe the industry was not aware of the techniques being used by information brokers and investigators to penetrate their security protocols by means of pretext and impersonation. Indeed, most Americans remain ignorant of the practices of unscrupulous information brokers. The financial services industry is traditionally between a rock and a hard place when it comes to information security. Customers want their information to remain confidential. At the same time, they want easy access twenty-four hours a day to that same confidential information. It is this very dilemma that criminals exploit.

The financial services industry is starting to move aggressively to combat the methods and deceptive practices used by identity thieves and infobrokers that seek to illegally gain access to confidential information and in many cases to steal the funds of institution customers. Upgraded and newly developed computer systems and programs work to oversee billions of transactions each day in an effort to identify potentially fraudulent activity. Education and training programs are being modified and instituted to teach all institution employees the signs of identity theft and fraud and what steps to take.

Institutions that have taken steps to determine if information brokers are attempting to access confidential information have found that this is indeed the case. More and more institutions are moving to institute passwords and personal identification numbers (PINS) that provide true access protection. But, many more need to move in that direction. Customers are starting to be notified by institutions concerning the reason and need for certain security protocols. Again, more needs to be done in this area. There is much education, training and work that remains. I am convinced the financial services industry is up to the task.

I have had a birds-eye view of the response of the financial services industry over the past two years. I have worked directly with institutions and professional associations to educate them on the issue of pretext and other deceptive practices used to penetrate information security systems. In each instance I have found that the privacy, administrative and security leaders in the institutions and at association meetings are genuinely concerned about solving this problem and are moving to do so. The financial services industry relies on a reputation for confidentiality to survive. Recent well publicized cases of institutions not protecting customer information both here and abroad illustrate the harm that will quickly be realized by an institution that does not protect customers.

This concern has led, in one instance, to the American Bankers Association distributing to the entire membership an education and basic training program on pretext calling I was asked to author at the association’s initiative. The portion I authored was just a small part of a comprehensive three part series the ABA has distributed to the membership to address the subject of identity theft and privacy in detail over the course of this past year. I believe these materials will aid in thwarting the practices of the Dan Cohns of this world.

I have been asked to speak on a number of occasions to groups of bankers to demonstrate to them how to spot pretext calls, how to educate financial services employees about pretext, and what steps to take at the institution level to thwart information security intrusions. Indeed, you would be hard pressed to find a gathering of bankers anywhere today where the subject of privacy is not addressed at length as a major topic of discussion. Further, the financial services industry did not wait for the passage of GLB to address the issue of pretext. Almost immediately after my testimony in 1998 the ABA was distributing materials and videotapes to any institution concerning pretext and updated information security practices.

It is too early to tell how effectively the defenses now being installed by financial institutions are working to thwart pretext. However, judging by the number of firms advertising the ability to obtain financial information there is still more to be done.

However, unless we end legitimate customer access to account information, there will always be criminals who will attempt to steal that information. The financial services industry needs a helping hand from law enforcement. These criminals must be prosecuted. The message needs to be sent that Federal law enforcement is serious about protecting financial institution customers. It is time to act.

Emerging Threats To Financial Privacy

While the traditional methods of pretext presented before this Committee two years ago continue, there are new emerging threats to the security of information within financial institutions. Those who use creative means to obtain personal information are not resting and waiting to see what Congress or law enforcement will do next to protect the privacy and confidentiality of U.S. citizens. These individuals and companies continue to develop methods to locate citizens and their confidential information. There is much fear that the loss of routinely accessed credit headers will diminish the ability to easily access personal biographical information used as part of a pretext. Therefore, some who seek that information are moving to develop other “sources” and “methods” to develop personal information needed to begin a successful pretext.

The fastest growing method used to “skiptrace” for the current address and other personal information of an individual is to obtain the information from the phone company. Most United States citizens believe that their phone records are private unless obtained by subpoena or other form of Court order. This is especially true for the millions of Americans who pay extra to have a non-published or unlisted phone number. Most citizens would further think that who they call and how long they talk is also a private matter. Most citizens would be wrong.

For years I have seen the sale of private telephone information on the web and in investigative and legal trade journals. These services include the acquisition and sale of non-published and unlisted phone numbers and records; long distance toll records; cellular phone records; pager records; fax records; the current phone number and address for the owner of a disconnected phone, and much more.

While these practices are bad enough, and need to be addressed by Congress and/or law enforcement, the latest development is equally worrisome. Currently, there are presentations of closed, highly secure classes for private investigators and information brokers, teaching the inner workings of the telecommunications industry. These classes are being coupled with databases being developed in the private investigative community to assist in obtaining information held by telecommunications companies. Once obtained this data can then be sold and/or used as part of further identity theft and pretexts used in any number of scenarios, but certainly as the starting point for information gathered as part of a pretext against a financial institution or directly against the financial consumer.

Here is an advertisement being widely distributed for these classes:

NOW! COMING TO LOS ANGELES!

Telecom Secrets Seminar

Using Telecom as a new way

to skiptrace and locate.

Michele “Ma Bell” Yontef, CMI

Telecom Investigations Specialist, Licensed Private Investigator,

Paralegal, Server of Process, Notary, Constable of Court

********************************************************************************************

This is a seminar that will take you from being someone who uses a phone in investigations, to someone who uses the whole telecommunications system to further your investigations. You will gain a comprehensive understanding of the phone system, and how to use that system to get the information you need to close the case. With so many of our “tools of the trade” being taken from us by recent privacy laws, this is a “must attend” seminar. Using Michele's completely legal methods we can continue to obtain the information that is vital to us and to our clients. Don't let yourself or your clients down, learn new and better ways to increase your services and your income.

No recording of any kind will be permitted. There will be extensive security measures. Please contact Vicki for details. All attendees will be required to sign a non-disclosure agreement.

West Coast Professional Services reserves the right to refuse admittance.

These techniques are completely legal, but are being taught only to Investigators and Law Enforcement Officers. Restrictions apply. ************************************************************************************************

A statement from Michele regarding the content:

I will be talking about everything from how to make totally anonymous calls to finding the carrier of any type of line. I will be explaining how things in the Telecom work, so that you will know how to legally maneuver around any obstacle. I will show you how to skip trace and locate like never before, by using the Telecom as a database. I will tell you what the operator knows about you, who can hear you talking on the phone, how to perform all types of procedures, and I will be giving you a ton of vital information in my booklets that accompany the seminar. I will also introduce a new form of searching for skips and will open to you first, my brand new database, that encompasses EVERY numerical search you have ever seen online, plus many more new search ideas that I can teach you about in the seminar as well. For example, did you know that the type of switching your telephone company has you hooked into can allow a listen in on your lines...I will explain how to tell what kind of switching you have, and how it can either lend to the listen in, or block it. I can also show you how to use my database to find that switching for any party, and use it to trace a number to CNA, without ever picking up the phone to pretext anyone! I have brought home missing children, using the secret searches I will disclose to all of you that attend. (End)(Emphasis added)

Here is another widely distributed reference:

Here's an unedited letter from (name deleted), who just experienced the Telecom Secrets Seminar by Michele "Ma Bell" Yontef...

Colleagues:

There are currently three days to prepare yourself, if you are attending the Los Angeles version of the "Telecom secrets" Seminar. You need to practice taking notes, and be ready to absorb the information like a sponge. There is a lot of it, but it's actually very easy to learn. Michele teaches you about how the entire telecommunications system works, then gives you the secrets of how you can use it to do your own non-pubs, CNA's and disconnects, as well as the rationale that leads you to be able to determine the location of some of the toughest skiptrace assignments and locates, you have ever attempted. I sat in awe, writing as furiously as I could, through the six hour session with the Iowa Association of Private Investigators, (IAPI),
provided by Michele, on Friday afternoon. I cannot tell you how valuable this seminar will be to me, in the coming weeks and months, as I develop my skills, using her technique. The best part is that I'd never even thought of
most of this stuff. It is all new, and a wonderful way to expand one's skiptracing skills. It will take practice, but she has given us all a true treasure chest, (and she knows how I love treasure chests! --<grin>), and all the other tools to do the job. The price is an absolute bargain, too!

Please pay particular attention to the reason for her disclaimers and nondisclosure forms. With all the movement and political wrangling of the privacy advocates, (READ - "reactionaries"), we can't afford to have this excellent legal source tainted by the people who would strangle our
profession, and shut off all our sources. End)(Emphasis added)

The reference to “CNA’s” means customer name and address. The reference to “non-pubs” means the ability to obtain the non-published phone number for an individual. The reference to “disconnects” means the ability to locate the new phone number, name and address for someone who disconnected a phone in addition to determining the owner of a previously disconnected phone number.

The database being designed to aid in the acquisition of information maintained by the telecommunications industry has been named “The Last Treasure”. The choice of this name is intentional. It was chosen to mean that this database will be the last method available to locate the overwhelming majority of citizens should the carte blanche acquisition of credit header information be restricted. As with the pretext of financial institutions two years ago, the presenters of these classes and the developers of this database claim that this is all legal. I will leave that to others to decide. As a citizen of this country I am dismayed that my phone records can be bought and sold on the Internet. As a former private investigator that has handled several stalking cases I am well aware of the damage that can be done through the acquisition and sale of this information. As a privacy consultant, I am well aware of the fact that information obtained from the phone company can and is often used to start a financial pretext.

Should there be any doubt concerning the problems that can be created when confidential phone information is obtained, one look no further then a September 9, 2000 article by Lindsey A. Henry for The Des Moines Register:

A West Des Moines woman contends that her ex-husband tracked her down and threatened her after MCI WorldCom gave out her phone number and other information.

Peggy Hill, 33, is suing the long-distance company in federal court in Des Moines. The lawsuit says her ex-husband in Georgia called MCI at least 10 times in June 1999 asking for her billing information and the numbers she had called.

MCI representatives gave him the information and even changed her calling plan at his request, the lawsuit said. (End of Excerpt)

Here was a woman being stalked by her ex-husband and taking precautions, only to be thwarted by the ease with which her phone records were accessed:

Hill thought she had protected herself, her lawsuit says. She moved several times after her divorce in 1992. She paid for an unlisted number. She asked MCI to keep her information confidential, according to the lawsuit.

Only after Hill called to complain did MCI employees flag her account with a warning, according to subpoenaed MCI files.

"Please do not look up numbers for him or give him names of where numbers are dialed to," the notation said. "Peggy is in danger!!!!!! . . . MCI should not have given this man any information!!!!!!" (End of excerpt)

The following claim of rarity when it comes to the release of confidential phone records is laughable given the ease with which Infobrokers buy and sell phone company customer records every day and widely advertise their ability to do so on the Internet:

Sandy Kearney, an investigator for the Iowa attorney general's office, said Hill's situation was rare.

"I hear all the time from telephone companies claiming to not release information without permission," she said.

Hill's lawyer, George LaMarca, said the lawsuit should remind companies of their obligation to protect customers.

"We can't get services without entrusting our most confidential and personal information to companies," LaMarca said. "When we do that, we expect confidentiality. When that trust is breached, companies should expect to pay the consequences." (End of excerpt)

Just as this husband was able to allegedly access his ex-wife’s customer records, identity thieves, private investigators, information brokers and judicial judgment collectors use similar techniques everyday to access these same records. All they need do is impersonate the customer or the relative of a customer. This common knowledge amongst identity criminals is being used as the starting point for access to personally identifiable information that can then be used to access financial information.

This committee will recall the testimony of one of the “Godfathers” of the information broker industry in this very room two years ago. Al Schweitzer instructed us all at that time that one of the most common financial pretexts begins with either a pretext call to the consumer impersonating someone from the phone company, or a pretext call to the phone company to develop personal information to be used as part of a further pretext against the consumer and/or financial institution. The problem continues today and is growing in scope and sophistication.

I would like to ring one final warning bell concerning the use of pretext and deceptive information security penetration practices. These are the very techniques that are used by individuals engaged in corporate espionage. Every day these techniques are used to steal our nation’s corporate and military trade secrets and other forms of confidential information. I know that our military is aware of this as representatives of the Pentagon asked me to present a private briefing after my last appearance here in 1998. I will not disclose in an open forum what I was able to demonstrate in that briefing other than to state that I believe it confirmed concerns on the part of the officials I met with in relation to a threat that could easily put our country at a disadvantage during a time of crisis.

This Committee, which oversees the safety and soundness of our Nation’s financial system, should be concerned about the threat that corporate espionage, both domestic and foreign, poses to the financial well being of our country. This is the “Information Age” and our country is the leader in that regard. It is precisely that leadership position which is driving this unprecedented economic boom we are all witnessing. Information technology advantages are paramount to our continued economic success. This is why information security is all-important to that success. Companies are discovering the need for computer system firewalls, yet are woefully unprepared when it comes to social engineering security penetrations and a laissez faire attitude concerning who information is disclosed to telephonically and otherwise.

Simply put. Loose lips do sink the corporate ships of today and tomorrow. The most infamous computer “hacker” on the planet, Kevin Mitnick, obtained the plans for an unreleased Motorola product by direct “pretext” phone calls to Motorola employees who then faxed him the plans to his home! If you speak to Mr. Mitnick, you will learn that he obtained just as much confidential information via “dumpster diving” and social engineering (pretext) as he ever did by a true computer hack attack.

Another method that is becoming more common is the use of a “Trojan check”. An investigator or broker will create a fictitious business name and open a checking account in that business name. A small check will be mailed to the target as a “rebate” or “prize” stamped on the back “for deposit only”. Once the check has been deposited and is returned to the fictitious company the banking information obtained on the back of the check can be used to further the pretext to determine the amount of funds held in the account. There is great debate in the investigative and broker communities as to the legality of this practice given Gramm-Leach-Bliley and the deceptive trade practices statutes. While the debate continues, so does the practice.

Informal networks of investigators, infobrokers, judgment collectors, and collection professionals are found all over the Internet. It is not uncommon to see requests for “contacts” in financial services institutions. Some collection professionals openly advertise their ability to provide information maintained within their files. Routinely, there are account and file numbers along with the names of targets placed on the Internet for inspection by others to determine if information can be traded or obtained.

Vehicle tracking devices are being offered for sale in order to follow or record the travels of citizens. While not directly relevant to the pretext of financial information, it demonstrates the length that some will go to in order to obtain information on citizens in the United States today.

If law enforcement agencies of State and Federal governments were caught doing these practices absent a constitutionally permissible purpose and/or Court order there would be rioting in the streets. Yet every day these events are carried out by private investigators, information brokers and judgment collectors who have no authority above that of a private citizen and no one blinks. From where I sit, my privacy is just as violated whether the intrusion comes from a person with a badge or not.

What Needs To Be Done

I would like to make some suggestions concerning what needs to be done to continue the battle against the use of fraud and deception to access financial information.

First, we need swift, aggressive, nationwide action by law enforcement to begin criminal investigation and prosecution of those who are thumbing their noses at the provisions of Gramm-Leach-Bliley and other appropriate statutes. I hope the information I provided in 1998 and today supports this conclusion.

Second, GLB needs to be amended. The narrowly crafted child-support exemption for the use of pretext is being used as an advertising shield by private investigators to hide behind while continuing the covert sale of financial information that falls outside of the GLB exemptions. The provisions of GLB that allow for pretext in a child support situation state as follows:

The following excerpt describing this procedure is from a front-page article written by Robert O’Harrow, Jr. in the Sunday, June 27, 1999 edition of the Washington Post:

O’Harrow went on to describe in more detail how the new system operates:

In a test run this spring, Wells Fargo & Co. identified 72,000 customers whom states have identified as delinquents. NationsBank Corp. found 74,000 alleged delinquents in its test.

Simply put, there is no legitimate reason to continue the child support exemption to Gramm-Leach-Bliley. There is a legitimate reason to strike it from the statute as companies are using it as pretence to advertise their ability to locate financial institution customer information. All the ad need say is the request must be in compliance with applicable laws and that all requests are performed on that basis. Once the investigator is comfortable that the requestor is not law enforcement running a sting operation—they sell any information in complete disregard of the law. Our survey proved this ten times over.

Third, financial institutions must continue the work they have started to take every precaution necessary to teach all banking employees about the methods associated with identity theft and pretext so that employees can spot fraudulent acts and know what to do when an act is detected. This will require regular and ongoing education, training and auditing programs to maintain the highest level of information security possible. Infobrokers and identity thieves are constantly developing new techniques and methods. The financial services industry must work to stay abreast of these techniques.

Fourth, the federal regulatory agencies must also continue to stay abreast of information security threats and implement appropriate standards and regulations. Audits need to assess the effectiveness of programs in place.

Finally, this Committee must continue on a regular basis to exercise the appropriate oversight functions necessary to ensure that agencies of the federal government continue to take every step available to stop illegal access of personal and confidential customer information. I know that we are late in the Congressional session and that Chairman Leach will be passing the baton next year. I also am aware that when the baton passes there may be changes in the staff of the Committee. I genuinely hope that no matter who takes up the leadership of the Committee and no matter from which side of the aisle, that there will continue an institutional memory to follow this issue. I truly believe it is of profound import to the health of our financial services industry in this country.

Conclusion

In closing, when I appeared before this Committee in 1998 I recited a long laundry list of the dangers posed by the deceptive methods in use by some private investigators and information brokers to gain illegal access to confidential and protected information. There were some who found it hard to believe that what I claimed was true or as serious as I presented the problem. However, those in the investigative and information broker industries who were practicing these techniques knew that I had spoken honestly and were not pleased to have sunshine illuminating their practices. I soon began fielding phone calls from across the country. The hearing had been carried on C-SPAN. In brief, the attention to these techniques was not well received by some. I was condemned by many and even received two death threats.

I mention this because the information being obtained illegally is in many cases both quite serious and lucrative for those buying and selling it and often places others in physical danger. One needs to look no further than the case of James and Regina Rapp of Touch Tone Services to see that this is true. They were running a million dollar a year operation in Denver Colorado with numerous employees when Denver and Los Angeles law enforcement officers caught up with them along with the FTC. Why so many agencies? A short list of the Rapp’s alleged activities points to the answer.

The following allegations were reported: Touch Tone had accessed and sold information concerning undercover Los Angeles police detectives including their private unlisted phone and pager records to a member of the “Israeli mafia”, placing the lives of the officers, the officers’ families, the officers’ confidential informants, and active organized crime investigations in danger. Touchtone accessed and sold information concerning the murder of Ennis Cosby, son of famed comedian Bill Cosby. Touchtone accessed and sold personal and confidential information regarding the Columbine High School massacre victims and families including home addresses, unlisted home telephone numbers, banking, and credit card records.

Touchtone inserted itself into the Jon Benet Ramsey investigation. Here is a list written by James Rapp to a California private investigator outlining the Rapp’s work in the Jon Benet Ramsey murder investigation:

Here is a list of all Ramsey cases we have been involved with during the past lifetime (sic).

1. Cellular toll records, both for John & Patsy.

2. Land line tolls for the Michigan and Boulder homes.

3. Tolls on the investigative firm.

4. Tolls and home location on the housekeeper, Mr. & Mrs. Mervin Pugh.

5. Credit card tolls on the following:

a. Mr. John Ramsey, AMX & VISA

b. Mr. John Ramsey Jr., AMX.

6. Home location of ex-wife in Georgia, we have number, address & tolls.

7. Banking investigation on Access Graphics, Mr. Ramsey's company, as well as banking information on Mr. Ramsey personal.

8. We have the name, address & number of Mr. Sawyer & Mr. Smith, who sold the pictures to the Golbe (sic), we also have tolls on their phone.

9. The investigative firm of H. Ellis Armstead, we achieved all their land and cellular lines, as well as cellular tolls, they were the investigative firm assisting the Boulder DA's office, as well as assisting the Ramseys.

10. Detective Bill Palmer, Boulder P.D., we achieved personal address and numbers.

11. The public relations individual "Pat Kroton" (sic) for the Ramseys, we achieved the hotel and call detail where he was staying during his assistance to the Ramseys. We also have his direct cellular phone records.

12. We also achieved the son's John Jr.'s SSN and DOB.

13. During all our credit card cases, we acquired all ticket numbers, flight numbers, dates of flights, departing times and arriving times.

14. Friend of the Ramseys, working with the city of Boulder, Mr. Jay Elowskay, we have his personal info.

Of course, all the above have been repeatedly asked for over and over again.

Let me know if I can be of further assistance in this or any matter. (End of letter)

This one company, Touchtone, had a client list of more than 1,200 spread across the country. Another local Montgomery County, Maryland private investigator admitted to obtaining the phone records of Kathleen Willey, a witness in the criminal investigation of President Clinton. These are just two companies. There are dozens of companies still in operation today. There can be little doubt as to the serious implications of the activities of these companies.

Mr. Chairman and members of the Committee, as I leave you today, I hope that the time and effort I have placed in this testimony will serve as a blueprint for further examination by this Congress of matters deserving attention. Thank you.

Appendix II

U.S. Secret Service

Testimony of Mr. Bruce A. Townsend
Special Agent in Charge – Financial Crimes Division

For Presentation to the Committee on
Banking and Financial Services
U.S. House of Representatives

September 13, 2000

Mr. Chairman, members of the Committee, thank you for the opportunity to address the Committee on the subject of identity theft and the Secret Service's efforts to combat this problem. I have prepared a comprehensive statement that will be submitted for the record, and with the Committee's permission, I will summarize my statement at this time.

In addition to providing the highest level of physical protection to our nation's leaders, the Secret Service exercises broad investigative jurisdiction over a variety of financial crimes. As the original guardian of our nation's financial payment systems, the Secret Service has a long history of pursuing those who would victimize our financial institutions and law-abiding citizens. In recent years, the combination of the information technology revolution and the effects of globalization have caused the investigative mission of the Secret Service to evolve in a manner that cannot be overstated.

Today we are faced with a new challenge--that of identity theft. The Secret Service views identity theft as a disturbing combination of old schemes and abuse of emerging technologies. However, it should be clear--this crime is about more than the theft of money or property. This crime is about the theft of things that cannot be so easily replaced--a person's good name, a reputation in the community--years of hard work and commitment to goals. Make no mistake about it; this crime is a particularly invasive crime that can leave victims picking up the pieces of their lives for months or even years afterward.

Mr. Chairman, we in the Secret Service applaud your efforts in convening this hearing today. We stand ready to work with you and all the members of the committee in attacking the crime of identity theft. It is our belief that hearings such as this will be the catalyst to bring together the resources of both state and Federal Governments in a unified response to the identity theft problem.

Congress has already taken an important step in providing increased protection for the victims of identity theft through the enhancements made to Title 18, United States Code, Section 1028, by the Identity Theft and Assumption Deterrence Act, which was signed into law in October of 1998.

This law accomplished four things simultaneously. First, it identified people whose credit had been compromised as true victims. Historically with financial crimes such as bank fraud or credit card fraud, the victim identified by statute, was the person, business or financial institution that lost the money. All too often the victims of identity theft, whose credit was destroyed, were not even recognized as victims. This is no longer the case.

Second, this law established the Federal Trade Commission (FTC) as the one central point of contact for these victims to report all instances of identity theft. This collection of all information involving ID theft cases allows us to identify systemic weaknesses and enables law enforcement to retrieve all investigative data from one central location. It further allows the FTC to provide people with the information and assistance they need in order to take the steps necessary to correct their credit records.

Third, this law provided increased sentencing potential and enhanced asset forfeiture provisions. These enhancements help to reach prosecutorial thresholds and allow for the repatriation of funds to victims.

Lastly, this law closed a loophole in Title 18, United States Code, Section 1028, by making it illegal to steal another person's personal identification information with the intent to commit a violation. Previously, under Section 1028, only the production or possession of false identity documents was prohibited. With advances in technology such as E-Commerce and the Internet, criminals today do not need actual documents to assume an identity.

We believe the enactment of this legislation is an important component in bringing together both the federal and state government, in a focused and unified response to the identity theft problem. Today, law enforcement and regulatory and community assistance organizations have joined forces through a variety of working groups, task forces, and information sharing initiatives to assist the victims of identity theft. Victims no longer have to feel abandoned, with no where to turn.

Policies and procedures are being initiated to expedite the reporting of this crime. Civil remedies are also being created allowing for victims to seek restitution. The Secret Service "Victim Witness Assistance Program" aids identity theft victims by providing resources and contact information for credit bureaus and service programs. The financial community continues to design and implement security measures that minimize the exploitation of true persons names and identification information.

The Secret Service has broad investigative responsibilities relating to financial crimes. Today, some type of false identification is a prerequisite for nearly all financial fraud crimes. False ID's provide anonymity to criminals and allow for repeat victimization of the same individual while perpetrating a variety of fraud schemes. Often, in their attempt to remain anonymous, criminals may randomly assume the identity of another individual through the creation of false identification documents. In these cases, the goal may not be to target an individual for the purposes of stealing his or her identity. Yet, by coincidence, that individual's identity has been compromised through the criminal's use of their personal identifiers.

False identification documents, either altered, counterfeited, or fraudulently obtained, are routinely used with loan and check fraud schemes, and almost all credit card fraud schemes. Ironically, the credit industry through capital investments over the past 10 years has strengthened the integrity of the system through security measures, which effectively thwart some types of direct counterfeiting. Subsequently, criminals no longer simply create names and identities; they must more often rely on the identifiers of real people.

As we enter the next century, the strength of the financial industry has never been greater. A strong economy, burgeoning use of the Internet and advanced technology, coupled with increased spending has led to fierce competition within the financial sector. Although this provides benefits to the consumer through readily available credit, and consumer oriented financial services, it also creates a rich environment for today’s sophisticated criminals, many of whom are organized and operate across international borders.

In addition, information collection has become a common byproduct of the newly emerging e-commerce. Internet purchases credit card sales and other forms of electronic transactions are being captured, stored, and analyzed by entrepreneurs intent on increasing their market share. This has led to an entirely new business sector being created which promotes the buying and selling of personal information.

With the advent of the Internet, companies have been created for the sole purpose of data mining, data warehousing, and brokering of this information. These companies collect a wealth of information about consumers, including information as confidential as their medical histories.

Consumers routinely provide personal, financial and health information to companies engaged in business on the Internet. Consumers may not realize that the information they provide in credit card applications, loan applications, or with merchants they patronize, are valuable commodities in this new age of information trading.

Data collection companies like all businesses are profit motivated, and as such, may be more concerned with generating potential customers rather than the misuse of this information by unscrupulous individuals. This readily available personal information in conjunction with the customer friendly marketing environment has presented ample opportunities for criminals intent on exploiting the situation for economic gain.

The Secret Service has investigated numerous cases where criminals have used other people' s identities to purchase everything from computers to houses. Financial institutions must continually practice due diligence or they will fall victim to the criminal who attempts to obtain a loan or cash a counterfeit check using someone else's identity.

As financial institutions and merchants become more cautious in their approach to "hand to hand" transactions the criminals are looking for other venues to compromise. Today, criminals need look no further than the Internet.

For example, an Internet fraud investigation conducted by the secret service, Department of Defense, Postal Inspection Service, and the Social Security Administration Inspector General's Office highlighted the ease with which criminals can obtain personal information through public sources. These defendants accessed a web site that published the promotion list of high ranking military officers. This site further documented personal information on these officers that was used to fraudulently obtain credit, merchandise, and other services.

In this particular case the financial institution, in an effort to operate in a consumer friendly manner issued credit over the Internet in less than a minute. Approval for credit was granted after conducting a credit check for the applicant who provided a "true name" and matching "true Social Security Number." All other information provided such as the date of birth, address and telephone number, that could have been used for further verification, was fraudulent. The failure of this bank to conduct a more comprehensive verification process resulted in substantial losses and more importantly a long list of high-ranking military officers who became victims of identity fraud.

The Internet provides the anonymity criminals desire. In the past, fraud schemes required false identification documents, and necessitated a "face to face" exchange of information and identity verification. Now with just a laptop and modem, criminals are capable of perpetrating a variety of financial crimes without identity documents through the use of stolen personal information.

The Secret Service has investigated several cases where cyber criminals have hacked into Internet merchant sites and stolen the personal information and credit card account numbers of their customers. These account numbers are then used with supporting personal information to order merchandise to be mailed throughout the world. Most account holders are not aware that their credit card account has been compromised until they receive their billing statement.

Time and time again, criminals have demonstrated the ability to obtain information from businesses conducting commerce on the Internet. This information has been used to facilitate account takeover schemes and other similar frauds. It has become a frightening reality that one individual can literally take over another individual's financial identity without the true victim’s knowledge.

Cyber criminals are also using information hacked from sites on the Internet to extort money from companies. It is not unprecedented for international hackers to hack into business accounts, steal thousands of credit card account numbers along with the accompanying personal identifiers, and then threaten the companies with exposure unless the hackers are paid a substantial amount of money.

The Secret Service continues to attack identity theft by aggressively pursuing our core violations. It is by the successful investigation of criminals involved in financial and computer fraud that we are able to identify and suppress identity theft.

As stated earlier, identity theft, and the use of false identification has become an integral component of most financial criminal activity. In order to be successful in suppressing identity theft we believe law enforcement agencies should continue to focus their energy and available resources on the criminal activities that incorporate the misuse or theft of identification information.

The Secret Service has achieved success through a consistent three -tiered process of aggressive pro-active investigations, identification of systemic weaknesses, and partnerships with the financial sector to adopt fixes to these weaknesses.

The Secret Service's investigative program focuses on three areas of criminal schemes within our core expertise. First, the Secret Service emphasizes the investigation of counterfeit instruments. By counterfeit instruments, I refer to counterfeit currency, counterfeit checks, both commercial and government, counterfeit credit cards, counterfeit stocks or bonds, and virtually any negotiable instrument that can be counterfeited. Many of these schemes would not be possible without the compromise of innocent victim's financial identities. Second, the Secret Service targets organized criminal groups that are engaged in financial crimes on both a national and international scale. Again, we see many of these groups; most notably the Nigerian and Asian organized criminal groups, prolific in their use of stolen financial and personal information to further their financial crime activity.

Finally, we focus our resources on community impact cases. The Secret Service works in concert with the state, county, and local police departments to ensure our resources are being targeted to those criminal areas that are of a high concern to the local citizenry. Further, we work very closely with both federal and local prosecutors to ensure that our investigations are relevant, topical and prosecutable under existing guidelines. No area today is more relevant or topical than that of identity theft.

It has been our experience that the criminal groups involved in these types of crimes routinely operate in a multi-jurisdictional environment. This has created problems for local law enforcement that generally act as the first responders to their criminal activities. By working closely with other federal, state, and local law enforcement, as well as international police agencies we are able to provide a comprehensive network of intelligence sharing, resource sharing, and technical expertise which bridges jurisdictional boundaries.

This partnership approach to law enforcement is exemplified by our financial crimes task forces located throughout the country. Each of these task forces pools the personnel and technical resources and to maximize the expertise of each participating law enforcement agency. A number of these task forces are focused on the Nigerian criminal element operating in this country. As mentioned earlier, this particular ethnic criminal group has historically been involved in a myriad of financial crimes, which incorporate false identification and identity theft.

In addition to our inter-dependant working relationship with law enforcement on all levels, our partnership with the private sector has proved invaluable. Representatives from numerous commercial sectors to include the financial, telecommunications, and computer industries have all pledged their support in finding ways to ensure consumer protection while minimizing corporate losses. The secret service has entered into several cooperative efforts with members of the financial sector to address challenges posed by new and emerging technologies. These initiatives have created some new and innovative approaches to identification verification in business.

Automated teller machines, E-Commerce, online banking, online trading, smart cards, all once considered futuristic concepts, are now a reality. Each of these technologies lends themselves to creating a "faceless society". In order for businesses to be successful, they can no longer rely upon personal contact as a means of identity verification.

One innovative approach that appears to address the problems of identity verification for Internet commerce has been developed and introduced by a member of the financial community. This new product is the first commercial venture by the credit card industry to provide the public with an on line authentication process using chip technology and encryption. Although this product may not end credit card fraud on the Internet, it is the first step in providing a more secure environment in which to conduct Internet commerce.

Efforts such as these provide a foundation by which law enforcement and the private sector can build upon. By applying the technologies used in this product and others being developed for the same purpose, we can systemically eliminate the weaknesses in our economic infrastructure, which allow for the misuse of personal information.

In conjunction with these technological advances, the Secret Service is actively involved with a number of government sponsored initiatives. At the request of the Attorney General, the Secret Service joined an interagency identity theft subcommittee that was established by the Department of Justice.

This group, which is made up of federal and state law enforcement, regulatory agencies, and professional agencies meets regularly to discuss and coordinate investigative and prosecutive strategies as well as consumer education programs.

In addition, under the direction of the President, the Treasury Department, with the assistance of the Secret Service, convened a national summit on the subject of identity theft. This summit brought together various federal, state, and private sector entities to discuss and develop policies that will help to prevent identity theft crimes. Follow-up workshops are scheduled for October of this year to focus on ways of assisting consumers and preventing identity theft.

As you have heard in this testimony some very positive steps are being taken to address and combat identity theft. The Secret Service will always encourage both business and law enforcement to work together to develop an environment in which personal information is securely guarded. In this age of instant access, knowledge is power. We cannot allow today’s criminals to abuse the very systems that were created for the betterment of society. The emotional toll on the lives of those whose identities have been compromised cannot be fully accounted for in dollars and cents. It is all of our responsibilities to protect personal information.

The Secret Service acknowledges that identity theft is a very real problem and pledges its support in the Federal Government's efforts to eliminate it.

This concludes my prepared statement. I would be happy to answer any questions that you or any other member of the committee may have. Thank you.

Home Contact Us Privacy News APC News Services Speeches