washingtonpost.com
Concerns for ID Theft Often Are Unheeded
By Robert O'Harrow Jr.
Washington Post Staff Writer
Monday, July 23, 2001; Page A01
Major financial institutions routinely give out confidential customer
account information to callers, using security procedures that authorities say
are vulnerable to abuse by fraud artists.
Regulators and law enforcement officials warned three years ago that
identity thieves and information brokers were tricking clerks into giving them
access to individuals' financial information.
They urged banks to require customers to use passwords or codes instead of
Social Security numbers, mothers' maiden names and other widely available
personal information to identify themselves when calling.
But a review of policies at banks, mutual funds and credit card companies
shows that major companies frequently do not require passwords or codes,
despite the warnings, because of the expense involved and because officials
fear their customers will find the safeguards inconvenient.
Telephone clerks at Chase Bank in New York, for example, shared checking
account balances, transaction records and, in some cases, account numbers with
callers who provided only a name, Social Security number and mother's maiden
name to verify their identities.
Mutual fund companies, such as Vanguard Group Inc., Fidelity Investments and
Janus, also sometimes ask for just the names, Social Security numbers,
addresses and similar details of callers before turning over transaction histories
and account balances, sometimes down to the penny, company officials said.
Recent indictments show that the authentication problem is more than
theoretical. In a scheme a judge called "absolutely amazing," an
identity thief from Tennessee last year persuaded telephone clerks at banks and
credit card companies, including American Express, to share financial
information about top executives, including those at Coca-Cola Co. and Lehman
Brothers Inc. With those details, the thief was able to buy hundreds of
thousands of dollars in diamonds and Rolex watches before being caught and
pleading guilty in the case.
A Justice Department official recently described identity theft as one of
the nation's fastest-growing white-collar crimes. Some authorities estimate
there are 500,000 cases a year.
A privacy consultant who helped write security guidelines for the American
Bankers Association estimates that at least half of banks in the country take
inadequate steps to authenticate the identity of callers.
"It's not hard at all" for criminals to get confidential
information, said Robert Douglas of American Privacy Consultants Inc. in
Alexandria. "The banks that don't use PINs or passwords are defeated
almost every time."
John Byrne, senior counsel at the American Bankers Association, which has
urged its members to use passwords and personal identification numbers, said:
"It is very clear that in a perfect world you have to update, modify,
maybe even substantially change your security policies because of the criminals
trying to gain access, . . . because of the fraud. The reality is the customers
demand immediate access to their own information."
Congress and law enforcement officials are struggling over what they can do
to better protect individuals from identity theft. Several proposed bills
would limit the sale and use of Social Security numbers, an approach meant to
keep the identifiers out of the hands of criminals. And law enforcement authorities
have stepped up identity-fraud investigations.
But some regulators and security specialists said financial companies bear
responsibility for doing a better job. Although banks and credit card companies
generally cover the costs of identity theft, victims often have to deal with
bad credit reports and debt collectors pestering them for unpaid bills.
Julie Williams, chief counsel at the Comptroller of the Currency in
Washington, said the use of passwords would "substantially reduce the risk
of identity theft." She said she believes companies are obligated to use
them under new financial-services regulations.
Many companies, including Chase, American Express and Vanguard, instruct
telephone clerks to ask callers for account numbers or personal codes that customers
use on company Web sites. Officials said clerks sometimes assess the
credibility of callers by asking for several details about accounts that only a
customer should know, such as the branch where an account was opened.
But if callers do not have those particulars handy, officials said, clerks
ask for less-secure identifiers, such as a Social Security number or a mother's
maiden name.
Robin Warren, privacy executive at Bank of America Corp., said the bank
relies on an array of questions to identify callers and head off fraud. But
"we don't want to make it difficult for customers to get access to their
accounts," she added. "Customers get irritated." Requiring
passwords "would inconvenience a lot of people," Warren said.
"For the most part, we try to accommodate our customers," Citibank
spokesman Mark Rodgers said. "If someone doesn't have that particular
number, we will work with them to screen them."
American Express Co. is changing its policy. Since January it has been
urging new customers to choose a password or code that will verify who they are
when calling for account information. Spokeswoman Judy Tenzer said the policy
was begun without fanfare earlier this year because of growing concerns about
identity fraud.
"We strongly believe this will help cut down some of the fraud that is
taking place," she said. Customers will be asked to not use their birth
dates, Social Security numbers or other commonly available information, she
said. "We're trying to give them greater security than that now affords them."
James Rinaldo Jackson, 40, of Memphis, admitted in federal court that he
took advantage of that good will when he arranged to buy $730,000 worth of
diamonds and watches in the names of corporate executives.
To choose victims, Jackson looked through the "Who's Who In
America" reference guide. He bought dossiers about them from information
brokers he found on the Internet, paying $50 to $100 for their names, Social
Security numbers and other personal details, such as where they had bank accounts.
He then manipulated clerks at American Express, Fifth Third Bank in Ohio,
the Bank of New Hampshire and other financial institutions, according to court
records and his own testimony. Jackson obtained bank-account and credit card
numbers. He convinced the companies to change the billing addresses. He even
got banks to wire money to jewelers to pay for some of the valuables.
He said in court that he faced few hurdles when he presented himself as the
executives. In one case he posed as Gordon Teter, the late chairman of Wendy's
International Inc. In doing so, he convinced the Fifth Third Bank to wire
almost $300,000 to diamond and watch merchants, some of them online. He also
charged Rolex watches on Teter's Visa card and changed his billing addresses to
Jonesboro, Ark.
"Amazing, Mr. Jackson," said U.S. District Court Judge Deborah A.
Batts in New York, when Jackson described his exploits at her request.
"Absolutely amazing." Jackson pleaded guilty to 29 charges of fraud
and is awaiting sentencing.
Robert Dunn, his attorney, said Jackson would have been stopped much earlier
had the companies required passwords before sharing customers' information or
allowing him to act on the accounts. "That simple screen would have
thwarted much of what he was able to accomplish," Dunn said.
© 2001 The Washington Post Company