
Task Force Shapes ID Theft Policy

A viral epidemic of consumer identity fraud and data theft prompted President Bush last year to create a task force charged with crafting proposals to marshal Uncle Sam's resources to prevent identity fraud, assist victims and more aggressively prosecute those responsible.

The president's task force is co-chaired by U.S. Attorney General Alberto Gonzales and Deborah Platt Majoras, the head of the Federal Trade Commission. It also includes top leaders from a number of other government departments.

At the end of December 2006, the group requested comments on its interim recommendations. It received hundreds of opinions from businesses and consumers, and it is now readying a final set of recommendations to be presented to the White House in the coming weeks.

More than 100 million personal or financial records on Americans have been compromised as a result of data breaches or losses at corporations, government agencies, educational institutions and other entities over the past three years, according to the Privacy Rights Clearinghouse. In addition, more than 10 million Americans were victims of identity fraud in 2006, according to the FTC.

A number of bills are being crafted on Capitol Hill to address the problem, and many of the task force's interim recommendations mirror them closely. For example, the group is debating whether to recommend that national data security requirements be imposed on all commercial entities maintaining sensitive consumer information, and whether a national data breach notification requirement should be adopted.

But other proposed recommendations would go further. The task force is considering whether to call for the creation of a National Identity Theft Law Enforcement Center to serve as a clearinghouse for identity theft complaint data. It would be a central "hub for analysis of that information" that could be used "to provide support for law enforcement at state and federal levels in the investigation, prosecution and prevention of identity theft crimes" and to "enable law enforcement officers from around the country to share, access and search appropriate law enforcement information through remote access."

The task force also suggested tweaking criminal laws to allow prosecutors to better pursue cyber criminals who operate huge networks of remote-controlled, virus-infected personal computers, so-called "robot networks," more commonly known as "botnets."

The majority of the malicious code enabling bot masters to control their herds also allows them to steal passwords and record what the victim types on a computer keyboard.

The task force recommended eliminating certain criteria that currently must be met to trigger an investigation. It advocated dismissing the requirement that bot masters' malicious spyware infections cause "damage" to computers and that the loss caused by the attack must exceed $5,000. The group also suggested amending the law to clarify that a victim need not have sustained any monetary loss for prosecutors to pursue a case on their behalf.

Eliminating the monetary threshold that would trigger an investigation could be a meaningful step. Most prosecutors aren't likely to take a case unless it involves at least $50,000 worth of damage.

Security Fix had an opportunity at the RSA Security conference in San Francisco last month to sit down with Chris Painter, deputy chief of the Justice Department's Computer Crime and Intellectual Property Section. Painter said the "existing monetary thresholds we need to meet in order to launch an investigation makes it difficult to always effectively deal with the botnet problem."

A number of state and local law enforcement professionals have called on the government to clarify that identity fraud victims have the right to let law enforcement officials receive ID theft-related documents on their behalf. The task force said it is seriously considering that recommendation.

Jason Jenkins, a detective with the financial and high-tech crimes unit of the Palo Alto, Calif., police department, said victims often "hit a brick wall" when dealing with a financial institution in attempts to gather the relevant information to report to the police. Banks, he said, usually decline to provide victims with any information when they realize fraud exists on the account.

"More often than not we are met with resistance by the institutions who demand a subpoena or search warrant due to privacy issues," Jenkins wrote. "In many instances, law enforcement is unable to gather the necessary details of the crime. If we are lucky and get the information that we are seeking, it is often too late to recover any digital or physical evidence necessary to identify and locate the suspect(s) responsible. Considering that many criminals have traded in their handgun and ski-mask for the tools necessary to commit identity crimes, I believe this epidemic will only get worse. Law enforcement officers should not have to draft a four-page search warrant in order to identify the location where a crime occurred or the account details of a victim who has reported identity theft."

Jenkins' comments were echoed in those submitted by a detective at the Honolulu Police Department and an unidentified U.S. Secret Service agent.

I support an idea offered by Business Software Alliance President Robert Holleyman that was not in the task force recommendations. He said federal racketeering laws should be updated to give U.S. law enforcement greater leeway for investigating and prosecuting organized cyber criminal syndicates. The BSA suggested that the government update the Racketeer Influenced and Corrupt Organizations Act to support racketeering criminal charges against organized cyber crime syndicates from Eastern Europe, Africa, Asia and other regions. The law currently is used mainly to investigate and prosecute domestic mafia and other crime syndicates.

What do you think, dear Security Fix readers? Would these ideas help improve the current situation with identity fraud? Share your thoughts in the comments section below.

By Brian Krebs  |  March 15, 2007; 9:36 AM ET
Categories:  Fraud , From the Bunker  


As a retiree who seldom if ever needs a credit check run against me, I would like to have the ability to freeze my credit file. My understanding is that in so doing, no one could begin charging against my credit cards or borrowing money in my name. Seems simple.

Posted by: Bartolo | March 15, 2007 10:04 AM | Report abuse

Banks, brokerages, other financial institutions, and online businesses should be held liable for failure to prevent fraud. As it is, they have insufficient incentive to implement strong measures to prevent it. Placing a cap on customer liability (similar to the cap on credit card fraud) would put the burden on the only entities that are in a position to solve the problem.

I recently contacted my brokerage service to request that online access to my account be disabled. They had no way to do that! And access was granted to me over the phone based on answers to a few questions that could be known or discovered by a criminal with a little research. I had set up a personal security question with a strong random key as the answer, but they did not even ask that question because the answer looked odd to them, and they reverted to the standard questions. According to the representative, that was standard practice by all 150 of the phone reps.

These companies are holding the life savings of millions of people. They need to be held responsible for protecting them.

Posted by: Alan | March 15, 2007 10:10 AM | Report abuse

I applaud any efforts to combat identity fraud by the government. However, with the Internet being so international, how will we reach those criminals outside the U.S. when other countries may not have similar laws or lack the motivation to enforce the laws that do exist?

Also, it seems to me that even while we are pursuing heavy-weight options such as more investigation and prosecution, we are ignoring certain low-hanging fruits in the battle against ID thieves. For example, if the government would establish a "do-not-scam" notification database where people can voluntarily register (similar to the national do-not-call list) to receive a daily email summary of their credit/debit card transactions, that could greatly reduce card fraud in this country. The major credit card issuers should be required to supply the data for anyone who is registered with the database and there should be a simple way to report fraud. And any merchant involved in a fraudulent transaction should then be given notice so that a refund can be issued right away. All this can still coexist with the existing process. The do-not-call registry has worked very well so far and I believe a do-not-scam database can be equally effective. But perhaps this too will first have to be done at the state level and then later at the national level when there's enough momentum. I think I'll go email my state representative now.

Posted by: Qian Wang | March 15, 2007 10:30 AM | Report abuse

You can request a freeze on your credit.

My solution for identity theft problems (also, computer security problems in general): Insurance. You go to get id theft insurance, the insurance company looks at who you do business with and sets the rates accordingly. This gives you an incentive to go with institutions that have a history of not suffering breaches, and gives institutions an incentive to tighten up their practices.

Posted by: wiredog | March 15, 2007 11:28 AM | Report abuse

Financial institutions should be MANDATED to protect your information and should be severely FINED when they breach that trust. I recently had an incident occur where my broker sent my 1099 (with name, address, SSN etc) to some unknown party. So this person now has all my personal info and all my financial transactions for 2006. As I get all my statements etc electronically, there was no need for a 1099 to even be printed. This was human error vice computer problems. And the only response I got was OOPS!

Posted by: JD | March 15, 2007 11:36 AM | Report abuse

The first commenter had the idea. We're focusing on the wrong target - ID theft wouldn't be possible without the bureaucratic oligopoly maintained by the three credit reporting agencies. Consider: the majority of what we're calling "identity theft" would be simple credit card fraud 20 years ago. The real negative impact comes from the fact that information compiled on you by these agencies is only reviewable annually, there is no appeal process, and while anyone can submit negative information, credit reporting agencies are under no obligation to make it as easy for you to remove it. I know the law says otherwise, but the remedy is beyond the means of the average consumer - sue the agency.

This problem doesn't exist in Europe, where such a monopoly on your personal information doesn't exist - in fact, it's prohibited by law. Sure, you can't walk into any department store and walk out five minutes later with a $2,500 line of credit. But hasn't the time come that we need to balance convenience against risk?

Posted by: WB | March 15, 2007 12:43 PM | Report abuse

@ wiredog:

Very interesting comment re risk analysis by insurance carriers vs. breach experience of financial institutions.

Can you provide quotable source for proof of this practice?

I teach courses in this material and would appreciate citation.


BTW @ bartolo: Freeze on your credit report will not, in itself, prevent unauthorized charges on your existing credit cards.

Posted by: CITRMS | March 15, 2007 1:13 PM | Report abuse

A National Identity Theft Law Enforcement Center is a step in the right direction.

ID thieves count on information remaining within police jurisdictional boundaries. ID theft activity often takes place within organized rings of thieves covering a large geographical area. Collecting data at a single repository could help to identify patterns that reveal ID theft networks.

A first step should be to consider consolidating/connecting the data collections already in place and scattered about the country.

There is no total solution that will eliminate ID theft. Our goal should be protecting victims and increasing the difficulty, risk and consequences of committing ID theft. A consolidated data repository works toward these goals.

Posted by: The real Danny Lents - | March 15, 2007 1:25 PM | Report abuse

This is a very important practical matter you are reporting on with bigger implications than just identity theft. *** Where do we start to ensure the integrity and security of the Internet, at the OS, software, hardware, law-enforcement, regulation, the business, the user? Oh, what a mess!
Great reporting and stay the steady course, please.

Posted by: egalitaire | March 15, 2007 1:42 PM | Report abuse

"You can request a freeze on your credit."

This is true only in about half of the states. In addition, the big 3 credit bureaus are trying to rescind the state laws, making it illegal to freeze your own credit.

This is a simple step to reduce the value of having your SS# stolen.

Posted by: Moike | March 15, 2007 1:59 PM | Report abuse

This is a really tiny part of the problem, but I am so tired of financial institutions sending my account number out in marketing promos - transfer balances, upgrade your credit card, etc.

Posted by: K | March 15, 2007 4:35 PM | Report abuse

Developing a common understanding of the root causes of online identity theft per the Federal Trade Commission and FINCEN statistics leads one to intellectual property issues and related regulations for the financial sector that are not being applied. Online identity theft is a circular problem beginning with the fraudulent use of trademarks in the form of domain names that are used in downstream federal and state crimes that include email spam, fake web sites and phishing sites. These, in turn, are used to attack online consumers and IT systems for access to customer identifying information resulting in identity theft losses for consumers and the banking industry. Federal regulations direct banks to implement IT Governance and to safeguard bank assets, including intellectual property, against federal and state crimes. IP owners are enacting IT Governance standards but are failing to enact IP Governance standards for safeguarding their brands, domain names and customers from emails, fake web sites and phishing sites using fraudulent domain names. IP Owners need to step forward and take ownership of their IP Governance obligations thus minimizing online identity theft attacks against consumers, IT systems and related pressures on law enforcement, profits and their reputations. No new regulations are required. By applying GLBA 501(b) and FDICIA Section 112 in safeguarding IP, IP owners can turn the tide in the cyber war, minimize the fuel enabling online identity theft thus protecting consumers online and their internet channels. Research available:

Posted by: Beckwith Miller | March 15, 2007 6:13 PM | Report abuse

I suspect BAC had a major penetration of their credit card customers because:
a. They notified me of two $400.00 prox charges that had been supposedly made but there was zero merchant info or reference info. by computerized phone.

b. It will take them several weeks to replace my card - Amex.

c. The wait time was outrageously long on the phone as opposed to the normal irritatingly long wait.

d. The BAC rep was vague re the whole mess.

Posted by: dan martin | March 16, 2007 10:52 AM | Report abuse

I would like to see an ID security system established by banking institutions where not only a "PIN number" is used but simultaneously a thumb print is scanned (also) when applying for cash or approving any transaction on Visa cards.
At the same time the thumb or finger print would be compared with the print data from a local center.
This is a simple additional procedure that the Banks can implement for increased security against identity theft, but the Banks appear too lazy to do so! (unless forced to do so).

Posted by: Andy Tarc | March 16, 2007 12:07 PM | Report abuse

I agree with the sentiments that we will not be able to fight groups outside the US very well. I know that improving security will never stop the errors people make but I do believe it will severely limit the amount of identity theft. Companies need to understand that they will have to pay significant penalties for not protecting personal information. If they realize this they may begin investing in more advanced security software and training programs.

Posted by: Michael | March 16, 2007 1:14 PM | Report abuse

Fraud crimes will continue to grow until we exploit ID KEY (memory stick) system which will make both the signature and PIN number systems reliable as follows.

ID KEY will activate printer to print ID sticker (small sticker with person's image and name printed on it) which can be attached to the document and countersigned to personalise signature. Current signature system is like passports without photos and that is why it is so difficult to deter and prosecute fraudsters. Why would anyone get tempted to misuse this system when they know that in the event of crime we will know who they are?

ID KEY will be needed to activate ATMs. Why would anyone get tempted to use stolen or skimmed cards when they know that ATM will not get activated without the use of Card Key Code stored in ID KEY?

Why are we looking for complex systems when this simple system can make fraud crimes a thing of the past?

From these details it is obvious why, rather than deterring, other systems will only divert fraud crimes to other sectors.

Details on ID KEY system are on website

Posted by: Yogesh Raja | March 18, 2007 3:47 PM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company