Identity Theft: mistaken identity

Identity theft is growing at an alarming rate and victims are losing thousands of pounds. Karen Lindsay examines the trend and looks at ways you can protect yourself

Early last year, New York restaurant dishwasher Abraham Abdullah was caught after six months of swindling the rich and famous out of millions of dollars. Armed with a copy of the Forbes list of America's wealthiest people, Abdullah used his local library's computer, a WAP mobile phone and fake documents to steal the identities of celebrities, including Steven Spielberg and Oprah Winfrey, and rifle their accounts. Press reports seized on the fact that he was a high-school drop-out, and on the apparent ease with which he was able to dupe prestigious financial names, such as Merrill Lynch and Goldman Sachs.

The scam has since become a high-profile example of an increasingly serious problem - identity theft. And it's hitting the UK at an alarming rate. Government statistics released in March place the cost of identity fraud to British business and individuals at around £1.2bn a year. Cifas, the Credit Industry Fraud Avoidance System, reported a 55% increase in identity fraud in the first three months of 2002 alone, having already identified a 122% increase in 2001. In the words of KPMG's head of forensics Adam Bates, 'trust no one'.

And he should know. Bates had £3,000 taken out of his account while he was abroad and in full possession of his credit cards. 'I had to ring up the bank and say “What's going on here? Somebody has obviously managed to get a duplicate of my Switch card”. They asked me whether I had been to a petrol station recently, which is often how they think people are stealing credit or debit card details.'

In this case, Bates was a victim of card-not-present fraud (CNP fraud). According to the Association for Payment Clearing Services (APACS), this fraudulent activity cost the UK banking and retail sectors a hefty £95.7m last year. Unscrupulous characters need only a card number, sort code and expiry date in order to make extravagant internet, telephone or mail order purchases. But identity theft can be a little more sinister, and its scope is far ranging, with people opening up bank accounts, setting up loans, siphoning funds (as in Abdullah's case) and using unsuspecting victims' previously untarnished history to acquire anything from benefits to driving licences and passports.

And 'you don't have to be a hi-tech thief to do it,' Bates says. He cites a whole raft of possibilities open to determined crooks, such as diverting post, copying card details passed over in restaurants, shops and bars, or hacking into insecure websites. Fraudsters intent on stealing an identity can even obtain simple information from websites such as Friends Reunited or genealogy.com - information that will allow thieves to get past the initial security checks.

A load of old rubbish

These measures might seem a little complicated, but bin raiding certainly isn't. Criminals can get all the information they need just from rifling through people's rubbish, and Experian, the credit reference agency, says this potentially lucrative phenomenon is on the increase. In its recent survey, 75% of local authorities said bin raiding was regularly taking place in their area, and 80% of those said the problem was getting worse. In spite of this, consumers are heedlessly throwing away personal financial information and are providing fraudsters with rich pickings.

Further research by Experian found that as many as one in every five bins in Nottingham contained a whole credit or debit card number that could be linked to an individual, and 80% of these had an associated expiry date. One in every five bins contained a bank account number and sort code that could be related to the full name and address of a household member. One in six bins contained a whole utility bill, and one in four contained other official letters, many of which could have been used as a form of identity validation.

'It's staggering what people throw away in this country,' Experian's head of fraud Gareth Jones comments. 'From one bin, there was an individual's full name, address, date of birth, bank account number, sort code, employment details and medical information. This person had also thrown away a whole benefit book, utility bill and other official letters that might be used to corroborate identity. There was also significant information about this person contained in a completed passport application. Armed with this information, a fraudster could easily construct an entirely fake identity with which to defraud dozens of organisations.'

Apart from the obvious financial losses, identity theft can have far-reaching implications for the victim, as Experian spokesman Bruno Rost explains. 'It's a serious issue and it can take a long time to sort out. Not least because all the credit organisations involved are victims as well. You have to be sure that the person is a genuine victim and that can sometimes take a long time to unravel.' It also means that the victim could end up with a black mark on their credit record.

Saving your name

According to PricewaterhouseCoopers' cyber crime specialist Neal Ysart, the UK is one of the easiest places to commit fraud. However, he does believe that organisations are vigilant. 'Credit companies are fighting very, very hard to raise the public's awareness. Organisations are putting more and more stringent measures in place. They're asking more questions and are encouraging people to change their password on a regular basis.'

Barclays, for example, has moved away from the standard mother's maiden name or date of birth approach to security checks, and is probing its customers for more detailed information. Where cards could once have been intercepted in the post, the bank now asks individuals to collect them from local branches, and people who want to open an account must produce two items of identification before a customer services officer. Another measure, which banks and credit card companies are using more and more, is to examine trends in the account. For example, if an account-user is known to be a cautious spender, then the bank will flag any extravagant purchases.

The government is also taking the issue of identity theft extremely seriously. It is planning to publish a consultation paper in the next few months, which will explore a number of 'potential initiatives that could close the gap in current procedures'. The Home Office proposes making identity theft a specific offence, which - unless the perpetrator is caught fraudulently using someone else's details - has previously escaped the strong arm of the law. It also wants to set up a database of known or suspected fraudsters and to establish a database of stolen identity documents that can be checked in order to verify forms of ID.

The banking industry is looking to introduce a system whereby customers key in a PIN (personal identification number), rather than sign a receipt, after their credit or debit card has been swiped. The system has long been established in France, and, according to Ysart, has substantially reduced credit/debit card fraud. But consumers in the UK will have to wait until 2005 before this system is fully in place.

Loopholes in the law

In the meantime, there are still 'gaps in current procedures'. For example, many organisations rely on credit reference agencies Experian and Equifax to verify consumers' identities, and these agencies rely on information from the electoral roll. But a landmark High Court decision last year threw a spanner in the works, after retired accountant Brian Robertson took Wakefield City Council to court. He claimed the local authority was infringing his human rights to privacy because it had provided his electoral roll details to private marketing companies. The court found in his favour and, as a result, local authorities no longer give information to any commercial organisations, including credit reference agencies.

'With 10% of the population moving at any one time, the opportunity for people to obtain credit is far more difficult,' says Rost. 'At the same time, the opportunity to commit identity fraud is growing. People can just say they've moved address and then they present other forms of collateral ID, which can easily be faked or stolen.'

There is also the issue of organisations failing to inform individuals that their identity has been compromised. At present, there is no legal obligation for a bank to notify the victim of impersonation, yet many will register the fraud with Cifas. Cifas allows member organisations to exchange information about accounts, which means that once a 'marker' has been placed on an individual's file, it becomes increasingly difficult for that person to obtain credit.

Interestingly, head of cyber risk management at the Risk Advisory Group, Bob Fletcher, believes that the issue of identity theft has been 'over-hyped', although he does agree that the phenomenon is growing. 'This won't go down too well with the consultancy profession, which has a natural inclination to hype these things up, but my judgment is that this type of fraud has stayed at a level of intensely irritating personal crime. But there is nothing to indicate that the issue has spread to affect corporates or banks.'

Similarly, catching and prosecuting an identity thief can prove time-consuming and costly, which means that financial institutions and the police can be reluctant to pursue such criminals. 'It's a bit of a soft crime,' Rost says.

The key, then, would be for the individual to prevent identity theft from happening in the first place. Antoinette Pincott, a partner at accountants Grant Thornton, notes that organisations today appear to be handing credit out on a plate, which suggests that it really is up to individuals to be vigilant given that the reviews and checks undertaken may therefore be less than thorough. Barclays says it foots the bill in cases where fraud is identified to have taken place, and is adamant that the customer would not be asked to pay. But Rost believes this could change. 'You could argue that the customer has been slightly negligent in allowing their details to be compromised. At the moment, the consumer might pay up to £50, but more often than not, that gets waived. But with the increase in fraud, we foresee a time where the consumer will end up paying more and more. And there will be circumstances where banks and retailers will be reluctant to foot the bill.'


Protect yourself

Do
  • Check bank statements thoroughly and retain receipts. Be aware of missing statements
  • Redirect post from the day you move
  • Obtain copies of your credit file from Experian (www.experian.com) or Equifax (www.equifax.com)
  • Consider buying a personal shredder
  • Photocopy your passport or driving licence
  • Use different passwords and PINs for different accounts
  • Use the Mailing Preference Service to stop junk mail (www.mpsonline.org.uk)
Don't
  • Throw away whole receipts, bank statements, utility bills or any document that could compromise your identity
  • Allow credit/debit cards to be taken out of sight
  • Answer security questions in public areas, where you will be overheard, eg, over a mobile phone