Susan Glasser and Peter Baker are veteran political journalists who closely covered the presidency of Donald Trump, he as the New York Times chief White House correspondent, she as a…
Guest Host: Susan Page
More than 17 million Americans reported last year that their identity had been stolen. That’s 7 percent of the nation’s adult population. Complicated passwords and aggressive virus protection are no longer enough to protect consumers. Security breaches at Target, JPMorgan Chase and the U.S. Office of Personnel Management have resulted in the theft of billions of personal records, including fingerprints. Electronic medical records are also being hacked. Diane and guests discuss how to make yourself less vulnerable to hackers and what do to if your sensitive data is stolen.
- Adam Levin Founder of Identity Theft 911 and chairman of credit.com; former Director of the New Jersey Division of Consumer Affairs; author, "Swiped: How to Protect Yourself In A World Full of Scammers, Phishers, And Identity Thieves"
- Allison Lefrak Senior attorney, Federal Trade Commission's Division of Privacy and Identity Protection
- Andrea Peterson Technology reporter, The Washington Post
- Jim Crowell Chief, U.S. Attorney's Office Criminal Division for the state of Maryland.
MS. SUSAN PAGEThanks for joining us. I'm Susan Page of USA Today sitting in for Diane Rehm. She'll be back tomorrow. Identity theft has become the number one consumer complaint filed with the federal trade commission. Having your personal data stolen and used without your permission can be frightening. But consumer advocates say you're not powerless.
MS. SUSAN PAGEWith me in the studio to talk about what you can do to protect yourself, Allison Lefrak with the Federal Trade Commission, Adam Levin with Identity Theft 911, Andrea Peterson with The Washington Post and Jim Crowell with the US attorney's office criminal division for the state of Maryland. Welcome to "The Diane Rehm Show."
MR. JAMES CROWELLThank you for having us.
MS. ALLISON LEFRAKThank you.
MS. ANDREA PETERSONThanks for having us.
PAGEWe're going to invite our listeners to join our conversation later in this hour. You can call our toll-free number, 1-800-433-8850. Perhaps you've been a victim of identity theft yourself. We'll be interested in hearing how that went for you and what you did about it. You can always send us an email at email@example.com or find us on Facebook or Twitter.
PAGEWell, Allison, let's start with the basics. How big is this problem?
LEFRAKWell, as you said, identity theft has been the number one consumer complaint with the Federal Trade Commission for 15 years running. In 2014, more than 300,000 complaints were received by the FTC with regard to identity theft. And the Bureau of justice statistics has found that 17.6 million people experienced at least one incident of identity theft last year so that's 7 percent of the U.S. population. So it's definitely a huge issue.
PAGESo 7 percent of the U.S. population in a year were a victim of identity theft.
PAGEThat's extraordinary. So Adam, not enough to have a secure password. We've had people's data hacked at company's like Target.
MR. ADAM LEVINBiggest problem now is we're living in a new paradigm and as a result of this, breaches have become the third certainty in life behind death and taxes. If you read the different reports that have come out, anywhere upwards of 1 billion files have been improperly accessed by people who were not authorized to have access to those files. So that means that literally, each of us, in our lifetime will become a victim of identity theft if not a victim of several forms of identity theft.
PAGEAnd Andrea, talk about the breach at the U.S. office of personnel management. That was a huge case. What happened there?
PETERSONYou know, the details exactly what happened the government's been a little unclear about, but we do know that over 20 million people had some very sensitive information about them compromised. We're talking about, like, potentially work history, things like Social Security numbers, but perhaps almost more alarmingly, over 5 million people, the government has said, had their fingerprints actually stolen.
PETERSONAnd that's a huge deal going forward because we're increasingly seeing that fingerprints and other kinds of biometric markers are being used to really authenticate who you are and those people will never really know now in the future if they can actually use that as a form of validation and authentication going forward.
PAGEAnd this was 20 million or more people who worked for the government now or worked for them in the past?
PETERSONCurrent and former federal employees.
PAGEOkay, so -- yes, go ahead.
PETERSONAnd people who applied for security clearances. We're talking about background check information and in some cases that could reveal, like, very intimate details, like sexual histories and drug use.
PAGESo Jim, if people aren't worried enough yet by this conversation, tell us about what's happening even with snail mail. It doesn't have to be online.
CROWELLIt doesn't have to be online. What we see is individuals doing dumpster diving where you get your ordinary mail and we all get these applications, pre-approved credit applications and people ordinarily just throw them in the recycle bin and not thinking what the consequences of that are. And, unfortunately, fraudsters, rings are taking that data and they're applying for those loans in your name.
CROWELLThey taking your data and they're exploiting all of that for their benefit.
PAGESo sometimes this data is not used by the person who stole it. It's sold to other people who want to exploit it. Adam, tell us how that works.
LEVINWell, it's done through a variety of means. A lot of it's sold on the dark web or the deep web, depending upon where they're selling it.
PAGEAnd what is the dark web?
LEVINThe dark web, it is part of the internet, but it's places that most people don't go because things aren't properly catalogued and it's not susceptible to being scanned by the spiders of the different search engines. But it's there, the deep web is really a more criminal version of it. There are card rooms there, for instance, where they sell credit card, debit card information. And they're becoming so sophisticated, they're actually selling this information by zip code, which makes it even harder for bank systems, which are looking for out of pattern spending, to be able to find out what it is, where it is and to be able to point it out to you.
PAGEGo ahead, Jim.
CROWELLAnd if I could piggyback on what we're seeing in the criminal context, individual rings will obtain that credit card information online. There are huge swaths of this data, stolen identification information in eastern Europe and in China, that is brought in and local rings then who have obtained individual information then recard and recode individual credit cards in the name and perhaps in local individuals' names, names that they've obtained through snail mail, for example.
CROWELLAnd they have these individual credit card information so they're running up that credit card information throughout the local area, running it up and then expending those funds and then you're left, on your Social Security number, with a debt.
PAGESo that happened to me a couple of years ago where our mail -- we, at that point, didn't have a locked mailbox, which we subsequently got, after the cows had left the barn. And somebody had stolen credit card offers we got, sent them in, then watched the mail for the return card, took that, ran up a bunch of charges. But I'll tell you, when we discovered this, we weren't liable for -- we didn't have to pay anything.
PAGEWe had to clean it up. We had to get rid -- to tell that there was something going on here. So what are your -- if this happens to you, what are your, legally, what are your protections? What are you obliged to pay or to do if someone's stolen your identity and gotten credit cards?
CROWELLWell, one of the things you need to do is contact the financial industry -- service's company immediately, your bank, your credit card company. Notify them of a problem. Credit cards have zero liability. Debit cards theoretically have zero liability, but it also depends upon how quickly you notify the financial institution that there's a problem. If you wait too long, you could be liable for 500. You could be liable for literally the balance of your entire bank account if thieves rifle through it.
CROWELLAnd even if the bank agrees with you, and here's the rub, with a credit card, because it's their money, not yours, you really see no interruption in your availability of credit as long as you notify them. With a debit card, money actually comes out of your account and it could take the bank a few days to get that money back again if they agree with you. And if that's money you needed for groceries or rent or mortgage or tuition, you could end up with late fees. You could have a problem.
LEVINAnd that's the real issue is the temporal concern is that too often we are not checking our ordinary credit. We are not looking at our credit reports and so, particularly vulnerable individuals, such as children, those Social Security numbers are exploited. Too often, parents aren't necessarily checking the Social Security numbers of their children and individuals will take those Social Security numbers. We've prosecuted a number of cases where individuals took that Social Security numbers of infants in Maryland and then racked up hundreds and hundreds of thousands of dollars in debt on that Social Security number to the point where that child wasn't even able to walk, but already had a terrible credit report.
PAGEWhat are the -- how do they get the Social Security numbers of infants?
LEVINWe have seen the exploitation of healthcare information. There are insiders who sometimes work at healthcare providers that take that identification information, some of our most intimate information is given to our healthcare providers, our name, our Social Security number, our blood type, our home phone, where we were born, all of that identifying information and we include some of our children's information in that and that is taken and then sold and exploited.
PETERSONYeah, you now, one of the areas that is increasingly becoming a huge deal when it comes to identity theft is medical fraud. HHS actually tracks data breaches and as of March this year, when I did some reporting on that, they had had data on 120 million people that was compromised and over 1100 separate breaches. Like, not all of those are going to be cyber attacks. Sometimes it's an employee, you know, loses a laptop that has a bunch of customer information on it.
PETERSONBut it still shows that, like, this is an area that has a lot of very sensitive information available that's not necessarily meeting the security standards that I think a lot of consumers would hope are there.
LEFRAKYes. I just wanted to piggyback on Jim's point with regard to child identity theft. Just to get an idea for the scope of the problem, a recent Carnegie Mellon Sci-lab study found that 10.2 percent of over 40,000 children in the study has someone else using their Social Security number. And one thing...
PAGE10 percent of kids have somebody else using their Social Security number.
LEFRAK10 percent of kids in this survey and there were 40,000 children included. And one of the preventative measures that we're recommending now is that for consumers who live in states that have passed a law allowing parents to proactively freeze their children's credit, that they go ahead and take advantage of that, that is in place in 18 states. And to find out whether or not you live in one of those states, you can go to the FTC's website.
PAGESo now that we've terrified everybody, we're going to come back after a short break. We're going to give people some very specific tips about what you can do to protect yourself against having your identity stolen. And we hope to hear from you about your own experiences in this area. If you've had your identity stolen, how did you handle it? What were the consequences for that?
PAGEWe'll take your calls, 1-800-433-8850. Our phone lines are open. You can always send us an email to firstname.lastname@example.org. Stay with us.
PAGEWelcome back. I'm Susan Page of USA Today, sitting in for Diane Rehm. We're talking about the problem of identity theft. The numbers are incredible. Seven percent of American adults reported identity theft in the past year. Ten percent of children in the United States have somebody else using their Social Security number. And we're joined in the studio by Allison Lefrak. She's a senior attorney with the Federal Trade Commission, with the Division of Privacy and Identity Protection. And Adam Levin, he is founder of Identity Theft 911, chairman of credit.com. He's the former director of the New Jersey Division of Consumer Affairs, and he has a new book out. It's called "Swiped: How to Protect Yourself In A World Full of Scammers, Phishers, and Identity Thieves"
PAGEAnd Andrea Peterson, she's a technology reporter at The Washington Post. Finally, Jim Crowell. He's chief of the U.S. Attorney's Office Criminal Division for the state of Maryland. So with all this expertise around the table, let's give people some tips on what they really ought to be doing to protect themselves and their families from the problem of identity theft. Let's just go around the table. Allison, let's start with you. What would you advise people to do?
LEFRAKSure, the number one tip that I would make to consumers is to remind them that they're entitled to a free credit report every year, one from each of the three credit reporting companies. So I would encourage consumers to, three times a year, order their free credit report, which they can do on annualcreditreport.com or by calling 1-877-322-8228. Order the report, read it, ensure it's accurate and contact the CRA, the credit reporting company, if you see something that's amiss.
PAGEAnd why is that a smart thing to do?
LEFRAKBecause consumers need to be proactive in monitoring their credit. It's an equal opportunity crime. Anyone can be a victim at any time. And you need to take ownership of your credit and be sure to ensure that there is nothing inaccurate that may appear on your report.
PAGEAnd so a credit report will tell if somebody has made charges, for instance, in your name that you don't recognize.
PAGEYeah, so Adam, give us a smart tip.
LEVINWell also, in just playing on what Allison said, which is very important, is your credit report can be your resume, or it can be a rap sheet, and you have a great deal of control over that, and that's why it's so important to be vigilant.
PAGEWell, how can your credit report hurt you if it's wrong?
LEVINWell, it can hurt you if it's wrong because it can show that you were late on payments when you weren't, when you in fact were on time. It can show that you're using way too much of your credit. One of the reasons why you're using too much of your credit, it isn't you using your credit. Someone has basically stolen your identity. So what I talk about in "Swiped" is that you have to really reduce this now to what I call the three M's, and that is you need to minimize your risk of exposure, and I give a list of things, you need to monitor, and there are a variety of ways to do it, and you need to manage the damage.
LEVINAnd just as a quick note, one of the very effective ways to manage the damage is there are many institutions out there right now that as part of your relationship with them, many insurance companies, credit unions, some of the smaller banks, HR departments where you work, they have a program to help people through identity incidents, but if you don't ask, you're not going to know.
PAGEAndrea, give us a tip you'd give to our listeners.
PETERSONSo mine's actually going to be about credit reporting agencies, but it is not just getting the credit reports but actually proactively freezing your credit. You can call up these agencies and say, hey, I'm not going to be applying for loans anytime soon, I don't want to have any new credit cards, I don't want any new accounts in my name. If you freeze your credit, which you can do with all, like, the three big major agencies, that will actually prevent at least one kind of financial fraud, which is new account fraud. It'll stop somebody from being able to open new accounts in your name.
PAGEAnd you decide I want to start a new credit card, I want to apply for one, then you let them know that that's actually you.
PAGESo Jim, give us a tip for something smart for people to do.
CROWELLI think everyone needs to adopt a mindset of a need-to-know approach to your personal data. I think it needs to be the way in which you approach all of your personal information. If someone is asking for -- if your bank is looking for your mother's maiden name, that's appropriate to provide them with that name, but if you get a call from somebody asking for that same information, saying they're from the bank, or they're from a credit card company, they don't need to know that information. Protect yourself from this crime.
PAGEAnd you mentioned that the state of Maryland is one of the states that has now allowed -- given parents some new tools to use to protect their kids.
CROWELLIndeed they have. In January of 2013, the law took effect, which permits parents to freeze the credit lines, essentially, on the Social Security numbers of their children. And we see that. That's been very effective in Maryland in cutting back on the risk that we have to our children, and I think one of the topics that we've discussed, as well, is that the same vulnerable victims exist in our increasingly elderly population that also need protection, as well.
PAGEAnd why are the elderly particularly targeted?
CROWELLUnfortunately as mom and dad age, sometimes the kids go and visit them. Sometimes mom and dad get busy with their kids. They're doing things, and grandma and grandpa spend less time -- they spend a lot of time alone. And so individuals who are fraudsters will target them purposefully. They will come at them, befriend them. They will obtain their information. They will divert their mail. They may not be as conscious about looking at their mail as often. They can divert their mail and have it sent to another address. And so they're not thinking about these topics as often.
LEFRAKThat's exactly right. This is Allison. The number of identity theft victims aged 65 or older increased to 2.6 million in 2014, up from 2.1 million in 2012. And one other reason that seniors are particularly vulnerable is often their Medicare number is the same as their Social Security number, and that's a number that obviously they're using frequently and disclosing to a number of people.
PAGEYou know, it's interesting, Kay from Silver Spring has just called us, making just that point. She writes, your Medicare ID is your Social Security number. That is crazy. Shouldn't that be changed?
LEVINWell, it is in fact in the process of being changed, if we live that long. The government has, they've passed a law now that over a period of time it's going to be phased out, like in the military it's being phased out, like with the health insurers they started phasing out. Unfortunately based on all the breaches of health insurers in the past year, they may have phased it out on your card. They forgot to basically mask it or encrypt it in their files, and their files were breached.
LEVINSo it's part of a process. What makes no sense is how long it's taken us to get here.
PAGEWell when I first got a DC driver's license, it had my Social Security number on it. It was only a couple years ago that that was changed to be a discrete number. But let's talk to Gene calling us from Raleigh, North Carolina. Gene, thanks for holding on.
GENEThat's my pleasure. My situation is I have a mentally handicapped son that is in his 40s, but his mental capacity is pre-teen. Now a couple years ago, he was going to work in a sheltered workshop, and the workshop deposited any pay directly into a bank account. So I went to my bank to open an account for him and gave them his Social Security number and name and all the information they wanted, and they would not give us an account because he had a bad credit check.
GENEI went home and started checking and went through all kinds of hoops to jump through with all three credit unions or credit reporting agencies, because I was not him. Now, I am his legal guardian and his father, but I could not prove that over the telephone. So I had to send certified copies of my guardianship papers, took months to get any action, and the only action I could get -- well, he was reported as living in New York with a credit card with a $700-plus outstanding balance that was over a year old, credit applications in Texas and Nevada.
GENEHe has never lived outside the state of North Carolina. He had never even visited the state of New York, much less the city. He had never visited Texas or Nevada. The only recourse that I had, the only thing I could get the credit agencies to do was to put a hold on all future applications.
PAGEAll right, that freeze that we were talking about. Now did you get this straightened out? Does he have a bank account now?
GENEI have a bank account jointly with him, but they still would not give him an account.
PAGENow that's amazing, Gene, because of course we know he was not using credit himself. Jim, you're nodding your head that his experience, and also the hoops that Gene had to go through to take care of this sound pretty familiar.
CROWELLIt does, and it's just the sad -- another sad story about what we hear too often about vulnerable victims being exploited and taken advantage of. We can -- from a law enforcement side, we look to and try to bring down these rings that are taking advantage of our -- some of our most vulnerable individuals. It sounds like this young man is just that very person, and that's a real sad story.
PAGEGene, thanks so much for your call.
LEVINThis is also one of the reasons why people should do two things, that's very important. First is they should check their accounts on a daily basis, just to make sure that every transaction they see is theirs.
PAGENow what do you mean check your accounts?
LEVINCheck your bank account, check your credit card account. The truth is you do have online access. Now if you say that's going to take a lot of time, you can do something else. You can sign up with your financial institutions and your credit card companies to what's called transactional monitoring alerts, and they will notify you for free, because it's in their best interest that you know as quickly as you can, they will notify you anytime there is activity in your account. If you see it, you'll know whether or not it was you, but that's why -- this is part of why you need to pay attention in this new paradigm because these things are going to happen.
PAGEHere's an email from Dana. Dana writes, I see advertisements for identity theft insurance online and on TV. What can you tell me about these companies? Are they successful in preventing identity theft? Are they successful in resolving and clearing someone's identity after an identity theft? I'm 34 years old, and I am genuinely concerned about it, and I want to know if paying a monthly service is worth it. Allison, are these a smart investment for people?
LEFRAKWell, I can speak to -- I'm not sure if it's the exact same thing that she's emailing about, but credit monitoring companies, many of them are legitimate companies. But the point that I'd like to make is we're seeing a lot of fraudsters in this area right now. And so people should be very careful about working with credit monitoring companies. First of all, much of what they do is things that consumers can do on their own, but if they do want assistance, they need to really be diligent before signing up with one of these companies, and some key signs that the company may not be legitimate is if they insist on payment before doing any work, or they try to tell the consumer not to contact the CRA directly.
PAGEWhat's the -- what is the CRA?
LEFRAKThe Credit Reporting Agency. Or if they -- some of them use phrases such that they'll sell you a new credit identity. So they really -- consumers need to be cautious. They need to make sure that their legal rights are explained in writing before signing up. And so just to be very careful before doing that.
PETERSONYou know, another point that I think is important to make is that these services can be very helpful for some, but they are also only going to catch when things have actually already gone wrong. So it's not going to help you sort of prevent, typically, a problem from happening. It'll just help you catch it once there's already been an incident.
PAGEAdam, do you think these services make sense?
LEVINSome of them do. Some of them don't. But there is a very helpful guide. In addition to the information on the FTC site, if you go to Consumer Federation of America has a site called idtheftinfo.org, where they have a working group that focuses on identity theft service providers. A number of them have signed up. A number of them are vetted. And they give you a list of all of the questions you should be asking and things you should be thinking about before you choose an identity theft service provider. And one of the services has to do with credit monitoring and identity monitoring.
PAGEBut Jim, I wonder, if you can do -- get all this stuff yourself for free, it's an obligation, you know, your credit card company will do it, you can put a freeze with the credit agencies, why pay a monthly fee to a service agency to do it?
CROWELLI think that's up to an individual choice. The consequences of at least not being proactive with your own identifying information are so catastrophic. We see it time and again where individuals are not, as Adam and Allison and Andrea have repeatedly said, if we have to be looking after ourselves. What we see too often is people not paying attention to their credit and then on the backside finding out that they've been the victim of identity theft.
PAGEI'm Susan Page, and you're listening to the Diane Rehm Show. We'll go take another caller, go to Mooresville, North Carolina, and talk to Dennis. Dennis, you're on the air.
DENNISWell, thank you for taking my call, Susan.
DENNISIt was quite a shock for my wife and me to find out, when we received a check that was a refund from the IRS for about $8,000, and we hadn't even filed our tax return yet.
DENNISWell, needless to say we were more intelligent than that. We didn't cash the check and then began the process of finding out that of course our identity had been stolen. And fortunately, the bank that originally was going to have that check deposited in it checked the Social Security number, which was ours, and then they changed the check and sent it to us. So whoever was perpetrating the fraud did not benefit from that.
DENNISBut one other point about culpability for financial institutions, this happened to me also. My credit card company at holiday time would send me a thing called convenience checks, and they said just take this check to your local business and buy what you want for the holidays and use this, and it'll go on our credit card. Well, that comes to my mailbox. I happened to relocate one time, and the person that moved into the rental property I left got those convenience checks and went out and spent $1,500 on my credit card.
DENNISNow I don't think the banks should be sending those out anymore. Don't know if they still do, but they can be culpable in some of these instances, as well.
PAGEThat sounds like a terrible experience, Dennis. Thanks for calling and sharing it with us. Here's an email from Elizabeth, who writes another -- about another issue with the IRS. She says, it's long and complicated, but the bottom line, I had this experience, this issue with the IRS that they are finally calling identity theft. Someone else had filed a return in my name and Social Security number. I've seen no impact on my credit report, no false charges on my accounts, nothing out of the ordinary. So why would someone file a return in my name and Social Security number?
LEVINThe real reason is because they're looking for a refund, and there are three problems that you face. One is you're waiting for your refund, it doesn't show up. The second is you press the send button, and your return is rejected because someone filed a return in your name, looking for your refund. And the third is that your Social Security number has been stolen and is being used in connection with illegal employment, and the money that's being generated, the revenue, is being reported to your Social Security number. So when you file your return, you get a deficiency notice from the IRS, saying to you that you owe way more than you thought you did because you earned way more than you reported you did because you had no idea that someone had stolen your identity.
LEFRAKWe're also seeing people who are claiming your child as their dependent. And one quick tip on tax identity theft. One thing you can do, I know it's hard, is to file as early as possible because if you file first, then you prevent a scammer from filing in your name.
PAGEAlthough it seems like there ought to be a better way to not have your tax return hijacked than having to file early. Is it safer to file on paper rather than to use the online tax filing, or does that matter?
CROWELLIt speaks to that. There are always points of compromise. The IRS' online Web is more secure than the mailings in my view. I think it's a more secure operation. But we are seeing where tax ID theft, simple schemes where two guys who are actually incarcerated obtained Social Security identifying information of children, apply for tax refunds, and they were able to get $16 million back from the IRS for wholly fictitious, fraudulent returns.
PAGEAnd these were people who were in prison at the time?
PAGEThat seems quite extraordinary. Well, we're going to take another short break. When we come back, we'll continue our conversation. We look forward to hearing your stories. Give us a call, 800-433-8850. Or send us an email at email@example.com. And we also want to continue to talk about some tips, some things you can do to protect yourselves and your family from identity theft. Stay with us.
PAGEWelcome back. I'm Susan Page of USA Today, sitting in for Diane Rehm. And we're joined in the studio this hour by Jim Crowell, he's chief of the U.S. Attorney's Office Criminal Division for the state of Maryland, by Andrea Peterson, technology reporter at The Washington Post, Adam Levin, he's the author of a new book. It's called, "Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves." And Allison Lefrak, she's a senior attorney with the Federal Trade Commission's Division of Privacy and Identity Protection.
PAGELet's go to the phones and take another caller. We'll talk to George, calling us from Annapolis. He's got a story we'd like to hear. George, please go ahead.
GEORGEHey, good morning. Yeah, this -- and really short here. I had -- I got a bill from Dell that I had bought a monitor. This is the short version. A monitor, it was $2,500. This was when monitors were very expensive. I called Dell and I said, Dell, I'd never made such -- I'd never made this purchase. So they, you know, they took my report and they asked me to call the police and make a police report. The police came to my house. The monitor had been delivered to Baltimore.
GEORGEYou know, it was proven that it wasn't mine. I never got it. So the bill was excused and I asked the police officer what's gonna happen now. And they said nothing, 'cause Dell was not going to prosecute and you have no losses. So that's it. I mean, if they don't prosecute and they go after these crimes, and most companies will just write it off. So we're all paying for this no crime/no victim situation. But that's basically it. I mean, I think that companies should be made to prosecute.
PAGEYou know, George, we had the same experience when I -- when the credit cards were stolen from our mailbox, my husband and myself. And we were, like, ready to prosecute. We were ready to prosecute them ourselves. And we had the same experience with the police just not being interested in pursuing. What's the story, Jim?
CROWELLOne of the things that we try to do, particularly on the federal level, is we have an identity theft working group that meets once a month. And we get these individual one-offs of hundreds of videos, photos of fraudsters using stolen credit information, stolen identifying information at various retailers throughout Maryland and throughout the region.
CROWELLAnd what we do is sit down and we start to piece together that analysis and put together and identify these rings. 'Cause these are rarely individuals doing off. They're usually large-scale rings, 10, 15, 20 defendants. And they are individually working off of a lieutenant who is running them for a larger crew. And so what we try to do is build a case, try and get at those larger, and really the upper-level management of these larger fraudsters.
PAGEBut does that mean it just doesn't make sense for local police to try to go after individual cases like the case that George was talking about?
CROWELLThey certainly can, but with limited resources it's difficult to assign a full -- an officer to that type of case where there's no loss.
PAGELet's go to Anthony. He's calling us from Cleveland, Ohio. Anthony, thanks so much for joining us on "The Diane Rehm Show."
ANTHONYYes, thank you. We hear a lot of information about how to protect one's self against these criminals, but I'm just curious, you know, without giving away the secrets or anything, of course, but what measures are the powers that be that are going after these criminals actually taking? What are the -- what kinds of techniques are used to try to locate these criminals?
PAGEAnthony, thanks so much for your call. Are there things that we think lawmakers should do? Are there measures Congress should pass or the president should propose, Allison, do you think, that would help address this problem?
LEFRAKWell, there is often legislation that gets proposed to address with -- to address some of these issues. Our commissioners at the FTC and our bureau director testify before Congress regularly on draft data security legislation, for example. And also the FTC did put a report in May of 2014, a data broker report, which is a commissioned report finding that data brokers are operating with a fundamental lack of transparency.
LEFRAKAnd the report recommends that Congress consider enacting legislation to make those practices more visible to consumers and give consumers greater control over the immense amount of personal information that's being collected.
PAGEAndrea, are there things that are pending to -- that -- to try to take steps by -- the government taking steps to try to address this problem?
PETERSONYou know, the government themselves is trying to look at measures to protect data within government. But it's really hard to see any sort of legislative action coming just because of the general (unintelligible) that we seem to be having.
PAGEAdam, is there anything that you think would make sense to do?
LEVINWell, there are a number of states that have been extremely aggressive, Maryland one, in terms of data protection. Massachusetts, Florida, they passed very strong data protection laws. The big concern about a lot of companies in America is you have 47 separate jurisdictions that have breached notifications laws and more and more data security laws and they can't quite figure out which one they have to follow. And each one has separate requirements. It is a legislative mess right now. And Congress doesn't seem to be helping. That's the problem.
PAGELet's -- there's a couple of emailers and callers have come up with very specific question. Here's an email from Kathleen. "I'm reluctant to use credit cards for online purchases. Does using PayPal give me a layer of protection?" Does it offer more protection than just using a credit card?
LEVINI think credit cards offer you the most protection. And, of course, more credit cards are going now to tokenization, which is the best. Where you don't have to give out the kind of information you used to have to give out.
LEVINThat's where a code is created and codes change every time that a transaction is done. There's also virtual credit cards that financial institutions use that are -- they're changing numbers. One misconception we have in this country is these new -- they were supposed to be chip and pin, now they're actually chip and signature, that even if they do help bring down fraud where cards are present, unfortunately when you shop online they don't help you because you still have to give them all the information. So we're still living in a world where the promise is greater than reality and everything is a work in progress.
PAGESo that -- we actually have a tweet from Brian that asks that, "How does the new chip/pin security protocol help prevent fraudulent charges?" It only works if you're -- it's an in-person charge, not an online charge.
LEVINIt's really card present. And it's supposed to be based on the fact that it's a change in code and that it's in -- theoretically impossible to counterfeit. But so many people are shopping online, it doesn't matter.
CROWELLIt does get to an issue though of what has historically been a point of compromise. If we go to a restaurant and we hand over our credit card to a waiter or waitress, they take it in the back. We've often prosecuted enumerable cases in which magnetic code readers are then taking an imprint of that credit card information. That information's then -- you bring back, you sign your credit card, you give them a tip, and then you move on about your way. You sign and go on. Your credit card information is then sold. And it is stolen and it's off to the races…
PAGEAnd it's by the waiters? It's not the -- a restaurant thing typically?
PAGEIt would just be -- you're saying, Andrea, sometimes it's the restaurant.
PETERSONNo. I'm saying that it's potentially anyone who's able to compromise that specific system, which may not even be an employee of the restaurant.
PAGESo should you not let -- for this particular problem of waiters stealing your information by taking your credit back, should you not allow the card out of your eyesight or what should you do about that?
CROWELLI was a waiter in high school. I hope not. I think it's part of the process. I think you're gonna have to do that. But one of the things I've seen -- I've traveled internationally this past summer and it was a new experience. In Canada they actually bring a card reader to your table, the waiter does.
LEVINLike Europe, yes.
CROWELLAnd then you actually insert the chip into that. And they were explaining -- I asked them. I was kind of curious about it. And they explained that this is the wave of the future of waiters and waitresses actually bringing the credit card reader to your table so that it's never out of your hands. You see the chip, you have your credit card, your information is inserted into this little machine. And it's -- and you -- there's no point of compromise at that.
PAGEAll right. I've seen that in foreign countries. I've never seen that here. Allison, you wanted to weigh in.
LEFRAKI just wanted to circle back to the point of, you know, what is the government doing about this? And just wanted to make the point that data breaches are really one of the leading causes of identity theft. The Identity Theft Resource Center found in 2014 that hacking incidents represented the leading cause of data breach incidents.
LEFRAKThat's 29 percent of the breaches that were tracked by the Identity Theft Resource Center. And since the '90s the FTC has been grappling with data security issues. We've brought more than 50 enforcement actions related to data security since 2001. And we're educated -- we're constantly out there educating businesses and consumers about data security.
PETERSONAnd related to this point of data security is that oftentimes the relationship now is that consumers are just having to trust whoever they're interacting with. Really, like you're giving -- whenever you have a transaction, whenever you sign up for something online, you're giving over a bunch of information about yourself. And you are really putting trust in that company that they're going to be able to secure it long term. And I think we're finding from the breaches in recent years that that trust is not necessarily earned.
PETERSONI mean, I also think it plays into one of the reasons the -- when you look at survey research about how much control consumers feel like they have about their data, it's basically none. PEW Research Center in one of their most recent reports said that 91 percent of American adults say that consumers have lost control over how their personal information is collected and used by companies.
PAGESo you talked earlier about medical information and medical records being an area that's increasingly targeted by fraudsters. So, Adam, what should you do when it comes to your medical records to try to protect them?
LEVINWell, a few things. First, when you go to the new doctor and they ask you for your social security number, don't give it to them. I mean, they have your insurance information. In many cases you can't leave the doctor's office without them getting an imprint of your credit card. I once said to a doctor, why do you do it? And he said, well, 'cause that's what we always have done. And -- or the other one was great. Well, if you die I need your social security number.
LEVINI said then call my lawyer. I'll give you my lawyer's phone number. Another thing is that when you get explanation of benefits statements, read them. The insurance company sends you, whenever there's a treatment or a procedure, read it. I mean, we had one person that we worked with, 72-year-old grandmother that on one day she was billed by two laboratories. One for a pregnancy test and two for a sperm viability test, which, you know, she was a victim of fraud and Medicare missed it. And so, you know, she worked with them. It was finally resolved. But this is the kind of stuff you have to do.
LEFRAKWe're also seeing a lot of Affordable Care Act scams now. So consumers really need to be careful and rely only on government resources when they're seeking help signing up for coverage under the ACA.
PAGEWe -- here's an emailer who asks, "How can we stop receiving new credit card offers?" Since that's one of the ways, when it comes to snail mail in particular, that you could be a victim of fraud. What can you do about that?
LEVINWell, there's a, you can go to one -- I'm not sure of all the different numbers, but there's an opt out site that you can go to where you can opt out. Also through the credit reporting agencies there are certain ways you can communicate with them and ask to opt out. If you're in military service you can get an active duty military alert, where you can opt out of receiving these pre-approved offers.
LEVINAnd in reference to that prior call we got about the convenience checks, they are the crack cocaine of the credit industry. And I say to people if you don't want to use them, if you get them, shred them immediately. Do not throw them out. Someone will use them.
PAGEYou know, I've never heard of convenience checks. This is just a way to try to get you to spend more money at Christmas, is that the deal?
LEVINWell, not only at Christmas, any, you know, if you have a home improvement you want to do, if you want to take that special vacation. They neglect to tell you when you get a convenience check, oftentimes you're paying at the cash advance rate, not at the normal charge rate. So it's way more expensive.
PAGEI'm Susan Page and you're listening to "The Diane Rehm Show." Let's go to Burlington, N.C., and talk to Greg. Greg, hi.
GREGHi. Just a quick comment and a question. Several years ago I had identity theft on my computer through phishing. It was what I thought was a homepage of my internet provider. It was actually phishing done. And they stole my social security number. And I got in touch with the internet provider and said, yeah, it wasn't us. And they suggested I get a police report, which I did. Which I submitted to the credit bureaus.
GREGNow, they tell me it was good for seven years. Two questions, what happens after seven years? Number one. And the second question is, does that, getting in touch with the credit bureaus, does that stop any applications for loans like a second mortgage or a new home, something like that?
PAGEAll right. First, Adam, explain to us what phishing is, and that to mean phishing with a P-H, not with a F.
LEVINYes. Well, and there's phishing and there's spear-phishing. Phishing is, dear card holder, spear-phishing is dear Susan. So it's a little bit more personal, but it's done as if it is a government agency or a business with whom you have a relationship. And remember that when Target and Home Depot and Neiman Marcus hacked, there were a lot of databases involved and a lot of email addresses that got out there.
LEVINSo never click on a link, never go anywhere where one of these emails tell you to go. What you need to do if you want to communicate with your financial institution, confirm the right email address and communicate with them, only operate in secure environments, flip over your credit or debit card, get the phone number on the back, call customer service. These are the kinds of things -- never authenticate yourself unless you are control of the conversation or the interaction and you know exactly who you're talking to.
PAGEJim, what about Greg's question? What happens after seven years?
CROWELLI believe -- my understanding is that credit reports then clear out the older seven-year debt at that point. If there is something that's showing up on your credit report, at that point it's extinguished.
PAGEHere's another email. Kathy, in Loveland, Ohio, asks, "I have two children, a six-year-old and an infant. How can I check to see if their social security number has been stolen or compromised?" Allison, how can you go about checking that?
LEFRAKShe can call one of the three credit reporting agencies. Actually she could contact all three of them and ask that question and get that information.
PAGEAnd we have a link on our website, drshow.org, that links -- that gives you information about those three -- three websites of the credit agencies that you can take a look at. "Please have your guests," here's another question from Tara by email. "Please have your guests suggest a legitimate place to freeze your child's credit. I live in Connecticut. I looked online. It's so confusing to find out who might be legit and who might be nefarious." So what do you recommend that they do?
CROWELLThe three credit reporting -- go each of the credit -- Experian, Transunion and Equifax. They have a method by which you can freeze your credit. You know, in the old days it used to be three days before you froze, three days to thaw, now it's almost instant. And as part of some of the credit fraud monitoring programs that's included as a feature. So just, you know, read the information, read the features, and freeze. Because freeze is the safest.
PAGEBut the basic message we're getting here is that you've gotta be very active. You've gotta be very proactive yourself if you're gonna avoid being a victim of identity theft.
LEVINAnd not only proactive for yourself. Because we have vulnerable victims that are being exploited, it's -- you need to be proactive for your children, you need to be proactive for your elderly parents or anyone in your custody or your care.
PAGELet's close with this email from Laura, in Bloomfield Hills, Mich. She writes, "I am a victim of identity theft. My social security number, name, address, and other identifying information was stolen from my doctor's computer system. The thieves opened several credit cards and at least six cellphone accounts in my name. Now I've learned that the cellphone company where the fraudulent accounts were opened has also suffered a security breach.
PAGE"Now my information has likely been stolen again. My credit was impeccable prior to these events. Now it is dropped almost 300 points. The police department report basically told me, good luck, there's not much they can do. I have spent countless hours trying to resolve this situation. It seems that there is no end in sight." This is a story you have heard before.
LEFRAKIt is. And I would actually urge her to go to identitytheft.gov, which is a new checklist style resource that the FTC has rolled out, which help people through every step of the process in recovering from identity theft. So I would strongly urge her to take a look at that.
PAGELaura, we hope things work out for you. We're sorry for all the trouble that this has meant for you, through no fault of your own basically. Well, we're out of time. I want to thank our guests for joining us. Allison Lefrak from the Federal Trade Commission. Adam Levin, author of "Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves." Andrea Peterson from The Washington Post. Jim Crowell from the U.S. Attorney's Office Criminal Division for the state of Maryland. Thank you all so much for offering your expertise today.
LEFRAKThank you, Susan.
PAGEI'm Susan Page of USA Today, sitting in for Diane Rehm. She'll be back tomorrow. Thanks for listening.
Most Recent Shows
For months it looked like Russia was waging – and winning -- a battle of attrition. But last week Ukrainian forces made dramatic gains on the battlefield, retaking vast areas…
From McCarthyism to January Sixth, best-selling author David Corn says the G.O.P has a long history of using paranoia, grievance, and tribalism for political gain. His new book is "American Psychosis."
Anthropologist Anita Hannig discusses her new book, "The Day I Die," an intimate investigation of assisted death in America.