Grand Theft Identity

Once records are stolen, they are passed on or sold in fleeting digital dark alleys--chat rooms or instant-messaging sessions where transactions are quickly, stealthily enacted. Sometimes the crooks are sufficiently brazen to post their offerings on Web sites that are sort of fraudster eBays. At one site posted by a member of the Shadowcrew organization (which was shut down by the Feds last year in the biggest ID-theft bust to date, code-named Operation Firewall), $200 gets 300 credit cards without the CW2 security codes printed on the back of the card. If you want card numbers with the security code, it will cost you $200 for 50 of them. If you want the fraudster equivalent of a Happy Meal--a card packaged with the owner's Social Security number and date of birth--that will cost you $40 apiece.

After fraudsters buy the purloined numbers, they commonly use them to grab goodies as fast as possible. It's kind of a high-tech form of supermarket sweepstakes, where the crook keeps stealing until the fraud-management software of the credit-card companies kicks in. "The method is smash-and-grab," says Cybertrust VP Bryan Sartin. "The turnaround time is amazing."

As bad as the recent exposures have been, they may well wind up helping spur some very long-needed reform. Though identity theft is a devilishly difficult crime to fight, the key to fighting these huge cyber-raids is making the databases that hold our private records more secure. "We have not built a culture of strong security around our data," says FTC chairman Majoras, and a big reason is that the companies charged with safeguarding the information don't suffer the consequences when it's compromised. For instance, ChoicePoint CEO Derek Smith got a $1.8 million bonus for the company's performance last year--after it sold the information to thieves. And credit-card firms that use CardSystems are continuing to work with the company. "They've been extremely cooperative in working with us and other entities to address the vulnerabilities in their system," says MasterCard spokesperson Sharon Gamsin.

Sen. Dianne Feinstein is sponsoring a bill that would set a national standard for mandatory disclosure when consumer rec-ords are compromised. (The American Bankers Association opposes it: "Unnecessary warnings could create a cry-wolf attitude," says the lobbying group's John Hall.) But that's only a first step. "The notification law works by shaming the companies, and while that can be a good incentive, it's dependent on publicity," says Bruce Schneier, founder of the Counterpane security firm. "Since we're seeing so many big breaches, there's a higher standard for something to be newsworthy."

A stronger solution would make the companies liable for its failings. Sens. Charles Schumer and Bill Nelson hope to pass a bill that, among other things, would slap fines on companies that lose records. Other approaches would invoke penalties if companies did not follow what are known as best practices in protecting information, like regular security audits and use of encryption. (White House Press Secretary Scott McClellan says ID theft "is a major issue for the administration," but while the president did sign legislation for tougher sentencing of credit-card crooks, the Bush team has not thrown its support behind efforts to force tighter security on the handling of personal data.) If Congress doesn't do it, maybe the legal system will; a class-action suit is underway in the ChoicePoint breach, and Melvyn Weiss (famous for his stock-fraud litigation) says "the phone has been buzzing" with potential clients whose secrets were lost by corporations. In general, anything that increases the cost of losing information to the company, as opposed to the consumer, would give firms an incentive to protect consumer secrets as closely as they do their cash. (Government databases should also be fortified; an April GAO probe found that the IRS's computers were vulnerable to data thieves.)

Identity theft would also be more difficult if companies weren't so dependent on using people's Social Security numbers, the skeleton key for ID crooks. "It was never meant to be an identifier to the general public," says Rep. E. Clay Shaw Jr. of Florida, who for the fourth time is introducing a bill to limit its use. And Senator Feinstein would like to give consumers the power to keep their records out of databases. "Companies have no right to use your personal data without your permission," she says. Industry advocates claim that this would severely slow down the rapid pace of commerce we're accustomed to, but the "opt-in" approach is the law in Europe.