MSN's online bill-payment service was the canary in my identity-theft coal mine. It started its cautionary whistling last week with a series of four letters I received at home over four days. First, MSN was pleased that I had signed up for its bill-pay service. Then it expressed concern that the credit-card number I had given them wasn't valid. Finally, it told me it was suspending my account. We had moved from delight to disdain and divorce in less than a week; it felt like one of my old relationships.
But there was one little problem: I hadn't opened up any account with MSN. When I called to settle the matter, they told me someone was using my name and address. I was bemused but unconcerned.
Then the phone started to ring. Another bogus account had been opened up in my name at Chase bank. And one at Wells Fargo. And another at an online bill-pay service in Ireland.
Still, I wasn't overly worried. It seemed like a prank. I knew what precautions to take. I called the three major credit bureaus--Equifax, TransUnion and Experian--and put a fraud alert on my credit report. One shock: these three companies, which make millions charging us $10 a pop to see our own credit histories, don't even offer the courtesy of a human voice on the other end of the line. I ended up recording my personal data, the very stuff I was trying to protect, on a machine somewhere in voicemail hell.
For the bigger picture, I called my MSNBC.com colleague and identity-theft expert Bob Sullivan, the author of "Your Evil Twin: Behind the Identity Theft Epidemic." One of the fake accounts opened in my name listed an address in Seattle, and Bob told me that much of the identity-theft crime concentrated in the Pacific Northwest was related to methamphetamine trafficking. I mentioned to him I wasn't too troubled by this saga. It wasn't going to cost me any money. Cleaning up the mess would take time; at worst, it would be a diversion from my ongoing investigation into the mysterious theft of my car.
Identity theft has been the fastest-growing crime in America for three years. Last year, there were 10 million victims, costing $53 billion in losses, according to the Federal Trade Commission. Some $48 billion of that was borne by the financial-services industry, which pledges to cover defrauded customers. They figure it's a cost of doing business in today's promiscuous but profitable credit environment, where Americans sign up for new credit cards everywhere from the baseball stadium to the meat aisle at the local supermarket. But I had always been careful with my personal information, ripping up receipts and encrypting my wireless Internet communications. What did I have to worry about?
After I spoke to Bob, I called my credit-card company. I asked if there were any unusual charges. Actually, there were. More than $500 worth of them. Apparently "Brad Stone" had gone on a digital binge, downloading Quicken ($69.95) from Intuit.com, Microsoft Money ($79.95) from MSN.com and ordering up $100 in credit reports from Equifax. "Brad Stone" was most profligate at Real.com, opening up three different accounts under my name and treating himself to, among other things, an online Playboy TV subscription. I hope I enjoyed it. Actually, I was becoming annoyed, not just at my lusty alter ego but at these lax e-commerce operators. I was already a Real.com subscriber under my own e-mail address. Yet someone else had signed up with my name, on the same credit card, using three suspicious e-mail addresses, like firstname.lastname@example.org . Nice fraud protection, guys.
In any event, I now knew that he had my credit card number and suspected he had my Social Security number as well. I cancelled the card and spent a day shutting down all the bogus accounts (longest wait time to talk to a real person: Intuit, 45 minutes.) Why, I wondered, is it so easy to sign up for these things yet so difficult to disentangle yourself from them? Again: it reminded me of my old relationships.
Little did I know, my troubles were just beginning. This week, I received an e-mail from a fellow named Michael in Seattle (he asked that his last name be withheld.) "I am not for a moment accusing you of any wrongdoing in any of these shenanigans," his message began. He went on to wonder if I was having any identity-theft problems. Um, funny he should ask. I called him and his saga went like this: last month, someone stole five outgoing checks from his mailbox. Apparently, they took the account and routing numbers off his checks and cooked up five fraudulent replacements, probably using check-printing software widely available on the Internet. These checks were obvious forgeries; they stated that "absence of endorsement is guaranteed," so no signature was required. One of those checks, subsequently returned to Michael, was used to pay my American Express bill for $150.
After hanging up with Michael, I took a closer look at my American Express statement; bizarrely, there was a mysterious $150 credit on my account, then a "returned check" debit 20 days later for the same amount, plus a fee punishing me for the invalid check. I called American Express and canceled that card too. Since this was looking suspicious, I decide to file a report with the San Francisco police as a precaution in case investigators came knocking on my door. Then I called identity-theft consultant Rob Douglas, who told me that the credit industry has started to talk a good identity-theft game--for example, in the amusing Citibank ads where victims speak in the voices of their ID thieves. But the actual assistance credit-card companies offer is woefully inadequate.
"There's still a wide canyon between what people think are the protections afforded them versus reality," Douglas says. The best defense is for consumers to be vigilant about their own credit reports, checking them every few months, and to hawkishly protect their personal information by shredding financial statements and keeping your Social Security number private.
Douglas also told me that California and Texas recently passed laws allowing consumers to put a total freeze on their credit reports (Vermont and Louisiana are joining the group next year). With a freeze, no one can even look at your credit report without a secret PIN code. Of course, the three credit bureaus see this as a burden and don't advertise the service. I had to visit the Web site of California's Office of Privacy Protection [www.privacy.ca.gov] to print out the letters needed to set up the freeze.
I still have more questions than answers to this caper. How did someone get my credit-card and Social Security numbers? What else does he know about me? What precautions could I have taken to prevent it? I'm sure of only one thing: I'm buying a shredder.
Personal invitation: my identity thief is welcome to write this column next week. Please e-mail me at email@example.com.