(Illustrations by Ariel Schrag)
On Wednesday, Nov. 6, of last year, I, Raphael Kohan, walked into a Walmart in Secaucus, N.J., just beyond the Lincoln Tunnel from Midtown Manhattan. What happened inside is unclear, whether I browsed the flat-screens, test-drove a few laptops or overdosed on free samples of Red Baron Buffalo Style Boneless Wyngz. But this much is known: While at the superstore, I was approved for a Walmart Discover card with a $2,900 spending limit, on which I made $1,506.56 worth of purchases. The next day, I returned to the same store and nearly maxed out the rest.
To those who know me, including me, this behavior might seem odd. For one, I’m not a big spender, and while I don’t always show up for work at 9, 10 or even 11 a.m., I also don’t usually go on shopping sprees at Walmart during the middle of the workweek.
For instance, the following Monday afternoon, I, Raphael Kohan—but please, call me Rafi—was sitting at my desk in an office building on West 44th Street when my cell phone buzzed with an unfamiliar number.
“Hello?” I answered.
The woman on the other end, who identified herself as an employee of Macy’s, asked me, Raphael Kohan, if I were Raphael Kohan, which until that moment I had been in the habit of confidently answering “yes.” The woman’s tone became concerned as she informed me that I, Raphael Kohan, was at that very moment in one of the department store’s Florida locations trying to make a purchase on my new Macy’s card.
Of course, I suggested that she arrest me or whomever was shopping in my name. Instead, she transferred me to a man in “credit services” who asked a series of highly personal questions. I nearly blurted out the answers to his queries—my date of birth, my address, my Social Security number—before panic wore off and skepticism kicked in.
“I’m sorry,” I said, “but I don’t think I can continue this conversation.” Through the phone line, the rep seemed to shrug. Before hanging up, he mentioned that Macy’s had noticed other inquiries on my credit, by Walmart and Sears, when the store had done a credit check, which I might want to look into.
I did. Based on the Social Security number I provided to call-center reps at both Walmart and Sears, however, no accounts were showing up. This bolstered my suspicion that the Macy’s call had been a phishing attempt to extract sensitive information. (Good try, criminals!) And yet, I couldn’t help but wonder after a letter I had recently received from TD Bank, where I have an account. The letter said something about a bank employee improperly obtaining my personal information. Something about sharing it with an unauthorized party. Huh. Where was that letter?
***
Unlike offenses such as murder or armed robbery, identity theft can seem an abstraction, a “crime at a distance,” as one expert I spoke to put it. Was that why I initially ignored the TD Bank letter when it was delivered in October?
After the Macy’s call, I placed 90-day fraud alerts on my credit files, while ordering reports from the major credit bureaus, Experian, TransUnion and Equifax. I also filed a complaint with the FTC. But it was only that Friday, after returning home to a wallet’s worth of credit cards from Walmart, American Eagle and Kohl’s, plus a letter from Best Buy promising my new card’s arrival “within the next several days,” that I took my head out of the sand and realized the Macy’s call had been no phishing attempt. I’d become a statistic.
And what statistics we are! Last year, an identity was stolen every two seconds, according to Javelin Strategy & Research, which released its 10th annual Identity Fraud Report last month. Meanwhile, a recent report by the Bureau of Justice Statistics found that 7 percent of Americans 16 or older were victims of personal identity theft in 2012, more than twice the Federal Trade Commission’s previous estimates.
Those numbers are frightening, to be sure, but they aren’t authoritative. In fact, it would be impossible to nail down any definitive figures when it comes to identity crime, especially since so many folks either never realize they’ve been victimized or simply don’t bother reporting it.
The next morning, I examined the damage by signing up for two years of credit monitoring, courtesy of TD Bank. I was angry, naturally, but also confused: Why hadn’t the Walmart and Sears accounts shown up when I first called their credit-services hotlines? (I didn’t have the card yet, but Sears was right there on my report.)
Whatever the reason, I spent the next few hours on the phone with my new credit-monitoring service, pointing out the fraudulent accounts and inquiries (which are requests to view your credit and can negatively impact your credit score). While it felt good to be claiming some level of control, this was mostly futile, as the retailers handed me from one unhelpful customer-service agent to the next, while I repeated my sob story like a panhandler passing through a train:
“Hello. My name is Raphael Kohan, and I have been the recent victim of identity theft.”
“Hello. My name is Raphael Kohan, and I have been the recent victim of identity theft.”
Many of those I spoke to insisted I was not showing up in their databases, that my Social Security number was clean. But then why is there an account on my credit report, I demanded. And why am I being sent your credit cards? To which I received the vocal equivalent of vacant stares.
Adding to the strangeness of the situation was the need to use my full given first name, Raphael, which, truthfully, had always felt like someone else’s name. It was the name I used on driver’s licenses and passports, the name teachers called out on the first day of school and the name my mom screamed down the hall whenever I was misbehaving. But it wasn’t me.
Eventually, someone from Walmart connected me with GE Capital, the bank that issues the store’s Discover cards. (As I later learned, talking to anyone but the fraud department of a credit issuer is a waste of time.) I was finally getting somewhere!
And then things got weird.
***
Thanks to last year’s monster Target and Neiman Marcus hackings, data breaches have gobbled up most of the recent headlines when it comes to identity theft. The method is only one of many, though. Whether it’s by stealing your wallet, skimming your debit card at the ATM or un-shredding documents in your trash, there are seemingly endless ways to swipe your cash or otherwise masquerade as you.
The results often have a comically gruesome touch. Lisa Schifferle, an attorney with the FTC, told me a story about a pregnant woman who after having her identity stolen showed up at the hospital in labor and was turned away because, according to the hospital’s records, she had already had a baby six months earlier. Another expert, professor Donald Rebovich of Utica College, told me about a man whose identity was stolen by a sex offender, causing him to show up on sex-offender watch lists.
“I have never witnessed a more simplistic crime than stealing someone’s identity,” says Frank Abagnale, Jr., whose teenage exploits were the inspiration behind Leonardo DiCaprio’s character in Catch Me if You Can. “If I can become you, what I do as you is simply limited to my imagination.”
These days, there may be no one in America who knows more about identity fraud than Mr. Abagnale. For the past 38 years, he has worked with countless organizations, including the government, as a secure documents and fraud specialist. “I would have thought that technology would have made it more difficult, but the truth is technology breeds crime,” says Mr. Abagnale, who started writing about identity theft as a next-generation crime for the F.B.I. in 1988. “When I forged checks, I needed a Heidelberg printing press. The press cost $1 million!”
In fact, identity theft goes way back. The very first case can be traced to the Book of Genesis, when Jacob stole his brother Esau’s birthright by impersonating his hairy arms. More recently, identity crime emerged with the advent of Social Security, or so theorizes Mr. Rebovich, who also runs the Center for Identity Management and Information Protection, which sounds like an organization ripped straight from a Charlie Kaufman script. “Another landmark would be the birth of the Internet,” he says.
According to Ms. Schifferle, identity theft, which wasn’t even considered a federal crime until the Identity Theft and Assumption Deterrence Act in 1998, has been on an upward trend since the inception of the Consumer Sentinel Network, the FTC’s database of consumer complaints. “Identity theft has been the No. 1 complaint for the past decade,” she says.
In addition to increasing the ease of acquiring data and the volume of what’s available, technology has also expanded the scope of how far a victim’s information can travel and not just geographically. (We all know not to trust the Nigerian prince.) Once your identity is compromised, there’s a good chance your personal info will change hands, possibly multiple times, since so many identity thieves trade plundered data.
“The cyberunderground is rich with information,” explains Vikas Bhatia, who runs Kalki Consulting, a New York City-based cybersecurity firm. There are “carding” sites, where credit and debit card data are swapped in bulk, both domestically and to countries where U.S. law enforcement doesn’t have jurisdiction. There are Craigslist-type sites, where a criminal can request exactly whose information he’s after—say, a male from Brooklyn. And there is even an underground eBay.
“You think you’re dealing with one identity thief. In actuality, there are many of them,” says John Otero, a retired NYPD officer who went on to create BlackStorm Cyber Security.
Information swaps aren’t limited to the Internet, either. According to Mr. Rebovich, a series of recent criminal prosecutions revealed that identity thieves in Florida were throwing regular ol’ shindigs. “They would actually have little parties, where they would trade and sell information,” he says.
***
By Tuesday afternoon, when I went to file a police report at the NYPD’s 76th Precinct, I had already logged 20-plus hours talking to various reps, agents and creditors on the phone, and I was nervous how actual human beings would react to my increasingly weird tale. From the first woman I spoke to at GE Capital, I learned why I was having such trouble closing—or even locating—so many of these fraudulent accounts: The criminal, whoever he was, had changed one digit of my Social Security number. “They do look similar,” she said.
She couldn’t explain why a faulty Social Security number would have been approved, let alone appear on my credit report. She also refused to tell me this alternate number (or even which digit had been altered), even though this number was now attached to the accounts that were attached to my credit file, leaving me to deal with an ongoing maze of Kafka-esque absurdity when it came to places like Sears and Best Buy.
Without the exact Social Security number associated with those accounts, or the account numbers (since the physical cards had not yet shown up), I was unable to convince reps from either retailer that I was who I said I was: namely, me.
I was also having a difficult time dealing with TD Bank, which I felt needed to take responsibility for my predicament. When I called one Alan Nossen, a senior vice president of retail banking whose name appeared on the letter informing me of the breach, a receptionist assured me that someone from my “home” branch would be in touch. It felt like a brush-off.
Not all my interactions were so fraught. In response to one friendly overture, a woman from the credit-monitoring service confided that she had her identity stolen when she was 10, only learning about it years later when she was trying—and failing—to rent her first apartment. “I’m just now picking up the pieces,” she said.
***
“Identity theft is an easy crime to commit, unfortunately,” Mr. Rebovich says. This is partly due to advancing technologies, but also to a degree of leniency that has been baked into the system. “The dollar amounts are so great, and law enforcement is so limited,” says Mr. Abagnale, that agencies and corporations have to pick and choose whom to pursue—usually the bigger fish.
But even if they did go after everyone, they would be chasing smoke trails much of the time. “We know, anecdotally, that in many cases, people don’t know how it happened, so extrapolate from that, and there’s very little chance of catching anyone,” says Karen Barney, of the Identity Theft Resource Center, a national nonprofit that assists victims. “I was a victim in 2001, and I have absolutely no idea.”
According to Mr. Otero, who worked such cases for the NYPD, companies like Target and TD Bank might not have even notified their customers of a breach 10 years ago. “That was one of the biggest problems,” he says. “The companies would reimburse the individuals [if they came forward], but it would have just been buried and billed as the cost of doing business—and it’s a cost that’s passed on to the consumer. Totally.”
Mr. Bhatia believes educating future business leaders about the importance of cybersecurity is the answer, because so many seem to be ignoring the fact that a few dollars spent today could save tenfold tomorrow. “It’s not a revenue center,” he bemoans.
Mr. Abagnale goes a step further. “If the government said tomorrow to corporations, ‘I’m no longer allowing you to write these losses off your taxes,’ you would see a tremendous turnaround in how they put a dent in fraud,” he says. “Now, they’re not motivated, and the criminal knows that.”
As for the government, they’re even worse than the corporations, adds Mr. Abagnale. Last year alone, the I.R.S. paid out $4 billion in fraudulent tax returns. “It’s really frustrating. The government doesn’t want to spend a few million dollars on technology, but they don’t care about $4 billion of taxpayers’ money,” he says. “The criminal must sit back and say, ‘Boy, these people make my life so easy.’ I always ask myself where they were 40 years ago, when I needed them!”
***
So who’s getting fat on our systemic apathy? Pretty much everyone.
“You would think these must be some really sophisticated criminals,” Mr. Abagnale says of the I.R.S. scam. “Turns out it was just a motorcycle street gang in Tampa, Fla.” The I.R.S. only caught wind of their caper when postal carriers noticed thousands of tax returns being delivered to the same addresses and notified the postmaster.
Bikers aren’t the only ones leaving street crime behind. Heith Copes is an associate professor at the University of Alabama at Birmingham who is also affiliated with Mr. Rebovich’s Center for Identity Management and Information Protection. For his research, he has spent time interviewing identity-theft inmates. “What he found was a number of these offenders transfer their criminal life from street crime to identity crime, because they think it’s safer for them. There’s not any physical risk, and they can make more money,” says Mr. Rebovich.
In New York City, violent-crime rates are falling to historic lows while identity-crime rates skyrocket, even as District Attorney Cyrus Vance, Jr., has created a Cybercrime and Identity Theft Bureau and supported Penal Law 191, which was intended to modernize the criminalization of identity theft so that not all infractions, regardless of number of victims or amount stolen, would be seen the same in the eyes of the law. (The resolution died in committee last year.)
Critics call the current penalties for identity crime a slap on the wrist. “If I say, ‘Hey, if I give you $26 million, will you spend 18 months in prison?’” Mr. Abagnale says. “It’s nothing! There’s no deterrent.”
There is also a growing connection between identity theft and the drug trade. Mr. Rebovich says the biggest overlap exists in the use and trafficking of methamphetamine. “We’re not sure why,” he says. “There are two types of offenders. One has a meth addiction and supports that addiction by committing identity crimes. The other is actually trafficking in methamphetamine, and they steal identities so that it seems like they’re not the ones doing this.”
Is identity theft really that easy, I wonder?
“Yeah,” Mr. Rebovich laughs. “So easy a tweaker can do it.”
***
In the weeks that followed, I began to dread coming home from work, never knowing what new identity-reclaiming chores awaited in the mailbox.
Toys “R” Us. Staples. J. C. Penney. The Children’s Place. Macy’s. T-Mobile. Sony. And yes, even Target.
The web of new accounts, denied accounts, inquiries and phone numbers grew ever larger. I continued to call the retailers, banks, credit bureaus and credit monitors, scrupulously documenting every exchange, but each time I thought I had my arms around the situation, some new piece of information would arrive to show I’d been victimized again.
When I finally got someone to at least tell me which digit of my Social Security number had been changed, for instance, I discovered my credit reports had gone on the fritz, with alternate spellings of my name, and even alternate addresses and phone numbers.
Amid all this, my anger at TD Bank grew. Since the beginning of this fiasco, the bank had made the most minimal declarations of responsibility. One day, however, there was a phone call, from the branch manager assigned to my case.
“Hello, Raphael? This is Raffaele.” (That’s right—the branch manager and I had the same name.)
His offer, to compensate me for the struggle I was now engaged in for my financial future, for the loss my very identity: “Credit monitoring,” Raffaele told me. And only for three additional years.
“We like to think of ourselves as good stewards of our own ship, which makes it shocking when something happens,” says Dr. Charles Nelson, a psychologist who works with identity theft victims. “Some people lose their religious beliefs. Some lose their sense of purpose and identity—who they are.”
With any loss, he adds, grief and fear are common reactions. “No two victims are the same,” he says. “We’ve had people who were suicidal.”
To recover, do things that are rewarding and bring satisfaction, says Nelson. I mention how therapeutic I find ironing.
“Write that in your article!” he says. “It’s like that old saying: If something traumatic happens, don’t forget to sweep your porch.”
***
The turning point arrived with the Best Buy card. With that account number finally in-hand, I was escorted through the electronic giant’s customer-service labyrinth to a woman named Suzanne from Citibank’s Identity Theft Solutions, and Suzanne was the goddamn man.
For the first time, it felt like someone was grabbing the situation by the horns. Because Citibank, the credit issuer for Best Buy, works closely with TransUnion, Suzanne conferenced in a rep from that credit bureau and instructed the rep to remove all the fraudulent accounts and inquiries. Just like that. For several other creditors, she supplied me with direct lines to their fraud departments.
It was almost too easy.
Aside from a few straggling accounts, all I had left was to fill out affidavits making my fraud claims legally binding, then comb through my credit reports with each bureau, ensuring no funkiness remained.
The only problem: My Equifax report still hadn’t shown up. For weeks, I had been dialing every number for the credit bureau I could find online, but they all funneled to the same automated recording. By Googling Equifax, along with the city in which it’s based, Atlanta, however, I turned up a physical address and a new phone number. Success! When a human answered, I was soon connected with a woman named Jeanine, who assured me my report was en route and told me to be patient.
“It’s good that you placed a fraud alert,” Jeanine said then, almost as an afterthought, “but you know that’s only a minimum level of protection.”
Say what, Jeanine? My insecurities began to bubble.
“Yeah,” she continued. “We would recommend putting a lock on your file for a maximum level of protection. That’s part of a package called Equifax ID Patrol.”
But I already had credit monitoring.
“That will only protect your Experian report,” she said.
Which is when it hit me: Jeanine was trying to sell me something!
***
Throughout this process, I dealt so often with the credit bureaus, where so much hung in the balance, that I actually began to recognize their different personality traits.
Thanks to Suzanne, TransUnion was efficient and responsive. Experian was kind of ineffectual, much like its credit-monitoring service, to which I had been given membership. As for Equifax? Well, Equifax was like that absent dad who rolls into town drunk on Christmas Eve, after his family spent a decade tracking his movements, sending unrequited letters. And just when it seems like he’s back for good, ready to be a responsible husband and a loving father, he asks to borrow 50 bucks.
I cleared what felt like a final hurdle when I called T-Mobile and correctly guessed the alternate Social Security number. “Ooh, I found it!” screamed the rep. He looked through my file and described how the criminal had apparently come into one of the company’s stores with a Pennsylvania driver’s license, posing as me.
Armed with that new information, I was able to close and dispute the straggling accounts and inquiries. I still didn’t understand why they had shown up on my report in the first place, when the most basic piece of identifying data—the Social Security number—was not mine, but I actually grew to be grateful that they did.
As Mr. Abagnale explained it to me, my theft is consistent with a relatively new form of identity crime, a variation of new account fraud known as “synthetic identity theft.” (He wrote a white paper about it for the F.B.I. in 2007.) “All three credit bureaus build tolerance into their system for mistakes, for errors, for poor penmanship,” he says, meaning that when a credit application appears with your name, slightly misspelled, or an address that inverts the house number or a Social Security number that is one digit off, the computers match it to your file anyway. So the credit gets approved, even though it typically won’t appear on your credit reports, because, as he wrote in the white paper, “only entries that exactly match a consumer’s … appear on these reports.”
“This creates what we call secondary files, which may not be picked up by monitoring services,” he says, and the criminal is able to build credit on that secondary file, before inevitably defaulting. That’s when the debt typically gets sold to a collection agency, and the collection agency performs “the exact reverse process. They look through the closest match to that file, and then they’re calling you.”
ID Analytics is a San Diego-based company that does work with the Center for Identity, specializing in synthetic identity crimes. “They’re finding what they call identity fraud rings appearing in different parts of the country,” says Mr. Rebovich. “Groups of six to 12 people working together to manipulate their identities for criminal purposes.”
In some cases, he adds, these groups are actually whole families. What they can’t figure out is why so many of these groups are in the rural Southeast. “They estimate there are 10,000 to 12,000 rings in the country, with the concentration in rural areas of states like Alabama, Mississippi and Georgia,” he says. “That’s something that’s an unusual trend. But I do think you’re going to see more cases where it’s not individuals. It’s going to be groups. Not organized crime, but organizational crime or group crime.”
And while tax fraud seems unlikely to diminish anytime soon, many of the experts I spoke with predicted that medical identity fraud, which is already “huge,” in Mr. Bhatia’s words, is about to explode as a crime du jour, thanks to the HITECH Act, which stipulates that all health care providers that accept Medicare or Medicaid (an overwhelming majority) must computerize their medical data by next year or suffer financial penalties. “The small to mid-size organizations are going to be targets,” warns Mr. Rebovich, “because they may not have the funds to properly secure that information, and I think offenders know this.” (A rush to digitize without optimizing security may also be to blame for the recent tax fraud frenzy, he adds.)
“Identity theft could happen to anyone and everyone, but criminals always prey on the weak,” says Mr. Bhatia, whose firm recently produced a how-to guide to cybersecurity for the mayor’s office. “Fourteen percent of small business owners in New York will be victims of identity theft. Why? Because they have a lax security posture.”
***
Sometime after the New Year, I started to receive resolution letters in the mail. Praise be to the Credit Overlords. All the investigations were landing in my favor, and the fraudulent accounts were disappearing from my credit reports. (As of this writing, I am still haggling with Equifax over a few fraudulent inquiries.)
But the truth is it never ends.
An identity theft victim needs to remain vigilant long after the initial mess appears cleaned up. Unexpected dings to one’s credit score may materialize down the line. And you never know who else has acquired your information or how and when they might try to use it again.
As Mr. Rebovich put it, “The big part for victims can come later.”
So what can be done on an individual level to prevent identity crime? Start by ordering your free credit reports and regularly checking your bank and credit card statements. Also, be aware of how much information you share on social media. “You never want to state on your Facebook page where you were born or your date of birth,” says Mr. Abagnale.
Purchase a Microcut document shredder and/or enlist in credit (or even identity) monitoring services. And be careful how often you use your debit card. “When you’re playing with a credit card, you’re playing with their money,” says Mr. Otero. “When you’re playing with a debit card, you’re playing with your money.”
Mr. Rebovich also insists we all need to do a better job securing our smartphones. “I think you’re going to see more attacks through iPhones than home computers,” he says.
Meanwhile, should you learn that your information has leaked as part of a data breach (Target? Kickstarter?), don’t just assume you’ll be O.K.—one out of three people who received a data breach letter became victims last year, according to the Identity Fraud Study. Be proactive. Place fraud alerts on your credit files, and be extra vigilant in monitoring your accounts. You can even consider implementing a security freeze.
***
While reporting this story, I reached out again to Alan Nossen of TD Bank. I wanted to understand more about the breach. This time, Mr. Nossen agreed to speak with me but as “a consumer, not a reporter.” Mr. Nossen seemed a decent man, and he asked about my experience, where I felt TD Bank had come up short. We spoke for a while.
As for my own queries, he directed me toward the corporate and public affairs department, putting me in touch with Lauren Moyer, a public relations associate. On the phone, I ticked off all my questions but immediately sensed she would provide nothing of substance. When I asked after an internal investigation, which was mentioned in the breach letter, Ms. Moyer cut me off.
“We cannot disclose the findings of the internal investigation, because it’s a matter of privacy, for both our customers and employees,” she said.
Getting nowhere, I tried a different tack.
“Have you ever had your identity stolen, Lauren?” I asked.
“I have not.”
“Well, it stinks,” I said. And then, though I suspected she was still going to tell me nothing, I opened up to Ms. Moyer, to see if I couldn’t stir some sort of earnest interaction. I explained how, more than anything, a victim just wants to see the gears turning again, to feel like things are in order, which was why figuring out what had happened, breach-wise, might be a big step toward recovery. Would she help me?
“O.K.,” she sighed. “I can look into that for you.”
Later that day, Ms. Moyer officially replied to my queries over email, with some boilerplate bullshit:
“At TD Bank, protecting our customers’ financial assets and confidential information is important to us and something we take very seriously,” she wrote. “This was an isolated incident, and the employee is no longer with the bank. We notified impacted customers and worked with those who may have had their personal information compromised.”
I followed up, pressing her on what the bank felt its long-term responsibility was to “impacted customers.” I asked how many other “isolated” incidents there had been, since I knew eight individuals were charged last October in a separate identity theft ring that targeted TD Bank customers in New Jersey. (Also that month, TD caught serious flak for waiting more than half a year to report the March loss of two backup tapes that contained the personal information of approximately 260,000 customers.)
She replied, “We have no additional comments aside from what we provided earlier.”
And after that, silence. I tried not to take it personally.