What it's like to have your identity stolen
It was a four-day shopping binge across New York City that quickly racked up $30,000 in charges on Jonathan Franklin鈥檚 credit card 鈥 a haul that included clothes from Versace and gear from the Apple Store.
But Mr. Franklin, a New Jersey business executive, didn鈥檛 buy any of it.
Franklin only heard about the purchases when a fraud investigator with his credit card vendor called and and ticked off the laundry list of luxury items showing up on his account.
It took a moment for it all to register. But then 鈥渢he full magnitude hit,鈥 he said. 鈥淭his nauseous feeling of, what if I was going to be held responsible for these charges?鈥
Franklin, whose name has been changed in this story, is one of the tens of millions of Americans whose identities were stolen in recent years. Roughly 12.7 million US consumers were victims of some kind of identity fraud last year, according to Javelin Strategy & Research, a business research firm. It's a staggering number, but perhaps no听surprise as increasingly sophisticated hackers target online databases that store personal information such as Social Security numbers and bank account details. Last year, 761 security breaches听exposed听more than 83 million records, according to the听.
Aware of the dangers of identity theft, the questions started racing through Franklin鈥檚 head: Had there been 10 credit cards taken out in his name, all maxed out? And why was the fraud investigator only calling him now?
The fraud investigator said that Fidelity, where Franklin鈥檚 account was located, had repeatedly tried to reach him, to no avail. This puzzled Franklin. He and his wife had been home with out-of-town guests over the weekend. They went out to dinner, and visited New York City, but largely stayed in the house.
Then Franklin remembered that just before the weekend his daughter had tried to calling their home. Her call was transferred to an answering machine with someone else鈥檚 voice on it. All it said was, 鈥淟eave me a message.鈥
Franklin knew about the glitch but figured it was weather related. 鈥淲e didn鈥檛 immediately react and get on the phone with the phone company because, hey, who uses the home phone anymore?鈥
But it wasn鈥檛 the weather. The criminals who stole Franklin鈥檚 identity had actually called Comcast and convinced them to put in place a forwarding phone number for that home line. They had enough of his information to satisfy the typical security systems in place.
Hearing all this, his wife was scared. 鈥淪hould I be concerned,鈥 his wife asked, 鈥渇or my personal safety?
鈥淚f they have all this information 鈥 and our address 鈥 what keeps them from doing a home invasion instead of a virtual invasion?鈥 she asked.
Twenty years earlier, the Franklins鈥 home had been broken into. He and his wife were living in Ohio at the time.
They only found out about the robbery when police contacted them, saying they found pictures of their daughter in a raid on a suspected pedophile鈥檚 house. The officers later told the Franklins the suspect had likely seen playground equipment at their house and deduced kids lived there. He stole loose cash and pictures of their daughter, nephews and other kids from the top of their TV stand.
In many ways, this crime 鈥 which the Franklins missed coming, and needed someone else to point out after the fact 鈥 felt no different than the identity theft. 鈥淭hat sick feeling of, 鈥榃ow, someone knows my personal information and broke into my world and stole or tried to steal from me,鈥欌 Franklin said, 鈥渨asn鈥檛 any different getting physically robbed than being virtually robbed.鈥
The Criminal Mind
According to fraud investigators, the identity thieves who eventually stole money from Franklin started small, only gradually building up to the credit card heist.
First, they likely trolled public databases to find Franklin鈥檚 birthday, his address in New Jersey, his phone number. To do this, they could have used cheap background search tools or credit reports. They also had his Social Security number, which the thief either obtained by hacking into a database that stored this information personally, or buying it off the black market. Using this, they were able to answer Franklin鈥檚 online security questions for his home equity line of credit.
No one had noticed that first breach until the hackers submitted unusual requests to the credit union, and tried to have the statements forwarded to a new address.
When Affinity Federal Credit Union alerted Franklin, he was relieved to hear no money was stolen. But the credit union recommended he work with IDT911, a fraud protection company with a relationship to the biotech company where he works in New Jersey. With the company鈥檚 help, Franklin put a freeze on his credit and put all the security systems in place on his accounts at Goldman Sachs 鈥 including a private banker assigned to call or e-mail him if there were any unusual requests.
鈥淲e thought it was over pretty quickly and there wasn鈥檛 any real damage,鈥 Franklin said. 鈥淲e just kind of said, 鈥極K this is scary 鈥 but not that big a deal.鈥 鈥
But there was one card Franklin was supposed to close after that initial breach to his credit line in December, right before the holidays.
The credit card was linked to a college savings plan. When he spent money, the bonuses would be credited to help foot the bill for his daughter鈥檚 education instead of, say, airline miles. He hadn鈥檛 touched the card since his daughter graduated the summer before. When the initial breach happened at the credit union months before, Franklin completely forgot about it. It was completely separate from his primary accounts.
Three months later, when his guard was down, that was the card the hacker targeted. Despite Franklin鈥檚 efforts to secure his digital presence, the thieves were able to use it to buy $30,000 worth of luxury items.
When you least expect it
Fidelity quickly agreed to听cover the fraudulent credit card charges. Still, Franklin became obsessive; it took him two weeks to figure out almost all the avenues an attacker could compromise. He closed down almost all his credit cards.
Even though he never paid the $30,000, Franklin will have to worry about the consequences of his data being exposed.
鈥淚f they have your Social Security Number, your name, address and date of birth, they can do whatever they want, for as long as they want,鈥 says Adam Levin, chairman of IDT911, the company helping Franklin recover from his identity theft.
For instance, identity thieves can submit false tax returns in your name and steal refund money, or get medical care in your name. 鈥淵ou go in for an appendectomy, and are told you can鈥檛 be pre-certified for two appendectomies 鈥 somebody already did it a long time ago,鈥 Mr. Levin said, using an example from past cases. Thieves can commit crimes and give false identification, creating new victims with arrest records they don鈥檛 know about. 鈥淵ou鈥檙e driving along the road, pulled over for a busted tail light,鈥 Levin said, 鈥渁nd all of the sudden you鈥檙e surrounded by guys with guns saying, 鈥楪et on the ground.鈥欌
Franklin鈥檚 identity thief waited three months to strike his credit card after infiltrating his home equity credit line. But hackers often wait longer 鈥 even years 鈥 after an initial digital break-in to impersonate their victims. It鈥檚 part of a strategy, Levin says, to wait until people relax their monitoring of online accounts and think the threat is gone.
Franklin is deeply afraid the saga is not over. 鈥淭here鈥檚 this underlying sense of anxiety we鈥檙e still not through this. With the amount of information they have, and the skills they obviously possess, this could just be a recurring thing for, God, who knows how long.鈥
With security breaches proliferating 鈥 from Anthem health care, to JP Morgan, and retailers such as Target and Home Depot 鈥 there鈥檚 an abundance of personal information flowing to the black market. 鈥淵ou have to assume, unfortunately, that somebody鈥檚 got your information,鈥 Levin, who is also founder of听Credit.com. 鈥淎nd the truth is, once they have your Social Security number, they have an option on your life. It鈥檚 purely their decision as to when they wish to use it. Your information could have been sold, and sold again.鈥
The perfect crime
Despite the emotional toll the theft took on him and his family, Franklin was dismayed to see how the credit companies and retailers viewed identity theft as a 鈥渧ictimless crime.鈥
Going through the process to wipe the charges, Franklin came to understand the competing priorities. 鈥淢y primary concern is to protect my personal financial situation,鈥 he said. The credit card company鈥檚 concern, he said, was to get reimbursed for those fraudulent charges from the retailer. The retailer will investigate whether they met all their responsibilities. If so, their business accident insurance would kick in and cover the cost. 鈥淚t became apparent to me that everybody wants to cover their loss,鈥 he said, 鈥渁nd as long as their loss is covered they move on to [handling] tomorrow鈥檚 fraud.鈥
It is harder for Franklin to move on, however, knowing his identity thief still has control over his personal information. He asked multiple investigators about how he could help hold the thief accountable.
The investigators said he could file a police report if he wanted, but because it was not a physical attack or robbery, it wouldn鈥檛 be at the top of the police force鈥檚 list. 鈥淸The investigator said] 鈥楬onestly, most police departments are so overburdened, relatively low level white collar crime is not something that鈥檚 going to illicit a very strong response,鈥欌 Franklin said.
A police report wasn鈥檛 even required by the credit company to get the charges cleared. 鈥淓verybody was realistic,鈥 he says, about the prospects for criminal action. He鈥檚 looking into filing a complaint with the Federal Trade Commission. 鈥淏ut it鈥檚 kind of like, who am I going to accuse of the crime?鈥
There鈥檚 no business, no individual to name, Franklin notes. The police, fraud experts say, often face the same issue: These cybercriminals are incredibly tough to track, and even if found, may be outside the local jurisdiction or even the US.
鈥淚n some way, I鈥檓 seeking some sense of justice,鈥 Franklin said. 鈥淏ut it鈥檚 likely not going to happen.鈥
The silver lining, however, to the proliferation of breaches that expose people鈥檚 personal information is that there are more solutions available for consumers to protect themselves from the most damaging consequences of identity theft 鈥 from credit monitoring, fraud detection, and even instant alert services that can give potential victims warning when thieves are in the process of opening new accounts. Also, identity theft resolution services are increasingly available through insurance companies, credit unions, or through the workplace.
'It could have been anybody'
Franklin often thinks about his hacker. He empathizes with him. 鈥淗e鈥檚 clearly talented at being a thief,鈥 he says. His digital skills, clearly, are on point 鈥 and could likely earn him a legitimate job with a high salary. 鈥淲hat a shame they don鈥檛 apply that time, talent, and energy into something redeeming,鈥 he laments.
Franklin鈥檚 identity thief knows his name, his old passwords, his Social Security number, his address 鈥 enough information to hold his money and phone line captive for days.
All Franklin knows about his attacker, however, is the sound of his voice. He had called to hear the mysterious voicemail when his daughter initially told him about the phone problems. In Franklin鈥檚 mind, is his identity thief a hooded geek hunched over a computer? A sinister criminal from another country?
鈥淔rom the voice on the answering machine, it sounded just like a regular guy. It sounded like a middle-aged, gruff-sounding American guy saying, 鈥楲eave me a message.鈥欌 Franklin said. 鈥淚n some ways, that鈥檚 more disturbing, because it could have been anybody.鈥
Franklin has one regret: He didn鈥檛 leave him a voicemail, when he had the chance. 鈥淵ou can imagine what I would have said.鈥
*Names have been changed to protect the victims of identity theft
Passcode produced this package of stories听for the听 conference听on the identity economy, hosted by the University of Texas at Austin's Center for Identity.听
听
