ChoicePoint Sting Highlights Identity Theft Issue

ChoicePoint Data Cache Became a Powder Keg (WaPo, A01)

The man on the phone called himself James Garrett. Speaking with a lilting accent, the man said he was an executive with a Los Angeles company called M.B.S Financial. He told an employee at ChoicePoint Inc. that he wanted to open an online account with the company to receive electronic reports on people.

It was the kind of request that ChoicePoint, one of the nation’s largest information services, gets all the time. Thousands of corporate and government clients rely on the company to provide them with publicly available information on people for help in hiring, fraud detection, journalist research, national security and debt collection. But the man’s call last fall was different, according to a detective’s description of the encounter and testimony presented in a later court hearing. Unknown to ChoicePoint, the caller was not Garrett, an actor in the Los Angeles area. Police said he was a con artist involved in a vast identity-theft scam that succeeded in making off with records of at least 145,000 people. The real Garrett was just another victim.

The imposter’s attempt to gain access to even more files would not only expose the scam, but spark a national outrage and congressional hearings over whether the nation’s growing commercial data industry is doing enough to guard personal information.

[…]

ChoicePoint, based in Alpharetta, Ga., has assembled a huge trove of personal data in recent years. Much of that information, such as court rulings, driver records and real estate details, comes from government agencies. The company also purchases information from the three major credit bureaus and other information services. Its ability to create and electronically transmit exhaustive dossiers on people makes it a favorite of many Fortune 500 companies, government agencies and law enforcement and Homeland Security authorities. Today, it has more than 100,000 customers and revenue approaching $1 billion, a large proportion based on the resale of details about individuals. Before granting service, ChoicePoint typically requires a photocopy of a driver’s license and business records on file with a state or local government agency. A ChoicePoint employee would then verify that such a person and company exists. Identity thieves skirted this system by using fake IDs and by setting up front companies on paper, registered with government agencies in phony names, according to court and company records.

Kevin Drum is right: this is “scary stuff.” Especially since, if the details in this story are accurate, it appears that ChoicePoint actually had a reasonably rigorous system for protecting the privacy of the data. Since time immemorial, we have made legal proceedings, real estate transactions, and other activities regulated by government “public.” One wonders whether this still makes sense.

We live in a society in which we are simultaneously anonymous and yet information on us is ubiquitous. We’re relatively anonymous because we are incredibly mobile and insular. Few of us know our neighbors, let alone most of the people in town. While that provides a certain type of privacy, it also makes identity theft much easier than if we lived in small communities generation after generation. This is exacerbated by the fact that a few key pieces of information (Social Security number, mother’s maiden name, and date of birth) are the keys to our financial lives. Since we have to give up that data simply to rent a movie, it’s a wonder identity theft isn’t more common.

In related news, it appears as though some ChoicePoint executives sold massive amounts of their stock just before news of this scandal broke. Ironically, the penalties for that will be much more severe than for potentially ruining thousands of lives.

Update (0846): Two stories on the NYT website highlight the general issue of information security.

Efforts to Hide Sensitive Data Pit 9/11 Concerns Against Safety (rss)

They are just pieces of cardboard, and they cover less than a square foot on the side of a railroad tank car. But behind them lies a post-9/11 competition between public safety and national security. For decades, emergency-response teams approaching train wrecks have peered at the signs through binoculars to see what dangerous chemicals might be leaking. But federal officials will soon decide on a proposal to remove the placards from all tank cars. Their fear is that terrorists could use them to lock in on targets for highly toxic attacks.

The idea has sparked an outcry from firefighters and rail workers, who say removing the signs could endanger their lives. They say federal officials seem more focused on guarding against a terrorist attack than on the daily threat of accidents. “There’s this feeling that you have to secure everything possible in every way possible for every possible kind of terrorist attack,” Garry L. Briese, executive director of the International Association of Fire Chiefs, said.

The dispute illustrates a growing push to mask sensitive data about the nation’s industrial base from the prying eyes of potential terrorists. In the tug of war over tank cars and other industrial information, critics question whether the move toward secrecy is overwhelming safety concerns and even chilling debates over how to eliminate the vulnerabilities. People who live near chemical and nuclear plants, dams and oil and gas pipelines complain that it has become harder to find out about disaster plans and environmental hazards, and some have sued for more information. Engineering reports have been stripped from government Web sites, and several agencies are creating new controls on sensitive information that go far beyond the wide-ranging classification system built in the cold war.

The desire to make it harder for terrorists to locate these targets is understandable, but this implementation is foolish. Far more people are likely to be endangered by accidents here than by terrorists. Aside from amateurs, terrorists are likely to do their homework, including possibly infiltrating these companies (how hard is it to get a CDL and a job driving a hazmat truck?).

In the ID Wars, the Fakes Gain (rss)

Early last month, after being shut down by the police for two days for serving underage drinkers, the owners of the West End, a Manhattan bar and restaurant near Columbia University, deployed a new weapon in their continuing battle against fake ID’s: an E-Seek scanner, a high-tech age-verification device designed to tell a real driver’s license from a fake in a simple swipe. But if the arrival of this fake-ID devourer – its manufacturer makes a similar hand-held model called the Buster – was supposed to strike fear in the hearts of aspiring beer guzzlers in the freshman and sophomore classes at Columbia, it hasn’t had quite that effect. “Within a week I could be beating the West End no problem,” said a Columbia student who claims to have forged over 400 driver’s licenses but said he stopped for fear of being arrested (and wanted his name withheld for the same reason). “If you know how to use Photoshop and a simple Epson printer, you can print ID’s in your dorm room.”

The age-old battle of wits pitting police officers and bar owners on the one hand against under-age drinkers on the other is as lively as ever, though it has entered a new technologically advanced phase. Gone are the days of the art major down the hall who was a wizard with an X-Acto knife, a stencil and some super glue. Using Internet resources and sophisticated computer graphics software, college students are forging drivers’ licenses of startlingly good quality, complete with shimmering holograms, special inks and data encoding that can fool the police and even occasionally the latest generation of scanners. To hear law enforcement officers tell it, in the fake-ID arms race the kids are winning. “They’re definitely a step ahead of us,” said Steven Ernst, the district administrator in San Diego for the California Alcoholic Beverage Control Department. “In terms of the color, the typeset and the hologram they’re real, real good. Most can’t be picked out by the naked eye.”

While getting a fake ID is a rite of passage for many young people who want no more than access to the occasional six-pack or campus pub, the potential security threat posed by forged drivers’ licenses – most prominently, the threat of access to commercial airliners – has cast the old barroom conflict in a new light. “People think of fake ID’s for buying beer or cigarettes when you’re 19,” said Sgt. William Planeta, who runs the New York Police Department’s document fraud squad. “But it has a lot of different implications in a post-9/11 world. You can use that fake ID to do all sorts of things.”

Biometric data is the most readily available solution, but of course that presents security and other concerns of its own.

James Joyner
James Joyner is Professor and Department Head of Security Studies at Marine Corps University's Command and Staff College and a nonresident senior fellow at the Scowcroft Center for Strategy and Security at the Atlantic Council. He's a former Army officer and Desert Storm vet. Views expressed here are his own. Follow James on Twitter @DrJJoyner.