Mr. Chairman, members of the Subcommittee, thank you for the opportunity to address this
Subcommittee concerning the subject of identity fraud and the Secret Service's efforts to combat
this systemic problem.
My name is James Bauer, and I am representing the United States Secret Service in my capacity
as the Deputy Assistant Director assigned to the Office of Investigations of the Secret Service.
Since its inception in 1865 the Secret Service has been involved in the investigation of
counterfeit monetary instruments which affect the integrity and well being of this nation's
financial and payment systems. As a law enforcement bureau within the Department of the
Treasury, the Secret Service has remained abreast in its investigative authority commensurate
with the evolution of payment systems from cash to plastic and electronic media. The illegal use
of personal identifiers and other related data often available through electronic media has lead to
a burgeoning phenomena, often referred to, today, as identity fraud.
To combat problems relating to evolving domestic and global payment systems, the Secret
Service has investigative jurisdiction over credit card and other access device fraud, fraudulent
identification, and financial fraud involving computer access. Recent trends in criminal activity
have taught us that these crimes are often committed simultaneously and in conjunction with
other fraud related activity as well as more violent crimes. Just as in 1865 the proliferation of
counterfeit currency threatened the economy, so too in 1998 glaring loopholes or weaknesses in
our system of payments could threaten the long term well being of our financial system.
The Secret Service has broad investigative responsibilities relating to financial crimes. In this
testimony, we will concentrate on the methods through which identity theft and false
identification are being increasingly used to commit fraud. People's lives are significantly
disrupted when they become victims of identity fraud. Increasingly our system of commerce
depends on personal identification information to facilitate transactions.
Acts of stealing or interfering with the use of personal identifiers such as (social security
numbers, credit cards or personal identifications) range from simple to complex. Identifiers
have been compromised by:
Theft of identifiers for purposes of committing financial crimes
Today, some type of false identification is a prerequisite for nearly all financial crimes. It
provides anonymity to criminals and allows for the repeat victimization of the same individual
while perpetrating a variety of fraud schemes. Often, in their attempts to remain anonymous,
criminals may randomly assume the identity of another individual through the creation of false
identification documents. In these cases, the goal may not be to target an individual for purposes
of stealing his identity. Yet, by coincidence, that individual's identity has been compromised
through the criminal's use of his or her personal identifiers.
The USSS currently investigates a myriad of financial crimes relating to identification documents. In 1982, with the passage of the Comprehensive Crime Control Act, the Service expanded its investigative mission to include, the manufacturing and distribution of identification documents. The USSS routinely investigates financial crimes predicated upon the use of fraudulent documents such as:
The use of these instruments to perpetrate fraud has often evolved from the isolated use of a
single fraudulent document into the outright use of someone else's identity. Through the use of
sophisticated "desktop publishing" equipment, such as computers and color laser copiers,
criminals are easily able to create falsified documents based on someone else's identity.
False identification documents altered, counterfeit, or fraudulently obtained, are routinely used
with loan and check fraud schemes and almost all credit card fraud schemes. Ironically the
credit industry, through capital investments over the past ten years, has strengthened the integrity
of the system through security measures which effectively thwart some types of direct
counterfeiting. Thus, criminals no longer simply create names and identities, they must rely on
the identifiers of real people. The compromising of real identities has become the weakest link
in the chain in the world of financial fraud.
To address this problem the USSS has created a counterfeit instrument database to link cases of
common origin through a forensic and investigative analysis. These investigations are often
national and international in scope, but efforts are limited because they are directed primarily
towards finished documents. All too often, real people have already been victimized by criminals
who merely procure identifying data in order to apply for genuine documents, credit, or other
benefits and services.
Although various forms of identification can be used to compromise the identity of someone else, the social security number appears to be the most popular. Historically, the USSS has seen social security numbers stolen and misused for the following purposes:
The totality of identity fraud/theft involving Social Security numbers is currently unknown
because this type of criminal activity is not always reported accurately. Criminals misuse social
security numbers because the number has become a form of identification. Historically, Social
Security numbers were established as a means to coordinate payment and receipt of Social
Security benefits, and were expressly not intended to be used as a form of identification. Yet in
practice it is one of the most popular and widely used forms of identification today, and it is
unlikely this will change in the near future.
The Information Age and Identity Fraud
In a series of recent "Washington Post" articles dated March 8-10, 1998, it was reported that
personal information is being released to marketers, database managers, and other interested
parties by various uncoordinated state and local agencies. It appears that numerous Department
of Motor Vehicle Agencies (DMVS) provide personal information in the form of mailing lists.
For a fee, DMVS conduct customized searches of driver's license and car registration records,
which often contain detailed personal data to include unlisted addresses and medical conditions.
According to the same "Washington Post" article, one state agency earned approximately $12.9
million in revenue in exchange for motor vehicle agency generated mailing list information.
Criminals can also obtain information such as property deeds and court case data which often
contain personal information. This information is made available to brokers, who in turn sell it
to interested parties. These documents often contain personal data such as, unlisted telephone
numbers, Social Security numbers, physical description (height, weight etc...). Most of this
information has always been in the public record. However, access to it has been limited to
those individuals who are familiar with complicated county court indices. Now that this
information can be found on the Internet, anyone with a computer and Internet access can readily
obtain this information. Thus, information previously not commonly available to the criminal
element is now merely a keystroke away. Combined with the unprecedented value of personal
identifiers to criminals, this easy accessibility sometimes becomes a recipe for fraud.
Companies created for data mining and data warehousing, (which are designed to gather, link,
and sell personal consumer information for marketing purposes) unintentionally expose this
information to criminals. Like all businesses, these companies are profit motivated, and, as such,
may be more concerned with generating potential customers than with protecting the use of this
information from unscrupulous individuals. These data warehouses often obtain their
information from consumers themselves, who may not realize that the information they provide
in credit card applications or with the merchants they patronize, are valuable commodities in this
new age of information trading.
The "Washington Post" article mentions that there are approximately 1,000 data warehouses,
which is ten times the amount that existed just five years ago. Information brokering is here to
stay and will probably increase in the near future. The "Washington Post" also recognizes the
fact that there are few laws restricting the collection of data, and Federal agencies have only been
able to combat this problem by advising the industry to exercise due diligence.
Not all identity fraud results in direct monetary loss. The "Washington Post" article described a
situation where an individual had his wallet stolen and his identity later compromised. The
criminal who stole the wallet was later apprehended for committing additional crimes. When
questioned by the authorities, he identified himself as the individual from whom he had stolen
the wallet, and he had the identification to prove it. A criminal record was established for the
criminal in the original victim's name. As a result, the victim suffered numerous problems,
including repeated rejections by potential employers.
The article also mentioned a Secret Service case in Houston, Texas, involving an individual who applied for and received a credit bureau account. With this account, he was allowed to gain access to one of the top three credit bureaus where he downloaded approximately 500 credit reports. With this information, he committed identity fraud which incurred losses to various victims, not to mention the aggravation the victims suffered when attempting to correct their own credit histories. Unfortunately, this criminal was sentenced to only two years probation and a $500.00 fine.
IDENTITY FRAUD THROUGH THE INTERNET
I would now like to discuss identity fraud perpetrated through the Internet. Previously, I
mentioned that fraud schemes require the use of false identification documents, and they
necessitated a "face to face" exchange of information and identity verification. Increasingly,
development of the Internet has fostered the continued evolution of criminal behavior. This new
electronic medium provides an environment for unsavory characters to conduct a variety of fraud
schemes without identity documents through the use of stolen personal information. We must
realize that the Internet has vulnerabilities which can allow confidential business information and
sensitive personal information to be compromised and used in furtherance of criminal schemes.
Criminals have demonstrated their ability to obtain information from businesses conducting
commerce on the Internet. This information has been used for purposes of perpetrating account
takeover schemes and other similar fraud. It is a frightening thought that an individual can
literally take over one's credit card and/or bank account, and, as a result, their credit history,
without the subscriber knowing it.
As mentioned earlier, the credit industry, in conjunction with law enforcement, has designed and
implemented security measures which minimize the random creation of false names and account
numbers to perpetrate credit card fraud. These security measures necessitate a real name and
legitimate biographical information . Criminals recognize this and will go to any length, to
include Internet abuse, as a means of stealing the identity of someone else to commit fraud.
This was the case in an investigation into an account takeover scheme conducted by the Secret
Service which resulted in the arrest of a bank employee, after it was learned that, while working
online, using the company's Internet access code, the employee was retrieving clients' accounts,
changing their mailing addresses and sending newly issued credit cards with their true identities
to himself.
In an intrusion/extortion case the Secret Service recently investigated, individuals hacked into an
Internet service provider (ISP). This ISP provided Internet service to some 10,000 customers in
south Florida. The hacker was able to compromise the system and shut down 8 of the 10 servers
on the provider's system.
In addition to the disruption of the service, the hackers also obtained the personal information
and credit card numbers of the 10,000 customers. Communication between the owners of the
Internet company and the hackers was conducted via e-mail. Using some traditional and some
technically sophisticated investigative methods, the Secret Service was able to determine the
hackers were communicating through the compromised accounts.
The hackers sent a message, demanding $30,000 in exchange for the customer information and
security information regarding their Internet servers. The hackers demanded the money be
delivered to a mail drop located in Germany. Working with the German authorities through our
office in Bonn, surveillance was established at the mail drop. After the pickup, one individual
was arrested. Two other individuals were consequently identified and all three confessed to the
hacking and extortion.
Steps toward addressing identity fraud through the Internet should start with the Internet service
providers' commitment to provide for the security of information and transactions and avoiding
unnecessary risks.
In addition, Internet service providers should not establish and instantaneously authorize an
account or e-mail address for their customers based solely on a credit card number provided by
that customer over the telephone or transmitted via computer. The ISP should authenticate the
credit card and the user prior to allowing access. Merchants conducting business on the Internet
should know their customers, and service providers should take steps to know their merchants.
THE ROLE OF FEDERAL LAW
Traditional Federal Statutes such as Title 18, United States Code, section 1028 (fraudulent use
and production of identification documents), section 1029 (access device fraud), section 1030
(computer fraud), section 1343 (wire fraud), section 1831 (economic espionage), and section
1956 (money laundering) are currently in use to prosecute various forms of fraud.
Since the ultimate goal when committing identity fraud is to achieve anonymity and/or obtain
financial gain, the predicate offense of stealing one's identity to create counterfeit and/or
fictitious documents has gained little or no attention. The focus is usually on the ultimate
criminal objective, i.e., fraudulent identification documents, credit card fraud, bank fraud,
insurance fraud, rather than the means to the end, e.g., the act of stealing someone else's identity
to perpetrate the above crimes.
At present time, law enforcement must wait for an overt fraudulent act or creation of a fraudulent
document before it can intercede. In addition, some prosecutorial guidelines established require
an individual to possess more than one fraudulent identification document before he/she can be
prosecuted. The idea of identity theft as a violation would enable law enforcement to prevent
the fraud before it starts. It is a proactive answer to what is being handled in a reactive manner.
At the federal level this would allow for investigations and prosecutions of organized criminal
groups. This could serve as a model to state and local agencies granting relief to victims by
providing a mechanism by which to report identity theft.
Historically, the USSS has been forced to investigate these cases based upon existing federal
statutes which address fraudulent financial instruments whether they are counterfeit, fictitious,
and/or stolen. Prosecution of these offenders is often predicated upon the defendant's sentencing
exposure. In fraud cases, the sentencing guidelines are based upon dollar losses and/or attempted
dollar losses. Currently, if an individual's identity has been compromised in furtherance of the
criminal activity, that individual's victimization is not considered when sentencing is
contemplated. The fact that the perpetrator uses the identity of others, and thereby creates
additional victims, is serious enough and should be dealt with. As presently structured, the Secret
Service believes the anguish, emotional trauma, and lost time of the victim are not factored in
when addressing the consequences of identity fraud cases.
CONCLUSION
Although the Secret Service does not have all the answers in solving identity fraud, the following
three pronged approach to combat fraud may prove useful when dealing with identity theft.
As mentioned earlier, various businesses have resorted to accepting credit cards and checks in
lieu of cash payment for goods and services. Problems begin when businesses fail to exercise
due diligence in knowing their customers. Many criminals take advantage of this loophole and
perpetrate a crime predicated upon fraudulent identification. These businesses need to have
more diligent procedures when verifying the information that is backing the financial instrument
being used.
Industry (financial community) entities involved in commerce where identifiers or credit is
issued need to protect identifiers from being misused.
In addition, credit card companies and credit card issuing banks need to know their merchants. Many times fraud is perpetrated by collusive merchants who seek the opportunity to defraud customers by obtaining the personal identifiers and credit card account numbers generated during a transaction at the point of sale terminal. These collusive merchants then exploit these victims by either using their personal and/or credit card account information or by selling the information to others who will commit fraud.
Various programs addressing these issues are already commonly in place and it is in the best
interest of banks, merchants, etc... to monitor and strengthen those programs to prevent losses.
But more consideration and security need to be added at the beginning of the chain; verification
that the presenter of biographical information is indeed, the owner.
It is likely that the private sector will revert to some form of positive identification to ensure
entry into commerce is granted legitimately. Technical solutions may be difficult in the short
run. In the interim, other steps must be taken to secure and verify information. The credit and
reporting industries have shown an ability born out of necessity, to devise elaborate and effective
programs to protect their interests. But they still need to safeguard existing information in order
to protect the well-being of the general public. The private sector must assume a more active role
in this arena. If voluntary compliance does not evolve, regulatory action should be examined and
considered. This is a legitimate concern of Government because our financial system depends on
a safe, reliable system of payments.
In conclusion, in our research, we have not found sources able to accurately define the volume of
identity fraud; however, anecdotal information from all sources indicates it is prolific.
We do not believe, nor are we in the business of, inhibiting the free flow of information, so
important to a free society. We do believe that those identified as using personal information for
nefarious purposes should be subject to punishment commensurate with the crime. The concepts
of criminal prosecution for the perpetrators, restitution for victims, and ethical responsibility for
those earning a living through the use of personal information are noble goals.
As I have previously said, the financial losses that have been suffered by individuals, financial
institutions, and private corporations as a result of these criminal schemes, appear to be steadily
increasing. The emotional toll on the lives of those whose identity has been compromised cannot
be fully accounted for in dollars and cents. At this point, that anguish and frustration may have
more value than the dollars lost. Just as our system of commerce has evolved and changed in
the past fifty years, so too must the rules governing conduct in our society change. We urgently
need to recognize and assign a societal value to personal identifiers, just as there is now value
assigned to those items by the criminal element.
Accordingly, the Secret Service will continue to aggressively pursue investigations in this area.
This concludes my prepared statement. I would be happy to answer any questions that you or any other member of the subcommittee may have.