http://www.latimes.com/business/la-fi-scam14mar14,0,2533939.story
Low-Tech Methods Used in Data Theft
By David Colker
Times Staff Writer
Executives at besieged information broker ChoicePoint Inc. have said they
had no idea how vulnerable the company was to the identity thieves who
recently tapped into personal data on 145,000 Americans, igniting a
national furor over privacy.
Chairman Derek Smith told CNBC last week, for instance, that management
"never realized the sophistication organized crime" would demonstrate in
order to access ChoicePoint files.
But documents in a criminal case against a brother-and-sister team
that pulled a similar scam several years ago suggest that penetrating
ChoicePoint's defenses could take little more than a home computer, a
fax machine and a bottle of Wite-Out.
"This is an old-fashioned kind of thing," said Deputy Special Agent
Dale Pupillo of the U.S. Secret Service, which investigates cases of
credit card fraud and identity theft. Hackers capable of stealing data
electronically increasingly pose a threat, but "this was kind of
low-tech."
That worries consumer advocates and lawmakers. Several members of
Congress have proposed laws that would require data brokers to
establish effective security systems to keep the Social Security
numbers and other confidential data they gather and store out of the
hands of fraud artists.
ChoicePoint executives declined to be interviewed for this article but
issued a statement reiterating the company's view that recent data
thefts from ChoicePoint and rival information broker LexisNexis
provide "ample proof of the seriousness and sophistication of this
type of fraud."
Both ChoicePoint and LexisNexis, a unit of Reed Elsevier, have said
they will institute new policies to ensure that only government
agencies and legitimate businesses can gain access to their data,
which are used to verify employment applications, screen credit
applicants and investigate security risks.
But it might not be wise to trust the companies to police themselves,
said Edmund Mierzwinski, consumer program director for the advocacy
organization U.S. Public Interest Research Group.
"I question whether companies [that have been] so cavalier with
confidential consumer information will really change their attitude
without tough new laws and a lot of lawsuits," Mierzwinski said.
Court documents in the 2002 case of Bibiana and Adedayo Benson who
were convicted and sentenced to federal prison shed light on what it
took to steal data from ChoicePoint and open fraudulent credit card
and bank accounts in the names of unknowing victims.
The case, which led to at least $1 million in losses, attracted no
public attention at the time. Like the most recent security breach, it
involved con artists using simple and time-tested methods to hoodwink
the data broker.
According to the court records, Bibiana Benson applied for a
ChoicePoint account in the name of Christine Lorraine Burton on April
2, 2000.
To get the account, Benson needed two things: Burton's Social Security
number and a professional or business license. ChoicePoint requires a
copy of "business or professional licensing," according to its current
application form, because information obtained from its databases may
be used only for "business reasons."
Benson had the Social Security number. (The documents don't say how
she obtained it, but authorities say there was evidence her brother
was involved in identity theft before the ChoicePoint infiltration.)
The California real estate broker's license in Burton's name was a
fake. Benson faxed the license to ChoicePoint along with the
application form.
The real Christine Burton, who was living in a small town in Indiana,
told a Secret Service investigator that she had no real estate license
and never had resided in California, and the California Department of
Real Estate said there was no license on record in Burton's name.
But it's easy to fake a document such as a real estate license if it
only has to withstand scrutiny as a fax, forgery expert James Black
said.
"Piece of cake," said Black, who has testified in many forgery
cases. "All you need is a [valid] license form, Wite-Out and a copy
machine."
Investigators discovered the fake real estate license when they
searched Bibiana Benson's home, the court records show. There is no
indication in the records whether ChoicePoint attempted to check on
the authenticity of the license.
Benson who pleaded guilty in September 2002 to a felony count of
unlawful use of identification told an investigator after her arrest
that she was working with a ring of identity thieves.
She said ring members would give her names, often taken from building
mailboxes, and that she would then do the research using her online
account with ChoicePoint, securing the Social Security numbers and
other information needed to steal people's identities.
Ring members paid $45 to $65 per record, she said. ChoicePoint
accounts given to investigators showed she examined at least 7,000
personal data files in a two-year period.
Her brother Adedayo, who pleaded guilty to three felony counts, used
the information to establish fraudulent accounts.
The first step was to rent mailboxes at private mailbox companies in
the San Fernando Valley and Beverly Hills.
Then he would apply for credit cards in the name of consumers whose
data his sister had stolen, using the mailboxes as the return address,
the court records show.
"Once I took over the box," he told investigators after his arrest, "I
just called the bank and asked them to send me a credit card to the
mailbox number. I called several banks."
He would then use the card to buy expensive goods and take out cash
advances.
The court documents detail only a few of his purchases; one receipt
from Circuit City is for two laptop computers.
Another part of the scam was producing fake driver's licenses. One
that Adedayo Benson used, complete with his picture, was in the name
of Dale Patterson.
Investigators determined that the person whose identity was lifted for
the card was a woman whose full name was Dale Veronica Patterson.
Forgery expert Black said that obtaining fake driver's licenses was
one of the least challenging jobs for the fraud ring.
"We could go over to MacArthur Park," Black said, referring to the
Mid-Wilshire area park that has long had crime problems, "and come
back about an hour later with 10 fake licenses, with pictures.
"It's an old game."
If you want other stories on this topic, search the Archives at
latimes.com/archives.
Copyright 2005 Los Angeles Times
NOTE: For more telecom/internet/networking/computer news from the daily
media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra . Hundreds of new articles daily.
*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S. Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner, in this instance, Los Angeles Times.
For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml
Marcus Didius Falco (falco_marcus_didius@yahoo.co.uk)