How the Secret Service is fighting identity theft.
Identity theft grew from one million victims to 17.7 million between 2012 and 2014 — but not all of it is happening online.
For me, this story began when my identity was stolen for the third time. The first incident took place when I was in college and someone began using my ATM card halfway across the country to buy stuff at a store I’d never heard of. The second (and most serious) incident took place in my 20s, when a woman walked into a bank in New Jersey and used a copy of my driver’s license to empty my account. Then, a few months ago, someone stole my identity on Twitter, creating an account with my same name, same Twitter bio, same photo of my beloved late grandmother, and began tweeting as me.
In order to get the other Alina’s account shut down, Twitter asked me to provide proof of my identity. I scanned in my driver’s license, sent it to the ominously titled “Trust and Safety” division. All along, I couldn’t help thinking, What if they rule against me? What if they decide that I’m not the real Alina Simone…? I mean, there’s your essence — your soul, your immutable true self, etc. — but then there’s also the qualifying proof of your “identity” in the eyes of government and other institutions. And if you think about it, the two are tethered by a relatively slim cord. A few pieces of paper, really. Information that you’ve probably doled out dozens of times.
Twitter eventually decreed that I was, indeed, me and had the rogue Alina’s account shut down, but the cumulative weight of these incidents made me wonder: Am I some kind of identity slut, leaving all my bits and pieces hanging out all over the place? Am I just unlucky?
Or is this the new normal?
The man who could answer my questions about how personal information is stolen, what then happens to it and how to best maintain your identity chastity, turned out to be a recently decommissioned Secret Serviceman named Sean McCleskey.
Most people associate the Secret Service with protecting the president, his family and presidential hopefuls like Donald Trump [whose code name, you’ll be unsurprised to learn, is “Mogul.”] But even though the Secret Service was established in 1865, protecting the president didn’t become part of the agency’s mission until 1901, after President William McKinley became the third sitting president to be assassinated.
The first sitting president to be assassinated was Abraham Lincoln, the same man who created the Secret Service, albeit for an entirely different purpose: to combat counterfeiting. In 1865, counterfeit bills accounted for somewhere between a third and one half of all U.S. currency. This surfeit of fake cash threatened to swamp the supply of real money, thereby undermining faith in the entire U.S. economy. During the economic panic that followed the Civil War, powerful lobbies even urged a return to the gold standard.
In its first year, the Secret Service shut down more than 200 counterfeiting shops, helping put an end to the “Golden Age of Counterfeiting.” Its mission eventually expanded to include investigating land fraud, smugglers, mail robbers, the Ku Klux Klan, and “non-conforming distillers.” Today’s Secret Service is still busting currency counterfeiters, but has expanded its focus to include cyber security, protecting the country’s online banking system, and combating the counterfeiting of personal information: identity theft.
One could argue that in 2016, identity is money. Or at least, that every conceivable iteration of it can be converted into cash. How much does a U.S. credit card (with the track data embedded in the cvc strip on the back) sell for on the street or dark web? About $12. Counterfeit Social Security cards? Anywhere from $250 to $400. Health records? $50 per record. A social media account? Also $50. Bank account credentials? $1,000, but the price goes up depending on how much money is in the account. Oh, and a child’s ID is worth much more than an older person’s. They have virgin credit and, unlike adults, aren’t actually using any accounts.
And just like back in 1865, the sheer quantity of security breaches and mass hacks of personal records also conjures a dystopian scenario. What if one day, the number of stolen identities on the web threatens to swamp those of real and verifiable people? Could we lose our trust in the Internet? Cease sending money via PayPal? Put the kibosh on online databases of vulnerable medical, educational and governmental records? Return, so to speak, to the analog “gold standard” of information — paper?
When Sean McCleskey first joined the Secret Service in 1998, he knew financial crime would be his beat. “White collar, suit and tie” stuff, he figured.
“And then I find myself in a housing project fighting a 20 year old kid who’s hyped up on drugs. It was dangerous. It was all the time. It was going in there and hoping to God I wasn’t going to get killed.”
This was financial crime.
“When most people think of identity theft, they think, ‘Oh, it’s just paper.’ They think of a hacker sitting in his room, over in China or Russia. And that does happen — there’s plenty of very sophisticated people out there doing this — but there’s also this seedy underbelly of identity theft. And in fact, it’s this very violent, very dangerous world.”
There are different kinds of bad guys who steal personal info, Sean explains. There are hackers, who just like to “test the system.” There are foreign governments stealing for espionage purposes. There are criminal organizations intent on selling this information on the dark web. Then you have the foot soldiers of identity theft, drug addicts and former prison gang members, hustling to earn enough cash to eat each day. Theirs is the analog beat: lifting paper records from businesses, schools, medical offices, mailboxes — even prisons — and selling them piecemeal for cash.
It’s a pipeline that doesn’t stop with the first buyer. As the information gets further and further “downstream” from the original source, these stolen bits of identity become currency for other illegal activity. “I’ll sell you four credit card records for a place to crash tonight.” Or for drugs. Or for sex. Sean calls this stockpiled identity info the “thieves’ 401k plans.”
Compared to other goods that you can steal and quickly turn around for cash, personal records are an alluring alternative. Unlike dealing hard drugs or weapons, you don’t have to deal with dangerous middlemen. And being caught with someone’s dental case file is considerably less bad than getting busted with a stolen handgun. Oftentimes criminals don’t even have to go to the effort of actual stealing. Companies do very little to secure their physical archives; expired employee records often just get tossed in the trash.
So while the media hype always centers on huge data breaches like the Sony hack, companies and individuals ignore securing physical records at their peril. One recent study found that 50% of unauthorized data-disclosure incidents involved the theft of paper records.
It’s not that digital breaches aren’t a threat to consumer safety. “That’s not a good thing, nobody would say that it is,” Sean says. “But I’m a little less worried about that than if somebody steals 10 medical files out of my doctor’s office and one of those is mine, because chances are, I am going to get victimized. When they have a smaller amount of records, your chance of getting hit is much greater.”
(Medical records, by the way, turn out to be the mother lode of ID theft. The financial information is all there, but also compromising health info — think blackmail — family information, job information…)
And whereas the clients of major commercial and public institutions are often informed when an online breach occurs, victims of paperwork theft will likely never learn their records went missing. In one case involving the physical theft of credit card records from a San Antonio hotel, the police discovered members of the Aryan Brotherhood (one of the groups involved in the heist) were still tapping the same accounts eight years after the heist occurred.
Sean left the Secret Service last April to work for the Center for Identity at the University of Texas, which combines education, advocacy and research to help keep government, industry and consumers one step ahead of the rogue army of mini-mes. The Center even has its own crime lab (staffed by grad students and often redolent of stale Cheetos) that focuses on mass-hacks, things like carding rings attacking an entire network. They’ve created a video game called “Beat the Thief” to help kids avoid ID theft and a Masters of Science in Identity Management and Security program (the first of its kind in the country), and are helping companies navigate the hidden shoals of the dark web by identifying vulnerabilities in their identity ecosystems.
Despite the best efforts of groups like CoI, the problem of identity theft keeps growing. When the Bureau of Justice last released statistics in 2014, the number of Americans who had been victimized was 17.7 million, up one million from 2012. That’s 7% of the U.S. population.
Of course the future, we’ve all heard, is in sight: biometrics technology that can recognize our irises, fingerprints or faces, and rid us once and for all of password keychains. Patent applications filed last year by Apple show the company is looking to turn the iPhone’s screen itself into a fingerprint sensor. And this past October, China unveiled the world’s first face-recognition ATM, a machine that can distinguish between identical twins and can identify you whether or not you are wearing a hat or glasses. (Plastic surgery, however, would require an updated photograph.)
Bringing identity back to the body may seem like the ultimate technological checkmate to identity theft, but consumer privacy groups have grown increasingly concerned about what companies will do to secure all this biometric data. Imagine how much harder it would be to prove your identity if someone lifts, not your credit card number or Twitter passcode, but your actual fingers, face or eyes?
The U.S. Department of Congress has been trying to develop a “facial recognition code of conduct” for businesses, but last year, all of the privacy advocacy groups involved in the process, which included the American Civil Liberties Union and the Consumer Federation of America, quit en masse. When a draft of the code was released this March, the coalition slammed it as a lobbyist-driven push to implement “vague proposals without any real safeguards for biometric data.”
So while we wait to find out how biometric data will be used in the future, how do we stop Voldemort from Xeroxing our identity in the present? Well, the vast majority of personal information, Sean points out, is made public by those who own it: You. These days it is common protocol for retailers to ask for your email address or phone number at check out, information that can be whisked away on a thumb drive, along with your credit card data. And we forget how much an innocent tweet or FB post can reveal.
Take those pesky Knowledge-based Authentication questions that banks and other institutions ask you to fill out as a safeguard against theft. We tend to pick the stock questions that are easiest to remember — things like, “Where did you go to elementary school?” or “What was your mother’s maiden name?” — but the answers to these stock questions can likely be found online with little effort, through social media profiles with flimsy privacy settings, Classmates.com, or just a quick Google search.
I didn’t believe Sean when he told me this — why the hell would my grade school be mentioned on the Internet? — so I decided to do an experiment and Googled my name and “elementary school.” The answer was listed right there in the second search result.
The solution, of course, is to take an extra minute to create a unique question whose answer lies within you, not online. It’s to say “No,” to the nice checkout people who ask for your phone number rather than reflexively handing it out. It’s to “hover before you click.” It is to replace your easily recallable password with something closer to “Hfskq&%M(#!” And, if you’re Sean McCleskey, it’s to only deposit your mail inside a US Post Office. He’s caught too many ID thieves “fishing” for mail using contraptions made from cardboard and sticky-tack, or simply stealing the entire box and driving away.
Is identity theft the new normal? I hope not. All I do know is that simply being yourself has never been more exhausting.
Unhackable is an Intel Security publication on Medium.