By Alex Salkever So it has come to this. On Nov. 25, federal prosecutors charged three men with operating an identity-theft ring that had stolen credit reports of more than 30,000 people -- the largest case in history. The defendants include a computer help-desk employee at a Long Island software outfit who had access to sensitive passwords for banks and credit companies. The ring allegedly emptied bank accounts, took out loans with stolen identities, and ran up fraudulent charges on credit cards.
The most appalling part of the whole mess? Most of the damage could easily have been prevented if the credit agencies adopted the common-sense practice of directly notifying individuals whenever a change on his or her report occurs, and whenever a third party accesses their credit report. Yes, it might cost the credit agencies more in overhead. But credit agencies spread such costs around to customers, banks, car dealerships, and others that pay to access consumer credit ratings. How hard is that?
GLARING HOLES. This criminal case has many security experts worried because it points up some glaring weaknesses in credit reporting. Your credit information -- in effect, your financial identity -- can easily be stolen by alert thieves with access to sensitive information. Yet, credit agencies don't share with individuals what's going on with their credit reports -- unless consumers ask. This anomaly will become a national economic issue as identity theft grows.
That's the bad news. The good news is that the solution is pretty simple. Tighten up internal handling of credit information, while making individual reports even more transparent to consumers -- in real time if possible, with password-protected access, just like banks and other financial institutions.
Truth is, identity theft remains more an offline problem. Someone steals your mail. A restaurant worker double-swipes your credit card. That's theft, pure and simple, and not the stuff of a national crisis. But when identity thieves get sophisticated and use the power of the digital revolution to leverage their operations, such fraud could become massive. Many financial institutions pull thousands of credit reports each day. And most of them have Web access to credit reports. So if a thief were able to score a password from a big bank, it would be fairly simple to write a computer program allowing someone to log in with the bank's ID and download thousands of these reports in a heartbeat.
INEXCUSABLE RESISTANCE. Identity theft's direct cost is already considerable -- police estimated that the latest ring defrauded victims of at least $2.7 million, and investigators aren't done counting. Indirect costs could be even higher in lost productivity. If the problem isn't checked, many thousands of victims over the next decade will have to take on the equivalent of a second full-time job cleaning up their credit histories. This latest case had 30,000 victims -- that's the size of Cisco Systems' workforce.
Consumers can now pay between $70 and $80 a year to receive timely e-mail updates of any activity on their credit report. An important step toward fuller disclosure, yes, but more should be done. There are three main credit agencies today -- TransUnion, Equifax, and Experian. As anyone trying to get a credit card these days can attest, credit approvals and denials are coming faster and faster thanks to high-speed data links.
A savvy thief could do a lot of damage by applying for a credit card or loan and using a report through, say, TransUnion, but not Equifax or Experian. Even if you're paying Equifax for the updates, you might not find out until it's too late. Yet, the three credit agencies have resisted creating a unified format to allow consumers to easily observe changes in any of the three profiles. If credit agencies won't act, then the federal government should step in and mandate changes.
Then, there's the issue of snail mail vs. e-mail for notifying consumers of suspicious activity involving their credit history. More than half the U.S. population now has an e-mail address, and such correspondence is free. The rest of the country could be contacted via regular mail -- an expensive process, but one that should be considered a cost of doing business.
On their Web sites, each of the three credit-reporting agencies should offer to send consumers an e-mail notification whenever their credit reports change. They could even charge a nominal fee for the service. The fees that Equifax and Experian now charge for timely updates are way too high. This shouldn't be a profit center. In the Digital Age, this should be a universally available service, just like a dial tone.
SECURING ACCESS. As I have pointed out in past columns, American Express provides an ideal model. Whenever someone makes an account change, Amex sends a letter informing its customer of it. If the customer changes address, Amex sends a letter to both the old and the new addresses. That would tip off a customer to any untoward changes. Applied to e-mail, the same principle works beautifully. Yet credit agencies don't collect e-mail addresses. That, too, should change. All credit agencies would have to do is send out letters to consumers requesting their e-mail address. A consumer response would be voluntary.
None of this is to say the credit-reporting outfits aren't concerned. Equifax played a major role in helping to break up the Long Island identity-theft ring. After years of consumer complaints and government prodding, they're allowing individuals easier access to their credit histories than ever before. But the age of ubiquitous connectivity and high-speed information movement means high-speed identity crime will likely become more damaging. The best way to combat this scourge is by making access to credit histories tougher for thieves -- and easier for individuals. Salkever is Technology editor for BusinessWeek Online and covers computer security issues weekly in his Security Net column