Identity Theft Gets Personal

When a Debit Card Number Is Stolen, America's New Crime Wave Hits Home

By Nancy Trejos Washington Post Staff Writer Sunday, January 13, 2008; F01

It had been a pleasant Saturday afternoon until I got the dreadful cellphone call. The woman on the other end said she was from Bank of America. I immediately thought she was going to offer me another credit card. I told her I was busy.

Wait, she said. Are you at a Pacers Running Store in Arlington trying to buy $812.18 worth of merchandise?

No, I said.

Someone claiming to be you is there doing just that, she told me. My heart raced. The rent was due soon -- this was not a good time for money to disappear.

Suddenly I was a personal-finance writer whose finances were a mess thanks to an identity thief.

I took solace in the fact that millions of other people have had the same sinking feeling. In fact, 8.3 million, or nearly 4 percent, of American adults were victims of identity theft in 2005, according to the latest figures from the Federal Trade Commission, which enforces identity theft laws. Of those victims, 1.8 million had accounts opened or other types of fraud committed with stolen information. The rest had their credit cards or other financial accounts hijacked.

It is one of the nation's fastest growing crimes, so pervasive that President Bush has established a task force to combat it. That group issued recommendations last year, including reducing the unnecessary use of Social Security numbers by federal agencies and creating a National Identity Theft Law Enforcement Center to help local agencies coordinate investigations. Federal lawmakers also have taken notice, introducing legislation to protect Social Security numbers.

"Unfortunately, the way things are set up today, there is way too much information available in way too many places," said Adam Levin, chairman of Identity Theft 911 and a former director of New Jersey's Division of Consumer Affairs.

Theft Trail Leads to Debit Card

While there is much the federal government can do, and much the private sector should do, I realized that there was also much that I could do to better protect myself. I set out to figure out how this happened and how I could keep it from happening again.

In my case, it was a debit card that was compromised. In my unsuccessful quest to keep myself debt-free, I avoid using credit cards whenever possible. So I end up using my debit card for purchases big and small. That way, I have reasoned, I am spending money I actually have. When I want to indulge in a new purse or treat a friend to dinner or buy a latte, I whip out the debit card. Apparently, that's not the wisest thing to do if you want to protect your bank account.

I also learned that if someone fraudulently uses your credit card, you are reimbursed for nearly all the money lost. That may not be so with a debit card, especially if you do not notice it right away. According to the Electronic Fund Transfer Act, your liability is capped at $50 if you notify your bank in the first two business days. After that, you could lose up to $500. If you wait 60 days, you could lose it all. "You are more protected with credit cards than debit cards," said Levin, whose San Francisco company specializes in identity-theft prevention and consumer education.

Luckily, Bank of America seemed willing to work with me. During that initial, alarming phone call, the employee put me on hold while she talked to the Pacers Running Store merchant. The store clerk had grown suspicious when a woman showed up to pick up a phone order and could not produce the debit card. The clerk called my bank.

While waiting on the line, I looked in my wallet -- and there it was: my debit card, supposedly safe and sound. I then went onto Bank of America's Web site to check my account. There was an $812.18 charge pending. The bank employee clicked back to me. She said the transaction had already gone through even though the suspected thief ran out of the store without taking the merchandise. Don't worry, she said. I would get my money back in a few days.

I started to relax. Then the bank employee told me something else that put me back in a panic. The impostor had an awful lot of information about me, she said: my full name, address, phone number, even the security code on the back of my debit card. Could it be someone I know? she asked. An ex-boyfriend?

Great, I thought, it's bad enough that some of my exes did what they did to become my exes. Now they might be robbing me too?

She asked me if I wanted my debit card canceled and reissued with a new number. I did.

File a Complaint, Request a Fraud Alert

She then instructed me what to do next. I learned that because the thief had so much of my information, she might be able to open other accounts in my name. First step: File a complaint with the FTC and call one of the three credit bureaus -- Equifax, Experian and TransUnion -- to request a fraud alert.

I thanked the bank employee and proceeded to figure out how to clean up this disaster. I got online and looked at the balance in another bank account I had. Well, at least, I could cover the rent.

But I couldn't shake that uneasy feeling. Brian Lapidus, chief operating officer of Kroll Fraud Solutions of Nashville, summed it up well. "That's a pretty scary feeling if someone was in your space. What's more personal [than] your identity?"

I filed the FTC complaint, which I would need to present to the police, the FTC Web site informed me. I then sought the fraud alert. This measure would require creditors to take extra steps to verify my identity, such as calling me or asking to meet me in person, in case my impostor tried to open credit cards in my name.

To place a fraud alert, you only have to contact one of the three credit bureaus. In turn, the agency you contact will contact the other two. I called Equifax. The automated system asked me to key in the numeric portion of my address, my phone number and other identifying information.

Then I had to decide whether I wanted the alert to stay on for 90 days or for seven years; both options were free. Ninety days didn't seem a long time to me and seven years seemed too long. Steven R. Katz, a spokesman for TransUnion, said few people request seven-year alerts because that can be a hassle. "You put it on four years ago when you thought you had a problem and four years later you have absolutely no problems and you're at a car dealership trying to buy a car, and you've forgotten about it," he said.

David Rubinger, a spokesman for Equifax, said I could keep extending the 90-day alert.

There was another option: a security freeze, which all three credit bureaus started offering recently. With a freeze, creditors cannot access your credit reports or scores unless you ask that the freeze be lifted. A security freeze is free if you have a police report proving that you are a victim. If you are not a victim, fees vary by state for the cost to freeze and thaw your report. Unlike the alert, you have to contact each credit bureau to request a freeze.

Considering that I feared even committing to a seven-year alert, I decided against a freeze. Instead, I chose the 90-day alert. Safeguard Credit: Monitor Reports

One simple way to protect your credit reports is to monitor them regularly, even if you have not been a victim of fraud, said the experts I consulted. Credit bureaus and other private companies have monitoring services that range in price, but you can also do it on your own. Ordinarily, we are all entitled to one free copy of our credit report from each bureau once a year. (Experts say you should ask for your report from each bureau at different points in the year, not all at once, so you can get a snapshot of your credit history snapshots over time.) As a fraud victim, you are entitled to one more free copy once you request an alert. I assumed that the report would be automatically sent to me. Not so. I had to call back each credit bureau to specifically ask for a report.

Why the extra step?

"Some people already have their copies by the time they put the alert on," said Maxine Sweet, vice president of public education for Experian. Plus, she said, some people simply don't want their report.

I was not one of those people even though, as one expert pointed out, any misuse of my debit card would not show up on my credit report.

Once I got that out of the way, I decided to play detective. The bank said my impostor had given the store a phone number.

I enlisted a friend to call the number. A woman picked up. "Do you know a Nancy Trejos?" my friend asked. The woman said no.

Is this your phone? he asked. "My son just bought this cellphone. He's 11 years old."

Did anyone come home with several pairs of new sneakers recently?

"I don't even know what you're talking about," she said.

We gave up after a few more questions.

How to Minimize Risks

The next day, a Wednesday, I visited the police. The FTC Web site warns that some police stations are not willing to take identity theft reports. But at the Arlington police station, I met Officer Garnell Stewart, who was eager to hear my story. It all started, I told him, with the Bank of America phone call.

Stop right there, he said. Did the woman ask for any information, such as the personal identification number for my debit card? Did she ask for a Social Security number?

I remembered her asking for the first three digits of my Social Security number but not my PIN.

He asked: How did I know she was really calling from the bank? The next time, he said, ask the person if you can call him or her back and call the phone number on the back of your card. "You just never know," he said.

I felt so dumb -- but it turned out I was lucky. The woman really was calling from Bank of America.

Stewart gave me other tips. Don't carry too many credit cards, debit cards or other information with personal information in my wallet. Don't use the debit card so much. If you need to use a debit card, have one with a small amount of money in the account to minimize how much of cash can be stolen. Use a marker to write a note on the back of your card asking that the merchant request an identification card. And think about asking your bank for a new card number every couple of years.

But after talking to a few other experts, I realized that there is only so much you really can do.

"There are lots of ways that consumers can minimize their risks but I would hesitate to say that someone can completely immunize themselves from identity theft," said Betsy Broder, assistant director in the FTC's Division of Privacy and Identity Protection. "That's because you're not the only one who has your data."

10% of Victims Lose at Least $1,200

Back at the police station, Stewart said a detective might follow up with me -- or not.

I was on my way to moving on when, a few weeks later, I got a surprising phone call from a Fairfax County detective.

She said she had found someone in possession of my debit-card number while conducting another investigation. As far as I know, it was not one of my ex-boyfriends.

She asked me to think back to all the places I had used my card. Safeway maybe? As a single, working woman, I don't cook. The last time I had been to a supermarket, frankly, was to buy bags of ice for a party. A doctor's office? I e-mailed her my bank statement so she could see where I have used my card.

Late last month, I received a call from another detective. The police might be close to charging at least one person in my case, he said. Both detectives asked me not to write much more about the investigation because it was ongoing.

In the end, I realized how lucky I was -- I didn't lose money. According to the FTC, 10 percent of victims lose $1,200 or more. I received my credit reports by mail and so far, they contain nothing suspicious, though I will keep monitoring them. And the person or people who stole my information might actually get charged with a crime. How often does that happen, I asked some experts.

"People don't get caught," said Broder. "There are 8 million cases and we know there are not 8 million prosecutions in a given year."