IHT : The Freakonomics Of Identity Theft

Tuesday, March 13, 2007

Stephen J. Dubner and Steven D. Levitt are the authors of “Freakonomics.”  Following are excerpts from their article in the International Herald Tribune on Identity Theft entitled “Identity Crisis : Counting the Cost of a ‘Chargeback’”.  I always wondered who was ultimately liable for fraudulent purchases…

Steven Peisner stabbed excitedly at his computer keyboard, trolling through a chat room where identity fraudsters buy and sell names, addresses, Social Security numbers and PINs.  Some of the hustlers are American, but others are from Russia, India, the Philippines, Nigeria, Vietnam, Iran — any place, really, where young men and computers cohabit.  How does this market work?  If someone has just hacked a hospital database and come away with 10,000 “fulls” (a full set of personal information, down to your mother’s maiden name), he’ll post his asking price (typically $10 to $30 per full, depending on the freshness), along with a sampling of the data to prove its legitimacy.  Fraudsters also post specific queries.  “Here’s one,” Peisner said, reading from his screen: “ ‘Need female WU confirmer. Your share: 40 percent.’  That means they need someone to go to the Western Union office in some coffee shop in Romania to pick up the cash — because Vlad can do a lot of things, but he can’t be Amy Weiss from Manhattan Beach, Calif.”  There are as many varieties of identity theft today as there are varieties of, say, mushrooms.  And there are nearly as many misconceptions — about the scope of the problem, the incentives to stop it and how its costs are borne…..For those so inclined, identity theft remains an extraordinarily appealing crime.  In his new book, “Stealing Your Life,” the reformed fraudster Frank Abagnale calls identity theft an “elementary” crime with “enormous” upside and a “minuscule” chance of being caught.

Most police departments don’t have the staffing or know-how to even pursue the perpetrators; the F.B.I., meanwhile, usually won’t get involved unless the fraud reaches $100,000.  Which raises an obvious question: If law enforcement doesn’t care about identity theft, who does?  The answer would also seem obvious: You, the potential victim.  But according to the Javelin data, people probably worry way too much about identity theft.  73% of victims incur no out-of-pocket expenses whatsoever; the unlucky minority loses, on average, $2,000 — hardly chump change but far less than the scare stories would have us believe.  And in more than half the cases of identity theft, the thief is not a stranger at all but rather a relative, friend or co-worker.  So while you were being frightened into never again using a credit card, and perhaps shredding your child’s report card, most of the cost of identity theft was actually being paid by someone else.  Surely, then, it is the banks and credit-card companies that are desperate to stop the problem?  Sgt. Robert Berardi, who runs the Los Angeles County Sheriff Department’s ID Theft Task Force, has found otherwise.  “The banks are in conflict between security and making a profit,” he says.  In an industry that is reluctant to add even an ounce of friction to a customer’s purchase, Berardi says identity theft is seen as simply the cost of doing business.  Indeed, a recent report by TowerGroup, a research firm owned by MasterCard Worldwide, noted that “banks are not yet ready to dedicate resources to solving any ID theft problem.”  So if the banks, the consumer and the police aren’t sufficiently incentivized to stop identity theft, who is?  The merchant.  That is what Peisner, a 44-year-old veteran of the credit-card business, has discovered.  “Let’s say one of these hackers takes the information they find in a chat room,” he says.  “He goes to the Sony Web site, buys a laptop computer for $1,000, and a month later the actual cardholder gets the billing statement.  He calls up his bank and says, ‘I didn’t order a computer from Sony.’  At that point, the credit-card issuer, let’s say Citibank, sends a ‘chargeback’ through the interchange system to the acquiring bank, and that $1,000 is taken right out of Sony’s bank account, and they also get hit with a $25 chargeback fee.”  So the merchant has lost the money from the sale (as well as the laptop) while paying the chargeback fee, other bank fees and processing and shipping costs.  “If you’re a merchant,” Peisner says, “you have all the liability.”  And, therefore, all the incentive to stop the crime. 

That is why Peisner recently started a company, Sell It Safe, which aims to help merchants and banks screen their customers in online and telephone transactions.  His main weapon is a massive live database of stolen personal information, which a merchant can instantaneously check to learn whether Amy Weiss is really Amy Weiss or if perhaps she is really Vlad.  In an era when information flows like water, Peisner is hoping to add a filter onto a few million faucets.  Along the way, he has become a good Samaritan.  When he comes upon stolen data in a hacker chat room, Social Security numbers and passwords strewn about like underwear after a burglary, he often personally calls the victims.  He reads off enough information to convince them of their misfortune and advises them to notify the police and the bank.  Usually, they assume at first that he is a hustler himself, or at least a nut.  But ultimately they are grateful.  Peisner is helping them out, after all, and he doesn’t gloat…..In a recent academic paper called “Why Phishing Works,” three computer scientists (one from Harvard and two from Berkeley) ran a study and found that “the best phishing site was able to fool more than 90% of participants.”  Fortunately, most phishing sites are not designed by top-tier computer scientists with good English skills.  One day recently, Peisner discovered a fake Bank of America Web site that asked for a customer’s account number, online ID, PIN, Social Security number and address.  Only at the end of the form was the site’s illegitimacy — and the creator’s foreign origin — revealed, when it asked for information that should have baffled any American customer: “Father Maiden Name.”

Reference : http://www.nytimes.com/2007/03/11/magazine/11wwlnfreak.t.html?ei=5088&en=e041bb1125b99a37&ex=1331265600

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: