Identity theft raises questions about security

With the announcement Monday of the breakup of a New York identity theft ring that absconded with the sensitive financial data of over 30,000 U.S. consumers, attention has quickly turned to lax security in the systems that lenders use to obtain information from credit bureaus such as Experian Information Solutions, Trans Union LLC and Equifax.

Top on the list of questions raised by the crime is the role that loose security at Teledata Communications Inc. (TCI) may have played in the identity theft scheme.

TCI makes the software, workstations, and laptop devices that businesses use to retrieve credit reports from the three major credit bureaus. TCI employed Philip Cummings between May 1999 and March 2000, according to a statement released by the company. Cummings worked on the help desk at TCI, assisting the banks and lending organizations that used TCI’s software with problems related to the company’s products.

During his time of employment, Cummings is alleged to have used his access to TCI customer accounts to copy the passwords and subscriber codes used by a number of different businesses, including banks and mortgage companies such as Ford Motor Credit Corp.

That information was then used by Cummings and others to pose as legitimate financial institution officials and download the personal credit history of thousands of consumers over a two-year time span, according to a complaint unsealed by James Comey, U.S. Attorney for the Southern District of New York. Cummings then sold those reports, according to the U.S. Attorney’s office.

Even more alarming than the theft of passwords, Cummings appears to have been able to continue to use the information gleaned from his work at TCI long after he resigned from the company in March of 2000, even providing one of his co-conspirators with a laptop outfitted with TCI software and supplied with passwords to download credit reports at will.

In a statement, TCI acknowledged that it had employed Cummings, but declined to comment on the pending prosecution of its former employee.

A spokesman for the U.S. Attorney’s Office said that TCI was cooperating with the investigation but declined to answer questions about when the company became aware of the fraud or whether TCI property was used in perpetrating the identity theft.

Behind TCI’s apparently lax security is an even more troubling question about the security standards set by the three major credit monitoring organizations: Experian, Equifax, and Trans Union, security experts say.

All three companies were targeted by Cummings and his co-conspirators. Each of those companies allows customers using TCI’s software to download consumer credit reports from its massive databases with a valid password and a subscriber code that is unique to a particular lender or branch location.

However, with both pieces of data apparently accessible to TCI help desk employees, all three credit agencies were left vulnerable to an “insider” attack either from TCI or from one of TCI’s customers, experts say.

“What it really shows is the vulnerability of the system overall,” said Chris Kelly, an analyst at Forrester Research.

“For the past several years consumer privacy attention has been focused on the Internet. But it appears that the way this information was taken was a low-tech solution – (Cummings) just had access to these codes.”

Despite the sensitivity of the information contained in their databases, the three major consumer credit agencies did not appear to have robust protections in place for accessing that data from the outside, experts said.

“It has been well known in the security industry that passwords are the weakest form of protection,” said Randy Vanderhoof, executive director of the Smart Card Alliance, an industry advocacy group for smart card technology.

“Once a password is issued, there’s no way to determine whether that password has been passed around to other individuals.”

The complaints filed against Cummings and his co-conspirators show that they took full advantage of this.

After moving from New York to Georgia, Cummings is alleged to have travelled for a while between the two states to meet with Linus Baptiste, a co-conspirator who is now cooperating with authorities, and download credit reports. Subsequently, Cummings set Baptiste up with his own laptop containing the software, while continuing to hold on to customer passwords and subscriber codes.

As Baptiste’s activities caught the attention of lending organizations and passwords were changed, Cummings would supply Baptiste with new subscriber codes and passwords for one of the three agencies over the phone, enabling him to continue downloading credit reports.

Cummings and co-conspirator Baptiste are alleged to have dialled in to the three major credit agencies from New York, while posing as officials from legitimate companies in Ohio, Texas, Florida, Michigan and other states.

Vanderhoof said that the use of technology such as smartcards – sophisticated security cards, often containing embedded chips, that can store a range of information, from passwords to biometric information – would have made such a system unworkable.

Such cards would have required a card owner to be physically present, along with a card reader, whenever the TCI software was used and reports were downloaded, and thus would have prevented the easy dissemination of password information that enabled such a large number of consumer accounts to be compromised, according to Vanderhoof.

They also would have provided a single point of access that could be easily closed when fraud was first detected, Vanderhoof said.

In the end it was the greed, rather than internal controls, that exposed the theft ring. According to a spokesman for the U.S. Attorney’s Office, the fraud was first discovered when a branch of the Ford Motor Credit Corp. contacted the U.S. Federal Bureau of Investigation after being charged by Experian for more than 15,000 unauthorized downloads.

Once informed of the illegal downloads, Experian and the other agencies were able to identify the source of the fraud only after searching their databases for requests for large batches or reports and correlating that activity to the compromised subscriber codes.

A review of telephone records tied the unauthorized downloads back to telephone numbers belonging to Baptiste and others involved in the plot, according to the complaints unsealed on Monday.

Neither Experian nor Equifax returned phone calls requesting comment and it is unclear what steps, if any, are being taken to address the loopholes exposed by Cummings, Baptiste and their partners.

In the meantime, Vanderhoof said that the magnitude of the identity theft may prompt the federal government to take a closer look at the credit reporting industry, much as highly publicized leaks of patient information by hospitals and insurance companies prompted the creation of the Health Insurance Portability and Accountability Act (HIPAA) in 1996.

“As a result of HIPAA, the health care industry has had to invest in a whole new technology infrastructure to protect patient information. It seems like it will be a similar fate in the financial markets and credit reporting industry if this type of fraud is not cut off,” Vanderhoof said.

But for the time being, Forrester Research’s Kelly said that the theft of so many credit reports from the nation’s leading credit agencies puts even more of the onus on consumers to make sure that their own financial information has not been compromised.

Kelly recommended that all consumers order an updated copy of their credit report. In some states, citizens are entitled to one free copy of their credit report each calendar year, Kelly said.

Once they receive their report, consumers should make sure that there isn’t any unsuspected activity on those reports, such as new credit cards being issued or large balances that are unaccounted for, according to Kelly.

“The important thing is to spot the activity before it gets out of control,” Kelly said.