On November 6 last year, I, Raphael Kohan, walked into a Walmart in Secaucus, N.J., just beyond the Lincoln Tunnel from Midtown Manhattan. What happened inside is unclear, whether I browsed the flat-screens, test-drove a few laptops or overdosed on free samples of Red Baron Buffalo Style Boneless Wyngz. But this much is known: While at the superstore, I was approved for a Walmart Discover card with a $2,900 spending limit, on which I made $1,506.56 worth of purchases. The next day, I returned to the same store and nearly maxed out the rest.
To those who know me, including me, this behavior might seem odd. For one, I’m not a big spender, and while I don’t always show up for work at 9, 10 or even 11 a.m., I also don’t usually go on shopping sprees at Walmart during the middle of the workweek.
The following Monday, I, Raphael Kohan—but please, call me Rafi—was at work when my cellphone buzzed with an unfamiliar number.
“Hello?” I answered.
The woman on the other end, who identified herself as an employee of Macy’s, asked me if I were Raphael Kohan, which until that moment I had been in the habit of confidently answering “yes.” The woman’s tone became concerned as she informed me that I was at that very moment in one of the department store’s Florida locations trying to make a purchase on my new Macy’s card.
Of course, I suggested that she arrest me or whomever was shopping in my name. Instead, she transferred me to a man in “credit services” who asked a series of highly personal questions. I nearly blurted out the answers to his queries—my date of birth, my address, my Social Security number—before panic wore off and skepticism kicked in.
“I’m sorry,” I said, “but I don’t think I can continue this conversation.” Through the phone line, the rep seemed to shrug. Before hanging up, he mentioned that Macy’s had noticed other inquiries on my credit, by Walmart and Sears, that I might want to look into.
I did. Based on the Social Security number I provided to call-center reps at both Walmart and Sears, however, no accounts were showing up. This bolstered my suspicion that the Macy’s call had been a phishing attempt to extract sensitive information. And yet, I couldn’t help but wonder after a letter I had recently received from TD Bank, where I have an account. The letter said something about a bank employee improperly obtaining my personal information. Something about sharing it with an unauthorized party. Huh. Where was that letter?
After the macy’s call, I placed 90-day fraud alerts on my credit files, while ordering reports from the major credit bureaus: Experian, TransUnion and Equifax. I also filed a complaint with the Federal Trade Commission. But it was only after returning home to a wallet’s worth of credit cards from Walmart, American Eagle and Kohl’s, plus a letter from Best Buy promising my new card’s arrival “within the next several days,” that I took my head out of the sand and realized the Macy’s call had been no phishing attempt.
I’d become a statistic.
And what statistics we are! Last year, an identity was stolen every two seconds, according to Javelin Strategy & Research, which released its 10th annual Identity Fraud Report this year. Meanwhile, a recent report by the Bureau of Justice Statistics found that 7 percent of Americans 16 or older were victims of personal identity theft in 2012, more than twice the FTC’s previous estimates.
The next morning, I examined the damage by signing up for two years of credit monitoring, courtesy of TD Bank. I was angry, naturally, but also confused: Why hadn’t the Walmart and Sears accounts shown up when I first called their credit-services hotlines? (I didn’t have the card yet, but Sears was there on my report.)
Whatever the reason, I spent the next few hours on the phone with my new credit-monitoring service, pointing out the fraudulent accounts and inquiries (which are requests to view your credit and can negatively impact your credit score). While it felt good to be claiming some level of control, this was mostly futile, as the retailers handed me from one unhelpful customer-service agent to the next.
Eventually, someone from Walmart connected me with GE Capital, the bank that issues the store’s Discover cards. (As I later learned, talking to anyone but the fraud department of a credit issuer is a waste of time.) I was finally getting somewhere!
And then things got weird.
Thanks to last year’s monster Target and Neiman Marcus hackings, data breaches have gobbled up most of the recent headlines when it comes to identity theft. The method is only one of many, though. Whether it’s by stealing your wallet, skimming your debit card at the ATM or un-shredding documents in your trash, there are seemingly endless ways for someone to swipe your cash or otherwise masquerade as you.
“I have never witnessed a more simplistic crime than stealing someone’s identity,” says Frank Abagnale Jr., whose teenage exploits were the inspiration behind Leonardo DiCaprio’s character in Catch Me If You Can. “If I can become you, what I do as you is simply limited to my imagination.”
These days, there may be no one in America who knows more about identity fraud than Abagnale. For the past 38 years, he has worked with countless organizations, including the government, as a secure documents and fraud specialist. “I would have thought that technology would have made it more difficult, but the truth is technology breeds crime,” says Abagnale, who started writing about identity theft as a next-generation crime for the FBI in 1988. “When I forged checks, I needed a Heidelberg printing press. The press cost $1 million!”
When I went to file a police report at the New York Police Department’s 76th Precinct, I had already logged 20-plus hours talking to various reps, agents and creditors on the phone, and I was nervous how actual human beings would react to my increasingly weird tale. From the first woman I spoke to at GE Capital, I learned why I was having such trouble closing—or even locating—so many of these fraudulent accounts: The criminal, whoever he was, had changed one digit of my Social Security number. “They do look similar,” she said.
She couldn’t explain why a faulty Social Security number would have been approved, let alone appear on my credit report. She also refused to tell me this alternate number (or even which digit had been altered), even though this number was now attached to the accounts that were attached to my credit file, leaving me to deal with an ongoing maze of Kafka-esque absurdity when it came to places like Sears and Best Buy.
When I finally got someone to at least tell me which digit of my Social Security number had been changed, for instance, I discovered my credit reports had gone on the fritz, with alternate spellings of my name, and even alternate addresses and phone numbers.
The turning point arrived with the Best Buy card. With that account number finally in-hand, I was escorted through the electronic giant’s customer-service labyrinth to a woman named Suzanne from Citibank’s Identity Theft Solutions.
For the first time, it felt like someone was grabbing the situation by the horns. Because Citibank, the credit issuer for Best Buy, works closely with TransUnion, Suzanne conferenced in a rep from that credit bureau and instructed the rep to remove all the fraudulent accounts and inquiries. Just like that. For several other creditors, she supplied me with direct lines to their fraud departments.
It was almost too easy.
Aside from a few straggling accounts, all I had left was to fill out affidavits making my fraud claims legally binding, then comb through my credit reports with each bureau, ensuring no funkiness remained.
The only problem: My Equifax report still hadn’t shown up. For weeks, I had been dialing every number for the credit bureau I could find online, but they all funneled to the same automated recording. By Googling Equifax, along with the city in which it’s based, Atlanta, however, I turned up a physical address and a new phone number. Success! When a human answered, I was soon connected with a woman named Jeanine, who assured me my report was en route and told me to be patient.
“It’s good that you placed a fraud alert,” Jeanine said, “but you know that’s only a minimum level of protection. We would recommend putting a lock on your file for maximum protection. That’s part of a package called Equifax ID Patrol.”
But I already had credit monitoring.
“That will only protect your Experian report,” she said.
Which is when it hit me: Jeanine was trying to sell me something!
Throughout this process, I dealt so often with the credit bureaus, where so much hung in the balance, that I actually began to recognize their different personality traits.
Thanks to Suzanne, TransUnion was efficient and responsive. Experian was kind of ineffectual, much like its credit-monitoring service, to which I had been given a membership. As for Equifax? Well, Equifax was like that absent dad who rolls into town drunk on Christmas Eve, after his family spent a decade tracking his movements, sending unrequited letters. And just when it seems like he’s back for good, ready to be a responsible husband and a loving father, he asks to borrow 50 bucks.
I cleared what felt like a final hurdle when I called T-Mobile and correctly guessed the alternate Social Security number. “Ooh, I found it!” screamed the rep. He looked through my file and described how the criminal had apparently come into one of the company’s stores with a Pennsylvania driver’s license, posing as me.
Armed with that new information, I was able to close and dispute the straggling accounts and inquiries. I still didn’t understand why they had shown up on my report in the first place, when the most basic piece of identifying data—the Social Security number—was not mine, but I actually grew to be grateful that they did.
As Abagnale explained to me, my theft is consistent with a relatively new form of identity crime, a variation of new-account fraud known as “synthetic identity theft.” (He wrote about it for the FBI in 2007.) “All three credit bureaus build tolerance into their system for mistakes, for errors, for poor penmanship,” he says, meaning that when a credit application appears with your name, slightly misspelled, or an address that inverts the house number or a Social Security number that is one digit off, the computers match it to your file anyway. So the credit gets approved, even though it typically won’t appear on your credit reports, because, as he wrote in the FBI paper, “only entries that exactly match a consumer’s … appear on these reports.”
“This creates what we call secondary files, which may not be picked up by monitoring services,” he says, and the criminal is able to build credit on that secondary file, before inevitably defaulting. That’s when the debt typically gets sold to a collection agency, and the collection agency performs “the exact reverse process. They look through the closest match to that file, and then they’re calling you.”
Sometime in January, I started to receive resolution letters in the mail. Praise be to the Credit Overlords. All the investigations were landing in my favor, and the fraudulent accounts were disappearing from my credit reports.
But the truth is it never ends.
An identity-theft victim needs to remain vigilant long after the initial mess appears cleaned up. Unexpected dings to one’s credit score may materialize down the line. And you never know who else has acquired your information or how and when they might try to use it again.
So what can be done on an individual level to prevent identity crime? Start by ordering your free credit reports and regularly checking your bank and credit-card statements. Also, be aware of how much information you share on social media. “You never want to state on your Facebook page where you were born or your date of birth,” Abagnale says.
Purchase a Microcut document shredder and/or enlist in credit (or even identity) monitoring services. And be careful how often you use your debit card. “When you’re playing with a credit card, you’re playing with their money,” says John Otero, a retired NYPD officer who went on to create BlackStorm Cyber Security. “When you’re playing with a debit card, you’re playing with your money.”
Meanwhile, should you learn that your information has leaked as part of a data breach, don’t just assume you’ll be OK—one out of three people who received a data-breach letter became victims last year, according to the Identity Fraud Study. Be proactive. Place fraud alerts on your credit files, and be extra vigilant in monitoring your accounts. You can even consider implementing a security freeze.
While reporting this story, I reached out to Alan Nossen, senior vice president of retail for TD Bank. Nossen agreed to speak with me, but as “a consumer, not a reporter.” We spoke for a while, before he directed me toward the corporate and public affairs department, putting me in touch with Lauren Moyer, a public relations associate. On the phone, I ticked off all my questions but immediately sensed she would provide nothing of substance. When I asked about an internal investigation, which was mentioned in the breach letter, Moyer cut me off.
“We cannot disclose the findings of the internal investigation, because it’s a matter of privacy, for both our customers and employees,” she said.
Getting nowhere, I tried a different tack: “Have you ever had your identity stolen, Lauren?” I asked.
“I have not.”
“Well, it stinks,” I said. And then, though I suspected she was still going to tell me nothing, I opened up to Moyer, to see if I couldn’t stir some sort of earnest interaction. I explained how, more than anything, a victim just wants to see the gears turning again, to feel like things are in order, which was why figuring out what had happened, breach-wise, might be a big step toward recovery. Would she help me?
“OK,” she sighed. “I can look into that for you.”
Later that day, Moyer officially replied to my queries over email, with some boilerplate bullshit:
“At TD Bank, protecting our customers’ financial assets and confidential information is important to us and something we take very seriously,” she wrote. “This was an isolated incident, and the employee is no longer with the bank. We notified impacted customers and worked with those who may have had their personal information compromised.”
I followed up, pressing her on what the bank felt its long-term responsibility was to “impacted customers.” I asked how many other “isolated” incidents there had been, since I knew eight individuals were charged last October in a separate identity-theft ring that targeted TD Bank customers in New Jersey.
She replied, “We have no additional comments aside from what we provided earlier.”
And after that, silence. I tried not to take it personally.
Excerpted from a feature from the New York Observer. Read the full story here.