Statement by Robert Douglas
Committee on Banking and Financial Services
United States House of Representatives
Identity Theft and Related
Financial Privacy Issues
September 13, 2000
My name is Robert Douglas and I am the co-founder and Chief Executive Officer of American Privacy Consultants, Inc. located in Alexandria, Virginia (www.privacytoday.com). American Privacy Consultants assists organizations and businesses understand and implement appropriate privacy policies, strategies, defenses, educational programs, training, and auditing.
I appreciate the opportunity to appear before this committee once again to address the issue of identity theft, "pretext calling", and other deceptive practices still in use by some "information brokers", private investigators, judicial judgment collectors and identity thieves to illegally access the personal and confidential information of customers of financial institutions. Unfortunately, in spite of the enactment of legislation drafted by this Committee to outlaw such practices, these methods not only survive but also continue to grow in volume, scope, and methodology.
Chairman Leach, I want to personally thank you and the Committee for your continued willingness and desire to address this serious issue first by crafting and passing much needed legislation and now in an oversight capacity. I am personally aware of the amount of time the Committee members and staff have invested in this problem over the last three years and as a citizen applaud the Committees willingness to tackle these issues.
I also would like to single out for recognition Jim Clinger, the Committees Senior Counsel and Assistant Staff Director. Over the last three years I have had the unique pleasure of working with Jim on a regular basis and he is a true credit to this Committee and to the United States Congress. Above all he is a true gentleman.
Finally, I would like to thank John Forbes, Special Agent United States Customs Service; and, Alison Watson, Professional Staff Member of the Committee for their work over the last month in preparation for this hearing.
Although I was specifically asked to address the use of pretext and other deceptive techniques to access confidential financial information, I would like to make a few brief observations concerning HR 4311.
There can be little doubt that identity theft is one of the fasting growing crimes in the United States today. Each year hundreds of thousands of Americans fall prey to identity thieves. The financial and credit damage implications are severe for the individual who is the victim of identity theft. Additionally, retailers and financial institutions suffer financial losses as a result of identity theft. Finally, the nation as a whole suffers in increased prices for retail products and financial services including the cost of credit.
The advent of the World Wide Web has brought increased opportunities for identity thieves through ease of access to personal, biographical data needed to perpetrate identity crimes and facilitates ordering merchandise absent a face-to-face encounter with a store clerk. These facts require that we examine areas of weakness that identity thieves exploit.
In 1998 I demonstrated for this Committee the ease with which an individual can purchase private and confidential financial information. It is even easier to obtain the name, address, date of birth, social security number, mothers maiden name, phone number, and often the employment of any individual in the United States today. All of this information is for sale on the web. In a nutshell, all the information needed to steal a citizens identity and create financial havoc is available on the Internet for little or no cost.
The largest source of up-to-date personal, biographical information is credit bureaus. The sale and resale of credit header information by credit bureaus to private investigators, information brokers and judicial judgment collection professionals results in this information being accessible to anyone for a fee. This is big business. Several large companies make millions of dollars each year reselling personal information gathered by the credit bureaus.
When citizens apply for credit or enter into a credit transaction they do not know that their personal, biographical information is then resold to any individual with a few bucks and a web browser. If the level of trust in the Internet is ever to rise from the relatively low position it now occupies, the sale of personal information must be brought under control. A good place to begin is by curtailing the sale of credit header information absent a permissible purpose as defined currently within the FCRA. For that reason I believe Section 8 of HR 4311 is long overdue.
Pretext and other Deceptive Practices
July 1998 through September 2000
On July 28, 1998, while appearing before this Committee, I stated: "All across the United States information brokers and private investigators are stealing and selling for profit our fellow citizens personal financial information. The problem is so extensive that no citizen should have confidence that his or her financial holdings are safe." Sadly, I return today to inform this Committee that my statement of 1998 remains true today.
While the illegal access of financial information continues, progress has been made. When we last met in July of 1998 four steps were required in order to stop these practices. First, the financial services industry needed to understand and take affirmative steps to combat the threat posed by unscrupulous information brokers, private investigators, and identity thieves. Second, tough federal legislation was needed to outlaw the use of pretext and deception as a means to access confidential financial information. Third, appropriate federal regulatory agencies needed to create standards and regulations designed to assist institutions in the safeguarding of financial information and to reflect the legislative intent encompassed within any legislation enacted by Congress. Finally, aggressive prosecution of individuals and companies who steal, buy, and/or sell personal financial information was required to signal that the integrity of our nations financial system is a law enforcement priority. The first three sides of the square have been completed.
The financial services industry has made significant progress in beginning to combat identity theft and pretext through a sober recognition that this is not a problem that can be ignored if the industry wishes to maintain a reputation for providing confidentiality to customers. This recognition has been acted upon through the use of training programs and educational materials to begin the education of financial services industry professionals to the threats posed by identity thieves of all types. Many financial institutions have begun to enact internal standards designed to identify and thwart the practices of identity thieves and infobrokers. Is there more to do? Absolutely. Is the financial services industry taking the confidentiality of the records it safeguards on behalf of customers seriously enough to continue to move forward in this area? I believe so.
This Committee and Congress moved quickly to pass legislation designed to punish those who would impersonate others in order to gain access to private financial records. With the passage of Gramm-Leach-Bliley, there is now federal law outlawing the use of pretext and other deceptive techniques to gain access to personal financial information absent several narrowly defined and commonly misunderstood exceptions.
The federal regulatory agencies with direct supervisory function of the financial services industry moved quickly in 1998, by means of an advisory letter and other steps, to alert all institutions to the practices of identity thieves and information brokers. These same agencies are continuing as we meet here today to develop standards and regulations in keeping with the intent of Gramm-Leach-Bliley.
With the first three sides of the box either erected or under construction, it is now time to build the final wall through aggressive enforcement action. With the enactment of Gramm-Leach-Bliley last November, I assume that the Federal Trade Commission and appropriate criminal enforcement agencies are now preparing to use the tools Congress and the President handed them.
To my knowledge there has been one federal enforcement action brought by the FTC against an information broker. That civil action was begun prior to the enactment of Gramm-Leach-Bliley under laws designed to thwart "unfair and deceptive trade practices". Several states, notably Massachusetts, have aggressively pursued illegal information brokers. Again, these actions were taken prior to GLB and under state laws against illegal trade practices. It is time for tough nationwide enforcement of the civil and criminal provisions contained within Gramm-Leach-Bliley.
In the invitation letter I received from the Committee to testify today I was asked to specifically address three areas: 1) The extent to which the use of pretext and other deceptive means continue in spite of the passage of Gramm-Leach-Bliley; 2) The effectiveness of efforts by the financial services industry to deter and detect fraudulent attempts to obtain confidential account information; and, 3) Other threats to financial privacy emerging today.
The Extent To Which Deceptive Practices Continue
The use of pretext and other means of deception to trick financial institution employees and customers into disclosing personal and confidential financial information that I testified about two years ago continue unabated. Books have been written about pretext to teach and share common methods. Discussion groups abound on the Internet with the trading of new and improved techniques almost on a daily basis. Classes are held in which pretext methods are shared for a price. The techniques are becoming more complex and refined.
Advertisements on the World Wide Web have doubled in the past two years. Here is a typical example:
Bank Account Search
Approximate Return Time
10-18 Business Days*
Subject's Full Name, Complete Street Address, Social Security Number*
Given a Subject's full name, complete address and social security number, this search will return the bank name and address, account type, account number, (if available) and approximate current balance of all located personal accounts. We access a proprietary database and identify open accounts using the Subject's SSN, however this search will only identify accounts in the Subject's primary state the business resides. If you suspect accounts exist in more than the primary residing state, a separate search request for each state is required, and should include the Subject's address in that state.
*This search requires the Subjects social security number. If the SSN is unknown, we will find it for the purposes of this search but it will not be included in your search result.
NOTE: This search uses the Subject's social security number as the account identifier, so only primary account holders are returned. Also, be sure to include any additional information you may have, such as the Subject's home & work telephone, birthdate, mother's maiden name, etc, in the additional comments section. This will greatly increase the odds of a successful search.
Responsible Purpose For Search
This search may return sensitive, confidential, and/or private information. For this reason, DOCUSEARCH.COM requires an explanation stating the purpose for requesting this search, its' intended use and supporting documentation. Additionally, we reserve the right to decline to perform any search which we deem not to be for a legitimate legal purpose or may cause emotional or physical harm.
Financial searches are for informational purposes only, and are not acceptable as an exhibit or as evidence. Every effort is made to provide a complete & thorough search result. However, no method of research is 100% fool-proof and no firm can offer an absolute guarantee that every account will be found.
*This search requires many hours of research and can't be rushed, as we want to return thorough, accurate results. Therefore, this is an approximate return time. (End)
This advertisement is remarkable in many regards. The ad claims to "access a proprietary database and identify open accounts using the subjects SSN", yet "this search requires many hours of research and cant be rushed, as we want to return thorough, accurate results" and the search may require "10-18 business days". There is no proprietary database available to private investigators or information brokers that by use of the SSN (social security number) banking information can be obtained. In fact this ad used to say the company accessed a "federal database" to obtain the information.
The ad further states: "Also, be sure to include any additional information you may have, such as the Subject's home & work telephone, birthdate, mother's maiden name, etc, in the additional comments section. This will greatly increase the odds of a successful search." Why would a database accessed by SSN require this personal information? It wouldnt. But pretext does. Many financial institutions use the mothers maiden name as a password. Further, some institutions will ask for your home or work phone numbers to verify the account holder. Finally, the phone numbers are often required as part of a pretext contact made directly to the account holder.
The ad also states: "Additionally, we reserve the right to decline to perform any search which we deem not to be for a legitimate legal purpose or may cause emotional or physical harm." Perhaps this is an attempt to signify that a search request must satisfy GLB and other applicable State and Federal laws. Perhaps not. Here is the transcript of an email contact I had with Docusearch:
To: email address deleted
Subject: Re: Information Request
Sent: Mon 3/20/00 1:41 PM
You will first have to locate his address in the current residence state. This may be
accomplished with a Locate by Previous Address
Search. Then you can order the Bank Account Search.
At 01:38 PM 3/20/00 , you wrote:
>------------Begin, Information Request from visitor-----------
>My Name Is : Rob Douglas
>My Email Address Is : (deleted)
>My Telephone Number Is : (deleted)
>My Question Pertains To : Other: Explain Below
>Comments : I have a client who is owed a substantial amount of money
>by a potential defendant who left the area and closed his personal and
>corporate bank accounts. I have an old home address for the potential
>defendant and know what state he moved to. What searches would you
>recommend to locate the potential defendant and his personal and
>corporate bank accounts?
>------------End, Information Request from visitor -----------
The ">" portions represent the email I sent to Docusearch using their on-line request form. Three minutes later I received the reply that I could order the bank account search in a situation that would clearly be illegal under GLB if pretext were used.
I would hope that members of this Committee would find the services offered and language of the advertisements by Docusearch to be as disturbing as I do. I suspect many of the members of this Committee would wonder why this firm is allowed to operate in this fashion given the provisions of GLB and the applicable "unfair and deceptive trade practice" sections of Federal law. The excuse might be offered that this is just one company that no one in a position of responsibility to address these practices was aware of. That excuse would ring hollow.
Docusearch is the company that sold personal information concerning Amy Boyer to a stalker that resulted in the murder of Ms. Boyer and the suicide of the stalker. Amys parents have testified before Congress and have been widely covered in the media. In fact, Amys death has led to consideration of legislation by this Congress to outlaw the sale of social security numbers. Throughout all this attention Docusearch has made one change to the web site where it advertises. Docusearch no longer publicly advertises the sale of social security numbers. But Docusearch continues to do business selling personal and confidential information.
The attention to Docusearch does not end there. Docusearch was the cover story for Forbes magazine on November 29, 1999. This was seventeen days after President Clinton signed GLB into law. In the article Dan Cohn of Docusearch literally bragged about his abilities to obtain personal information about a subject. Here is the opening quote from the Forbes cover story:
THE PHONE RANG AND A STRANGER CRACKED SING-SONGY AT THE OTHER END OF the line: "Happy Birthday." That was spooky--the next day I would turn 37. "Your full name is Adam Landis Penenberg," the caller continued. "Landis?" My mother's maiden name. "I'm touched," he said. Then Daniel Cohn, Web detective, reeled off the rest of my "base identifiers"--my birth date, address in New York, Social Security number. Just two days earlier I had issued Cohn a challenge: Starting with my byline, dig up as much information about me as you can. "That didn't take long," I said.
"It took about five minutes," Cohn said, cackling back in Boca Raton, Fla. "I'll have the rest within a week." And the line went dead.
In all of six days Dan Cohn and his Web detective agency, Docusearch.com, shattered every notion I had about privacy in this country (or whatever remains of it). Using only a keyboard and the phone, he was able to uncover the innermost details of my life--whom I call late at night; how much money I have in the bank; my salary and rent. He even got my unlisted phone numbers, both of them. (End of excerpt)
One might wonder who Dan Cohn is and whom he sells this information to. Forbes answered that as well:
Cohn operates in this netherworld of private eyes, ex-spooks and ex-cops, retired military men, accountants and research librarians. Now 39, he grew up in the Philadelphia suburb of Bryn Mawr, attended Penn State and joined the Navy in 1980 for a three-year stint. In 1987 Cohn formed his own agency to investigate insurance fraud and set up shop in Florida. "There was no shortage of work," he says. He invented a "video periscope" that could rise up through the roof of a van to record a target's scam.
In 1995 he founded Docusearch with childhood pal Kenneth Zeiss. They fill up to 100 orders a day on the Web, and expect $1 million in business this year. Their clients include lawyers, insurers, private eyes; the Los Angeles Pension Union is a customer, and Citibank's legal recovery department uses Docusearch to find debtors on the run.
Cohn, Zeiss and 13 researchers (6 of them licensed P.I.s) work out of the top floor of a dull, five-story office building in Boca Raton, Fla., sitting in cubicles under a fluorescent glare and taking orders from 9 a.m. to 4 p.m. Their Web site is open 24 hours a day, 365 days a year. You click through it and load up an on-line shopping cart as casually as if you were at Amazon.com. (End of excerpt)
Amazingly, Cohn admits to the use of fraud and bribery:
The researchers use sharp sifting methods, but Cohn also admits to misrepresenting who he is and what he is after. He says the law lets licensed investigators use such tricks as "pretext calling," fooling company employees into divulging customer data over the phone (legal in all but a few states). He even claims to have a government source who provides unpublished numbers for a fee, "and you'll never figure out how he is paid because there's no paper trail." (End of excerpt)
The following excerpt reveals methods used by Cohn directly relevant to todays hearing and HR 4311:
Cohn's first step into my digital domain was to plug my name into the credit bureaus--Transunion, Equifax, Experian. In minutes he had my Social Security number, address and birth date. Credit agencies are supposed to ensure that their subscribers (retailers, auto dealers, banks, mortgage companies) have a legitimate need to check credit.
"We physically visit applicants to make sure they live up to our service agreement," says David Mooney of Equifax, which keeps records on 200 million Americans and shares them with 114,000 clients. He says resellers of the data must do the same. "It's rare that anyone abuses the system." But Cohn says he gets his data from a reseller, and no one has ever checked up on him.
Armed with my credit header, Dan Cohn tapped other sites. A week after my birthday, true to his word, he faxed me a three-page summary of my life. He had pulled up my utility bills, my two unlisted phone numbers and my finances. (End of excerpt)
And should there be any question as to the ability of a determined criminal to gain access to confidential information including financial information, the following excerpt is on point:
He had my latest phone bill ($108) and a list of long distance calls made from home--including late-night fiber-optic dalliances (which soon ended) with a woman who traveled a lot. Cohn also divined the phone numbers of a few of my sources, underground computer hackers who aren't wanted by the police--but probably should be.
Knowing my Social Security number and other personal details helped Cohn get access to a Federal Reserve database that told him where I had deposits. Cohn found accounts I had forgotten long ago: $503 at Apple Bank for Savings in an account held by a long-ago landlord as a security deposit; $7 in a dormant savings account at Chase Manhattan Bank; $1,000 in another Chase account.
A few days later Cohn struck the mother lode. He located my cash management account, opened a few months earlier at Merrill Lynch &Co. That gave him a peek at my balance, direct deposits from work, withdrawals, ATM visits, check numbers with dates and amounts, and the name of my broker. (End of excerpt)
Cohn is even willing to lead officials to believe he is a law enforcement officer as this excerpt demonstrates:
How did Cohn get hold of my Merrill Lynch secrets? Directly from the source. Cohn says he phoned Merrill Lynch and talked to one of 500 employees who can tap into my data. "Hi, I'm Dan Cohn, a licensed state investigator conducting an investigation of an Adam Penenberg," he told the staffer, knowing the words "licensed" and "state" make it sound like he works for law enforcement.
Then he recited my Social Security, birth date and address, "and before I could get out anything more he spat out your account number." Cohn told the helpful worker: "I talked to Penenberg's broker, um, I can't remember his name...."
"Dan Dunn?" the Merrill Lynch guy asked. "Yeah, Dan Dunn," Cohn said. The staffer then read Cohn my complete history--balance, deposits, withdrawals, check numbers and amounts. "You have to talk in the lingo the bank people talk so they don't even know they are being taken," he says. (End of excerpt)
But the Forbes reporter (Penenberg) did some further digging and uncovered what appears to be direct evidence of the use of impersonation and pretext in the following excerpt:
Sprint, my long distance carrier, investigated how my account was breached and found that a Mr. Penenberg had called to inquire about my most recent bill. Cohn says only that he called his government contact. Whoever made the call, "he posed as you and had enough information to convince our customer service representative that he was you," says Russ R. Robinson, a Sprint spokesman. "We want to make it easy for our customers to do business with us over the phone, so you are darned if you do and darned if you don't."
Bell Atlantic, my local phone company, told me a similar tale, only it was a Mrs. Penenberg who called in on behalf of her husband. I recently attended a conference in Las Vegas but don't remember having tied the knot. (End of excerpt)Finally, Cohn believes he is justified in what he does:
Daniel Cohn makes no apologies for how he earns a living. He sees himself as a data-robbing Robin Hood. "The problem isn't the amount of information available, it's the fact that until recently only the wealthy could afford it. That's where we come in." (End of excerpt)
I have one question. Why are Dan Cohn and Docusearch still in business?
Docusearch is not alone. There are now more information brokers and private investigators openly advertising their ability to obtain and sell financial information then there were in 1998. These ads continue to be found on the World Wide Web, in the yellow pages and in legal and investigative trade journals. In fact, there has been an ad running in the local edition of the Legal Times that can be found in many law firms and federal offices here in Washington. I suspect copies can be found at the FBI, U.S. Attorneys Office, the Department of Justice, and the Federal Trade Commission.
One phone call to this company determined they offer the ability to locate an address for an individual for $65 if the social security number is provided and $115 if the social security number is not provided. Further, and more to the point, for $200 they will supply the name of the bank, the type of account maintained and the balance in the account for the individual specified. There was a further offer extended by the company to confirm that the funds are available and there would be no charge if there were only minimal funds in the account. The scenario presented to the company fell squarely within the four corners of Gramm-Leach-Bliley that would make the request and provision of the banking information illegal if accomplished by pretext. The company was informed that a woman was trying to locate a current address for a live-in boyfriend who had skipped town with money from her checking account. There was nothing in the scenario presented that even began to come close to the exceptions enacted as part of Gramm-Leach-Bliley.
In fact, as the committee is aware, on August 30th Committee Senior Counsel Jim Clinger, Special Agent John Forbes, Committee Staff Member Alison Watson and I called numerous private investigators and information brokers around the country in an effort to determine how many would sell bank account information and under what circumstances. We decided that we would survey the first ten companies that we could reach by phone. The companies were selected randomly by Special Agent Forbes based upon their advertisements. All of the companies were presented with the scenario outlined above.
In less than three hours the first ten companies we reached were all willing to sell us personal bank account information detailed enough to raise the educated belief that the information would be obtained by pretext or other deceptive means. Not a single company we reached turned us down. Not one.
More to the point, two of the companies representatives made specific mention of "privacy laws" and "federal statutes" being a hindrance to their ability to provide the information. However, we were told, they could still succeed but just "dont tell anybody" that we had obtained the information.
One individual referred to the fact that he had 11 years banking experience and guaranteed that he could find the bank and that 80% of the time he could get the account number and balance. Several of the companies stated that they could get us individual transaction records including deposit information.
One offered to teach us how to determine the amount in the account once he located the bank and account number.
One company stated that it would check the Federal Reserve section for the part of the country where the individual was located. This same company claimed to work for "hundreds and hundreds of attorneys and collection agencies". Further, they stated that they had found $1.2 million dollars in an account just the previous day for an attorney. They advised us to wait for the banking information before going to Court.
Another company stated they would locate the information if we had a "Court filing judgment" or a letter from an attorney giving the name of the person the account information was being sought for and the reason. This company stated they could find local bank information for $200 and statewide information for $500 including account numbers and balances.
Several of the companies offered to locate safety deposit box locations and securities related information. One company charges $175 to locate the name and address of the bank if you have a judgment. However, the same company offered for $250 to locate all accounts, account numbers, balances, mutual funds, names on the accounts, dates of closure if an account was closed, and safety deposit box information if we didnt have a judgment.
Here is just one example of the type of advertising we found:
Welcome to (name omitted). We can perform bank account and investment searches anywhere in the USA and the World. Bank account searches can be used to collect judgements, verify net worth of individuals and companies, or any other purposes.
We can search:
Safety deposit boxes
And much, much more
We can search by:
Offshore account searches also available.
Disclaimer: We limit retrieval to documents or information available from a public entity or public utility which are intended for public use and do not further elaborate on that information contained in the public entity or public utility records. Must Be 18 or Older for a Consultation or Record Search. We take no responsibility and assume no liability for any privacy claims as we neither utilize, reveal, nor attempt to access any confidential information concerning the parties involved in the search. We are not a licensed private investigator, and we do not engage in any activities for which a license is required (End of excerpts)
The disclaimer is amazing in light of the fact that this company offered to sell us the amount located in a checking account and the deposit history to the account for $275. I cannot fathom a single way that account balance and deposit transaction records could be "intended for public use". Indeed this would be a direct revelation of "confidential information".
No company we reached asked any questions that would logically follow from the passage of Gramm-Leach-Bliley, even when they had disclaimers in the advertisements suggesting that there were restrictions on who could obtain banking information and under what circumstances. Further, in addition to the overt remarks made by several companies to the minor obstacles presented by "federal statutes" and "privacy laws" the advertisements and telephonic presentations bore all the classic signs of pretext operations. These include no-hit/no-fee guarantees; length of time required to complete the search; higher pricing; and types of information being sold.
These results are troubling and point to the inescapable conclusion that there are now criminals hiding behind professional titles such as "information broker", "private investigator", and "judicial judgment collector". I do not make this statement lightly as I was a private investigator for seventeen years and was very proud of my profession. There are thousands of good, honest private investigators, information brokers, and collection professionals working everyday in this country to assist citizens and attorneys at all levels of our judicial system. I receive emails everyday from investigators and brokers who are upset and demoralized because of the practices of some who feel it is easier to steal information instead of using the lawful means that all others who obey the law do. The good, honest professionals are looking to their government to step in and stop these criminals.
Further, many of the information brokers, private investigators, and judicial judgment collectors belong to national trade associations. In fact, many of these association members and their leaders can be found in Internet chat areas trading pretext methods. This begs the question: What are these associations doing to police their membership?
The Effectiveness Of Efforts By The Financial Services Industry
To Deter And Detect Fraudulent Attempts To Obtain
Confidential Account Information
The financial services industry has for many years utilized various methods of combating fraud and protecting the confidentiality of customer information. As I stated in my testimony two years ago, I believe the industry was not aware of the techniques being used by information brokers and investigators to penetrate their security protocols by means of pretext and impersonation. Indeed, most Americans remain ignorant of the practices of unscrupulous information brokers. The financial services industry is traditionally between a rock and a hard place when it comes to information security. Customers want their information to remain confidential. At the same time, they want easy access twenty-four hours a day to that same confidential information. It is this very dilemma that criminals exploit.
The financial services industry is starting to move aggressively to combat the methods and deceptive practices used by identity thieves and infobrokers that seek to illegally gain access to confidential information and in many cases to steal the funds of institution customers. Upgraded and newly developed computer systems and programs work to oversee billions of transactions each day in an effort to identify potentially fraudulent activity. Education and training programs are being modified and instituted to teach all institution employees the signs of identity theft and fraud and what steps to take.
Institutions that have taken steps to determine if information brokers are attempting to access confidential information have found that this is indeed the case. More and more institutions are moving to institute passwords and personal identification numbers (PINS) that provide true access protection. But, many more need to move in that direction. Customers are starting to be notified by institutions concerning the reason and need for certain security protocols. Again, more needs to be done in this area. There is much education, training and work that remains. I am convinced the financial services industry is up to the task.
I have had a birds-eye view of the response of the financial services industry over the past two years. I have worked directly with institutions and professional associations to educate them on the issue of pretext and other deceptive practices used to penetrate information security systems. In each instance I have found that the privacy, administrative and security leaders in the institutions and at association meetings are genuinely concerned about solving this problem and are moving to do so. The financial services industry relies on a reputation for confidentiality to survive. Recent well publicized cases of institutions not protecting customer information both here and abroad illustrate the harm that will quickly be realized by an institution that does not protect customers.
This concern has led, in one instance, to the American Bankers Association distributing to the entire membership an education and basic training program on pretext calling I was asked to author at the associations initiative. The portion I authored was just a small part of a comprehensive three part series the ABA has distributed to the membership to address the subject of identity theft and privacy in detail over the course of this past year. I believe these materials will aid in thwarting the practices of the Dan Cohns of this world.
I have been asked to speak on a number of occasions to groups of bankers to demonstrate to them how to spot pretext calls, how to educate financial services employees about pretext, and what steps to take at the institution level to thwart information security intrusions. Indeed, you would be hard pressed to find a gathering of bankers anywhere today where the subject of privacy is not addressed at length as a major topic of discussion. Further, the financial services industry did not wait for the passage of GLB to address the issue of pretext. Almost immediately after my testimony in 1998 the ABA was distributing materials and videotapes to any institution concerning pretext and updated information security practices.
It is too early to tell how effectively the defenses now being installed by financial institutions are working to thwart pretext. However, judging by the number of firms advertising the ability to obtain financial information there is still more to be done.
However, unless we end legitimate customer access to account information, there will always be criminals who will attempt to steal that information. The financial services industry needs a helping hand from law enforcement. These criminals must be prosecuted. The message needs to be sent that Federal law enforcement is serious about protecting financial institution customers. It is time to act.
Emerging Threats To Financial Privacy
While the traditional methods of pretext presented before this Committee two years ago continue, there are new emerging threats to the security of information within financial institutions. Those who use creative means to obtain personal information are not resting and waiting to see what Congress or law enforcement will do next to protect the privacy and confidentiality of U.S. citizens. These individuals and companies continue to develop methods to locate citizens and their confidential information. There is much fear that the loss of routinely accessed credit headers will diminish the ability to easily access personal biographical information used as part of a pretext. Therefore, some who seek that information are moving to develop other "sources" and "methods" to develop personal information needed to begin a successful pretext.
The fastest growing method used to "skiptrace" for the current address and other personal information of an individual is to obtain the information from the phone company. Most United States citizens believe that their phone records are private unless obtained by subpoena or other form of Court order. This is especially true for the millions of Americans who pay extra to have a non-published or unlisted phone number. Most citizens would further think that who they call and how long they talk is also a private matter. Most citizens would be wrong.
For years I have seen the sale of private telephone information on the web and in investigative and legal trade journals. These services include the acquisition and sale of non-published and unlisted phone numbers and records; long distance toll records; cellular phone records; pager records; fax records; the current phone number and address for the owner of a disconnected phone, and much more.
While these practices are bad enough, and need to be addressed by Congress and/or law enforcement, the latest development is equally worrisome. Currently, there are presentations of closed, highly secure classes for private investigators and information brokers, teaching the inner workings of the telecommunications industry. These classes are being coupled with databases being developed in the private investigative community to assist in obtaining information held by telecommunications companies. Once obtained this data can then be sold and/or used as part of further identity theft and pretexts used in any number of scenarios, but certainly as the starting point for information gathered as part of a pretext against a financial institution or directly against the financial consumer.
Here is an advertisement being widely distributed for these classes:
NOW! COMING TO LOS ANGELES!
Telecom Secrets Seminar
Using Telecom as a new way
to skiptrace and locate.
Michele "Ma Bell" Yontef, CMI
Telecom Investigations Specialist, Licensed Private Investigator,
Paralegal, Server of Process, Notary, Constable of Court
This is a seminar that will take you from being someone who uses a phone in investigations, to someone who uses the whole telecommunications system to further your investigations. You will gain a comprehensive understanding of the phone system, and how to use that system to get the information you need to close the case. With so many of our "tools of the trade" being taken from us by recent privacy laws, this is a "must attend" seminar. Using Michele's completely legal methods we can continue to obtain the information that is vital to us and to our clients. Don't let yourself or your clients down, learn new and better ways to increase your services and your income.
No recording of any kind will be permitted. There will be extensive
security measures. Please contact Vicki for details. All attendees will be required to
sign a non-disclosure agreement.
West Coast Professional Services reserves the right to refuse admittance.
These techniques are completely legal, but are being taught only to Investigators and Law Enforcement Officers. Restrictions apply. ************************************************************************************************
A statement from Michele regarding the content:
I will be talking about everything from how to make totally anonymous calls to finding the carrier of any type of line. I will be explaining how things in the Telecom work, so that you will know how to legally maneuver around any obstacle. I will show you how to skip trace and locate like never before, by using the Telecom as a database. I will tell you what the operator knows about you, who can hear you talking on the phone, how to perform all types of procedures, and I will be giving you a ton of vital information in my booklets that accompany the seminar. I will also introduce a new form of searching for skips and will open to you first, my brand new database, that encompasses EVERY numerical search you have ever seen online, plus many more new search ideas that I can teach you about in the seminar as well. For example, did you know that the type of switching your telephone company has you hooked into can allow a listen in on your lines...I will explain how to tell what kind of switching you have, and how it can either lend to the listen in, or block it. I can also show you how to use my database to find that switching for any party, and use it to trace a number to CNA, without ever picking up the phone to pretext anyone! I have brought home missing children, using the secret searches I will disclose to all of you that attend. (End)(Emphasis added)
Here is another widely distributed reference:
Here's an unedited letter from (name deleted), who just experienced the Telecom Secrets Seminar by Michele "Ma Bell" Yontef...
There are currently three days to prepare yourself, if you are attending the Los Angeles version of the "Telecom secrets" Seminar. You need to
Please pay particular attention to the reason for her disclaimers andnondisclosure forms. With all the movement and political wrangling of the privacy advocates, (READ - "reactionaries"), we can't afford to have this excellent legal source tainted by the people who would strangle our
The reference to "CNAs" means customer name and address. The reference to "non-pubs" means the ability to obtain the non-published phone number for an individual. The reference to "disconnects" means the ability to locate the new phone number, name and address for someone who disconnected a phone in addition to determining the owner of a previously disconnected phone number.
The database being designed to aid in the acquisition of information maintained by the telecommunications industry has been named "The Last Treasure". The choice of this name is intentional. It was chosen to mean that this database will be the last method available to locate the overwhelming majority of citizens should the carte blanche acquisition of credit header information be restricted. As with the pretext of financial institutions two years ago, the presenters of these classes and the developers of this database claim that this is all legal. I will leave that to others to decide. As a citizen of this country I am dismayed that my phone records can be bought and sold on the Internet. As a former private investigator that has handled several stalking cases I am well aware of the damage that can be done through the acquisition and sale of this information. As a privacy consultant, I am well aware of the fact that information obtained from the phone company can and is often used to start a financial pretext.
Should there be any doubt concerning the problems that can be created when confidential phone information is obtained, one look no further then a September 9, 2000 article by Lindsey A. Henry for The Des Moines Register:
A West Des Moines woman contends that her ex-husband tracked her down and threatened her after MCI WorldCom gave out her phone number and other information.
Peggy Hill, 33, is suing the long-distance company in federal court in Des Moines. The lawsuit says her ex-husband in Georgia called MCI at least 10 times in June 1999 asking for her billing information and the numbers she had called.
MCI representatives gave him the information and even changed her calling plan at his request, the lawsuit said. (End of Excerpt)
Here was a woman being stalked by her ex-husband and taking precautions, only to be thwarted by the ease with which her phone records were accessed:
Hill thought she had protected herself, her lawsuit says. She moved several times after her divorce in 1992. She paid for an unlisted number. She asked MCI to keep her information confidential, according to the lawsuit.
Only after Hill called to complain did MCI employees flag her account with a warning, according to subpoenaed MCI files.
"Please do not look up numbers for him or give him names of where numbers are dialed to," the notation said. "Peggy is in danger!!!!!! . . . MCI should not have given this man any information!!!!!!" (End of excerpt)
The following claim of rarity when it comes to the release of confidential phone records is laughable given the ease with which Infobrokers buy and sell phone company customer records every day and widely advertise their ability to do so on the Internet:
Sandy Kearney, an investigator for the Iowa attorney general's office, said Hill's situation was rare.
"I hear all the time from telephone companies claiming to not release information without permission," she said.
Hill's lawyer, George LaMarca, said the lawsuit should remind companies of their obligation to protect customers.
"We can't get services without entrusting our most confidential and personal information to companies," LaMarca said. "When we do that, we expect confidentiality. When that trust is breached, companies should expect to pay the consequences." (End of excerpt)
Just as this husband was able to allegedly access his ex-wifes customer records, identity thieves, private investigators, information brokers and judicial judgment collectors use similar techniques everyday to access these same records. All they need do is impersonate the customer or the relative of a customer. This common knowledge amongst identity criminals is being used as the starting point for access to personally identifiable information that can then be used to access financial information.
This committee will recall the testimony of one of the "Godfathers" of the information broker industry in this very room two years ago. Al Schweitzer instructed us all at that time that one of the most common financial pretexts begins with either a pretext call to the consumer impersonating someone from the phone company, or a pretext call to the phone company to develop personal information to be used as part of a further pretext against the consumer and/or financial institution. The problem continues today and is growing in scope and sophistication.
I would like to ring one final warning bell concerning the use of pretext and deceptive information security penetration practices. These are the very techniques that are used by individuals engaged in corporate espionage. Every day these techniques are used to steal our nations corporate and military trade secrets and other forms of confidential information. I know that our military is aware of this as representatives of the Pentagon asked me to present a private briefing after my last appearance here in 1998. I will not disclose in an open forum what I was able to demonstrate in that briefing other than to state that I believe it confirmed concerns on the part of the officials I met with in relation to a threat that could easily put our country at a disadvantage during a time of crisis.
This Committee, which oversees the safety and soundness of our Nations financial system, should be concerned about the threat that corporate espionage, both domestic and foreign, poses to the financial well being of our country. This is the "Information Age" and our country is the leader in that regard. It is precisely that leadership position which is driving this unprecedented economic boom we are all witnessing. Information technology advantages are paramount to our continued economic success. This is why information security is all-important to that success. Companies are discovering the need for computer system firewalls, yet are woefully unprepared when it comes to social engineering security penetrations and a laissez faire attitude concerning who information is disclosed to telephonically and otherwise.
Simply put. Loose lips do sink the corporate ships of today and tomorrow. The most infamous computer "hacker" on the planet, Kevin Mitnick, obtained the plans for an unreleased Motorola product by direct "pretext" phone calls to Motorola employees who then faxed him the plans to his home! If you speak to Mr. Mitnick, you will learn that he obtained just as much confidential information via "dumpster diving" and social engineering (pretext) as he ever did by a true computer hack attack.
Another method that is becoming more common is the use of a "Trojan check". An investigator or broker will create a fictitious business name and open a checking account in that business name. A small check will be mailed to the target as a "rebate" or "prize" stamped on the back "for deposit only". Once the check has been deposited and is returned to the fictitious company the banking information obtained on the back of the check can be used to further the pretext to determine the amount of funds held in the account. There is great debate in the investigative and broker communities as to the legality of this practice given Gramm-Leach-Bliley and the deceptive trade practices statutes. While the debate continues, so does the practice.
Informal networks of investigators, infobrokers, judgment collectors, and collection professionals are found all over the Internet. It is not uncommon to see requests for "contacts" in financial services institutions. Some collection professionals openly advertise their ability to provide information maintained within their files. Routinely, there are account and file numbers along with the names of targets placed on the Internet for inspection by others to determine if information can be traded or obtained.
Vehicle tracking devices are being offered for sale in order to follow or record the travels of citizens. While not directly relevant to the pretext of financial information, it demonstrates the length that some will go to in order to obtain information on citizens in the United States today.
If law enforcement agencies of State and Federal governments were caught doing these practices absent a constitutionally permissible purpose and/or Court order there would be rioting in the streets. Yet every day these events are carried out by private investigators, information brokers and judgment collectors who have no authority above that of a private citizen and no one blinks. From where I sit, my privacy is just as violated whether the intrusion comes from a person with a badge or not.
What Needs To Be Done
I would like to make some suggestions concerning what needs to be done to continue the battle against the use of fraud and deception to access financial information.
First, we need swift, aggressive, nationwide action by law enforcement to begin criminal investigation and prosecution of those who are thumbing their noses at the provisions of Gramm-Leach-Bliley and other appropriate statutes. I hope the information I provided in 1998 and today supports this conclusion.
Second, GLB needs to be amended. The narrowly crafted child-support exemption for the use of pretext is being used as an advertising shield by private investigators to hide behind while continuing the covert sale of financial information that falls outside of the GLB exemptions. The provisions of GLB that allow for pretext in a child support situation state as follows:
Sec. 521 (g) NONAPPLICABILITY TO COLLECTION OF CHILD SUPPORT JUDGMENTS- No provision of this section shall be construed to prevent any State-licensed private investigator, or any officer, employee, or agent of such private investigator, from obtaining customer information of a financial institution, to the extent reasonably necessary to collect child support from a person adjudged to have been delinquent in his or her obligations by a Federal or State court, and to the extent that such action by a State-licensed private investigator is not unlawful under any other Federal or State law or regulation, and has been authorized by an order or judgment of a court of competent jurisdiction.
The operative language is: "No provision of this section shall be construed to prevent any State-licensed private investigator from obtaining customer information of a financial institution...to collect child support from a person adjudged to have been delinquent in his or her obligations by a Federal or State court...AND has been authorized by an order or judgment of a court of competent jurisdiction." This language clearly means from both the legislative history of the act and the plain face of the statute that a judge (Court) must specifically authorize the use of pretext to obtain customer information of "a financial institution".
I am not aware of a single case where a Court has authorized a private investigator to intentionally deceive a financial institution in order to obtain customer information. It is easy to understand why this has not happened and most likely never will. The presumptive evidentiary burden that would be required to obtain such an order would easily support the issuance of a subpoena to the institution that the information is being sought from and is being contemplated for pretext. Unless Congress has evidence that financial institutions routinely falsify responses to subpoenas it is hard to fathom why this provision was placed in GLB.
Further, this section states: "to the extent reasonably necessary to collect child support from a person adjudged to have been delinquent in his or her obligations by a Federal or State court." The legislative history of this exemption was a claim made by some representatives of the private investigative industry that pretext was needed as there was no other method available to locate the financial institution holdings of deadbeat parents who lie to the Courts. This claim was not true at the time, as there are many lawful ways to pursue overdue non-custodial child support payments and many taxpayer funded agencies designed to fill that role. However, even if this argument is accepted as a legitimate historical reason for the exemption, there is no longer any legislatively justifiable reason to maintain the exemption given the provisions of the Personal Responsibility and Work Opportunity Reconciliation Act of 1996 which are now in effect and mandate that all financial institutions cooperate with the government by providing the financial information of delinquent child support parents directly to the Federal government for asset forfeiture.
The following excerpt describing this procedure is from a front-page article written by Robert OHarrow, Jr. in the Sunday, June 27, 1999 edition of the Washington Post:
As part of a new and aggressive effort to track down parents who owe child support, the federal government has created a vast computerized data-monitoring system that includes all individuals with new jobs and the names, addresses, Social Security numbers and wages of nearly every working adult in the United States.
Government agencies have long gathered personal information for specific reasons, such as collecting taxes. But never before have federal officials had the legal authority and technological ability to locate so many Americans found to be delinquent parents -- or such potential to keep tabs on Americans accused of nothing.
The system was established under a little-known part of the law overhauling welfare three years ago. It calls for all employers to quickly file reports on every person they hire and, quarterly, the wages of every worker. States regularly must report all people seeking unemployment benefits and all child-support cases.
Starting next month, the system will reach further. Large banks and other financial institutions will be obligated to search for data about delinquent parents by name on behalf of the government, providing authorities with details about bank accounts, money-market mutual funds and other holdings of those parents. State officials, meanwhile, have sharply expanded the use of Social Security numbers. Congress ordered the officials to obtain the nine-digit numbers when issuing licenses -- such as drivers', doctors' and outdoorsmen's -- in order to revoke the licenses of delinquents.
Enforcement officials say the coupling of computer technology with details about individuals' employment and financial holdings will give them an unparalleled ability to identify and locate parents who owe child support and, when necessary, withhold money from their paychecks or freeze their financial assets. (End of excerpt) (Emphasis added by Robert Douglas)
OHarrow went on to describe in more detail how the new system operates:
Next month, financial institutions that operate in multiple states -- such as Crestar Financial Corp., Charles Schwab & Co. and the State Department Federal Credit Union -- will begin comparing a list of more than 3 million known delinquents against their customer accounts. Under federal law, the institutions are obligated to return the names, Social Security numbers and account details of delinquents they turn up.
The Administration for Children and Families will then forward that financial information to the appropriate states. For security reasons, spokesman Kharfen said, the agency will not mix the financial data with information about new hires, wages and the like. Bank account information will be deleted after 90 days.
In a test run this spring, Wells Fargo & Co. identified 72,000 customers whom states have identified as delinquents. NationsBank Corp. found 74,000 alleged delinquents in its test.
Later this year, smaller companies that operate only in one state will be asked to perform a similar service. Officials say most of these institutions will compare their files against the government's. But some operations that don't have enough computing power -- such as small local banks, credit unions and securities firms -- will hand over lists of customers to state officials for inspection. States can then administratively freeze the accounts.
In California, more than 100 financial institutions have already handed over lists of all their depositors to state officials, including names, Social Security numbers and account balances, a state official said. (End of excerpt) (Emphasis added by Robert Douglas)
Finally, the exemption places GLB in direct conflict with other federal statutes outlawing wire and mail fraud and unfair and deceptive trade practices. The exemption also places GLB in direct conflict with many State laws and creates nothing short of a judicial quagmire.
Simply put, there is no legitimate reason to continue the child support exemption to Gramm-Leach-Bliley. There is a legitimate reason to strike it from the statute as companies are using it as pretence to advertise their ability to locate financial institution customer information. All the ad need say is the request must be in compliance with applicable laws and that all requests are performed on that basis. Once the investigator is comfortable that the requestor is not law enforcement running a sting operationthey sell any information in complete disregard of the law. Our survey proved this ten times over.
Third, financial institutions must continue the work they have started to take every precaution necessary to teach all banking employees about the methods associated with identity theft and pretext so that employees can spot fraudulent acts and know what to do when an act is detected. This will require regular and ongoing education, training and auditing programs to maintain the highest level of information security possible. Infobrokers and identity thieves are constantly developing new techniques and methods. The financial services industry must work to stay abreast of these techniques.
Fourth, the federal regulatory agencies must also continue to stay abreast of information security threats and implement appropriate standards and regulations. Audits need to assess the effectiveness of programs in place.
Finally, this Committee must continue on a regular basis to exercise the appropriate oversight functions necessary to ensure that agencies of the federal government continue to take every step available to stop illegal access of personal and confidential customer information. I know that we are late in the Congressional session and that Chairman Leach will be passing the baton next year. I also am aware that when the baton passes there may be changes in the staff of the Committee. I genuinely hope that no matter who takes up the leadership of the Committee and no matter from which side of the aisle, that there will continue an institutional memory to follow this issue. I truly believe it is of profound import to the health of our financial services industry in this country.
In closing, when I appeared before this Committee in 1998 I recited a long laundry list of the dangers posed by the deceptive methods in use by some private investigators and information brokers to gain illegal access to confidential and protected information. There were some who found it hard to believe that what I claimed was true or as serious as I presented the problem. However, those in the investigative and information broker industries who were practicing these techniques knew that I had spoken honestly and were not pleased to have sunshine illuminating their practices. I soon began fielding phone calls from across the country. The hearing had been carried on C-SPAN. In brief, the attention to these techniques was not well received by some. I was condemned by many and even received two death threats.
I mention this because the information being obtained illegally is in many cases both quite serious and lucrative for those buying and selling it and often places others in physical danger. One needs to look no further than the case of James and Regina Rapp of Touch Tone Services to see that this is true. They were running a million dollar a year operation in Denver Colorado with numerous employees when Denver and Los Angeles law enforcement officers caught up with them along with the FTC. Why so many agencies? A short list of the Rapps alleged activities points to the answer.
The following allegations were reported: Touch Tone had accessed and sold information concerning undercover Los Angeles police detectives including their private unlisted phone and pager records to a member of the "Israeli mafia", placing the lives of the officers, the officers families, the officers confidential informants, and active organized crime investigations in danger. Touchtone accessed and sold information concerning the murder of Ennis Cosby, son of famed comedian Bill Cosby. Touchtone accessed and sold personal and confidential information regarding the Columbine High School massacre victims and families including home addresses, unlisted home telephone numbers, banking, and credit card records.
Touchtone inserted itself into the Jon Benet Ramsey investigation. Here is a list written by James Rapp to a California private investigator outlining the Rapps work in the Jon Benet Ramsey murder investigation:
Here is a list of all Ramsey cases we have been involved with during the past lifetime (sic).
1. Cellular toll records, both for John & Patsy.
2. Land line tolls for the Michigan and Boulder homes.
3. Tolls on the investigative firm.
4. Tolls and home location on the housekeeper, Mr. & Mrs. Mervin Pugh.
5. Credit card tolls on the following:
a. Mr. John Ramsey, AMX & VISA
b. Mr. John Ramsey Jr., AMX.
6. Home location of ex-wife in Georgia, we have number, address & tolls.
7. Banking investigation on Access Graphics, Mr. Ramsey's company, as well as banking information on Mr. Ramsey personal.
8. We have the name, address & number of Mr. Sawyer & Mr. Smith, who sold the pictures to the Golbe (sic), we also have tolls on their phone.
9. The investigative firm of H. Ellis Armstead, we achieved all their land and cellular lines, as well as cellular tolls, they were the investigative firm assisting the Boulder DA's office, as well as assisting the Ramseys.
10. Detective Bill Palmer, Boulder P.D., we achieved personal address and numbers.
11. The public relations individual "Pat Kroton" (sic) for the Ramseys, we achieved the hotel and call detail where he was staying during his assistance to the Ramseys. We also have his direct cellular phone records.
12. We also achieved the son's John Jr.'s SSN and DOB.
13. During all our credit card cases, we acquired all ticket numbers, flight numbers, dates of flights, departing times and arriving times.
14. Friend of the Ramseys, working with the city of Boulder, Mr. Jay Elowskay, we have his personal info.
Of course, all the above have been repeatedly asked for over and over again.
Let me know if I can be of further assistance in this or any matter. (End of letter)
This one company, Touchtone, had a client list of more than 1,200 spread across the country. Another local Montgomery County, Maryland private investigator admitted to obtaining the phone records of Kathleen Willey, a witness in the criminal investigation of President Clinton. These are just two companies. There are dozens of companies still in operation today. There can be little doubt as to the serious implications of the activities of these companies.
Mr. Chairman and members of the Committee, as I leave you today, I hope that the time and effort I have placed in this testimony will serve as a blueprint for further examination by this Congress of matters deserving attention. Thank you.