Ever wish you were somebody else? Well, thieves have been making it happen at a more rapid pace, hijacking the identities of mutual fund customers and other patrons of the financial services industry and reeking havoc at an alarming rate.
The fund industry has had its collective consciousness concentrated squarely on the scandals the last eight months, but identity theft has become the fastest-growing crime in the country, according to the Identity Theft Resource Center, a San Diego-based not-for-profit organization. The crime may quickly place fund firms in an uncomfortable position if they have to notify customers about security breaches and risk a further loss in confidence by the investing public. Some state governments are now requiring firms to alert customers of security breeches.
International Data Corp., a Framingham, Mass.-based consulting firm, says on its Web site that electronic identity theft cost banks and mutual fund firms more than $4 billion last year. The Federal Trade Commission said it received nearly 215,000 complaints of identity theft in 2003, a 32% increase from 162,000 the year before. However, those are just the number of complaints reported to the agency and do not include a tally for the countless victims who never file reports.
Estimates of the actual numbers are mind numbing. The FTC estimates that there are almost 10 million new cases each year of identity theft. Gartner, a global information technology research and analysis firm based in Stamford, Conn., said seven million U.S. adults became victims of identity theft in the 12 months leading up to June 2003. That translates into 3.4% of the nation's consumers and more than 19,000 victims each day.
Bryan Fite, an expert in Internet and systems security, said that hackers are using viruses to penetrate firms' internal systems to gain access to identification information and databases. "The virus grabs all the info it can collect from a machine and puts it in a public forum," Fite said, noting that the culled information is often posted in a Web chat or what he equated to the Internet's version of a classified section of a newspaper.
By now, most television watchers have seen the Citi Identity Theft Solutions commercials. One spot depicts an elderly woman cleaning her swimming pool, but when she opens her mouth, the viewers hear the voice of a hillbilly who has apparently swiped her identity. He talks about how he purchased mud flaps with naked women on them for his truck using the elderly woman's credit. Another dubs the voice of a teenage boy talking about how he will now have money to make his "girl robot."
While credit card fraud is a leading cause of identity theft, it is by no means the only vulnerability. Criminals are unlikely to open up a mutual fund account like they would a credit card account with a lifted identity. Opening a long-term account would increase a criminal's risk of being caught, and right now the odds are in their favor.
The vulnerabilities in the fund industry lay with the sensitive individual identifying information possessed by each firm for every account, that, if not safeguarded properly, can lead to criminal activity.
In fact, one of the largest identity theft scams in history involved some well-known brokerage houses and banks such as Fidelity Investments, Merrill Lynch, Goldman Sachs and Bear Sterns. A Brooklyn busboy gained access to account and credit card information of some of the richest people in America, including Oprah Winfrey and Ted Turner.
The perpetrator was caught when he requested to transfer $10 million out of the account of Thomas Siebel, founder of Siebel Systems. Siebel was notified of the transaction because it would have created an imbalance in his account.
Not all identity theft schemes are pulled off by computer geniuses and hackers, though. Unbelievably, criminals often obtain information they can use to steal identities by a method authorities call "dumpster diving." Basically, financial services firms are not always as diligent as they should be when disposing of records they no longer want to keep. Bundles of documents that are placed in a dumpster behind banks or brokerages can be swiped.
Mutual fund firms have access to very sensitive information," said Mari Frank, a privacy consultant, author of the Identity-Theft Survival Kit and a victim of the crime herself. "But, in their zest for worrying about the technology, firms totally forget about offline access." Frank suggests firms limit the amount of information that they do collect, encrypt files when possible, and make sure hard copies of documents are destroyed when they are no longer needed. She hires a firm to shred documents, but makes them do it at her office, she said.
Diana Moneta, principal of Investigative Consultants International, a New York-based global risk consultant, said "the vulnerability in the fund industry and financial services industry, is with the people themselves." She said that often people leave post-its with passwords in plain sight of others. Moneta also noted that often a large number of people have access to sensitive information, even lower-level employees who don't need access.
Moneta suggests that firms limit the number of people who touch sensitive information and make sure to do thorough background checks of anyone who will have access to personal information of clients. Dirty employees can sell or distribute personal information, such as Social Security numbers, mother's maiden name, passwords, etc., to hundreds, if not thousands of other criminals.
Further contributing to identity theft is the sharing and selling of information between financial services firms and outsourcing, experts say. Foreign countries often have even looser regulations and enforcement of identity theft than here in the U.S., and tracking down criminals in foreign nations is often a headache for authorities.
Despite one sparsely attended conference session in the fall of last year, the Investment Company Institute said it has not conducted any major studies or provided any sort of concerted education effort among its member firms. "Identity theft can happen in so many ways, but for the mutual fund industry to think they're immune would be a big mistake," Frank said.
Copyright 2004 Thomson Media Inc. All Rights Reserved.