It was a four-day shopping binge across New York City that quickly racked up $30,000 in charges on Jonathan Franklin’s credit card – a haul that included clothes from Versace and gear from the Apple Store.
But Mr. Franklin, a New Jersey business executive, didn’t buy any of it.
Franklin only heard about the purchases when a fraud investigator with his credit card vendor called and and ticked off the laundry list of luxury items showing up on his account.
It took a moment for it all to register. But then “the full magnitude hit,” he said. “This nauseous feeling of, what if I was going to be held responsible for these charges?”
Franklin, whose name has been changed in this story, is one of the tens of millions of Americans whose identities were stolen in recent years. Roughly 12.7 million US consumers were victims of some kind of identity fraud last year, according to Javelin Strategy & Research, a business research firm. It's a staggering number, but perhaps no surprise as increasingly sophisticated hackers target online databases that store personal information such as Social Security numbers and bank account details. Last year, 761 security breaches exposed more than 83 million records, according to the Identity Theft Resource Center.
Aware of the dangers of identity theft, the questions started racing through Franklin’s head: Had there been 10 credit cards taken out in his name, all maxed out? And why was the fraud investigator only calling him now?
The fraud investigator said that Fidelity, where Franklin’s account was located, had repeatedly tried to reach him, to no avail. This puzzled Franklin. He and his wife had been home with out-of-town guests over the weekend. They went out to dinner, and visited New York City, but largely stayed in the house.
Then Franklin remembered that just before the weekend his daughter had tried to calling their home. Her call was transferred to an answering machine with someone else’s voice on it. All it said was, “Leave me a message.”
Franklin knew about the glitch but figured it was weather related. “We didn’t immediately react and get on the phone with the phone company because, hey, who uses the home phone anymore?”
But it wasn’t the weather. The criminals who stole Franklin’s identity had actually called Comcast and convinced them to put in place a forwarding phone number for that home line. They had enough of his information to satisfy the typical security systems in place.
Hearing all this, his wife was scared. “Should I be concerned,” his wife asked, “for my personal safety?
“If they have all this information – and our address – what keeps them from doing a home invasion instead of a virtual invasion?” she asked.
Twenty years earlier, the Franklins’ home had been broken into. He and his wife were living in Ohio at the time.
They only found out about the robbery when police contacted them, saying they found pictures of their daughter in a raid on a suspected pedophile’s house. The officers later told the Franklins the suspect had likely seen playground equipment at their house and deduced kids lived there. He stole loose cash and pictures of their daughter, nephews and other kids from the top of their TV stand.
In many ways, this crime – which the Franklins missed coming, and needed someone else to point out after the fact – felt no different than the identity theft. “That sick feeling of, ‘Wow, someone knows my personal information and broke into my world and stole or tried to steal from me,’” Franklin said, “wasn’t any different getting physically robbed than being virtually robbed.”
The Criminal Mind
According to fraud investigators, the identity thieves who eventually stole money from Franklin started small, only gradually building up to the credit card heist.
First, they likely trolled public databases to find Franklin’s birthday, his address in New Jersey, his phone number. To do this, they could have used cheap background search tools or credit reports. They also had his Social Security number, which the thief either obtained by hacking into a database that stored this information personally, or buying it off the black market. Using this, they were able to answer Franklin’s online security questions for his home equity line of credit.
No one had noticed that first breach until the hackers submitted unusual requests to the credit union, and tried to have the statements forwarded to a new address.
When Affinity Federal Credit Union alerted Franklin, he was relieved to hear no money was stolen. But the credit union recommended he work with IDT911, a fraud protection company with a relationship to the biotech company where he works in New Jersey. With the company’s help, Franklin put a freeze on his credit and put all the security systems in place on his accounts at Goldman Sachs – including a private banker assigned to call or e-mail him if there were any unusual requests.
“We thought it was over pretty quickly and there wasn’t any real damage,” Franklin said. “We just kind of said, ‘OK this is scary – but not that big a deal.’ ”
But there was one card Franklin was supposed to close after that initial breach to his credit line in December, right before the holidays.
The credit card was linked to a college savings plan. When he spent money, the bonuses would be credited to help foot the bill for his daughter’s education instead of, say, airline miles. He hadn’t touched the card since his daughter graduated the summer before. When the initial breach happened at the credit union months before, Franklin completely forgot about it. It was completely separate from his primary accounts.
Three months later, when his guard was down, that was the card the hacker targeted. Despite Franklin’s efforts to secure his digital presence, the thieves were able to use it to buy $30,000 worth of luxury items.
When you least expect it
Fidelity quickly agreed to cover the fraudulent credit card charges. Still, Franklin became obsessive; it took him two weeks to figure out almost all the avenues an attacker could compromise. He closed down almost all his credit cards.
Even though he never paid the $30,000, Franklin will have to worry about the consequences of his data being exposed.
“If they have your Social Security Number, your name, address and date of birth, they can do whatever they want, for as long as they want,” says Adam Levin, chairman of IDT911, the company helping Franklin recover from his identity theft.
For instance, identity thieves can submit false tax returns in your name and steal refund money, or get medical care in your name. “You go in for an appendectomy, and are told you can’t be pre-certified for two appendectomies – somebody already did it a long time ago,” Mr. Levin said, using an example from past cases. Thieves can commit crimes and give false identification, creating new victims with arrest records they don’t know about. “You’re driving along the road, pulled over for a busted tail light,” Levin said, “and all of the sudden you’re surrounded by guys with guns saying, ‘Get on the ground.’”
Franklin’s identity thief waited three months to strike his credit card after infiltrating his home equity credit line. But hackers often wait longer – even years – after an initial digital break-in to impersonate their victims. It’s part of a strategy, Levin says, to wait until people relax their monitoring of online accounts and think the threat is gone.
Franklin is deeply afraid the saga is not over. “There’s this underlying sense of anxiety we’re still not through this. With the amount of information they have, and the skills they obviously possess, this could just be a recurring thing for, God, who knows how long.”
With security breaches proliferating – from Anthem health care, to JP Morgan, and retailers such as Target and Home Depot – there’s an abundance of personal information flowing to the black market. “You have to assume, unfortunately, that somebody’s got your information,” Levin, who is also founder of Credit.com. “And the truth is, once they have your Social Security number, they have an option on your life. It’s purely their decision as to when they wish to use it. Your information could have been sold, and sold again.”
The perfect crime
Despite the emotional toll the theft took on him and his family, Franklin was dismayed to see how the credit companies and retailers viewed identity theft as a “victimless crime.”
Going through the process to wipe the charges, Franklin came to understand the competing priorities. “My primary concern is to protect my personal financial situation,” he said. The credit card company’s concern, he said, was to get reimbursed for those fraudulent charges from the retailer. The retailer will investigate whether they met all their responsibilities. If so, their business accident insurance would kick in and cover the cost. “It became apparent to me that everybody wants to cover their loss,” he said, “and as long as their loss is covered they move on to [handling] tomorrow’s fraud.”
It is harder for Franklin to move on, however, knowing his identity thief still has control over his personal information. He asked multiple investigators about how he could help hold the thief accountable.
The investigators said he could file a police report if he wanted, but because it was not a physical attack or robbery, it wouldn’t be at the top of the police force’s list. “[The investigator said] ‘Honestly, most police departments are so overburdened, relatively low level white collar crime is not something that’s going to illicit a very strong response,’” Franklin said.
A police report wasn’t even required by the credit company to get the charges cleared. “Everybody was realistic,” he says, about the prospects for criminal action. He’s looking into filing a complaint with the Federal Trade Commission. “But it’s kind of like, who am I going to accuse of the crime?”
There’s no business, no individual to name, Franklin notes. The police, fraud experts say, often face the same issue: These cybercriminals are incredibly tough to track, and even if found, may be outside the local jurisdiction or even the US.
“In some way, I’m seeking some sense of justice,” Franklin said. “But it’s likely not going to happen.”
The silver lining, however, to the proliferation of breaches that expose people’s personal information is that there are more solutions available for consumers to protect themselves from the most damaging consequences of identity theft – from credit monitoring, fraud detection, and even instant alert services that can give potential victims warning when thieves are in the process of opening new accounts. Also, identity theft resolution services are increasingly available through insurance companies, credit unions, or through the workplace.
'It could have been anybody'
Franklin often thinks about his hacker. He empathizes with him. “He’s clearly talented at being a thief,” he says. His digital skills, clearly, are on point – and could likely earn him a legitimate job with a high salary. “What a shame they don’t apply that time, talent, and energy into something redeeming,” he laments.
Franklin’s identity thief knows his name, his old passwords, his Social Security number, his address – enough information to hold his money and phone line captive for days.
All Franklin knows about his attacker, however, is the sound of his voice. He had called to hear the mysterious voicemail when his daughter initially told him about the phone problems. In Franklin’s mind, is his identity thief a hooded geek hunched over a computer? A sinister criminal from another country?
“From the voice on the answering machine, it sounded just like a regular guy. It sounded like a middle-aged, gruff-sounding American guy saying, ‘Leave me a message.’” Franklin said. “In some ways, that’s more disturbing, because it could have been anybody.”
Franklin has one regret: He didn’t leave him a voicemail, when he had the chance. “You can imagine what I would have said.”
*Names have been changed to protect the victims of identity theft