By JONATHAN D. EPSTEIN
News Business Reporter
Banks, retailers, insurers and others are taking steps to tighten security and reduce the use of
Social Security numbers to protect consumer information and prevent identity theft.
The efforts are part of the battle against a growing crime that can strike people almost a random:
the buying goods and services on credit using someone else's identity.
Consumer advocates have long complained that companies are collecting and storing too much
information on consumers. They also say the information isn't protected well enough from theft or
misuse by would-be criminals both outside and inside the companies.
In particular, advocates criticize the rampant use of Social Security numbers for employee or
customer identification.
Originally intended for Social Security benefits, the nine-digit number has been commonly used on
health insurance cards, employee IDs, driver's licenses and for passwords. Companies ask for it by
phone. Even government agencies use it.
Social Security numbers are one of four primary requirements for obtaining loans, getting credit
cards, opening bank accounts or even receiving other nonfinancial services.
Together with a name, address, and phone number, the Social Security number can give a thief enough
to open credit in someone else's name.
"It's very important to get away from using the Social Security number," said Jay Foley,
co-executive director of the Identity Theft Resource Center, a San Diego nonprofit. "There's too
many liability issues for the companies that do use it."
Two of Western New York's big three health insurers are dropping the use of Social Security numbers
for member identification this year, switching instead to random numbers. Several local banks have
also stopped using them for passwords and other uses, except where necessary.
Even so, the numbers and plenty of other information can be found online by people willing to take
the time and spend some money.
"I don't even know if stopping the use of Social Security numbers will solve the problem," said
Robert Hammond Jr., the Riverside, Calif.-based author of "Identity Theft: How to Protect Your Most
Valuable Asset."
"That number is out there in so many ways, that if someone really wants it, they can find it," he
said.
According to a September 2003 study for the Federal Trade Commission, an estimated 10 million
Americans are victims of identity theft each year, costing businesses and consumers about $50
billion. Almost all of that is absorbed by businesses.
April Riley, a 53-year-old Erie County Medical Center nurse, recently discovered she was a victim
when she received a letter from cell phone company T-Mobile. Someone had opened an account with five
phones in her name, prompting T-Mobile to get suspicious and close it.
She then received seven credit cards in the mail that she hadn't applied for from clothing retailers
such as Macy's, Limited, and Ashley. All were opened at stores in Georgia, and were charged to their
limit. She also got a letter from a jeweler, thanking her for her $3,500 purchase, and letters from
retailers that denied her credit.
Most accounts are now closed. She filed a police report, and alerted the credit bureaus.
"It's a hassle," she said. "I've worked so hard for what I have. And then you're always wondering
what else do they know and what else can they get of mine?"
Last year, the FTC received 635,173 actual consumer fraud complaints, of which 39 percent were
identity theft. The Buffalo area reported 682 identity theft cases, ranking it 44th among
metropolitan areas nationally, and third in the state behind New York City and Rochester.
In the past, criminals obtained information by "dumpster-diving" in the trash, retrieving employment
or credit applications with Social Security numbers, names, addresses and other information. But as
companies have amassed billions of computer records, thieves have been hacking into computer
systems.
Data has also been stolen by employees. And thieves send out mass "phishing" e-mails to millions of
consumers or set up fake Web sites, pretending to be familiar companies to trick people into
divulging information.
Experts say consumers should take steps to prevent identity theft. But recent losses of information
from retailers, banks and data firms raise questions about their responsibility, and draw attention
to what is being done to prevent such losses.
Already, 13 states - but not New York - prohibit the use of Social Security numbers for
identification. Schools are shifting away from it as well.
The new federal Medicare law requires insurers to move away from using the numbers for Medicare
plans. And the national Blue Cross Blue Shield Association, which licenses the Blues plans, mandates
that its companies stop using Social Security numbers for ID by year-end.
HealthNow New York's Blue Cross Blue Shield of Western New York said it's adopting secure numbers in
late May, although it will take several months to get new insurance cards to its 900,000 members.
The move will be done by year-end, said Donald Ingalls, vice president of government affairs and
community relations.
It will still use Social Security numbers for enrollment and to coordinate benefits.
Univera Healthcare in February began converting to letters and numbers that don't repeat. The
insurer finished in mid-March, and is mailing new cards.
Its Rochester parent, Lifetime Healthcare Cos., has been making the change for two years at its
Excellus Blue Cross Blue Shield unit. Lifetime has 2 million members.
"It's been a long and complicated process, and we want to make sure we get it right," said Jim
Redmond, spokesman for Excellus, which processes 51 million claims a year.
Independent Health Association still uses Social Security numbers for most of a member's ID, but may
change to a random code. For now, at a member's request, it will black out much of the ID number
with "X"s, even on cards.
"We've been listening to our customers and recognized that we needed to change," said Bob Hoover,
senior vice president, chief information officer and corporate security officer. "You read the paper
on a daily basis, and this is a real issue."
Even banks like HSBC Bank USA, KeyCorp, and Citizens Financial Group no longer use Social Security
numbers as account passwords for online or telephone banking. Instead, they use codes chosen
randomly or by customers, or ask only for the last four digits.
But banks still need the full number for credit checks and tax purposes, and must ask for it under
the USA Patriot Act when a new account is opened. And lenders say that without the Social Security
or another consistent number, fraud will only increase because verifying identity will be even
harder.
However, the efforts go beyond the use of the Social Security number. In the last year, information
on more than 2 million consumers was lost or stolen from data firms ChoicePoint and LexisNexis,
California State University, Bank of America and three other banks, and retailers BJ's Wholesale
Clubs, Polo Ralph Lauren and DSW Shoe Warehouse.
Critics say some of this could have been prevented. Visa and MasterCard bar retailers from storing
data from magnetic stripes of credit cards. Yet some of the data was stolen from retailers.
They also say companies should be responsible for alerting consumers to risks. California now
requires companies that have had security breaches to divulge that to consumers. And in March,
regulators began requiring banks to disclose if private information is stolen and is likely to be
misused.
"You can't just put it on the companies, but they have a lot of responsibility because they're the
ones using this data," Hammond said.
Companies say they're responding. "It's almost impossible to create a perfect system, so there are
still going to be some breaches from time to time," said J. Craig Sherman, spokesman for the
National Retail Federation. "But the recent incidents have companies looking to see where they can
plug as many holes as possible."
Retailers, insurers, lenders and others have enhanced computer "firewalls," passwords and security
procedures, on their own or in response to laws like the Health Insurance Portability and
Accountability Act.
"The hackers have a lot of free time, and they're out there developing programs to gain access to
our systems," said Hoover of Independent Health, which hires Computer Task Group to audit its
security and policies. "You have to put up a wall that makes it harder."
Health insurers must train employees on confidentiality, limit how much information they give out
and to whom, and verify identities. Confidential documents must be cleared off desks daily and
locked up.
"This is not a one-shot deal," said David McDowell, senior vice president and chief information
officer for Lifetime, which has spent as much as $20 million since 2001 on privacy, and $1 million a
year to upgrade security. "This is something that started many years ago and goes on forever."
Computer terminals also must be "locked" if someone leaves their desk, so that information is not
accessible until a password is re-entered. Anything sent to medical offices must be encrypted. And
visitors are not allowed where personal information is available.
In the banking world, KeyCorp screens all outgoing e-mail messages, blocking those containing what
appear to be account or Social Security numbers. It also limits how much data can be sent out.
Paper documents that are not needed are shredded. Any remaining documents are locked up in vaults or
long-term storage sites with limited access.
"It's becoming crystal clear that more and more companies are paying attention to the identity theft
issues, but there's still a lot of work to be done," Foley said.
e-mail:
jepstein@buffnews.comTips to prevent identity theft
* Don't carry Social Security card
* Shred documents with personal information
* Check credit reports with all three major credit bureaus at least once a year (Experion, Equifax,
and TransUnion)
* Check bills for accuracy
* Don't use obvious passwords, like your mother's maiden name, and don't keep them written in your
wallet or purse
* Don't give personal information over the phone unless you make the call
* Don't respond to email requests from companies to verify your information; they're probably
fraudulent
* Report lost credit card, driver's license, or Social Security card immediately
If you are the victim of fraud or identity theft
* Contact credit card companies and banks immediately and close the account
* Report the fraud to the three major credit bureaus
* Report the crime to the police, and obtain a report number from them
* Contact the Federal Trade Commission at (877) ID-THEFT
Source: News research
Copyright 1999 - 2005 - The Buffalo News
http://www.buffalonews.com/editorial/20050522/1030147.asp
