It Takes a Village to Catch a Thief
Law enforcement officials partner across organizational lines to fight identity theft. But they face multiple challenges: lack of funding, evolving technology and the fast-growing nature of the crime.
Thursday, July 14, 2011
The investigation by the Bay Area Identity Theft Task Force began after a City of Oakland employee found out that someone using another name had cashed a check with her account information on it. Four months later, in mid-May, the case ended with the shutdown of what Oakland police called the biggest identity theft operation they had ever seen—a “one-stop shop” allegedly run by Mishel Caviness-Williams out of her Hayward apartment.
The list of items seized by authorities read like a page from an identity theft how-to manual. It included card printers, laptops, thousands of pages of blank checks with no bank name or account information on them and more than 900 blank cards that could be used to manufacture fraudulent ATM, debit and credit cards. Also taken from the apartment were documents containing the names, Social Security numbers and birth dates of thousands of individuals, along with ID cards and credit cards from possible victims who lived in other states.
In a particularly cinematic stroke, police also found phony driver’s licenses containing Caviness-Williams’s photo—but with different names.
The Bay Area task force’s work provides a vivid example of how law enforcement officials are partnering across organizational lines to make identity theft a priority. The task force included the U.S. Secret Service, Oakland police and other agencies. Caviness-Williams was charged with 20 counts of identity theft, forgery, forgery of a driver’s license and grand theft stemming from one victim’s loss.
Among other things, collaboration between agencies enhances information sharing, promotes efficiency in investigations and helps when it comes to sorting through jurisdictional issues—one of the more confusing aspects of identity theft. (Consider: Who assumes an investigation when a San Francisco resident goes to her local police with a report of fraudulent credit card charges committed in New York?)
“Pure identity theft is best handled through local reporting and task force investigation, meaning multilayered organizations—task forces with state, local and federal investigators teaming up,” said Bill McSweeney, chief of detectives for the Los Angeles County Sheriff’s Department.
McSweeney’s office is the lead agency for the Los Angeles Regional High-Tech Task Force, a cybercrimes investigative and forensics unit serving the greater L.A. metro area. While some parts of the U.S. have identity-theft-specific task forces, the L.A. regional task force is among the many that investigate identity theft in connection with related crimes.
In New England, for example, the Connecticut Financial Crimes Task Force routinely makes arrests that include charges of aggravated identity theft along with others such as bank fraud. A survey of their cases in 2010 and 2011 finds several in which criminals created counterfeit bank cards using information stolen via “skimming devices” installed at ATMs and the card-swipe access devices used by banks to control entry to ATM lobby doors. The counterfeit cards were then used to withdraw funds from customers’ accounts.
“The task force concept is the best thing that has happened to law enforcement in years,” said Dick Hudak, a CyberScout board member and managing partner of Resort Security Consulting Inc., a firm that provides security solutions to hotels and expert testimony in liability cases. “It’s effective in response to terrorism, bank robberies, theft from interstate shipment and other crimes. It’s critical in identity theft resolution. The collaborative approach to law enforcement is essential in this day and age in which borders between states and international lines are virtually open, and the Internet makes borders almost irrelevant.”
Of course, not every police department has the budget for creating specialized, joint task forces. (Or, as in the case of the L.A. group, is funded by the state.) Much greater priority is placed on homicides and other violent crimes. What’s more, as identity thieves become more sophisticated in their schemes, significant financial resources must also be put toward improving police investigative techniques, providing niche training for law enforcement and raising public awareness.
“The issue—more than solving any given case and catching any particular offender—is the overwhelming volume,” McSweeney said. “At some point, you say, ‘We can’t investigate our way out of this.’ The volume builds much faster than our capacity to deal with it, and it is becoming a whole new and severe resource question.”
More than 8 million Americans fall victim to identity theft annually, costing consumers and businesses tens of billions of dollars each year, according to Javelin Strategy & Research.
Somewhat perversely, the recent string of high-profile data breaches may be what’s needed to change attitudes in a lasting way.
In the wake of the incidents at Sony and Epsilon—which compromised the personal information of millions of Americans—lawmakers immediately called for reform. Sen. Richard Blumenthal, a Connecticut Democrat, sent a letter to U.S. Attorney General Eric Holder in late April requesting an investigation into the Epsilon data leak. In early May, a House subcommittee held a hearing titled “Threat of Data Theft to the American Consumer.” The hearing examined the risks related to data breaches, the state of ongoing investigations, current industry data security practices and available technology. President Obama, meanwhile, has proposed the adoption of a federal data-breach notification policy.
Whether all the attention will translate into legislative action—and into the loosening of purse strings—remains to be seen. But without funding to attack the problem, McSweeney sees only more cases piling up for investigators. The solution then?
“Prevention,” he said. “Education for anybody that has the potential to put sensitive information in public view. We have to caution them about keeping their vital information as private as they can and not carelessly making it available for others to see.”
© CyberScout, LLC. All Rights Reserved.