For lawmakers, identity theft a kettle of phish

President Bush is set to sign into law a bill that mandates minimum sentences for ID fraudsters, including Net-reliant "phishers."

Stay on top of the latest tech news with our free IT News Digest e-newsletter, delivered each weekday. Automatically sign up today!

By Declan McCullagh
Staff Writer, CNET

The latest innovation in identity fraud typically begins with an unexpected e-mail message from a financial institution proclaiming something like: "Your account information needs to be updated due to inactive members, frauds and spoof reports."

Anyone who clicks on the included hyperlink and types in their personal details is unwittingly connecting not to their own bank, but to a scam artist engaged in the for illegally obtained credit card numbers, bank account information, and Social Security numbers.

President Bush is scheduled to sign on Thursday a bill that would boost criminal penalties against phishing and many other forms of identity fraud, also called identity theft. Known as the , or ITPEA, the measure sets up punishment guidelines for anyone who possesses someone else's identification-related information with intent to commit a crime.

Though solid numbers are hard to come by, identity fraud has been called the fastest-growing crime in the United States, affecting millions of Americans at a cost of billions of dollars a year. The Federal Trade Commission that 10 million Americans become victims of identity fraud a year, while researcher Gartner at around 7 million.

It's a problem that appears to be growing quickly. The Social Security Administration says reports of misuse of Social Security numbers have leaped from about 11,000 in 1998 to 65,000 in the 2001 fiscal year. Bank fraud is also on the rise, according to the FBI, which warns that terrorists have relied on false identification documents.

"Once it is damaged, it can take years to completely clear one's credit history, and in the meantime, the obstacles pile up," said House Judiciary Chairman F. James Sensenbrenner, R-Wisc., after the House of Representatives in June. "Purchasing large items like cars and homes becomes almost impossible because the victim is unable to qualify for a decent loan rate—if he or she qualifies at all."

Mandatory minimums
By mandating minimum prison sentences, ITPEA is designed to deter the type of identity fraudsters who have been prosecuted but have received little jail time. A House report says one woman, Dolores Rodriguez, surreptitiously worked under her husband's SSN while receiving more than $80,000 in disability benefits—but was sentenced only to home confinement and probation. In another case, after Diana Fergerson pleaded guilty to stealing another person's identity and obtaining credit and Social Security benefits, she was sentenced to five years probation and restitution.

ITPEA would toughen those penalties. It says that anyone who, while engaged in any of a long list of crimes, knowingly "transfers, possesses, or uses, without lawful authority" someone else's identification will be sentenced to an extra prison term of two years with no possibility of probation. Committing identity fraud while engaged in sometimes associated with terrorism—such as aircraft destruction, arson, airport violence or kidnapping top government officials—gets an automatic extra five years.

In addition, ITPEA rewrites of the current law, which restricts only transferring or using someone else's ID. That 1998 law was part of Congress' to tackle identity fraud. After Bush signs ITPEA, merely possessing the "identification of another person with the intent to commit, or to aid or abet" a crime will be illegal.

Chris Hoofnagle, deputy director of the in Washington, D.C., says that ITPEA is intended to encourage prosecutors to bring more ID fraud cases.

"A big problem in identity theft comes from lack of enforcement," Hoofnagle said. "There are problems with state authorities who tend not to want to deal with the problem. If you're a Washington, D.C., resident and someone in California steals your identity, both Washington and California police will play ping-pong with your case to avoid dealing with it. They have other priorities. Enforcement at a federal level may deter the crime and provide the opportunity to capture thieves who are evading state enforcement."

But ITPEA's mandatory minimum prison terms have irked some Democrats, who say judges should be granted considerable leeway when handing out sentences.

"Congress is not in a better position to determine what the appropriate sentences are in individual cases before the crime occurs than a judge is when he has heard the evidence," , D-Va., said at a House committee meeting on May 12. "Mandatory minimum sentences not only defeat the rational sentencing system that Congress adopted, but (they also) make no sense in our separation-of-powers scheme of governance. Moreover, the notion that mandating a two- or five-year sentence to someone who is willing to risk a 15-year sentence already is not likely to add any deterrence."

Phishing season over?
Though not all the reasons for the reported rise in identity fraud are clear, most appear to stem from relying on SSNs as a means of identification, coupled with the dramatic growth in credit card use in the past 20 years. The U.S. Justice Department Americans to be extremely cautious before divulging their SSNs.

Laptops can be rich sources of personal data for thieves, as the University of California recently, warning 145,000 blood donors that they could be at risk for identity theft due to a stolen university laptop. In 2002, the IRS it lost 2,300 computers that potentially contained personal information about American taxpayers. In addition, persistent bugs in Microsoft Windows and Internet Explorer to seize control of a PC and read all the information on it.

Phishing, or sending spam that impersonates a legitimate business, is one of the biggest worries of e-commerce companies. Security firm MessageLabs phishing messages were almost nonexistent in September 2003 but have become a huge problem since then.

MasterCard International last month that it was going to try to track down the culprits and shut down Web sites that pose as its own, and EarthLink is taking steps to to the fraudulent Web sites. Some privacy advocates recommend that consumers open a new e-mail account just for business-related purposes and never use it for general correspondence.

For now, though, identity fraudsters appear to be traditionalists: A report released last year by the Federal Trade Commission said only 3 percent of people who reported identity fraud cited misuse of their Internet accounts.

Editor's Picks

Free Newsletters, In your Inbox