Friday, March 18, 2016

An Identity Theft Story (Part 2)

Having now determined that I had been the victim of equipment gaming, it was time to initiate the steps to rectify the situation. First, I completed a form on the Federal Trade Commission website for victims of identity theft. In addition to the form, the site provides letter templates that you can send to businesses where the fraud was perpetrated.

Here are some things that I have learned since the fraud occurred:

AT&T is Terrible

I faxed their subpoena compliance department 17 pages of documents 2 days after receiving a collections letter on the fraudulent account. Three phone calls and 4 business days later I was given a “File Code” and I specifically asked if all of the required documents were received, complete, and readable. I was told yes. Four days after that I called to check on progress and Amber told me that my case was closed out because the faxed copy of my driver’s license was not readable (and if there is one thing AT&T is obviously a stickler for it is a positive I.D.) I refaxed it, and was told my case was reopened and being escalated (to a dumpster, most likely).

Two days after having my case escalated, I called back and spoke to Amber again who informed me that she had received an e-mail from her superior indicating that I had to have a subpoena. I reiterated that this was not the case with a Fair Credit Reporting Act 609(e) request. She then responded that all the documents I sought had been “destroyed.” I asked if it was common policy to send someone a collections letter for $5,000 and then immediately delete any evidence that said person owed the money in the first place. I was placed on a brief hold while I assume they finished shredding everything. It was like Enron over there.

Next on the line was supervisor Diana. informed me that the case would need to be escalated yet again (to the executive dumpster) and that she would get back with me when she had some information. Over the next 15 days, I placed several phone calls and spoke to 5 different individuals attempting to ascertain the status of what was deemed (depending on whom I spoke to) either a common monotonous task that took a long time due to the volume they received or the most outrageous documents request they had ever heard of which also took a long time due to its unprecedented nature.

Eventually, over 1 month and 16 phone calls later, I received the packet from Palm Beach, Florida. The suspect presented no identification, gave a pre-paid burner phone from a different state as his home number, and misspelled my first name. None of this apparently hindered his ability to walk out of the store with five gold iPhone 6s Plus 128 GB models charged to me. He even financed the activation fee on my credit.

Sprint is Semi-terrible

I faxed Sprint the same 17-page request on the same day that I faxed it to AT&T. I called three times over the next few days and was informed that they had issued a letter to tell me that the faxed copy of my driver’s license was unreadable. I incredulously asked why they would generate a letter, place it in an envelope, and then pay to mail to me for the purpose of informing me that page 14 of the fax needed to be resent. My cell phone number was on the form. Chris was apologetic and informed me that there was one woman who handled these requests and that she worked different hours.

Seven days later, I called back and spoke to supervisor Joann who informed me that the information I had requested would not be provided because it was “proprietary to Sprint.” She indicated that I would need a subpoena. I again explained the delicate intricacies of the FCRA 609(e) and that no subpoena was required. All she could tell me was that someone posing as me walked into the store, took possession of 2 gold iPhone 6s Plus 128 GB handsets, and left. According to Joann, the crack team at Sprint’s Fraud Department sensed something was amiss and cancelled the account the very same day.

Four days after that I received a letter from Sprint indicating that I had attempted to open a new account with them on the very same day I spoke to supervisor Joann. I called and spoke to Maria who told me that the letter had been auto-generated when the fraudulent account was closed. She then went on to directly contradict supervisor Joann by telling me that the individual had setup the account over the phone, walked in the store to pick up the phones, and the account had remained open until the day I spoke with Joann. As with AT&T, no photo identification was requested or presented to open the account or pick up the phones. I have had a tougher time purchasing Sudafed than it took this guy to get $11,000 worth of product.

T-Mobile was the easiest to deal with as I simply mailed them a copy of the request and they sent back what I requested. In this instance, the suspect spelled my name correctly but was one number off on my social security number. It would appear that all of the carriers have an intrinsic hint system in place for suspicious customers.

Sir, what was your social security number?


You’re getting warmer…….


So close!

Is the last number a 9?

Well done sir! Next we just need your first name.


Is it spelled like Victoria……..


This time my unauthorized surrogate walked away with 4 more gold iPhone 6s Plus 128 GB models. Unlike their competitors, they did record a driver’s license number.

You are probably asking yourself why I had to spend so much time to piece this puzzle together when I had already filled out a police report. Isn’t this their job? Well yes, but as a taxpaying citizen I also realized that someone fencing some gold iPhones in another state was not exactly a top priority. Plus, the fact that the report was filed in a different state than the crime was committed adds another layer of jurisdictional complexity. Let’s just say that there is a reason that cellular equipment gaming has never been picked up as a Law & Order storyline. They just haven’t made any good revenge action movies where the motivating factor is a slightly tarnished credit score. I have come up with some titles in case it catches on:

I can't believe they just handed me this......

  • Death Wish VI: Beacon Score Beat-Down
  • Dirty Harry/Clean Credit
  • L for Larceny (Remember, remember the apathetic cellular vendor..)
  • Hard to Kill/Easy to Impersonate
  • The Punisher III: Collection Notice

That being said, there are reasons that equipment gaming is such a lucrative and low-risk criminal enterprise:

1.      The victim is usually only interested in ensuring that they are not held responsible for the charges and the providers rarely fight this.
2.      The providers rarely fight this because they are not out any services and the equipment cost is recouped from the retail outlet or claimed under a corporate fraud insurance policy.
3.      Because the fraudulent charges never really affect the company’s bottom line, they have no real incentive to implement measures (such as photo ID verification) to prevent reoccurrence.

What you have is, essentially, a victimless crime with neither the defrauded company nor victimized individual left with an incentive to press for discovery and prosecution of the criminal. The identity is dropped before their mark gets the first bill and by that time the cell phones are probably overseas anyway.

The lesson here is that you can, through perseverance and thinly-veiled allusions to legal counsel, get the information due to you through the FCRA. Also, it would appear that crime not only pays, but in this case comes with only a negligible risk of punishment.

Friday, March 4, 2016

An Identity Theft Story (Part 1)

It was just another Saturday afternoon stroll to the mailbox. Or so I thought. As I shuffled through the usual junk mail, I noticed an envelope brandishing a rather serious font. It was addressed to a common misspelling of my name and when I opened it I found a collections letter from AT&T Wireless. According to the letter, I owed them over $5,100 and if I did not pay the balance I would be “referred to a third party collector” which could result in a “negative reference” on my credit report.

The correspondence was troubling on many levels, not the least of which was the fact that I don’t have AT&T wireless service and have become quite adept at spelling my own first name. I rushed inside, called the number on the letter, and was informed that just before Christmas I had walked into an AT&T store in an Atlanta suburb and taken possession of $5,000 worth of iPhone 6s Plus handsets on credit. After emphatically reassuring the representative that this scenario was rather unlikely, I was transferred to the Joshua in the fraud department.
Joshua informed me that he would put in a request to classify the account as fraudulent and would have a letter sent to the three credit reporting agencies to remove any negative credit references resulting from the activity. I spent the next several hours pulling my credit statements and filing a police report. It would appear that I had become the victim of what is known as “equipment gaming.” The entire idea is to open new wireless accounts under stolen identities in order to procure expensive wireless handsets under a deferred payment plan. There are variations on the logistics of these schemes, but a typical scenario might play out like this:

1.      Jimmy works at my current wireless carrier and has access to the credit files of customers. He peruses through them and makes note of ones with reasonably high beacon scores.

2.      Jimmy then distributes this customer information to Bobby who, either in-person or through a surrogate, walks into a wireless store and opens a new account under the assumed identity.

3.      Citing the transaction as a gift, they decline having the equipment opened and activated in the store so that it can be immediately resold. Because the credit score is sufficiently high, there are given the phones with no money down.

Eventually a bill gets to the mark and the ruse is up, but by this time the phones have already been unloaded and the identity dumped in favor of the next victim. Since they were never activated (at least within the United States) the carrier has no way to track them.

Skilled practitioners will utilize identities based in another state (to reduce the risk of immediate discovery and hinder a streamlined investigation) and patronize affiliate wireless stores as they tend to be slightly more lax than their carrier-owned counterparts when it comes to identity verification. The aforementioned scenario would also explain why the perpetrator never took the chance of attempting to open an account at my current wireless carrier or operated outside the confines of wireless service.

When the smoke cleared, my identity had been used to open three different accounts in Atlanta and the surrounding area over a two-week period. Over $11,000 worth of iPhones had been handed to someone claiming to be me by T-Mobile, Sprint, and AT&T. Under normal circumstances this would have been an unpleasant development, but my wife and I were in the middle of refinancing our home so I could not place a credit freeze on the account while I sorted it out. I then had to subject myself to a financial enema with the lender as we went line by line through my credit history so I could explain to them why I had an insatiable appetite for wireless service.

Over the next week I filled out forms, called credit reporting agencies, and received ridiculous answers to basic inquiries. I learned that the moment you claim fraud on an account, the representatives of the offending wireless carriers take a vow of silence (I imagine in an effort to limit further liability). After running into a wall with AT&T, I decided to call the actual store that had opened the fraudulent account to ascertain if they might remember someone traveling hundreds of miles to purchase five flagship iPhones and refusing to have them activated. I found myself conversing with manager Manny. The conversation went something like this:

Me - I have been the victim of identity theft and I was told that someone posing as me had come into your store on a specific date and opened this account.
Manny – Sir, it appears that our fraud department conducted an investigation and determined that the account you are referencing was not legitimate therefore I am unable to answer any of your questions.
Me I understand that but I am trying to determine if someone is running around with a forged government ID of me and if you remember anything about them it would be helpf……..
Manny – Sir, as I stated before, it appears that our fraud department conducted an investigation and determined that the account you are referencing was not legitimate therefore I am unable to answer any of your questions.
Me – First of all, their “investigation” consisted of me calling them and telling them that the account was fraudulent so let’s not pretend this is The Da Vinci Code. Secondly, I am simply asking if you happen to remember who took possession of these phones. Certainly someone taking possession of $5,000 of unopened phones issued with out of state numbers would have been unusual.
Manny – Sir, we are located in a very affluent part of Atlanta and this sort of thing happens all the time. We had a gentleman come in just the other day and take possession of two-dozen iPhones on credit to hand out to employees as a bonus.
(At this point in the conversation I was torn between reacting to the insinuation that my abject poverty would prevent me from understanding the bulk purchasing of electronics and the desire to find out where this generous customer worked so that I could fill out an application)
Me – Ok, well certainly it would be memorable if someone was able to recite their address, birthday, and social security number from memory but then be unable to correctly spell their first name. That had to stick out.
Manny – Not really, we have no way of knowing how someone spells their first name.
Me – Isn’t it on the credit file?
Manny – It just matches a last name and a social and we are given a green light or a red light.
Me – (somewhat incredulous) Well did his ID have it misspelled or was it correct!?
Manny – We don’t notate such information.
Me – Can you at least give me the driver’s license number he provided so I can see if it matches my own?
Manny – We don’t record any of that information to protect privacy.
Me – (teetering on the edge of sanity) Well, that is reassuring. It seems to have worked out well so far. Did you even check for ID?
Manny – That is our policy.
Me – That is not what I asked.
Manny – Sir, I understand that this is inconvenient for you…
It was at this point I contemplated driving down to the Georgia community that poverty forgot and leaving a flaming bag of feces on what I could only imagine was the cobblestone walkway in front of Manny’s store. We continued on in this vein and Manny refused to even tell me if they had cameras insisting that he “could not compromise the security infrastructure of his store.” I thought that this seemed a little disingenuous considering that he was located in an open-air strip-mall and he shared a wall with Pizza Hut, but I felt it was best that I end the conversation before things digressed further.

It turns out that this was only the beginning of a long journey of corporate obfuscation, one that I was allowed to take thanks to provision 609(e) of the Fair Credit Reporting Act. The provision allows identity theft victims (without a subpoena) to request (with proper paperwork and ID) any and all information regarding the fraudulent transactions including invoices, credit applications, and account statements. It sounded great in theory…….