I learned something new recently.
I have a doppelgänger. Somebody out there does a passable impersonation of me.
This enterprising imposter successfully applied for a credit card in my name. Then merrily maxed it out.
Except here is the thing. According to the National Fraud Intelligence Bureau, I am not the victim of a crime.
“The use of another person’s identification details (or the use of false identification details), often referred to as ‘identity theft’, is not an offence in law. We can only record a crime report on behalf of companies or organisations which incur a loss as a result of the misuse of your identity.”
My doppelgänger effectively robbed the stores at which they used the credit card to purchase things.
Not as visible as a ram raid.
Not as dramatic as an armed robbery.
Yet the financial outcome is the same.
The card issuer is also the victim of a crime. They were conned into extending credit to someone who had no intention of paying back. There were more than 82,000 instances of fraudulent credit cards being issued in the United Kingdom last year.
Yet the doppelgänger’s credit card appears on my credit report.
Its very existence impacts my credit rating.
The bills for those fraudulent purchases arrive in my letterbox.
That card’s credit limit reduces the amount I could otherwise borrow.
If left unaddressed, the debt collectors the card issuer employs would start harassing me, ultimately leading to county court judgements and all the negative impacts they would bring to my employment prospects.
I may not be the victim of a crime, but I am certainly the recipient of a hospital pass. The time, hassle, and inconvenience of getting this investigated and resolved is entirely mine.
An inconvenient truth of identity fraud is that an impersonated party rarely discovers how their doppelgänger came to select them. Was it personal? Opportunistic? Systematic?
Nor are they ever likely to learn exactly where the information required to do so was obtained. Did they lose their wallet? Have their mail intercepted? Passwords compromised? Unshredded trash raided?
Perhaps they responded to a phishing scam or were socially engineered?
Or, was the failing through no fault of their own? A data leak at the bank? Changes in default privacy settings at a social media company? Some errant code inserted into the website of an online store? The result of a hack on a cloud storage provider?
It doesn’t take much.
Opening a bank account in someone’s name requires providing personal details, proof of identity, and recent proof of residence. Challenging to obtain, but not impossible.
A former financial services client used to store the passport scans of thousands of customers on an unsecured file store that was accessible by anyone with a network login. The CEO and the cleaners. Consultants and temps.
Not good. Not uncommon either.
Applying for a credit card requires even less.
Each question adds friction to an application.
Any request for additional information deviates from the happy path.
My retail banking clients referred to a punter who expressed an interest in willingly signing up to pay ruinous interest rates so that they could spend money they didn’t have as a “golden goose”. A gift that keeps on giving. The card issuer wants to do as little as possible to dissuade them.
No need to supply proof of identity.
Little interest in proof of residency.
In an alarming race to the bottom, some issuers turn their lack of due diligence into a competitive advantage. Marketing boasts of “instant approvals” and “decisions within minutes” are rife.
Companies House provides a honey pot for identity theft. Which is ironic, given the first line visible on their website clearly states “Companies House does not verify the accuracy of the information filed”.
Every company director, past and present, has their full name, nationality, partial date of birth, and sometimes their postal address published in an easily searchable public record.
Data broking companies have sprung up to take this type of public information, then enrich it by linking it to information screen scraped from social media sites like LinkedIn and Facebook.
Others have become adept at sourcing contact details for people. Want to know a politician’s mobile phone number or a celebrity’s home address? They can hook you up, for a nominal fee.
Algorithms take care of the heavy lifting. Gaps can usually be socially engineered upon demand.
Data breaches provide another honey pot of personal data. A who’s who of organisations large and small have leaked the sensitive data of their customers all over the internet.
The “have I been pwned?” service allows people to see whether their information has featured amongst the billions of compromised records exposed across more than 400 major data breaches. A quick search revealed that at the time of writing I had appeared in half a dozen such breaches, ranging from Dropbox to LinkedIn.
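The password part of that check can be run without ever sending the password, or even its full hash, to anyone. As an added illustration (not the author's code, and not code from the Have I Been Pwned project), the following Python simulates the range query that the Pwned Passwords service uses: the client hashes the password with SHA-1 locally, sends only the first five hex characters, receives every known hash suffix sharing that prefix, and does the final match on its own machine. The breach corpus and its counts are constructed stand-ins for the real range response; in practice the same lookup is a GET to https://api.pwnedpasswords.com/range/<prefix>. It is the check worth running on any old "witty" password before being tempted to reuse it.

```python
import hashlib

# Constructed stand-in for a breach corpus: (password, number of times seen).
# The real Pwned Passwords service holds hundreds of millions of entries;
# these few, and their counts, are invented here purely so the example runs offline.
CONSTRUCTED_BREACH_CORPUS = [
    ("password", 3_861_493),
    ("123456", 23_597_311),
    ("letmein", 173_838),
    ("qwerty", 3_946_737),
]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the format the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side (simulated): group hashes by their 5-character prefix.

    Returns {prefix: {suffix: count}} so a range lookup can return every
    suffix sharing a prefix without learning which one the caller holds.
    """
    index = {}
    for password, count in corpus:
        digest = sha1_hex(password)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


def range_lookup(index, prefix):
    """Server side (simulated): answer a range query.

    In the real service this is GET https://api.pwnedpasswords.com/range/<prefix>
    and the body is one 'SUFFIX:COUNT' line per match. Only the 5-character
    prefix is ever sent, so the server cannot tell which suffix the client wants.
    """
    if len(prefix) != 5:
        raise ValueError("range queries take exactly five hex characters")
    matches = index.get(prefix.upper(), {})
    return [f"{suffix}:{count}" for suffix, count in sorted(matches.items())]


def breach_count(index, password):
    """Client side: hash locally, send only the prefix, match the suffix locally.

    Returns how many times the password appeared in the (constructed) corpus;
    0 means it was not found.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(index, prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_passwords(index, passwords):
    """Report each candidate password's breach count in one pass."""
    return {pw: breach_count(index, pw) for pw in passwords}


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    candidates = ["password", "WittyUniversityJoke1999", "qwerty"]
    for pw, n in check_passwords(idx, candidates).items():
        verdict = f"seen {n:,} times, do not reuse" if n else "not in corpus"
        print(f"{pw!r}: {verdict}")
```

The point of the prefix split is that a breached-password check is itself a place where passwords could leak; the k-anonymity design means the service only ever sees five hex characters, which match hundreds of unrelated hashes.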
One of those data enrichment firms mentioned above prominently featured in the breach list, having leaked the personal details of more than 1,200,000,000 people in 2019. According to the search, they unhelpfully leaked some combination of my name, email addresses, telephone numbers, geographic location, employment history, and social media profiles to anyone with internet access.
After receiving the doppelgänger’s bill, I attempted to get in touch with the card issuer.
Predictably, they had a premium rate customer service line, the obligatory voice recording announcement that due to the pandemic lockdown their operations had been disrupted, and a warning that the expected wait would be more than two hours. Some enterprising management consultant had transformed customer support into a profit centre!
A bit of research later, I turned up the (standard rate) number of their fraud investigation department, buried on a pre-pandemic archived version of their website’s customer support page.
When I called that number I received a different recording, announcing that their fraud reporting line had been suspended due to the pandemic lockdown. They were now only processing complaints submitted via email.
After two weeks, and much chasing, I had received only radio silence from the card issuer’s fraud investigations team.
What I did have was copies of the chat transcripts with their offshore customer support live chat operators. This proved to be a frustrating and surreal experience. To their way of thinking, I was not the customer because I had not opened the credit card account. Therefore “privacy concerns” prevented them from discussing the activities of other customers with me.
I decided to try a different approach.
A suspicion was forming that the card issuer’s fraud investigations department may not exist. A ghost from the internet’s memory, or a figment of my hopeful imagination.
Was it another profit maximising device? Like the fabled loss adjusting department, who automatically rejected all insurance claims the first three times they were submitted. Only persistent policyholders, who really wanted it, had their claims investigated.
After having learned how easy it had been for my doppelgänger to obtain my personal details, I decided to apply similar tactics to learn the contact details of the card issuer’s Chief Executive Officer.
I wish I could tell you that I donned the obligatory hoodie. Slouched in a darkened room. Feverishly typed on the latest MacBook. The display flashing metaphors of transcendence, flying through a virtual world made of pipes, cracking safes, and opening padlocks. Dramatic sounding doof-doof dance music with a heavy bassline thundered out of oversized headphones.
That after a couple of minutes of Hollywood-style hacking, I was able to call the CEO’s personal mobile phone number. It would be answered by an affable old Irishman who instantly took an interest in my case and moved mountains at the click of his fingers to make my problems go away.
Alas, that would be a lie.
Instead, I searched LinkedIn for folks who worked at the card issuer. Scrolled through the list until I found the Head of Compliance. Used the contact details contained in their profile to initiate contact.
Shortly afterwards, I received an acknowledgement that my previous communications had been received and my case was now being processed. The response outlined an eight week Service Level Agreement to investigate the matter, after which I could escalate things to the Financial Ombudsman Service if I remained unhappy.
Apart from flagging the fraudulent card to the consumer credit agencies, and filing an Action Fraud report, there isn’t much more a person can do to have an incident of identity theft resolved.
A few days later, I was attempting to sign into my account with an online retailer. A new workflow had been added to combat identity fraud. Customers were required to demonstrate that they still controlled the email address associated with their account. A One Time Password would be emailed out.
This struck me as slightly odd.
If a bad actor had gained control of the email account, then wouldn’t they receive the one time password? These days our email accounts are the skeleton key to our entire online identity.
After waiting a few minutes for an email that didn’t arrive, I thought to check my spam folder. The one time password message sat at the top of a long list of dubious promises of instant riches.
Immediately below it was another message that caught my attention.
The subject line contained the line “I know your password is:” followed by a unique and distinctly memorable password I had indeed used.
Curious, I read the body of the message.
It was a blackmail threat.
The sender claimed to have compromised my computer with malware. They had remotely activated the webcam to record a compromising video of me playing with my joystick. Send $2000 worth of bitcoin within 24 hours of receipt or the video would be distributed to all my social media contacts and everyone in my address book.
The password was one I had used back in my university days, some 20 years ago. Weak by today’s standards. Witty at the time, an inside joke. I hadn’t used it anywhere else. Recycling may be good for the environment, but it is terrible for online security!
I did a quick bit of online research. Sure enough, my former university had suffered a data breach. Their student services system, containing nearly 20 years’ worth of personal data on every student and staff member, had been hacked and its content stolen.
Now that content was turning up in an amateurish blackmail scam.
I hadn’t been notified of the breach, but then in the subsequent years I’ve changed email address and moved house several times over. The university would have long since lost track of me.
Which made me pause for a moment.
The university would only hold my ancient email address. Yet the blackmail demand was sent to my current address.
Someone had gone to the effort of joining the two together. A data merging and enriching exercise.
That troubled me. Having spent a couple of decades torturing data for a living, I know this would be a straightforward technical exercise to perform. The required datasets aren’t all that hard to find.
Yet this meant it was more than an opportunistic endeavour undertaken spontaneously.
It required planning. Resources. Investment in specialist skills and tooling.
In other words, it was a business.
An unsophisticated, poorly executed one. Today.
How long before somebody decides to approach this type of attack systematically?
Bring a level of professionalism and sophistication to operations? Similar to the maturing of the drugs trade portrayed in “Narcos”, or the way Moneyball changed sporting team recruitment and retention decision making?
Not long, I suspect.
A natural outcome of “know your customer” regulatory checks is an evidence trail of personal information.
Any good sales-led organisation seeks to maximise cross-sell/up-sell activities by establishing a “single view of customer”. Continuously building and enriching datasets about their leads, prospects, and customers.
Both of these common business activities create attractive honey pots for identity thieves.
The standard “best practice” advice for protecting yourself from identity fraud consists of:
- Shred paper based documents containing personal information.
- Use unique, strong passwords that nobody (yourself included) can remember.
- Use a password manager tool to securely generate and store those passwords.
- Use hardware based two-factor authentication wherever possible.
Good advice as far as it goes.
Yet none of those things would have prevented my doppelgänger from obtaining the credit card in my name.
The required personal information would be held by dozens of educational, financial services, government, retail, and tourism organisations I have done business with over the years.
Every one of them is budget constrained, fighting a daily commercial battle to weigh the risks of a data breach against the vast cost of addressing generations’ worth of accumulated technical debt and security vulnerabilities.
Ask a seasoned Information Security Manager about preventing identity theft, and you will receive a brief talk about cross-cut shredders, password managers, and not oversharing on social media.
Ask for more, and they will give a wry grin. Shrug. Admit there is little an individual can proactively do to prevent identity fraud from happening as a result of data breaches.
All you can do is pay attention to your statements and credit reports, then act quickly when the issues do occur.
As a friend once eloquently put it:
“You can have lots of safety/security features that will help if you get hit by Doris in her Ford Fiesta, but nothing can save you if you get hit by an 18 wheeler at 60mph.”
It isn’t much, but it is what there is.
Update: The card issuer fraud investigators eventually conceded that my doppelgänger and myself were in fact two entirely different people. The card was cancelled. The account closed. My credit report cleaned up.
- Companies House (2020), ‘Search the register’
- Dmitracova, D. (2019), ‘Identity fraud in UK at record high as number of cases surges to almost 190,000’, The Independent
- Financial Ombudsman Service (2020), ‘Fraud and scams’
- Hunt, T. (2020), ‘;--have i been pwned?’
- Information Commissioner’s Office (2020), ‘Identity Theft’
- Lewis, M. (2004), ‘Moneyball’, W. W. Norton & Company
- Metropolitan Police (2020), ‘The Little Book of Big Scams’, 5th Edition
- National Fraud and Cyber Crime Reporting Centre (2020), ‘Reporting a fraud’, Action Fraud
- Netflix (2015), ‘Narcos’
- u/ACheetoBandito (2020), ‘A Fat Guide to Cybersecurity’, Reddit
- Which? (2020), ‘What is identity theft?’