How Identity Thieves Took My Wife for a Ride

The first sign of trouble was the arrival of envelopes from the New York State Department of Labor, all about my wife’s previous earnings and recent unemployment filing. The second was the cheery “Welcome to Progressive” package, telling her how great it was to have her with the company now that she had bought her new auto insurance policy.

Except she hadn’t applied for insurance or unemployment.

And so we were off and running, learning about the ingenious ways that thieves outwit financial services companies and how a credit freeze doesn’t mean you’re frozen solid.

We even made a new friend, Shiran Pasternak, a software engineer who lives 30 miles away. His name was on the Progressive policy document, which listed him as the person who was supposedly going to pay the bill.

The blame rests with what now seems to have been an enormous security hole. For the better part of a year, scammers have been exploiting the auto-fill features on car insurers’ websites that are intended to make it easier to apply for a policy. The sites can allow people who possess only basic information — a name, an address and a few other bits of data that they may have stolen elsewhere, depending on the insurance company — to extract more detailed information, such as driver’s license numbers.

From there, it’s a short jump to submitting a fake unemployment claim, which was what happened to us.

Unemployment fraud — of this and other sorts — has become so pervasive that the cost to taxpayers could run into tens of billions of dollars before the pandemic ends. In both California and Washington it’s sufficiently rampant that the states have temporarily suspended claims just to try to catch up with it all.

The scope of the auto-insurance-linked problem isn’t clear. New York State has issued three alerts about these “systemic and aggressive” campaigns of thievery — and urged companies to fix the “cybersecurity flaws” responsible. Progressive said the fraud affected less than 1 percent of its book of business in New York, the only state where it has encountered a problem. But just last week, California posted the sheepish note that GEICO has sent. A company representative said letters had gone out to 140,000 or so potential victims it knew about.

But it took my family many days to wrap our heads around this. Part of the reason: It seemed that it never should have happened to us in the first place.

My wife and I maintain security freezes on our credit reports. In theory at least, a freeze shuts down access to your credit file so that any company looking to check it before doing business with you has to wait until you temporarily thaw your file. Identity thieves shouldn’t be able to open accounts in your name with companies that require a peek at your credit history first.

Insurance companies routinely check your credit when signing you up, so it was baffling that Progressive would have issued my wife a policy without her thawing her file. But it listed TransUnion as “the financial responsibility vendor” — an amusing euphemism if you know how long consumer advocates have been complaining because insurance companies use credit data to set rates — and sure enough, my wife’s frozen credit file indicated that Progressive had pinged it this month.

How? Incredibly, an exception often allows insurance companies to check your credit even if you want nothing to do with them. As we learned, that exception meant that Progressive could help itself to my wife’s file — which in turn helped someone pick the pocket of the State of New York and its taxpayers, like us.

In its wisdom, Progressive considered my wife responsible enough to warrant coverage. Fortunately for us, Mr. Pasternak was paying! The second page of our welcome packet said that “the authorization you gave for your first installment payment” was to come from a bank account with his name on it.

So meet our new best friend. With a name like Shiran Pasternak, he was a quick internet search away. Was he the thief? We wondered. But if he was, he was doing a pretty good job of hiding it. Like my wife, he had a “Welcome to Progressive” package and notes from the state about a mysterious unemployment claim that he had never filed. (The bank account and routing numbers in his Progressive packet were identical to ours, but neither had any connection to institutions where any of us do our financial business. Because the numbers were truncated, it was impossible to figure out if they came from a third person or were made up.)

Once we put all of that together, Mr. Pasternak — coincidentally a former New York Times employee — breathed a sigh of partial relief up in Irvington, N.Y., and let me push forward finding out what had happened to all of us.

Here’s how it works.

Automobile insurers — even the ones you don’t use — already know a lot about you. They share claims information among themselves to help weed out unprofitable or reckless customers who try to jump to another provider. They can also get access to your driver’s license number, your current auto policy data, and the make and model of your vehicle. Often, they buy this information from states (which end up sending money right back out when the buyers are careless and unemployment fraud proliferates).

The insurers want to make applying for a policy as easy as possible. So once you start entering information, they like to help you along and fill in some of those blanks for you. For some unfortunate victims, it was as simple for the scammers as copying down the driver’s license number that popped up, although it usually required more technical know-how.

Regulators at the New York State Department of Financial Services believe that these scams have been going on since at least July, according its series of public warnings. Insurance companies were noticing lots of abandoned quotes on their websites, where fraudsters could sometimes enter just enough information to get access to the data they wanted.

A variety of techniques have been employed, including extracting data from the websites’ code, using web developer tools meant for debugging and calling live agents with enough other information to persuade them that it is fine to simply offer up the driver’s license digits.

Eventually, how-to guides that aspiring criminals could buy began appearing on cybercrime forums. And in an ominous sign, thieves are also touting the tactical wherewithal to extract similar data from mortgage lenders and credit reporting bureaus.

In my wife’s case, the swindlers opened a policy outright. According to Progressive, the problem was not prepopulating data in an application. Instead, thieves extracted the driver’s license information from bar codes on the customer identification cards the company had issued for the policies.

Progressive said that companies in New York had to provide those by law and that it was required to embed the driver’s license numbers in the bar codes. “The fraud ring is very capable and sophisticated,” a spokesman, Jeff Sibel, said in an email. In another one, he added that its members were “quick to adapt.”

But we might never have come to this point if my wife’s security freeze had kept the company from peeking at her credit report. According to Gilbert Schwartz, a regulatory lawyer in Washington, D.C., some state laws do prevent that. With all the others, the argument was that the possibility for identity theft or fraud via insurance policies was remote enough that such restrictions were unnecessary. So much for that idea.

What a world. We all have to live in it, alas. So there are a few morals to this story.

First, open your mail. I’m glad we didn’t let ours sit around for weeks (this month, at least).

Second, keep an eye on your credit reports. TransUnion, which eventually wiped Progressive’s inquiry off my wife’s account, reminds everyone that you’re currently able to look at them weekly, for free, via annualcreditreport.com. (Usually, free reports from the major bureaus are available much less frequently.)

Then, get yourself a credit freeze with Equifax, Experian and TransUnion — even though it didn’t keep strange things from happening in this instance. Why? Well, it’s obvious yet again that the thieves win enough rounds in the ongoing identity crimes boxing match that keeping any defenses up is worthwhile.

When I filled Mr. Pasternak in on all of this, he took umbrage at the technical sloppiness that seems rampant, since he plies that trade himself.

“We get lectured constantly about security and data privacy,” he said. “Doing something like this is more than egregious. It’s really poor design.”

He also got a bit meta. “This is just a societal observation, but the fact that we’ve made Social Security numbers and driver’s licenses these things that are supposed to be kept secret, maybe there is a flaw in depending on that?”

More than maybe. By turning this data into identity totems, we’ve created a persistent danger that we may never fully eliminate.

So freeze your credit file. Mr. Pasternak hadn’t done so. Now he has.

Source: Read Full Article