
ID Fraud Protection: Loophole to get it free discussion


Comments

  • OwenA
    OwenA Posts: 25 Forumite
    edited 10 April 2014 at 10:48PM
    The effects of being a victim of impersonation can be far more distressing than being a victim of fraud. It is, perhaps, unfortunate, that the term ‘identity fraud’ is sometimes used to describe an occasion when a person’s personal details are used improperly to obtain services or goods in their name. In law I was never the subject of fraud, I was a victim of impersonation.

    The case of a student who was the victim of impersonation was reported in the press a few days ago. In 2012 she had her identity used on two separate occasions by criminals intent on obtaining money from a well known loan company. When the first case was discovered the company agreed that it would not damage her credit record; however, a short time later a criminal used her identity again to obtain more money. Unfortunately, the company failed to notify her about the second theft and when she later applied for a credit card she found the defaults on both the first and second loans had been lodged against her name. Her application for a card was turned down, which caused her substantial problems.

    The student was a completely innocent victim of impersonation but the reaction of the loan company was not unusual. Proper explanations as to how the situation had arisen were not forthcoming and it turned out the company had previously registered the names of hundreds of people in similar circumstances as loan defaulters. Questions have been raised as to how effective the companies identity checks can really be when loans are rushed out within minutes of an application and perhaps the same question could be raised over the speed in which telephones ‘on’ network companies are sold. 20 20 Mobile (which has recently been taken over) had this statement on its website at the time I was dealing with the Tesco Phone Shop;

    a retail sales advisor is able to progress a customer order from initial credit application to SIM activation in matter of minutes.

    It would appear the student had to spend a considerable amount of time sorting out credit problems and direct financial compensation for time lost as a result of administrative mistakes is rarely (if ever) offered in circumstances similar to the one she experienced. The amount of wasted time and aggravation is, however, probably considerable. It is worth reading the article ‘Fraudsters sail past Tesco security to open mobile account in stolen names’ in ‘The Guardian’. An old article but still relevant.


    http://www.theguardian.com/money/2012/jun/29/identity-fraud-tesco-mobile
  • OwenA
    OwenA Posts: 25 Forumite
    edited 29 April 2014 at 8:20AM
    The article from the Guardian (see post 82) showed parallels between that case and my own even though Tesco Mobile was responsible for the security checks on Mr Firth and his partner and the Tesco Phone shop was responsible for those done on the application in my name. In an undated letter received from the Tesco Phone shop in the same month as the Guardian article was published I was told that;

    All 3 contracts were applied for through the Tesco Phone Shop Telesales team.

    and

    We do also carry out an AVS/CV2 check on a debit/credit card which was also provided by the imposter, which would have been in your name and under your address.

    Despite this statement Tesco then consistently refused to give me any information about this card and eventually tried to terminate matters by saying that it had been fair and reasonable and would make no further comment.

    Well it did make further comment after the ICO became involved. In March 2013 I was told by Tesco the details of this card had not been kept. This is apparently a matter of Tesco policy. The question then arises as to whether the card details entered to make a purchase belonged to me. In a letter sent in October 2011 the Tesco Phone shop said it hoped I was enjoying the phone;

    you recently bought from Tesco Phone Shop.

    When something is purchased money changes hands, yet none of the accounts which could have been used to support the sale had money taken from them.

    Fast forward to August 2013. By this time I was intent on stopping the same situation arising again and wanted Tesco to block any applications made in my name. In a letter dated the 29th Tesco Telecoms, which I presume is a kind of umbrella over the Tesco Phone shop, Tesco Mobile and the Branded department, no reference was made to the sale of the phones. Instead I was told;

    I was very disappointed to learn that your details were used fraudulently through our Phone Shop Website to order mobile phone contracts with Vodafone and Orange.

    I pointed out that the card which Tesco asserted had been used for phone purchase had nothing to do with the NatWest account information supplied to Vodafone and Orange to open the contracts. Curious that details of the card had not been kept when those of the NatWest account had. As I understand it there would be no prohibition on keeping such information under the Data Protection Act, and so, if my understanding is correct, it is a matter of business choice by Tesco not to keep this information. Of course this policy means a victim of impersonation has no way of knowing if criminals have their card information that would pass an AVS/CV2 check. They simply have to take Tesco’s word for it.

    It may be worthwhile reading this article on ID theft from The Guardian. The title is ‘Mobile phone fraudsters leave victims paying for multiple contracts’. Once again it is old but worth reading – it is quite possible you or someone you know could be a victim in the same way Mr Lambert was. Impossible to say how much has changed in the interim.

    http://www.theguardian.com/money/2012/aug/03/mobile-phone-fraudsters-multiple-contracts
  • OwenA
    OwenA Posts: 25 Forumite
    edited 6 May 2014 at 7:51AM
    After being unsuccessful in finding out any details of the card which Tesco implied had been used to support an application to buy phones in my name from the Tesco Phone shop (see post 83) I wanted to prevent the same situation occurring again. Under section 10 of the Data Protection Act an individual has the right to object to an organisation processing their information if it is likely to cause 'unwarranted damage and distress'. I therefore contacted the company and made an objection to processing on the basis that;

    My house might be put under surveillance and I could return from a trip abroad ……. to find my credit rating had been impacted because network companies, supplied with information by Tesco, had had no response to their letters and had called in debt collecting agencies.

    I certainly think that having criminals watching your home, which must have happened in October 2011 if Tesco policy was being adhered to, would be distressing to most people and the consequences of a sudden downgrade of my credit rating could certainly be financially damaging in certain circumstances.

    I kept the ICO informed of my objection and was told that if an organisation refuses to comply because it considers the objection is not justified it is up to the individual to take the matter to court for a final determination.

    Tesco’s response to my objection did not say whether it considered my position was justified or not. Instead I had this statement;

    In relation to the fraudulent account that was taken out there is no way for our Fraud Team to block your details being used again on our system.

    and that there was no way in which;

    any guarantees could be given in relation to your information being used via our Phone Shops.

    I don’t see how this could be interpreted in any other way than Tesco asserting that, even if a court found in my favour, the company would not be able to comply with that determination. It should be remembered that O2, which had processed an application through its own portal, had already said it would block applications in my name. Tesco knew this at the time it rejected my objection.

    Initially the only option that appeared open to me was to go to court. However, the ICO recommended that before I took such a step I should take legal advice. After reflecting on this and realising I could open the door to an expensive process in which there was no guarantee of a positive result I decided not to pursue the matter in this way. After all, a company that can afford to lose £1.2 billion, as Tesco did when it rid itself of the Fresh and Easy chain last year, would certainly be able to employ a much more expensive legal team than I could afford.
  • OwenA
    OwenA Posts: 25 Forumite
    edited 23 May 2014 at 8:18AM
    The issue of whether or not Tesco ever had details of a debit card in my name (see post above) is not relevant just to myself or Tesco but to Vodafone and Orange (EE) too. And, of course, to everyone who finds themself in the same situation as I did. When I raised the matter of information retention with Vodafone the company stated that keeping the card details used to verify my identity and buy the phones was not covered by Ofcom’s General Condition 23.4 that governs the processing of information used in selling mobile phone services by a Mobile Service Retailer. This is the view that Tesco, as the Mobile Service Retailer, also took. Both companies, according to Ofcom, are correct in their interpretation. I presume EE holds the same view.

    When EE was pursuing me for money it made this threat;

    If we do not receive immediate payment your service will be disconnected from the network ……. Disconnection will also affect your credit rating and your ability to receive credit in the future.

    Like O2, Vodafone and EE would have called in the debt collectors within a few weeks, yet when this letter was sent EE must have known, had it looked closely at the processes Tesco used in selling phones ‘on’ the Orange network, that there was no way it could prove, in court, that it had any more personal data of mine than that in the public domain. And by public domain I mean information which is easily accessible from open source material, such as electoral rolls. I think this is the generally accepted meaning of that term. However, Tesco evidently takes the view that stolen debit card details are also in the public domain. This is the only way I can interpret this sentence from a letter the company sent me;

    As the customer has gained your personal data this would imply this is in the public domain…

    Note the way the word customer, rather than thief, fraudster or criminal, was used. Presumably a mistake but indicative, in my view, of the reluctance of Tesco to treat victims of impersonation as anything other than customers. When I complained to O2 that it was writing to me as a customer, which I clearly was not, an apology was made but I have never had such an apology from Tesco.
  • OwenA
    OwenA Posts: 25 Forumite
    edited 2 June 2014 at 4:31PM
    The hacking of eBay customers’ accounts, which evidently occurred about two months ago, might well have put about 15,000,000 people in the UK at risk of being victims of impersonation. This could lead to their personal data being used in an attempt to defraud companies, such as Tesco, which sell mobile phones ‘on’ a network. The last letter (see posts above) I had from Tesco recommended I register with CIFAS and said;

    CIFAS were set up to help consumers when their personal identification details have been misused by a fraudster

    The acronym CIFAS stands for Credit Industry Fraud Avoidance System which actually describes why it was set up. The organisation was not established to help consumers – the aim was to help stop members being defrauded. However, CIFAS does offer Protective Registration for individuals. The ‘Joining CIFAS’ page on the CIFAS website asks the question: Are you at risk of identity fraud and wish to guard against it?

    According to eBay the stolen data included a customer’s name, encrypted password, email address, physical address, phone number and date of birth. I would think it reasonable to presume the stolen information will, sometime or other, be used for criminal purposes. Like many other customers I have changed my eBay password and am fortunate I didn’t use the same password elsewhere. Many other people probably did.


    I would say the theft of eBay information means it is a fair presumption that some, perhaps all, eBay customers are now at greater risk of being impersonated by criminals attempting to defraud other companies of goods and services. They could well be the target of a direct, attempted fraud too. I don’t see how either eBay or CIFAS or any other organisation could argue this is not the case. I think it would be unreasonable to ask eBay customers to pay the cost of Protective Registration, or for CIFAS to refuse to offer it. Clearly there is a good case for those who want that service to have the joining fee paid for by eBay.
  • eagleeye
    eagleeye Posts: 284 Forumite
    I have got Cap1 identity alert and Noddle free monthly alert as well. None of these things triggered or registered a fraud event where someone used my address but third person details to obtain an EE mobile phone contract at Phones4u.

    These thieves have become smarter now as techniques they use are more advanced than Equifax/Experian fraud alerts. Phones4u said that I will be held liable and there is nothing else they can do apart from informing EE. I informed EE as DD/insurance letters started arriving at my house addressed to someone else. They cancelled these contracts as they were obtained by using someone else's details fraudulently under my address. It really surprises me that the Equifax/Experian/Noddle alerts didn't even register a single thing at my home address.
  • Buzby
    Buzby Posts: 8,275 Forumite
    I'd be surprised if they did. It wasn't your fault your address was misused - since frauds are perpetrated by individuals NOT residing at the target address, (which may well have been a random event) why should the actual resident be inconvenienced with having to leap through hoops to prove they are the actual resident?

    There is a block of flats in my city that has gained the reputation for having the biggest amount of address/mail order fraud - ranging from mobile contracts to deliveries being misappropriated. Why should residents - who for the most part, may be blameless - be stigmatised for nothing that they have done?
  • VictimOfImpersonation
    VictimOfImpersonation Posts: 334 Forumite
    edited 24 May 2014 at 11:27AM
    Buzby wrote: »
    I'd be surprised if they did. It wasn't your fault your address was misused - since frauds are perpetrated by individuals NOT residing at the target address, (which may well have been a random event) why should the actual resident be inconvenienced with having to leap through hoops to prove they are the actual resident?

    There is a block of flats in my city that has gained the reputation for having the biggest amount of address/mail order fraud - ranging from mobile contracts to deliveries being misappropriated. Why should residents - who for the most part, may be blameless - be stigmatised for nothing that they have done?
    Stigmatised is an evocative word. Evading stigmatisation is no excuse for being blind to the enhanced risk of identity fraud at blocks of flats.

    I agree that living in a block of flats should not be seen as a second class place to live where more troublesome rules apply to residents applying for credit, but we, and credit providers should certainly not allow ourselves to be blind to the enhanced risk.

    There are tens of thousands of flats' letterboxes being farmed constantly by the low level foot-sloggers in the identity fraud game. They have their rounds same as the free newspaper delivery people, the taxi card postbox poppers, the opportunistic "call me I'm a cleaner" flyer droppers, and the pizza leaflet people - hell who knows - they may even sometimes be the same people!

    A big problem is that everywhere, personal postboxes are wholly unfit for purpose if purpose now includes receiving 100kg of junk mail per postbox per year.

    Postmen routinely pull out the junk before they stuff in the next batch of official post. Many letterboxes don't even require any deviousness to extract a fresh bank statement before the addressee ever knows it is missing, or a new credit card that the addressee did not even know was coming.

    Royal Mail have priced themselves well out of people wanting to use their "Keepsafe" service for holding back mail when the addressee is away. ("Keepsafe" is expensive). So people generally don't use the service and letterboxes overflow.

    Even if your own letterbox does not overflow, the fact that so many do means that even if a policeman was walking past as someone was pulling out mail from the outside of a box, chances are they would think it was normal!

    There has been half an attempt by Royal Mail to give us the option to register to stop junk mail, but there are so many different organisations and individuals using our postboxes that the registration service has no effect.

    For example, BT have laughably (if we don't just cry) just issued what they call "The Phone Book" to our addresses. They did not use Royal Mail to deliver them.

    Naturally the Phone Book in 2014 is a mere shadow of its former self - at one stage, no delivery man in their right mind would attempt to stuff a phone book into a letter box. Not so now. But what's it for anyway? You can't even use it as a doorstopper now.

    How many actually even get taken out of their plastic wrapper? One in a hundred? How much BT money is wasted in producing the damned things - how many trees chopped down. The carbon footprint is scandalous.

    If the intended recipient comes home and sees The Phone Book sticking half in and half out of his mailbox before the postie arrives, then it goes straight in the bin. If the postie gets there first he tugs once and drops, tugs once and drops, tugs once and drops - can we expect them to do anything else? They have official mail and official junk to deliver!

    No - the latest MSE article barely scratches the surface on ID Fraud unfortunately. It has linked to this old thread and it has no doubt got a few more Capital One customers to activate their free alert service which is good, but I am here to tell you that even that is a gimmick. You cannot rely on it to protect you. All it is (if you are not using it already) is a fresh pair of glasses to look at one out of the three main CRA files on yourself. It will not alert you to many impersonations because CRA data is not reliable and credit providers and CRAs are not careful enough in the way they handle our personal data. They miss obvious impersonations. They are part of the impersonation problem. They cannot tell interactions with impersonators from interactions with us much of the time and they are not rectifying that fast enough.
  • OwenA
    OwenA Posts: 25 Forumite
    edited 2 June 2014 at 6:29PM
    The failure to quickly sort out problems is not restricted to Credit Reference Agencies, but goes right across the board. Even if someone has been the victim of impersonation once there is no guarantee the same situation won’t arise again with the same company. For example, one letter, sent after much correspondence and two years after I had been a victim of impersonation through the Tesco Phone shop, stated;

    I would like to assure you we have put appropriate security measures in place and endeavour to prevent any reoccurrences of the same nature.

    Given my experiences with this company I was dubious about the quality of these ‘endeavours’ and indeed in the next letter I was informed the Tesco Fraud Team could not block my details being used on their system again and it could not be guaranteed that there would not be any reoccurrences.

    In CityAM this morning the acting director of Big Brother Watch gave her opinion that;

    Citizens should have clarity, transparency and better rights when it comes to stopping firms collecting data without proper consent or holding onto information for an unjustifiable length of time.

    This view was a comment on the recent European Court of Justice ruling on the ‘right to be forgotten’ but it is, in my opinion, relevant to the case of victims of impersonation too. If an individual has been the subject of impersonation through the acceptance of information by a company or companies then I see no reason why that individual, at no cost to themselves, should not be able to instruct those companies to put a block on further application for any goods or service using their personal data. O2 did this (see post 84), Tesco refuses.

    Along with the ‘right to be forgotten’ there should be ‘a right to block’. Companies could not complain about this as, although it will cost them money in the first instance, they will be protecting themselves, not the individual, from fraud.

    I think it should also be a legal requirement for a company to let a victim of impersonation know, as soon as the impersonation is identified, the process through which the crime was committed. It was more than six months after I was impersonated that I found out, by chance, the process of buying phones from the Tesco Phone shop required validation through a debit or credit card. Whether Tesco actually had any details of a card belonging to me is a moot point. This question, posed to the company in July 2013, received no answer;

    … I would be obliged if you would confirm unequivocally that Tesco actually used (not would have) a card in my name to authorise dispatch of the phones (not to open a network account). If Tesco cannot confirm that then please be clear about that too.
  • Rose180
    Rose180 Posts: 2 Newbie
    What is the difference between credit card protection and identity fraud protection?
This discussion has been closed.