While we cannot return the SSN to its simple status of a half-century ago, we can ensure that identity thieves and other criminals cannot walk into a municipal court house and walk out again with the means of committing state-facilitated identity theft. The cost to the victims of identity theft, and to all of us, is too great. And the potential for these numbers to be used to commit acts of violence and terrorism is unthinkable.
And in an earlier testimony on the same topic a year earlier, Huse had suggested a more specific solution to the risks posed by SSN misuse:
5 8
C H A P T E R 3
With certain legislated exceptions, no private citizen, no business interest and no ministerial government agency should be able to sell, display, purchase or obtain any individual’s SSN, nor should they be able to use any individual’s SSN to obtain other personal information about the individual.
D R I V E R ’ S L I C E N S E S
While the Social Security number is the cornerstone of ID theft, a driver’s license is the
most practical
tool
of the crooked trade.
In the U.S., driver’s licenses are issued by individual states, so regulating them is logistically more difficult than regulating SSNs. In April 2002 congressional testimony, Betty Serian—Vice Chair of the American Association of Motor Vehicle Administrators—described the ID theft problems that driver’s licenses pose:
the driver’s license has become the most requested form of ID in the U.S. and Canada.
For example, financial institutions require it to open an account, retail outlets ask for it when you want to pay by check, and the airlines demand it before you board a plane. In a recent (April 2002) poll conducted by Public Opinion Strategies, 83 percent of the American public noted that they used their driver’s license for purposes other than driving.
The U.S. has more than 200 different, valid forms of driver’s licenses and ID cards in circulation. In addition, each of the 50 states and D.C. have
different
5 9
T H E P R O B L E M S C A U S E D B Y E X I S T I N G I D T O O L S
practices for issuing licenses
. Although the current system allows for reciprocity among the states, it lacks uniformity. Individuals looking to under-mine the system can shop around for licenses in those states that have the weakest security and background checks.
The lack of standard security features on a driver’s license allows ID thieves to
exploit the system
. While all states use a variety of security techniques, it is difficult for law enforcement and for those issuing a new license to verify the validity of a license from another state—not to mention the identity of the person holding the license.
The American Association of Motor Vehicle Adminstrators (AAMVA) has been investigating, implementing and operating information systems since the late 1980s. Through its technology subsidiary, AAMVAnet, the association manages and operates the Commercial Driver’s License Information System (CDLIS), which is designed as a clearinghouse for commercial drivers. CDLIS was designed to limit any given commercial driver to one and only one commercial driver’s license and it has worked well for this purpose.
In the mid-1990s, AAMVA began exploring the pos-sibility of having a clearinghouse of all drivers within
the U.S. in order to better control the problem driver
population.
The AAMVA recommends that driver’s licenses should
6 0
C H A P T E R 3
have
common identification features
, so that departments of motor vehicles (DMVs) will be able to recognize fraudulent cards more quickly and easily.
The AAMVA has also asked that driver’s license databases be
linked state to state
. Law enforcement officials would be able to access personal identification such as name and address and would also have access to the license holder’s driver history.
The Security Industry Association’s (SIA) Homeland Security Advisory Council has also recommended that Congress enact legislation to set national standards.
Among the baseline standards, the SIA suggests: •
uniform appearances such as types of ink, paper, size and shape; •
data to be included on the card’s database, including a photograph, address, date of birth and a digitally-imprinted thumb print;
•
incorporated technology such as holograms, microchips, magnetic stripes, barcodes, proximity cards and readers; •
production requirements such as material specifications; and •
protocols and conditions for identification issuance such as
background
checks
, or the establishment of a two-day waiting period.
Driver’s licenses use photographs, height, age, weight and address to verify that the cardholder is actually who he claims to be. But biometrics, such as finger-6 1
T H E P R O B L E M S C A U S E D B Y E X I S T I N G I D T O O L S
prints and digital signatures, can add additional layers of security that traditional identification documents cannot.
Security technology providers propose that magnetic stripes, barcodes or
electronic “smart” chips
be integrated in driver’s licenses to hold identification information. Since these technologies locate an individual’s data on the license itself—instead of at a central DMV computer system—they make ID theft more difficult.
From the DMVs’ perspective, moving away from central databases and toward smart cards is similar to
the move in corporate America from mainframe computers to networked stations. The decentralized system is just as powerful (if not more so) and much
less susceptible to crashes and other malfunctions.
H O W C R O O K S G E T F A K E L I C E N S E S
ID thieves can get usable driver’s licenses illegally in various ways:
•
Purchase a counterfeit license; •
Obtain (most often by theft) and altering an existing license; •
Obtain a valid license by presenting fraudulent breeder documents and employing other devices usually provided by middlemen; or •
Exploit loopholes
that permit undocumented residents to obtain a valid driver’s
6 2
C H A P T E R 3
license legally.
These are all tactics for getting or altering legitimate licenses. Beyond these tactics, there are thousands of ways to obtain simple fake licenses. Web sites offering “novelty IDs” abound on the Internet, often with foreign locations, such as the Czech Re-public or Australia. To any savvy computer user, many sites sell driver’s license templates—some for all 50 states—for as low as $75.
Fake driver’s licenses were supposed to go away
once states began issuing new secure driver’s licenses and IDs that feature digitized photos, signatures, holograms and bar codes. But crooks are
making authentic-looking counterfeits and most store
clerks don’t check closely enough for security features.
Fake IDs used to support stolen credit cards or kite stolen checks can be made on a computer and based on the new secure format. No more slicing lamina-tion with razor blades, altering birth dates and gluing grainy pictures to a stolen ID.
Fakes can differ from the real thing in tint, print size, holograms and sharpness of the image. But all are features the
average cashier probably will not
check
if there is a line behind the crook.
Police from Washington state to Florida have seized
rooms of computer equipment, stolen IDs, stolen
6 3
T H E P R O B L E M S C A U S E D B Y E X I S T I N G I D T O O L S
checks and records.
The officers confiscate the usual equipment of any home-based business: desktop and laptop computers, printers, fax machines, scanners, digital cameras, graphics and bookkeeping software, photo quality paper. The unusual finds are the
media of ID theft
: stolen checkbooks, sheets of blank checks and several credit cards.
Newer ID cards also come with other security features—invisible markings that show up under black light…or barcodes that convey driver data. Police and businesses eventually will be able to scan the bar codes instead of bothering with the front.
Prices are higher for everyone. In Washington state, before new-format licenses were launched in 2000, the fees for driver’s licenses increased from $14 for four years to $25 for five years. The fee for a state ID
card rose to $15 from $4.
W H A T S T A T E S A R E D O I N G
While the federal
Drivers Privacy Protection Act
prevents DMVs from selling personal information to commercial entities, the information is often shared with other government agencies and—eventually, sometimes—with private sector firms.
But most states are trying to shore up the security.
Among license administrators, North Carolina has the reputation for the loosest identity document standards.
Supposedly, some 388,000 people hold North Caro-6 4
C H A P T E R 3
lina licenses emblazoned with the Social Security number 999-99-9999. DMV clerks there enter that number if applicants don’t provide another one. In the early 2000s, North Carolina’s license security issues were so bad that Florida—generally considered the second-most lax state in the U.S.—denied reciprocity to North Carolina license holders.
In the summer of 2002, New Jersey’s DMV announced reforms, from heightened security at motor vehicle offices to better-trained employees to the design of more
tamper-resistant driver’s licenses
.
But the agency’s existing security problems, which officials outlined along with proposed improvements, illustrated the enormous challenge suddenly facing agencies that many states have overlooked and underfunded for decades.
New Jersey was one of the last states without a
digitized photograph on its license; in fact, as recently as late 2002, New Jersey drivers could opt to
have no photograph at all. In short, New Jersey
licenses were easy to forge.
Security at motor vehicle offices around New Jersey ranged from spotty to minimal, giving criminals relatively easy access to driver’s license
production equipment
, title certificates and other documents that were “the key components in crimes such as identity theft and insurance fraud,” according to a report released by DMV officials. A state police assessment had found “numerous security failures, [including] easy access to
6 5
T H E P R O B L E M S C A U S E D B Y E X I S T I N G I D T O O L S
valuable documents through open and unlocked doors as well as non-secure storage areas.”
The 2002 reforms were meant to change all of that.
Detailed background checks of agency employees by the state police had led to some firings and many more voluntary resignations. During that summer, 27
workers were fired for suspected fraud and other transgressions.
Among other steps the New Jersey DMV was taking: •
Requiring all license applicants to supply more than one form of identification.
•
Planning the purchase of ultraviolet lights and illuminated magnifiers for each office to help in the detection of counterfeit documents.
•
Seeking new or increased fees to pay for upgraded security.
In September 2002, for the second time that year, thieves broke into a driver’s license office in Naples, Florida. They only got a half-used roll of film. In February, the crooks had been more successful, making off with 5,500 blank cards that could be made into high-quality fake licenses.
The breakins seemed part of a larger scheme. About the same time as the second breakin, thieves had broken into a state office a couple hours to the north of Naples and stolen a computer that included graphics used in Florida driver’s licenses. And, within a few days of
that
theft, a license camera had been stolen from a state office near Miami.
6 6
C H A P T E R 3
Throughout Florida, low-end fake licenses sell for
$50 to $100; but high-end fakes, like ones made
with stolen state equipment, could sell for as much
as $1,000.
During the summer of 2002, hundreds of Colorado residents were advised to watch their credit after burglars made off with driver’s licenses and personal information in two separate burglaries at state DMV
offices. The breakins, which took place a week apart, occurred at DMV offices in suburban locations outside of Denver. Investigators suspected that the crimes had been committed by the same people.
In the first breakin, the thieves escaped undetected with nearly 300
expired driver’s licenses
, which had been turned in for renewals, and $40,000 worth of equipment, including a machine that records fingerprints and signatures and prints licenses.
In the second breakin, the thieves stole about 420
expired licenses—as well as a smaller amount of computer equipment and forms that license applicants filled out verifying their personal information.
In the weeks after the breakins, the Colorado DMV
installed enhanced security systems at its busiest offices; and department officials began phasing in a centralized program for licensing. Under that program, isolated motor vehicles offices would stop printing licenses on site; information would be sent to a centralized printing facility and licenses mailed to applicants’ homes. Also, the DMV distributed
new stamp-6 7
T H E P R O B L E M S C A U S E D B Y E X I S T I N G I D T O O L S
ing tools
that allowed clerks to punch the word “void” into old licenses.
In October—about two months after the suburban breakins—Deputy Colorado Attorney General Don Quick announced that his office had indicted a suspect. Glenn Allen Wilhite faced nine felony counts of burglary, theft,
theft by receiving, forgery and conspiracy
in the burglaries of the DMV offices.
Most of the stolen equipment and expired IDs had been recovered in a search of Wilhite’s Denver home.