My experience of identity theft and how it could have been prevented

Tom Chantler

UPDATE

My story was featured in an article in the Mail on Sunday on 25th October 2015. You can read it online at http://dailym.ai/1WbtlBM.

Summary

I've been buying quite a lot of expensive mobile phones on two-year contracts lately, such as the iPhone 6 and the Galaxy S6 Edge. Except I haven't really; somebody else has been doing it on my behalf. They've even kept the phones for me too.

Yes, I have become a victim of identity theft. A couple of days ago I heard that the number of victims of identity theft in the UK has risen by almost a third this year and I can well believe it. At first I was a bit upset that it had happened to me, but since these crimes are generally random it's best simply to treat it as a minor inconvenience, to deal with it promptly and not to take it personally.

Let's see what happened to me, how I resolved it and how you might be able to prevent it from happening to you.

Background

Last week I received a letter from EE welcoming me to my new pay monthly mobile phone account. Since I hadn't opened an account with EE, I telephoned them immediately and informed them that somebody else must have stolen my details and used them to open an account. A day or so later I received a letter from Vodafone along the same lines, and on Tuesday I received yet another communication of a similar nature, this time from O2, and also a letter about Geek Squad insurance which had been set up in my name, presumably since one of the accounts had been opened in a branch of Carphone Warehouse.

All of these accounts were opened in high street stores just under two weeks ago. It wasn't done online; a real person pretended to be me.

In each case, I telephoned the company concerned as soon as I received the letter and they each told me that they believed what I was telling them and that unfortunately this kind of crime is very common. They were all very nice and helpful and said they'd close the accounts, I wouldn't be liable for any losses and that their fraud departments would contact me in due course.

In my case, my bank account and credit card details were not compromised. Without going into too much detail, suffice it to say that any direct debits that were set up used an invalid combination of name, address (both mine) and bank details (not mine) which I confirmed by telephoning the bank concerned and which would have been declined.

Sign up with Experian, Equifax, Noddle or Call Credit

If you're the victim of identity fraud, you should sign up with Experian, Equifax or Noddle (part of Call Credit) for a few months so that you can keep an eye on your credit file to see if any further searches or changes have been carried out in your name. Noddle is slightly different in that you can see your credit file and have it updated on a monthly basis for free, whereas Experian and Equifax offer a time-limited free trial during which you can see numerous updates of your credit file. Call Credit also offer a premium service called Credit Compass.

As soon as I received the first letter I signed up to Noddle and additionally signed up for free trials with Experian and Equifax. You could stagger your free trials to maximise your free coverage and give you a chance to try them both out. I will probably maintain my subscriptions for a few months just to keep an eye on things. Each company seems to hold pretty much the same information about me and I think an account with any of them would be fine. However, at the moment I need the information to be updated more regularly than once a month, so a free Noddle account on its own is not sufficient.

CIFAS - Credit Industry Fraud Avoidance System

O2 also said they would add me to the CIFAS register, which neither EE nor Vodafone had offered, despite being members of the scheme. So thank you to O2.

When you are on the CIFAS register a flag is applied to your credit file and thus you are subject to extra scrutiny when applying for credit. I wonder why everybody isn't subjected to this extra scrutiny all the time. I telephoned CIFAS and they said that people weren't usually on the register for a prolonged period, just when they were at heightened risk of identity fraud. They also told me that some companies will pay to place you on the register for varying time periods from a few months up to several years. That's encouraging.

You can join the CIFAS register yourself for £20 for a year if you want to.

If you are registered on CIFAS it's quite easy to see on your credit report. When you log in you'll see something like this:

Equifax:

[Image: CIFAS Equifax]

Experian:

[Image: CIFAS Experian]

In each case you can see when you were added to the register, why and by whom.

Reporting the fraud on the Action Fraud website

Since a couple of the companies concerned said I ought to report the matter to the police, I decided to see if I could do that without too much trouble. It was actually quite straightforward. I went to the Action Fraud website, clicked Report Fraud, filled in the form and ended up with a reference number.

Let's have a look at a couple of the options I was presented with.

First this:

[Image: Action Fraud Choose Fraud Type - Identity Fraud]

Then this:

[Image: Action Fraud Choose Fraud Type - Telecomms]

Pretty simple and fairly unambiguous.

The Action Fraud website is quite good and has some good advice. For example, the video about spotting an ATM that's been tampered with is nice and short, but also quite informative.

A slightly humorous interlude

Something that amused me and is slightly ironic (and not in the ten thousand spoons when all you need is a knife way) is that if you go to the Action Fraud website over HTTPS in Chrome you get this:

[Image: Action Fraud not secure]

Specifically this bit:

[Image: Action Fraud not secure - detail]

Don't worry though, the actual process of reporting the fraud is secure and has a proper SSL certificate.

[Image: Action Fraud is secure really]

I still think they should have protected the whole site with a valid certificate, but they've protected the important part, so it's not really a problem.

Okay, let's get back to the identity theft.

Minor rant

You shouldn't let people open credit accounts just using a name, address and date of birth since that information is essentially in the public domain.

I asked each of the companies what kind of information had been used to impersonate me, but they said that they couldn't tell me since everything had now been passed on to the fraud department. Fair enough.

Since I haven't lost any photo identification (and besides, I have a fairly distinctive appearance) and it seems extremely unlikely that anybody would bother to create a convincing fake photo ID just to scam a few mobile phones, I am forced to conclude that the fraudsters probably just provided some "proof" of address. I'm guessing it was just a utility bill or similar which will have been faked since I shred all of mine as I am super anal about that sort of thing (if you don't know what super anal means, I'd advise against googling it as it potentially has two meanings. I'm using the term to mean that I am extremely fastidious).

But that's not the main issue. I daresay lots of people can provide some evidence that somebody else lives at somebody else's house. That should be deemed irrelevant in the absence of photographic identification.

Steps you can take to protect yourself

In my case, there was only one thing I could have done, which was to have joined the CIFAS register beforehand voluntarily. That's pretty annoying, but sadly true.

Obvious steps you can take to help are things like making sure you shred documents before you discard them and not leaving personal information lying around.

What about online identity theft?

That's a huge subject and worthy of at least one article which will be forthcoming in due course. A couple of suggestions in the meantime: use two-factor authentication where you can and change your passwords regularly (and don't use the same password for more than one account). Expect more on this topic soon.

An unworkable solution - this is not a serious suggestion

Wouldn't it be cool if you had some kind of biometric identification? Not the normal sort though. There are lots of reasons people don't want this and why it wouldn't be cool, but what would be cool would be a way of proving that you really are who you say you are. Imagine if there was some kind of biometric database which could only be used to prove if you were who you said you were, but couldn't be used to ascertain your identity otherwise, i.e. if you claim to be a person then somebody could scan your necessary part (or parts) and it would say yes or no. So if you were lying, it wouldn't say who you actually were, just that you weren't the person you were purporting to be. Of course this isn't really feasible as such a system would inevitably be misused at some point. Don't overthink this one, it's not really a very good idea.

A real solution - a request for better identity verification

If each of the companies had insisted on seeing photographic identification and had checked it properly, these crimes would have been prevented. If everyone agreed that a person's name, address and date of birth are in the public domain, then they'd have to use different information as proof of identity. Furthermore, if every company acted as if they'd just seen the CIFAS flag on your credit file, most identity theft could be prevented.

Conclusion

Identity fraud is on the rise and was the dominant fraud threat of the first quarter of 2015. It can affect you without you doing anything wrong. If it happens to you it might seem a bit upsetting at first, but it's very rare for it to be targeted so it's best just to deal with it promptly and move on. If you think you're at significant risk of becoming a victim, you can join CIFAS for £20 for a year which will increase the scrutiny required for you to obtain credit and thus will prevent a lot of identity fraud.

My experience with identity fraud came about when a person impersonated me in a number of high street stores. We'll look at online identity fraud in a future post, but in the meantime if you want to comment on this article then please do so below.