The availability of everyone's personal data, either from leaky credit bureaus such as Equifax or underground cybercriminal markets, has put us at a crossroads. Impersonating another person, especially over the phone or online, is startlingly easy.
Two recent fraudulent uses of my personal details provided surprises about how two major U.S. telecom companies, Verizon and Sprint, approach the risk.
In early November, my Experian credit record showed queries from both companies. I haven't lived in the U.S. in 18 years and have no use for a phone there. It turns out, both companies accepted orders of high-priced mobile phones in my name without ever checking a physical ID.
In late September, someone ordered three iPhone 7s and two Samsung Galaxy S8s from Verizon's telesales unit. The phones were due to be shipped overnight to a U.S. residence I use for correspondence. A last-minute call from Verizon's fraud department prevented the phones from being shipped.
But with Sprint, the fraudsters scored. In late August, someone ordered four Samsung S8s through telesales, which were shipped to my U.S. address. The package never arrived, but UPS handily provided me the proof of delivery, which included a scan of my forged signature.
A deeper look into both situations reveals that despite a rampant ID theft landscape, Sprint and Verizon appear to be far too trusting when it comes to telesales.
To be clear, both of these fraudulent incidents are ultimately my fault. As a computer security writer, I'd long been aware of the importance of placing a freeze on credit records with Experian, Equifax, TransUnion and Innovis. With a freeze in place, entities can't see the record and won't extend credit.
I'd tried to place a credit freeze before with the agencies. But as anyone who has tangled with credit agencies before knows, the process can be clunky. Trying to do this while living in Australia added another layer of difficulty. I gave up.
I felt a new sense of urgency after the Equifax breach. In early September, Equifax revealed a breach affecting 145.5 million people in the U.S. It was the result of the exploitation of a software vulnerability that should have been patched sooner (see Equifax Ex-CEO Blames 'Human Error, Tech Failures' for Breach).
Experts have long pointed out that basic ID information - such as name, Social Security number, address and birth date - has long been traded by fraudsters on underground forums. Unfortunately, many companies still merely use this information to authenticate people.
Sprint 'Checks and Balances'
Sprint started sending me late account notices in October. I tried calling their fraud department, which proved to be essentially unreachable. Ironically, a customer service representative told me that if I wanted further information on my account, I'd need to bring my driver's license to a retail Sprint store.
I contacted Sprint's press office. A spokeswoman was refreshingly forthright on the company's processes around telesales. Shockingly, identification is not required.
The fraudster supplied my U.S. address, name and presumably a Social Security number, which was enough for Sprint to pull my credit record from Experian. With my credit record in good standing, Sprint shipped the four Samsung S8s.
I asked Sprint's press office how the company tries to detect ID fraudsters. A Sprint spokeswoman contends the company has "a system of checks and balances in place for these kinds of transactions, which is done through the credit application process. The information provided to our telesales agents is systematically reviewed and rated based on certain attributes within the data. Unfortunately, so that our security measures aren't compromised, I can't offer specifics about those attributes or how they're ranked."
But this explanation falls short: A credit bureau check provides confidence that someone is likely to pay their bill, not that they are who they say they are. Sprint's in-store checks are better: The company scans driver's licenses and uses anti-fraud technology to try to detect fake ones.
UPS delivered the phones. But since the 6-pound package never arrived on the doorstep, someone must have intercepted the driver.
As a side note, UPS told me it didn't ask for the signer's ID because that's only required when someone has ordered guns or alcohol. So of two companies that transact and ship high-value items - Sprint and UPS - neither actually checked a physical ID.
In contrast, delivery drivers in the U.K. always check ID cards or passports when delivering mobile phones.
A last-minute call to my U.S. phone number alerted me to the Verizon order, which was due to be sent overnight. If I hadn't called back, the order would have most likely gone through.
"The system actually called this and thought there was something strange about it," a Verizon customer service representative told me. "It alarmed a couple of times."
Still, the order had progressed that far on the back of only basic identity information, such as name, address and Social Security number. The customer service representative said if the fraudster had contacted Verizon instead of me and confirmed the order, it would have been sent.
I asked Verizon's press office how it verifies new customers placing orders by phone. Although a Verizon spokesman said he'd look into it, repeated queries went unanswered.
The lack of ID verification may be a business choice. For example, if ID theft-related fraud amounts to a tiny percentage of all telesales transactions, it may be considered an acceptable business risk.
What that view discounts, however, is the stress and costs that are shifted onto ID theft victims. I was lucky: Sprint quickly sent notices to credit bureaus to wipe the debt from my record, and Verizon's order never went through.
But erasing incorrect credit information is a painstaking process, and it's fundamentally unfair. Obviously, freezing a credit record is the best way to prevent credit fraud. But Sprint and Verizon still owe it to people who aren't their customers to be more diligent and not allow virtually ID-less transactions.