In his career, Frank Abagnale has been an airline pilot, a college professor, a lawyer and a pediatrician, and that was before his 21st birthday. In his youth, Abagnale was a master forger and imposter, cashing about $2.5 million in forged checks to finance his jet-setting lifestyle. When he was finally apprehended, he spent a total of five years in French, Swedish and U.S. prisons after which he cowrote a book based on his adventures called Catch Me If You Can
, prompting the Steven Spielberg movie of the same name. Today, Abagnale has parlayed his knowledge of forgery into a successful consulting practice. He is considered one of the world's foremost authorities on check fraud, embezzlement and secure documents, and he lectures and consults extensively for the FBI. We recently spoke to Abagnale about the growing problem of identity theft and what CSOs should be doing to counter this rapidly spreading crime.
CSO: Identity theft is often thought of as just a crime against consumers. Is that accurate?
Frank Abagnale: Identity theft is a crime against consumers, businesses, financial institutions and retailers. In 2002, there were nearly 9.9 million victims of identity theft. Banks, credit card companies and retailers lost more than $47 billion that we can attribute directly to identity theft.
It's common for a bank or credit card company to write off a debt and then find out months later that it was caused by identity theft. Rather than report it as fraud, they simply write it off as a bad debt. Every security executive should be concerned about protecting the identity of his customers, clients, members and employees.
Everyone is in an uproar about the $87 billion [as the cost to rebuild] Iraq. Consider this: White-collar crime in America is now at $600 billion annually, almost twice the budget of the entire Defense Department. These are real losses in income and tax revenue that ultimately come out of consumers' pockets in the form of increases in fees, goods and services. The $87 billion is a deficit against the budget. The $600 billion comes directly out of the pocket of every man, woman and child in America. I think it's time we get concerned about white-collar crime.
What can security executives do to prevent their customers from being victimized? What precautions should they institute internally?
When we ask an embezzler how he accessed the company's e-mail or building, the most common answer is, "I was let go six months ago, but they never removed my privileges."
One of the biggest problems we have today is the failure of companies to recognize the necessity for identity management. Why is it that a teller, who is working part time at a bank, has access to the balance of my account, my Social Security number, date of birth, private banking information, employer's name, my position at my company and information about my family? Why is it that a volunteer working at a hospital has access to my medical records? Why wouldn't every company and institution have a program in place to control access to information so that software would not allow certain levels of employees to be able to access this information? What if tomorrow, XYZ Co. were to lay off 20,000 employees? It would take an average of nine months to remove the employees' e-mail privileges, pass privileges, phone privileges, card entry-access privileges and credit card privileges. Software exists that allows the company in a matter of seconds to delete those 20,000 employees' privileges and in seconds restore them.
The Internet has clearly taken identity theft to a new level. What kinds of crimes are possible now that you wouldn't have been able to pull off when you were practicing fraud?
Today, anyone can go on the Internet and find out 22 pieces of information about any individual with no more than their name and address. I can even tell you who lives in your house that is not related to you, who lives next door or across the street from you. We've allowed so much private information about us to be placed in public files and on the Internet that anyone can compile your profile in minutes. What I did 35 years ago is now 2,000 times easier.
What's the next step on the continuum? What crimes will plague us five years from now as a result of the increased availability of personally identifiable information and technology?
Five years from now, we can expect more of the same. Technology breeds crime; it always has and it always will. Crimes will get faster, harder to detect. They will be faceless and committed from thousands of miles away. We will constantly need to develop technology to fight technology that is being misused by criminals.
What do you think the Department of Homeland Security needs to do to prevent identity theft and falsification by potential terrorists?
In my opinion, the Department of Homeland Security and the Transportation Security Administration need to start profiling. That may not be politically correct, but it is correct. The time and energy spent searching 5-year-olds or 80-year-olds is ridiculous when we know what type of person we're looking for.
If the country were to institute a national ID, what kinds of security measures would it include to be more effective than the IDs that college kids have been reproducing for years?
I don't think we'll ever have a national ID program. We've talked about it for more than 30 years. Privacy is very important to Americans, and it should be. I strongly believe in the technology to make a document almost impossible to counterfeit. However, nothing is impossible to re-create if someone has created it. I tell my clients that if you believe you have a foolproof system, you have failed to take into consideration the creativity of fools. That said, there are some wonderful technologies from many companies that can be put into documents, both plastic and paper, to make them extremely secure. They can be costly, but if you are going to do it, you have to do it the only way...the right way.