Despite warnings, most states slow to confront corporate ID theft

How easy is it to steal the identity of a business? Just ask Roger Lee Shoss and Nicolette Loisel, two Houston-based attorneys who turned hijacking the identities of publicly traded companies into a cottage industry.

According to the Department of Justice, the two took advantage of loose public- and private filing systems for more than a year, fooling regulators in Ireland, the UK and the U.S. and stealthily taking control of dozens of dormant firms. The scam calls attention to a little-known, but growing problem in the U.S. and elsewhere: business identity theft, and the way that lax business filing systems aid would-be thieves.

[ 68 great ideas for running a security department ]

By all accounts, Shoss and Loisel were masters of the art of corporate identity theft. According to a federal indictment, the two were part of a three person legal team operating within an octopus-like international conspiracy spanning the U.S., U.K. and Spain. After using online business registries to identify dormant, publicly-traded companies in the U.S., Shoss and Loisel would resurrect the firms: filing certificates of amendment for the firms' articles of incorporation that folded the existing, publicly traded firm into sham shell companies they had set up.

By manipulating business registration systems in Florida and Delaware as well as filing systems at organizations like NASDAQ and the SEC, the scammers took control of the companies and then obtained legitimate CUSIP numbers and stock trading symbols that were then used to push the worthless stock on unsuspecting investors. In all, the scheme raked in close to $100 million through bogus stock sales of 54 separate firms to gullible investors, mostly in the UK, before regulators and law enforcement got wise to it.

The scheme was larger in scope than similar business identity theft operations, but not unusual in its details. The success of the perpetrators underscores the gulf in awareness that exists between the well-known problem of consumer identity theft, and the lesser known problem of business (or corporate) identity theft, according to experts interviewed by ITworld. "This is something that goes on quite regularly," said Ricky Harper, the Director of Florida's Division of Corporations.

Harper said that business identity theft is often a lurking problem that slips under the radar of both state officials and law enforcement. Harper said that officials himself included often don't know what to look for. "I was asked by our previous Secretary of State, Curt Browning, to look into the problem. I read some articles on it but didn't see much evidence of it here in Florida," Harper told ITworld.

Then Harper said a case came across his desk that woke him up to the corporate identity theft problem. "We had a business and aviation company - that had been dissolved by the owners. It was then reinstated by some identity thieves. Soon after, they applied for a $140,000 federal fuel tax credit, which was delivered as a check. The scammers and the money disappeared and the previous owners only learned about it when the IRS came knocking on their door."

Harper said that, when learned about the scam, he realized that the Division of Corporations wasn't looking for the right clues. Rather than trying to identify fraudulent filings, the Division instructed its employees to start looking for innocuous-seeming changes that correlated with business identity theft scams. Those included sudden changes in the registered agent or mailing address of a company. "Once people started looking for that, we discovered a fairly high amount of (identity theft)," Harper said.

In the last decade, secretaries of state across the U.S. have moved business registries and filing systems online as a convenience to taxpayers and also to save money. Unfortunately, that move online hasn't gone hand-in-hand with tighter security. Lax business registration systems are the norm in the U.S., and they're also a common denominator in business identity theft scams, say officials in other states that have confronted the problem.

In Florida, officials at the Division of Corporations uncovered 40 known cases of fraudulent business filings with damages of up to $360,000 in one case, said Karen Ellis who was hired by the State of Florida in May to spearhead its efforts to stem the business identity fraud and abuse.

Ellis says that poor communication between law enforcement and secretaries of state, who often manage corporate filings, is one major obstacle to stopping identity theft. Since starting work for the State of Florida in May, Ellis says that she has improved communication between the Division and law enforcement. But bigger changes that can actually stop identity theft have been slower coming, she said. "Right now in Florida we still have fair faith filing. That means I can get on a computer and go and alter things on an LLC, NPO or corporation. I just need to send in the form and pay my $25 charge for the amendment," she said. "We've left ourselves wide open."

The loose security around business filings is no accident. In many states, secretaries of state are confined by law to a "ministerial" role with regard to business filings, without the authority to question the details of filings that meet the state's guidelines. When fraud occurs, secretaries of state are often hamstrung in investigating suspicious filings, according to a January, 2012 report by the National Association of Secretaries of State (NASS).

That means that, despite increased awareness of the problem of identity theft, would-be identity thieves can easily exploit online registries of corporations to glean the information needed to impersonate the firm, and then abuse Web- and fax-based filing systems to hijack the firms' identities without concern about getting caught.

In Oregon, the problem has been identity thieves reinstating old mining companies to steal their corporate identity, said Tom Wrosch, that state's Commercial Registries Manager. In response, the state set up limits on how long a company could be dormant before it is reinstated, he said.

Colorado Secretary of State Scott Gessler said that his state has seen a spike in cases of corporate identity theft stretching back to 2009 and 2010, under his predecessor. The problem was big enough to become an issue in a hotly contested political race for the Secretary of State's seat, with Gessler promising to be more aggressive in combating corporate identity thieves if elected.

Since winning the race, he said he has made good on his campaign promise: getting legislative approval and funding to expand an existing program to notify business owners by e-mail if their business registration information changed. Business owners in Colorado can now protect their business filings with a password protection -- the first such system in the nation.

"The password feature is straightforward, but it's new and unusual in the context of central business registries," Gessler said. The system went live in January and, to date, just over 26,000 businesses have registered for Secure Business Filing accounts, according to data provided by the Secretary of State's office. The system is voluntary for business owners and Gessler admits that cajoling established businesses to set up an account has been a challenge. But Colorado has made it a default option when citizens set up a new business, with most taking advantage of the feature.

The data, so far, is encouraging. Reports of business identity theft average about six per month so far in 2012, down from an average of 11 per month in 2011 and 18 a month in 2010.

But Colorado is the exception rather than the rule. Even with greater attention to business identity theft, most states have little or any security built into their business registries. In states like California, for example, the form to amend a limited liability company (LLC) can be downloaded from the Secretary of State's Web page and mailed- or faxed in with payment, but no proof of identity. That allows identity thieves to act without fear of getting caught.

Texas doesn't provide either an e-mail notification program or a way to password protect a business entity record, though the state is constantly reviewing its procedures in an effort to maintain the security of business records and appropriate public access to them, said Richard Parsons, the Communications Director for Secretary of State Hope Andrade.

Even states that have implemented security features often fall short of the mark. Massachusetts' Secretary of State's office has password protected online filing. However, scammers can obtain a user name and password from the Secretary of State's office with nothing more than a valid e-mail address and the name of the LLC or LLP they are targeting.

Don Huntting, the president of Huntting Investigative Services in Westlake Village, California said that California, like other states, is behind the curve, with state agencies mired in bureaucracy and slow to process changes in business filings - let alone spot fraud in real time. He said that, in his state, it often falls to banks, which have higher standards of proof when setting up business accounts - to actually spot and stop business identity theft fraud. "The state is dropping the ball," Huntting said.

Wrosch of Oregon said the same is true in his state, acknowledging that the state's business registry can be manipulated or out of date, and shouldn't be the final word on the ownership of a company.

"We tell businesses: if you're relying on our database to show ownership or authority (of a company), then you're enabling business identity theft. Our registry is not the best indicator or the sole indicator of who is the owner or person in charge of a business."

Business identity theft wouldn't be a problem, he said, if "the people who had the money whether that's a bank or a credit card company didn't rely on the business registration ... what they see on our system."

That's a shocking admission, but Wrosch's sentiment is backed up by data. The firm Dun & Bradstreet estimates that approximately 20 percent of the registration data in government databases is inaccurate, complicating tax collection and enabling fraud.

Besides, Wrosch said, business identity theft isn't a front burner issue in his state. "We're not hearing about it from local law enforcement or anecdotally," he said. That could be because there are no crimes to report, or because businesses are loath to admit when they've been defrauded. Whatever the case, with few reports, it's hard to justify dedicating the resources and money to address the problem, Wrosch said. Add to that the fact that, in many states, implementing new and more secure business registries requires legislative action of some kind to approve the additional budget to fund the new system. In Colorado, despite public attention to the problem, it's still a year to win funding to implement business registry security features, said Secretary of State Gessler.

A 2011 position paper by the firm Dunn & Bradstreet said that online business registries have improved the speed and ease of registration over older, paper-based processes and can "strengthen agencies' mission capabilities in such areas as regulation and oversight, collection of revenue and fees, transparency, and economic development." But state agencies must fix the problem of what D&B called "inadequate data-quality checks" that have "enabled criminals to use government websites to steal the identities of legitimate businesses to perpetrate crimes."

The firm said states should take a number of steps to secure their filing systems and make them more akin to private sector systems. Those steps include proving the identity of those registering a new business or attempting to alter data for an existing firm, then providing them with a unique identifier and password to limit access to that data. But states will also need to invest significantly in support, management and oversight to ensure the continued integrity of their business registries and the data in them, D&B said.

The NASS also recommended a series of changes in their report, chief among them the establishment of cyber security policies and practices to secure online business records and prevent unauthorized changes. NASS also called for better reporting and tracking of business identity thefts and new laws that empower secretaries of state to investigate fraudulent filings, raise the burden of proof for those seeking to resurrect a dissolved business entity and impose stiff penalties for cases of proven business identity theft.

The efforts of NASS and others appear to be working. Colorado's Secretary of State, Scott Gessler, who chairs the NASS Business Identity Theft Taskforce, said that awareness of the problem has grown tremendously in the states where NASS has held workshops. "We have a lot of people who are interested in doing the things we're doing in Colorado," he said.

That's as it should be because criminals will be quick to shift from higher- to lower security states when changes start to be implemented. "I tell my counterparts in other states that there's no question that if we stymie crooks in our state, they're coming your way instead," Gessler said.

Constant vigilance of data quality is required

Information is dynamic. In the next 60 minutes:

251 businesses will have a suit, lien or judgment filed against them58 business addresses will change246 business telephone numbers will change or be disconnected81 directorship (CEO, CFO, etc.) changes will occur41 new businesses will open their doors7 businesses will file for bankruptcy11 companies will change their names

So in a year:

21 percent of CEO's will change20 percent of all addresses change18 percent of telephone numbers will change17 percent of business names will change

Source: href=" " target="new">Dunn & Bradstreet analysis of public sector registration data files, 2011.

Copyright © 2012 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)