This essay is going to scare you. There is a better-than-average chance that, at some point in the last several years, your personal information was stolen. Not something small like a credit card account, but the good stuff, your Social Security number coupled with your birthdate.
In fairness to thieves, we have all made this very easy for them to do. You and I hand over this information every time we apply for credit or a loan, open a bank account, check our credit score (Hello, Equifax, old friend), or do any of the other filling-out-of-forms drudgery that goes along with the modern consumer-financial economy.
The good news? With so much stolen information in circulation, there’s almost certainly an oversupply of raw materials for fraud and an undersupply of willing criminals. But for the unlucky few, those of you who graduate from “data breach victim” to “identity theft victim,” I’m sorry. This is going to hurt. I know. Because it’s my story, too.
My identity was stolen in 2013, though I didn’t find out until later. It started in Florida—which has more than its fair share of scams—but our economy of convenience is such that it really could have happened anywhere. The details of the theft are laid out in a federal indictment against a man named Marlen Manukyan. Using a fake driver’s license—my name, his photo—he went from bank to bank over three days in August that year setting up accounts at TD Bank, Bank of America, and Wells Fargo. He registered a business with the Florida Department of State and opened another Wells Fargo account for his—well, I guess “our”—new company. He told the bank he was in auto sales.
A few days afterward, over Craigslist, he sold an RV to two people in Sugar Land, Texas. The Texans wired $39,960 to him. Four days later he wired their money to Russia. The Texans never got their RV. The Sunny Isles Beach police called me a few months later. They wanted to know if I’d ever lived in Florida—I hadn’t—and told me they were investigating a case of identity theft.
At the time, I didn’t worry too much about it. So, some criminal in Florida had a fake ID with my name on it, but the police were on top of it. I’d need to watch my credit reports for a while, maybe call and dispute a few transactions. Annoying, but manageable.
The trouble is that there were many other traces of Manukyan-as-me, as I’d find out later: a Bank of America credit card with charges at a water park, a Whole Foods, some sushi, and a meal at a chain restaurant. There was also an address in the Miami area in my name.
The extent of the damage—and the years it would take to clean it up—started to emerge not long after the cops first contacted me. I was pulled aside by agents at John F. Kennedy International Airport while waiting to board a flight for London. A voice had come over a loudspeaker in the lounge: I was wanted at the front desk. Two men with badges asked me where I was going and why. They searched my bag. Was I carrying any monetary instruments, any cash? Yes, I was: a single, tattered dollar. They wrote it down in their notes.
Variations of the same routine happened again and again over the next few years. I’d exit or enter the country and be sent for extra screening, interrogated, and searched. Once, I was pulled off the jetway as I was about to board. Other times I was sent to a room with people waiting to be questioned before they could enter the U.S. One agent pulled from my bag a bottle of pills in an old, unmarked medicine bottle—Advil that I’d put aside to travel with. I told him what it was. “Don’t do this again,” he told me. Unmarked medication was a flag. He had to put it in his notes.
The border agents were always polite, always had a bland answer for how I’d ended up on a list—but they always went through my belongings. My girlfriend got used to these detours. We’d travel together, and I’d be pulled aside. “See you in an hour or so,” I’d tell her. (She married me anyway!)
Manukyan’s wreckage, however, began to intrude into my financial life: For example, I was denied a new credit card. I began to realize how bad it was when my wife and I went to a Wells Fargo to open a joint account. “Welcome back, Mr. Armstrong. I see you already have several accounts with us,” the teller said. I’d never set foot inside a Wells Fargo.
The intersection of my legitimate life with Manukyan’s impersonation of it had destroyed my credit, which was rated poor, and put my profile on a security watchlist somewhere in the government. It had made it impossible for me to get a new credit card, and when my wife and I went to apply for a mortgage, our agent at the bank told us not to even bother including my name and assets. Identity theft isn’t just an inconvenience; it shut me out of the most basic parts of the consumer-financial system. Our financial identity is a spool of fishing line left carelessly in a drawer. You pull it back out one day, and it’s become knotted into a mess. You can try to untangle the line, but you can’t just cut it or throw it away. Our system ties you to the mess forever.
Attempting to get through to credit agencies, I spent a year calling banks and credit card companies. Each had a byzantine maze of customer service representatives, forms, and affidavits. I mailed packets to financial institutions with copies of my passport, driver’s license, and utility bills. I have an inch-thick folder of documents, a record of the double life created in my name and my attempt to take it back: old credit card records, credit reports, the indictment against Manukyan, a form I sent to the Transportation Security Administration to get a redress number so I could travel freely.
Some episodes were comic—or absurd. After I explained my story over the phone to a woman at Bank of America Corp., she thanked me for being a customer, which I’d never been. The bank then sent me a tax benefit filing for credit card debts it had written off after Manukyan was arrested and they went unpaid. They even refunded me fees erroneously charged to Manukyan.
Since my identity was stolen in 2013, breach after breach has exposed the vulnerability of the systems that guard the private information we casually hand over to companies, health-care providers, and government. Social Security numbers are the keys to the kingdom. In this country, people get a unique number when they’re born, and the Social Security Administration tells them it’s secret and valuable. Then we use that number to pay taxes, to get government benefits, to apply to college, to get a mortgage, to apply for a car loan, to open a bank account, to track our credit. We’re asked to hand over this number again and again to institutions that have failed to guard it. It’s convenient: Look at almost any online credit card application. All you really need is a name, a date of birth, and a Social Security number. You can apply online and find out whether you’re approved in a few minutes. But it’s also convenient for the commission of fraud.
In 2018 almost half of the 1,244 data breaches in the U.S. exposed Social Security numbers, according to the Identity Theft Resource Center. The Capital One Financial Corp. breach in July affected 100 million profiles. The company said relatively few Social Security numbers were taken— 140,000 of them. Many of those were probably already compromised in Equifax Inc.’s 2017 breach. That was the big one, exposing 147 million people. The Federal Trade Commission said almost anyone who had a credit profile in America was probably exposed. With every breach, these institutions assure victims they’ve identified the problem and are working with top security experts and law enforcement. But then there’s always another breach, just a little ways down the digital road.
The suggested remedy to identity theft is to freeze your credit. That makes it harder for a thief to open an account in your name. But what else? Two-factor authentication for bank and credit card accounts would be a start. Banks should probably make it harder to get a new credit card than to log in to Gmail. Creating a web of multichannel identity verification using devices we carry around all day already—conveniently equipped with fingerprint scanners—would likely make some types of fraud more difficult.
The credit bureaus almost certainly need to change. The unequal and unjust difference between how easy it was for somebody to commit fraud using my identity in a few days and the years it took me to unwind it needs to end. Equifax’s settlement of a few bucks with victims or several years of credit monitoring is nice, but it’s hardly fair compensation to anyone who has to deal with serious identity theft and has to attempt to repair their credit. Our banks and credit bureaus’ interactions with victims are, in my experience, built around making it extremely difficult to talk to a real person or find the resources to repair damage.
The U.S. Department of Justice asked me to testify in Manukyan’s case. He was scheduled to go on trial in Miami in January 2017. I agreed to go for the chance to see the man who had taken over a part of my life. A government-paid trip to the beach in the middle of winter felt like nice compensation. Perhaps I’d stop at the water park where he’d spent the day using the credit card with my name on it. But a few days before the trial, I got a call from the prosecutor’s office. Manukyan, who was in the country illegally, took a plea and went to prison without a trial. He spent less than two years behind bars before being scheduled to be released and deported late last year. That’s all I know of his fate.
I revisited my credit reports while writing this piece. It’s been six years since Manukyan stole my identity, and finally the damage he did seems to be gone. The addresses on the reports are really where I grew up, really where I lived after college, really where I met my wife, really where we live now after moving out of New York City. My credit is rated very good, and I expect I could get a loan or open a new bank account if I wanted to.
But I still wonder. I’m afraid of what I may hear if I walk into a bank I’ve never used before and talk to the teller. “Welcome back, Mr. Armstrong. We’re glad you’ve decided to do business with us again.”
Story cited here.