Among the victims: Mari J. Frank, an attorney and the author of From Victim to Victor: A Step-by-Step Guide for Ending the Nightmare of Identity Theft (Porpoise Press, 1998). She explains, "[In 1996], I got a call from a bank that I'd never heard of asking why I'd never paid my $11,000 bill. I found out that my impostor had gotten over $50,000 in my name. She had rented a car and totaled it, and I was being sued by Thrifty Car Rental. She was posing as an attorney and had stolen my business cards from our office. It was a total nightmare. It was terrifying. And at the time there was no law making identity theft a crime, so when I called my local sheriff's department, they told me that I wasn't a victim and there was nothing I could do."

'Swipe' Your Card?

Welcome to the world of zero privacy, where the information that unlocks your life and your bank account is readily available. "I could find out your mother's maiden name on the Internet," says Frank. "I could buy your Social Security number on the Internet for $25 to $40." And that sort of info can be had for free offline, she says, by dumpster diving, pilfering residential garbage, or scouring the dump. (In practice, we found nefarious data mining wasn't a cakewalk—our dumpster-diving intern encountered heightened security at such sites.)

After "500 hours and five boxes of correspondence," Frank finally managed to clear her name. She also testified before Congress in support of the 1998 Identity Theft and Assumption Deterrence Act. Though new laws help, the experts warn that you won't get a vigorous investigation until the fraud involved reaches seven figures.

The biggest problem in enforcement, says Jerry Coleman, an assistant district attorney in the city and county of San Francisco, is getting enough investigators to work the exploding number of fraud-related cases. "In Los Angeles," he says, "the average investigator has more than 400 of these cases. That makes it very hard to do the footwork to catch these people in the act, which is what it takes to make a decent arrest."

For the boom in identity theft and its lesser variation, credit card fraud, thank toothless financial regulation and efficient technology.

In a white paper from Hypercom, a leading provider of electronic payment systems, company chairman and CTO George Wallner warns that the rise in skimming—surreptitiously swiping credit cards through an unauthorized handheld reader, increasingly common in restaurants—poses a serious threat to the credit card industry. A new development—mini bugs secreted into credit card terminals—makes the problem worse. "Skimming" is reportedly so severe that travelers in countries with a high fraud risk, like Russia and Malaysia, are being advised not to use credit cards.

The picture isn't any brighter for businesses. In addition to occasionally facilitating identity theft—by throwing away records rather than destroying them, for example—a company can have its identity stolen too.

"There are schemes where someone will steal a corporation's identity and acquire huge amounts of merchandise in that corporation's name," says Coleman, "like massive amounts of computer equipment sent to a drop site and paid for on the true corporation's account." Hospitals particularly, he says, have seen medical provider and patient data stolen, with entire faux clinics set up in storefronts solely to fraudulently bill insurers for fictitious services—using real patients' and doctors' names.

He also points to what the FBI calls cyberjacking, in which hackers— typically from eastern Europe, the former Soviet states, or China—break into a corporate site to find customer credit card numbers and then extort the company into paying them to plug the security leaks and not use the stolen data.

Burn Your Checkbook

While technological countermeasures such as chip-based credit cards and tamper-proof terminals (along with further legal remedies) are in the works, efforts to dam the flow of personal information that feeds such fraud have met with fierce resistance from the financial industry and marketers. "The truth of the matter is that the financial industry is facilitating the crime," says Frank.

Coleman expresses a similar sentiment. "We have found in recent years that some legislation to combat this is passed but some is actually lobbied against by banks and merchants, because it's too expensive or too complicated in their minds, or it makes easy credit less easy," he says.

While Betsy Broder, assistant director of the FTC's Bureau of Consumer Protection, acknowledges that merchants don't like the idea of stricter controls on personal information because tighter credit might mean fewer sales, she suggests that marketplace incentives may work just as well as new laws. "One incentive for businesses [to protect personal data] might be that it's good business to do so," she says. "At a certain point the marketplace is going to encourage businesses to provide greater protection to consumers. Why? Because consumers want it. Because if they feel they are unnecessarily exposed to identity theft they will take their business elsewhere."