Colorado's Secretary of State and other officials are warning the state's 800,000 or so registered businesses to watch out for scammers who have been forging business identities to make fraudulent purchases from several big-box retailers in recent months.
So far, at least 35 businesses in the state have had their corporate identities misused to open fraudulent credit accounts at retailers such as Home Depot, Lowe's, Office Depot, Apple and Dell. According to the Colorado Bureau of Investigation (CBI), the scammers so far have made at least $750,000 in fraudulent purchases from Home Depot alone after opening up lines of credit there using forged corporate identities.
Five people in California have been arrested in connection with the scam, said Robert Brown, agent in charge of the fraud unit at the CBI.
It's unclear how many other businesses may have been affected. But the problem appears to be growing, with several more groups likely involved in similar scams, Brown said. Since news of the corporate identity theft in Colorado became public, law enforcement authorities in Texas have reported at least one similar incident.
The corporate identity thefts itself were possible because of what appears to have been a surprisingly wide open business registration system at the Colorado Secretary of State's Office. As with every other state, Colorado requires companies doing business in the state to register details of their business. Like other states, the business registration details, which include the name of the registered agent of the company, its full local address and other information, are a public record that can be viewed by anyone.
In Colorado's case, however, not only does the state allow anyone to view the record -- it also allows just about anyone to alter or update it. The state site requires no username or password for access to a company's registration information, which means that anyone with access to the site can make changes.
The identity thieves used this hole to alter the contact and other registration information for several companies. According to Brown, many of the companies targeted appear to have been smaller and medium-sized firms and, in some cases, defunct companies. Once the registration information was changed, the scammers then used the forged identity to make online applications for lines of credit with the retailers.
Richard Coolidge, a spokesman for Colorado Secretary of State Bernie Buescher, said the state's decision not to use passwords and usernames to control access to the registration data goes back more than 10 years. It's designed to make the system easy to use and was put in place at a time when identity theft was not a rampant problem. Businesses can, however, sign up for an e-mail notification that alerts them to any changes made to their registration data. According to Coolidge, though there are no controls for editing the registration data, in Colorado it is a felony for someone to make unauthorized changes.
Following the discovery of the scam, the state is asking businesses to be vigilant about their registration data and make sure that no unauthorized changes are being made to it. The state is also telling businesses to sign up for the e-mail notification system so that they can get alerted of any changes.
For now, there are no plans to implement a username and password to control access to the data because the budget for that has yet to be approved. That will be discussed when Colorado's legislative session resumes in January. Coolidge estimated that the state will need to hire between five and seven additional employees to handle password help issues if tighter access controls are added.
According to Brown, state authorities were alerted to the scam earlier this year when a company reported being contacted by Home Depot about purchases totaling nearly $250,000 that had been made in its name. A review of the online credit application made on the company's behalf was done by Citibank which underwrites the lines of credits offered by Home Depot.
The review showed that someone had altered the company's registration information and changed its location from Boulder, Colo. to a virtual office in Aurora, Colo. The owners of the virtual office in Aurora were instructed to forward all mail received on the company's behalf to another virtual office address in Harbor City, Calif.
The individuals behind the scheme used their Home Depot line of credit to make online purchases of a large number of household appliances including refrigerators, TVs and other electronic items. They also purchased a large amount of copper wiring from Home Depot.
In most cases, the scammers made in-store pickups using "street urchins" to go into a store location and collect the items, he said.
Brown said that Colorado, as a precautionary measure, has implemented a system to alert authorities when a company's address information has been changed or updated. That will let authorities match a company's registered address against the addresses of roughly 10,000 virtual offices around the country.
Companies concerned about identity theft need to monitor their registration information and understand what kind of public access their state allows to the information, he said. Companies should also consider becoming registering with organizations such as Dun & Bradstreet and Standard and Poor, which maintain reliable and up-to-date registration information and alerts companies of any changes.
Don Childears, president of the Colorado Bankers Association (CBA), expressed frustration at the situation and said that a lot of it was enabled by the open access to registration data at the Secretary of State's site. The scam has already cost retailers and banks substantial amounts and will end up tarnishing the credit worthiness of businesses whose identities were misused, he said.
At the same time, the fraud was detected relatively quickly because of ID theft prevention mechanisms the CBA has put in place in conjunction with the CBI, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.