Computerworld - Colorado's Secretary of State and other officials are warning the state's 800,000 or so registered businesses to watch out for scammers who have been forging business identities to make fraudulent purchases from several big-box retailers in recent months.
So far, at least 35 businesses in the state have had their corporate identities misused to open fraudulent credit accounts at retailers such as Home Depot, Lowe's, Office Depot, Apple and Dell. According to the Colorado Bureau of Investigation (CBI), the scammers so far have made at least $750,000 in fraudulent purchases from Home Depot alone after opening up lines of credit there using forged corporate identities.
Five people in California have been arrested in connection with the scam, said Robert Brown, agent in charge of the fraud unit at the CBI.
It's unclear how many other businesses may have been affected. But the problem appears to be growing, with several more groups likely involved in similar scams, Brown said. Since news of the corporate identity theft in Colorado became public, law enforcement authorities in Texas have reported at least one similar incident.
The corporate identity thefts itself were possible because of what appears to have been a surprisingly wide open business registration system at the Colorado Secretary of State's Office. As with every other state, Colorado requires companies doing business in the state to register details of their business. Like other states, the business registration details, which include the name of the registered agent of the company, its full local address and other information, are a public record that can be viewed by anyone.
In Colorado's case, however, not only does the state allow anyone to view the record -- it also allows just about anyone to alter or update it. The state site requires no username or password for access to a company's registration information, which means that anyone with access to the site can make changes.
The identity thieves used this hole to alter the contact and other registration information for several companies. According to Brown, many of the companies targeted appear to have been smaller and medium-sized firms and, in some cases, defunct companies. Once the registration information was changed, the scammers then used the forged identity to make online applications for lines of credit with the retailers.
Richard Coolidge, a spokesman for Colorado Secretary of State Bernie Buescher, said the state's decision not to use passwords and usernames to control access to the registration data goes back more than 10 years. It's designed to make the system easy to use and was put in place at a time when identity theft was not a rampant problem. Businesses can, however, sign up for an e-mail notification that alerts them to any changes made to their registration data. According to Coolidge, though there are no controls for editing the registration data, in Colorado it is a felony for someone to make unauthorized changes.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
