Identity theft is one of America's fastest-growing crimes and a particularly vexing one for victims. Beyond feeling personally violated, they are left trying to clean up nasty credit messes and sullied reputations. But the truth is, this epidemic could be curbed if banks and merchants would simply step up and plug their security leaks.

ON THE DAY THAT Rhonda Wilson, freelance writer and editor, turned 31, her alter ego, Rhonda Wilson, thief and deadbeat, was born.

It was three years ago, on her birthday, that Wilson accidentally left her wallet at the checkout counter in a Dallas supermarket. "The next day I was on the phone first thing, canceling my credit card and ATM card," recalls Wilson, who goes by Ronnie. But the more problematic loss, as it turned out, was her Southern Methodist University young alumni card. It had her Social Security number on it.

Using that number, a woman named Heather Nicole Brown went on to land credit, mostly online, more than two dozen times while pretending to be Wilson. Soon Wilson received a bill from Sears for $675 in charges she'd never made, and that was just the beginning she eventually discovered more than $15,000 in fraudulent debts in her name. When Brown disappeared with a U-Haul truck, it was Wilson who got the notice from the collection agency. And when Brown failed to pay a traffic ticket, guess whom police issued an arrest warrant for?

Brown was caught in June 2001, but the fallout continues for Wilson. This fall, she says, a prospective employer decided not to hire her after she told them about her fraud experience. "The interviewer's face just fell," says Wilson. "As far as they were concerned, that meant I'd automatically flunk the background check. And they have to wonder, 'Is she going to take time away from work to deal with this?'"

Identity theft has been around since Old Testament days. In Genesis, Jacob impersonates his brother Esau to filch his inheritance. But in recent years, as personal data has become more accessible, the crime has escalated into a full-scale epidemic. An estimated 700,000 people got stung in 2001, more than twice as many as in 1997, and their impersonators ran up $11.9 billion in bad charges.

Increasingly ingenious criminals have extended ID theft's consequences beyond mere shopping sprees:

• An Ohio woman learned two years ago that a thief in Florida had impersonated her to pay for a hospital stay while having a baby. (The thief even registered her as the mother on the birth certificate, a legal complication that cost the victim $5,000 to untangle.)
• In the past year, federal authorities have caught hundreds of illegal immigrants who allegedly used stolen Social Security numbers to get jobs at airports around the country under false identities jobs that granted them access to secure areas.
• A retired Kmart executive in Michigan found out in the summer of 2001 that his stock options had been exercised by scammers, to the tune of $212,000.

In any identity theft, victims and other consumers are left to clean up the mess. Though creditors are required to eat fraud losses, how do you think they recoup them? Largely by passing them on, through higher fees, prices and interest rates. And for the victims, identity theft sets off a migraine-caliber headache that can last for years. (Many people don't find out they've been scammed until they get turned down for a mortgage or another loan.) To clear your name, you have to spend tedious hours proving to banks, credit bureaus and merchants that you are who you say you are and not the guy who skipped out on the bills for the Boxster. Before long, your life is something straight outta Kafka.

Here's the really frustrating thing about identity theft: Even if you're vigilant about protecting your personal data, this isn't a battle you can win on your own. Much of corporate America is handling your sensitive information with all the discretion of a drunken sailor. The No. 1 culprit? "The financial industry," says Mari Frank, an attorney who develops data-privacy guidelines for California's Department of Consumer Affairs. "They're not just not stopping [fraud], they're facilitating it."

In their rush to land customers, financial institutions mail out billions of preapproved credit offers and "convenience checks" every year. Any one of these junk mail discards can give a thief all the tools he needs to scam you. Meanwhile, employers and other businesses that collect Social Security numbers and other sensitive data about you data that crooks can exploit often leave this information undefended, in some cases not even bothering to shred it when they're done with it. And because many retailers and other credit issuers would rather risk a financial ding than lose a potential customer, they ignore even the most explicit signs of credit fraud, such as mismatched addresses or misspelled names.

Bottom line: Businesses have decided it's simply cheaper to ignore fraud than to fight it. But consumer advocates, fraud investigators and victims find that stance outrageous and irresponsible. Businesses should be plugging their security holes, not turning a blind eye to the problem. That in mind, we offer them eight remedies for curbing the identity-theft crisis.

When you mess up, 'fess up.
Late in 2001 a worker at the Pewaukee, Wis., branch of Bank One slipped the account information and Social Security numbers of at least 250 people to a Chicago thief. The bank caught the worker and fired her, but said nothing of the incident to the victims. It wasn't until eight months later, after a local retiree found out that a sporty new Jaguar had been bought in his name and after a television station gave the story heavy play that Bank One started informing other victims.

The bank has since changed its policies to require prompt disclosure of any security breaches, but not enough financial institutions have followed suit. Companies hate to admit it when they've been hit. After all, such a confession makes them fat targets for negligence suits. But the sooner an identity-theft victim finds out he's vulnerable, the better he can protect himself. Two House members from Wisconsin, Democrat Jerry Kleczka and Republican Paul Ryan, plan to introduce a federal bill in January or February that would require financial institutions to notify customers if their data gets heisted. Dear Congress: Show consumers you care and pass this legislation.

Stop treating our data like trash.
Rogue employees are among the main perpetrators of ID theft. But that doesn't stop companies from being eye-poppingly sloppy about protecting data, whether it belongs to their workers or their customers. In one 1999 scam, 25 former employees of a small company bought by Ligand Pharmaceuticals, a San Diego biotech, found out that crooks were using their names to get credit cards, buy cars and even rent apartments. The crimes were traced to a scheming Ligand clerical worker who had stumbled across old personnel records including addresses and Social Security numbers forgotten in a storage room. (Ligand later settled a negligence lawsuit with 14 of the victims.)

One low-tech tool for fighting this problem costs 69 bucks at office-supply stores: It's called a shredder. But only three states Georgia, Wisconsin and California require companies to shred personal financial information they're discarding, and only Georgia fines them substantially when they don't. Georgia's model deserves adoption nationwide. Companies should also take better care of personal data before it's thrown away. That means keeping paper records under lock and key, protecting electronic records with passwords and doing thorough background checks on any employee who handles that kind of data.

End the credit bureau double standard.
TransUnion, Experian and Equifax, the big credit-reporting agencies, collect data concerning just about every steady financial relationship in your life every charge card balance, every cell-phone account, every car loan. That means your credit report contains everything a crook needs to open accounts in your name. But here's the surprising twist: In many cases, thieves can access those reports more easily than you can.

Ever try to view your own report online? It can feel as complicated as applying to college. You'll have to answer at least three questions and often more on such topics as your recent purchases, the size of your mortgage and what month you opened your Visa account. And if you've moved recently, you'll have to jump through even more hoops.

Fair enough. It shouldn't be easy. But credit issuers face no such hurdles in obtaining your financial history. After signing up with the bureaus, they're given passwords for carte blanche access. Once they log on, all they need to obtain your credit data is your name and Social Security number. That means those access codes are digital gold for would-be scammers. Investigators say one theft ring recently got hold of Ford Motor Credit's Experian passwords and used them to obtain the data of more than 13,000 consumers. Smaller businesses can be especially sloppy with their access codes. "A lot of cases come from used-car lots," says Christopher Green, a Seattle attorney who specializes in credit-fraud cases. "They just stick the password right on the computer with a Post-it, and anybody in the dealership can hop right on and get addresses, birth dates, the works." While the agencies aren't responsible for creditors' negligence, they need to put a stop to this data double standard. Our solution is to make merchants work as hard as we do to get our data. Smilin' Stan at the SUV dealership should have to answer the same questions we do before he can access our reports. That would ensure he has our cooperation. And if Stan gets the answers wrong, the credit bureaus should go into defensive mode and call the consumer whose account is being pulled, to ask whether that's really him down at the car lot.

States and the federal government could also emulate a new law that goes into effect Jan. 1 in California. Consumers there will be able to "freeze" their credit reports, preventing creditors from accessing the data unless the consumer notified the credit bureaus in advance that he was planning to apply for something.

Treat "mistakes" like warnings.
Ronnie Wilson, the Texas ID theft victim, figures any one of Heather Brown's dozens of credit applications should have tipped off an attentive employee that something was wrong. "She didn't spell my name right, my street name, she even got my birthday wrong," says Wilson. But because Brown had Wilson's driver's license and Social Security number, she was virtually never questioned. "That just shocked me silly."

Sloppy mistakes aren't the only red flags that get ignored. When an ID thief applies for credit in your name, he'll almost always give a false address and phone number so that you won't find out. But infuriatingly, businesses often don't notice or care if there's a discrepancy with what's listed in the credit report.

Creditors and credit bureaus could cut off scams like these by notifying you when someone requests an address change for your account with a mailing as the post office does, or with an e-mail or a phone call. That way, you'll realize sooner rather than later if someone's trying to pull something crooked in your name. California used to require banks and credit card issuers to do this, but financial-industry lobbyists got that law watered down, complaining about costs.

Fraud alerts mean no, not maybe.
After a hospital receptionist in Berkeley, Calif., stole Tracey Thomas's Social Security number off an insurance form in 1999, she did what the police told her to do. She filed fraud alerts with the three major credit agencies. In an ideal world, any creditor that pulled her report would have seen the alert and contacted Thomas if someone applied for credit in her name. In reality, fraud alerts are about as effective as France's Maginot Line in World War II. "Credit has been issued in my name four times [to impostors] since I placed alerts on my credit files, and only once have I ever been contacted," marvels Thomas. "Even when I applied for a mortgage for myself over the phone nobody mentioned the alert."

Federal law requires credit agencies to let consumers post alerts on their reports. But the law doesn't require creditors to pay attention to them, and it doesn't prescribe any punishment for careless businesses that miss them. Some creditors pull up just the credit score on their screens and may not even see the alert. Even when they do, credit issuers still sometimes ignore it. "Businesses figure, only 1 to 5% of sales turn out to be fraud, so why risk losing a deal?" notes Linda Foley, executive director of the Identity Theft Resource Center, a victims' advocacy group based in San Diego.

If fraud alerts are meant to be a genuine line of defense, let's give them some teeth. Regulators should require creditors to set up their systems so that they'll always see the alert and should make them subject to fines if they ignore the warning.

Give our socials some security.
Once a crook has a stranger's Social Security number, he's hard to stop. It's the key for getting credit reports, a driver's license and the other building blocks of a fake identity. So here's a question for government agencies and businesses alike: When are you going to stop scattering our socials around in public like so much digital confetti? Employers that put them on paychecks, medical insurers that include them on ID cards and states that include them on drivers' licenses are all putting you at risk. So are the companies who insist on collecting the digits as part of doing business with customers. In the past year, Ronnie Wilson, the Texas victim, has been asked for her Social Security number by a video-rental store and by an entry for a sweepstakes at a home show.

A few states are starting to crack down on this practice. By July 2005, whenever an individual asks them not to, companies in California will have to stop putting that person's Social Security number on ID cards, publicly displaying it or requiring its use as a password. We'd like to see these laws go a step further. Let's keep companies from printing these numbers on paychecks, or on any document that gets sent through the mail. And if companies or state agencies insist on using them as passwords, don't let them be the only password. Combine them with a unique code, one that a crook is less likely to find in a filing cabinet or on the Internet.

Passwords, please.
When Mari Frank, the privacy attorney, recently renewed her American Express Platinum Card, a sales rep told her that the creditor was tightening its security. "He says, 'Now we're going to use your mother's birthday as your password,'" Frank recalls. "They're thinking they're making some big strides. But that birth date is on my birth certificate, a public record that anybody can find. As security, this is a joke to me."

Almost all the data that banks and creditors use to verify your identity mother's maiden name, birthday, address floats around somewhere in public records where a determined scammer can find it. That's why many privacy experts now recommend requiring passwords for any bank or credit card transaction; not just ATM visits, but everyday purchases and teller withdrawals.

Financial institutions have begun to make this an option for customers, but because it's not standard, they've been known to let their guard down. Maureen Mitchell, an Ohio ID theft victim, saw her bank accounts raided for almost $35,000 in 2001, after she'd set up a code word, because the tellers didn't ask for it. "I still don't know whether they were complicit or just inept," Mitchell says. Our demand to banks: If a customer opts for a password, then make sure your people take it seriously.

And when you set up these passwords for customers, require ones that are tough to crack. The PINs assigned by many banks and credit card issuers consist of just four numbers, making the password one of just 10,000 possible combinations a relatively easy decoding task for a sophisticated ID thief armed with cheap and legal "cracker" software. To create a stronger password, you need a longer string of characters, one that is randomly generated and includes both letters and numbers. At eight characters, that produces 218 trillion possible combinations.

Let us really opt out.
Sometime over the past two years, you received "opt out" letters from your banks and credit card issuers. If you're one of the few consumers who didn't mistake them for junk mail and managed to decipher the legalese enough to send in a response, you may now believe, understandably, that those institutions can't sell your personal data and contact information to telemarketers, merchants or one another.

Wrong! Thanks to a loophole in the federal Gramm-Leach-Bliley Act, which governs information-sharing in the finance industry, banks can still sell the data to any company designated as an "affiliate." In practice, any firm that signs a formal marketing agreement with your bank can qualify. A big national bank can easily have 2,000 affiliates or more. Congress should make closing that loophole a priority so that when we opt out our data truly stays put. If banks think that sounds too draconian, here's a compromise, recently floated in California: Let institutions share data only if they have the same corporate ownership.

Then again, you can't blame customers for wondering, Why should it be our responsibility to opt out at all? We'd love to see more states follow the lead of North Dakota, whose citizens voted in June to reinstate an opt-in law that bars financial institutions from selling data without first getting explicit permission from their customers. Vermont and New Mexico also have laws that put the onus on businesses, and consumer groups in California are campaigning to get an opt-in measure on that state's 2004 ballot.

It may take a long fight to make opt-in the nationwide standard. But if members of Congress really represent voters, and not just whichever lobbyist can buy them the fanciest lunches, they owe it to us to take on the financial industry. There's a lot more than the nuisance of junk mail at stake. As long as identity thieves can use our personal information to harm us, we deserve as much control as we can get over where that data goes.

Additional reporting by Nkiru Asika Oluwasanmi