Privacy on the web and credit fraud. What do companies know about their visitors?

In my industry (national credit bureau), I have to accept that our customers -who are big lenders like Chase, GMAC, Citibank, etc - are going to have their own consumers (Joe Public) who will fall victim to fraud.

Joe Public gets his credit report, and learns that he has two defaulted credit cards in excess of 15,000 bucks that he never opened. He always had stellar credit and goes to the credit card companies and explains that he feels he was a victim of fraud, and the charges they have in his name aren’t his.

The creditors put up some resistance, and basically drop some burden of proof on the alledged victim. The creditor and the victim speak on the phone, and the fraud department of the creditor tells the victim that the accounts were opened on-line at their web sites. Someone might have applied with the victims stolen identity and had credit accounts opened under a new address.

This happens enough that when I hear this, I always am left to wonder:

If some fraudster pops into Bankwhatever.com and fills out the two or three pages of paperwork, and gets a card approved in someone else’s name, doesn’t Bankwhatever know information about the applicant that goes beyond what they typed in on the form?

Can a webite/webhost know what ISP the fraudster came from? How about the fraudster’s ID from his PC or ISP (even though it might be bogus), or if they were on a network, isn’t there a way to go all the way back to the source computer?

Know, I know in many cases criminals cover their tracks, but in many cases, they don’t, or don’t know they even have tracks to cover.

Should I be pissed at creditors? DO they know information about the people that fill out applications at their websites that isn’t just the “form” info? CAN they make an effort to use this info and track down fraudsters?

What tools do they have (technical tools) that can get them info about people visiting their sites? And this goes beyond just banks site…

…or are site visitors pretty stealthy?

What’s the dope?

Speaking generally about web forms, the server can determine your IP address/domain name, browser type, and the page you were on previous to the current page if the browser passed “referer” information. No modern browser should leak much more than this.

Not all servers will log this info, but if they properly logged the user’s IP address and timestamp, and if the IP refers to a dynamic address from a commercial ISP, and if that ISP keeps access logs, then it might be possible to determine the actual user from the billing records of the ISP. If the IP refers to a specific network machine (static IP), you might be able to determine the user’s name from the access logs on that machine. You’re likely to need a subpoena to get some of this information.

Note that the IP, browser info, etc. is just sent as part of the HTTP header, so it would be trivial to spoof if the user wanted to cover their tracks. Even if the user isn’t that sophisticated, the IP might refer to a proxy server or other redirect that makes further tracing very difficult or impossible.