Slashdot Log In
Cringely on Identity Theft
Posted by
michael
on Fri Sep 12, 2003 10:29 AM
from the who-ordered-all-this-porn dept.
from the who-ordered-all-this-porn dept.
Boiled Frog writes "Prompted by the theft of his mail, Cringely investigates how easy it is to steal identities from government publications. In this article he explains how he got the identities of 300,000 people which he calculates to be valued at $65 billion dollars. If Cringely can do it, anyone can."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Article is spot on. Happened to me.. (Score:5, Informative)
In San Francisco, when some people move out, they throw all this crap they don't need anymore on the curb. I saw this thoughout the city, time and time again, so when it came time for me to move, I did the same.
I got rid of almost everything! This included, tons of old papers - possibly old pay stubs. Big NO NO! At one point, I even noticed some people looking through the big pile. "Just people who like crap", I thought.
Six months later, the Postmaster General Attorney's office in San Jose calls me saying they've arrested someone on postal fraud that had my name and info in his little black book. It was under a section that basically was ready to have a drivers license and social security card issued in my name with this guy's picture!
To make a long story short, the guy went to prison and I had to notify all agencies where I had any type of id or credit/bank card to put a watch on them for the next six months.
My lesson learned: shread everything.
However, online, this is a totally different issue and the only thing I can suggest and do about that is to check into companies and try to make sure they are responsible about how they store your credit-card information. I've personally written to all the online companies I use to ask as how they protect my information. If it ever seemed like they weren't up to snuff, I explained my concerns and asked for some sort of reassurences. Although, I must admit, that's not the best thing and sometimes letters to the BBB and other groups/agencies are necessary.
Re:Article is spot on. Happened to me.. (Score:5, Informative)
Good to hear this person actually went to jail. I should add that the other thing you should do is check your credit history and cancel all old credit cards that you may not even know are still active. A friend of mine had someone get access to three old credit cards that he had cut up, but had not actually cancelled the accounts. A couple of years later he was surprised to find the companies were telling him he owed $30k worth of charges.
Parent
How often they get caught (Score:5, Interesting)
So you have a much better than 99.9% chance to just do it to your heart's content and walk away with the money. That's pretty freakin' scary. A crime where you never have to see your victims, never have to face any consequences, and make tons of money. Can you imagine what would happen if a misguided Robin Hood decided to popularize the techniques and teach them to America's poor? Would the entire banking industry collapse at once? With a million people doing it simultaneously you would obviously overload the already overloaded investigative ability of the gov't and probably change the ration to 1 in 100,000 getting caught.
Parent
Re:How often they get caught (Score:5, Funny)
Can you imagine what would happen if a misguided Robin Hood decided to popularize the techniques and teach them to America's poor?
Tyler Durden?
Durden?
Durden?
Parent
Re:How often they get caught (Score:5, Insightful)
I've heard the rate at which people who commit identity theft get caught is around 1 in 7000.
So you have a much better than 99.9% chance to just do it to your heart's content and walk away with the money. That's pretty freakin' scary. A crime where you never have to see your victims, never have to face any consequences, and make tons of money. Can you imagine what would happen if a misguided Robin Hood decided to popularize the techniques and teach them to America's poor? Would the entire banking industry collapse at once? With a million people doing it simultaneously you would obviously overload the already overloaded investigative ability of the gov't and probably change the ration to 1 in 100,000 getting caught.
This is because the police refuse to even investigate these crimes. Most of the id thieves we hear about getting caught were actually caught committing some other crime (or pursued therefore). In one of the previous slashdot articles, they had a police officer in charge of ID theft investigations who essentially admitted he sat on his butt all day and answered the phone telling people they were SOL. He said that they even told him who or where the thief was and that did not get him out of his chair.
The big misconception is that ID theft is all the victim's fault, much like the oft-repeated myth that you can only get worms/viruses by clicking on attachments. The claim is that id theft only happens when people are carelesswith their trash. That is the old way, but it is easier than that now. As Cringely points out, you can get all the info you need for massive id theft for a minimal fee, like $20, or free.
Of course the most amusing part of all this is that Al Qaeda has been using id theft techniques for decades. If I were a terrorist, that would be the first thing on my list besides cashing in on nigerian spam scams. After all, what terrorist would not want billions of untraceable dollars, untraceable connections to the internet and cellular networks, and a free ride on the passport train to paradise? Yet our illustrious leaders are still keystone kopping it through life instead of actually doing something to fight these threats.
Parent
Re:Article is spot on. Happened to me.. (Score:5, Informative)
Parent
Re:Article is spot on. Happened to me.. (Score:5, Informative)
Parent
Re:Article is spot on. Happened to me.. (Score:5, Interesting)
The scary part was that if I hadn't called these guys up, I never would have known about the identity theft. How often does something like that occur, where the situation gets resolved but the intended victim is never informed???
Parent
How I Deal With Identity Theft (Score:5, Funny)
Parent
Re:Article is spot on. Happened to me.. (Score:5, Funny)
EXCEPT the DICTIONARY!
Parent
wait until this happens to you (Score:5, Informative)
With the key, you just drive it off the shopping mall lot. And there's no sign of forced entry, so the insurance company says "you left the key in the ignition, tough for your claim. Happened to us on vacation. And 10 year old clean cars are in more demand for the body parts, it isn't just the new Hondas.
Tape over that damned number.
Parent
VIN numbers (Score:5, Informative)
http://www.snopes.com/crime/warnings/vin.asp [snopes.com]
As stated in the link, I highly doubt anyone can just steal a car of the shopping mall lot. It takes too long to get a key made. You will be home by then. Also, I think covering the VIN number may be illegal in some states/countries.
Parent
Re:Article is spot on. Happened to me.. (Score:5, Insightful)
It's the basic question of:
When someone is running a business, and profiting handsomely from it - should they, or should they not, be responsible for the safety of their customers?
It's already been established that Automakers should be responsible for defects in their products which compromise car-owner safety.
The airlines, of course, have dodged responsibility for the lax security they provided which enabled 9/11. Instead of a slap on the wrist, they were rewarded with hundreds of millions of taxpayer dollars in bailouts - and union-busting government arbitration - and, eventually, bankruptcy protection. Wow. I wish I had a business that the government was that generous to.
But I guess Alaska Air has been getting slapped around for negligent maintenance.
Now, if you spend $10,000 on a Microsoft server to protect your data, and it falls prey to a security glitch, we all know that Microsoft can't be held responsible.
Who's held responsible?
In the Old West - banks were often robbed. And stagecoach deliveries of funds. People were afraid to put their money into banks because if the bank was robbed, their savings would be lost with no recourse. Banks didn't take the responsibility of hiring enough security to prevent robberies. It would have made their business much less profitable.
Then the US Government created the FDIC insurace act, which insured bank deposits, and made bank robbery a federal crime, so robbers couldn't simply cross state lines to escape justice.
It was *not* a constutional duty of the government to do so - unless you check the preamble, and read the phrase ". .
The question here is - would government be overstepping it's constitutional boundries by going in and protecting our personal data in the hands of corporations?
That's a matter of opinion.
Would the government be overstepping it's constitutional boundries by mandating that companies, in posession of citizens' personal data, be responsible for taking appropriate measures to secure that data?
Possibly - but in today's political climate, it would definately NOT be a Republican to suggest such.
What problem would be solved?
Citizens would be protected - that's a nice thing. And falls right in line with "...provide for the common defense..."
Public faith in ecommerce would arise, which might stimulate the economy - which wouldn't be a bad thing.
A solution is out there. But there are right ways to do this, and wrong ways. I'm certain that the wrong thing to do would be the neoconservative lassez-faire approach. And that's probably the approach our current set of (s)elected officials will choose.
Parent
Re:Article is spot on. Happened to me.. (Score:5, Informative)
This is different from the "security alert" that most people tell you to put on your credit report when fraud happens.
With a "security alert," basically it's just a notification to creditors that they should be careful. They can still get your credit report. Apparently, many creditors ignore this warning so you are not guaranteed that someone else isn't applying for credit in your name.
With a "security freeze," no one can get your credit report (with a few exclusions such as the police with a court order). It's much much safer.
The credit report agency sends you a PIN that you use to temporarily or permanently remove the security freeze. For example, if you are applying for a mortgage in the next 15 days, you can remove the security freeze for 15 days, and it will be put back on once that period of time is up.
The credit report agencies do not want people to know about this option because if everyone takes advantage of it then their whole system fails.
Under California law, there is no charge for a security freeze on your credit reports IF you have ALREADY been the vicitim of fraud. (Someone used some of my checks and stole my credit card number before, so I qualify). If you have not ALREADY been a victim, you can pay some ridiculous amount to have it put on (on the order of $50/year).
I believe Texas may have a similar law (because my letter including the PIN from one of the agencies said "security freezes are only available in California and Texas" and that if I move out of CA then I have to notify them so that they can remove the security freeze).
For the last year, I played the credit report agencies' game. I PAID THEM $80/year to get access to MY OWN INFORMATION to make sure no one was using my credit fraudulently. When I renewed a couple of months ago, they changed their policy and limited the number of times a year you could view your credit report. So I dropped them, and was going to sign up with a competitor (still playing the game) when I found out about the security freeze.
For more info:
http://www.privacy.ca.gov/financial/cfreeze.htm
http://www.fightidentitytheft.com/legislation_c
Of course, if you are not in California (or Texas I think), then you can try seeing if your representatives in DC will make this a national requirement.
Joey
Parent
Identity theft is indeed a big problem (Score:5, Funny)
Watch out - this could happen to you.
Are you dissing Cringely? (Score:4, Interesting)
Office of Redundancy Office (Score:5, Funny)
Come on editors, I know it's early on the West Coast, but really.
I'm Robert X Cringley (Score:4, Funny)
Will the REAL Robert X. Cringely please stand up? (Score:5, Informative)
Parent
Re:Will the REAL Robert X. Cringely please stand u (Score:4, Informative)
Parent
Which goes to show you... (Score:5, Informative)
Don't have to worry about such things.
Re:Which goes to show you... (Score:5, Informative)
Good idea but many places won't deliver to a PO Box as they've been used for fraud for eons. They want a brick & mortar delivery point.
Parent
Re:Which goes to show you... (Score:4, Informative)
123 This St. # 666
They'll take and sign for packages for you, too.
Parent
$65 billion? Ridiculous! (Score:4, Funny)
Credit monitoring services (Score:5, Informative)
True Credit [truecredit.com] turned out to be the cheapest at $11/quarter for the basic service. This is not a referral link, and I'm not affiliated with them in any way. Just sharing information.
Murder is easy too (Score:5, Insightful)
Worried about ID theft? Keep a close eye on your credit card bills, credit scores, etc.. Buy a paper shredder. Shred all bank statements and whatnot before you throw them out. Internet-shminternet, dumpster diving is the fastest way to someone's finances. Get the carbons at the gas station, or stores where they still use the old carbon-thinger credit card machine.
Cringely is a blowhard trying to scare people, but frankly this isn't news. Using the 'net really doesn't make this easier - it's always been easy.
I knew someone who got screwed big time by a gas station who would keep the carbons, and double bill her every time she filled up, the cash going straight into the owners pocket. She was a dope for letting it go on so long, as she never bothered scrutinizing her Visa bills. Turned out the station was owned by a Russian mobster. This was long before the world wide weeb.
Re:Murder is easy too (Score:5, Insightful)
The article's point is that ID theft on a large scale requires more than dumpster diving or a crooked gas station, and he's pointing out that what ID Theives are doing to cause a 4 to 5 billion dollar problem one person at a time can be easily automated and there's a 300,000 name database of ssn's and dob's waiting to happen.
Did I already say RTFA?
Parent
Re:Murder is easy too (Score:4, Insightful)
OK, so when I leave my house in the morning, I shouldn't lock the door right? I mean, if someone is going to break in, that lock isn't going to stop them, so what's the point?
And if I see someone in my office parking lot monkeying around with my car, I should just leave them alone. I mean, if they're gonna steal it, there's nothing I can do to stop them, right?
And if I'm asleep at night, and I hear someone breaking into my house, I should just lay in bed, close my eyes, and go to my happy place. There's nothing I can do to prevent my house from being robbed or stop them from killing me.
That's a bunch of crap. Criminals prey on the weak, and they're oppertunists. The less oppertunities you give them, the less likely you are to be a victim. Not only can crime be prevented, but YOU PERSONALLY, can prevent crime if you have enough sense to do it.
Parent
Money isn't the issue (Score:5, Informative)
You have to apply for coverage, and show evidence that your ID was in deed stolen. That can take months or years! And a lot of effort goes into all that. One of the worst parts is trying to restore your credit rating. While the whole process really shouldn't cost very much money ( $1000) it costs a quarter of your life to repair all the damage.
Re:Money isn't the issue (Score:4, Insightful)
Parent
65 Billion Dollars? (Score:5, Funny)
Avoiding the Post Office. (Score:5, Informative)
"Why would we replace your book?"
"BECAUSE YOU LOST IT????"
This is exactly why I use Fed Ex or UPS when ordering things. They can track your packages and they take responsibility when they screw up. Perhaps the Postal Service could take a lesson?
Re:Avoiding the Post Office. (Score:5, Informative)
Fed-Ex or UPS won't replace your item if you didn't get insurance, either.
We just got a PC shipped back to us from the field by UPS. The box was smashed, and the machine looks like CowboyNeal sat on it. Picking it up I could hear all the fancy shmance electromonical doodads rattling around inside the twisted case.
UPS won't do shit about it, because the fool didn't pay the 5 bucks for insurance.
Parent
UK line of defence against Identity Theft (Score:5, Interesting)
http://www.cifas.org.uk
The service is operated on behalf of the UK financial institutions by Equifax; and will add a layer of authorisation to your name / address combinarion when arranging credit etc. It probably means that you won't be able to buy stuff on instant credit; but the for the hassle that identity theft can bring I think it's worth it. Registration costs 12 quid for 12 months.
Personally i'm amazed that institutions will lend large amounts of money without a definite proof of your identity; but I guess that's consumer forces for you - Dixons want you to be able to walk out of their store with that 32" wide screen TV purchased on instant credit. For all the sales that brings; they absorb the liability.
One Problem (Score:5, Insightful)
SSN used as identifer (Score:5, Interesting)
In the article it is mentioned that your Social Security Number is used as a universal identifier and as "proof" of identity.
This is not a good thing.
I work in the medical records/medical billing industry and a patient's SSN is one of the vital bits of information we collect and use to help index records.
Also the patient's date of birth.
For billing purposes, we need the patient's home address.
The health insurance company also needs all this information. In fact, if we don't supply all of the patient's personal information, they often don't pay claims.
We try to protect private information. We have yearly training, and monthly filers reminding us of the importance of protecting confidential infromatin. We have every bit of discarded paper shreded, and we have pretty good locks on our doors, and we have a fairly paranoid firewall, but the truly determined employee could always get their hands on thousands of patient records with everything needed for identity theft.
It's probably the same way at Hospitals and Insuance companies too. Too many people have access to private information, and the social and technological controls on it are too weak.
I hope that no one who has access to my personal information decides to do a bit of creative fundraising.
I don't have any answers, but we ought to think of solutions pretty soon.
Re:SSN used as identifer (Score:5, Insightful)
On par with your workplace, I did a contract gig for a major HMO around Minnesota last year. The amount of information I had at my fingertips was amazing, considering I didn't need ANY of it for my job (Desktop Analyst). A close friend of mine works for the same HMO doing data-entry, and since he's in the billing department, he has free reign to people's entire credit and medical history, along with all the other goodies that any peon could exploit easily. I've asked him before how easy it'd be to print out a file on someone and take over their identity. The answer? "Easier than you'd believe."
Scary shit indeed. One last thing that still boggles my mind is how many times I use my debit card and get the customer copy with my full account number on it. Seriously, it's usually at places where people throw them away right away...gas stations, grocery stores, and restraunts are the big 3 that I've noticed. Make sure to rip those little bastards to shreds once you walk out the door.
Parent
I have the solution (Score:5, Funny)
Then no one will want to steal your ID
Stealing bank details (Score:5, Interesting)
For instance, E-Gold members (and others) have been receiving emails like this
Dear e-gold user.
At 09.05.2003 our company was attacked by unknown
persons. Out administrators is working on the database restoring.
If you have an active account, please check if it is still active, your
current balance is right and all transactions can be processed.
If you find that your account is inactive, please letus know
immediately at e-mail service@e-gold.com
To check your account, please click on the link below:
https://e-gold.com/sci_asp/payments.asp
It looks official, doesn't it? And the link looks ok too. But it is an html email, and the actual link went to a page located at e-gold2.com, which looked exactly like the real e-gold site. Thus the fraudsters were able to get peoples log-on details. More here [e-gold.com].
In the UK, many people have been receiving emails that look as if they are from Barclays bank (one of the biggest in the UK). It is a similar scam to the e-gold one. More here [theregister.co.uk].
I myself have recieved and email asking me to update my ebay account details. Only on close inspection did I realise that it was a fraud.
I find this extremely worrying. Personally I am probably like many Slashdotters - paranoid about security and difficult to catch out. However most people aren't like that, and this new type of scam email is an extremely worrying development, because it could catch a lot of people out. People really need to be informed about this type of scam, but I've yet to see much in the press about it. Any journalists reading..?
Re:Stealing bank details (Score:4, Funny)
There are a lot of people in this world who aren't as intelligent and perceptive like you so obviously are!
This is no better than the usual spam.
I disagree strongly. Getting an email that looks as if it is coming from a bank or service you subscribe to is not the same as getting an email about enlarging your penis.
(I'm being generous letting them off w. the "unknown persons" bit b/c, while it's bad grammar (person == singular, people == plural), but "person or persons unknown" has made it into the vernacular)..
You, sir, are a bit of a twat.
Parent
Scary websites... (Score:4, Informative)
My wife and I tried buying something on the web on this one particular site. It asked me to register since I was buying stuff for the first time there. Filled up everything on the "new account" page and hit "register me". The page came back in error saying the id I was trying to register was already taken so I had to try another one. Not so bad. What was bad though was THE PAGE RE-LOADED WITH ALL THE FIELDS IN IT PRE-FILLED WITH THAT ALREADY-EXISTING USER ID's DETAILS! Address, phone number, first/last names everything on there for the taking.
Scaaary. We politely backed out of the site and decided to buy elsewhere.
Watch for Wrong Solution (Score:5, Insightful)
Public records are better if you want to be a crook because the Freedom of Information Act makes them completely available.
Cringely was quite correct when he identified two parts of the problem: the ubiquity of using SSN as both an identifier and as authorization (or using credit card numbers this way).
It would really be much better if the institutions we dealt with would accept identities and authorizations that were only valid for the specific transactions we conducted with them.
But no, "people can't remember all those numbers". Well, people ought to have a private key that is really private, and public keys that anyone can use to verify that person X really authorized some transaction Y.
But rely upon government to come out with a bad solution to this problem.
The FoIA safeguards, which are important to keeping government transparent and more accountable to the people, will be abolished (as they have already been for various cases deemed to involve national security or "terrorism"), to "increase security for the citizens".
We'll be trading a great deal in terms of liberty and knowledge of whether our government is acting properly for very little in the way of security.
It happens more than you think! (Score:5, Informative)
Xerox/scan all your bank cards, credit cards, drivers license, etc front and back. Write down all the contact info and make sure you keep a copy in a safe place. NOT YOUR WALLET! If anything is lost or stolen call immediately!
Open a second bank account to use for online transactions. I transfer only the amount of money I need to cover gas, lunch, online stuff to it. I don't use an ATM card on my primary checking/savings. If someone grabs a carbon, they don't get access to anymore than the few bucks I keep as a buffer.
And as many have and will say here: Don't give out your SSN, check your credit report regularly for new lines of credit and shred early - shred often!
Cause and Prevention (Score:5, Informative)
There is certainly a degree of catch-22 involved between convenience and security. When my wallet was stolen with license and SS card (dumb to carry both but I recently needed them starting a new job)a few years back, I was glad that I was able to get a new drivers license with no identification except a birth certificate copy I was able to get with just my SS number and no identification - but the ease of doing so certainly gave me pause for thought.
In addition to the sound advice of shredding, a good idea is to lock your credit reports from being issued without your consent and opting out of pre-approved CC offers. Instructions for both at this article - http://abcnews.go.com/sections/scitech/TechTV/tec
I'm just thankful my house has a mail slot that drops into an inaccessible bin inside the home.
Re:Cause and Prevention (Score:4, Interesting)
I'm not certain about all of what you said.
My mother worked in a state university admissions department in the 1960s and 1970s, and was a programmer and operator of their computer. One year, they had two applicants apply under than same social security number. They were able to verify that both people owned the same number! Turned out, the US Government didn't guarantee the uniqueness of the SSN-- it ALONG WITH YOUR NAME AND BIRTHDAY were your taxpayer unique ID. But the university had no way of admitting both students as they wanted to under the same SSN, so they asked one of them to get a new one. It wasn't hard once the Social Security Administration figured out why.
Times have changed and computers have proliferated, and I've only done some casual investigation, but I've never found any guarantee by the US government that the SSN is unique.
Parent
Locking mailboxes? (Score:4, Informative)
I found this place that sells a "locking mailbox": http://www.oregontrailbox.com/
I think I'm going to get one from them. If you come across anything better, or have experience, please reply.
Stolen credit card number (Score:5, Insightful)
In conclusion I still don't know if the original number was real or not.It could have been the card thieves trying to trick me. After getting the new card, I checked my credit report an month later to verify nothing new had been opened. The lesson I learned is to never use a number you cannot authenticate when doing sensitive stuff like this.
We do not have identities. (Score:5, Insightful)
Are people really suggesting that this information be "secret"? The SSN is not meant to be secreat, can not really be secret, and every SSN card says explicitly that it is not meant to be secret.
Surely we are not suggesting that one's name, address, and telephone number be secret.
The problem is that this non-secret, non-unique information is used to identify people for many significant transactions. I.E. Driver's license, Mortgages, Credit Cards, etc...
The other problem is many people are opposed to instituting any kind of authoritative nation wide identification system.
Put aside your libertarian angst for a second and imagine if we did have a national DNA registry that positively and uniquely identified everyone. Sure we have all seen Gattaca and imagine ways of forging DNA derived identification, but it would be much harder.
Much harder than the current system where all the tokens we use to identify ourselves are from non-secret, non-uniquely identifying information sources.
Re:You want some wine with that cheese? (Score:5, Insightful)
Yeah, cause this will never come back to bite you in the ass. I'm quite sure that when your employer finds out that you gave them a fraudulent SSN, you'll all just have a great big laugh over it, and they won't be calling the Department of Homeland Security or anything.
Parent
Re:You want some wine with that cheese? (Score:5, Informative)
Your employer is the one entity which is required to ask for your SSN -- it's used to pay your FICA and Medicare taxes, as well as to route your employer's contribution to your account. Those taxes? Well, if Social Security is still around when you retire, they're what sets your benefit level...
Parent