Slashdot Log In
ID Theft Made Easy
Posted by
CowboyNeal
on Mon Mar 28, 2005 12:26 PM
from the buying-in dept.
from the buying-in dept.
chiagoo writes "You may remember that 70% of the time, people will reveal their passwords for chocolate. Well, at this year's Infosecurity Europe, it was revealed that 92% of the 200 attendees surveyed would gladly trade enough information to steal their identities for a chance to win theater tickets. Social engineering at its best. Why spend time writing bots and rootkits when people will give you what you want for a piece of candy or a ticket to see The Pacifier?"
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
No matter how careful you are, you aren't enough! (Score:5, Interesting)
I refuse to do business with any Lakeville Liquor store in Lakeville, MN because they require a license swipe to verify my birthday. While they claim on a sign on the counter that they respect my privacy what does that really mean? Do the clerks know that those machines can store an XLS spreadsheet of all the information scanned? Do they know if those that own/operate the stores use that information later? Perhaps it's just to CYOA if some question arises from authorities later but how can I be so sure? I can't so I drive the two and a half miles out of my way to get my wine/beer somewhere else that doesn't scan. I make sure to tell the clerks that I buy there because they don't scan. Most don't care but perhaps someone will overhear me.
The manager at the Lakeville store sure did. I asked "are you going to scan that?" and when the clerk said she was I told her I would like my license back and that I was sorry that I couldn't do business with them. The clerk had no problems with it but the manager muttered that I was an "asshole" under his breath. Somehow I'm the asshole for protecting my privacy. If only more people would refuse to hand over their personal information. What happens if someone robbed the liquor store and stole the little scan box along with the register, would you be a bit more concerned then?
How about the gas station that writes down your license plate information when you purchase gas w/o paying at the pump. It's just for their economic safety they say. Do you know how much information you can get on the owner of a car from their license plate? What happens if I go inside, buy a few items, and pay w/my credit card? They now have my CC # and my personal information. That's enough for ID theft as well. I saw the clerk write down my license plate and I asked them for the paper when I left. They were a little confused as to how I knew they did that and they were VERY confused as to why I would want that back. I didn't feel the need to educate them on it though.
Even I am not immune to this sort of scamming for info. While out drinking with friends (drunk actually) I was approached by an attractive female working for Marlboro. She would give me cheap cigarette coupons and a free Zippo lighter if I let them give me a survey. Drunk, distracted, and clueless, I swiped my license and took the survey. I have been getting coupons and various "gifts" in the mail since. I could have been completely duped by these people and not had a single clue. Luckily they were who they said they were and I'm not seeing any miscellaneous charges being rung up by any cigarette companies trying to cover their lawsuits with my money. Anyone (no matter how careful) can be owned. By the way - I don't even smoke cigarettes.
So, just because we know a company (or its representatives) we should not trust them with our personal information and the more people that are willing to trade over their private/personal information for a bottle of wine, a 12 pack of cheap beer, or a free Zippo might want to think twice.
Re:No matter how careful you are, you aren't enoug (Score:5, Interesting)
Nightclubs do that. When they scan your license, it stores your name/address/birthday for a mailing list. Big events are a mass mailing...and birthdays get you a "get in for free" pass.
Parent
Re:No matter how careful you are, you aren't enoug (Score:5, Informative)
Crobar, a giant club in Manhattan, does this. While I normally wouldn't have gone to a place like that, I was on the guest-list (read: free admission), and so I wasn't concerned at all when I handed them my license. Since then I've received numerous mailings from them. I wonder what else they're doing with my personal information.
What I've also heard since then, though I've not been able to confirm it, is that they use this information to keep track of you. If you start a problem and are kicked out of the club, it's an effective lifetime ban (though I'm not sure how they'll be able to scan your ID as they're kicking you out). Furthermore, they share this information with other clubs, so that if you start a problem in one place, you're essentially banned from every club in the area.
Never again will I allow my license to be electronically scanned. If every bar and club in town adopts this technology, I'll have to go back to drinking 40's on the stoop.
Parent
Re:No matter how careful you are, you aren't enoug (Score:5, Insightful)
They can get very little, actually, without access to police computers. Even if they could, it's no different from just driving around. You proudly display your license plate to hundreds of people each day. In light of this, it's not very easy to get much information from them, and it requires police cooperation. That gas station doesn't punch in the plate and go vigilante on you, they call the police and give the plate numbers to the police.
The gas station writing down your information is totally different from someone scanning your ID. Scanning your ID is a much more private process, and it requires your cooperation. However, anyone can write down a plate number. It's not even remotely the same, and it's definately not a security risk.
Parent
Re:No matter how careful you are, you aren't enoug (Score:3, Interesting)
You could not be more wrong. You can get a ton of information including name, address, previous addresses, DOB, etc. This isn't from some police database either. It's records that are available through individuals that have access to databases like Lexis Nexis.
Even if they could, it's no different from just driving around. You proudly display your license plate to hundreds of people each day.
But I don't display my CC # right nex
Re:No matter how careful you are, you aren't enoug (Score:4, Informative)
There are some areas where you can search for information about people, but that's just a law directory, with info about lawyers. There's also a biographical search, but that only includes politicians and business executives. I tried looking myself up, for example, and found nothing.
Parent
Re:No matter how careful you are, you aren't enoug (Score:5, Insightful)
A driver's license it there to privatly identify to those you show it to, a choice you make.
Your social security number should not be used for identification except to services (taxes, social security) that require it.
If you are mad that too much information is available to someone just by your license plate, fight to change what information is linked to it, don't get pissed at some schmuck for writing down a number that is plastered on both ends of the outside of your car!
Parent
Re:No matter how careful you are, you aren't enoug (Score:4, Funny)
Yeah, the copper zippo! I have one. And I love that they send me the coupons, decks of cards, CDs, all kinds of cool stuff. If they're going to be my choice of cancer providers, at least they can give me cool shit to get buried with.
Parent
Re:No matter how careful you are, you aren't enoug (Score:3, Funny)
Re:No matter how careful you are, you aren't enoug (Score:5, Interesting)
The last few times I've used short-term parking at the LAX airport, I've been asked to pull forward so their camera can get my license plate in view, and I notice they record it in a log. Every time this happens, I question why they do it and their response is "for security." I don't understand how their recording of my license plate increases security. Nowadays, any question you ask at an airport is answered with "it's for security purposes" or "increased security."
I understand that you can write down any license plate number in a parking lot or on the road and you can easily track people that way. I just didn't like the way they told me my plate number was logged for security. One time when I asked and pressed for a better answer I was given something more realistic. I was told that people frequently try to cheat the parking garage by getting a new ticket just before they leave. (park for a week, get a new ticket 10 minutes before you exit and pay $2.00). They occasionally run audits and record license plates during the night to track who is parked in their lot. Upon exiting, if your plate is logged in the system as "parked" and you have a 10 minute old ticket, it raises a red flag.
Of course, I'm sure there are ways that an electronic log of me being parked at the airport for a week could possibly be used against me.
While out drinking with friends (drunk actually) I was approached by an attractive female working for Marlboro. She would give me cheap cigarette coupons and a free Zippo lighter if I let them give me a survey. Drunk, distracted, and clueless, I swiped my license and took the survey.
I've done the same thing before. I wanted the free Zippo to give to my brother. They were walking around with a portable device that scanned the license and accepted the signature electronically. If you read the line where you sign, it says "I CERTIFY THAT I AM A SMOKER 21 YEARS OF AGE OR OLDER". I'm not a smoker, but I signed anyway to get the freebie. I always wonder if insurance companies could get their hands on that info and use it against people. Fortunately for me, the address on my license is incorrect, so no junk mail for me.
Parent
Re:No matter how careful you are, you aren't enoug (Score:4, Funny)
"Laaaaaaa, beeeeeeeer. gimme gimme gimme!"
"Thank you for your information and here is your beer. Now, if you'd be so kind as to sign over your power of attorney we'll give you a SECOND 6-PACK."
People (and I am including myself in this) are idiots, we'd give up tons of our rights for a quick little gift.
Parent
Re:No matter how careful you are, you aren't enoug (Score:5, Interesting)
Now here's the important part. The check is made out to "Wife's Name or Bearer". That's right. "Or Bearer" which means that anyone who happened to come upon that check could cash it, automatically starting a monthly charge on her CC without her knowledge. Yeah that's the way to protect her card from fraudulent charges. Way to go!
Needless to say, we are complaining to them and closing the account with that company.
Ender-
Parent
Any good info though (Score:5, Interesting)
Yeah it is cool to think that 92% of the people you have enough info to steal their identity. But lets put theory to practice and see how much of the 92% gave real information.
For me any form online I was born in 1900. My zip code is 12345, usually 666 Elm street, Amityville, NY. Phone number is 1-800-328-7448 and call anytime. I would make of 250,000+ or anything thing they have in the list that is higher. My occupation is the first drop down. Oh and my email address is who you are @mailinater.com. If the site looks up the information than I just go the governors web site and copy that info and use that. So I bet if you run a web site and you found that one than you probably could cross reference that info back to me and I would only say good job.
So I speculate that the 92% you have data from that you'll have 25% techices that give you 100% BS. It will occur to the general population once more and more people get burned to keep quiet.
Re:Any good info though (Score:5, Insightful)
Parent
Re:Any good info though (Score:5, Informative)
FYI, the official city for postal code 12345 is Schenectady, NY.
Parent
Re:Any good info though (Score:5, Funny)
Oh, this is Slashdot. Never mind.
Parent
Re:Any good info though (Score:5, Funny)
Parent
Re:Any good info though (Score:5, Insightful)
Its unreasonable to expect people to keep something private they are required to give out so frequently. It don't make sense.
Parent
Re:Any good info though (Score:5, Insightful)
All someone has to do is convince you that they need that kind of information, regardless of the truth of the matter. There is a famous saying (that I'm about to butcher) in the security world: there should always be three factor identifcation - something you carry (like an id), something you know (like a password), and something you own/are (like a fingerprint or dna). While the first two are in place, with driver's licenses and maiden names and what not, there is no widespread biometric database. And we all know how keen slashdotters are on that
Parent
Re:Any good info though (Score:4, Interesting)
The problem with SSNs has nothing to do with the uses you've listed. It's an ID that is intended to identify you to the government. Tax forms, health care, etc are valid reasons for the government to need a unique identifier. What isn't valid is the credit card companies piggy-backing off the government's ID system. That usage (applying for credit cards) is the primary reason why SSNs are problematic and people's identities are stolen. Without that usage, SSNs would be mostly harmless.
Identity theft is a huge problem, but its one that needs to be primarily addressed within the banking industry. Addressing it in other ways is simply letting them off the hook. If they got their act together, you could tell your SSN to anyone you wanted without fear of it being used illegally.
Parent
Money made easy (Score:3, Interesting)
Moral of the story (Score:5, Insightful)
Re:Moral of the story (Score:3, Insightful)
The answer is training for users, in a fashion that is understandable explaining at least some of the details of security and concepts. And it must be repeated, and done in different fashions to have as wide an exposure as possible and as wide an impact as possible ('loose lips sink ships', anyone?)
But this is
a) Hard
b) expensive
c) hard to measure the impact of
This means th
Free identity theft protection (Score:5, Funny)
Re:Free identity theft protection (Score:5, Interesting)
They included a preprinted check with my name on it for $5 ready for cashing. Pre-perforated and everything.
Way deep in the very small print on the back was the line that if I actually did cash this check, then I would be agreeing to have $69.95 automatically billed to my credit card each year for 'identity theft protection'.
Before this scam they sent me checks already made out to 'CASH' with my name and card number already preprinted on it. All I had to do was sign my name on the back and fill in the amount.
I'm sure glad my sleazy meth-shooting junkie neighbors didn't find that one in my mailbox.
I wish that I could get all this nitwit chickenshit from the credit card companies to stop. I'd cancel the card, but I need it maybe once a year for car and hotel rentals.
Citi Corp. must make a ton of money off the American yahoos with all these schemes. Maybe even enough to cover the interest on all their bad loans to third world dictators enabling them to keep the Bongo Congo Mercedes dealership fat and happy.
Parent
ah, social engineering (Score:5, Interesting)
With friends like you... (Score:5, Funny)
Parent
Bogus data (Score:5, Interesting)
Whenever I have spare time I go out of my way to answer surveys like these with bogus data. Like they say "It'll only take a couple of minutes of your time Sir!"
I consider it an important and useful civic act to poison the noosphere with false data in order to throw off the pundits, pollsters, advertisers and fraudsters.
Re:Bogus data (Score:4, Funny)
Name: Andrew Nonymuss
Occupation: Executive Assisstant to the Vice Peon of Menial Affairs
Income: 400,000 zorkmids (I don't know what that is in dollars
Age: 39.14246575342465753424657534246575
Ethnic: Some of the above, but in no particular order.
Have you bought any of our products before? Only when I couldn't find anything else to disembowel a Kodiak Marmoset with.
Were you satisfied with it? Why don't you ask the Marmoset?
Would you buy any of our products again? Only if it's that or be stoned by an angry mob.
Parent
This is truly sad (Score:5, Funny)
Re:This is truly sad (Score:5, Informative)
Tickets to something like Phantom can cost from hundreds to thousands of dollars for good seats, depending on the city. However, they will almost certainly get you laid.
I wouldn't even stop walking for free movie tickets.
Parent
Information is king. (Score:5, Insightful)
Telemarketing / Teleservices (Score:5, Interesting)
Flash some useless piece of shit on TV, get Chuck Norris to pretend like he uses it, and people will fall all over themselves to give you all their personal information. I bet I could even ask for their SSN on a Super Duper Blender call and they would cough it up.
AC (Score:5, Funny)
Re:AC (Score:5, Funny)
Actually, I just post a lot
Parent
rootkit (Score:4, Funny)
must write rootkits, to allow for future logins. don't want to be handing out candy, for each time i want to login into a system.
biometrics (Score:3, Insightful)
I know fingerprints can be foiled with rubber or BREATHING, but if you combine that with voice print or retinal scan, it should be pretty secure, even today. Add in facial recognition, and you've got a secure environment.
All authentication mechanisms are just hurdles. You have to hope your hurdles are high enough to obstruct the level of cracker that is after your information.
I have convinced people at work that making people change their passwords every month totally backfires; it causes utter INsecurity when the people can't remember the password because they have to change it all the time. They end up putting it on post-it notes in drawers next to the desk. I understand the motive, to increase the time it takes to brute-force the password, but when the users are going to do this in reaction to this because they have so many to remember, then you have zero security.
In short, we NEED biometrics, and we need them widely available and cheap.
Re:biometrics - isn't this still vulnerable to MIM (Score:4, Informative)
I've had the same issue with signing my name on electronic signature pads (I do it, I just don't like it). Once I do that, it can't be hard to take my signature that is on file and simply move it to a different location in your database and attach it to a different transaction can it? Then you print out a copy of the receipt for that new transaction and BAM!! There's my signature. And since it's electronic, I MUST have signed for it. Why there's even a timestamp. Let's see who has electronic copies of my signature...oh, FedEx, UPS, Airborne Express, DHS, damn near every place I've ever used my debit card, and the list goes on.
Granted, a regular ink signature can be faked, but everyone accepts that. For some reason, when you tack on the word "electronic", everyone suddenly seems to drop their guard and simply accept its authenticity as the gospel even though it's usually even LESS secure. Don't even get me started on "electronic voting"
Parent
Re:biometrics (Score:5, Insightful)
I'd rather give up my wallet in a mugging than have to fork over MY EYE.
Seriously, I have a feeling that biometrics will just be spoofed. I'm sure I read an article about Gummy Bears and foiling a finger-print scanner. As long as there are people in charge of information, social engineering will be able to cut through all of these countermeasures.
Parent
giving up passwords (Score:4, Insightful)
What passwords? Did they check them? This doesn't sound too credible.
I would definitely give out my password... (Score:5, Insightful)
and other personal data, just for a bit of candy. Heck, I'd do it for free. I just wouldn't give them the correct password. I'd also make sure that the personal data I gave them was total BS.
So how do we know that the seemingly credulous participants in the survey weren't lying?
Free Chocolate (Score:5, Funny)
ASSISTANCE REQUIRED FOR ACQUISITION OF MASS QUANITY OF CHOCOLATE
I write to inform you of my desire to acquire large quanities of chocolate in your country on behalf of the Director of Contracts and Finance Allocations of the Federal Ministry of Works and Housing in Nigeria.
Considering his very strategic and influential
position, he would want the transaction to be as
strictly confidential as possible. He further wants his identity to remain undisclosed at least for now, until the completion of the transaction. Hence our desire to have an overseas agent.
I have therefore been directed to inquire if you would agree to act as our overseas agent in order to actualize this transaction.
The deal, in brief, is that the funds with which we intend to carry out our proposed investments in your country is presently in a coded account at the Nigerian Apex Bank (i.e. the Central Bank of Nigeria) and we need your assistance and password to transfer the funds to your country in a convenient bank account that will be provided by you before we can put the funds into use in your country.
This is NOTHING (Score:5, Informative)
You know those self-checkout stations they have now? Each and every one of them was spitting out paper slips non-stop that were records of the day's transactions. My roommate snapped a photo.
Each and every slip had the full credit card number, the expiration date, and a copy of the cardholder's signature.
They were unattended, and the workers had placed plastic bags to catch the slips as they fell out of the machines.
There must have been hundreds...
At just one Wal-Mart...
Out of thousands of stores.
Re:This is NOTHING (Score:5, Insightful)
Wait until winter. Burn as fuel. Stir around the ashes. Easy-peasy-lemon-cheesy. No need for cross-cutting shredders.
Wait.. Wait, forget I said that. As luck has it, I have a "data destruction" company. I've got some really advanced cross-cutting shredders, right here, siree! Just fork over your metric loads of privacy-sensitive information, and a few hundred bucks for disposal, and go and have a good night's sleep. And if people from the credit-card company call, saying some-one's been using your cards out-of-state, just remember they're most likely identity thieves trying to scam you into giving them your personal information. After all, all your data was safely destroyed....
Parent
The participants answered questions (Score:3, Insightful)
Wait one damn minute (Score:3, Funny)
I don't know, what are you supposed to do? (Score:3, Insightful)
I'm about as close to paranoid about my personal information as anyone I know and my identity was stolen about 5 weeks ago. I give out practically nothing and it still happened. The part that drives you up the wall is how nobody seems to really give a crap about it. The police yawn, write the report, and leave. The stores all want an affidavit and then go away. Your bank gives you a new account and returns your money. Aside from the pile of paperwork I had, and am still having to deal with it doesn't seem to bother anyone that this happens. This money must have come from somewhere right?
I know I got all my cash back but I'd bring back roadside crucifixion in a heartbeat if I could get my hands on the guy who wrote $5K worth of checks using my info.
The writeup is wrong (Score:3, Informative)
It's 92% of a sample of 200 random Londoners, not 200 of the people who attended Infosecurity Europe.
Who's the dummy? (Score:5, Insightful)
flaw here. Are people really stupid
to provide a handful of facts about
themselves? Or are the banks stupid
to accept a handful of facts as
evidence of authorization to access
an account?
Seems to me this whole "identity theft"
is an exercise in blaming people for the
banks' failures. I haven't had my
"identity stolen" -- whatever that's
supposed to mean. No, the bank has been
tricked, defrauded into giving up my
money to someone who happens to know my
mother's maiden name. That's the bank's
policies hurting the bank's ability to
do its job -- keep my money safe. That's
not my problem.
Calling it "identity theft" and holding
me responsible for preventing it is just
an attempt to turn the banks' problem into
my problem -- one they are happy to help
me solve for a fee of $10 a month.
No, thanks, I decline to pay a monthly
fee to do the bank's work for it.
Re:Trade pwd 4 sex (Score:5, Funny)
Actually, I did that once. My girlfriend and I were having a fight because she accused me of not trusting her. As a show of trust and good faith, I told her my main password for important stuff. Shortly afterwards, we had make-up sex. After she fell asleep, I went and changed my passwords.
Parent