Cringely on Identity Theft

Boiled Frog writes "Prompted by the theft of his mail, Cringely investigates how easy it is to steal identities from government publications. In this article he explains how he got the identities of 300,000 people which he calculates to be valued at $65 billion dollars. If Cringely can do it, anyone can."

Article is spot on. Happened to me..

[Lysol]

I had my identity stolen about 8 years ago. It suuuuuked!

In San Francisco, when some people move out, they throw all this crap they don't need anymore on the curb. I saw this thoughout the city, time and time again, so when it came time for me to move, I did the same.

I got rid of almost everything! This included, tons of old papers - possibly old pay stubs. Big NO NO! At one point, I even noticed some people looking through the big pile. "Just people who like crap", I thought.

Six months later, the Postmaster General Attorney's office in San Jose calls me saying they've arrested someone on postal fraud that had my name and info in his little black book. It was under a section that basically was ready to have a drivers license and social security card issued in my name with this guy's picture!

To make a long story short, the guy went to prison and I had to notify all agencies where I had any type of id or credit/bank card to put a watch on them for the next six months.

My lesson learned: shread everything.

However, online, this is a totally different issue and the only thing I can suggest and do about that is to check into companies and try to make sure they are responsible about how they store your credit-card information. I've personally written to all the online companies I use to ask as how they protect my information. If it ever seemed like they weren't up to snuff, I explained my concerns and asked for some sort of reassurences. Although, I must admit, that's not the best thing and sometimes letters to the BBB and other groups/agencies are necessary.

This is really scary

[ViolentGreen]

There is so much personal information out there and some people are so uninformed about who not to give this information to or how to secure the information that they have been given. This problem will only get worse. I for one have no idea how to deal with it.

Which goes to show you...

[Flabby Boohoo]

why you use a PO box, like I do.

Don't have to worry about such things.

Re:Article is spot on. Happened to me..

[BWJones]

To make a long story short, the guy went to prison and I had to notify all agencies where I had any type of id or credit/bank card to put a watch on them for the next six months.

Good to hear this person actually went to jail. I should add that the other thing you should do is check your credit history and cancel all old credit cards that you may not even know are still active. A friend of mine had someone get access to three old credit cards that he had cut up, but had not actually cancelled the accounts. A couple of years later he was surprised to find the companies were telling him he owed $30k worth of charges.

Credit monitoring services

[jargoone]

I'm usually not paranoid, but talk of identity theft, and nearly being a victim (copied credit card when I visited Mexico), convinced me subscribe to a credit monitoring service. They notify you right away of changes to your profile, and give you free periodic credit reports. I'm trying to start a small business, so it's more important now than ever.

True Credit [truecredit.com] turned out to be the cheapest at $11/quarter for the basic service. This is not a referral link, and I'm not affiliated with them in any way. Just sharing information.

Money isn't the issue

[Doesn't_Comment_Code]

Most instutions will cover your butt now if you get your ID stolen. So it isn't the money that costs you, its the work.

You have to apply for coverage, and show evidence that your ID was in deed stolen. That can take months or years! And a lot of effort goes into all that. One of the worst parts is trying to restore your credit rating. While the whole process really shouldn't cost very much money ( $1000) it costs a quarter of your life to repair all the damage.

Re:Office of Redundancy Office -- RTFA

[mgessner]

Did you even read the article? He specifically mentions that figure.

It comes from his ability to gather X number of names, and each name has an estimated rip-off values (as computed by the U.S. Secret Service) of $217,000 (which was an average computed from a sample of identity thefts in one study).

Next time, RTFA.

Avoiding the Post Office.

[BWJones]

From the article:"No, I mean what are you going to do about replacing my book?"

"Why would we replace your book?"

"BECAUSE YOU LOST IT????"

This is exactly why I use Fed Ex or UPS when ordering things. They can track your packages and they take responsibility when they screw up. Perhaps the Postal Service could take a lesson?

Re:Avoiding the Post Office.

[stratjakt]

Priority mail with insurance.

Fed-Ex or UPS won't replace your item if you didn't get insurance, either.

We just got a PC shipped back to us from the field by UPS. The box was smashed, and the machine looks like CowboyNeal sat on it. Picking it up I could hear all the fancy shmance electromonical doodads rattling around inside the twisted case.

UPS won't do shit about it, because the fool didn't pay the 5 bucks for insurance.

Re:Article is spot on. Happened to me..

[nairb107]

Or keep an eye on the old ones. You don't want to cancel older accounts, especially if they had a good history b/c that in effect shortens your credit history and lowers your credit score. Be careful not to screw your own credit record while trying to prevent other from doing the same.

Re:Which goes to show you...

[grub]

Good idea but many places won't deliver to a PO Box as they've been used for fraud for eons. They want a brick & mortar delivery point.

Scary websites...

[Cassanova]

My wife and I tried buying something on the web on this one particular site. It asked me to register since I was buying stuff for the first time there. Filled up everything on the "new account" page and hit "register me". The page came back in error saying the id I was trying to register was already taken so I had to try another one. Not so bad. What was bad though was THE PAGE RE-LOADED WITH ALL THE FIELDS IN IT PRE-FILLED WITH THAT ALREADY-EXISTING USER ID's DETAILS! Address, phone number, first/last names everything on there for the taking.

Scaaary. We politely backed out of the site and decided to buy elsewhere.

Mobile Phone Companies Require SS#

[popo]

Recently I signed a new cellphone contract and they *would not* allow me to sign the contract without giving them my SS# (which I imagine is for a credit check). What's the legality of that? Is there any way to avoid handing over SS#'s in these situations? Its terrifying that cell-phone services have huge databases of millions of Social Security numbers.

Anyone?

Re:Avoiding the Post Office.

[Dan Ost]

FedEx insures everything up to $100. If you want more insurance, you can
get it by paying a little more for it (note the "Declared Value" field
on the FedEx Airway bill).

Re:You want some wine with that cheese?

[YU Nicks NE Way]

I don't suppose you thought about the fact that the suggestion is hilariously funny?

Your employer is the one entity which is required to ask for your SSN -- it's used to pay your FICA and Medicare taxes, as well as to route your employer's contribution to your account. Those taxes? Well, if Social Security is still around when you retire, they're what sets your benefit level...

Re:Are you dissing Cringely?

[The Old Burke]

I you had RTFA, you would have seen that he said it himself...

It happens more than you think!

[mr_resident]

After I had my ID swiped by a ID-less loser, I started taking precautions:

Xerox/scan all your bank cards, credit cards, drivers license, etc front and back. Write down all the contact info and make sure you keep a copy in a safe place. NOT YOUR WALLET! If anything is lost or stolen call immediately!

Open a second bank account to use for online transactions. I transfer only the amount of money I need to cover gas, lunch, online stuff to it. I don't use an ATM card on my primary checking/savings. If someone grabs a carbon, they don't get access to anymore than the few bucks I keep as a buffer.

And as many have and will say here: Don't give out your SSN, check your credit report regularly for new lines of credit and shred early - shred often!

Re:Which goes to show you...

[jargoone]

Go to one of those shipping/copy places like Mailboxes, Etc. Lots of those have boxes, so your address will be their address, with a number after it, like

123 This St. # 666

They'll take and sign for packages for you, too.

Re:Article is spot on. Happened to me..

[The_K4]

Wrong. A closed account still shows on your credit report, It won't drop off for 4 years. It will show as "closed" but will indicate your history. Run your own report some time and look at the non-revolving accounts! By leaving it open you lower your avaliable credit. Also having a large number of open accounts LOWERS your score! It's better to have 2-4 cards with high credit limits then 7-10 with average limits, and will give you a better score. I closed 3 old cards that I never used, my credit score went UP and then the 3 cards I still had all offered to raise my limits. If you have old cards taht you don't/won't use...>CLOSE THEM! they hurt you alot more then they help.

Will the REAL Robert X. Cringely please stand up?

[camusflage]

You're closer to the truth than I think you knew.. I dare you to ask PBS and Infoworld who Robert X. Cringely is. From an old wired article:

Unfortunately, in 1995, as PBS was editing Triumph of the Nerds, InfoWorld fired [Mark] Stephens [who had written the Cringely column for years--ed] - which was sort of like firing Mary Ann Evans from being George Eliot. InfoWorld thought that it ought to have exclusive dibs on the Cringely name. (In a spooky twist, if anyone really owns the rights to the Cringely name, it is probably Cringely's girlfriend's father, who put an imaginary "Al Cringely" scapegoat on his PR firm's masthead decades ago. The surname was eventually imported by InfoWorld.) Cringely still feels the betrayal deeply - first because, as he sees it, InfoWorld dismissed him without warning, and second, because they accused him of trademark infringement for continuing to use the name that he had done so much to build. "InfoWorld sued me," he says, still sounding incredulous. The case was settled out of court; InfoWorld kept the trademark, and today, another scribe's Cringely column appears in its pages every week. But the company was ordered to pay Cringely's court costs, and he was given license to use the coveted name professionally - "As long as he doesn't use it in computer publications," InfoWorld's editor, Sandy Reed, who fired him, clarifies. "PBS we don't compete with."The lowly Cringely, as ever, somehow came out on top.

Cause and Prevention

[nanojath]

One of the issues not often addressed is the misuse (in my opinion, and some would argue by its original intention) of the Social Security number as a universal identifier in so many public and private functions. It happens for convenience - the SS # is government issued, unique and relatively difficult to spoof, so it's handy. But it shouldn't be allowed. The SS # should be used by the government for tax identification and issuance of SS and related benefits only. Unfortunately nobody wants to open this huge can of worms.

There is certainly a degree of catch-22 involved between convenience and security. When my wallet was stolen with license and SS card (dumb to carry both but I recently needed them starting a new job)a few years back, I was glad that I was able to get a new drivers license with no identification except a birth certificate copy I was able to get with just my SS number and no identification - but the ease of doing so certainly gave me pause for thought.

In addition to the sound advice of shredding, a good idea is to lock your credit reports from being issued without your consent and opting out of pre-approved CC offers. Instructions for both at this article - http://abcnews.go.com/sections/scitech/TechTV/tech tv_fraudprevent030815.html

I'm just thankful my house has a mail slot that drops into an inaccessible bin inside the home.

wait until this happens to you

[Anonymous Coward]

The newest scam are VINs, the vehicle identification number. Once you have that and the proper books, you can cut keys.

With the key, you just drive it off the shopping mall lot. And there's no sign of forced entry, so the insurance company says "you left the key in the ignition, tough for your claim. Happened to us on vacation. And 10 year old clean cars are in more demand for the body parts, it isn't just the new Hondas.

Tape over that damned number.

Re:You want some wine with that cheese?

[YU Nicks NE Way]

Social security is not a voluntary system. Your employer is required to make contributions to your account; failing to do so is a federal offense. Failing to make your own contributions is merely tax evasion. (FICA is not a contribution, it is a tax, and it is so named under the federal code.)

Re:Avoiding the Post Office.

[Cpt_Kirks]

Goddamn UPS won't even ring the doorbell. They just dump the package on the porch, even if they are supposed to get a signature.

I nearly tripped over my new DVD burner on my way in the house the other day, and my wife had been home ALL DAY!

Locking mailboxes?

[semanticgap]

Something that he doesn't mention but immediately came to mind - I live in a house and have one of those curb-side mailboxes. Anyone can swing by soon after the mailman does his delivery and go through my mail.

I found this place that sells a "locking mailbox": http://www.oregontrailbox.com/
I think I'm going to get one from them. If you come across anything better, or have experience, please reply.

Re:Article is spot on. Happened to me..

[Sapwatso]

Not entierly complete either. Sometimes closing accounts can hurt your credit score too, for example if there were recent late payments on the account, or if closing the account makes your (credit in use)/(avalible credit) ratio too large. Bottom line is that the credit score calculation is very complex. If you are concerned with it enough to open or close accounts to change your score, you should probably consult a financial planner. (IANAFP)

Wrong, stupid.

[LibertineR]

The primary benefit of a shredder, is that the Crackhead is going to take my neighbors's trash instead of mine, and save himself the trouble of piecing my mail back together. Besides, the only shredder someone should buy is a CROSSCUT Shredder which will turn your papers into 1/4 inch chunks that no one could reconnect in a month.

It's same philosophy as Car alarms. They dont prevent theft, they just encourage you to take the other guy's car because it's less trouble.

Re:Mobile Phone Companies Require SS#

[Aidtopia]

I questioned the sales rep when I was in the same situation. He said that it's used for nothing but the credit check.

Then I got my first bill and saw that the first half of the account number was a significant portion of my SSN. I suppose that could be a 1/10000 coincidence.

Re:Mobile Phone Companies Require SS#

[Anonymous Coward]

Legally they can't require it under federal law, which limits the circumstances in which an SS# can be required to a handful of cases (such as employment). However, there is no effective enforcement, and usually the CSR or sales rep taking the order has been trained that the SS# is required, period, so unless you make a big stink, they won't give you a phone without one.

Re:Will the REAL Robert X. Cringely please stand u

[redplasticcup]

here's a link [wired.com] to that Wired article. Pretty interesting reading, I hadn't known that the Infoworld Cringely was fake.

How far to go to protect your identity?

[Blademan007]

I've tried to make it as secure as possible:
- Limit giving out personal info to anyone
- Cross-shred [cfsshreds.com] anything with info on it
- Give out 867-5309 [project80s.com] as my phone number ;)

But, ever tried not to provide your social etc for:
- Doctor's office (They will want payment at time of visits). I've begged with them not to use my SS#, but it's an easy and unique identifier, they said.
- Electric company (They wanted $300 cash in lieu of a SS#)

I agree with the first poster about the mailbox, but outside of apartments or high-rises, how many lockable mailboxes have you ever seen? I'd like to, but it's probably against my HOA anyway.

We provide much of the information that could be used against us, as a convenience for ourselves.

YANAL

[Pii]

You are not a lawyer, and neither am I, but instead of simply accepting what I hear, sometimes I like to check into things, especially before I go giving other people advice.

An employer is not required by law to obtain an employees Social Security number. The law requires only that they ask for it. (How can they be required to obtain an employees SSN, when in fact, there is no legal requirement that a person obtain an SSN in the first place?)

Take a look at this [networkusa.org].

Here's a relevant excerpt (And please ignore the religious component... That's not the point.):

Employment is a form of contractual agreement. Generally, the same points made in the previous answer regarding contractual agreements also apply here. If the terms of employment include a requirement that the employee must supply their social security number then there are basically four options available: 1) supply the requested SSN; 2) ask to work out another arrangement where the SSN isn't required; 3) don't work for that company; or, 4) sue the business in court.

An employee or job applicant may be able to receive protection from coerced submission of a SSN for employment purposes by relying on federal anti-discrimination laws. The Civil Rights Act of 1964 Section 703(a)(1), Title VII, 42 U.S.C. Section 2000e-2(a)(1) makes it unlawful to discriminate against any employee or perspective employee on the bases of his or her religion. (This is in addition to the basic Constitutional First Amendment protection of the free exercise of religion.)

In 1992 a complaint was filed with the Equal Employment Opportunity Commission (EEOC) by a Mr. Hanson, wherein he claimed as a "Christian Fundamentalist" he could not obtain or use a SSN. The EEOC filed suit against the business that fired Mr. Hanson on his behalf. The suit claimed that firing Mr. Hanson due to his not having or getting a SSN constituted discrimination due to his religious belief. The business claimed that they were required to either force Mr. Hanson to get a SSN or fire him because they were required by certain IRS Code sections and regulations to report all employees' SSNs on certain IRS forms. The business also responded that it was required by federal law to report all employees' SSNs to the Immigration and Naturalization Service (INS).

The EEOC countered that the only requirement imposed upon a businesses by the various tax laws was that employers must "request" an employee's or potential employee's taxpayer identification number, and that there was be no penalty for a business not succeeding in obtaining one. The EEOC, itself a federal government agency, stated in its "Plaintiff's Response to Defendant's Motion to Dismiss" that:

"the Internal Revenue Code and the regulations promulgated pursuant to the code do not contain an absolute requirement that an employer provide an employee social security number to the IRS."

The EEOC further argued that employers were permitted to use any one of several acceptable forms of identification and employment eligibility verification other than a SSN and still comply with the Immigration Reform Act requirements.

The Court denied the employer's motion to dismiss the complaint. A settlement was later reached in which Mr. Hanson was awarded back-pay. The Court's final decree setting out the terms of the settlement stated that:

"The [employer] shall be permanently enjoined from terminating an employee for failure to provide a social security number because of religious beliefs."

A sincerely held religious belief may serve as a valid basis for objecting to requirements for a social security number for employment purposes. A business could be found guilty of discrimination for taking adverse action against an employee or applicant due to their refusal to use or obtain a SSN.

VIN numbers

[afniv]

Read more on VIN numbers and stoen cars at snopes.com:

http://www.snopes.com/crime/warnings/vin.asp [snopes.com]

As stated in the link, I highly doubt anyone can just steal a car of the shopping mall lot. It takes too long to get a key made. You will be home by then. Also, I think covering the VIN number may be illegal in some states/countries.

800-Ask-USPS

[iamweezman]

I've been working for Convergys, the customer service for USPS. When you call 1-800-ask-usps, you just might get me. I get a call every 3 minutes or so, and out of an 8 hour day, I get at least 5 calls a day from someone that most likely has a case of stolen mail where identity theft could be an issue. Multiply those 5 calls by the some 800 others I work with and you can see how big a problem this is.

What is the post office going to do? Nothing. hundreds of thousands of mailpieces, some containing financial and personal information, goes through some of the larger metro Post Offices everyday. You think your carrier is going to remember anything about that one piece of mail from you know who that should have been there last week? The postal inspectors will look into the obvious more severe cases, but the have their limitations also. FBI doesn't even look into every case either.

As far as getting reimbursed for one shipment from Amazon, read above to understand why Cringley repeats the "we'll investigate it phrase", something I say everyday.

If you think that FedEx or UPS will solve the problems, then you might be right. Of course you get what you pay for. If you pay for the same type of delivery from USPS, express mail, then you also get tracking, insurance for up to $100, service to a PO box (if needed), and all for less. If you look for minimal cost, expect minimal service.

Re:wait until this happens to you

[RowdyReptile]

Hmm, that seems like decent advice. But what about the idea of etching your VIN [idsticker.com] on all your car's windows to help recover it in case of theft?

Re:Article is spot on. Happened to me..

[bug506]

I'm not sure if you are still in California, but if you are you can get a "security freeze" put on your credit report.

This is different from the "security alert" that most people tell you to put on your credit report when fraud happens.

With a "security alert," basically it's just a notification to creditors that they should be careful. They can still get your credit report. Apparently, many creditors ignore this warning so you are not guaranteed that someone else isn't applying for credit in your name.

With a "security freeze," no one can get your credit report (with a few exclusions such as the police with a court order). It's much much safer.

The credit report agency sends you a PIN that you use to temporarily or permanently remove the security freeze. For example, if you are applying for a mortgage in the next 15 days, you can remove the security freeze for 15 days, and it will be put back on once that period of time is up.

The credit report agencies do not want people to know about this option because if everyone takes advantage of it then their whole system fails.

Under California law, there is no charge for a security freeze on your credit reports IF you have ALREADY been the vicitim of fraud. (Someone used some of my checks and stole my credit card number before, so I qualify). If you have not ALREADY been a victim, you can pay some ridiculous amount to have it put on (on the order of $50/year).

I believe Texas may have a similar law (because my letter including the PIN from one of the agencies said "security freezes are only available in California and Texas" and that if I move out of CA then I have to notify them so that they can remove the security freeze).

For the last year, I played the credit report agencies' game. I PAID THEM $80/year to get access to MY OWN INFORMATION to make sure no one was using my credit fraudulently. When I renewed a couple of months ago, they changed their policy and limited the number of times a year you could view your credit report. So I dropped them, and was going to sign up with a competitor (still playing the game) when I found out about the security freeze.

For more info:

http://www.privacy.ca.gov/financial/cfreeze.htm

http://www.fightidentitytheft.com/legislation_ca li fornia_sb168.html

Of course, if you are not in California (or Texas I think), then you can try seeing if your representatives in DC will make this a national requirement.

Joey

Re:wait until this happens to you

[mttlg]

Tape over that damned number.

Go ahead, if you don't care about violating federal law and giving the police a reason to believe that the car has been stolen. From U.S. Supreme Court case NEW YORK v. CLASS, 475 U.S. 106 (1986) [findlaw.com]:

To facilitate the VIN's usefulness for these laudable governmental purposes, federal law requires that the VIN be placed in the plain view of someone outside the automobile: [475 U.S. 106, 112]

"The VIN for passenger cars [manufactured after 1969] shall be located inside the passenger compartment. It shall be readable, without moving any part of the vehicle, through the vehicle glazing under daylight lighting conditions by an observer having 20/20 vision (Snellen) whose eye point is located outside the vehicle adjacent to the left windshield pillar. Each character in the VIN subject to this paragraph shall have a minimum height of 4 mm." 49 CFR 571.115 (S4.6) (1984) (emphasis added).

Re:We do not have identities.

[MenTaLguY]

Well, two problems with using DNA as a secret for identification purposes:

A. DNA is not unique -- consider identical twins, for example

B. DNA is not secret either; certainly no more secret than fingerprints. You leave piles of copies in the form of hair and shed skin cells whereever you go.

Re:Avoiding the Post Office.

[evilviper]

Goddamn UPS won't even ring the doorbell. They just dump the package on the porch, even if they are supposed to get a signature.

I've had dozens upon dozens of packages from UPS (as well as Fedex) and had to give my signature on every last one of the packages that required it. Never has a single package been left, if it required a signature. You need to take this up with your local office, since it sounds like you just have a single UPS delivery person that isn't doing their job.

easier than you think..

[ehrichweiss]

Identity theft [peoplehacking.com] is amazingly simple and with the rise of the information age, identity theft's ease will increase all the more.

Today everyone puts confidential information [peoplehacking.com] on forms, etc. and submits them "securely". Well, SSL is a good start but the biggest cause of identity theft is the human factor. For those of you who have a Paypal [peoplehacking.com] account, maybe you got an email in the past couple months that said your account was being verified..blah..blah... Have any idea how many people fall for that crap? I train [peoplehacking.com] people for a living to teach them how to stop this type of information theft and yet my own family still calls me up to ask if it was bad for them to have entered all their personal information [peoplehacking.com] in a piece of email.

Kinda reminds me of when the popups started appearing that looked like Wintendoze had an error but were really adverts for some corporate sleezeball to sell his lame software...pfft.

I just have three words

[spacecomputer]

Selective Service Administration