Security The Almighty Buck United States

Cringely on Identity Theft 630

Boiled Frog writes "Prompted by the theft of his mail, Cringely investigates how easy it is to steal identities from government publications. In this article he explains how he got the identities of 300,000 people which he calculates to be valued at $65 billion dollars. If Cringely can do it, anyone can."

  • by 3.5 stripes ( 578410 ) on Friday September 12, 2003 @11:33AM (#6942872)
    I mean, he's no H4Xx0R god or anything, but he seems to be fairly knowledgeable.
  • by TopShelf ( 92521 ) * on Friday September 12, 2003 @11:37AM (#6942917) Homepage Journal
    I was somewhat luckier. On the same day, I got a notice from a small long-distance telephone company saying I had an account that was being sent to collections, as well as another note saying that the account had been closed and that no further action was necessary. When I called, it turned out someone had used a credit card number in my name to set up an account and rack up charges, and was eventually recognized as a fraud and everything was closed out.

    The scary part was that if I hadn't called these guys up, I never would have known about the identity theft. How often does something like that occur, where the situation gets resolved but the intended victim is never informed???
  • by Boss, Pointy Haired ( 537010 ) on Friday September 12, 2003 @11:41AM (#6942981)
    If you're in the UK; you can register your name / address combination with CIFAS:

    http://www.cifas.org.uk

    The service is operated on behalf of the UK financial institutions by Equifax; and will add a layer of authorisation to your name / address combination when arranging credit etc. It probably means that you won't be able to buy stuff on instant credit; but for the hassle that identity theft can bring I think it's worth it. Registration costs 12 quid for 12 months.

    Personally I'm amazed that institutions will lend large amounts of money without a definite proof of your identity; but I guess that's consumer forces for you - Dixons want you to be able to walk out of their store with that 32" wide screen TV purchased on instant credit. For all the sales that brings; they absorb the liability.
  • by Cade144 ( 553696 ) on Friday September 12, 2003 @11:46AM (#6943038) Homepage

    In the article it is mentioned that your Social Security Number is used as a universal identifier and as "proof" of identity.
    This is not a good thing.

    I work in the medical records/medical billing industry and a patient's SSN is one of the vital bits of information we collect and use to help index records.
    Also the patient's date of birth.
    For billing purposes, we need the patient's home address.
    The health insurance company also needs all this information. In fact, if we don't supply all of the patient's personal information, they often don't pay claims.

    We try to protect private information. We have yearly training, and monthly fliers reminding us of the importance of protecting confidential information. We have every bit of discarded paper shredded, and we have pretty good locks on our doors, and we have a fairly paranoid firewall, but the truly determined employee could always get their hands on thousands of patient records with everything needed for identity theft.

    It's probably the same way at Hospitals and Insurance companies too. Too many people have access to private information, and the social and technological controls on it are too weak.

    I hope that no one who has access to my personal information decides to do a bit of creative fundraising.

    I don't have any answers, but we ought to think of solutions pretty soon.

  • by pubjames ( 468013 ) on Friday September 12, 2003 @11:49AM (#6943081)
    In the last couple of months there has been an increasing amount of very sophisticated email scams.

    For instance, E-Gold members (and others) have been receiving emails like this

    Dear e-gold user.

    At 09.05.2003 our company was attacked by unknown
    persons. Out administrators is working on the database restoring.
    If you have an active account, please check if it is still active, your
    current balance is right and all transactions can be processed.
    If you find that your account is inactive, please letus know
    immediately at e-mail service@e-gold.com
    To check your account, please click on the link below:
    https://e-gold.com/sci_asp/payments.asp


    It looks official, doesn't it? And the link looks ok too. But it is an html email, and the actual link went to a page located at e-gold2.com, which looked exactly like the real e-gold site. Thus the fraudsters were able to get people's log-on details. More here [e-gold.com].

    In the UK, many people have been receiving emails that look as if they are from Barclays bank (one of the biggest in the UK). It is a similar scam to the e-gold one. More here [theregister.co.uk].

    I myself have received an email asking me to update my ebay account details. Only on close inspection did I realise that it was a fraud.

    I find this extremely worrying. Personally I am probably like many Slashdotters - paranoid about security and difficult to catch out. However most people aren't like that, and this new type of scam email is an extremely worrying development, because it could catch a lot of people out. People really need to be informed about this type of scam, but I've yet to see much in the press about it. Any journalists reading..?
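The mismatch described in the comment above (a link whose visible text names one host while its `href` points at another) can be checked mechanically. The following is an added example, not part of the original post: the sample HTML is constructed, only the two host names come from the post, and `FindDeceptiveLinks` is a hypothetical helper name.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleEmail is a constructed HTML body modelled on the message quoted above.
// Only the two host names come from the post; paths and extra links are made up.
const sampleEmail = `<p>To check your account, please click on the link below:</p>
<a href="https://e-gold2.com/">https://e-gold.com/sci_asp/payments.asp</a>
<p>Questions? <a href="https://www.e-gold.com/help">www.e-gold.com/help</a>
or <a href="https://example.org/contact">contact us</a></p>`

// A regex is enough for this sample; a production mail filter should use a
// real HTML parser, because markup in the wild is far less regular.
var anchorRe = regexp.MustCompile(`(?is)<a\s[^>]*?href\s*=\s*["']([^"']+)["'][^>]*>(.*?)</a>`)
var tagRe = regexp.MustCompile(`<[^>]*>`)

// Mismatch records a link whose visible text names a different host than its href.
type Mismatch struct {
	Shown, Actual string
}

// looksLikeURL reports whether the visible link text itself claims to be a URL.
func looksLikeURL(text string) bool {
	t := strings.ToLower(text)
	return strings.HasPrefix(t, "http://") || strings.HasPrefix(t, "https://") ||
		strings.HasPrefix(t, "www.")
}

// hostOf returns the lower-cased host of s without a leading "www.", or "".
func hostOf(s string) string {
	s = strings.TrimSpace(s)
	if !strings.Contains(s, "://") {
		s = "http://" + s
	}
	u, err := url.Parse(s)
	if err != nil {
		return ""
	}
	return strings.TrimPrefix(strings.ToLower(u.Hostname()), "www.")
}

// FindDeceptiveLinks returns every anchor whose text looks like a URL but
// whose href resolves to a different host.
func FindDeceptiveLinks(html string) []Mismatch {
	var out []Mismatch
	for _, m := range anchorRe.FindAllStringSubmatch(html, -1) {
		text := strings.TrimSpace(tagRe.ReplaceAllString(m[2], ""))
		if !looksLikeURL(text) {
			continue // "click here" style text makes no host claim to compare
		}
		shown, actual := hostOf(text), hostOf(m[1])
		if shown != "" && actual != "" && shown != actual {
			out = append(out, Mismatch{Shown: shown, Actual: actual})
		}
	}
	return out
}

func main() {
	for _, m := range FindDeceptiveLinks(sampleEmail) {
		fmt.Printf("link text shows %s but href goes to %s\n", m.Shown, m.Actual)
	}
}
```

Exact host comparison is deliberately strict: a look-alike such as `e-gold2.com` differs from the real name by one character, so fuzzy matching would hide the very case the check exists for.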

  • by Anonymous Coward on Friday September 12, 2003 @11:51AM (#6943113)
    SSN should never be used as a validator. They should be treated as part of a person's name, distinguishing them from other people with the same name.

    If the govt announce that by 2006, they were going to publish everyone's name and SSN, and if you currently use SSN as a validator, you need to change now or face fines of $100k/day, maybe we could do something about this.

    But I doubt it will happen.
  • by Anonymous Coward on Friday September 12, 2003 @11:58AM (#6943184)
    The first step is to understand something very simple; identifiers and passwords are *very* different.

    A good identifier is stable, like a Social Security Number, or even your mother's maiden name (something that never changes).

    A good password changes from time to time, and is not widely known, *not* like a Social Security number, or your mother's maiden name.

    One of the problems is that so few people at the managerial level to set policy understand how terrible an idea it is to use something long-standing (or permanent, like mother's maiden name) as a password.

    Knowledge of an identifier is useful to do work, but is *not* useful for authentication. Knowledge of a password is useful for authentication.

    It really isn't rocket science, but, it also is not widely known, for whatever reason.
  • by Worminater ( 600129 ) <worminater@gm[ ].com ['ail' in gap]> on Friday September 12, 2003 @12:09PM (#6943305)
    At least there's luck for some people.

    My uncle had his identity stolen 3 years ago, and that wasn't fun to go through:-p

    He had a problem with his leg during a business trip, stopped off in some midwest town, and the hospital he stayed at somehow mishandled his information.

    A bit later there were bills coming in from all over the place with no one knowing where from.

    It's been 3 years, 2 years of fairly constant struggle, and to this day he still doesn't have it completely back, which is a frightening thought if you ask me.

    That easy to steal, and he's STILL not in the clear 3 years later? Scary thought:-p
  • Re:Cash, hmm? (Score:2, Interesting)

    by stratjakt ( 596332 ) on Friday September 12, 2003 @12:14PM (#6943351) Journal
    Not true. At least, not true in the legal sense, here in the US.

    Look at a piece of currency, see where it says "This note is legal tender for all debts private and public". That means the law says this is money, and if you "tender" it to pay a "debt", it must be accepted.

    That's why currency came to being - back in the olden times every bank printed their own "currency" and no one would accept it because no one knew what was legit and what wasn't. So you had the era of people carrying around little pouches of gold dust, and a shot of whiskey costing a "pinch", and of course bartenders with giant oversized ham-fists.

    The feds stepped in to fix it and said "this is money, this is how you pay people, and they may not refuse it".

    Of course, you can always go buy a postal money order.
  • by Anonymous Coward on Friday September 12, 2003 @12:30PM (#6943553)
    Nice "history" lesson. However, FDIC was created during the great depression to prevent mass withdrawals from bankrupting banks.
  • by MemeRot ( 80975 ) on Friday September 12, 2003 @12:39PM (#6943645) Homepage Journal
    I've heard the rate at which people who commit identity theft get caught is around 1 in 7000.

    So you have a much better than 99.9% chance to just do it to your heart's content and walk away with the money. That's pretty freakin' scary. A crime where you never have to see your victims, never have to face any consequences, and make tons of money. Can you imagine what would happen if a misguided Robin Hood decided to popularize the techniques and teach them to America's poor? Would the entire banking industry collapse at once? With a million people doing it simultaneously you would obviously overload the already overloaded investigative ability of the gov't and probably change the ratio to 1 in 100,000 getting caught.
  • by chrysrobyn ( 106763 ) * on Friday September 12, 2003 @12:40PM (#6943646)
    One of the issues not often addressed is the misuse (in my opinion, and some would argue by its original intention) of the Social Security number as a universal identifier in so many public and private functions. It happens for convenience - the SS # is government issued, unique and relatively difficult to spoof, so it's handy.

    I'm not certain about all of what you said.

    My mother worked in a state university admissions department in the 1960s and 1970s, and was a programmer and operator of their computer. One year, they had two applicants apply under the same social security number. They were able to verify that both people owned the same number! Turned out, the US Government didn't guarantee the uniqueness of the SSN-- it ALONG WITH YOUR NAME AND BIRTHDAY were your taxpayer unique ID. But the university had no way of admitting both students as they wanted to under the same SSN, so they asked one of them to get a new one. It wasn't hard once the Social Security Administration figured out why.

    Times have changed and computers have proliferated, and I've only done some casual investigation, but I've never found any guarantee by the US government that the SSN is unique.

  • I don't understand. (Score:3, Interesting)

    by hanwen ( 8589 ) on Friday September 12, 2003 @12:44PM (#6943710) Homepage Journal
    When I want to {open a bank-account,get a credit-card,get a drivers license} over here in Holland, I have to show my passport (which shows my photo and my SSN).

    New passports are only given out by the city-hall, and you have to turn over the old one, or show signed police-statements that you lost the previous one. (I suppose that they will corroborate with my home-address which is also known at the city hall for lost passports)

    How come photo-ids aren't required in the US?

  • by phildog ( 650210 ) on Friday September 12, 2003 @12:56PM (#6943818) Homepage
    Last night when I got home from work there were two electric scooters waiting in front of my garage. They had just been delivered by FedEx. I was surprised, because I hadn't ordered any scooters lately (ever) and wasn't expecting any. I drew up a very short list called "Friends of the scooter" who might have sent them as gifts, but alas, no luck after a few quick phone calls. So my hunch was either a)credit card fraud or b)computer glitch from company I had already ordered from.

    I called the scooter merchant this morning, and sure enough, someone had used my wife's AmEx card number to order the scooters and ship them to an address just a few miles away. Thankfully, as the nice owner of the scooter co. informed me, they have a policy of only shipping to the billing address and the sweaty-toothed madman didn't get his precious scooters. Ha!

    So since the nice owner of the scooter co. shared the IP address of the person who made the order, and being a huge internet nerd, I have already traced the origin (via nslookup) to an AOL user who was logged in and using AOL at 11:53am on 9/7/03. I might just have the means to track this guy down. I'm turning this over to the credit card company immediately, but the "sue everybody" American in me wants to go after this bastard for mental anguish, lost time returning the scooters, making this post, etc., and emotional damage to my 3 year-old daughter who was understandably excited about the scooters (perhaps even as excited as me!).

    What do you think?

    Story repeated at my blog [tarponcreek.com]
  • by wcb4 ( 75520 ) on Friday September 12, 2003 @12:58PM (#6943841)
    When I went to buy my first car, I had several issues with the credit report that came back, stating that I had had credit problems years ago. The only problem was that these credit problems were from when I was about 10, and there is no way I had credit problems then. The problem was that I am the 4th (hence my username) and there were credit issues from my father and grandfather on my credit report. I had to show that a problem had been cleared before I could buy the car. I told the salesperson that the problem was my grandfather's not mine, and he said quite simply it is easier to show a final payment statement that it was taken care of than to get it removed from your report, so just show it's been done and deal with the credit report later. I guess I should not have named my child the 5th, huh? (luckily his daddy has good credit ;-)
  • by JohnDenver ( 246743 ) on Friday September 12, 2003 @01:12PM (#6943954) Homepage
    You can't prevent crimes from happening, you can only improve the ability to catch the criminals, and reduce the damages.

    Sure you can, especially when the current security system is virtually nonexistent.

    My proposal is simple:

    * 2 key-pairs are issued to every individual by the DMV
    * The first (public) key is freely given to everybody
    * The second (private) key is stored on a chip in a credit-card sized pocket calculator like device, or smart card. ($5-$10 device which is paid by the driver upon issuance)

    When you need to prove your identity, you will be challenged with a random number, which can only be encrypted with the private key and verified by the public key.

    * Challenger gives you random number
    * Your encrypt device encrypts number with private key
    * Challenger verifies encryption with public key.

    In the event a private key is compromised, the corresponding public key will be published on a public database (which keys institutions should be required to check) and a new private key will be issued.

    The encryption community has come up with many solutions for this problem over the last few decades, and I know the consumer electronics and card issuance industry (which I used to work) would love nothing more than the government to stop dragging its heels and select one of the many drafted standards.

    We can solve this problem without creating another government institution or delegating it to one corporation.

    Why aren't nerds pushing for an open and honest solution to this problem? Aren't solving problems like this a nerd's wetdream?


    Like I said before, even a half-assed scheme would be better than our current social-security passwords.

    Don't like my solution? What are your ideas?
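The challenge-response flow proposed in the comment above, including the published list of compromised public keys, can be sketched as follows. This is an added example, not code from the original post: the post's "encrypt with the private key" step is implemented here as an Ed25519 digital signature, and the type names, the context tag and the single-use handling of challenges are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// sigContext is a constructed domain-separation tag: the card only ever signs
// "tag || nonce", so a response cannot double as a signature on anything else.
const sigContext = "identity-proof-v1:"

var (
	ErrUnknownChallenge = errors.New("challenge not issued here or already used")
	ErrRevoked          = errors.New("public key is on the revocation list")
	ErrBadResponse      = errors.New("response does not verify under this public key")
)

// Card stands in for the smart card: the private key never leaves it.
type Card struct{ priv ed25519.PrivateKey }

// Issue plays the issuing authority: it returns the public key for
// publication and the card holding the matching private key.
func Issue() (ed25519.PublicKey, *Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return pub, &Card{priv: priv}, nil
}

// Respond signs the challenger's nonce with the card's private key.
func (c *Card) Respond(nonce []byte) []byte {
	return ed25519.Sign(c.priv, append([]byte(sigContext), nonce...))
}

// Verifier is the challenger. It tracks outstanding nonces so that each is
// accepted once, and holds a copy of the published revocation list.
type Verifier struct {
	pending map[string]bool
	revoked map[string]bool
}

func NewVerifier() *Verifier {
	return &Verifier{pending: map[string]bool{}, revoked: map[string]bool{}}
}

// Challenge returns a fresh 32-byte random nonce and remembers it.
func (v *Verifier) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.pending[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Revoke records a public key as compromised.
func (v *Verifier) Revoke(pub ed25519.PublicKey) {
	v.revoked[hex.EncodeToString(pub)] = true
}

// Verify checks a response: the nonce must be outstanding (and is consumed),
// the key must not be revoked, and the signature must verify.
func (v *Verifier) Verify(pub ed25519.PublicKey, nonce, resp []byte) error {
	id := hex.EncodeToString(nonce)
	if !v.pending[id] {
		return ErrUnknownChallenge
	}
	delete(v.pending, id) // single use: a recorded response cannot be replayed
	if v.revoked[hex.EncodeToString(pub)] {
		return ErrRevoked
	}
	if len(pub) != ed25519.PublicKeySize ||
		!ed25519.Verify(pub, append([]byte(sigContext), nonce...), resp) {
		return ErrBadResponse
	}
	return nil
}

func main() {
	pub, card, err := Issue()
	if err != nil {
		panic(err)
	}
	v := NewVerifier()
	nonce, _ := v.Challenge()
	resp := card.Respond(nonce)
	fmt.Println("first use:", v.Verify(pub, nonce, resp))
	fmt.Println("replay:   ", v.Verify(pub, nonce, resp))
	v.Revoke(pub)
	nonce, _ = v.Challenge()
	fmt.Println("revoked:  ", v.Verify(pub, nonce, card.Respond(nonce)))
}
```

Unlike an SSN read over the phone, nothing the challenger sees in this exchange lets it impersonate the card holder later: the nonce is public and the response is only valid for that nonce.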
  • by MikeFM ( 12491 ) on Friday September 12, 2003 @01:16PM (#6944008) Homepage Journal
    I've worked at quite a few companies that handle important customer data and to be honest not one of them made any effort to protect that data either from employees or crackers. Management doesn't care and if an employee raises an alert (even internally) they are likely to get fired. 300,000 people is nothing. I've had access to millions of people's data. Actually I still do since I know for a fact these companies haven't made any effort to protect the data since I left and I was the one who put what security that does exist into place. I bet most even still use the passwords I placed on the servers.

    Even worse is that they would fire, without fair cause, a person that was already underpaid (thus broke) without taking care to finally fix their security. If I was a thief I could be very well off. I'm sure a lot of other IT/programmer types have similar experiences. I'm sure that not all of us are behaving ourselves with the economy the way it is.

    I still shop with vendors I know are storing my data but I'm careful with how much I give them. I don't use checks. I don't use credit cards. I do use a debit card but I was careful to get one that couldn't spend more than was actually in my account and I'm careful not to put more into the account than I'm expecting to use right away. That still leaves me open to damage but at least it controls the damage. I buy with cash or COD when it's possible (my last computer came from iDot.com because they allow purchase by COD).
  • by Anonymous Coward on Friday September 12, 2003 @01:23PM (#6944123)
    I can't speak for the law in your neck of the woods, but here in Canada, I work in the fraud shop of a major bank. I can assure you that we make every possible attempt to notify the victim, as this gives us final closure on the fact that a *fraud* has occurred, and isn't merely credit abuse.

    We make a thorough check for the "legit" before we can actually write something off as fraud.
  • by bill_mcgonigle ( 4333 ) on Friday September 12, 2003 @01:31PM (#6944218) Homepage Journal
    I'm a satisfied owner of a Heavybilt [steelmailbox.com] Country Estate. It's of very high quality and I put brass numbers on it with brass screws so I don't have to worry about it for 30 years or so, barring galvanic difficulties. I suspect their self-locking model would be as good or better.
  • by Fulcrum of Evil ( 560260 ) on Friday September 12, 2003 @01:32PM (#6944235)

    This is not correct. Despite this, financial advisors repeat this like a mantra.

    It's partially correct. By leaving a bunch of available credit around (unused credit cards), you increase your accessible credit. When deciding whether to extend credit to you, creditors usually look at this number. Old credit cards that you never closed => larger amount of available credit (that you don't use) => lower amount of credit that you do use.

  • by FreedomOfSpea-MMNnnf ( 704253 ) on Friday September 12, 2003 @01:33PM (#6944250)
    Happened to me too. Worse off than you. I was getting financial assistance for my tuition at a tech school while I was laid off after the tech bust.

    Some fuck took my check out of my mailbox and forged my signature and put the check into HER OWN bank account (using her own bank card). I had to apply to get a new check issued from the government which caused an insulting investigation:

    "Look MR. X we have your signature right on the cheque..." Of course I was happy to go and prove that my nasty assed grade 3 sig is much different from the bubbly and (in my mind) obviously female forgery.

    Long story short. They issued me another cheque, but not before my tech school sent the collection agency after me (god bless em') and ruined my credit. The bank where the check was cashed refuses to do an investigation into the person who stole it for what ever reason (probably bad publicity), even though they used their bank card and an automated teller. They reimbursed the government and in their minds it is case closed.

    BUT IT WAS MY IDENTITY THAT WAS STOLEN! Not the bank's who couldn't give two shits about a few measly thousand bucks anyway.

  • The same mail theft leading to attempted identity theft thing happened to me last year. Even better, the guy's court date is coming up in LA. Anybody want to Slashmob the jerk's trial?

    Short version is, my entire family goes to Morocco and Italy for a month. While we're gone, the person who was supposed to be picking up the mail, ehm, forgot, let's say. So, when the morons at our escrow company decided to send the DEED to the house in regular ol' 1st class mail, not certified, not registered, and sure as hell without calling first, some nutbar picked it up.

    Thank god he was too stupid to realize he was holding a $1,000,000+ piece of paper, with loan documents that included SSNs, account numbers, dates of birth, and (don't ask) mother's maiden names.
  • by tgd ( 2822 ) on Friday September 12, 2003 @01:58PM (#6944516)
    A pro thief wouldn't waste the time to do that. Most car models have 20-30 different keys, that's it. Someone with dealer contacts can *easily* get a keychain of all the possible keys for a given model in a given year. Doesn't take long in a car to run through 20-30 keys to open the door.

    What's interesting, too, is you can do the math on the number of colors of your car, and the average number of keys per model (generally 20) and figure out the odds of you accidentally driving off with someone else's car in a parking lot.

    Happened to me once when I was a kid -- we came out, got in the car and started it, and I told my Mom someone had broken into the car and stolen everything because the car was spotless (and ours certainly wasn't).

    Our car was two rows over.
  • by frater_corvus ( 537255 ) on Friday September 12, 2003 @02:17PM (#6944710)
    As to opening a bank account, every one I've opened required a photo ID. Getting a credit card doesn't. Neither does a driver's license, but that's because most states use the driver's license as your state issued ID card. Unless you have a previously issued state ID, you'll need some other form of identification to get a driver's license. In the case of my nephew, it was a simple notarized copy of his birth certificate.

    What really bothers me are the security sheep that complain whenever I ask to see a photo ID when they make a charge on a credit card. At my previous place of employment, I was fortunate that every employee was like-security minded, so I received back-up from my fellow employees up to the lead manager. The common excuse:

    "You can't ask to see my ID, that's an invasion of my privacy!"

    My canned response: "I check photo IDs with every credit card transaction to help prevent credit card fraud by verifying the names and signatures on both cards and the photograph. It's also within the store's right to refuse method of payment; if you don't want to show a photo ID, I'll gladly accept cash..."

    Granted, just looking at an ID is not 100%, but it's a small step in the right direction in my opinion. There have been many times where a spouse was using the other's card. Being a security freak, and seeing that the last names were the same but the first differed, I'd ask that the husband or wife come in to do the signing, since this wasn't their card to make purchases on. Most people had no problem with that. I'm still wavering on the whole copying driver's license information on check purchases issue. While it helps the store track the customer ( supposedly ), it'd just as likely help anyone who obtained the check as well.
  • by Presence1 ( 524732 ) on Friday September 12, 2003 @02:54PM (#6945139) Homepage
    When the original Social Security act was written, many were concerned about creating an Ad Hoc national ID number. So, it was written into the original act that the SSN would ONLY be used for purposes related to taxation and administration of the social security system.

    IT IS ILLEGAL FOR ANYONE ELSE TO DEMAND YOUR SSN.

    This means that anytime you are being paid, receiving money, or items that may result in tax credits, it is legal, so everything related to employment, prize winnings, interest payments, etc is fine.

    However, for insurance companies, doctors' offices, Departments of Motor Vehicles, and even the police, it is illegal for them to demand it, although they can request it.

    But, you must be insistent and sometimes a bit devious to effect this.

    When you are signing up for any insurance or signing up with a doctor or medical office, the SSN is the first thing they demand. With the insurance company, if on paper, just enter "Issue New ID" in the SSN field. If talking to a person, they will tell you that they need the SSN to proceed. Insist that this is illegal, that they have other procedures, and ask to speak to their manager. The person will resist for some time, then come back sheepishly and tell you that they can issue another number. For doctors' offices, give them the number that the Insurance company issued, as if it was the real number.

    For DMV, you usually have to check for some special exception on a form or even get a special exemption form, and you may have to forego some kind of conveniences, e.g., you may have to go to the office to renew, instead of them sending the card.

    With the police it is a bit more tricky, especially when some officer in Junior Gestapo mode is demanding your info at a traffic stop. I've found that they appreciate neither being told the fact that they have no right to demand that information, nor being asked if they are going to be paying me something. The best route is to simply say "I don't remember it exactly, and I don't want to risk giving you false information", which they cannot really argue with (they don't know that it only takes you 4 seconds to permanently memorize any 47 digit sequence you encounter ;)

    All of this is well worth avoiding all the extra links that could be made by anyone fishing in your data.
  • Compare with Europe (Score:4, Interesting)

    by sanders_muc ( 703587 ) on Friday September 12, 2003 @03:19PM (#6945626)
    Did you know that the crime of identity theft is virtually unknown in Europe (at least in Germany, where I live)?

    And there are some obvious reasons for this:

    - Nobody in Europe has mail boxes without a lock. European mailboxes are usually flat, upright, rectangular boxes with a slit on the top of the front where the mailman drops the letters and they fall down a slide so you cannot get them out without using either very long pliers or, of course, the key to unlock the door at the back.

    - No bank would give you a checking account or a credit without checking your ID card and making a photo copy of it and noting the number. (Remember that in most European countries (except e.g. the UK) every citizen is required to have a national ID card which you show whenever somebody has to be sure of your ID.) (These cards have all kinds of witty security features to make them really hard to counterfeit.)

    - All laws and courts agree that a reasonable proof that somebody did make a business transaction is a signature on a piece of paper, or at least some computer record showing that the customer has entered a secret PIN. 'Secret' meaning, that nobody else should be able to know it. (PINs are printed out by the banks' computer systems and put in a sealed envelope without any employees being able to look at them.)

    - Especially, if you told a court that a business transaction was valid because you checked the caller's identity on phone by asking for his SSN (or some local equivalent of this), his date of birth or his mother's maiden name, the judge would probably only laugh at you.

    While staying for half a year in California, I was quite astonished about the lax way of checking identities common in the US.

    (For example, I got liability insurance for the used car I bought by just phoning the company. The guy asked for my Visa card number, then said 'Fine. Your car insurance is valid starting now, i.e. 4:13 pm.' That was great and convenient, but after all, I still prefer the European way, where they'll first ask 'So, how do we know, that this was your credit card number, and not taken from some receipt you picked out of a trash can?'. As the very least they would want proof of your address so that they can send you a court summons in case you tried a fraud.)
  • by xpccx ( 247431 ) on Friday September 12, 2003 @04:32PM (#6946993)
    I'd like to see the number of different codes for wireless key entry. A buddy of mine and I were walking out to his car one night. When he used the wireless key to unlock his car, it also unlocked another car two to three spots over. We looked around thinking the other owner must be nearby and the two just happened to unlock the car at the same time. But no one else was in the lot. We sat there for the next minute or so locking and unlocking both cars with one remote.

    We thought it was kind of funny until we realized that the owner of the other car could do the same thing.

  • by Master of Transhuman ( 597628 ) on Friday September 12, 2003 @06:46PM (#6948471) Homepage
    Reminds me of the sci-fi story, "Little Heroes", where the cyber-revolutionaries were distributing hacker programs called "bedbugs" to the poor for free which were used to nickel-and-dime the US Treasury and the IRS to death!

    Could happen.
