Cringely on Identity Theft
Boiled Frog writes "Prompted by the theft of his mail, Cringely investigates how easy it is to steal identities from government publications. In this article he explains how he got the identities of 300,000 people which he calculates to be valued at $65 billion dollars. If Cringely can do it, anyone can."
Are you dissing Cringely? (Score:4, Interesting)
Re:Article is spot on. Happened to me.. (Score:5, Interesting)
The scary part was that if I hadn't called these guys up, I never would have known about the identity theft. How often does something like that occur, where the situation gets resolved but the intended victim is never informed?
UK line of defence against Identity Theft (Score:5, Interesting)
http://www.cifas.org.uk
The service is operated on behalf of the UK financial institutions by Equifax, and will add a layer of authorisation to your name / address combination when arranging credit etc. It probably means that you won't be able to buy stuff on instant credit; but for the hassle that identity theft can bring I think it's worth it. Registration costs 12 quid for 12 months.
Personally I'm amazed that institutions will lend large amounts of money without definite proof of your identity; but I guess that's consumer forces for you - Dixons want you to be able to walk out of their store with that 32" wide screen TV purchased on instant credit. For all the sales that brings, they absorb the liability.
SSN used as identifier (Score:5, Interesting)
In the article it is mentioned that your Social Security Number is used as a universal identifier and as "proof" of identity.
This is not a good thing.
I work in the medical records/medical billing industry and a patient's SSN is one of the vital bits of information we collect and use to help index records.
Also the patient's date of birth.
For billing purposes, we need the patient's home address.
The health insurance company also needs all this information. In fact, if we don't supply all of the patient's personal information, they often don't pay claims.
We try to protect private information. We have yearly training, and monthly fliers reminding us of the importance of protecting confidential information. We have every bit of discarded paper shredded, we have pretty good locks on our doors, and we have a fairly paranoid firewall, but the truly determined employee could always get their hands on thousands of patient records with everything needed for identity theft.
It's probably the same way at hospitals and insurance companies too. Too many people have access to private information, and the social and technological controls on it are too weak.
I hope that no one who has access to my personal information decides to do a bit of creative fundraising.
I don't have any answers, but we ought to think of solutions pretty soon.
Stealing bank details (Score:5, Interesting)
For instance, E-Gold members (and others) have been receiving emails like this
Dear e-gold user.
At 09.05.2003 our company was attacked by unknown
persons. Out administrators is working on the database restoring.
If you have an active account, please check if it is still active, your
current balance is right and all transactions can be processed.
If you find that your account is inactive, please letus know
immediately at e-mail service@e-gold.com
To check your account, please click on the link below:
https://e-gold.com/sci_asp/payments.asp
It looks official, doesn't it? And the link looks OK too. But it is an HTML email, and the actual link went to a page located at e-gold2.com, which looked exactly like the real e-gold site. Thus the fraudsters were able to get people's log-on details. More here [e-gold.com].
In the UK, many people have been receiving emails that look as if they are from Barclays bank (one of the biggest in the UK). It is a similar scam to the e-gold one. More here [theregister.co.uk].
I myself have received an email asking me to update my eBay account details. Only on close inspection did I realise that it was a fraud.
I find this extremely worrying. Personally I am probably like many Slashdotters - paranoid about security and difficult to catch out. However most people aren't like that, and this new type of scam email is an extremely worrying development, because it could catch a lot of people out. People really need to be informed about this type of scam, but I've yet to see much in the press about it. Any journalists reading..?
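The tell in the e-gold mail above is that the visible link text names one host while the href behind it goes to another. The following is an added example, not code from the post or from e-gold, showing a check for that mismatch; the sample message is constructed here on the pattern of the quoted mail, and the regex over anchors is only adequate for such a simple body (a production filter should walk a real HTML parse tree). Go is used here because the standard library covers both this and the key-based check later in the thread.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one anchor whose visible text claims a different host than the
// href actually points at.
type Finding struct {
	Text        string // what the reader sees
	Href        string // where the click really goes
	VisibleHost string
	RealHost    string
}

var (
	// Regex over anchors is enough for the constructed sample below; a
	// production filter should walk a real HTML parse tree instead.
	anchorRe   = regexp.MustCompile(`(?is)<a\s[^>]*href\s*=\s*["']([^"']+)["'][^>]*>(.*?)</a>`)
	tagRe      = regexp.MustCompile(`(?s)<[^>]+>`)
	bareHostRe = regexp.MustCompile(`(?i)^[a-z0-9-]+(\.[a-z0-9-]+)+$`)
)

// hostOf returns the lower-cased host of an http(s) URL, or "" if s is not one.
func hostOf(s string) string {
	u, err := url.Parse(strings.TrimSpace(s))
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// claimedHost is the host a reader would infer from the link text: either the
// host of a URL written out in full, or a bare domain such as "e-gold.com".
// Text like "click here" claims nothing and returns "".
func claimedHost(text string) string {
	if h := hostOf(text); h != "" {
		return h
	}
	if bareHostRe.MatchString(text) {
		return strings.ToLower(text)
	}
	return ""
}

// SuspiciousLinks reports every anchor whose visible text names a host that
// the href does not actually go to (the host itself or a subdomain of it).
func SuspiciousLinks(html string) []Finding {
	var out []Finding
	for _, m := range anchorRe.FindAllStringSubmatch(html, -1) {
		href := strings.TrimSpace(m[1])
		text := strings.TrimSpace(tagRe.ReplaceAllString(m[2], ""))
		claimed := claimedHost(text)
		if claimed == "" {
			continue // nothing to compare against
		}
		real := hostOf(href)
		if real == claimed || strings.HasSuffix(real, "."+claimed) {
			continue // href stays under the host the text names
		}
		out = append(out, Finding{Text: text, Href: href, VisibleHost: claimed, RealHost: real})
	}
	return out
}

// sampleEmail is constructed for this example, modelled on the e-gold mail
// quoted above: the visible link says e-gold.com, the href goes elsewhere.
const sampleEmail = `<html><body>
<p>To check your account, please click on the link below:</p>
<p><a href="https://e-gold2.com/sci_asp/payments.asp">https://e-gold.com/sci_asp/payments.asp</a></p>
<p>Write to <a href="mailto:service@e-gold.com">service@e-gold.com</a></p>
<p>Home page: <a href="https://www.e-gold.com/">e-gold.com</a></p>
<p>Or just <a href="https://e-gold2.com/login">click here</a></p>
</body></html>`

func main() {
	for _, f := range SuspiciousLinks(sampleEmail) {
		fmt.Printf("text says %q but href goes to %q (%s)\n", f.VisibleHost, f.RealHost, f.Href)
	}
}
```

Only the payments link is flagged: the mailto: and the www.e-gold.com subdomain are consistent with their text, and "click here" names no host, so there is nothing to compare (a filter that wants to catch that case has to fall back on reputation of the real host instead).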
Social Security Numbers should be public (Score:1, Interesting)
If the govt announced that by 2006 they were going to publish everyone's name and SSN, and that if you currently use the SSN as a validator you need to change now or face fines of $100k/day, maybe we could do something about this.
But I doubt it will happen.
Re:SSN used as identifier (Score:1, Interesting)
A good identifier is stable, like a Social Security Number, or even your mother's maiden name (something that never changes).
A good password changes from time to time, and is not widely known, *not* like a Social Security number, or your mother's maiden name.
One of the problems is that so few people at the managerial level who set policy understand how terrible an idea it is to use something long-standing (or permanent, like mother's maiden name) as a password.
Knowledge of an identifier is useful to do work, but is *not* useful for authentication. Knowledge of a password is useful for authentication.
It really isn't rocket science, but, it also is not widely known, for whatever reason.
Re:Article is spot on. Happened to me.. (Score:2, Interesting)
My uncle had his identity stolen 3 years ago, and that wasn't fun to go through :-p
He had a problem with his leg during a business trip, stopped off in some midwest town, and the hospital he stayed at somehow mishandled his information.
A bit later there were bills coming in from all over the place with no one knowing where from.
It's been 3 years, 2 years of fairly constant struggle, and to this day he still doesn't have it completely back, which is a frightening thought if you ask me.
That easy to steal, and he's STILL not in the clear 3 years later? Scary thought :-p
Re:Cash, hmm? (Score:2, Interesting)
Look at a piece of currency, see where it says "This note is legal tender for all debts private and public". That means the law says this is money, and if you "tender" it to pay a "debt", it must be accepted.
That's why currency came to be - back in the olden times every bank printed their own "currency" and no one would accept it because no one knew what was legit and what wasn't. So you had the era of people carrying around little pouches of gold dust, a shot of whiskey costing a "pinch", and of course bartenders with giant oversized ham-fists.
The feds stepped in to fix it and said "this is money, this is how you pay people, and they may not refuse it".
Of course, you can always go buy a postal money order.
Re:Article is spot on. Happened to me.. (Score:1, Interesting)
How often they get caught (Score:5, Interesting)
So you have a much better than 99.9% chance to just do it to your heart's content and walk away with the money. That's pretty freakin' scary. A crime where you never have to see your victims, never have to face any consequences, and make tons of money. Can you imagine what would happen if a misguided Robin Hood decided to popularize the techniques and teach them to America's poor? Would the entire banking industry collapse at once? With a million people doing it simultaneously you would obviously overload the already overloaded investigative ability of the gov't and probably change the ratio to 1 in 100,000 getting caught.
Re:Cause and Prevention (Score:4, Interesting)
I'm not certain about all of what you said.
My mother worked in a state university admissions department in the 1960s and 1970s, and was a programmer and operator of their computer. One year, they had two applicants apply under the same social security number. They were able to verify that both people owned the same number! Turned out, the US Government didn't guarantee the uniqueness of the SSN -- it ALONG WITH YOUR NAME AND BIRTHDAY were your taxpayer unique ID. But the university had no way of admitting both students as they wanted to under the same SSN, so they asked one of them to get a new one. It wasn't hard once the Social Security Administration figured out why.
Times have changed and computers have proliferated, and I've only done some casual investigation, but I've never found any guarantee by the US government that the SSN is unique.
I don't understand. (Score:3, Interesting)
New passports are only given out by the city-hall, and you have to turn over the old one, or show signed police-statements that you lost the previous one. (I suppose that they will corroborate with my home-address which is also known at the city hall for lost passports)
How come photo-ids aren't required in the US?
These aren't the scooters you are looking for... (Score:4, Interesting)
I called the scooter merchant this morning, and sure enough, someone had used my wife's AmEx card number to order the scooters and ship them to an address just a few miles away. Thankfully, as the nice owner of the scooter co. informed me, they have a policy of only shipping to the billing address and the sweaty-toothed madman didn't get his precious scooters. Ha!
So since the nice owner of the scooter co. shared the IP address of the person who made the order, and being a huge internet nerd, I have already traced the origin (via nslookup) to an AOL user who was logged in and using AOL at 11:53am on 9/7/03. I might just have the means to track this guy down. I'm turning this over to the credit card company immediately, but the "sue everybody" American in me wants to go after this bastard for mental anguish, lost time returning the scooters, making this post, etc., and emotional damage to my 3 year-old daughter who was understandably excited about the scooters (perhaps even as excited as me!).
What do you think?
Story repeated at my blog [tarponcreek.com]
Re:Article is spot on. Happened to me.. (Score:2, Interesting)
Even a half-assed scheme could prevent most cases (Score:4, Interesting)
Sure you can, especially when the current security system is virtually non-existent.
My proposal is simple:
* 2 key-pairs are issued to every individual by the DMV
* The first (public) key is freely given to everybody
* The second (private) key is stored on a chip in a credit-card sized pocket calculator like device, or smart card. ($5-$10 device which is paid by the driver upon issuance)
When you need to prove your identity, you will be challenged with a random number, which can only be encrypted with the private key and verified by the public key.
* Challenger gives you random number
* Your encryption device encrypts the number with the private key
* Challenger verifies encryption with public key.
In the event a private key is compromised, the corresponding public key will be published in a public database (which institutions should be required to check) and a new private key will be issued.
The encryption community has come up with many solutions for this problem over the last few decades, and I know the consumer electronics and card issuance industry (in which I used to work) would love nothing more than for the government to stop dragging its heels and select one of the many drafted standards.
We can solve this problem without creating another government institution or delegating it to one corporation.
Why aren't nerds pushing for an open and honest solution to this problem? Isn't solving problems like this a nerd's wet dream?
Like I said before, even a half-assed scheme would be better than our current social-security passwords.
Don't like my solution? What are your ideas?
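The exchange proposed above, and the identifier-versus-authenticator distinction from the "SSN used as identifier" reply, as an added example that is not part of the post: the holder's ID is public and only selects which key to check, the private key on the card produces the proof, and the challenger consults a published list of compromised keys before trusting a response. The directory, holder identifiers and error names are assumptions for the example. The post says "encrypt with the private key"; with a signature scheme that step is a signature over the challenge, which is what is done here with Go's standard-library Ed25519.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Errors the challenger hands back to the relying party (names assumed for
// this example).
var (
	ErrUnknownHolder = errors.New("no key on file for holder")
	ErrRevoked       = errors.New("holder's key is listed as compromised")
	ErrBadSignature  = errors.New("response does not verify against holder's public key")
	ErrBadChallenge  = errors.New("challenge too short to be unguessable")
)

const ChallengeSize = 32 // bytes of randomness per challenge

// Registry is the hypothetical public directory from the post: the issuer
// (the DMV in the post) publishes each holder's current public key and
// lists keys that have been reported compromised.
type Registry struct {
	keys    map[string]ed25519.PublicKey // holder ID -> current public key
	revoked map[string]bool              // hex(public key) -> reported compromised
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

// Issue generates a fresh key pair for holder. The public half goes into the
// directory; the private half is returned to stand in for the chip on the
// card and is never stored by the issuer.
func (r *Registry) Issue(holder string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	r.keys[holder] = pub
	return priv, nil
}

// Revoke marks holder's current public key as compromised. The holder keeps
// the same identifier; a later Issue gives them a new pair.
func (r *Registry) Revoke(holder string) {
	if pub, ok := r.keys[holder]; ok {
		r.revoked[hex.EncodeToString(pub)] = true
	}
}

// NewChallenge is the challenger's random number. It must be fresh per
// transaction, otherwise a recorded response can be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, ChallengeSize)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Respond is what the card does: sign the challenge with the private key.
func Respond(card ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(card, challenge)
}

// VerifyResponse is the challenger's side: look up the holder's public key,
// refuse keys on the compromised list, then check the signature over the
// exact challenge that was issued.
func (r *Registry) VerifyResponse(holder string, challenge, response []byte) error {
	if len(challenge) < ChallengeSize {
		return ErrBadChallenge
	}
	pub, ok := r.keys[holder]
	if !ok {
		return ErrUnknownHolder
	}
	if r.revoked[hex.EncodeToString(pub)] {
		return ErrRevoked
	}
	if !ed25519.Verify(pub, challenge, response) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	reg := NewRegistry()
	card, err := reg.Issue("holder-0001") // hypothetical identifier
	if err != nil {
		panic(err)
	}
	ch, _ := NewChallenge()
	resp := Respond(card, ch)
	fmt.Println("fresh challenge:   ", reg.VerifyResponse("holder-0001", ch, resp))
	ch2, _ := NewChallenge()
	fmt.Println("replayed response: ", reg.VerifyResponse("holder-0001", ch2, resp))
	reg.Revoke("holder-0001")
	fmt.Println("after revocation:  ", reg.VerifyResponse("holder-0001", ch, resp))
}
```

Two points the bullet list leaves implicit are enforced here: the challenge is generated by the challenger, never by the card, and is thrown away after one use, so a response captured in transit does not verify against the next transaction; and a revoked key stays rejected even for a response that was once valid, while the holder's identifier simply maps to the newly issued key.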
Re:Article is spot on. Happened to me.. (Score:4, Interesting)
Even worse is that they would fire, without fair cause, a person that was already underpaid (thus broke) without taking care to finally fix their security. If I was a thief I could be very well off. I'm sure a lot of other IT/programmer types have similar experiences. I'm sure that not all of us are behaving ourselves with the economy the way it is.
I still shop with vendors I know are storing my data but I'm careful with how much I give them. I don't use checks. I don't use credit cards. I do use a debit card but I was careful to get one that couldn't spend more than was actually in my account and I'm careful not to put more into the account than I'm expecting to use right away. That still leaves me open to damage but at least it controls the damage. I buy with cash or COD when it's possible (my last computer came from iDot.com because they allow purchase by COD).
Re:Article is spot on. Happened to me.. (Score:2, Interesting)
We make a thorough check for the "legit" before we can actually write something off as fraud.
Re:Locking mailboxes? (Score:4, Interesting)
Re:This is not correct (Score:4, Interesting)
This is not correct. Despite this, financial advisors repeat this like a mantra.
It's partially correct. By leaving a bunch of available credit around (unused credit cards), you increase your accessible credit. When deciding whether to extend credit to you, creditors usually look at this number. Old credit cards that you never closed => larger amount of available credit (that you don't use) => lower amount of credit that you do use.
Re:Article is spot on. Happened to me.. (Score:2, Interesting)
Some fuck took my check out of my mailbox, forged my signature and put the check into HER OWN bank account (using her own bank card). I had to apply to get a new check issued from the government, which caused an insulting investigation:
"Look MR. X, we have your signature right on the cheque..." Of course I was happy to go and prove that my nasty assed grade 3 sig is much different from the bubbly and (in my mind) obviously female forgery.
Long story short: they issued me another cheque, but not before my tech school sent the collection agency after me (god bless 'em) and ruined my credit. The bank where the check was cashed refuses to do an investigation into the person who stole it for whatever reason (probably bad publicity), even though they used their bank card and an automated teller. They reimbursed the government and in their minds it is case closed.
BUT IT WAS MY IDENTITY THAT WAS STOLEN! Not the bank's who couldn't give two shits about a few measly thousand bucks anyway.
Anybody want to go to court with me on 16 Septembe (Score:2, Interesting)
Short version is, my entire family goes to Morocco and Italy for a month. While we're gone, the person who was supposed to be picking up the mail, ehm, forgot, let's say. So, when the morons at our escrow company decided to send the DEED to the house in regular ol' 1st class mail, not certified, not registered, and sure as hell without calling first, some nutbar picked it up.
Thank god he was too stupid to realize he was holding a $1,000,000+ piece of paper, with loan documents that included SSNs, account numbers, dates of birth, and (don't ask) mother's maiden names.
Re:wait until this happens to you (Score:3, Interesting)
What's interesting, too, is you can do the math on the number of colors of your car and the average number of keys per model (generally 20) and figure out the odds of you accidentally driving off with someone else's car in a parking lot.
Happened to me once when I was a kid -- we came out, got in the car and started it, and I told my Mom someone had broken into the car and stolen everything because the car was spotless (and ours certainly wasn't).
Our car was two rows over.
Re:I don't understand. (Score:2, Interesting)
What really bothers me are the security sheep that complain whenever I ask to see a photo ID when they make a charge on a credit card. At my previous place of employment, I was fortunate that every employee was like-security minded, so I received back-up from my fellow employees up to the lead manager. The common excuse:
"You can't ask to see my ID, that's an invasion of my privacy!"
My canned response: "I check photo IDs with every credit card transaction to help prevent credit card fraud by verifying the names and signatures on both cards and the photograph. It's also within the store's right to refuse method of payment; if you don't want to show a photo ID, I'll gladly accept cash..."
Granted, just looking at an ID is not 100%, but it's a small step in the right direction in my opinion. There have been many times where a spouse was using the other's card. Being a security freak, and seeing that the last names were the same but the first differed, I'd ask that the husband or wife come in to do the signing, since this wasn't their card to make purchases on. Most people had no problem with that. I'm still wavering on the whole copying driver's license information on check purchases issue. While it helps the store track the customer ( supposedly ), it'd just as likely help anyone who obtained the check as well.
By LAW use of SSN is illegal in most circumstances (Score:2, Interesting)
IT IS ILLEGAL FOR ANYONE ELSE TO DEMAND YOUR SSN.
This means that anytime you are being paid, receiving money, or items that may result in tax credits, it is legal, so everything related to employment, prize winnings, interest payments, etc. is fine.
However, for insurance companies, doctors' offices, Departments of Motor Vehicles, and even the police, it is illegal for them to demand it, although they can request it.
But, you must be insistent and sometimes a bit devious to effect this.
When you are signing up for any insurance or signing up with a doctor or medical office, the SSN is the first thing they demand. With the insurance company, if on paper, just enter "Issue New ID" in the SSN field. If talking to a person, they will tell you that they need the SSN to proceed. Insist that this is illegal, that they have other procedures, and ask to speak to their manager. The person will resist for some time, then come back sheepishly and tell you that they can issue another number. For doctors' offices, give them the number that the insurance company issued, as if it was the real number.
For DMV, you usually have to check for some special exception on a form or even get a special exemption form, and you may have to forego some kind of conveniences, e.g., you may have to go to the office to renew, instead of them sending the card.
With the police it is a bit more tricky, especially when some officer in Junior Gestapo mode is demanding your info at a traffic stop. I've found that they appreciate neither being told the fact that they have no right to demand that information, nor being asked if they are going to be paying me something. The best route is to simply say "I don't remember it exactly, and I don't want to risk giving you false information", which they cannot really argue with (they don't know that it only takes you 4 seconds to permanently memorize any 47 digit sequence you encounter
All of this is well worth avoiding all the extra links that could be made by anyone fishing in your data.
Compare with Europe (Score:4, Interesting)
And there are some obvious reasons for this:
- Nobody in Europe has mail boxes without a lock. European mailboxes are usually flat, upright, rectangular boxes with a slit on the top of the front where the mailman drops the letters and they fall down a slide so you cannot get them out without using either very long pliers or, of course, the key to unlock the door at the back.
- No bank would give you a checking account or credit without checking your ID card, making a photocopy of it and noting the number. (Remember that in most European countries (except e.g. the UK) every citizen is required to have a national ID card which you show whenever somebody has to be sure of your ID. These cards have all kinds of witty security features to make them really hard to counterfeit.)
- All laws and courts agree that reasonable proof that somebody did make a business transaction is a signature on a piece of paper, or at least some computer record showing that the customer has entered a secret PIN. 'Secret' meaning that nobody else should be able to know it. (PINs are printed out by the banks' computer systems and put in a sealed envelope without any employees being able to look at them.)
- Especially, if you told a court that a business transaction was valid because you checked the caller's identity on the phone by asking for his SSN (or some local equivalent of this), his date of birth or his mother's maiden name, the judge would probably only laugh at you.
While staying for half a year in California, I was quite astonished at the lax way of checking identities common in the US.
(For example, I got liability insurance for the used car I bought by just phoning the company. The guy asked for my Visa card number, then said 'Fine. Your car insurance is valid starting now, i.e. 4:13 pm.' That was great and convenient, but after all, I still prefer the European way, where they'll first ask 'So, how do we know, that this was your credit card number, and not taken from some receipt you picked out of a trash can?'. As the very least they would want proof of your address so that they can send you a court summons in case you tried a fraud.)
Re:wait until this happens to you (Score:4, Interesting)
We thought it was kind of funny until we realized that the owner of the other car could do the same thing.
Re:How often they get caught (Score:3, Interesting)
Could happen.