Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Security The Almighty Buck United States

Cringely on Identity Theft 630

Boiled Frog writes "Prompted by the theft of his mail, Cringely investigates how easy it is to steal identities from government publications. In this article he explains how he got the identities of 300,000 people which he calculates to be valued at $65 billion dollars. If Cringely can do it, anyone can."
This discussion has been archived. No new comments can be posted.

Cringely on Identity Theft

Comments Filter:
  • by Lysol ( 11150 ) * on Friday September 12, 2003 @11:30AM (#6942839)
    I had my identity stolen about 8 years ago. It suuuuuked!

    In San Francisco, when some people move out, they throw all this crap they don't need anymore on the curb. I saw this thoughout the city, time and time again, so when it came time for me to move, I did the same.

    I got rid of almost everything! This included, tons of old papers - possibly old pay stubs. Big NO NO! At one point, I even noticed some people looking through the big pile. "Just people who like crap", I thought.

    Six months later, the Postmaster General Attorney's office in San Jose calls me saying they've arrested someone on postal fraud that had my name and info in his little black book. It was under a section that basically was ready to have a drivers license and social security card issued in my name with this guy's picture!

    To make a long story short, the guy went to prison and I had to notify all agencies where I had any type of id or credit/bank card to put a watch on them for the next six months.

    My lesson learned: shread everything.

    However, online, this is a totally different issue and the only thing I can suggest and do about that is to check into companies and try to make sure they are responsible about how they store your credit-card information. I've personally written to all the online companies I use to ask as how they protect my information. If it ever seemed like they weren't up to snuff, I explained my concerns and asked for some sort of reassurences. Although, I must admit, that's not the best thing and sometimes letters to the BBB and other groups/agencies are necessary.
    • by BWJones ( 18351 ) on Friday September 12, 2003 @11:36AM (#6942910) Homepage Journal
      To make a long story short, the guy went to prison and I had to notify all agencies where I had any type of id or credit/bank card to put a watch on them for the next six months.

      Good to hear this person actually went to jail. I should add that the other thing you should do is check your credit history and cancel all old credit cards that you may not even know are still active. A friend of mine had someone get access to three old credit cards that he had cut up, but had not actually cancelled the accounts. A couple of years later he was surprised to find the companies were telling him he owed $30k worth of charges.

      • Or keep an eye on the old ones. You don't want to cancel older accounts, especially if they had a good history b/c that in effect shortens your credit history and lowers your credit score. Be careful not to screw your own credit record while trying to prevent other from doing the same.
        • by The_K4 ( 627653 ) on Friday September 12, 2003 @12:00PM (#6943211)
          Wrong. A closed account still shows on your credit report, It won't drop off for 4 years. It will show as "closed" but will indicate your history. Run your own report some time and look at the non-revolving accounts! By leaving it open you lower your avaliable credit. Also having a large number of open accounts LOWERS your score! It's better to have 2-4 cards with high credit limits then 7-10 with average limits, and will give you a better score. I closed 3 old cards that I never used, my credit score went UP and then the 3 cards I still had all offered to raise my limits. If you have old cards taht you don't/won't use...>CLOSE THEM! they hurt you alot more then they help.
      • by MemeRot ( 80975 ) on Friday September 12, 2003 @12:39PM (#6943645) Homepage Journal
        I've heard the rate at which people who commit identity theft get caught is around 1 in 7000.

        So you have a much better than 99.9% chance to just do it to your heart's content and walk away with the money. That's pretty freakin' scary. A crime where you never have to see your victims, never have to face any consequences, and make tons of money. Can you imagine what would happen if a misguided Robin Hood decided to popularize the techniques and teach them to America's poor? Would the entire banking industry collapse at once? With a million people doing it simultaneously you would obviously overload the already overloaded investigative ability of the gov't and probably change the ration to 1 in 100,000 getting caught.
        • by Fulcrum of Evil ( 560260 ) on Friday September 12, 2003 @01:37PM (#6944297)

          Can you imagine what would happen if a misguided Robin Hood decided to popularize the techniques and teach them to America's poor?

          Tyler Durden?

        • by rifter ( 147452 ) on Friday September 12, 2003 @05:13PM (#6947555) Homepage

          I've heard the rate at which people who commit identity theft get caught is around 1 in 7000.

          So you have a much better than 99.9% chance to just do it to your heart's content and walk away with the money. That's pretty freakin' scary. A crime where you never have to see your victims, never have to face any consequences, and make tons of money. Can you imagine what would happen if a misguided Robin Hood decided to popularize the techniques and teach them to America's poor? Would the entire banking industry collapse at once? With a million people doing it simultaneously you would obviously overload the already overloaded investigative ability of the gov't and probably change the ration to 1 in 100,000 getting caught.

          This is because the police refuse to even investigate these crimes. Most of the id thieves we hear about getting caught were actually caught committing some other crime (or pursued therefore). In one of the previous slashdot articles, they had a police officer in charge of ID theft investigations who essentially admitted he sat on his butt all day and answered the phone telling people they were SOL. He said that they even told him who or where the thief was and that did not get him out of his chair.

          The big misconception is that ID theft is all the victim's fault, much like the oft-repeated myth that you can only get worms/viruses by clicking on attachments. The claim is that id theft only happens when people are carelesswith their trash. That is the old way, but it is easier than that now. As Cringely points out, you can get all the info you need for massive id theft for a minimal fee, like $20, or free.

          Of course the most amusing part of all this is that Al Qaeda has been using id theft techniques for decades. If I were a terrorist, that would be the first thing on my list besides cashing in on nigerian spam scams. After all, what terrorist would not want billions of untraceable dollars, untraceable connections to the internet and cellular networks, and a free ride on the passport train to paradise? Yet our illustrious leaders are still keystone kopping it through life instead of actually doing something to fight these threats.

        • Reminds me of the sci-fi story, "Little Heroes", where the cyber-revolutionaries were distributing hacker programs called "bedbugs" to the poor for free which were used to nickel-and-dime the US Treasury and the IRS to death!

          Could happen.

    • by TopShelf ( 92521 ) * on Friday September 12, 2003 @11:37AM (#6942917) Homepage Journal
      I was somewhat luckier. On the same day, I got a notice from a small long-distance telephone company saying I had an account that was being sent to collections, as well as another note saying that the account had been closed and that no further action was necessary. When I called, it turned out someone had used a credit card number in my name to set up an account and wrack up charges, and was eventually recognized as a fraud and everything was closed out.

      The scary part was that if I hadn't called these guys up, I never would have known about the identity theft. How often does something like that occur, where the situation gets resolved but the intended victim is never informed???
      • by MacFury ( 659201 )
        About a year ago I signed up to see If I qualified for a free phone from ATT Wireless. It was one of those mall kiosks. I did qualify, but delayed getting a phone from them, and instead went with Verizon.

        Three months later, I get a call from ATT wireless about my enormous phone bill. I told them they must be mistaken so they tried a couple of different things to verify that I was me, then called the cell phone to do the same thing. Obviously the person on the cell phone couldn't answer the questions.

    • by jbottero ( 585319 ) on Friday September 12, 2003 @11:48AM (#6943069)
      My solution to discurage anyone from stealing my identity has been to default on all my student loans, consistently pay my credit cards a few month late, and write anti-government propeganda letters to the local paper (amazingly, I still have my DoD security clearence!). The scammers run screaming...
    • A similar thing happened here in France.
      But it was in a way more serious since the French have "Unfalsifiable" (yeah right), identity papers.

      A guy got arrested for not paying his fines for travelling with the trains without ticket.. (If you get busted without a ticket they take your name and address and send you the fine.)

      Problem was that he didn't live in France at all but in one of the former colonies, and had never actually been to those places where he was supposed to have been.

      After a bit of

    • by swordboy ( 472941 ) on Friday September 12, 2003 @11:52AM (#6943120) Journal
      My lesson learned: shread everything.

    • by Anonymous Coward on Friday September 12, 2003 @12:05PM (#6943264)
      The newest scam are VINs, the vehicle identification number. Once you have that and the proper books, you can cut keys.

      With the key, you just drive it off the shopping mall lot. And there's no sign of forced entry, so the insurance company says "you left the key in the ignition, tough for your claim. Happened to us on vacation. And 10 year old clean cars are in more demand for the body parts, it isn't just the new Hondas.

      Tape over that damned number.
      • VIN numbers (Score:5, Informative)

        by afniv ( 10789 ) on Friday September 12, 2003 @01:01PM (#6943864) Homepage
        Read more on VIN numbers and stoen cars at snopes.com:

        http://www.snopes.com/crime/warnings/vin.asp [snopes.com]

        As stated in the link, I highly doubt anyone can just steal a car of the shopping mall lot. It takes too long to get a key made. You will be home by then. Also, I think covering the VIN number may be illegal in some states/countries.
      • And there's no sign of forced entry, so the insurance company says "you left the key in the ignition, tough for your claim.
        And if you say "No I didn't. Here are my keys right here where they always are, on the same ring as my house keys and everything." are they going to accuse you of quickly replacing all your lost keys to defraud them? I'd like to see that in a court. Who is/was your insurance co.?
      • And there's no sign of forced entry, so the insurance company says "you left the key in the ignition, tough for your claim.

        That story sucks and I feel bad for you, but I don't understand how there could be no sign of forced entry on a car that's been stolen. Not to sound like the Bloodhound Gang / Sherlock Bones / Encyclopedia Brown here or anything. Presumably you came back and the car was gone, and was reported as a theft.

        Was the car recovered? And if so there's probably not much of a claim there...
      • by mttlg ( 174815 ) on Friday September 12, 2003 @01:18PM (#6944046) Homepage Journal

        Tape over that damned number.

        Go ahead, if you don't care about violating federal law and giving the police a reason to believe that the car has been stolen. From U.S. Supreme Court case NEW YORK v. CLASS, 475 U.S. 106 (1986) [findlaw.com]:

        To facilitate the VIN's usefulness for these laudable governmental purposes, federal law requires that the VIN be placed in the plain view of someone outside the automobile: [475 U.S. 106, 112]
        "The VIN for passenger cars [manufactured after 1969] shall be located inside the passenger compartment. It shall be readable, without moving any part of the vehicle, through the vehicle glazing under daylight lighting conditions by an observer having 20/20 vision (Snellen) whose eye point is located outside the vehicle adjacent to the left windshield pillar. Each character in the VIN subject to this paragraph shall have a minimum height of 4 mm." 49 CFR 571.115 (S4.6) (1984) (emphasis added).
      • A pro theif wouldn't waste the time to do that. Most car models have 20-30 different keys, thats it. Someone with dealer contacts can *easily* get a keychain of all the possible keys for a given model in a given year. Doesn't take long in a car to run through 20-30 keys to open the door.

        Whats interesting, too, is you can do the math on the number of colors of your car, and the average number of keys per model (generally 20) and figure out the odds of you accidentally driving off with someone else's car in
        • by xpccx ( 247431 ) on Friday September 12, 2003 @04:32PM (#6946993)
          I'd like to see the number of different codes for wireless key entry. A buddy of mine and I were walking out to his car one night. When he used the wireless key to unlock his car, it also unlocked another car two to three spots over. We looked around thinking the other owner must be nearby and the two just happened to to unlock the car at the same time. But no one else was in the lot. We sat there for the next minute or so locking and unlocking both cars with one remote.

          We thought it was kind of funny until we realized that the owner of the other car could do the same thing.

      • Simple solution: whenever the dealer looks up the key geometry in the database that associates it with the VIN, a record should be kept. If your car is stolen, and a key was made the hour before, you obviously didn't leave the key in the igniton.
    • by jafac ( 1449 ) on Friday September 12, 2003 @12:16PM (#6943377) Homepage
      The main issue to be concerned about, *unfortunately* involves politics.

      It's the basic question of:
      When someone is running a business, and profiting handsomely from it - should they, or should they not, be responsible for the safety of their customers?

      It's already been established that Automakers should be responsible for defects in their products which compromise car-owner safety.

      The airlines, of course, have dodged responsibility for the lax security they provided which enabled 9/11. Instead of a slap on the wrist, they were rewarded with hundreds of millions of taxpayer dollars in bailouts - and union-busting government arbitration - and, eventually, bankruptcy protection. Wow. I wish I had a business that the government was that generous to.
      But I guess Alaska Air has been getting slapped around for negligent maintenance.

      Now, if you spend $10,000 on a Microsoft server to protect your data, and it falls prey to a security glitch, we all know that Microsoft can't be held responsible.

      Who's held responsible?

      In the Old West - banks were often robbed. And stagecoach deliveries of funds. People were afraid to put their money into banks because if the bank was robbed, their savings would be lost with no recourse. Banks didn't take the responsibility of hiring enough security to prevent robberies. It would have made their business much less profitable.
      Then the US Government created the FDIC insurace act, which insured bank deposits, and made bank robbery a federal crime, so robbers couldn't simply cross state lines to escape justice.

      It was *not* a constutional duty of the government to do so - unless you check the preamble, and read the phrase ". . .to (sic) promote the general welfare. . . " because the result of this act was to reduce the bank robbery, increase the public's faith in the banking system, making more funds available for the economic development of the American West. Which had incredibly huge benefits for all Americans.

      The question here is - would government be overstepping it's constitutional boundries by going in and protecting our personal data in the hands of corporations?
      That's a matter of opinion.

      Would the government be overstepping it's constitutional boundries by mandating that companies, in posession of citizens' personal data, be responsible for taking appropriate measures to secure that data?
      Possibly - but in today's political climate, it would definately NOT be a Republican to suggest such.

      What problem would be solved?
      Citizens would be protected - that's a nice thing. And falls right in line with "...provide for the common defense..."
      Public faith in ecommerce would arise, which might stimulate the economy - which wouldn't be a bad thing.

      A solution is out there. But there are right ways to do this, and wrong ways. I'm certain that the wrong thing to do would be the neoconservative lassez-faire approach. And that's probably the approach our current set of (s)elected officials will choose.
    • by bug506 ( 584796 ) on Friday September 12, 2003 @01:12PM (#6943961) Homepage
      I'm not sure if you are still in California, but if you are you can get a "security freeze" put on your credit report.

      This is different from the "security alert" that most people tell you to put on your credit report when fraud happens.

      With a "security alert," basically it's just a notification to creditors that they should be careful. They can still get your credit report. Apparently, many creditors ignore this warning so you are not guaranteed that someone else isn't applying for credit in your name.

      With a "security freeze," no one can get your credit report (with a few exclusions such as the police with a court order). It's much much safer.

      The credit report agency sends you a PIN that you use to temporarily or permanently remove the security freeze. For example, if you are applying for a mortgage in the next 15 days, you can remove the security freeze for 15 days, and it will be put back on once that period of time is up.

      The credit report agencies do not want people to know about this option because if everyone takes advantage of it then their whole system fails.

      Under California law, there is no charge for a security freeze on your credit reports IF you have ALREADY been the vicitim of fraud. (Someone used some of my checks and stole my credit card number before, so I qualify). If you have not ALREADY been a victim, you can pay some ridiculous amount to have it put on (on the order of $50/year).

      I believe Texas may have a similar law (because my letter including the PIN from one of the agencies said "security freezes are only available in California and Texas" and that if I move out of CA then I have to notify them so that they can remove the security freeze).

      For the last year, I played the credit report agencies' game. I PAID THEM $80/year to get access to MY OWN INFORMATION to make sure no one was using my credit fraudulently. When I renewed a couple of months ago, they changed their policy and limited the number of times a year you could view your credit report. So I dropped them, and was going to sign up with a competitor (still playing the game) when I found out about the security freeze.

      For more info:


      http://www.fightidentitytheft.com/legislation_ca li fornia_sb168.html

      Of course, if you are not in California (or Texas I think), then you can try seeing if your representatives in DC will make this a national requirement.

    • by MikeFM ( 12491 ) on Friday September 12, 2003 @01:16PM (#6944008) Homepage Journal
      I've worked at quite a few companies that handle important customer data and to be honest not one of them made any effort to protect that data either from employees or crackers. Management doesn't care and if an employee raises an alert (even internally) they are likely to get fired. 300,000 people is nothing. I've had access to millions of people's data. Actually I still do since I know for a fact these companies haven't made any effort to protect the data since I left and I was the one who put what security that does exist into place. I bet most even still use the passwords I placed on the servers.

      Even worse is that they would fire, without fair cause, a person that was already underpaid (thus broke) without taking care to finally fix their security. If I was a thief I could be very well off. I'm sure a lot of other IT/programmer types have similar experiences. I'm sure that not all of us are behaving ourselves with the economy the way it is.

      I still shop with vendors I know are storing my data but I'm careful with how much I give them. I don't use checks. I don't use credit cards. I do use a debit card but I was careful to get one that couldn't spend more than was actually in my account and I'm careful not to put more into the account than I'm expecting to use right away. That still leaves me open to damage but at least it controls the damage. I buy with cash or COD when it's possible (my last computer came from iDot.com because they allow purchase by COD).
  • There is so much personal information out there and some people are so uninformed about who not to give this information to or how to secure the information that they have been given. This problem will only get worse. I for one have no idea how to deal with it.
  • by Anonymous Coward on Friday September 12, 2003 @11:32AM (#6942865)
    In fact, someone has stolen my account. I'm not really an AC...

    Watch out - this could happen to you.

  • by 3.5 stripes ( 578410 ) on Friday September 12, 2003 @11:33AM (#6942872)
    I mean, he's no H4Xx0R god or anything, but he seems to be fairly knowledgable.
  • by jratcliffe ( 208809 ) on Friday September 12, 2003 @11:33AM (#6942878)
    "...valued at $65 billion dollars"

    Come on editors, I know it's early on the West Coast, but really.
  • by Anonymous Coward on Friday September 12, 2003 @11:34AM (#6942881)
    Some bastard stole my identity and wrote that article under my name!
    • by camusflage ( 65105 ) on Friday September 12, 2003 @12:03PM (#6943239)
      You're closer to the truth than I think you knew.. I dare you to ask PBS and Infoworld who Robert X. Cringely is. From an old wired article:
      Unfortunately, in 1995, as PBS was editing Triumph of the Nerds, InfoWorld fired [Mark] Stephens [who had written the Cringely column for years--ed] - which was sort of like firing Mary Ann Evans from being George Eliot. InfoWorld thought that it ought to have exclusive dibs on the Cringely name. (In a spooky twist, if anyone really owns the rights to the Cringely name, it is probably Cringely's girlfriend's father, who put an imaginary "Al Cringely" scapegoat on his PR firm's masthead decades ago. The surname was eventually imported by InfoWorld.) Cringely still feels the betrayal deeply - first because, as he sees it, InfoWorld dismissed him without warning, and second, because they accused him of trademark infringement for continuing to use the name that he had done so much to build. "InfoWorld sued me," he says, still sounding incredulous. The case was settled out of court; InfoWorld kept the trademark, and today, another scribe's Cringely column appears in its pages every week. But the company was ordered to pay Cringely's court costs, and he was given license to use the coveted name professionally - "As long as he doesn't use it in computer publications," InfoWorld's editor, Sandy Reed, who fired him, clarifies. "PBS we don't compete with."The lowly Cringely, as ever, somehow came out on top.
  • by Flabby Boohoo ( 606425 ) on Friday September 12, 2003 @11:35AM (#6942896) Journal
    why you use a PO box, like I do.

    Don't have to worry about such things.
  • by Samurai Cat! ( 15315 ) on Friday September 12, 2003 @11:36AM (#6942909) Homepage
    I'll only go as high as $50 billion and not a penny more!
  • by jargoone ( 166102 ) on Friday September 12, 2003 @11:36AM (#6942913)
    I'm usually not paranoid, but talk of identity theft, and nearly being a victim (copied credit card when I visited Mexico), convinced me subscribe to a credit monitoring service. They notify you right away of changes to your profile, and give you free periodic credit reports. I'm trying to start a small business, so it's more important now than ever.

    True Credit [truecredit.com] turned out to be the cheapest at $11/quarter for the basic service. This is not a referral link, and I'm not affiliated with them in any way. Just sharing information.
  • Murder is easy too (Score:5, Insightful)

    by stratjakt ( 596332 ) on Friday September 12, 2003 @11:37AM (#6942920) Journal
    You cant prevent crimes from happening, you can only improve the ability to catch the criminals, and reduce the damages.

    Worried about ID theft? Keep a close eye on your credit card bills, credit scores, etc.. Buy a paper shredder. Shred all bank statements and whatnot before you throw them out. Internet-shminternet, dumpster diving is the fastest way to someone's finances. Get the carbons at the gas station, or stores where they still use the old carbon-thinger credit card machine.

    Cringely is a blowhard trying to scare people, but frankly this isn't news. Using the 'net really doesn't make this easier - it's always been easy.

    I knew someone who got screwed big time by a gas station who would keep the carbons, and double bill her every time she filled up, the cash going straight into the owners pocket. She was a dope for letting it go on so long, as she never bothered scrutinizing her Visa bills. Turned out the station was owned by a Russian mobster. This was long before the world wide weeb.
    • by tbase ( 666607 ) on Friday September 12, 2003 @11:46AM (#6943035)
      You forgot "never put outgoing mail in your mailbox" when you were plagerizing the "blowhard". Oops- sorry, you have to RTFA to plagerize it :-)

      The article's point is that ID theft on a large scale requires more than dumpster diving or a crooked gas station, and he's pointing out that what ID Theives are doing to cause a 4 to 5 billion dollar problem one person at a time can be easily automated and there's a 300,000 name database of ssn's and dob's waiting to happen.

      Did I already say RTFA?
    • by Dr. Bent ( 533421 ) <benNO@SPAMint.com> on Friday September 12, 2003 @12:20PM (#6943436) Homepage
      "You cant prevent crimes from happening"

      OK, so when I leave my house in the morning, I shouldn't lock the door right? I mean, if someone is going to break in, that lock isn't going to stop them, so what's the point?

      And if I see someone in my office parking lot monkeying around with my car, I should just leave them alone. I mean, if they're gonna steal it, there's nothing I can do to stop them, right?

      And if I'm asleep at night, and I hear someone breaking into my house, I should just lay in bed, close my eyes, and go to my happy place. There's nothing I can do to prevent my house from being robbed or stop them from killing me.

      That's a bunch of crap. Criminals prey on the weak, and they're oppertunists. The less oppertunities you give them, the less likely you are to be a victim. Not only can crime be prevented, but YOU PERSONALLY, can prevent crime if you have enough sense to do it.
    • by JohnDenver ( 246743 ) on Friday September 12, 2003 @01:12PM (#6943954) Homepage
      You cant prevent crimes from happening, you can only improve the ability to catch the criminals, and reduce the damages.

      Sure you can, especially when the current security system is virtually non-existant.

      My proposal is simple:

      * 2 key-pairs are issued every individual by the DMV
      * The first (public) key is freely given to everybody
      * The second (private) key is stored on a chip in a credit-card sized pocket calculator like device, or smart card. ($5-$10 device which is paid by the driver upon issuance)

      When you need to prove your identity, you will be challenged with a random number, which can only be encrypted with the private key and verified by the public key.

      * Challenger gives you random number
      * Your encrypt device encrypts number with private key
      * Challenger verifies encryption with public key.

      In the event a private key is comprimised, the corrisponding public key will be published on a public database (which keys institutions should be required to check) and a new private key will be issued.

      The encryption community has come up with many solutions for this problem over the last few decades, and I know the consumer electronics and card issuance industry (which I used to work) would love nothing more than the government to stop dragging it's heels and select one of the many drafted standards.

      We can solve this problem without creating another government institution or delegating it to one corporatation.

      Why aren't nerds pushing for an open and honest solution to this problem? Aren't solving problems like this a nerd's wetdream?

      Like I said before, even a half-assed scheme would be better than our current social-security passwords.

      Don't like my solution? What are your ideas?
  • by Doesn't_Comment_Code ( 692510 ) on Friday September 12, 2003 @11:37AM (#6942925)
    Most instutions will cover your butt now if you get your ID stolen. So it isn't the money that costs you, its the work.

    You have to apply for coverage, and show evidence that your ID was in deed stolen. That can take months or years! And a lot of effort goes into all that. One of the worst parts is trying to restore your credit rating. While the whole process really shouldn't cost very much money ( $1000) it costs a quarter of your life to repair all the damage.
    • Sorry, that's supposed to read LESS THAN $1000, and that should be the worst. $1000 is two or three nice computers afterall.
    • by pyros ( 61399 ) on Friday September 12, 2003 @11:59AM (#6943195) Journal
      It does cost you money. Retail goods and services which can be purchased with credit cards usually raise the prices to to cover their merchant account costs, which go up as fraud increases. This is why you'll sometimes see retailers with a 2% cash/check/eft/anythingbutplastic discount. Retailers aren't allowed to list the added merchant costs as a line-item on your receipt, so you don't realise you're paying for it. I agree about the quarter of your life part. The system really isn't designed well to help people fix it. I know a person who has drug and prostitution charges on her records because of identity theft. It's ludicrous how difficult it is to fix these things.
  • by tinrobot ( 314936 ) on Friday September 12, 2003 @11:39AM (#6942952)
    If I were Cringely, I would have sold those names and now be the proud new owner of Microsoft. Free the source!
  • This is news? I've been living in a tent, typing this on an abacus and wearing a tinfoil suit since I saw the hyper-realistic 'The Net'.

    I mean, come on, it *is* easy to steal someone's identity, but what doesn't get enough attention is the human factor. Not enough people are willing to actually query oddities and if a document looks vaguely official, they'll accept it. After all, if you were trying to sign someone up for a credit card, would you query their ID and lose the possible comission?

  • by BWJones ( 18351 ) on Friday September 12, 2003 @11:39AM (#6942958) Homepage Journal
    From the article:"No, I mean what are you going to do about replacing my book?"

    "Why would we replace your book?"


    This is exactly why I use Fed Ex or UPS when ordering things. They can track your packages and they take responsibility when they screw up. Perhaps the Postal Service could take a lesson?

    • by stratjakt ( 596332 ) on Friday September 12, 2003 @11:43AM (#6943002) Journal
      Priority mail with insurance.

      Fed-Ex or UPS won't replace your item if you didn't get insurance, either.

      We just got a PC shipped back to us from the field by UPS. The box was smashed, and the machine looks like CowboyNeal sat on it. Picking it up I could hear all the fancy shmance electromonical doodads rattling around inside the twisted case.

      UPS won't do shit about it, because the fool didn't pay the 5 bucks for insurance.

      • FedEx insures everything up to $100. If you want more insurance, you can
        get it by paying a little more for it (note the "Declared Value" field
        on the FedEx Airway bill).
      • Goddamn UPS won't even ring the doorbell. They just dump the package on the porch, even if they are supposed to get a signature.

        I nearly tripped over my new DVD burner on my way in the house the other day, and my wife had been home ALL DAY!

        • Goddamn UPS won't even ring the doorbell. They just dump the package on the porch, even if they are supposed to get a signature.

          I've had dozens upon dozens of packages from UPS (as well as Fedex) and had to give my signature on every last one of the packages that required it. Never has a single package been left, if it required a signature. You need to take this up with your local office, since it sounds like you just have a single UPS delivery person that isn't doing their job.

  • by Boss, Pointy Haired ( 537010 ) on Friday September 12, 2003 @11:41AM (#6942981)
    If you're in the UK; you can register your name / address combination with CIFAS:


    The service is operated on behalf of the UK financial institutions by Equifax; and will add a layer of authorisation to your name / address combinarion when arranging credit etc. It probably means that you won't be able to buy stuff on instant credit; but the for the hassle that identity theft can bring I think it's worth it. Registration costs 12 quid for 12 months.

    Personally i'm amazed that institutions will lend large amounts of money without a definite proof of your identity; but I guess that's consumer forces for you - Dixons want you to be able to walk out of their store with that 32" wide screen TV purchased on instant credit. For all the sales that brings; they absorb the liability.
  • One Problem (Score:5, Insightful)

    by jetkust ( 596906 ) on Friday September 12, 2003 @11:42AM (#6942995)
    Possibly this wouldn't be such a big problem if a more relevant credit history was availiable to people without haivng to pay, wait, and damage their credit just to get a report.
  • Why not photo id? (Score:3, Insightful)

    by Anonymous Coward on Friday September 12, 2003 @11:43AM (#6943000)
    Maybe someone on slashdot knows: why doesn't my bank teller ask me for photo ID?

    All they ever ask to see is the bank book. Are bank accounts not tied to actual people, but instead are transferable, simply by giving away the bank book? If not, why don't they ask for my government or bank-issue photo ID?
  • Thank God my Slashdot user ID is still safe.
  • by Cade144 ( 553696 ) on Friday September 12, 2003 @11:46AM (#6943038) Homepage

    In the article it is mentioned that your Social Security Number is used as a universal identifier and as "proof" of identity.
    This is not a good thing.

    I work in the medical records/medical billing industry and a patient's SSN is one of the vital bits of information we collect and use to help index records.
    Also the patient's date of birth.
    For billing purposes, we need the patient's home address.
    The health insurance company also needs all this information. In fact, if we don't supply all of the patient's personal information, they often don't pay claims.

    We try to protect private information. We have yearly training, and monthly filers reminding us of the importance of protecting confidential infromatin. We have every bit of discarded paper shreded, and we have pretty good locks on our doors, and we have a fairly paranoid firewall, but the truly determined employee could always get their hands on thousands of patient records with everything needed for identity theft.

    It's probably the same way at Hospitals and Insuance companies too. Too many people have access to private information, and the social and technological controls on it are too weak.

    I hope that no one who has access to my personal information decides to do a bit of creative fundraising.

    I don't have any answers, but we ought to think of solutions pretty soon.

    • by EZmagz ( 538905 ) on Friday September 12, 2003 @12:09PM (#6943304) Homepage
      I totally agree that using a person's SSN as a global identifier is a baaaaaaad thing. Recently when asked for my SSN when signing up for different services and whatnot, I've started asking if I could use something else as an identifier. Literally all someone needs is your name, SSN, and date of birth and they're on their way to buying that bigscreen plasma TV you've had your eye on for two years...except while they watch it, you'll be stuck with the bill.

      On par with your workplace, I did a contract gig for a major HMO around Minnesota last year. The amount of information I had at my fingertips was amazing, considering I didn't need ANY of it for my job (Desktop Analyst). A close friend of mine works for the same HMO doing data-entry, and since he's in the billing department, he has free reign to people's entire credit and medical history, along with all the other goodies that any peon could exploit easily. I've asked him before how easy it'd be to print out a file on someone and take over their identity. The answer? "Easier than you'd believe."

      Scary shit indeed. One last thing that still boggles my mind is how many times I use my debit card and get the customer copy with my full account number on it. Seriously, it's usually at places where people throw them away right away...gas stations, grocery stores, and restraunts are the big 3 that I've noticed. Make sure to rip those little bastards to shreds once you walk out the door.

  • by IWantMoreSpamPlease ( 571972 ) on Friday September 12, 2003 @11:47AM (#6943052) Homepage Journal
    Wreck your credit score every 7 years by declaring bankruptcy.

    Then no one will want to steal your ID :-)
  • by pubjames ( 468013 ) on Friday September 12, 2003 @11:49AM (#6943081)
    In the last couple of months there have been an increasing amount of very sophisticated email scams.

    For instance, E-Gold members (and others) have been receiving emails like this

    Dear e-gold user.

    At 09.05.2003 our company was attacked by unknown
    persons. Out administrators is working on the database restoring.
    If you have an active account, please check if it is still active, your
    current balance is right and all transactions can be processed.
    If you find that your account is inactive, please letus know
    immediately at e-mail service@e-gold.com
    To check your account, please click on the link below:

    It looks official, doesn't it? And the link looks ok too. But it is an html email, and the actual link went to a page located at e-gold2.com, which looked exactly like the real e-gold site. Thus the fraudsters were able to get peoples log-on details. More here [e-gold.com].

    In the UK, many people have been receiving emails that look as if they are from Barclays bank (one of the biggest in the UK). It is a similar scam to the e-gold one. More here [theregister.co.uk].

    I myself have recieved and email asking me to update my ebay account details. Only on close inspection did I realise that it was a fraud.

    I find this extremely worrying. Personally I am probably like many Slashdotters - paranoid about security and difficult to catch out. However most people aren't like that, and this new type of scam email is an extremely worrying development, because it could catch a lot of people out. People really need to be informed about this type of scam, but I've yet to see much in the press about it. Any journalists reading..?

  • Scary websites... (Score:4, Informative)

    by Cassanova ( 578879 ) on Friday September 12, 2003 @11:50AM (#6943085)

    My wife and I tried buying something on the web on this one particular site. It asked me to register since I was buying stuff for the first time there. Filled up everything on the "new account" page and hit "register me". The page came back in error saying the id I was trying to register was already taken so I had to try another one. Not so bad. What was bad though was THE PAGE RE-LOADED WITH ALL THE FIELDS IN IT PRE-FILLED WITH THAT ALREADY-EXISTING USER ID's DETAILS! Address, phone number, first/last names everything on there for the taking.

    Scaaary. We politely backed out of the site and decided to buy elsewhere.

  • by popo ( 107611 ) on Friday September 12, 2003 @11:50AM (#6943092) Homepage

    Recently I signed a new cellphone contract and they *would not* allow me to sign the contract without giving them my SS# (which I imagine is for a credit check). What's the legality of that? Is there any way to avoid handing over SS#'s in these situations? Its terrifying that cell-phone services have huge databases of millions of Social Security numbers.


    • I questioned the sales rep when I was in the same situation. He said that it's used for nothing but the credit check.

      Then I got my first bill and saw that the first half of the account number was a significant portion of my SSN. I suppose that could be a 1/10000 coincidence.

  • by 4of12 ( 97621 ) on Friday September 12, 2003 @11:53AM (#6943132) Homepage Journal

    Public records are better if you want to be a crook because the Freedom of Information Act makes them completely available.

    Cringely was quite correct when he identified two parts of the problem: the ubiquity of using SSN as both an identifier and as authorization (or using credit card numbers this way).

    It would really be much better if the institutions we dealt with would accept identities and authorizations that were only valid for the specific transactions we conducted with them.

    But no, "people can't remember all those numbers". Well, people ought to have a private key that is really private, and public keys that anyone can use to verify that person X really authorized some transaction Y.

    But rely upon government to come out with a bad solution to this problem.

    The FoIA safeguards, which are important to keeping government transparent and more accountable to the people, will be abolished (as they have already been for various cases deemed to involve national security or "terrorism"), to "increase security for the citizens".

    We'll be trading a great deal in terms of liberty and knowledge of whether our government is acting properly for very little in the way of security.

  • by mr_resident ( 222932 ) on Friday September 12, 2003 @11:55AM (#6943162) Homepage
    After I had my ID swiped by a ID-less loser, I started taking precautions:

    Xerox/scan all your bank cards, credit cards, drivers license, etc front and back. Write down all the contact info and make sure you keep a copy in a safe place. NOT YOUR WALLET! If anything is lost or stolen call immediately!

    Open a second bank account to use for online transactions. I transfer only the amount of money I need to cover gas, lunch, online stuff to it. I don't use an ATM card on my primary checking/savings. If someone grabs a carbon, they don't get access to anymore than the few bucks I keep as a buffer.

    And as many have and will say here: Don't give out your SSN, check your credit report regularly for new lines of credit and shred early - shred often!
  • by mesach ( 191869 ) on Friday September 12, 2003 @12:03PM (#6943244)
    I need some money(being unemployed), who do I sell my info to?

    Just let me make sure I get that email about creating a new credit file first!
  • Cause and Prevention (Score:5, Informative)

    by nanojath ( 265940 ) on Friday September 12, 2003 @12:05PM (#6943256) Homepage Journal
    One of the issues not often addressed is the misuse (in my opinion, and some would argue by its original intention) of the Social Security number as a universal identifier in so many public and private functions. It happens for convenience - the SS # is government issued, unique and relatively difficult to spoof, so it's handy. But it shouldn't be allowed. The SS # should be used by the government for tax identification and issuance of SS and related benefits only. Unfortunately nobody wants to open this huge can of worms.

    There is certainly a degree of catch-22 involved between convenience and security. When my wallet was stolen with license and SS card (dumb to carry both but I recently needed them starting a new job)a few years back, I was glad that I was able to get a new drivers license with no identification except a birth certificate copy I was able to get with just my SS number and no identification - but the ease of doing so certainly gave me pause for thought.

    In addition to the sound advice of shredding, a good idea is to lock your credit reports from being issued without your consent and opting out of pre-approved CC offers. Instructions for both at this article - http://abcnews.go.com/sections/scitech/TechTV/tech tv_fraudprevent030815.html

    I'm just thankful my house has a mail slot that drops into an inaccessible bin inside the home.

    • by chrysrobyn ( 106763 ) * on Friday September 12, 2003 @12:40PM (#6943646)
      One of the issues not often addressed is the misuse (in my opinion, and some would argue by its original intention) of the Social Security number as a universal identifier in so many public and private functions. It happens for convenience - the SS # is government issued, unique and relatively difficult to spoof, so it's handy.

      I'm not certain about all of what you said.

      My mother worked in a state university admissions department in the 1960s and 1970s, and was a programmer and operator of their computer. One year, they had two applicants apply under than same social security number. They were able to verify that both people owned the same number! Turned out, the US Government didn't guarantee the uniqueness of the SSN-- it ALONG WITH YOUR NAME AND BIRTHDAY were your taxpayer unique ID. But the university had no way of admitting both students as they wanted to under the same SSN, so they asked one of them to get a new one. It wasn't hard once the Social Security Administration figured out why.

      Times have changed and computers have proliferated, and I've only done some casual investigation, but I've never found any guarantee by the US government that the SSN is unique.

  • by twofidyKidd ( 615722 ) on Friday September 12, 2003 @12:05PM (#6943258)
    What's really going to suck is when it actually happens to one of those high-profile, illuminati/politicians, there's going to be yet another increase in Orwellian-type citizen monitoring and authentication laws, most likely in the form of some Patriot II act.

    What worries me is not so much the people that try to steal identities, because as most of us understand how its perpetrated, its easier for us to avoid and/or control the consequences, but when some crazy system gets put into place 3 years from now by the Republican cronies because of some silent passing of a Partriot Act clause. I for one don't feel like having to provide a blood sample to get into my office, or giving a sperm sample for a new home loan ala Gattaca.

  • Locking mailboxes? (Score:4, Informative)

    by semanticgap ( 468158 ) on Friday September 12, 2003 @12:19PM (#6943419)
    Something that he doesn't mention but immediately came to mind - I live in a house and have one of those curb-side mailboxes. Anyone can swing by soon after the mailman does his delivery and go through my mail.

    I found this place that sells a "locking mailbox": http://www.oregontrailbox.com/
    I think I'm going to get one from them. If you come across anything better, or have experience, please reply.
  • by baywulf ( 214371 ) on Friday September 12, 2003 @12:40PM (#6943655)
    Once I came home in the evening and got a message on the answering machine to call my card company asap because of possible fraudulent charges. I soon enough called the number they gave me and identified my card number and password. Then I told them about my message and they started looking it up on the computer. After 30 seconds the guy says that the compter is slow and other excuses. After another 30 seconds he apologizes and suggests I call back later since the computer seems down. So I put down the phone and then it suddenly hits me that I have no idea way to verify that the other side was the credit card company. It didn't feel right that a major financial company would have computer problems like this. So now I immediately called back the number on the back of my card and got through okay. They did verify that I had fraudulent charges and canceled my number. I asked them about the other number but they were not too concerned and guessed it might be an internal fraud line number.

    In conclusion I still don't know if the original number was real or not.It could have been the card thieves trying to trick me. After getting the new card, I checked my credit report an month later to verify nothing new had been opened. The lesson I learned is to never use a number you cannot authenticate when doing sensitive stuff like this.
  • by Prometheus_NG ( 61422 ) on Friday September 12, 2003 @12:41PM (#6943665)
    I think something very vital is being missed here. Your name, address, phone numberm and SSN is not your identity. This is all public information. The problem is that we treat this information as if it was our identity.

    Are people really suggesting that this information be "secret"? The SSN is not meant to be secreat, can not really be secret, and every SSN card says explicitly that it is not meant to be secret.

    Surely we are not suggesting that one's name, address, and telephone number be secret.

    The problem is that this non-secret, non-unique information is used to identify people for many significant transactions. I.E. Driver's license, Mortgages, Credit Cards, etc...

    The other problem is many people are opposed to instituting any kind of authoritative nation wide identification system.

    Put aside your libertarian angst for a second and imagine if we did have a national DNA registry that positively and uniquely identified everyone. Sure we have all seen Gattaca and imagine ways of forging DNA derived identification, but it would be much harder.

    Much harder than the current system where all the tokens we use to identify ourselves are from non-secret, non-uniquely identifying information sources.
    • Well, two problems with using DNA as a secret for identification purposes:

      A. DNA is not unique -- consider identical twins, for example

      B. DNA is not secret either; certainly no more secret than fingerprints. You leave piles of copies in the form of hair and shed skin cells whereever you go.
  • I don't understand. (Score:3, Interesting)

    by hanwen ( 8589 ) on Friday September 12, 2003 @12:44PM (#6943710) Homepage Journal
    When I want to {open a bank-account,get a credit-card,get a drivers license} over here in Holland, I have to show my passport (which shows my photo and my SSN).

    New passports are only given out by the city-hall, and you have to turn over the old one, or show signed police-statements that you lost the previous one. (I suppose that they will corroborate with my home-address which is also known at the city hall for lost passports)

    How come photo-ids aren't required in the US?

  • by phildog ( 650210 ) on Friday September 12, 2003 @12:56PM (#6943818) Homepage
    Last night when I got home from work there were two electric scooters waiting in front of my garage. They had just been delivered by FedEx. I was surprised, because I hadn't ordered any scooters lately (ever) and wasn't expecting any. I drew up a very short list called "Friends of the scooter" who might have sent them as gifts, but alas, no luck after a few quick phone calls. So my hunch was either a)credit card fraud or b)computer glitch from company I had already ordered from.

    I called the scooter merchant this morning, and sure enough, someone had used my wife's AmEx card number to order the scooters and ship them to an address just a few miles away. Thankfully, as the nice owner of the scooter co. informed me, they have a policy of only shipping to the billing address and the sweaty-toothed madman didn't get his precious scooters. Ha!

    So since the nice owner of the scooter co. shared the IP address of the person who made the order, and being a huge internet nerd, I have already traced the origin (via nslookup) to an AOL user who was logged in and using AOL at 11:53am on 9/7/03. I might just have the means to track this guy down. I'm turning this over to the credit card company immediately, but the "sue everybody" American in me wants to go after this bastard for mental anguish, lost time returning the scooters, making this post, etc., and emotional damage to my 3 year-old daughter who was understandably excited about the scooters (perhaps even as excited as me!).

    What do you think?

    Story repeated at my blog [tarponcreek.com]
  • Compare with Europe (Score:4, Interesting)

    by sanders_muc ( 703587 ) on Friday September 12, 2003 @03:19PM (#6945626)
    Did you know that the crime of identity theft ist virtually unknown in Europe (at least in Germany, where I live)?

    And there are some obvious reasons for this:

    - Nobody in Europe has mail boxes without a lock. European mailbox are usually flat, upright, rectangular boxes with a slit on the top of the front where the mailman drops the letters and they fall down a slide so you cannot get them out without using either very long pliers or, of course, the key to unlock the door at the back.

    - No bank would give you a checking account or a credit without checking your ID card and making a photo copy of it and noting the number. (Remember that in most European countries (except e.g. the UK) every citizen is required to have a national ID card which you show whenever somebody has to be sure of your ID. (These cards have all kinds of witty security features to make them really hard to counterfeit.)

    - All laws and courts agree that a reasonbable proof that somebody did make a business transaction is a signature on a piece of paper, or at least some computer record showing that the customer has entered a secret PIN. 'Secret' meaning, that nobody else should be able to know it. (PINs are printed out by the banks' computer systems and put in a sealed envelope without any employees being able to look at them.)

    - Especially, if you told a court that a business transaction was valid because you checked the caller's identity on phone by asking for his SSN (or some lcoal equivalent of this), his date of birth or his mother's maiden name, the judge would probably only laugh at you.

    While staying for half a year in California, I was quite astonished about the lax way of checking identities common in th US.

    (For example, I got liability insurance for the used car I bought by just phoning the company. The guy asked for my Visa card number, then said 'Fine. Your car insurance is valid starting now, i.e. 4:13 pm.' That was great and convenient, but after all, I still prefer the European way, where they'll first ask 'So, how do we know, that this was your credit card number, and not taken from some receipt you picked out of a trash can?'. As the very least they would want proof of your address so that they can send you a court summons in case you tried a fraud.)
  • by PetoskeyGuy ( 648788 ) on Friday September 12, 2003 @05:23PM (#6947665)
    He read the earlier /. article and downloaded the Whois database.
  • by anthony_dipierro ( 543308 ) on Friday September 12, 2003 @07:41PM (#6948861) Journal
    it obviously isn't worth $65 billion.
  • by hansreiser ( 6963 ) on Friday September 12, 2003 @09:56PM (#6949539) Homepage
    What a bank considers an ID confirmation is just pathetic. I mean, come one, Mother's maiden name when every other bank also uses it? 4 digit pin codes?

    They belong back in the 19th century!

    We need to task the NSA, or a DARPA project, or any serious professional, with coming up with a secure banking id system, one that meets serious security standards, and just get the damn problem fixed. I think that if you picked any code breaker at random and gave him the task, he'd come up with something a hell of a lot better than what we got. If you held a nice contest, it would come out really nice.

    If we got some modern crypto-spooks involved, if we could get to where the KGB had to sweat even a little to crack our identity system, identity theft would be a crime very few could give a try. Just try reading a few books about what the KGB and CIA have to do to crack each other's security, and then compare that to mother's maiden name and social security number.

    That is the solution.

    As a minor improvement, all credit cards should be required by law to have photos on them that were supplied by the government, and verified to be the unique current registered photo for that id.

    All transactions not serious crypto-verified should be illegal to report to a credit agency.

The last thing one knows in constructing a work is what to put first. -- Blaise Pascal