Identity Thieves Not Big On Technology

alphadogg sends us to Network World, as is his wont, for a summary of a new study of identity theft based on the outcomes of more than 500 Secret Service cases from 2000 to 2006. Here is the study report (PDF). The AP has coverage emphasizing other slants on the findings. Among the surprises: just 51% of convicted ID thieves were sent to prison. Only 20% of the cases involved use of the Internet, and such cases may be on the decline. More perpetrators used good old-fashioned dumpster diving and stealing stuff out of mailboxes.

Lies, Damn Lies, and Statistics...

[gbulmash]

From the AP article: "The Federal Trade Commission has said about 3 million Americans have their identities stolen annually." And this study covers 517 cases over 7 years (2000-2006). I'm sorry, but I can't see a study of 517 cases during a period of approx. 21 million crimes providing really useful data.

Re:

[Tanman]

Team Leader: Mr. Cheney, please calculate our chances of successfully finding the correct identity theft information from our study of 517 obscure cases of random WMDs in Iraq this time.

Mr. Cheney: 0.0001273% repeating, of course

Mr. Bush: G.DUUUUUUUUUUUUUUB-YAAAAAAAAAAAAAAABUSH!

PEW PEW PEW PEW!

Team Leader: Damnit, G.Dubya!

Mr. Bush: Tacos rule!

Re:Lies, Damn Lies, and Statistics...

[hchaos]

From the AP article: "The Federal Trade Commission has said about 3 million Americans have their identities stolen annually." And this study covers 517 cases over 7 years (2000-2006). I'm sorry, but I can't see a study of 517 cases during a period of approx. 21 million crimes providing really useful data.

The 99% margin of error on this study is about 5.5% (e.g. there is a 99% chance that the real percentages are within 5.5 points of the reported percentages). If the sample size were 1000, we would see a margin of error of 4%, and a we'd need a sample size of 10,000 to give us a 1.2% margin of error. One of the things that you learn if you ever take a statistics course is that, regardless of your actual population, you just don't get much better results when your sample size increases beyond a few hundred.

You're making a poor assumption

[Chmcginn]

The 99% margin of error on this study is about 5.5% (e.g. there is a 99% chance that the real percentages are within 5.5 points of the reported percentages). If the sample size were 1000, we would see a margin of error of 4%, and a we'd need a sample size of 10,000 to give us a 1.2% margin of error.

This assumes that the cases taken were representative of all cases in the United States, and were randomly selected out of the pool of available cases. Considering that the Secret Service only gets involved in certain cases of identity theft, this is probably an incorrect assumption.

Mod parent up!

[khasim]

From the pdf:

Source of Data
The data for this study was collected from United States Secret Service closed
cases with an identity theft component which were opened and closed between
2000 and 2006. The staff at Secret Service headquarters selected the cases for
the research team, based on the primary and secondary case codes that Secret
Service uses to classify its cases.

That seems to indicate that only cases that had been SOLVED were used in this "study".

Of course, which case would be easier to solve?

#1. Someone in Russia stealing your ID via a keylogger installed on your workstation.

#2. Someone in your apartment building breaking into your mailbox.

Re:

[Chmcginn]

One of the leading causes of identity theft is when people leave their computer at the curbside for pickup with the hard drive unwiped. Not only does that broadcast to all who see the box on the curbside "COME AND GET IT!", but there is the (Oh my Gaia!) greater offense of POLLUTION!

Oddly enough, the laptop I use on trips I got in that exact way. And, no, they hadn't done anything to the hard drive when I picked it up, either...

Re:

[tubapro12]

Oddly enough being the kind of person I am I don't see why anyone would ever get rid of any part of a computer that works. Heck, I've got chipsets that are almost as old as me (a VIC-20, yes, a VIC-20).

Re:

[conureman]

I don't think the tweakers around here know how to boot up a computer. All the identity theft I've seen is pretty lame, mail box theft sort of stuff. Few crimes are committed by sophisticated Hollywood-fantasy thieves. (And fewer are solved by competent Hollywood-fantasy police people.)

Re:

[Tony Hoyle]

Slowly the banks are realizing this and giving the option to send via email/web only (often under the guise of being 'environmentally friendly'. Short lived SSL transaction > completely unencrypted, unprotected snail mail left outside in the dump for a week (the rubbish collection is going to bi-weekly soon so make that two weeks).

Unfortunately mastercard appear to be the last of mine to do this... all the other cards were very happy to stop sending me paper. I had my mastercard number swiped by some l

Re:

[hchaos]

This assumes that the cases taken were representative of all cases in the United States, and were randomly selected out of the pool of available cases. Considering that the Secret Service only gets involved in certain cases of identity theft, this is probably an incorrect assumption.

No, I'm not making really making that assumption. My only point is that a sample size of ~500 is valid for this kind of study, regardless of the population size. The validity of the sampling is another story completely. If you'

Re:

[JCSoRocks]

One of the things that you learn if you ever take a statistics course is that, regardless of your actual population, you just don't get much better results when your sample size increases beyond a few hundred.

My understanding is that this statistical quirk holds true for women as well.

Re:

[king-manic]

From the AP article: "The Federal Trade Commission has said about 3 million Americans have their identities stolen annually." And this study covers 517 cases over 7 years (2000-2006). I'm sorry, but I can't see a study of 517 cases during a period of approx. 21 million crimes providing really useful data.

A fine product of the US education system I see. Stats was your major?

Re:

[gbulmash]

A fine product of the US education system I see. Stats was your major?

So, if you didn't major in Statistics, you're not allowed to distrust them? 517 was the number of cases the agency closed in a 7 year period. This was not a representative sample of all cases from all law enforcement agencies dealing with this problem. It was all cases handled by one specialized agency.

And furthermore, let's talk statistics. There are like 100 things I can do that will statistically reduce my "chance of death"

Re:

[king-manic]

So, if you didn't major in Statistics, you're not allowed to distrust them? 517 was the number of cases the agency closed in a 7 year period. This was not a representative sample of all cases from all law enforcement agencies dealing with this problem. It was all cases handled by one specialized agency.

The only thing that matters is 517 is a random sample. If it isn't sufficiently random then you can't conclude much but a random sample 517 is sufficient to draw some correlations, patterns, data, or even some conclusions depending on the data. Merely stating 517 / 21 million is not sufficient to dismiss it.

And furthermore, let's talk statistics. There are like 100 things I can do that will statistically reduce my "chance of death" by 10%. How the fuck can I reduce my chance of death? Statistically, based on ALL available data, my chance of death is 100%! All these statistics do is tell me that if I quit smoking now, my chances of dying in the next 10 years go down by 40%. Now that doesn't mean I go from a 100% chance of death to a 60% chance of death. As a man in his 30s, it means my chances of dying go down from about 15% to 9%. That 9 percent includes drunk drivers, gang bangers, suicide bombers, tainted meat, crimes of passion, poisonous snakes, chainsaw accidents, unexpected heart attacks, and 18 types of cancer that smoking doesn't much influence one way or another.

So you're one of those "me hate science because I smartest" types? Most studies come up with correlations. Often weak patterns which then get blown up by the media. You can take the advice or not, with

Re:

[gbulmash]

The only thing that matters is 517 is a random sample. If it isn't sufficiently random then you can't conclude much but a random sample 517 is sufficient to draw some correlations, patterns, data, or even some conclusions depending on the data. Merely stating 517 / 21 million is not sufficient to dismiss it.

Really? Let's say you're looking at 7 characteristics of the crimes and each has 3 different possibilities. That gives you 2187 different variations. And at 2187 variations, given an even distribu

Re:

[king-manic]

Really? Let's say you're looking at 7 characteristics of the crimes and each has 3 different possibilities. That gives you 2187 different variations. And at 2187 variations, given an even distribution among 21 million instances, you can have 9602 instances of *each* variation. Yet even if the distribution is even and the sample is sufficiently random so it produces no duplicates, prove to me that a sample of 517 events will give sufficient insight into all 2187 possibilities in a set of 21 million instances.

And saying "So you're one of those 'me hate science because I smartest' types?" or suggesting I don't understand because I haven't obtained a degree in statistics just reinforces my subject line, a partial quote of: "There are three kinds of lies: lies, damn lies, and statistics."

Lets draw a distinction here, that quote "There are three kinds of lies: lies, damn lies, and statistics." is an emphasis on how people can use statistics to distort the truth. Individuals like Frank Luntz are very good at using it this way. However statistics itself is not at fault it's the generally low level of mathematic literacy that is at fault.

Case in point: The size of your sample varies with the confidence level you want and the margin of error that you will accept. The actual population size is n

Good thing

[Anonymous Coward]

My mail slot goes straight to a shredder so I'm safe.

Re:

[pushing-robot]

The identity thief sues you for endangering him when he sticks his hand into your shredder while trying to steal your mail.

But at least that only applies to the USA for the time being.

Yeah, keep on believing that. [sky.com]

Damnit

[Anonymous Crowhead]

Did they really need to spread that out over two pages? There's only one god damned sentence on the second page.

Re:

[ls -la]

Ad revenue.

Did they catch everyone?

[Anonymous Coward]

Maybe those who use high tech did not get caught?

Hmm...

[Thyrteen]

Either tech for ID theft is on the decline, or hackers have seeded data to the secret service to make them look the other way! I cry Conspiracy! heh, but seriously, isn't this sort of flip-flop normal? It would always make sense to take care of it the easier way. And if computer security goes beyond the point of paper security, it's time to make the switch! It'll go back though, if the mail / dumpster maintainers start to see their faults.

Three words

[greg_barton]

Use a shredder.

Three more

[ls -la]

And a fire.

Re:Three more

[stefanlasiewski]

Nuke it from orbit; it's the only way to be sure.

Re:

[Serhei]

Nuke yourself from orbit, then any further activity on your accounts can be positively identified as the workings of an identity thief.

Re:

[barocco]

That's four.

Re:

[AceCaseOR]

Fireplaces and BBQs are your friend (depending on the paper being used, credit card applications can make for an okay firestarter for your grill - and they always make excellent kindling.) :-)

Re:

[GuidoW]

Burnt paper is often still decipherable, as long as it hasn't crumbled to ashes. And most of the time it doesn't do that on its own. Also, the winds from the fire will make larger pieces of half-burnt paper fly away in random directions faster than you can catch it.

If you really want to make sure, you'll have to think of something else.

Re:

[Oktober Sunset]

To be certain, shred, then burn, then feed to pigs.

Re:

[skoaldipper]

Eat bacon, leave all traces of identity theft behind.

The perfect crime.

Re:

[AceCaseOR]

Well, if you shred and burn, the little bits that end up blowing to the four winds will end up being of no use to anyone, because the little bits will be mostly decipherable - any bits that remain legible should be no where near any of the bits of paper that were next to it in the original document - unless you packed the paper too tight of course.

Re:

[slugstone]

I would hate to eat the BBQ at this place since I do not like the taste of plastic.

Re:

[AceCaseOR]

I don't burn the letters with the plastic windows in the BBQ. And, to be honest, I haven't disposed of any sensative letters in the BBQ, as I've got a fireplace. However, not everyone has a real fireplace (as opposed to an electric "fireplace" or a gas fireplace), so I figured I'd put forward an alternative.

Anyway, if I was using sensative correspondance for my BBQ, for cooking purposes, I'd use it as ignition material for a chimmney starter, rather then the sole combustible material for the actual cooking

Re:

[geekoid]

In had one, but those damn turtles kicked his ass.

Re:Three words

[stefanlasiewski]

A shredder doesn't help when a credit card company delivers a pre-approved credit card offer, or when the community college uses your SSN as your 'Student Identification Number' on a freshly printed postcard.

If Credit Card companies really cared about identity theft, then why do they mail out millions of unsolicited, pre-approved credit card offers every year? Even if someone signs up for the 'opt-out' list, some unscrupulous lenders will ignore the list and send unsolicited offers in the mail.

What percentage of identity theft occurs from someone stealing one of those little envelopes, I wonder.

Re:

[greg_barton]

What percentage of identity theft occurs from someone stealing one of those little envelopes, I wonder.

That's why, when you get 'em, you shred 'em.

Security is not absolute. It's always about probabilities. You reduce the chance of a breach, but you can never make it absolutely impossible.

Re:

[zenofjazz]

What percentage of identity theft occurs from someone stealing one of those little envelopes, I wonder. That's why, when you get 'em, you shred 'em. Security is not absolute. It's always about probabilities. You reduce the chance of a breach, but you can never make it absolutely impossible.

Yes, but that only works if you get to your mail BEFORE the people stealing your mail.

Re:

[stefanlasiewski]

That's why, when you get 'em, you shred 'em.

I'm talking about the period before I get 'em, before Ipick up your mail and drop it in the shredder.

The unsolicited credit card offer sits in the mailbox until I return from work, or return from a long weekend.

Re:

[greg_barton]

1) locked mailbox
2) mail slot in your door
3) get mail sent to a p.o. box

If you don't do any of those things then the security isn't important enough to you.

Re:Three words

[CodeBuster]

If Credit Card companies really cared about identity theft, then why do they mail out millions of unsolicited, pre-approved credit card offers every year?

This would be a really easy one to fix with just a bit of legislation really. The consumer credit contract should be like applying for any other major loan, consumer signature required for contract to be valid or the contract is void and all claims arising out of it are also void (i.e. the credit issuer or backer shoulders all of the responsibility for loaning out money to a phantom that they couldn't verify). This would place all of the risk for verifying identity and preventing theft on the credit card issuers. Some people might complain that this would make credit harder to get for "deserving borrowers" but really the last kind of credit that those marginal borrowers need is yet another unsecured, high rate, short term borrowing instrument (i.e. the credit card). So what if credit is a bit more expensive because we actually implement security and sound verification practices? The easy credit binges are what brought us the housing bust, the subprime mortgage meltdowns, the dotcom crash and a host of other financial disasters. Do you help an alcoholic with a hangover by giving him another drink? Do we have to give pre-approved credit card offers in the mail to everyone who is breathing and has a pulse? Who needs it?

Re:

[Kharny]

Totally agree, it's an unfortunate trend nowadays in europe too. It is getting easier and easier to get yourself into such huge debts that it will cause serious problems.

Debt and loanfree since 1998 after paying my last uni. fees back to the dutch gov.

The only loan i would take would be for buying a house, because those are atleast backed by a physical object of reasonably stable value.

Re:

[porcupine8]

What really drives me crazy are the blank checks Discover keeps sending me. All the necessary info, right there, in a form that they can actually fill out and mail to someone as payment. The thief could be completely internet-illiterate and still max out my card for me, plus rack up the extra cash advance fees that come with using those checks.

Re:

[cubes]

Credit card companies don't care as much as you might think. The credit card companies have very little incentive to prevent or prosecute fraud.

Fraudulent credit card charges are either paid by the consumer (if the consumer fails to take the proper steps to dispute the charge), or paid by the merchant (if the consumer does dispute the charge). The burden of proof that the charge is valid falls on the merchant. If you dispute a charge, and the merchant does not have adequate proof that the charge is valid, t

Re:

[greg_barton]

Get a mail box with a lock.

Re:

[UncleTogie]

Get a mail box with a lock.

Sure, 'cause no one would think to pick [suite101.com] a mailbox lock, would they...?

Re:

[greg_barton]

Probabilities. [slashdot.org]

Re:

[UncleTogie]

Probabilities. [slashdot.org]

Indeed... [thedenverchannel.com]

Re:

[zippthorne]

They used to run a spy series on Discovery channel. In it, they would describe a few of the braindead things people do. For instance "secretaries" would, instead of taking time to take classified documents to the shredder, tear them in half and toss them in the regular waste bin. The flaw in this should be blatantly obvious: instead of making it harder for an intelligence agent to acquire interesting information, they basically highlighted the most interesting bits!

If you put a lock on your mailbox, you

Re:

[SCHecklerX]

Good advice. But what about those who would steal from your mailbox? There was a story on /. not so long ago about exactly that happening (guy made a copy of the mailbox key, and idiot bank was sending account info in the mail!).

Identity theft on the Internet

[suv4x4]

Why should I bother. I have access to your bank account in minutes, I just directly wire money overseas and start laundering them.
There's no even time to start stealing "identities" as it's understood in the classical sense.
 

You aren't taking the long view.

[khasim]

The big money is not in taking cash out of someone's account and hoping that they don't notice.

Here, you know what databases are, right? Think of a database of every possible Social Security Number.

Then, think about a criminal organization filling in the information they can find from various sources.

SSN - FName - LName - DoB - MomMaiden - Address - SpouseLink - Child1 - Child2 ..... BankAccnt1 - BankAccnt2 etc

Fill in enough of that information and you can use it to get info on the numbers you don't have filled in.

Now, they are you, as far as any financial institution is concerned. They can take out a second mortgage on your house. They can buy a car in your name. They can steal more from you than you have in any of your accounts.

They can even try to cash out your 401k. They are you.

Declining use of the Internet for ID theft?

[olehenning]

That's odd. This summer in Norway, over 100 000 people got their identity stolen when web-services using the registry of all norwegian citizens (to perform tasks like credit check etc.) leaked personal information. I was one of the victims after 60 000 of those thefts happened through Tele2's website (and I have never had anything to do with Tele2 before). Funny thing is, Tele2 knew about the flaw for about 8 months (after several warnings from the Norwegian Data Inspectorate) before the attack and did nothing to fix it. With that kind of mentality and ignorance among people who have access to our personal information, why should I believe that it is declining? Because someone somewhere have statistics that might suggest that it is?

Alternate explaination:

[Anonymous Coward]

Only 20% of the cases involved use of the Internet, and such cases may be on the decline.

Law enforcement is becoming less and less effective at identifying and prosecuting electronic identity theft. After all, only 20% of thieves who got caught used the internet.

Re:

[pimpimpim]

What does a company have to do to get the registry of all norwegian citizens? If I start a little reseller shop, can I get one? Isn't the system to give these data to companies in the first place flawed by design?

Re:

[olehenning]

We've actually discussed this at university. There's something clearly wrong about handing out access to everyone who wants it. A Ph.D. student and a professor who wrote an article on the vulnerability before the attack on Tele2 actually took place spoke with the people in charge of the registry, and the people they spoke to were quite proud of the fact that they had given access to 1400 or 1700 or so different businesses. There's something disturbing about that, and it's clear that a lot of people need to

Re:

[Marcos Eliziario]

1. Because you make the prospect of getting caught less pallatable for wanna-be criminals. Duh!
2. Because while in Prison, said criminal cannot commit more crimes.
3. Because Death by hanging would be too polemical for that cases.

Steal Their Identity Too

[jellie]

If they're not so tech-savvy, I say we send out "V1@gr@ for Identity Thieves" emails en masse, and see who responds. Then we'll steal their info.

After all, all of the respondents must be identity thieves. Damn them!

maybe because...

[FudRucker]

they are thieves more interested in stealing money, they are not technophiles...

But but, I learned on Slashdot just yesterday

[CrazyJim1]

Technology breeds crime [slashdot.org]

Racial/nationality/ethnic statistics?

[jihadist]

It would be interesting to see these, and see if I won a bet that they'd be either mostly 30s white men with part-Slavic ancestry or recent African immigrants.

Wrong Statistic

[cale]

Looking at the number of cases closed is the wrong statistic. In combating the problem of identity theft, or online fraud in the larger sense, what really matters are the actual losses associated with each case.

I don't really care if some mope dug through my dumpster, stole my credit card pre-approvals, and got caught using the fake card running up $200 worth of porn purchases. The case I worry about is the single criminal or criminal organization that systematically steals millions of pieces of credit card data and efficiently exploits each piece to the maximum extent possible.

If the investigation of each of those scenarios is one case then they have equal weight under the statistic used by the article. In terms of actually combating identity theft the latter example and the resultant prosecution is much more important and effective. Unless they discuss the loss amounts associated with cases of each case, this statistic, the conclusions based on it, and the entire article are missing the point and not talking about actually fighting identity theft and are instead talking about looking like you are fighting identity theft.

The other comments are completely on the money pointing out that this is only closed cases and the difficulty of actually closing an international investigation.

All in all another wholly misinformed article about the real threat of identity theft and online financial fraud.

worry..

[RK074918]

only 51% of the theft that has been caught to the prison. how do we know how many of them involved out there? if all of them are detected, then they definitely will get caught! that is just some of the prediction from the research. actualy it is very hard to solve. for me it is impossible for us to fully take care of them. even for the time being, i have no worried about this since i don't have credit card, but if i have, i will worry about these people will steal my credit card information and use it to en

Re:

[azman075918]

so you just worried about the porno thing?? come on man! haha

Re:

[RK074918]

haha.please do not shit me coz you just the same with me..

Re:

[johnyport]

looks like the way of ur thinking just the same with me..huhu..

Re:

[rk074499]

what are u talking about? of course it is impossible to detect all of them..detecting criminal takes month or even years for big crime. Much worse if he is one of an important or high influential guy to the society. But techniques such as data mining and AI systems may help investigation to be easier. p/s: Im much worried if my credit card was fraud and there is no way to stop the fraud..what a lousy technology if that situation happened.

Wow

[Roger_Explosion]

The median loss from identity theft was just over $31,000, but in one case, investigated by the Secret Service's Dallas field office, the defendant spent millions on luxury vehicles and then managed to set up shell companies and defraud investors. Total losses: $13 million.

You have to admire his audacity.

Identity thieves interested in a free ride

[bmidgley]

Spice up the headline

No surprise...

[amccaf1]

No surprise that identity thieves aren't big on using the Internet. I mean, think of the risks of their putting personal information out on the 'net... They could have their identities stolen!

Sample bias

[insecuritiez]

Two major problems with these numbers. First, they cover 6 years in which technology has become significantly more pervasive. Second, they were done by the Secret Service which is not a generic computer crime organization. The study should have been about how the Secret Service still deals with a much higher percentage of physical identity theft than electronic even though electronic id theft has become a lot more common.

Identity Thieves Not Big On Technology

[tt077143]

As we all know nowadays we can't run out from identity thieves since they are the ones who are concouring the technology world today.so, what we all have to do is just be careful in using this service.

Young 'uns

[JCSoRocks]

Well, at least we know that Generation Y isn't responsible for any of this! http://slashdot.org/article.pl?sid=07/10/24/143247 [slashdot.org] They're far to "technological fluent". They can't help but use the Internet!

Happened to me Yesterday!

[ender-]

Interesting timing on this article. Just last night, my wife and I got a call from Discover, asking if we had attempted to use our Discover card recently. It just so happens that the ONLY thing this card is [well, was] used for, was the recurring monthly cost of XM Radio. Other than that, we don't use the card at all.

It turns out that at 9:24PM EDT last night, someone tried to buy $986 worth of crap at a Walmart in Jacksboro, TN. I live in Dallas. So it was definitely not myself or my wife. Thankfully, the charge was declined. Someone had also made a whopping $2.51 purchase at some online computer store which I had never heard of. I don't know what kind of nothing they bought, but that usually wouldn't even cover shipping.

What we think happened is this. Our current cards are set to expire at the end of this month. We both still have our cards, so most likely, someone snagged my replacement card out of the mail. Discover says they did send out replacement cards, but we never got them. I'm still trying to figure out where the cards were mailed from, to see if it was somewhere near TN.

I'm guessing this thief isn't too bright. I'm think they weren't able to actually activate the card, which is why it was declined at Walmart. It may have gone through at the computer site because the card number is the same as my active card, and perhaps they don't ask for the 3 digit verification number on the back.

At this point, I'm working with the Walmart in question to have them save their security tapes on all the registers at that time. I'm also trying to get in touch with the online computer store to see if they have records on where the item was shipped. I'll give that info to the fraud group at Discover and hope for the best.

Even though it hasn't actually cost me any money, I want to nail that punk to a tree. Now we have to deal with having our account closed and switched to a new account. We take reasonable precautions to keep ourselves, safe, but you just can't protect mail you haven't even received yet.

Re:

[ender-]

Most likely the $2 charge was just a test to see if they could make the card work. It probably wasn't for a physical object to ship to them, but some cheap download software ("Top 100 bland clipart collection!") or ebook or something.

Well I've looked at the site. They don't have software downloads but they do have a $2.00 USB cable. Don't know about shipping costs.

I called the company. It sounded like some Chinese lady working out of her house. I had some trouble understanding her, but she said they had like 1000 fraudulent order attempts in the month of September, and that nothing was actually shipped.
You have to create an account to place an order, so I tried to see if she could get that information. I know it was probably false if i

Re:

[maxconfus]

"I'm still trying to figure out where the cards were mailed from, to see if it was somewhere near TN." In my area, it was the postal carrier that was snagging the cards out of the mail. so you know. it may help you backtrack. also just call those places to cancel/reverse the charges.