Cringely on Identity Theft
Boiled Frog writes "Prompted by the theft of his mail, Cringely investigates how easy it is to steal identities from government publications. In this article he explains how he got the identities of 300,000 people which he calculates to be valued at $65 billion dollars. If Cringely can do it, anyone can."
You can't prevent crimes from happening, you can only improve the ability to catch the criminals, and reduce the damages.
Worried about ID theft? Keep a close eye on your credit card bills, credit scores, etc.. Buy a paper shredder. Shred all bank statements and whatnot before you throw them out. Internet-shminternet, dumpster diving is the fastest way to someone's finances. Get the carbons at the gas station, or stores where they still use the old carbon-thinger credit card machine.
Cringely is a blowhard trying to scare people, but frankly this isn't news. Using the 'net really doesn't make this easier - it's always been easy.
I knew someone who got screwed big time by a gas station who would keep the carbons, and double bill her every time she filled up, the cash going straight into the owner's pocket. She was a dope for letting it go on so long, as she never bothered scrutinizing her Visa bills. Turned out the station was owned by a Russian mobster. This was long before the world wide web.
I don't need no instructions to know how to rock!!!!
I mean, come on, it *is* easy to steal someone's identity, but what doesn't get enough attention is the human factor. Not enough people are willing to actually query oddities and if a document looks vaguely official, they'll accept it. After all, if you were trying to sign someone up for a credit card, would you query their ID and lose the possible commission?
Never work for an employer that demands your Social Security number; if asked for it, make one up and use it instead.
Yeah, cause this will never come back to bite you in the ass. I'm quite sure that when your employer finds out that you gave them a fraudulent SSN, you'll all just have a great big laugh over it, and they won't be calling the Department of Homeland Security or anything.
It hurts when I pee.
Possibly this wouldn't be such a big problem if a more relevant credit history was available to people without having to pay, wait, and damage their credit just to get a report.
Maybe someone on slashdot knows: why doesn't my bank teller ask me for photo ID?
All they ever ask to see is the bank book. Are bank accounts not tied to actual people, but instead are transferable, simply by giving away the bank book? If not, why don't they ask for my government or bank-issue photo ID?
A similar thing happened here in France.
But it was in a way more serious since the French have "Unfalsifiable" (yeah right), identity papers.
A guy got arrested for not paying his fines for travelling on the trains without a ticket. (If you get busted without a ticket they take your name and address and send you the fine.)
Problem was that he didn't live in France at all but in one of the former colonies, and had never actually been to those places where he was supposed to have been.
After a bit of investigation he found quite a number of bank accounts in his name, in various banks. Along with other things he was supposed to be doing. All in all, quite an activity he was supposed to be practicing.
He finally found out that some years ago his father had lost the family's papers, along with his ID card (they were stolen). And his old ID card was then falsified by replacing the picture with a picture of someone else.
When the new "Unfalsifiable" cards came along, the guy who was using his old card managed to replace it with the new "Unfalsifiable" version.
With that card, he then collected fines for everything he felt like doing.
The guy wasn't sentenced in the end and got an apology from the judge.
This story does a good job of demonstrating that the weakest security link is almost always human and phrases like "Unfalsifiable" and "Unbreakable" are not good for anything but selling the product to the public.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
Public records are better if you want to be a crook because the Freedom of Information Act makes them completely available.
Cringely was quite correct when he identified two parts of the problem: the ubiquity of using SSN as both an identifier and as authorization (or using credit card numbers this way).
It would really be much better if the institutions we dealt with would accept identities and authorizations that were only valid for the specific transactions we conducted with them.
But no, "people can't remember all those numbers". Well, people ought to have a private key that is really private, and public keys that anyone can use to verify that person X really authorized some transaction Y.
But rely upon government to come out with a bad solution to this problem.
The FoIA safeguards, which are important to keeping government transparent and more accountable to the people, will be abolished (as they have already been for various cases deemed to involve national security or "terrorism"), to "increase security for the citizens".
We'll be trading a great deal in terms of liberty and knowledge of whether our government is acting properly for very little in the way of security.
"Provided by the management for your protection."
It does cost you money. Retail goods and services which can be purchased with credit cards usually raise the prices to cover their merchant account costs, which go up as fraud increases. This is why you'll sometimes see retailers with a 2% cash/check/eft/anythingbutplastic discount. Retailers aren't allowed to list the added merchant costs as a line-item on your receipt, so you don't realise you're paying for it. I agree about the quarter of your life part. The system really isn't designed well to help people fix it. I know a person who has drug and prostitution charges on her records because of identity theft. It's ludicrous how difficult it is to fix these things.
That really sucks, but that is also the credit card company's fault to a small extent. The companies should have noticed that something was wrong when an account that was inactive for a significant amount of time suddenly has thousands of dollars in activity on it. They should have called your friend to confirm that he was the one doing the spending. I thought that was policy at most card companies.
I realize that this column is mostly about identity theft, but is anyone else bothered by the idea that the USPS, given specific instructions to hold your mail, can just go ahead and deliver it, and then not be responsible for the screw-up (and the resulting havoc)?
Couldn't you sue them if that happened? There are damages involved here, so I don't see why they can get away with it.
Your mileage may vary, but mine is constant.
What's really going to suck is when it actually happens to one of those high-profile, illuminati/politicians, there's going to be yet another increase in Orwellian-type citizen monitoring and authentication laws, most likely in the form of some Patriot II act.
What worries me is not so much the people that try to steal identities, because as most of us understand how it's perpetrated, it's easier for us to avoid and/or control the consequences, but when some crazy system gets put into place 3 years from now by the Republican cronies because of some silent passing of a Patriot Act clause. I for one don't feel like having to provide a blood sample to get into my office, or giving a sperm sample for a new home loan ala Gattaca.
Hades, PoD: Official Advocate
On par with your workplace, I did a contract gig for a major HMO around Minnesota last year. The amount of information I had at my fingertips was amazing, considering I didn't need ANY of it for my job (Desktop Analyst). A close friend of mine works for the same HMO doing data-entry, and since he's in the billing department, he has free rein to people's entire credit and medical history, along with all the other goodies that any peon could exploit easily. I've asked him before how easy it'd be to print out a file on someone and take over their identity. The answer? "Easier than you'd believe."
Scary shit indeed. One last thing that still boggles my mind is how many times I use my debit card and get the customer copy with my full account number on it. Seriously, it's usually at places where people throw them away right away... gas stations, grocery stores, and restaurants are the big 3 that I've noticed. Make sure to rip those little bastards to shreds once you walk out the door.
"Hell hath no fury like a woman scorned for SEGA. ..."
Yeah and just hope there are no identity thieves working for your mailbox "vendor".
cat
The main issue to be concerned about, *unfortunately* involves politics.
.to (sic) promote the general welfare. . . " because the result of this act was to reduce the bank robbery, increase the public's faith in the banking system, making more funds available for the economic development of the American West. Which had incredibly huge benefits for all Americans.
It's the basic question of:
When someone is running a business, and profiting handsomely from it - should they, or should they not, be responsible for the safety of their customers?
It's already been established that Automakers should be responsible for defects in their products which compromise car-owner safety.
The airlines, of course, have dodged responsibility for the lax security they provided which enabled 9/11. Instead of a slap on the wrist, they were rewarded with hundreds of millions of taxpayer dollars in bailouts - and union-busting government arbitration - and, eventually, bankruptcy protection. Wow. I wish I had a business that the government was that generous to.
But I guess Alaska Air has been getting slapped around for negligent maintenance.
Now, if you spend $10,000 on a Microsoft server to protect your data, and it falls prey to a security glitch, we all know that Microsoft can't be held responsible.
Who's held responsible?
In the Old West - banks were often robbed. And stagecoach deliveries of funds. People were afraid to put their money into banks because if the bank was robbed, their savings would be lost with no recourse. Banks didn't take the responsibility of hiring enough security to prevent robberies. It would have made their business much less profitable.
Then the US Government created the FDIC insurance act, which insured bank deposits, and made bank robbery a federal crime, so robbers couldn't simply cross state lines to escape justice.
It was *not* a constitutional duty of the government to do so - unless you check the preamble, and read the phrase ". .
The question here is - would government be overstepping its constitutional boundaries by going in and protecting our personal data in the hands of corporations?
That's a matter of opinion.
Would the government be overstepping its constitutional boundaries by mandating that companies, in possession of citizens' personal data, be responsible for taking appropriate measures to secure that data?
Possibly - but in today's political climate, it would definitely NOT be a Republican to suggest such.
What problem would be solved?
Citizens would be protected - that's a nice thing. And falls right in line with "...provide for the common defense..."
Public faith in ecommerce would arise, which might stimulate the economy - which wouldn't be a bad thing.
A solution is out there. But there are right ways to do this, and wrong ways. I'm certain that the wrong thing to do would be the neoconservative laissez-faire approach. And that's probably the approach our current set of (s)elected officials will choose.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Once I came home in the evening and got a message on the answering machine to call my card company asap because of possible fraudulent charges. I soon enough called the number they gave me and identified my card number and password. Then I told them about my message and they started looking it up on the computer. After 30 seconds the guy says that the computer is slow and other excuses. After another 30 seconds he apologizes and suggests I call back later since the computer seems down. So I put down the phone and then it suddenly hits me that I have no way to verify that the other side was the credit card company. It didn't feel right that a major financial company would have computer problems like this. So now I immediately called back the number on the back of my card and got through okay. They did verify that I had fraudulent charges and canceled my number. I asked them about the other number but they were not too concerned and guessed it might be an internal fraud line number.
In conclusion I still don't know if the original number was real or not. It could have been the card thieves trying to trick me. After getting the new card, I checked my credit report a month later to verify nothing new had been opened. The lesson I learned is to never use a number you cannot authenticate when doing sensitive stuff like this.
I think something very vital is being missed here. Your name, address, phone number, and SSN is not your identity. This is all public information. The problem is that we treat this information as if it was our identity.
Are people really suggesting that this information be "secret"? The SSN is not meant to be secret, can not really be secret, and every SSN card says explicitly that it is not meant to be secret.
Surely we are not suggesting that one's name, address, and telephone number be secret.
The problem is that this non-secret, non-unique information is used to identify people for many significant transactions. I.E. Driver's license, Mortgages, Credit Cards, etc...
The other problem is many people are opposed to instituting any kind of authoritative nation wide identification system.
Put aside your libertarian angst for a second and imagine if we did have a national DNA registry that positively and uniquely identified everyone. Sure we have all seen Gattaca and imagine ways of forging DNA derived identification, but it would be much harder.
Much harder than the current system where all the tokens we use to identify ourselves are from non-secret, non-uniquely identifying information sources.
And there's no sign of forced entry, so the insurance company says "you left the key in the ignition, tough for your claim."
That story sucks and I feel bad for you, but I don't understand how there could be no sign of forced entry on a car that's been stolen. Not to sound like the Bloodhound Gang / Sherlock Bones / Encyclopedia Brown here or anything. Presumably you came back and the car was gone, and was reported as a theft.
Was the car recovered? And if so there's probably not much of a claim there...
Over here we have debit cards (with almost unlimited credit, which is interest free for two months).
Where is "here"?
Credit card score calculation is complex, and wrong.
It is all based on the way people were expected to use credit 25 years ago. The way people use credit, and the way they work has changed very much in the last 25 years.
The Kruger Dunning explains most post on
As stated in the link, I highly doubt anyone can just steal a car off the shopping mall lot.
So do it in an office park. People tend to go there every day.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
That is not correct. The law places restrictions on how government agencies can use your social security number, but private companies are generally not covered by such laws.
The Privacy Act of 1974 requires government agencies to declare why they have the authority to request it, whether it is voluntary or mandatory to disclose it, what they will do to it and what happens if you don't provide it. Also, the Act requires that those agencies that request your social security number, but do not require it, must provide a mechanism for alternative identification number. But, and this is important, the law applies to government agencies only. Also, if the agency was using social security numbers as identifiers prior to 1975, they may continue to use them.
The business about the SSN not being some sort of universal identification number springs from the notification on the card that it is not for use for identification purposes. You'll find, though, that there is no law forbidding its use as an identification number.
And, incidentally, the Privacy Act of 1974 carries no penalties for its violation.
-h-
Deliberately covering the VIN may be illegal, but that's nothing a little artfully-splashed mud can't fix.
~REZ~ #43301. Who'd fake being me anyway?
I guess it is identity paranoia day here at /. . Anyway, this does bring up the issue of how much information needs to be out there. Personally, I think a system of identity verification could be a killer for identity thieves. I am not talking about a govmint issued ID that will freak a lot of people out here, I mean like a DNA based encrypted PIN. Or something. Just a thought.
I've heard the rate at which people who commit identity theft get caught is around 1 in 7000.
So you have a much better than 99.9% chance to just do it to your heart's content and walk away with the money. That's pretty freakin' scary. A crime where you never have to see your victims, never have to face any consequences, and make tons of money. Can you imagine what would happen if a misguided Robin Hood decided to popularize the techniques and teach them to America's poor? Would the entire banking industry collapse at once? With a million people doing it simultaneously you would obviously overload the already overloaded investigative ability of the gov't and probably change the ratio to 1 in 100,000 getting caught.
This is because the police refuse to even investigate these crimes. Most of the id thieves we hear about getting caught were actually caught committing some other crime (or pursued therefore). In one of the previous slashdot articles, they had a police officer in charge of ID theft investigations who essentially admitted he sat on his butt all day and answered the phone telling people they were SOL. He said that they even told him who or where the thief was and that did not get him out of his chair.
The big misconception is that ID theft is all the victim's fault, much like the oft-repeated myth that you can only get worms/viruses by clicking on attachments. The claim is that id theft only happens when people are careless with their trash. That is the old way, but it is easier than that now. As Cringely points out, you can get all the info you need for massive id theft for a minimal fee, like $20, or free.
Of course the most amusing part of all this is that Al Qaeda has been using id theft techniques for decades. If I were a terrorist, that would be the first thing on my list besides cashing in on Nigerian spam scams. After all, what terrorist would not want billions of untraceable dollars, untraceable connections to the internet and cellular networks, and a free ride on the passport train to paradise? Yet our illustrious leaders are still keystone kopping it through life instead of actually doing something to fight these threats.
Simple solution: whenever the dealer looks up the key geometry in the database that associates it with the VIN, a record should be kept. If your car is stolen, and a key was made the hour before, you obviously didn't leave the key in the ignition.
Litigious bastards
it obviously isn't worth $65 billion.
What a bank considers an ID confirmation is just pathetic. I mean, come on, Mother's maiden name when every other bank also uses it? 4 digit pin codes?
They belong back in the 19th century!
We need to task the NSA, or a DARPA project, or any serious professional, with coming up with a secure banking id system, one that meets serious security standards, and just get the damn problem fixed. I think that if you picked any code breaker at random and gave him the task, he'd come up with something a hell of a lot better than what we got. If you held a nice contest, it would come out really nice.
If we got some modern crypto-spooks involved, if we could get to where the KGB had to sweat even a little to crack our identity system, identity theft would be a crime very few could give a try. Just try reading a few books about what the KGB and CIA have to do to crack each other's security, and then compare that to mother's maiden name and social security number.
That is the solution.
As a minor improvement, all credit cards should be required by law to have photos on them that were supplied by the government, and verified to be the unique current registered photo for that id.
All transactions not serious crypto-verified should be illegal to report to a credit agency.