Cringely on Identity Theft
Boiled Frog writes "Prompted by the theft of his mail, Cringely investigates how easy it is to steal identities from government publications. In this article he explains how he got the identities of 300,000 people which he calculates to be valued at $65 billion dollars. If Cringely can do it, anyone can."
You can't prevent crimes from happening, you can only improve the ability to catch the criminals, and reduce the damages.
Worried about ID theft? Keep a close eye on your credit card bills, credit scores, etc. Buy a paper shredder. Shred all bank statements and whatnot before you throw them out. Internet-shminternet, dumpster diving is the fastest way to someone's finances. Get the carbons at the gas station, or stores where they still use the old carbon-thinger credit card machine.
Cringely is a blowhard trying to scare people, but frankly this isn't news. Using the 'net really doesn't make this easier - it's always been easy.
I knew someone who got screwed big time by a gas station who would keep the carbons, and double bill her every time she filled up, the cash going straight into the owner's pocket. She was a dope for letting it go on so long, as she never bothered scrutinizing her Visa bills. Turned out the station was owned by a Russian mobster. This was long before the world wide web.
I don't need no instructions to know how to rock!!!!
Never work for an employer that demands your Social Security number; if asked for it, make one up and use it instead.
Yeah, cause this will never come back to bite you in the ass. I'm quite sure that when your employer finds out that you gave them a fraudulent SSN, you'll all just have a great big laugh over it, and they won't be calling the Department of Homeland Security or anything.
It hurts when I pee.
Possibly this wouldn't be such a big problem if a more relevant credit history was available to people without having to pay, wait, and damage their credit just to get a report.
Maybe someone on slashdot knows: why doesn't my bank teller ask me for photo ID?
All they ever ask to see is the bank book. Are bank accounts not tied to actual people, but instead are transferable, simply by giving away the bank book? If not, why don't they ask for my government or bank-issue photo ID?
Public records are better if you want to be a crook because the Freedom of Information Act makes them completely available.
Cringely was quite correct when he identified two parts of the problem: the ubiquity of using SSN as both an identifier and as authorization (or using credit card numbers this way).
It would really be much better if the institutions we dealt with would accept identities and authorizations that were only valid for the specific transactions we conducted with them.
But no, "people can't remember all those numbers". Well, people ought to have a private key that is really private, and public keys that anyone can use to verify that person X really authorized some transaction Y.
But rely upon government to come out with a bad solution to this problem.
The FoIA safeguards, which are important to keeping government transparent and more accountable to the people, will be abolished (as they have already been for various cases deemed to involve national security or "terrorism"), to "increase security for the citizens".
We'll be trading a great deal in terms of liberty and knowledge of whether our government is acting properly for very little in the way of security.
"Provided by the management for your protection."
It does cost you money. Retail goods and services which can be purchased with credit cards usually raise the prices to cover their merchant account costs, which go up as fraud increases. This is why you'll sometimes see retailers with a 2% cash/check/eft/anythingbutplastic discount. Retailers aren't allowed to list the added merchant costs as a line-item on your receipt, so you don't realise you're paying for it. I agree about the quarter of your life part. The system really isn't designed well to help people fix it. I know a person who has drug and prostitution charges on her records because of identity theft. It's ludicrous how difficult it is to fix these things.
What's really going to suck is when it actually happens to one of those high-profile, illuminati/politicians, there's going to be yet another increase in Orwellian-type citizen monitoring and authentication laws, most likely in the form of some Patriot II act.
What worries me is not so much the people that try to steal identities, because as most of us understand how it's perpetrated, it's easier for us to avoid and/or control the consequences, but when some crazy system gets put into place 3 years from now by the Republican cronies because of some silent passing of a Patriot Act clause. I for one don't feel like having to provide a blood sample to get into my office, or giving a sperm sample for a new home loan ala Gattaca.
Hades, PoD: Official Advocate
On par with your workplace, I did a contract gig for a major HMO around Minnesota last year. The amount of information I had at my fingertips was amazing, considering I didn't need ANY of it for my job (Desktop Analyst). A close friend of mine works for the same HMO doing data-entry, and since he's in the billing department, he has free rein to people's entire credit and medical history, along with all the other goodies that any peon could exploit easily. I've asked him before how easy it'd be to print out a file on someone and take over their identity. The answer? "Easier than you'd believe."
Scary shit indeed. One last thing that still boggles my mind is how many times I use my debit card and get the customer copy with my full account number on it. Seriously, it's usually at places where people throw them away right away...gas stations, grocery stores, and restaurants are the big 3 that I've noticed. Make sure to rip those little bastards to shreds once you walk out the door.
"Hell hath no fury like a woman scorned for SEGA. ..."
The main issue to be concerned about, *unfortunately* involves politics.
It's the basic question of:
When someone is running a business, and profiting handsomely from it - should they, or should they not, be responsible for the safety of their customers?
It's already been established that Automakers should be responsible for defects in their products which compromise car-owner safety.
The airlines, of course, have dodged responsibility for the lax security they provided which enabled 9/11. Instead of a slap on the wrist, they were rewarded with hundreds of millions of taxpayer dollars in bailouts - and union-busting government arbitration - and, eventually, bankruptcy protection. Wow. I wish I had a business that the government was that generous to.
But I guess Alaska Air has been getting slapped around for negligent maintenance.
Now, if you spend $10,000 on a Microsoft server to protect your data, and it falls prey to a security glitch, we all know that Microsoft can't be held responsible.
Who's held responsible?
In the Old West - banks were often robbed. And stagecoach deliveries of funds. People were afraid to put their money into banks because if the bank was robbed, their savings would be lost with no recourse. Banks didn't take the responsibility of hiring enough security to prevent robberies. It would have made their business much less profitable.
Then the US Government created the FDIC insurance act, which insured bank deposits, and made bank robbery a federal crime, so robbers couldn't simply cross state lines to escape justice.
It was *not* a constitutional duty of the government to do so - unless you check the preamble, and read the phrase ". . .to (sic) promote the general welfare. . . " because the result of this act was to reduce the bank robbery, increase the public's faith in the banking system, making more funds available for the economic development of the American West. Which had incredibly huge benefits for all Americans.
The question here is - would government be overstepping its constitutional boundaries by going in and protecting our personal data in the hands of corporations?
That's a matter of opinion.
Would the government be overstepping its constitutional boundaries by mandating that companies, in possession of citizens' personal data, be responsible for taking appropriate measures to secure that data?
Possibly - but in today's political climate, it would definitely NOT be a Republican to suggest such.
What problem would be solved?
Citizens would be protected - that's a nice thing. And falls right in line with "...provide for the common defense..."
Public faith in ecommerce would arise, which might stimulate the economy - which wouldn't be a bad thing.
A solution is out there. But there are right ways to do this, and wrong ways. I'm certain that the wrong thing to do would be the neoconservative laissez-faire approach. And that's probably the approach our current set of (s)elected officials will choose.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Once I came home in the evening and got a message on the answering machine to call my card company asap because of possible fraudulent charges. I soon enough called the number they gave me and identified my card number and password. Then I told them about my message and they started looking it up on the computer. After 30 seconds the guy says that the computer is slow and other excuses. After another 30 seconds he apologizes and suggests I call back later since the computer seems down. So I put down the phone and then it suddenly hits me that I have no way to verify that the other side was the credit card company. It didn't feel right that a major financial company would have computer problems like this. So now I immediately called back the number on the back of my card and got through okay. They did verify that I had fraudulent charges and canceled my number. I asked them about the other number but they were not too concerned and guessed it might be an internal fraud line number.
In conclusion I still don't know if the original number was real or not. It could have been the card thieves trying to trick me. After getting the new card, I checked my credit report a month later to verify nothing new had been opened. The lesson I learned is to never use a number you cannot authenticate when doing sensitive stuff like this.
I think something very vital is being missed here. Your name, address, phone number, and SSN is not your identity. This is all public information. The problem is that we treat this information as if it was our identity.
Are people really suggesting that this information be "secret"? The SSN is not meant to be secret, can not really be secret, and every SSN card says explicitly that it is not meant to be secret.
Surely we are not suggesting that one's name, address, and telephone number be secret.
The problem is that this non-secret, non-unique information is used to identify people for many significant transactions. I.E. Driver's license, Mortgages, Credit Cards, etc...
The other problem is many people are opposed to instituting any kind of authoritative nation wide identification system.
Put aside your libertarian angst for a second and imagine if we did have a national DNA registry that positively and uniquely identified everyone. Sure we have all seen Gattaca and imagine ways of forging DNA derived identification, but it would be much harder.
Much harder than the current system where all the tokens we use to identify ourselves are from non-secret, non-uniquely identifying information sources.
And there's no sign of forced entry, so the insurance company says "you left the key in the ignition, tough for your claim."
That story sucks and I feel bad for you, but I don't understand how there could be no sign of forced entry on a car that's been stolen. Not to sound like the Bloodhound Gang / Sherlock Bones / Encyclopedia Brown here or anything. Presumably you came back and the car was gone, and was reported as a theft.
Was the car recovered? And if so there's probably not much of a claim there...
Credit card score calculation is complex, and wrong.
It is all based on the way people were expected to use credit 25 years ago. The way people use credit, and the way they work has changed very much in the last 25 years.
The Kruger Dunning explains most post on
I've heard the rate at which people who commit identity theft get caught is around 1 in 7000.
So you have a much better than 99.9% chance to just do it to your heart's content and walk away with the money. That's pretty freakin' scary. A crime where you never have to see your victims, never have to face any consequences, and make tons of money. Can you imagine what would happen if a misguided Robin Hood decided to popularize the techniques and teach them to America's poor? Would the entire banking industry collapse at once? With a million people doing it simultaneously you would obviously overload the already overloaded investigative ability of the gov't and probably change the ratio to 1 in 100,000 getting caught.
This is because the police refuse to even investigate these crimes. Most of the id thieves we hear about getting caught were actually caught committing some other crime (or pursued therefore). In one of the previous slashdot articles, they had a police officer in charge of ID theft investigations who essentially admitted he sat on his butt all day and answered the phone telling people they were SOL. He said that they even told him who or where the thief was and that did not get him out of his chair.
The big misconception is that ID theft is all the victim's fault, much like the oft-repeated myth that you can only get worms/viruses by clicking on attachments. The claim is that id theft only happens when people are careless with their trash. That is the old way, but it is easier than that now. As Cringely points out, you can get all the info you need for massive id theft for a minimal fee, like $20, or free.
Of course the most amusing part of all this is that Al Qaeda has been using id theft techniques for decades. If I were a terrorist, that would be the first thing on my list besides cashing in on Nigerian spam scams. After all, what terrorist would not want billions of untraceable dollars, untraceable connections to the internet and cellular networks, and a free ride on the passport train to paradise? Yet our illustrious leaders are still keystone kopping it through life instead of actually doing something to fight these threats.
What a bank considers an ID confirmation is just pathetic. I mean, come on, Mother's maiden name when every other bank also uses it? 4 digit pin codes?
They belong back in the 19th century!
We need to task the NSA, or a DARPA project, or any serious professional, with coming up with a secure banking id system, one that meets serious security standards, and just get the damn problem fixed. I think that if you picked any code breaker at random and gave him the task, he'd come up with something a hell of a lot better than what we got. If you held a nice contest, it would come out really nice.
If we got some modern crypto-spooks involved, if we could get to where the KGB had to sweat even a little to crack our identity system, identity theft would be a crime very few could give a try. Just try reading a few books about what the KGB and CIA have to do to crack each other's security, and then compare that to mother's maiden name and social security number.
That is the solution.
As a minor improvement, all credit cards should be required by law to have photos on them that were supplied by the government, and verified to be the unique current registered photo for that id.
All transactions not serious crypto-verified should be illegal to report to a credit agency.