Cringely on Identity Theft
Boiled Frog writes "Prompted by the theft of his mail, Cringely investigates how easy it is to steal identities from government publications. In this article he explains how he got the identities of 300,000 people which he calculates to be valued at $65 billion dollars. If Cringely can do it, anyone can."
I mean, he's no H4Xx0R god or anything, but he seems to be fairly knowledgeable.
He tried to kill me with a forklift!
I was somewhat luckier. On the same day, I got a notice from a small long-distance telephone company saying I had an account that was being sent to collections, as well as another note saying that the account had been closed and that no further action was necessary. When I called, it turned out someone had used a credit card number in my name to set up an account and rack up charges, and was eventually recognized as a fraud and everything was closed out.
The scary part was that if I hadn't called these guys up, I never would have known about the identity theft. How often does something like that occur, where the situation gets resolved but the intended victim is never informed?
If you're in the UK, you can register your name / address combination with CIFAS:
http://www.cifas.org.uk
The service is operated on behalf of the UK financial institutions by Equifax, and will add a layer of authorisation to your name / address combination when arranging credit etc. It probably means that you won't be able to buy stuff on instant credit, but for the hassle that identity theft can bring I think it's worth it. Registration costs 12 quid for 12 months.
Personally I'm amazed that institutions will lend large amounts of money without a definite proof of your identity, but I guess that's consumer forces for you - Dixons want you to be able to walk out of their store with that 32" wide screen TV purchased on instant credit. For all the sales that brings, they absorb the liability.
In the article it is mentioned that your Social Security Number is used as a universal identifier and as "proof" of identity.
This is not a good thing.
I work in the medical records/medical billing industry and a patient's SSN is one of the vital bits of information we collect and use to help index records.
Also the patient's date of birth.
For billing purposes, we need the patient's home address.
The health insurance company also needs all this information. In fact, if we don't supply all of the patient's personal information, they often don't pay claims.
We try to protect private information. We have yearly training, and monthly flyers reminding us of the importance of protecting confidential information. We have every bit of discarded paper shredded, and we have pretty good locks on our doors, and we have a fairly paranoid firewall, but the truly determined employee could always get their hands on thousands of patient records with everything needed for identity theft.
It's probably the same way at hospitals and insurance companies too. Too many people have access to private information, and the social and technological controls on it are too weak.
I hope that no one who has access to my personal information decides to do a bit of creative fundraising.
I don't have any answers, but we ought to think of solutions pretty soon.
In the last couple of months there has been an increasing number of very sophisticated email scams.
For instance, e-gold members (and others) have been receiving emails like this:
Dear e-gold user.
At 09.05.2003 our company was attacked by unknown
persons. Out administrators is working on the database restoring.
If you have an active account, please check if it is still active, your
current balance is right and all transactions can be processed.
If you find that your account is inactive, please letus know
immediately at e-mail service@e-gold.com
To check your account, please click on the link below:
https://e-gold.com/sci_asp/payments.asp
It looks official, doesn't it? And the link looks OK too. But it is an HTML email, and the actual link went to a page located at e-gold2.com, which looked exactly like the real e-gold site. Thus the fraudsters were able to get people's log-on details. More here.
In the UK, many people have been receiving emails that look as if they are from Barclays bank (one of the biggest in the UK). It is a similar scam to the e-gold one. More here.
I myself have received an email asking me to update my eBay account details. Only on close inspection did I realise that it was a fraud.
I find this extremely worrying. Personally I am probably like many Slashdotters - paranoid about security and difficult to catch out. However most people aren't like that, and this new type of scam email is an extremely worrying development, because it could catch a lot of people out. People really need to be informed about this type of scam, but I've yet to see much in the press about it. Any journalists reading..?
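The e-gold and Barclays mails above share one tell: the visible link text names the real site while the href points at a lookalike host. The following is an added example (not code from the thread or from any of the companies named) that scans the anchors of an HTML mail body and flags that mismatch; the mail body is constructed to mirror the quoted message.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample shaped like the e-gold message quoted in the thread:
// the displayed URL is the real site, the href is the lookalike domain.
const sampleMail = `<p>To check your account, please click on the link below:</p>
<a href="https://e-gold2.com/sci_asp/payments.asp">https://e-gold.com/sci_asp/payments.asp</a>
<p>Regards, <a href="https://e-gold.com/">e-gold</a></p>`

// anchorRe captures href and visible text of each <a> element (case-insensitive,
// dot matches newlines so multi-line anchors are handled).
var anchorRe = regexp.MustCompile(`(?is)<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)

// hostOf returns the lowercased hostname of an absolute URL, or "" when the
// string is not a URL with a host (e.g. plain link text such as "e-gold").
func hostOf(raw string) string {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// Mismatch records a link whose visible text names a different host than its target.
type Mismatch struct{ Shown, Actual string }

// FindLinkMismatches returns every anchor whose displayed text is itself a URL
// whose host differs from the host the href actually points to.
func FindLinkMismatches(html string) []Mismatch {
	var out []Mismatch
	for _, m := range anchorRe.FindAllStringSubmatch(html, -1) {
		actual, shown := hostOf(m[1]), hostOf(m[2])
		if shown == "" || actual == "" {
			continue // visible text is not a URL, nothing to compare
		}
		if shown != actual {
			out = append(out, Mismatch{Shown: shown, Actual: actual})
		}
	}
	return out
}

func main() {
	for _, m := range FindLinkMismatches(sampleMail) {
		fmt.Printf("link text says %s but points to %s\n", m.Shown, m.Actual)
	}
}
```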
I've heard the rate at which people who commit identity theft get caught is around 1 in 7000.
So you have a much better than 99.9% chance to just do it to your heart's content and walk away with the money. That's pretty freakin' scary. A crime where you never have to see your victims, never have to face any consequences, and make tons of money. Can you imagine what would happen if a misguided Robin Hood decided to popularize the techniques and teach them to America's poor? Would the entire banking industry collapse at once? With a million people doing it simultaneously you would obviously overload the already overloaded investigative ability of the gov't and probably change the ratio to 1 in 100,000 getting caught.
I'm not certain about all of what you said.
My mother worked in a state university admissions department in the 1960s and 1970s, and was a programmer and operator of their computer. One year, they had two applicants apply under the same social security number. They were able to verify that both people owned the same number! Turned out, the US Government didn't guarantee the uniqueness of the SSN -- it ALONG WITH YOUR NAME AND BIRTHDAY were your taxpayer unique ID. But the university had no way of admitting both students as they wanted to under the same SSN, so they asked one of them to get a new one. It wasn't hard once the Social Security Administration figured out why.
Times have changed and computers have proliferated, and I've only done some casual investigation, but I've never found any guarantee by the US government that the SSN is unique.
Last night when I got home from work there were two electric scooters waiting in front of my garage. They had just been delivered by FedEx. I was surprised, because I hadn't ordered any scooters lately (ever) and wasn't expecting any. I drew up a very short list called "Friends of the scooter" who might have sent them as gifts, but alas, no luck after a few quick phone calls. So my hunch was either a) credit card fraud or b) computer glitch from a company I had already ordered from.
I called the scooter merchant this morning, and sure enough, someone had used my wife's AmEx card number to order the scooters and ship them to an address just a few miles away. Thankfully, as the nice owner of the scooter co. informed me, they have a policy of only shipping to the billing address and the sweaty-toothed madman didn't get his precious scooters. Ha!
So since the nice owner of the scooter co. shared the IP address of the person who made the order, and being a huge internet nerd, I have already traced the origin (via nslookup) to an AOL user who was logged in and using AOL at 11:53am on 9/7/03. I might just have the means to track this guy down. I'm turning this over to the credit card company immediately, but the "sue everybody" American in me wants to go after this bastard for mental anguish, lost time returning the scooters, making this post, etc., and emotional damage to my 3 year-old daughter who was understandably excited about the scooters (perhaps even as excited as me!).
What do you think?
You can't prevent crimes from happening, you can only improve the ability to catch the criminals, and reduce the damages.
Sure you can, especially when the current security system is virtually non-existent.
My proposal is simple:
* 2 key-pairs are issued to every individual by the DMV
* The first (public) key is freely given to everybody
* The second (private) key is stored on a chip in a credit-card sized pocket calculator like device, or smart card. ($5-$10 device which is paid by the driver upon issuance)
When you need to prove your identity, you will be challenged with a random number, which can only be encrypted with the private key and verified by the public key.
* Challenger gives you random number
* Your encryption device encrypts number with private key
* Challenger verifies encryption with public key.
In the event a private key is compromised, the corresponding public key will be published on a public database (which keys institutions should be required to check) and a new private key will be issued.
The encryption community has come up with many solutions for this problem over the last few decades, and I know the consumer electronics and card issuance industry (in which I used to work) would love nothing more than the government to stop dragging its heels and select one of the many drafted standards.
We can solve this problem without creating another government institution or delegating it to one corporation.
Why aren't nerds pushing for an open and honest solution to this problem? Isn't solving problems like this a nerd's wet dream?
Like I said before, even a half-assed scheme would be better than our current social-security passwords.
Don't like my solution? What are your ideas?
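The challenge/response scheme proposed above, worked through as an added example (mine, not the poster's design or any issuer's code): the card signs a one-time random challenge with its private key (what the post calls "encrypting" with it), the challenger verifies with the public key, and a published revocation list is checked first. It uses Ed25519 from Go's standard library; the registry is an in-memory stand-in for the public database.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Registry stands in for the issuer's public list of compromised keys that institutions must check.
type Registry struct{ revoked map[string]bool }

func (r *Registry) Revoke(pub ed25519.PublicKey) { r.revoked[string(pub)] = true }

// NewChallenge draws a fresh 32-byte nonce; never reused, or a recorded response could be replayed.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // no entropy: refuse to proceed
	}
	return c
}

// Respond is the holder's card: it signs the challenge with a private key that never leaves the device.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// Verify is the challenger's side: reject revoked keys, then check the
// signature over exactly the challenge that was issued.
func (r *Registry) Verify(pub ed25519.PublicKey, challenge, response []byte) error {
	if r.revoked[string(pub)] {
		return errors.New("public key is on the revocation list")
	}
	if !ed25519.Verify(pub, challenge, response) {
		return errors.New("response does not match this challenge")
	}
	return nil
}

// Scenario: an honest exchange, a replay of that response against a fresh
// challenge, and a check after the key has been revoked.
func Scenario() (honestOK, replayRejected, revokedRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg := &Registry{revoked: map[string]bool{}}
	c1 := NewChallenge()
	resp := Respond(priv, c1)
	honestOK = reg.Verify(pub, c1, resp) == nil
	replayRejected = reg.Verify(pub, NewChallenge(), resp) != nil
	reg.Revoke(pub)
	revokedRejected = reg.Verify(pub, c1, resp) != nil
	return
}
```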
I've worked at quite a few companies that handle important customer data and to be honest not one of them made any effort to protect that data either from employees or crackers. Management doesn't care and if an employee raises an alert (even internally) they are likely to get fired. 300,000 people is nothing. I've had access to millions of people's data. Actually I still do since I know for a fact these companies haven't made any effort to protect the data since I left and I was the one who put what security that does exist into place. I bet most even still use the passwords I placed on the servers.
Even worse is that they would fire, without fair cause, a person that was already underpaid (thus broke) without taking care to finally fix their security. If I was a thief I could be very well off. I'm sure a lot of other IT/programmer types have similar experiences. I'm sure that not all of us are behaving ourselves with the economy the way it is.
I still shop with vendors I know are storing my data but I'm careful with how much I give them. I don't use checks. I don't use credit cards. I do use a debit card but I was careful to get one that couldn't spend more than was actually in my account and I'm careful not to put more into the account than I'm expecting to use right away. That still leaves me open to damage but at least it controls the damage. I buy with cash or COD when it's possible (my last computer came from iDot.com because they allow purchase by COD).
I'm a satisfied owner of a Heavybilt Country Estate. It's of very high quality and I put brass numbers on it with brass screws so I don't have to worry about it for 30 years or so, barring galvanic difficulties. I suspect their self-locking model would be as good or better.
This is not correct. Despite this, financial advisors repeat this like a mantra.
It's partially correct. By leaving a bunch of available credit around (unused credit cards), you increase your accessible credit. When deciding whether to extend credit to you, creditors usually look at this number. Old credit cards that you never closed => larger amount of available credit (that you don't use) => lower amount of credit that you do use.
Did you know that the crime of identity theft is virtually unknown in Europe (at least in Germany, where I live)?
And there are some obvious reasons for this:
- Nobody in Europe has mail boxes without a lock. European mailboxes are usually flat, upright, rectangular boxes with a slit on the top of the front where the mailman drops the letters and they fall down a slide so you cannot get them out without using either very long pliers or, of course, the key to unlock the door at the back.
- No bank would give you a checking account or a credit without checking your ID card and making a photo copy of it and noting the number. (Remember that in most European countries (except e.g. the UK) every citizen is required to have a national ID card which you show whenever somebody has to be sure of your ID. These cards have all kinds of witty security features to make them really hard to counterfeit.)
- All laws and courts agree that a reasonable proof that somebody did make a business transaction is a signature on a piece of paper, or at least some computer record showing that the customer has entered a secret PIN. 'Secret' meaning that nobody else should be able to know it. (PINs are printed out by the banks' computer systems and put in a sealed envelope without any employees being able to look at them.)
- Especially, if you told a court that a business transaction was valid because you checked the caller's identity on the phone by asking for his SSN (or some local equivalent of this), his date of birth or his mother's maiden name, the judge would probably only laugh at you.
While staying for half a year in California, I was quite astonished about the lax way of checking identities common in the US.
(For example, I got liability insurance for the used car I bought by just phoning the company. The guy asked for my Visa card number, then said 'Fine. Your car insurance is valid starting now, i.e. 4:13 pm.' That was great and convenient, but after all, I still prefer the European way, where they'll first ask 'So, how do we know that this was your credit card number, and not taken from some receipt you picked out of a trash can?'. At the very least they would want proof of your address so that they can send you a court summons in case you tried a fraud.)
We thought it was kind of funny until we realized that the owner of the other car could do the same thing.