Slashdot Mirror


Cringely on Identity Theft

Boiled Frog writes "Prompted by the theft of his mail, Cringely investigates how easy it is to steal identities from government publications. In this article he explains how he got the identities of 300,000 people which he calculates to be valued at $65 billion dollars. If Cringely can do it, anyone can."

24 of 630 comments

  1. Article is spot on. Happened to me.. by Lysol · · Score: 5, Informative

    I had my identity stolen about 8 years ago. It suuuuuked!

    In San Francisco, when some people move out, they throw all this crap they don't need anymore on the curb. I saw this throughout the city, time and time again, so when it came time for me to move, I did the same.

    I got rid of almost everything! This included tons of old papers - possibly old pay stubs. Big NO NO! At one point, I even noticed some people looking through the big pile. "Just people who like crap", I thought.

    Six months later, the Postmaster General Attorney's office in San Jose calls me saying they've arrested someone on postal fraud that had my name and info in his little black book. It was under a section that basically was ready to have a driver's license and social security card issued in my name with this guy's picture!

    To make a long story short, the guy went to prison and I had to notify all agencies where I had any type of id or credit/bank card to put a watch on them for the next six months.

    My lesson learned: shred everything.

    However, online, this is a totally different issue and the only thing I can suggest and do about that is to check into companies and try to make sure they are responsible about how they store your credit-card information. I've personally written to all the online companies I use to ask how they protect my information. If it ever seemed like they weren't up to snuff, I explained my concerns and asked for some sort of reassurances. Although, I must admit, that's not the best thing and sometimes letters to the BBB and other groups/agencies are necessary.

    1. Re:Article is spot on. Happened to me.. by BWJones · · Score: 5, Informative

      To make a long story short, the guy went to prison and I had to notify all agencies where I had any type of id or credit/bank card to put a watch on them for the next six months.

      Good to hear this person actually went to jail. I should add that the other thing you should do is check your credit history and cancel all old credit cards that you may not even know are still active. A friend of mine had someone get access to three old credit cards that he had cut up, but had not actually cancelled the accounts. A couple of years later he was surprised to find the companies were telling him he owed $30k worth of charges.

      --
      Visit Jonesblog and say hello.
    2. Re:Article is spot on. Happened to me.. by TopShelf · · Score: 5, Interesting

      I was somewhat luckier. On the same day, I got a notice from a small long-distance telephone company saying I had an account that was being sent to collections, as well as another note saying that the account had been closed and that no further action was necessary. When I called, it turned out someone had used a credit card number in my name to set up an account and rack up charges, and was eventually recognized as a fraud and everything was closed out.

      The scary part was that if I hadn't called these guys up, I never would have known about the identity theft. How often does something like that occur, where the situation gets resolved but the intended victim is never informed???

      --
      Stop by my site where I write about ERP systems & more
    3. Re:Article is spot on. Happened to me.. by The_K4 · · Score: 5, Informative

      Wrong. A closed account still shows on your credit report. It won't drop off for 4 years. It will show as "closed" but will indicate your history. Run your own report some time and look at the non-revolving accounts! By leaving it open you lower your available credit. Also having a large number of open accounts LOWERS your score! It's better to have 2-4 cards with high credit limits than 7-10 with average limits, and will give you a better score. I closed 3 old cards that I never used, my credit score went UP and then the 3 cards I still had all offered to raise my limits. If you have old cards that you don't/won't use... CLOSE THEM! They hurt you a lot more than they help.

    4. Re:Article is spot on. Happened to me.. by jafac · · Score: 5, Insightful

      The main issue to be concerned about, *unfortunately* involves politics.

      It's the basic question of:
      When someone is running a business, and profiting handsomely from it - should they, or should they not, be responsible for the safety of their customers?

      It's already been established that Automakers should be responsible for defects in their products which compromise car-owner safety.

      The airlines, of course, have dodged responsibility for the lax security they provided which enabled 9/11. Instead of a slap on the wrist, they were rewarded with hundreds of millions of taxpayer dollars in bailouts - and union-busting government arbitration - and, eventually, bankruptcy protection. Wow. I wish I had a business that the government was that generous to.
      But I guess Alaska Air has been getting slapped around for negligent maintenance.

      Now, if you spend $10,000 on a Microsoft server to protect your data, and it falls prey to a security glitch, we all know that Microsoft can't be held responsible.

      Who's held responsible?

      In the Old West - banks were often robbed. And stagecoach deliveries of funds. People were afraid to put their money into banks because if the bank was robbed, their savings would be lost with no recourse. Banks didn't take the responsibility of hiring enough security to prevent robberies. It would have made their business much less profitable.
      Then the US Government created the FDIC insurance act, which insured bank deposits, and made bank robbery a federal crime, so robbers couldn't simply cross state lines to escape justice.

      It was *not* a constitutional duty of the government to do so - unless you check the preamble, and read the phrase ". . .to (sic) promote the general welfare. . . " because the result of this act was to reduce the bank robbery, increase the public's faith in the banking system, making more funds available for the economic development of the American West. Which had incredibly huge benefits for all Americans.

      The question here is - would government be overstepping its constitutional boundaries by going in and protecting our personal data in the hands of corporations?
      That's a matter of opinion.

      Would the government be overstepping its constitutional boundaries by mandating that companies, in possession of citizens' personal data, be responsible for taking appropriate measures to secure that data?
      Possibly - but in today's political climate, it would definitely NOT be a Republican to suggest such.

      What problem would be solved?
      Citizens would be protected - that's a nice thing. And falls right in line with "...provide for the common defense..."
      Public faith in ecommerce would arise, which might stimulate the economy - which wouldn't be a bad thing.

      A solution is out there. But there are right ways to do this, and wrong ways. I'm certain that the wrong thing to do would be the neoconservative laissez-faire approach. And that's probably the approach our current set of (s)elected officials will choose.

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    5. Re:Article is spot on. Happened to me.. by Sapwatso · · Score: 5, Informative

      Not entirely complete either. Sometimes closing accounts can hurt your credit score too, for example if there were recent late payments on the account, or if closing the account makes your (credit in use)/(available credit) ratio too large. Bottom line is that the credit score calculation is very complex. If you are concerned with it enough to open or close accounts to change your score, you should probably consult a financial planner. (IANAFP)

    6. Re:Article is spot on. Happened to me.. by bug506 · · Score: 5, Informative

      I'm not sure if you are still in California, but if you are you can get a "security freeze" put on your credit report.

      This is different from the "security alert" that most people tell you to put on your credit report when fraud happens.

      With a "security alert," basically it's just a notification to creditors that they should be careful. They can still get your credit report. Apparently, many creditors ignore this warning so you are not guaranteed that someone else isn't applying for credit in your name.

      With a "security freeze," no one can get your credit report (with a few exclusions such as the police with a court order). It's much much safer.

      The credit report agency sends you a PIN that you use to temporarily or permanently remove the security freeze. For example, if you are applying for a mortgage in the next 15 days, you can remove the security freeze for 15 days, and it will be put back on once that period of time is up.

      The credit report agencies do not want people to know about this option because if everyone takes advantage of it then their whole system fails.

      Under California law, there is no charge for a security freeze on your credit reports IF you have ALREADY been the victim of fraud. (Someone used some of my checks and stole my credit card number before, so I qualify). If you have not ALREADY been a victim, you can pay some ridiculous amount to have it put on (on the order of $50/year).

      I believe Texas may have a similar law (because my letter including the PIN from one of the agencies said "security freezes are only available in California and Texas" and that if I move out of CA then I have to notify them so that they can remove the security freeze).

      For the last year, I played the credit report agencies' game. I PAID THEM $80/year to get access to MY OWN INFORMATION to make sure no one was using my credit fraudulently. When I renewed a couple of months ago, they changed their policy and limited the number of times a year you could view your credit report. So I dropped them, and was going to sign up with a competitor (still playing the game) when I found out about the security freeze.

      For more info:

      http://www.privacy.ca.gov/financial/cfreeze.htm

      http://www.fightidentitytheft.com/legislation_california_sb168.html

      Of course, if you are not in California (or Texas I think), then you can try seeing if your representatives in DC will make this a national requirement.

      Joey

  2. Identity theft is indeed a big problem by Anonymous Coward · · Score: 5, Funny
    In fact, someone has stolen my account. I'm not really an AC...

    Watch out - this could happen to you.

  3. Office of Redundancy Office by jratcliffe · · Score: 5, Funny

    "...valued at $65 billion dollars"

    Come on editors, I know it's early on the West Coast, but really.

  4. Credit monitoring services by jargoone · · Score: 5, Informative

    I'm usually not paranoid, but talk of identity theft, and nearly being a victim (copied credit card when I visited Mexico), convinced me to subscribe to a credit monitoring service. They notify you right away of changes to your profile, and give you free periodic credit reports. I'm trying to start a small business, so it's more important now than ever.

    True Credit turned out to be the cheapest at $11/quarter for the basic service. This is not a referral link, and I'm not affiliated with them in any way. Just sharing information.

  5. Murder is easy too by stratjakt · · Score: 5, Insightful

    You can't prevent crimes from happening, you can only improve the ability to catch the criminals, and reduce the damages.

    Worried about ID theft? Keep a close eye on your credit card bills, credit scores, etc.. Buy a paper shredder. Shred all bank statements and whatnot before you throw them out. Internet-shminternet, dumpster diving is the fastest way to someone's finances. Get the carbons at the gas station, or stores where they still use the old carbon-thinger credit card machine.

    Cringely is a blowhard trying to scare people, but frankly this isn't news. Using the 'net really doesn't make this easier - it's always been easy.

    I knew someone who got screwed big time by a gas station who would keep the carbons, and double bill her every time she filled up, the cash going straight into the owner's pocket. She was a dope for letting it go on so long, as she never bothered scrutinizing her Visa bills. Turned out the station was owned by a Russian mobster. This was long before the world wide weeb.

    --
    I don't need no instructions to know how to rock!!!!
  6. Re:You want some wine with that cheese? by TheGreenLantern · · Score: 5, Insightful

    Never work for an employer that demands your Social Security number; if asked for it, make one up and use it instead.

    Yeah, cause this will never come back to bite you in the ass. I'm quite sure that when your employer finds out that you gave them a fraudulent SSN, you'll all just have a great big laugh over it, and they won't be calling the Department of Homeland Security or anything.

    --

    It hurts when I pee.
  7. UK line of defence against Identity Theft by Boss,+Pointy+Haired · · Score: 5, Interesting

    If you're in the UK; you can register your name / address combination with CIFAS:

    http://www.cifas.org.uk

    The service is operated on behalf of the UK financial institutions by Equifax; and will add a layer of authorisation to your name / address combination when arranging credit etc. It probably means that you won't be able to buy stuff on instant credit; but for the hassle that identity theft can bring I think it's worth it. Registration costs 12 quid for 12 months.

    Personally I'm amazed that institutions will lend large amounts of money without a definite proof of your identity; but I guess that's consumer forces for you - Dixons want you to be able to walk out of their store with that 32" wide screen TV purchased on instant credit. For all the sales that brings; they absorb the liability.

  8. Re:Avoiding the Post Office. by stratjakt · · Score: 5, Informative

    Priority mail with insurance.

    Fed-Ex or UPS won't replace your item if you didn't get insurance, either.

    We just got a PC shipped back to us from the field by UPS. The box was smashed, and the machine looks like CowboyNeal sat on it. Picking it up I could hear all the fancy shmance electromonical doodads rattling around inside the twisted case.

    UPS won't do shit about it, because the fool didn't pay the 5 bucks for insurance.

    --
    I don't need no instructions to know how to rock!!!!
  9. SSN used as identifier by Cade144 · · Score: 5, Interesting

    In the article it is mentioned that your Social Security Number is used as a universal identifier and as "proof" of identity.
    This is not a good thing.

    I work in the medical records/medical billing industry and a patient's SSN is one of the vital bits of information we collect and use to help index records.
    Also the patient's date of birth.
    For billing purposes, we need the patient's home address.
    The health insurance company also needs all this information. In fact, if we don't supply all of the patient's personal information, they often don't pay claims.

    We try to protect private information. We have yearly training, and monthly fliers reminding us of the importance of protecting confidential information. We have every bit of discarded paper shredded, and we have pretty good locks on our doors, and we have a fairly paranoid firewall, but the truly determined employee could always get their hands on thousands of patient records with everything needed for identity theft.

    It's probably the same way at hospitals and insurance companies too. Too many people have access to private information, and the social and technological controls on it are too weak.

    I hope that no one who has access to my personal information decides to do a bit of creative fundraising.

    I don't have any answers, but we ought to think of solutions pretty soon.

  10. Re:Which goes to show you... by grub · · Score: 5, Informative


    Good idea but many places won't deliver to a PO Box as they've been used for fraud for eons. They want a brick & mortar delivery point.

    --
    Trolling is a art,
  11. How I Deal With Identity Theft by jbottero · · Score: 5, Funny

    My solution to discourage anyone from stealing my identity has been to default on all my student loans, consistently pay my credit cards a few months late, and write anti-government propaganda letters to the local paper (amazingly, I still have my DoD security clearance!). The scammers run screaming...

  12. Stealing bank details by pubjames · · Score: 5, Interesting

    In the last couple of months there has been an increasing number of very sophisticated email scams.

    For instance, E-Gold members (and others) have been receiving emails like this:

    Dear e-gold user.

    At 09.05.2003 our company was attacked by unknown
    persons. Out administrators is working on the database restoring.
    If you have an active account, please check if it is still active, your
    current balance is right and all transactions can be processed.
    If you find that your account is inactive, please letus know
    immediately at e-mail service@e-gold.com
    To check your account, please click on the link below:
    https://e-gold.com/sci_asp/payments.asp


    It looks official, doesn't it? And the link looks ok too. But it is an html email, and the actual link went to a page located at e-gold2.com, which looked exactly like the real e-gold site. Thus the fraudsters were able to get people's log-on details. More here.

    In the UK, many people have been receiving emails that look as if they are from Barclays bank (one of the biggest in the UK). It is a similar scam to the e-gold one. More here.

    I myself have received an email asking me to update my ebay account details. Only on close inspection did I realise that it was a fraud.

    I find this extremely worrying. Personally I am probably like many Slashdotters - paranoid about security and difficult to catch out. However most people aren't like that, and this new type of scam email is an extremely worrying development, because it could catch a lot of people out. People really need to be informed about this type of scam, but I've yet to see much in the press about it. Any journalists reading..?
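The "close inspection" described in the comment above can be automated. The following is an added example, not part of the original comment: it parses an HTML email body and flags any link whose visible text names one host while its `href` goes to another. The sample message is constructed; the path on e-gold2.com and the function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Visible link text that itself looks like a URL or a bare hostname.
URLISH = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[:/?#]\S*)?$", re.I)


def host_of(value):
    """Lower-cased hostname of a URL or bare host, with a leading 'www.' removed."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value              # make urlsplit treat it as a network location
    try:
        host = (urlsplit(value).hostname or "").rstrip(".").lower()
    except ValueError:                    # malformed authority, e.g. broken brackets
        return ""
    return host[4:] if host.startswith("www.") else host


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html_body):
    """Return links whose displayed host differs from the host in the href."""
    parser = AnchorCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        if not URLISH.match(text):
            continue                      # "click here" text claims no destination
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


# Constructed sample modelled on the e-gold message quoted in the comment.
SAMPLE_EMAIL = """\
<html><body>
<p>To check your account, please click on the link below:</p>
<a href="http://e-gold2.com/sci_asp/payments.asp">https://e-gold.com/sci_asp/payments.asp</a>
<p>Questions? Visit <a href="https://www.e-gold.com/help">e-gold.com/help</a>
or <a href="http://e-gold2.com/login">click here</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_mismatched_links(SAMPLE_EMAIL):
        print("text shows %(shown)s but link goes to %(actual)s (%(href)s)" % finding)
```

The third link in the sample is not flagged, because its text makes no claim about the destination; catching that case needs a comparison against the sender's known domains rather than against the link text.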

  13. It happens more than you think! by mr_resident · · Score: 5, Informative

    After I had my ID swiped by a ID-less loser, I started taking precautions:

    Xerox/scan all your bank cards, credit cards, driver's license, etc. front and back. Write down all the contact info and make sure you keep a copy in a safe place. NOT YOUR WALLET! If anything is lost or stolen call immediately!

    Open a second bank account to use for online transactions. I transfer only the amount of money I need to cover gas, lunch, online stuff to it. I don't use an ATM card on my primary checking/savings. If someone grabs a carbon, they don't get access to any more than the few bucks I keep as a buffer.

    And as many have and will say here: Don't give out your SSN, check your credit report regularly for new lines of credit and shred early - shred often!

  14. Will the REAL Robert X. Cringely please stand up? by camusflage · · Score: 5, Informative
    You're closer to the truth than I think you knew.. I dare you to ask PBS and Infoworld who Robert X. Cringely is. From an old Wired article:
    Unfortunately, in 1995, as PBS was editing Triumph of the Nerds, InfoWorld fired [Mark] Stephens [who had written the Cringely column for years--ed] - which was sort of like firing Mary Ann Evans from being George Eliot. InfoWorld thought that it ought to have exclusive dibs on the Cringely name. (In a spooky twist, if anyone really owns the rights to the Cringely name, it is probably Cringely's girlfriend's father, who put an imaginary "Al Cringely" scapegoat on his PR firm's masthead decades ago. The surname was eventually imported by InfoWorld.) Cringely still feels the betrayal deeply - first because, as he sees it, InfoWorld dismissed him without warning, and second, because they accused him of trademark infringement for continuing to use the name that he had done so much to build. "InfoWorld sued me," he says, still sounding incredulous. The case was settled out of court; InfoWorld kept the trademark, and today, another scribe's Cringely column appears in its pages every week. But the company was ordered to pay Cringely's court costs, and he was given license to use the coveted name professionally - "As long as he doesn't use it in computer publications," InfoWorld's editor, Sandy Reed, who fired him, clarifies. "PBS we don't compete with." The lowly Cringely, as ever, somehow came out on top.
    --
    The truth about Scientology, Xenu, and you: Operation Clambake
  15. Cause and Prevention by nanojath · · Score: 5, Informative
    One of the issues not often addressed is the misuse (in my opinion, and some would argue by its original intention) of the Social Security number as a universal identifier in so many public and private functions. It happens for convenience - the SS # is government issued, unique and relatively difficult to spoof, so it's handy. But it shouldn't be allowed. The SS # should be used by the government for tax identification and issuance of SS and related benefits only. Unfortunately nobody wants to open this huge can of worms.


    There is certainly a degree of catch-22 involved between convenience and security. When my wallet was stolen with license and SS card (dumb to carry both but I recently needed them starting a new job) a few years back, I was glad that I was able to get a new driver's license with no identification except a birth certificate copy I was able to get with just my SS number and no identification - but the ease of doing so certainly gave me pause for thought.


    In addition to the sound advice of shredding, a good idea is to lock your credit reports from being issued without your consent and opting out of pre-approved CC offers. Instructions for both at this article - http://abcnews.go.com/sections/scitech/TechTV/techtv_fraudprevent030815.html


    I'm just thankful my house has a mail slot that drops into an inaccessible bin inside the home.

    --

    It Is the Nature of Information to Transgress Artificial Boundaries

  16. wait until this happens to you by Anonymous Coward · · Score: 5, Informative

    The newest scam are VINs, the vehicle identification number. Once you have that and the proper books, you can cut keys.

    With the key, you just drive it off the shopping mall lot. And there's no sign of forced entry, so the insurance company says "you left the key in the ignition, tough for your claim." Happened to us on vacation. And 10 year old clean cars are in more demand for the body parts, it isn't just the new Hondas.

    Tape over that damned number.

  17. Stolen credit card number by baywulf · · Score: 5, Insightful

    Once I came home in the evening and got a message on the answering machine to call my card company asap because of possible fraudulent charges. I soon enough called the number they gave me and identified my card number and password. Then I told them about my message and they started looking it up on the computer. After 30 seconds the guy says that the computer is slow and other excuses. After another 30 seconds he apologizes and suggests I call back later since the computer seems down. So I put down the phone and then it suddenly hits me that I have no way to verify that the other side was the credit card company. It didn't feel right that a major financial company would have computer problems like this. So now I immediately called back the number on the back of my card and got through okay. They did verify that I had fraudulent charges and canceled my number. I asked them about the other number but they were not too concerned and guessed it might be an internal fraud line number.

    In conclusion I still don't know if the original number was real or not. It could have been the card thieves trying to trick me. After getting the new card, I checked my credit report a month later to verify nothing new had been opened. The lesson I learned is to never use a number you cannot authenticate when doing sensitive stuff like this.

  18. We do not have identities. by Prometheus_NG · · Score: 5, Insightful

    I think something very vital is being missed here. Your name, address, phone number, and SSN is not your identity. This is all public information. The problem is that we treat this information as if it was our identity.

    Are people really suggesting that this information be "secret"? The SSN is not meant to be secret, can not really be secret, and every SSN card says explicitly that it is not meant to be secret.

    Surely we are not suggesting that one's name, address, and telephone number be secret.

    The problem is that this non-secret, non-unique information is used to identify people for many significant transactions. I.E. Driver's license, Mortgages, Credit Cards, etc...

    The other problem is many people are opposed to instituting any kind of authoritative nation wide identification system.

    Put aside your libertarian angst for a second and imagine if we did have a national DNA registry that positively and uniquely identified everyone. Sure we have all seen Gattaca and imagine ways of forging DNA derived identification, but it would be much harder.

    Much harder than the current system where all the tokens we use to identify ourselves are from non-secret, non-uniquely identifying information sources.