Slashdot Mirror


Dumpster-Diving for Your Identity

The NYT magazine has a story titled Dumpster-Diving for Your Identity - the author interviews two convicted identity thieves talking about their methods and successes.

28 of 344 comments

  1. Cringely articles on identity theft by UrgleHoth · · Score: 5, Informative

    Here is an interesting couple of articles on identity theft by Robert X. Cringely (or Mark Stephens, depending on your version of reality).

    Ego, Super-ego, and ID Theft
    How to Steal $65 Billion

    --

    Dogma - "let's just say we'd like to avoid any empirical entanglements."
  2. Same Story without the Registration by FelixCat · · Score: 4, Informative
    The NY Times article is about a guy named Stephen Massey.
    A little googling resulted in the same basic story without the registration:

    refers to future article in NY Times

    and

    Over a year ago on CBS News

  3. NYT random login by Anonymous Coward · · Score: 2, Informative

    >>Remind me to check my dumpster here at the office for a NYT login...

    Use this to randomly generate a login for you
    http://www.majcher.com/nytview.html

  4. Full Article Text without Karma Whore by Anonymous Coward · · Score: 5, Informative

    Dumpster-Diving for Your Identity
    By STEPHEN MIHM

    Published: December 21, 2003

    Stephen Massey was only a few minutes late, yet he apologized profusely as he strode into the lobby of a crowded restaurant in downtown Eugene, Ore. ''I'm very punctual about my time,'' he said, clasping my hand in a firm shake. With his freshly combed hair, crisp white shirt and trimmed mustache, he looked like an off-duty cop or fireman -- a ''pillar of the community,'' as he later described himself, a wolfish smile playing across his lips. Far from it: Massey, 39, directed one of the most extensive and notorious identity-theft rings prosecuted so far by federal authorities. By the time investigators broke the case, Massey and his partner in crime, a computer whiz named Kari Melton, had ruined hundreds of people's credit. A judge sentenced them to prison in 2000; Melton was released in 2001, Massey the next year.

    The Federal Trade Commission estimates that identity theft costs nearly $53 billion annually. Some seven million people were victimized in 2002. Yet little is known about how the perpetrators actually operate. It's a popular perception that most identity theft happens on the Internet, but over the course of dinner, Massey quickly made clear that low-tech methods of getting people's personal information are far more effective. ''Every day was exciting,'' he recalled between mouthfuls of potato skins. ''We went to Vegas, Atlantic City. We made a business of it. It was like James Bond . . . 'Mission: Impossible.'''

    In late October, Massey disappeared, violating the terms of his supervised release and prompting a national warrant for his arrest. It had become clear to me in five months of interviews that not everything he said was to be trusted, although much of it was verified by the detectives and prosecutors who had already investigated his crimes and by Kari Melton. As for Massey's current whereabouts, Steve Williams, a detective in the Eugene Police Department, who worked on the first case against Massey and is once again on his trail, said: ''My gut feeling is that he is in the Seattle area'' -- where he has family -- ''back to his old tricks, doing drugs, identity theft and counterfeit checks.''

    If Massey has indeed resumed operations, it's a sure thing that he's not working alone. His identity-theft crimes depended on the work of a carefully built ring, one that employed hordes of petty thieves and drug addicts. If he sticks to his old techniques, his crimes will originate in Dumpsters and garbage cans, where information can be culled from discarded personnel files and other trash. It's not the most glamorous crime, but that doesn't make it any less devastating to its victims.

    Discovering the Dump

    Massey's life began to unravel in his late 20's, soon after he started experimenting with the highly addictive stimulant methamphetamine. Before that, Massey achieved some semblance of success, managing an awning-maintenance company, marrying and, with his wife, having two daughters. Then he and his wife divorced in 1992. Soon after, he remarried, and divorced a year later. His business began to decline. Sometime in the mid-90's, his teenage girlfriend offered him some meth. ''So here I am with no place to live, on the rebound and with a habit,'' Massey recounted. ''Who wants to look for a job again?'' Massey began hanging out with a much younger crowd of meth addicts, called ''tweakers,'' and forging checks to feed his drug use. It was during this time that he began to wonder if he could hijack people's identities for profit. He stumbled onto the answer soon after, when the meth-heads invited him to go ''Dumpster diving'' for junk. Massey and the teenagers piled into his Ford Explorer and drove to the outskirts of Eugene.

    ''It was the first time I had ever been to the dump,'' Massey recalled, wrinkling his nose. ''I said, 'I'm not going to get dirty,' so I wandered over to a shed where the recycling was stored. I notice there's a big barrel for rec

  5. Not news by cpopin · · Score: 2, Informative

    This is not a new technique and doesn't seem worthy of a Slashdot story. Low tech identity theft is nothing new or hard to do.

    --
    -=- Many seek good nights and lose good days.
  6. Re:Shredding doesn't offer much protection either. by Brushfireb · · Score: 5, Informative

    While I cannot say for what reasons the poster above uses professional shredding services, I do know why such services still exist.

    The difference between a $30 Office-Depot Shredder and a good commercial shredder is significant. The Cheapo shredder usually shreds only vertically, and does so usually so that there are about 20 cuts down one page. People sending 3-4 documents in at once will find that they have those 3-4 documents nearly intact, just cut into 20 vertical pieces which are easy to put back together if someone is careful in extraction.

    On the other hand, good commercial shredders literally demolish the paper, turning it into sawdust-like material that would be impossible (virtually) to reconstruct. Along these same lines, good document security companies use a combination of methods, not just shredding, to ensure security (read: chemical treatment, randomization, etc).

    Brushfireb

  7. Get a locking mailbox too. by gtrubetskoy · · Score: 5, Informative

    If your mailbox is on the curbside like mine, seriously consider getting a secure lockable one where the mailman can only drop mail off, but a key is required to retrieve it. I just received mine from oregontrailbox. I did some research, there are a few places that sell those under different names, but the ones I liked are actually the same box that seems to be manufactured by pinnacle (or pinnacle is yet another reseller of the same box made by an unknown third party....)

    In any event, I will be installing my Heavy Duty Standard tomorrow...

    --
    OpenHosting Virtual Servers for the geeks.

    1. Re:Get a locking mailbox too. by ajs318 · · Score: 3, Informative

      In Britain, your "letter box" is just a slot in your front door, far enough from the locking mechanism that you can't put your hand in and open the door. Stuff can be pushed in, but not taken out. It works quite well.

      --
      Je fume. Tu fumes. Nous fûmes!
  8. Re:I don't know if he was kidding... by Anonymous Coward · · Score: 1, Informative

    That sounds extreme for TS documents. When I was handling them they went into burn bags that got thrown (by the lucky volunteer) into the massive shredder. The cool part was "feeding" the shredder a 2x4 every day or so to keep it sharpened. Milk Bones for Machines.

    I assume the "burn bag" moniker was a throwback to the older days, as there was no "burn" step after the shredding.

    So folks, if you simply shred, it's good enough for government work!

  9. Re:Shredding doesn't offer much protection either. by the+pickle · · Score: 5, Informative

    since personal shredders are only $30, why does your company use the shredding service at all? It would probably be cheaper to outfit every employee (or at least every department) with their own shredder than pay for 2 months of that service

    Because $30 personal shredders suck ass. They're cheaply made, their motors burn up if you put more than 5 sheets at a time through them with any regularity, and they jam very easily.

    Spend a hundred for each one and you might get something worth using.

    Spend $1500 for a serious industrial crosscut confetti model and let 30 employees share it and your company is probably far better off than with either of the above options, or the shredding service.

    Bonus points if the company then sells the shredded paper *directly* to a pulp mill ;)

    p

  10. Dumpster diving old home directories by mikewas · · Score: 4, Informative
    I just had to run in to work to create a report. I needed some data in a former employee's directory, so logged on as root & changed permissions so I could read anything in his directory tree.

    He had all sorts of personal data in his home directory: passport & visa applications, paycheck stubs for several years, copies of expense accounts including scans of credit card statements, info about his retirement from the company we used to be a part of, ...

    Once I realized what it was I rm'ed it, but what would possess a supposedly rational person to not only save this data to a networked machine at work but to leave it there after leaving the company?

    --

    "Glory is fleeting, but obscurity is forever." --Napoleon Bonaparte
  11. Re:I don't know if he was kidding... by Anonymous Coward · · Score: 1, Informative

    Depends on the location and the epoch. In the early 90s we cross shredded in Huachuca, fine enough that you could take the residue home for garden mulch. However, we burned in Honduras and other remote airfields. Big mesh barrel, would hold 100gal if it was solid. Had rocks in it and we turned it on a spit as the fire burned. The rocks acted like a ball-mill and pulverized the ashes. Was a damn pity, since we burned a lot of film. Back in Ft Huachuca, we shredded the film, and then we were able to turn it in for silver recovery. Bought plenty of beer with the proceeds for the department.

    Anon 96Hotel

  12. Curtail use of your SSN by Presence1 · · Score: 5, Informative
    When the Social Security Act was originally passed in the 30s, there was a significant concern that the SSN would become a de-facto Citizen ID. To allay this concern, the law contained specific provisions making it ILLEGAL to require the use of the SSN for any use not directly related to its purpose in identifying income and determining benefits. In other words, if you are not being paid, or having the opportunity to earn interest, they cannot require you to divulge your SSN.

    The two primary examples of this use are the medical profession and the Motor Vehicles establishment, both of whom seem to think the SSN is a handy Unique ID. Obviously, this magnifies the security risk for anyone who complies. Here's how to deal with both.

    When you sign up for health insurance, fill in the SSN field with the phrase "assign ID". Sometimes they will just do it, but usually some clerk will complain that you haven't completed the form, they can't process it, etc. Firmly explain (often several times) that this is illegal, and that their companies have procedures to handle this, and that they need to speak to their manager. They will soon return with a sheepish demeanor, and you will get an ID in the SSN format.

    Now, whenever you go to ANY doctor, dentist, hospital, or whatever, fill in this assigned ID as your SSN on their form. If asked whether this is your SSN, simply respond that "This is the correct ID.", and do not let them pressure you into revealing your SSN.

    The DMV and police may be easier or more difficult to deal with. The DMV should have a checkbox on the form which allows you to decline using the SSN, usually with some corresponding inconvenience. E.g., some states will require you to come in for renewed licenses, whereas they will mail them if your SSN is in their system. If your state doesn't have this option and you cannot argue them out of it, transposing a few digits might not be a bad idea.

    When dealing with the police (e.g., in a speeding ticket situation), I've found it is best not to tell them that their request for your SSN is illegal. Best to just say that you don't remember it. Of course you don't want to give false information, right?

    These tactics will obviously not close all vulnerabilities, but they will eliminate two major potential sources of identity theft. Good Luck.

    1. Re:Curtail use of your SSN by michael · · Score: 5, Informative

      This is not really accurate. The whole first paragraph of that comment is false.

      There are no laws that forbid the private use of the SSN for any reason whatsoever. Any private entity may demand your SSN as a condition for interacting with you; you must provide it or they may refuse to interact with you. (For instance, getting health insurance or a credit card.) The Privacy Act of 1974 made some restrictions relating to *governmental* (only) uses of the SSN as an identifier; when government agencies demand your SSN, they have to tell you their legal authority for requesting it and what the penalties are for failure to comply. This requirement is largely ignored in practice - for instance, when I was serving on jury duty, the court clerk demanded my SSN (to withhold income taxes on the $12/day jury payment), and when I pointed out that they were violating the law by not disclosing the authority for this request, the clerk was singularly unimpressed. If the court system is violating the law... but I digress.

      The rest of the comment (seek to use an assigned number rather than your SSN whenever possible) is good advice, and will often work, albeit at the cost of some hassle. CPSR has a good FAQ with some more information.

  13. Re:Important add-on by pliny3 · · Score: 2, Informative
    I'm not saying I'm agreeing with the parent post, but if you do, please remember that certain papers must be filed by you for a period of up to 10 years.. so you might want to do what most people in this situation do: buy a small file-safe... otherwise you might end up having troubles with the IRS, and we don't want that, do we?

    With regards to US personal federal income tax, the recordkeeping requirement is 3 years from filing or 2 years from payment, whichever is later. See 2002 Form 1040 Instructions (pdf), page 60.

  14. Re:Important add-on by karevoll · · Score: 2, Informative

    YMMV, as these are figures that will vary between country and country. Also, there are different kinds of papers for different purposes (of course), which will (of course) have to be properly stored for different amounts of time. :)

  15. Re:Compost them, don't burn them! by xyote · · Score: 5, Informative

    Actually, don't do either. Some of those colored inks are quite toxic.

  16. Credit Verification system by Aetrix · · Score: 4, Informative

    I don't know exactly how this is set up, but my father has some type of high-security flag set with the credit agencies. I found out about it when he cosigned for a loan with me. He owns his own business and his business had identity-theft problems a few years back.

    So basically how it works, is that there's a phone number specified on his credit report and a secret question and answer. So if anyone makes an attempt to check my father's credit history, or take out credit in his name or SSN, the creditor must call the listed phone number and my father must answer the phone. They identify themselves and what creditor they're representing. Then they ask the security question and my father gives the correct answer. Now business can proceed as usual.

    It gets more secure when the security question/answer must be changed each time it's used. Plus, changing the phone number requires a 30-day written notice.

    I think that's a GREAT idea... Why don't more people implement that? Once I get some actual credit, instead of just Student Loans, I'm going to put that security measure on MY credit!

    --

    "One touch of Darwin makes the whole world kin." George Bernard Shaw
    1. Re:Credit Verification system by Anonymous Coward · · Score: 5, Informative

      Anyone can do this (in the U.S. at least)... just call the three credit reporting agencies, and ask your account to be flagged with a "Fraud Alert". As an added bonus, companies that use your credit report to see if you are 'eligible' for their junkmail (i.e. credit card applications) are prohibited from sending you anything further.

      I had to do this a couple of years ago after someone stole my identity and started opening credit card accounts and spending thousands of dollars. Fortunately one of the banks caught some inconsistencies (very similar story to one of the above posts) which alerted me to the whole situation.

      Fraud Alerts 'expire' after a certain period (I think 2 years or 7 years depending which credit agency) but you can easily reinstate them. I will definitely continue to 'renew' mine. The minor inconvenience is that it will be more difficult/impossible to open a credit card account for a retail store (but these are mostly pointless) unless your cell phone number is the one associated with the fraud alert.

    2. Re:Credit Verification system by mabu · · Score: 5, Informative

      This is called Fraud Alert and it's a very useful utility and a device to get free copies of all your credit reports.

  17. Re:how to find out? by princewally · · Score: 2, Informative

    If you check your own credit report with the credit bureaus, it does not get reflected on your credit rating.

    Banks don't get to see how often you check your report.

    --

    -
    "Vengeance is fine," sayeth the Lord.
  18. Re:I tried, really! by Anonymous Coward · · Score: 2, Informative

    You don't need a google news link. Simply search for the url of the story itself kind of like this and then click on the link following "If the URL is valid, try visiting that web page by clicking on the following link:"

    NYT simply does a referrer check.

  19. Instant NYTimes registration by Safety+Cap · · Score: 1, Informative

    Go grab the random NYTimes registration form. Works every time!

    --
    Yeah, right.
  20. You don't have to give out your SSN by mabu · · Score: 3, Informative

    By law, with few exceptions relating to the government, you are not obligated to give *anyone* your social security number. This is protected by the Fair Credit Billing Act of 1976 and the 1974 Privacy Act. The ACLU has some good info on your rights and your SSN.

  21. Re:Shredding doesn't offer much protection either. by inode_buddha · · Score: 3, Informative
    Taking it a step further... some family members work for DoD contractors. They have a system where used toner cartridges are accounted for before incinerating them because a bit of skill can retrieve the last few pages from them. Same for media such as CD's and HDD's. The machines these parts come from are locked in a bank vault with *no* networking, no portable devices allowed, etc.

    I can vouch for the effectiveness of dumpster diving; I snarfed the entire budget info for the science dept. in college once. Interesting reading, too.

    --
    C|N>K
  22. Re:No you didn't by TheMidget · · Score: 2, Informative
    You know, as root you don't need to change permissions in order to read/write his files.

    He was root on an NFS client, browsing files on the server. In that situation, root (on the client) is mapped to nobody on the server, i.e. not very useful.

    In order to read the data, he needs to change his identity to the file's owner first.

    Either you're a troll, or you're a pretty stupid sysadmin for not knowing this.

    Or, maybe he had only the root password of a couple of NFS clients, but not the server?

    for not destroying his home

    If he was not the sysadmin of the server, it was none of his responsibility to do this kind of cleanup when the guy left.
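
An added example, not part of any comment in this thread: a sketch of the audit that comment 10's discovery suggests, listing home directories left behind by departed users and flagging files that contain SSN-shaped strings or Luhn-valid card numbers. The names `audit_homes` and `active_users`, the assumption that a home directory is named after its login, and the sample data are constructed for illustration; files the scanning account cannot open (for instance root mapped to nobody on an NFS client, as comment 22 describes) are reported as unreadable rather than silently skipped.

```python
import re
import tempfile
from pathlib import Path

# Illustrative patterns (assumptions of this example, not a complete PII detector).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
MAX_BYTES = 1_000_000  # read at most the first 1 MB of each file


def luhn_ok(number):
    """Return True if the digits in `number` pass the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Label text that holds an SSN-shaped string or a Luhn-valid card number."""
    labels = set()
    if SSN_RE.search(text):
        labels.add("ssn")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        labels.add("card")
    return labels


def audit_homes(home_root, active_users):
    """Map each home directory without an active owner to its flagged files."""
    # Assumption: directory name == login name. On a real system, build
    # active_users from the account database (e.g. pwd.getpwall()).
    report = {}
    for home in sorted(Path(home_root).iterdir()):
        if home.is_symlink() or not home.is_dir() or home.name in active_users:
            continue
        hits = []
        for path in sorted(home.rglob("*")):
            if path.is_symlink() or not path.is_file():
                continue        # never follow links out of the home directory
            rel = path.relative_to(home).as_posix()
            try:
                with open(path, "rb") as fh:
                    text = fh.read(MAX_BYTES).decode("utf-8", "replace")
            except OSError:     # e.g. permission denied for a squashed root
                hits.append((rel, {"unreadable"}))
                continue
            labels = classify(text)
            if labels:
                hits.append((rel, labels))
        report[home.name] = hits
    return report


def demo():
    """Run the audit over a constructed directory tree (all values are fake)."""
    with tempfile.TemporaryDirectory() as root:
        docs = Path(root, "bob", "docs")
        docs.mkdir(parents=True)
        Path(root, "alice").mkdir()
        (docs / "expenses.txt").write_text(
            "card 4111 1111 1111 1111\nSSN 078-05-1120\n")
        Path(root, "bob", "notes.txt").write_text("ticket 4111111111111112\n")
        return audit_homes(root, {"alice"})
```

The report is meant to feed an offboarding review: a flagged or unreadable file is a prompt to archive or securely delete the directory under whatever retention policy applies, not a verdict on its contents.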

  23. i think you're all forgetting something... by painehope · · Score: 3, Informative

    very important. Screw your home dumpster, screw your office. The most dangerous place for your credit cards is where you shop. It's a really bad idea to shop anywhere that prints out credit card receipts w/ full numbers, or takes ( shudder ) a direct print of your card.

    Want to know why? The manager that collects all those receipts might be honest enough, but do you know what a lot of those places do w/ their receipts? After anywhere from 1-3 years, a lot of them just throw boxes full of them in the dumpster. A college bookstore I worked at when I was starting college did just that. Literally thousands of credit card receipts w/ full pin numbers, signatures, and names in the bin. A lot of places shred those receipts when they're done, but some don't. And think of the traffic a college bookstore generates.

    Before you say anything like "well, you didn't have an id, address, or a social or anything like that", imagine the damage I could have done had I been so inclined to steal some of those numbers and then used them where I had a friend on the inside. Or done the digging to find that person's SSN, address, or whatever.

    Trust me, I was so tempted to finance the rest of college education w/ a little bit of scamming. Thankfully, I had a hellish cunt of a girlfriend that ruined my life so badly that I dropped out of college and went to work in IT.

    Damn...now that I think about it, maybe theft was the better option...

    --
    PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
  24. Re:hey.. by Anonymous Coward · · Score: 1, Informative

    If there is a sound card fitted, dd if=/dev/dsp of=/dev/hda will give it some real entropy from static and power hum.

    One overwrite is enough as long as the data is random. Not only can you not tell a 1 that used to be a 0 from a 1 that always was a 1, or a 0 that used to be a 1 from a 0 that was always a 0, but you don't know whether the 1 or 0 it used to have been got overwritten with a 1 or a 0. You might be able to tell something of past history by opening up the drive; but, as storage densities get higher and higher, there are fewer and fewer oxide molecules used to store each bit and so the chances of there being anything useful are diminishing.

    Also, credit card numbers are only valid for a few years, and some people change their card every 6 months or so to take advantage of an introductory offer ..... there are enough card companies that you can do the Grand Tour and the first company will have forgotten about you by the time you re-apply for a card with them.