Dumpster-Diving for Your Identity

The NYT magazine has a story titled Dumpster-Diving for Your Identity - the author interviews two convicted identity thieves talking about their methods and successes.

Cringely articles on identity theft

[UrgleHoth]

Here is an interesting couple of articles on identity theft by Robert X. Cringely (or Mark Stephens, depending on your version of reality).

Ego, Super-ego, and ID Theft
How to Steal $65 Billion

Same Story without the Registration

[FelixCat]

The NY Times article is about a guy named Stephen Massey.
A little googling resulted in the same basic story without the registration:

refers to future article in NY Times

and

Over a year ago on CBS News

Full Article Text without Karma Whore

Dumpster-Diving for Your Identity
By STEPHEN MIHM

Published: December 21, 2003

tephen Massey was only a few minutes late, yet he apologized profusely as he strode into the lobby of a crowded restaurant in downtown Eugene, Ore. ''I'm very punctual about my time,'' he said, clasping my hand in a firm shake. With his freshly combed hair, crisp white shirt and trimmed mustache, he looked like an off-duty cop or fireman -- a ''pillar of the community,'' as he later described himself, a wolfish smile playing across his lips. Far from it: Massey, 39, directed one of the most extensive and notorious identity-theft rings prosecuted so far by federal authorities. By the time investigators broke the case, Massey and his partner in crime, a computer whiz named Kari Melton, had ruined hundreds of people's credit. A judge sentenced them to prison in 2000; Melton was released in 2001, Massey the next year.

Advertisement

The Federal Trade Commission estimates that identity theft costs nearly $53 billion annually. Some seven million people were victimized in 2002. Yet little is known about how the perpetrators actually operate. It's a popular perception that most identity theft happens on the Internet, but over the course of dinner, Massey quickly made clear that low-tech methods of getting people's personal information are far more effective. ''Every day was exciting,'' he recalled between mouthfuls of potato skins. ''We went to Vegas, Atlantic City. We made a business of it. It was like James Bond . . . 'Mission: Impossible.'''

In late October, Massey disappeared, violating the terms of his supervised release and prompting a national warrant for his arrest. It had become clear to me in five months of interviews that not everything he said was to be trusted, although much of it was verified by the detectives and prosecutors who had already investigated his crimes and by Kari Melton. As for Massey's current whereabouts, Steve Williams, a detective in the Eugene Police Department, who worked on the first case against Massey and is once again on his trail, said: ''My gut feeling is that he is in the Seattle area'' -- where he has family -- ''back to his old tricks, doing drugs, identity theft and counterfeit checks.''

If Massey has indeed resumed operations, it's a sure thing that he's not working alone. His identity-theft crimes depended on the work of a carefully built ring, one that employed hordes of petty thieves and drug addicts. If he sticks to his old techniques, his crimes will originate in Dumpsters and garbage cans, where information can be culled from discarded personnel files and other trash. It's not the most glamorous crime, but that doesn't make it any less devastating to its victims.

Discovering the Dump

Massey's life began to unravel in his late 20's, soon after he started experimenting with the highly addictive stimulant methamphetamine. Before that, Massey achieved some semblance of success, managing an awning-maintenance company, marrying and, with his wife, having two daughters. Then he and his wife divorced in 1992. Soon after, he remarried, and divorced a year later. His business began to decline. Sometime in the mid-90's, his teenage girlfriend offered him some meth. ''So here I am with no place to live, on the rebound and with a habit,'' Massey recounted. ''Who wants to look for a job again?'' Massey began hanging out with a much younger crowd of meth addicts, called ''tweakers,'' and forging checks to feed his drug use. It was during this time that he began to wonder if he could hijack people's identities for profit. He stumbled onto the answer soon after, when the meth-heads invited him to go ''Dumpster diving'' for junk. Massey and the teenagers piled into his Ford Explorer and drove to the outskirts of Eugene.

''It was the first time I had ever been to the dump,'' Massey recalled, wrinkling his nose. ''I said, 'I'm not going to get dirty,' so I wandered over to a shed where the recycling was stored. I notice there's a big barrel for rec

Re:Shredding doesn't offer much protection either.

[Brushfireb]

While I cannot say for what reasons the poster above uses professional shredding services, I do know why such services still exist.

The difference between a $30 Office-Depot Shredder and a good commercial shredder is significant. The Cheapo shredder usually shredes only vertically, and does so usually so that there are about 20 cuts down one page. People sending 3-4 documents in at once will find that they have those 3-4 documents nearly intact, just cut into 20 vertical peices which are easy to put back together if someone is careful in extraction.

On the other hand, good commercial shredders litterall demolish the paper, turning it into sawdust like material that would be impossible (virtually) to reconstruct. Along these same lines, good document security companies use combination of methods, not just shredding to ensure security (read: chemical treatment, randomization, etc).

Brushfireb

Get a locking mailbox too.

[gtrubetskoy]

If your mailbox is on the curbside like mine, seriously consider getting a secure lockable one where the mailman can only drop mail off, but a key is required to retreive it. I just received mine from oregontrailbox. I did some research, there are a few places that sell those under different names, but the ones I liked are actually the same box that seems to be manufactured by pinnacle (or pinnacle is yet another reseller of the same box made by a unknown third party....)

In any event, I will be installing my Heavy Duty Standard tomorrow...

--
OpenHosting Virtual Servers for the geeks.

Re:Shredding doesn't offer much protection either.

[the+pickle]

since personal shredders are only $30, why does your company use the shredding service at all? It would probably be cheaper to outfit every employee (or at least every department) with their own shredder than pay for 2 months of that service

Because $30 personal shredders suck ass. They're cheaply made, their motors burn up if you put more than 5 sheets at a time through them with any regularity, and they jam very easily.

Spend a hundred for each one and you might get something worth using.

Spend $1500 for a serious industrial crosscut confetti model and let 30 employees share it and your company is probably far better off than with either of the above options, or the shredding service.

Bonus points if the company then sells the shredded paper *directly* to a pulp mill ;)

p

Dumpster diving old home directories

[mikewas]

I just had to run in to work to create a report. I needed some data in a former employee's directory, so logged on as root & changed permissions so I could read anything in his directory tree.

He had all sorts of personal data in his home direcrtory: passport & visa applications, paycheck stubs for several years, copies of expense accounts including scans of credit card statements, info about his retirement from the company we used to be a part of, ...

Once I realized what it was I rm'ed it, but what would posses a supposedly rational person to not only save this data to a networked machine at work but to leave it there after leaving the company?

Curtail use of your SSN

[Presence1]

When the Social Security Act was originally passed in the 30s, there was a significant concern that the SSN would become a de-facto Citizen ID. To allay this concern, the law contained specific provisions making it ILLEGAL to require the use of the SSN for any use not directly related to its purpose in identifying income and determining benefits. In other words, if you are not being paid, or having the opportunity to earn interest, they cannot require you to divulge your sSSN

The two primary examples of this use are the medical profession adn the Motor Vehicles establishment, both of whom seem to think the SSN is a handy Unique ID. Obviously, this magnifies the security risk for anyone who complies. Here's how to deal with both.

When you sign up for health insurance, fill in the SSN field with the phrase "assign ID". Sometimes they will just do it, but usually some clerk will complain that you haven't completed the form, they can't process it, etc. Firmly explain (often several times) that this is illegal, and that their companies have procedures to handle this, and that they need to speak to their manager. They will soon return with a sheepish demeanor, and you will get an ID in the SSN format.

Now, whenever you go to ANY doctor, dentist, hospital, or whatever, fill in this assigned ID as your SSN on their form. If asked whether this is your SSN, simply respond that "This is the correct ID.", and do not let pressure you into revealing your SSN.

The DMV and police may be easier or more difficult to deal with. The DMV should have a checkbox on the form which allows you to decline using the SSN, usually with some corresponding inconvenience. E.g., some states will require you to come in for renewed licenses, whereas they will mail them if your SSN is in their system. If your state doesn't have this option and you cannot argue them out of it, transposing a few digits might not be a bad idea.

When dealing with the police (e.g., in a speeding ticket situation), I've found it is best not to tell them that their request for your SSN is illegal. Best to just say that you don't remember it. Of course you don't want to give false information, right?

These tactics will obviously not close all vulnerabilities, but they will eliminate two major potential sources of identity theft. Good Luck.

Re:Curtail use of your SSN

[michael]

This is not really accurate. The whole first paragraph of that comment is false.

There are no laws that forbid the private use of the SSN for any reason whatsoever. Any private entity may demand your SSN as a condition for interacting with you; you must provide it or they may refuse to interact with you. (For instance, getting health insurance or a credit card.) The Privacy Act of 1974 made some restrictions relating to *governmental* (only) uses of the SSN as an identifier; when government agencies demand your SSN, they have to tell you their legal authority for requesting it and what the penalties are for failure to comply. This requirement is largely ignored in practice - for instance, when I was serving on jury duty, the court clerk demanded my SSN (to withhold income taxes on the $12/day jury payment), and when I pointed out that they were violating the law by not disclosing the authority for this request, the clerk was singularly unimpressed. If the court system is violating the law... but I digress.

The rest of the comment (seek to use an assigned number rather than your SSN whenever possible) is good advice, and will often work, albeit at the cost of some hassle. CPSR has a good FAQ with some more information.

Re:Compost them, don't burn them!

[xyote]

Actually, don't do either. Some of those colored inks are quite toxic.

Credit Verification system

[Aetrix]

I don't know exactly how this is setup, but my father has some type of high-security flag set with the credit agencies. I found out about when he cosigned for a loan with me. He owns his own business and his business had identity-theft problems a few years back.

So basically how it works, is that there's a phone number specified on his credit report and a secret question and answer. So if anyone makes an attempt to check my father's credit history, or take out credit in his name or SSN, the creditor must call the listed phone number and my father must answer the phone. They identify themselves and what creditor they're representing. Then they ask the security question and my father gives the correct answer. Now business can proceed as usual.

It gets more secure when the security question/answer must be changed each time it's used. Plus, changing the phone number requires a 30-day written notice.

I think that's a GREAT idea... Why don't more people implement that? Once I get some actual credit, instead of just Student Loans, I'm going to put that security measure on MY credit!

Re:Credit Verification system

Anyone can do this (in the U.S. at least)... just call the three credit reporting agencies, and ask your account to be flagged with a "Fraud Alert". As an added bonus, companies that use your credit report to see if you are 'eligible' for their junkmail (i.e. credit card applications) are prohibited from sending you anything further.

I had to do this a couple of years ago after someone stole my identity and started opening credit card accounts and spending thousands of dollars. Fortunately one of the banks caught some inconsistencies (very similar story to one of the above posts) which alerted me to the whole situation.

Fraud Alerts 'expire' after a certain period (I think 2 years or 7 years depending which credit agency) but you can easily reinstate them. I will definitely continue to 'renew' mine. The minor inconvenience is that it will be more difficult/impossible to open a credit card account for a retail store (but these are mostly pointless) unless your cell phone number is the one associated with the fraud alert.

Re:Credit Verification system

[mabu]

This is called Fraud Alert and it's a very useful utility and a device to get free copies of all your credit reports.