Dumpster-Diving for Your Identity
The NYT magazine has a story titled Dumpster-Diving for Your Identity - the author interviews two convicted identity thieves talking about their methods and successes.
Remind me to check my dumpster here at the office for a NYT login...
But seriously, we use a shredding company here at my office for our important papers. They're supposed to do all the shredding "on site" in their truck. Yesterday they were here to empty our shred bins, and they brought in a big trash bin to haul our stuff out to the truck. One of these bins was sitting in the hallway, and no one was around, so I took a peek inside. It was papers from an accounting firm down the street! I mean, we're supposed to be paying these guys to keep our info secure, but here they are waiting until their bin is full before they shred anything?! Needless to say, I had a long conversation with our facilities manager after this...
If you want something done right, better do it yourself! I'm now using a $30 shredder BEFORE I dump anything in our shred bins! Who knows where our important documents have been travelling to before they actually got shredded?!
This is why I burn all my important docs, credit card offers, old checks, etc... at home, who knows who is going through your trash? All they need is an account number, and a shredded document can be taped back together with enough motivation and time... (although with some people being easy marks, I guess the harder you can make it, the better!)
My local police department recently published a blurb asking residents to dispose of identity theft-related materials (e.g., financial statements, anything with a SSN, etc.) in the ordinary garbage, instead of the "mixed paper" recycling bins as we've been asked by the rest of the city government.
It seems that identity thieves are very happy about the shared, clean, and portable "mixed paper" recycling containers found throughout my (rather affluent) city, and they tend to pick them up, quickly sort through the cereal and microwave dinner boxes for the good stuff, and have the container back before anyone notices.
Presumably today's dumpster divers have the luxury of avoiding coffee grounds, so you can go a long way towards protecting yourself by dumping the financial correspondence in with the smelly stuff.
I produce very few pieces of paper that have sensitive information like this. I am more worried about the information on my computer, which is sensitive. Companies, on the other hand, do need to worry.
If my answers frighten you, stop asking scary questions.
If you're so worried about ID theft, then maybe you should keep a close eye on your credit card bills, credit scores, etc. Buy a paper shredder. Shred all bank statements and whatnot before you throw them out. Internet-shminternet, dumpster diving is the fastest way to someone's finances. Get the carbons at the gas station, or stores where they still use the old carbon-thinger credit card machine.
I knew someone who got screwed big time by a gas station who would keep the carbons, and double bill her every time she filled up, the cash going straight into the owner's pocket. She was a dope for letting it go on so long, as she never bothered scrutinizing her Visa bills. Turned out the station was owned by a Russian mobster. This was long before the world wide web.
Just don't toss your sensitive data into the dumpster where any bum can get your CC number.
One electronic version of "dumpster diving" would be looking through a company's website/anonymous FTP server. Sometimes, a few moronic folks decide to store otherwise-vital information in these "undisclosed" locations that anyone can get into over the web.
Somewhat popular among the consulting types, they upload client data to an FTP server, then fly off to the client's office, and download it from there...or maybe use it as a means to "share" data among themselves. Some forget to password-protect it, relying instead on security through obscurity.
How is this related to dumpster diving? Well, if you look hard enough, those servers are just like public-access trash bins fit for people to...um...recycle data.
If you're a consulting group, make sure you treat your client data with absolute confidentiality. If you're a business working with consultants, make sure they don't leak your info to the world.
Diligence is well worth it. Before I met my wife, she had dramas with her card. The short story is a male several hundred miles away used her card and number to pay for his utility bill. It was a small enough amount that she didn't notice immediately, but came to notice almost a year's worth of payments to a company she had no dealings with.
The dumb bit? They were useless to deal with. Despite the fact a male had been paying his utility with her card (her name's Katie, it's not like that could be mistaken :P) each time she phoned them to try clearing things up they INSISTED on asking for her boyfriend or husband and she was single at the time.
The fourth call to them slipped up, and she got the name of the guy whose account it was paying. He was arrested soon after (and yes, her card was cancelled)
Despite her protestations, the utility co didn't immediately believe there could be an identity theft problem, but presumed it was a girlfriend/wife trying to meddle in her partner's affairs... despite the card belonging to her.
This happened in the early 1990s, I don't know if it would happen today, but it seemed to be institutionalized by the number of calls she made with the same result.
Fireplaces produce too much air pollution. The ecologically correct way to dispose of these sensitive documents is to first shred them. Then mix the paper shredding into your backyard compost bin or worm bin and let nature dispose of it cleanly.
I doubt that many ID thieves would want to rummage through your compost bin, if they even thought to look there in the first place.
For added security, add a couple of large dogs to your backyard. They will help deter personal property thieves in addition to compost-diving identity thieves!
You can't shred a classified document. It has to be "declassified" and then you can destroy it. My mom used to do it as a summer job for the Navy. Basically you stamp it "declassified" with a rubber stamp first. (Of course after the proper parties sacrificing the appropriate number and quality of chickens.)
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
I have had way too many people asking for my SSN in the last few years. It started with my dentist's secretary demanding it, and when I declined to provide it, she insisted that they needed it for my dental records.
I told her, "You're not offering me a job, and I'm not opening an interest-bearing account with you. You don't need my SSN, and you're not getting it."
About a month ago, a freaking cell phone provider asked me for an SSN just to get an account with them? WTF?
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
When I read about guys like this - they are always idiots. Basically he got caught because he was hanging around a bunch of crazy drug addicts.
I keep wondering if for every guy like this they catch, there must be like 3 guys who are really careful and "normal people" (i.e. professionally minded, don't take drugs or hang around prostitutes, etc.) who do these type of crimes to build up some large amount of money, then move someplace and live off the interest. Those would be the guys that would be real hard to catch.
I wonder if those kind of criminals exist and in what numbers?
Avoid Missing Ball for High Score
In Canada, hardly anybody has a curbside mailbox anymore (or even mail delivered to individual homes), unless you live on a farm or something. How's it work in other countries?
Most neighbourhoods here have a bank of mailboxes, each with a lock (small door, but deep enough to hold a standard letter envelope). Walk (or drive, if lazy) down the street to your mailbox. I guess Canada Post likes that system because they can deliver our mail much easier this way - essentially in bulk. Each bank has a pair of larger parcel boxes, in case you get a delivery that doesn't fit in your letter-size box. The nice man leaves you a key for 'compartment A or B', you take your package out, and deposit the key in the mail slot so the mailman can retrieve it with tomorrow's mail.
My only annoyance is some neighbours, who don't like receiving junk mail, leave it on top of the cabinet, leaving the garbage for everyone else to see. Why they can't just take it home and stick it in their recycling box is beyond me.
You can accomplish anything you set your mind to. The impossible just takes a little longer.
A credit rejected letter is an identity thief's DREAM! By law, credit rejection letters contain not only pertinent stuff like your social security number, but they must give you a copy of your credit report if asked to show why you were denied. Once a thief gets your credit report it is all over. The credit report has every bank account and credit card number you own, as well as a lot of other personal info.
http://notanumber.net/
If it is not bad intention, it is just stupidity. For a while, I had a fax number, which was the same as that of some medical lab (or insurance company) -- except for the area code.
Twice a week a fax would arrive from a doctor's office in my area -- thanks to an absent minded "office manager" or some such. Due to the nature of the business, all faxes contained not only the patients' names, SS#, but also diagnoses, health histories -- the works! I called them back every time -- boy, were the morons surprised... They never even bothered to check the fax ID string, which I had configured to my company's name.
Not to give any ideas, but how difficult is it for a scumbag to get a phone number similar to that of a claims department of an insurance company?.. Or a mortgage department of a bank? You can guess the other steps she/he will need to make. Mind you, completely passive and impossible to detect. No dumpster diving involved either -- totally white-collar job...
We can moan about the need to use encryption and authentication, but faxes don't have this feature at all. As long as this sort of information passes over telephone lines unencrypted, your info is not safe.
In Soviet Washington the swamp drains you.
The Cheapo shredder usually shreds only vertically, and does so usually so that there are about 20 cuts down one page
...
On the other hand, good commercial shredders literally demolish the paper, turning it into sawdust like material that would be impossible (virtually) to reconstruct.
I have the second-cheapest cross-shredder I could buy from WallyWorld (Yeah, I know, evil, but show me a Mom&Pop that carries cross-shredders). For USD$25, I end up with 0.25" by 1.5" confetti. Good luck putting that back together.
And for a teensy bit extra security, when I empty the bin, I dump a cup of water on it for good measure. 15 minutes later I have paper mache - Even if you could still recognize a word here and there, how do you scoop it out of the wet blob to reassemble without obliterating it? I suppose I could go a step further and burn it as well, but really, why bother? Anyone wanting my personal data that badly can get it a lot easier than searching my garbage for paper mush.
The easiest problem to attack here is that it's too easy to open a credit card account. If this were made a grueling, lengthy process requiring written correspondence, with extra safeguards for changing addresses, then all the credit card side of identity theft would be mooted.
The FTC website says that if you're the victim of identity theft, you can contact the credit bureaus to put a FRAUD WARNING on the top of your credit card report. This makes me wonder whether we should all just do this anyway.
I have read that in Europe, getting a credit card is difficult and not instantaneous, and that identity theft (at least, on the credit card side) is less of a problem.
The DOD standard for wiping a hard disk that has held "secret" grade info involves an appropriate screwdriver, and a power sander applied to all magnetic surfaces until the oxide coat is polished away to bare aluminum.
Even "Confidential" requires a cross cut shredder built to certain standards to destroy. The most common reason for confidential classification is the document contains personal information, such as SSNs. It's common for military units to read a briefing statement that explains what a SSN is being asked for each and every time it is mentioned, and to warn service members when it is optional to provide one.
"It is your option not to provide your SSN for this insurance document. The Department of the Army may have difficulty tracking the issued policy, and it may delay your designated heirs receiving benefits if you elect not to do so".
Can you imagine if the average doctor's office took it this seriously?
Who is John Cabal?
If you're concerned about the use of your SSN, and your school does something that blatantly stupid (especially if they print your SSN on all your documents and on your ID card), you should go to a meeting of the governing body of the University (Regents, etc.) and present your case. Bring some examples of policy from other schools. It's kind of pointless to argue with the desk staff who ask for your SSN, as they are just doing what they are told and can't do much to help your privacy concerns. It might be hard to change the system, but it's worth a try.
Also, per our regulations, if you don't run it through the shredder, you have to manually tear up the piece of paper 6 times. This is social security numbers, addresses, medical information, etc.
I have often wondered how wrong this is, but my boss never seems concerned when I bring it up....we are from the government - we are here to help...