Identity theft Happens Predominantly Offline

prostoalex writes "Worried about identity theft online? Relax, say the Feds. You're much more likely to have your identity stolen offline (72% of the cases). In half of all the cases, it's the friendly relatives, neighbors and friends who steal the identity of the victim. Moreover, those watching their financial accounts online lose approximately $551 per incident. The average rockets to $4543 for those relying on paper statements from their banks and credit card companies."

It amazes me how bad retailers are

[hsmith]

I worked in retail for awhile, I learned a trick for myself. I write "ASK FOR ID" on the back of all my credit/debit cards.

RARELY do i have someone ask to see my identification, no matter where I go. it amazes me how easily it is to get away with small things like this.

But I do urge everyone to do that with their credit cards, it may not always be checked, but it is better than a scribble on the back. But while in london, I almost had a pub owner take my CC because my name was't "ASK FORD ID", arg.

Re:It amazes me how bad retailers are

I filled out a form at blockbuster for a membership. One of the lines was for your social security number. I left it blank of course. The clerk read it over and told me I forgot to enter my ssn. I just laughed and said I wasn't going to. She said I was the first person she who had ever done that. The moral is: People are stupid.

Re:It amazes me how bad retailers are

[hal2814]

I sign my name and then put ASK FOR ID next to it. Interestingly enough, I was in London on vacation back in 2000. I had one shop (or is it a "shoppe" over there?) request that I write out ASK FOR ID next to my signature so it matched what was on the card. Are the credit card companies just stricter over there or something?

Re:It amazes me how bad retailers are

[Osty]

My girlfriend works for a financial institution. She has also learned to do what you mention. However, there are places that will not accept your card if not properly signed, and ASK FOR ID is not a proper signature. Fortunately, these places are far and few between. If more people signed their cards in this manner, maybe they'd come around.

The problem is that most credit cards are not valid without the cardholder's signature (actually, I'm pretty sure all credit cards are invalid unless signed, but not all credit cards say, "Authorized Signature. Not valid unless signed," on the back). Unless your full name happens to be "ASK FOR ID", your card with that signature is no longer valid. Any place accepting credit cards as a form of payment can legally decline your card as payment if you have not properly signed it. That most places accept your card anyway is due to a number of reasons:

• Low-paid cashiers just don't care
• Poor employee education on the proper acceptance of legal tender
• Many places don't even look at the back of the card, so they don't know if it's signed or not

Even when you have "ASK FOR ID" on your card, 99% of the time you'll never be asked for your ID. That 1% of the time, you can just say, "Sorry, I don't have my ID on me," and I don't know of any cashier that would then turn down your sale.

A long time ago, I worked in a store that did refuse unsigned and "ASK FOR ID"-signed credit cards (it was a Best Buy store, and they had that policy for a few years -- I'm sure they've dropped it by now, but I thought it was a good policy). When I got an unsigned credit card, I asked the customer to sign it (and verified against a driver's license), or I would refuse them sale. When I got an "ASK FOR ID"-signed card, I flat-out refused it. In every single case, my supervisor backed me up. Unless the customer had another form of payment, they weren't leaving the store with the merch they wanted to buy. Now, I know Best Buy is not known for having the best customer service, but in this one instance I think they were right and the customer truly was wrong.

Re:It amazes me how bad retailers are

[Violet+Null]

It's not an order to the shopkeeper; it's in the shopkeeper's best interests to avoid credit card fraud. If a shopkeeper sells product and it turns out the charge was fraudulent, the shopkeeper gets no money and is out the product.

There's no law saying that the shopkeeper has to follow my orders if I wear a shirt that says, "Videotape me to make sure I don't shoplift," but they seem to do it alot anyways.

Re:It amazes me how bad retailers are

[hackstraw]

Nowhere in either the store policy, or state law, did it mention anything about following cutomer direction on the back of a credit card.

There is a thing called common sense.

I put in big capitol letters with a marker SEE ID on my credit cards, and I don't tell retailers its the law or store policy or anything else for that matter if they don't check it. I will say that I have noticed a much greater likelihood of the retailer checking my ID. I will also bet my signature on a napkin that the odds of a "bad guy" trying to use this CC at a retail place is about 0, and the likelihood that it will be used somewhere else is probably lower than having my scribble that noone on the planet is going to compare or question. See this link for a very funny investigation into how stupid a signature on a receipt can be without any question http://www.thescreamonline.com/cartoons/cartoons3- 3/

Lighten up a bit... Or, are you really 17 too?

Re:It amazes me how bad retailers are

[FuzzyBad-Mofo]

I believe that writing "please see id" on the back of a credit card is a perfectly valid signature, for the same reason initialing, checking a box online, or marking "x" on a contract is valid. A "signature" does not have to literally be your name, only your "mark." Or are you going to argue that electronic checkboxes do not represent a valid signature?

Re:It amazes me how bad retailers are

[LetterJ]

Then do you also sign the receipt with "please see id"? Because, given the ease with which many state ID cards are forged, checking the name on the card with the name on some sort of ID is less of an indication that the card is owned by the presenter than if the already signed card is signed in the same way as the presenter signs.

If I steal your wallet and the cards are signed "please see id", all I need to do is print out a quick fake ID with your name, but my signature of your name and my picture and unless someone's good at checking out of state ID's, no one will even notice. If your wallet is full of signed cards, I have to risk signing in front of the cashier and having it look nothing like the back.

with friends like those...

[ScentCone]

friendly relatives, neighbors and friends who steal the identity of the victim

I suppose that relatives that dumb aren't smart enough to sit down and use those browser-cached passwords to access your PayPal account while you're in the bathroom and send themselves some money anyway.

I'm actually surprised that co-workers aren't a bigger piece of the statistical pie on this one. They often have access to records, PCs, the all important "work number" and so on. I've run across those incidents, and am amazed they're not more common.

When did it become "identity theft"?

When did it become "identity theft"?

Call me crazy, but before the marketroids got a hold of it, it was known as "fraud".

Irrelevant statistics.

[physicsphairy]

The types of scam and identity theft are different. The comparison means nothing. "Don't worry about leaving stacks of money on your lawn! 99.9% of thefts are of a different type! Leaving your retirement fund in $20 wads on your front porch is completely safe!"

Consider that an online banking site may *not actually* be an online banking site. A physical bank, on the otherhand, is without fail, a physical bank. However, I don't have to worry about someone rooting through my garbage to find bank statements if all my data is online.

So both systems have their inherent vulnerabilities. The fact is that you are really paranoid, you are ultimately safest doing everything in person and taking proper measures to destroy relevant documents.

All this study says is that there is a higher incidence of paper based identity theft. Which is to be expected: how many low-level criminals do you think know javascript, for example?

Re:Irrelevant statistics.

Consider that an online banking site may *not actually* be an online banking site. A physical bank, on the otherhand, is without fail, a physical bank.

This reminds me of a story I read some time ago. In Brooklyn there was a standard deposit box standing near a bank. It turned out it was a fake. Some folks were emptying it for several days before people noticed that deposits never make it to bank accounts and started to ask questions.

Fake banks are harder to come by. The only time I've heard of a fake bank was in one of O. Henry stories (sorry forgot the name) :)

ID theft through the mail

[Jere+H]

My brother had an incident of identity theft which happened through the mail. A gang drove around and picked up envelopes containing payment for bills and had checks printed using the correct checking account information. They even printed drivers licenses with their own picture and changed the birthdate to about 10 years older than my brother's age.
He caught the unauthorized activity by chance when he deposited a check at the bank and they told him he had a negative balance. Around $480 of unauthorized activity had taken place. They froze the account at that moment, he went and filed a police report, and the bank canceled payment of all of the fraudulent items.
He received calls and letters for months saying he had written bad checks and that he would have a warrent put out for his arrest if he did not pay. He had to mail dozens of copies of the police report and a copy of the notarized statement he made saying he did not write the checks or authorize electronic payment of the items purchased on the internet. The postage totaled about $30. The money from his account was eventually all returned to him, but all of the time spent on the phone with companies trying to get the issue straightened out is a huge hassle, and the money for postage and telephone calls to various out-of-state companies comes out of your own pocket.

Are they really "friendly" relatives?

[hal2814]

I had a friend in college whose dad opened up a credit card account in my friend's name, charged it up, and let it default. My friend talked to legal services on campus (I'm not sure how good our campus legal services is but our law school is pretty good for a public school). They basically told him that he sould either pay it off or claim fraud and let the credit card company haul his dad off to jail. I can't imaging putting my child in that situation. He asked me what he should do but I didn't know what to tell him. That's a pretty sorry situation for a relative to put you in, especially your own father.

28% Is Still Online

[Plake]

You're much more likely to have your identity stolen offline (72% of the cases).

Well, 28% is still ALOT for identity theft. I'd still be careful of what you do on the internet that involves personal data.

Also, it's it kinda ironic that the top thread right now had one of those "Click for a free Mac Mini" sigs which are one of the main portals for this kind of stuff.

Experience with a Canadian government contractor

[westendgirl]

Following the dot-com bust, my husband and I both lost our jobs. We enrolled with an agency that has been hired by the Canadian government to help IT industry professionals find work. Three years later, we both received emails from that agency. Someone had broken into their office, stealing their computer, which had thousands of applications, resumes, social insurance numbers (social security), and other details. The agency claimed that the server was stolen for resale value only and not for the data on it. They said that there was no reason to change your SIN or do anything other than watch your bank and credit card statements. To top it off, the agency's emails to me and my husband said "Dear " -- and the names belonged to other people, so they had further compromised privacy. After talking to police and federal fraud investigators, I pushed the Canadian Privacy Commissioner and Human Resources Development Canada to force the agency to act responsibly. The agency had no right to tell people that their data was safe or that they only had to watch their bills. The police and fraud investigators recommended monitoring social insurance number data and credit reports and putting fraud alerts on our credit files. Of course, this was a real pain for us -- we were in the midst of buying our first home and all of our financial applications were delayed by the credit alert -- but better safe than sorry.

It irks me that the agency is still under contract to the government. The privacy policy they had us sign when we applied actually said that our data would be totally safe and secure. (Of course, that's an insane promise, but they shouldn't put it in writing!) And the agency completely bungled the way they told people about the data theft -- even counselling people to do nothing, which conflicted with the government/police recommendations. Thousands of people were affected, but I bet my husband and I were the only ones who knew to check with police, instead of doing nothing.

I agree...

[Anita+Coney]

In work in a Court and every ID theft case I've seen in the last five years were committed by co-workers.

Re:this is why

[nikai]

Haha, where I'm living (Austria), everyone has locked mail boxes at the moment. Only the mailman has got a second key to the box.

However, our mail system is getting privatized, and the new mail services demand access to these locked boxes, so they can deliver mail as well. Now legislation has RULED to replace our locked mail boxes with UNLOCKED ones, in order that everyone can access them.

May those idiot politicians rot in hell.

Re:this is why

[ikkonoishi]

Thats why I think the credit cards should work with a preapproval system.

Basically for any purchase larger than say $50 you have to call the company and get the purchase approved. The company then gives you a transaction number that will charge to your card number once, but then never work again.

The phone system could have a voice identifier and maybe a limit to what numbers could call to approve things. (Home phone only so people would have to break into your house or at least hack your lines to accomplish much.)

The phone system would be a point of failure for security, but at least it would be a centralized point of failure rather than trusting basically everyone on the planet not to steal your card.

If my bank had put this much thought into their system I would certainly pay to use it if I made many credit purchases.

Re:Yes but...

[Ayaress]

The point they're trying to make in the article is NOT to ignore the problem. RTFA, mayhap? Meh, what was I thinking?

Anyway, the point they're trying to make is that the leading reason people who don't shop online give for not shoping online is that they're credit card will be stolen. Consumer's Power says that the reason few people use their online payment system is that they're afraid their credit cards will get stolen. The reason so many people say they won't use online banking is that - suprise suprise - their information will get stolen.

Those same people, however, have no compunction against handing their cards over to some random guy in a restaraunt and having it taken into another room and then brought back a couple minutes later. They don't think twice when the lady at the grocery store writes their driver's license number on the sheet with the check number. Doesn't worry them at all any time that the credit card is physically in another person's control during a transaction, and worst of all, they never even think that it might be a bad idea to throw away their bank statements.

The article is about perspective. You can do far more (and there is far more you SHOULD do) offline to protect your identity than you can and should do online.

Online: Don't fall for stupid phish scams.
Offline: Write ASK FOR ID on the back of the card.
Shred your statements.
Don't use your credit card at restaraunts.
Make sure your grocery store has one of the credit card scanners where YOU run it through the machine, and not the cashier.

Most of these come down to the whole thing where all the firewalls and encryption in the world is useless when somebody steals your computer. The weakest points are physical, not digital.

True Story

[temojen]

A guy came up to the counter where I was working at (big chain convenience store) and asked for 6 cartons of cigarettes. Each of them a different brand, and all of them were brands the teenagers smoke. The total would be just over $300 CDN.

I began to get them together (under the counter -- we'd had people grab & dash cartons off the counter the week before). Then the guy handed me a visa card. I read the card, looked at him, and said:

"So Susan, have you got any ID?"

His response was something along the lines of "It's because I'm black, isn't it?". Ummm, no, it's because I just saw you talking to those kids outside, and these are the brands they smoke, and this is not your credit card. He insisted that it was his wife's card; I insisted his wife could pick it up from the RCMP then (an RCMP car pulled up coincidentally), and he ran off.

Re:this is why

[Jaycatt]

My father put a padlock on the front of the box, and leaves the box open with the unlocked padlock inside. He worked out with the mailman so that when the box is filled, the mailman locks the padlock on. After my father gets the mail, he puts the unlocked lock back in the mailbox.

Works great, except that he's lost two locks in three years. But, he bought about six locks all keyed the same way, and they're pretty inexpensive.

my ID theft merry-go-round

[peter303]

A "wife" I never met put her name on my checking account some years ago. I had to file a police report before the bank would cancel the bad checks. I lived in city #1, my bank was in city #2, and the band checks were passed in city #3. You wouldnt believe how hard it was to get oneof these three police stations to take a report. Forged checks are so commonplace that no one wants to bother.
I'd hate to multiple this by many accounts, if a larger identity was stolen.

True, but it's not the same.

[sideshow]

If you lose your credit card and someone charges 10k on it, Visa doesn't make you pay it unless they find out you're defrauding them.

If someone steals you debit card and charges 10k of your money, Wells Fargo doesn't give your money back untill they prove you aren't defrauding them.

The rules are the same and you are at the same risk, but in one case Visa is out the money during the investagation and in the other you are out the money.

spin it the other way

[nothings]

Ok, so if half of ID theft is friends & family, then half of it isn't. Friends & family probably do 99% of their theft offline, so let's call it 100%. What does that leave us for stranger-theft?

Friends & family theft: 50% of all theft; 100% occurs offline
Stranger theft: 50% of all theft; 44% occurs offline, 56% occurs online

(Why? Because 72% of all theft occurs offline, and friends and family accounts for 50% of the total. Given 100 thefts, 50 of them are friends and family, and (72-50) are offline non-friends non-family, or 22. That leaves 28 thefts to occur online.)

If that conclusion is really true, then you can spin these numbers in the entirely opposite direction; the headline could be More Identity Theft By Strangers Online than Offline.

However, the article also says that online theft of bank and CC information is only 12% of all identity theft. 72% + 12% = 84%; who knows where the other 16% really are (maybe they're online theft but not bank/CC). Ain't lying with statistics grand?