Slashdot Mirror


ID Theft Made Easy

chiagoo writes "You may remember that 70% of the time, people will reveal their passwords for chocolate. Well, at this year's Infosecurity Europe, it was revealed that 92% of the 200 attendees surveyed would gladly trade enough information to steal their identities for a chance to win theater tickets. Social engineering at its best. Why spend time writing bots and rootkits when people will give you what you want for a piece of candy or a ticket to see The Pacifier?"

17 of 435 comments

  1. This is NOTHING by msaulters · · Score: 4, Informative

    I was at Wal-Mart late one night last week.

    You know those self-checkout stations they have now? Each and every one of them was spitting out paper slips non-stop that were records of the day's transactions. My roommate snapped a photo.

    Each and every slip had the full credit card number, the expiration date, and a copy of the cardholder's signature.

    They were unattended, and the workers had placed plastic bags to catch the slips as they fell out of the machines.

    There must have been hundreds...

    At just one Wal-Mart...

    Out of thousands of stores.

    --
    These people looked deep into my soul and assigned me a number based on the order in which I joined.
  2. Re:This is truly sad by stratjakt · · Score: 5, Informative

    Theater tickets, not cinema tickets. Submitter is just an asshole.

    Tickets to something like Phantom can cost from hundreds to thousands of dollars for good seats, depending on the city. However, they will almost certainly get you laid.

    I wouldn't even stop walking for free movie tickets.

    --
    I don't need no instructions to know how to rock!!!!
  3. Re:Any good info though by Khomar · · Score: 5, Informative

    FYI, the official city for postal code 12345 is Schenectady, NY.

    --

    I believe in de-evolution. God made the world perfect, man fell, and it's been going downhill ever since!

  4. The writeup is wrong by porges · · Score: 3, Informative

    Well, at this year's Infosecurity Europe, it was revealed that 92% of the 200 attendees surveyed would gladly trade enough information to steal their identities for a chance to win theater tickets.

    It's 92% of a sample of 200 random Londoners, not 200 of the people who attended Infosecurity Europe.

  5. Re:No matter how careful you are, you aren't enoug by joeljkp · · Score: 3, Informative

    I realize you said "like LexisNexis", but I'm not so sure about LN itself. I have access, and I gave it a quick perusal.

    There are some areas where you can search for information about people, but that's just a law directory, with info about lawyers. There's also a biographical search, but that only includes politicians and business executives. I tried looking myself up, for example, and found nothing.

    --
    WeRelate.org - wiki-based genealogy
  6. Re:No matter how careful you are, you aren't enoug by garcia · · Score: 2, Informative

    There are many different sections to LexisNexis and you can have access to any variety of them at a time based on your security. I know of two individuals with access to this information that have nothing to do with law enforcement.

    See here for information on LexisNexis' available public records.

  7. Name rank and number by oliverthered · · Score: 1, Informative

    Hi,

    We are looking for a software development manager with 5+ years experience, expecting to earn around £60,000.

    All you have to do is send me your CV with details of where you went to school, what grades you left with, your date of birth, all your work history and your address and phone number.

    Knowing you have a job and earn about £60k I will arrive at your house in a few days' time, go through your rubbish to get bank account details.

    I will then use the information you sent me to steal your identity, the amount you're earning I doubt you'll even notice.

    Have a nice day.

    --
    thank God the internet isn't a human right.
  8. Re:biometrics by Anonymous Coward · · Score: 1, Informative

    The problem with biometrics is that I don't have to fake your fingerprints and retinal scan, I just have to spoof the data your fingerprint and retina scanner send to whoever you send the biometric password to. It is no different than installing a keylogger to capture your password or passphrase.

  9. Previously investigated by astralbat · · Score: 2, Informative

    The BBC has also previously covered this in April, 2004:

    They reported that:
    More than 70% of people would reveal their computer password in exchange for a bar of chocolate, a survey has found.

    The story can be found here: http://news.bbc.co.uk/1/hi/technology/3639679.stm

  10. Re:Any good info though by GlassUser · · Score: 2, Informative

    Make up your own. They're just UPC-A barcodes on the back. I have a friend who has a card that everyone in their family uses. They get nifty discounts (like ten percent off store brands) because they spend so much with that card. Well, I lifted the number from a receipt (just get two or three of them, and find what numbers match, that's probably the club card number), and print out your own.

    If you don't have a UPC-A font for your computer, you can use the UPC database (example: http://www.upcdatabase.com/item.pl?upc=722252104007 ). Just put the number in. The check digit should be included (it's the 12th digit), but you could always guess. Only takes a max of ten tries.

    You can dupe pretty much any store club card this way.

  11. Pay w/a credit card and they cannot require info by Anonymous Coward · · Score: 1, Informative

    You should pay with a credit card (mastercard/visa) as their rules prohibit the merchant from requiring personal information for the transaction. From the MasterCard Merchant Rules:

    9.11.2 Cardholder Identification A merchant must not refuse to complete a MasterCard card transaction solely because a cardholder who has complied with the conditions for presentment of a card at the POI refuses to provide additional identification information, except as specifically permitted or required by the Standards. A merchant may require additional identification from the cardholder if the information is required to complete the transaction, such as for mail order, telephone order, or electronic commerce transactions.

    For Face-to-Face transactions, they can ask to see your identification for the purposes of ensuring that you are the card holder, but they cannot record that information.

  12. Re:Any good info though by crush · · Score: 2, Informative

    And in some states it's _possible_ to get your electricity and gas hooked up without an SSN, but you have to go and stand in a long line in an inconvenient office at an inconvenient time.
    SSNs and every other form of government ID are now worth nothing because the government's failure to protect this data (along with credit data) has meant that identity theft is commonplace.
    The credit granting agencies and government snoops have been hoist by their own petard in foisting an increasingly non-anonymous society upon us: they've created pervasive, widely forgeable identities which defeat the whole impetus behind ID in the first place.

  13. Re:No matter how careful you are, you aren't enoug by lowrydr310 · · Score: 3, Informative
    BULL$HIT

    In California, when you move you must update your records with the DMV, which I did a day after I moved. Instead of wasting ink and plastic by printing a new license, they give you a little sticker to put on the back of your license that contains the updated info. The DMV knows my current updated address and any policeman or other official knows enough to flip my license over and check the back for updates.

    The Marlboro chicks (and mostly anyone else who looks at your ID) don't bother to check the back.

  14. Re:biometrics - isn't this still vulnerable to MIM by clickster · · Score: 3, Informative

    On transactions where the person isn't present (such as grocery store transactions, etc), wouldn't this still be susceptible to Man in the Middle attacks? Let's say that, in the near future, home fingerprint scanners become popular. Think about it. I want to sign into my online banking, I have to swipe my finger. Some identity thief in Podunk, Idaho can't just log into my account. But if I'm transmitting my fingerprint, can't it be intercepted and used again later, the same as a password? You might be able to avoid dupe transactions by attaching some sort of special identifier, but you can't keep me from hacking my fingerprint-swiping machine to send Person X's fingerprint to the online banking site instead of mine. It's just a file.

    I've had the same issue with signing my name on electronic signature pads (I do it, I just don't like it). Once I do that, it can't be hard to take my signature that is on file and simply move it to a different location in your database and attach it to a different transaction can it? Then you print out a copy of the receipt for that new transaction and BAM!! There's my signature. And since it's electronic, I MUST have signed for it. Why there's even a timestamp. Let's see who has electronic copies of my signature...oh, FedEx, UPS, Airborne Express, DHS, damn near every place I've ever used my debit card, and the list goes on.

    Granted, a regular ink signature can be faked, but everyone accepts that. For some reason, when you tack on the word "electronic", everyone suddenly seems to drop their guard and simply accept its authenticity as the gospel even though it's usually even LESS secure. Don't even get me started on "electronic voting".

    --
    If you mod me down, I shall become less powerful than you could possibly imagine.
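
An added example, not part of the comment above or of the original thread: the "special identifier" idea raised in comments 8 and 14, written as a server-issued one-time challenge with the scanner's response bound to it by an HMAC. The device key, the class and function names, and the exact-match template hash (real matchers are fuzzy) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Verifier:
    """Server side: issues one-time challenges and checks scanner responses."""

    def __init__(self, device_key: bytes, enrolled_template: bytes):
        self.device_key = device_key   # assumption: key provisioned into the scanner
        self.enrolled = hashlib.sha256(enrolled_template).digest()
        self.pending = set()           # challenges issued but not yet used

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, template_hash: bytes, tag: bytes) -> str:
        if nonce not in self.pending:
            return "rejected: unknown or already-used challenge"
        self.pending.discard(nonce)    # single use, even if later checks fail
        expected = hmac.new(self.device_key, nonce + template_hash,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        if not hmac.compare_digest(template_hash, self.enrolled):
            return "rejected: template mismatch"
        return "accepted"


def scanner_response(device_key: bytes, nonce: bytes, template: bytes):
    """Scanner side: bind this scan to the server's challenge."""
    template_hash = hashlib.sha256(template).digest()
    tag = hmac.new(device_key, nonce + template_hash, hashlib.sha256).digest()
    return template_hash, tag


def demo():
    key = secrets.token_bytes(32)
    template = b"constructed-sample-template"    # constructed stand-in for a scan
    server = Verifier(key, template)

    n1 = server.challenge()
    captured = scanner_response(key, n1, template)
    first = server.verify(n1, *captured)         # legitimate login
    replay_same = server.verify(n1, *captured)   # identical message sent again
    n2 = server.challenge()
    replay_new = server.verify(n2, *captured)    # old response, fresh challenge
    return first, replay_same, replay_new
```

The challenge only stops a captured response from being reused; a scanner whose key has been extracted can still sign any template, which is the limit comment 14 points out.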
  15. Re:No matter how careful you are, you aren't enoug by jm92956n · · Score: 4, Informative
    I wish I had known this about a year ago.

    Crobar, a giant club in Manhattan, does this. While I normally wouldn't have gone to a place like that, I was on the guest-list (read: free admission), and so I wasn't concerned at all when I handed them my license. Since then I've received numerous mailings from them. I wonder what else they're doing with my personal information.

    What I've also heard since then, though I've not been able to confirm it, is that they use this information to keep track of you. If you start a problem and are kicked out of the club, it's an effective lifetime ban (though I'm not sure how they'll be able to scan your ID as they're kicking you out). Furthermore, they share this information with other clubs, so that if you start a problem in one place, you're essentially banned from every club in the area.

    Never again will I allow my license to be electronically scanned. If every bar and club in town adopts this technology, I'll have to go back to drinking 40's on the stoop.

    --
    An effective signature identifies a particular user amongst a base of thousands.
  16. Re:Any good info though by plague3106 · · Score: 2, Informative

    Take an American Social Security Number for instance. Technically, no one but the government can require you to give out the number.

    That is most certainly incorrect. Anyone may ask for it, there are no laws preventing someone from doing so. It's even legal to deny services for refusal.

  17. Re:No matter how careful you are, you aren't enoug by pfleming · · Score: 2, Informative

    CC numbers are not stored after usage locally if you use an electronic means of verifying them. (As opposed to the carbon paper machine you sometimes see when the power is down.) The store cannot get to them. They are required to not store them as part of their contract with the CC company.
    Some states require that only the last 4 digits show up on the receipt and a lot of merchants only print them. But they are there - even if you think they aren't they are. When a cardholder refutes a charge with Amex (for example) Amex asks for the entire, unobfuscated card number to verify that you charged the right person.