Slashdot Mirror
ID Theft Made Easy
chiagoo writes "You may remember that 70% of the time, people will reveal their passwords for chocolate. Well, at this year's Infosecurity Europe, it was revealed that 92% of the 200 attendees surveyed would gladly trade enough information to steal their identities for a chance to win theater tickets. Social engineering at its best. Why spend time writing bots and rootkits when people will give you what you want for a piece of candy or a ticket to see The Pacifier?"
One man "provided all his information without question, but returned five minutes later asking for it back, as he thought that we could use it to gain access to his online bank account," Sellick recalled. "We gave him back his survey form, but did not provide any evidence of who we were. If we had been fraudsters, he would have been too late."
I refuse to do business with any Lakeville Liquor store in Lakeville, MN because they require a license swipe to verify my birthday. While they claim on a sign on the counter that they respect my privacy what does that really mean? Do the clerks know that those machines can store an XLS spreadsheet of all the information scanned? Do they know if those that own/operate the stores use that information later? Perhaps it's just to CYOA if some question arises from authorities later but how can I be so sure? I can't so I drive the two and a half miles out of my way to get my wine/beer somewhere else that doesn't scan. I make sure to tell the clerks that I buy there because they don't scan. Most don't care but perhaps someone will overhear me.
The manager at the Lakeville store sure did. I asked "are you going to scan that?" and when the clerk said she was I told her I would like my license back and that I was sorry that I couldn't do business with them. The clerk had no problems with it but the manager muttered that I was an "asshole" under his breath. Somehow I'm the asshole for protecting my privacy. If only more people would refuse to hand over their personal information. What happens if someone robbed the liquor store and stole the little scan box along with the register, would you be a bit more concerned then?
How about the gas station that writes down your license plate information when you purchase gas w/o paying at the pump. It's just for their economic safety they say. Do you know how much information you can get on the owner of a car from their license plate? What happens if I go inside, buy a few items, and pay w/my credit card? They now have my CC # and my personal information. That's enough for ID theft as well. I saw the clerk write down my license plate and I asked them for the paper when I left. They were a little confused as to how I knew they did that and they were VERY confused as to why I would want that back. I didn't feel the need to educate them on it though.
Even I am not immune to this sort of scamming for info. While out drinking with friends (drunk actually) I was approached by an attractive female working for Marlboro. She would give me cheap cigarette coupons and a free Zippo lighter if I let them give me a survey. Drunk, distracted, and clueless, I swiped my license and took the survey. I have been getting coupons and various "gifts" in the mail since. I could have been completely duped by these people and not had a single clue. Luckily they were who they said they were and I'm not seeing any miscellaneous charges being rung up by any cigarette companies trying to cover their lawsuits with my money. Anyone (no matter how careful) can be owned. By the way - I don't even smoke cigarettes.
So, just because we know a company (or its representatives) we should not trust them with our personal information and the more people that are willing to trade over their private/personal information for a bottle of wine, a 12 pack of cheap beer, or a free Zippo might want to think twice.
it was revealed that 92% of the 200 attendees surveyed would gladly trade enough information to steal their identities for a chance to win theater tickets.
Yeah it is cool to think that 92% of the people you have enough info to steal their identity. But lets put theory to practice and see how much of the 92% gave real information.
For me any form online I was born in 1900. My zip code is 12345, usually 666 Elm street, Amityville, NY. Phone number is 1-800-328-7448 and call anytime. I would make of 250,000+ or anything thing they have in the list that is higher. My occupation is the first drop down. Oh and my email address is who you are @mailinater.com. If the site looks up the information than I just go the governors web site and copy that info and use that. So I bet if you run a web site and you found that one than you probably could cross reference that info back to me and I would only say good job.
So I speculate that the 92% you have data from that you'll have 25% techices that give you 100% BS. It will occur to the general population once more and more people get burned to keep quiet.
I have absolutely no problem earning a living from recovering virused, spyware-ridden and cracked systems (or I guess in this case, "here's my password systems"). I encourage this idiot behavior :)
Do the clerks know that those machines can store an XLS spreadsheet of all the information scanned? Do they know if those that own/operate the stores use that information later?
Nightclubs do that. When they scan your license, it stores your name/address/birthday for a mailing list. Big events are a mass mailing...and birthdays get you a "get in for free" pass.
I entered my friend's e-mail in hotmail, and clicked the forgotten password button. It gave me his secret question, and from there I simply asked him it. Its a secret question! Ack.
Whenever I have spare time I go out of my way to answer surveys like these with bogus data. Like they say "It'll only take a couple of minutes of your time Sir!"
I consider it an important and useful civic act to poison the noosphere with false data in order to throw off the pundits, pollsters, advertisers and fraudsters.
Being in the telemarketing industry, I can whole heartedly confirm the stupidity of most people. Hell, I can get someone's credit card, shipping address, and telephone number, and then they ask "oh, what was this product again??"
Flash some useless piece of shit on TV, get Chuck Norris to pretend like he uses it, and people will fall all over themselves to give you all their personal information. I bet I could even ask for their SSN on a Super Duper Blender call and they would cough it up.
Slashdot sucks
Never underestimate the power of social engineering. My sister's identity was recenty stolen, but thankfully they caught is idiots in the act courtesy of an alert bank teller who got suspicious. The bank (located in Ohio) called my sister and asked her where she was (California). When she told her they propmtly got the people arrested. As how it got out there, who knows.
I'm pretty anal about filling out web forms with fake info, and I also have a very assertive stance with my privacy. It's amazing the amount of flack I get from people when I tell them that I won't give them my personal information or that it's none of their business.
It's amazing how quick they change their tune when you tell them that you're taking your money elsewhere.
They can get very little, actually, without access to police computers.
You could not be more wrong. You can get a ton of information including name, address, previous addresses, DOB, etc. This isn't from some police database either. It's records that are available through individuals that have access to databases like Lexis Nexis.
Even if they could, it's no different from just driving around. You proudly display your license plate to hundreds of people each day.
But I don't display my CC # right next to it.
Go ahead and get mad at a gas station clerk if you want.
In the instances I listed above I never made a single mention of being "mad" or "upset" with the individuals doing their job. I just asked for the slip of paper w/my license plate number on it back. Perhaps you should not assume so much and just read what's at face value.
A couple of months ago, someone called me out of the blue claiming to be a collection agency. They said that I owed a hospital ~$400 for some surgery that was performed on me, and they wanted me to pay up. I told them they were wrong. So then to confirm that I was who she thought I was, she asked me for my address and last 4 digits of my SSN. I refused because I felt uncomfortable giving that over the phone. She became very angry and hung up on me.
I called the phone company and the police saying that I thought someone tried to defraud me. After speaking with the phone company, it became clear that the person who called me actually WAS a collection agency! They just mistook me for another person of the same name.
But think about it: if a collection agency wants personal info like address and SSN, some people would give them the info just to get them off their back. Identity thiefs could use the exact same method.
My userid is prime!
I've been very careful about keeping my credit card information safe, but somehow, someone got my credit card information and used it for an online spending spree for e-goods.
I then used social engineering to MY advantage to get information about the person using my credit card information. This moron did absolutely nothing to cover his tracks. After the police and Visa are through with him, maybe I'll post his information here and see if he likes being on the receiving end of this kind of theft.
.sig wanted. Inquire within.
The last few times I've used short-term parking at the LAX airport, I've been asked to pull forward so their camera can get my license plate in view, and I notice they record it in a log. Every time this happens, I question why they do it and their response is "for security." I don't understand how their recording of my license plate increases security. Nowadays, any question you ask at an airport is answered with "it's for security purposes" or "increased security."
I understand that you can write down any license plate number in a parking lot or on the road and you can easily track people that way. I just didn't like the way they told me my plate number was logged for security. One time when I asked and pressed for a better answer I was given something more realistic. I was told that people frequently try to cheat the parking garage by getting a new ticket just before they leave. (park for a week, get a new ticket 10 minutes before you exit and pay $2.00). They occasionally run audits and record license plates during the night to track who is parked in their lot. Upon exiting, if your plate is logged in the system as "parked" and you have a 10 minute old ticket, it raises a red flag.
Of course, I'm sure there are ways that an electronic log of me being parked at the airport for a week could possibly be used against me.
While out drinking with friends (drunk actually) I was approached by an attractive female working for Marlboro. She would give me cheap cigarette coupons and a free Zippo lighter if I let them give me a survey. Drunk, distracted, and clueless, I swiped my license and took the survey.
I've done the same thing before. I wanted the free Zippo to give to my brother. They were walking around with a portable device that scanned the license and accepted the signature electronically. If you read the line where you sign, it says "I CERTIFY THAT I AM A SMOKER 21 YEARS OF AGE OR OLDER". I'm not a smoker, but I signed anyway to get the freebie. I always wonder if insurance companies could get their hands on that info and use it against people. Fortunately for me, the address on my license is incorrect, so no junk mail for me.
My credit card company offered this very protection.
They included a preprinted check with my name on it for $5 ready for cashing. Pre-perforated and everything.
Way deep in the very small print on the back was the line that if I actually did cash this check, then I would be agreeing to have $69.95 automatically billed to my credit card each year for 'identity theft protection'.
Before this scam they sent me checks already made out to 'CASH' with my name and card number already preprinted on it. All I had to do was sign my name on the back and fill in the amount.
I'm sure glad my sleazy meth-shooting junkie neighbors didn't find that one in my mailbox.
I wish that I could get all this nitwit chickenshit from the credit card companies to stop. I'd cancel the card, but I need it maybe once a year for car and hotel rentals.
Citi Corp. must make a ton of money off the American yahoos with all these schemes. Maybe even enough to cover the interest on all their bad loans to third world dictators enabling them to keep the Bongo Congo Mercedes dealership fat and happy.
The way I see it, this is not a sign that people need to be taught not reveal details about their personal life to allow identity theft, but that the standards for allowing new/changed credit and other profitable (including non-monetary) benefits from identity theft should include identifiers that people will not normally give away without realizing it's significance.
Biometrics are a good example, but even that does not go far enough.
How about a video clip where the person says something like "I explicitly authorize the following change to my personal credit/identity profile; Please add a $2453 credit line for ABC appliances to purchase a new washer/drier". This and every other change could be stored with the credit/identity profile. It could be done with a simple mic/webcam and some database extensions.
Birth certificates could include DNA data and/or DNA hashes and new credit/identity profiles could require checking that and recording of a baseline "I Bob Jones authorize the creation of a new credit profile".
New changes to that profile could be checked against past photos / voice prints anytime a change is requested. Impersonators would have to look and sound very much the person being imitated.
This would be A very strong standard to block fraud indeed.
Legislation would be required to prevent the misuse of this kind of DNA data and the accepting of new credit/identity changes without it.
In Summary: Its not the users who are broken, its the system that does not take into account their likely behaviour and provide cost effective technical solutions to the weaknesses of that behaviour.
Its not users who are broken, it's systems not taking account their likely behaviour and fixing it technically.
I knew you must be talking about Citicorp - astounding how such a large financial group could use such borderline-fraudulent, racket type techniques. Basically here in Canada two banks merged, and they decided to dump the Mastercard business of one and keep the Visa of the other.
They sold the Mastercard business off to Citicorp, and thus began the introduction of Canadians to slime-ball banking. While our banks tend towards incompetence, and are often large money sucking pigs, I have never seen a Canadian bank do one of those scumbag "surprize cheque" techniques, or the various assorted other dirtball deals Citi stuffs in with every bill.
It won't really work, because there are too many who just don't care, till something really happens to them. Most of the users who give their real address (as someone mentioned above) are the ones who use internet for basic stuff, like reading their email and maybe some news. Definatly not /.
You can try to explain to someone that you shouldn't use IE because it is dangerous, even people who haven't used a PC in their life, but it still won't work, they just don't see how it matters.
A friend of mine works for a large retail chain. They just decided last week that it is NOT a good idea to throw ALL of their charge slips and former employee files into trash.
And I'm not just talking about some drone middle managers - this was a CORPORATE policy, for hundreds of stores nationwide.
heh reminds me, the easiest way to get into people's email accounts is to ask them their "secret question". I know this from an article I read not from experience....
Signatures are so 90s
Besides leaving the car door unlocked gives the impression that that theres an alarm in place. Research has shown that the single biggest theft deterent is a window sticker announcing the use of an anti-theft system. The ADT sticker keeps you safer than the alarm system itself.
Free MacMini
Interesting you should mention the CC companies' push for fraud protection. In the last few weeks my wife has received two offers from one of her CC companies. They basically want to pay you $10 for signing up for the fraud protection. You know the deal, "cash this check and we'll activate the protection. You can cancel at any time, yadda yadda yadda"
Now here's the important part. The check is made out to "Wife's Name or Bearer". That's right. "Or Bearer" which means that anyone who happened to come upon that check could cash it, automatically starting a monthly charge on her CC without her knowledge. Yeah that's the way to protect her card from fraudulent charges. Way to go!
Needless to say, we are complaining to them and closing the account with that company.
Ender-
Nothing to see here
You may not be getting junk mail but you are breaking the law.
In most states, having a wrong address on your driver's license is against the law. You are supposed to get it updated within a couple of weeks of your move.
My prefered secret question is usually "Pick a number from one to ten", although I will occasionally use the classic "Feathers or Lead?"
Either way, the secret answer is a 25 digit prime that I'm fond of for no particular reason. Good luck.
//Information does not want to be free; it wants to breed.
Which, BTW, they do not. CC numbers are not stored after usage locally if you use an electronic means of verifying them. (As opposed to the carbon paper machine you sometimes see when the power is down.) The store cannot get to them. They are required to not store them as part of their contract with the CC company.
Now, the cashier could obviously write them down as you use them, but most of the time, the card barely leaves your hand. They don't have time to write anything down. And they could write it down completely independent of your license plate, I have no idea what the hell that has to do with anything.
If they actually had your CC numbers, they could easily copy your name at the same time and look up your address in the phone book and drive to your damn house and get your plate.
Not that I'm entirely sure how license plates relate to identity theft, unless you're worried about people buying insurance for your car. I've written my license plates down like five times in my entire life for other people, and it was always for a parking permit or buying insurance. License plates are not secret information, and no one uses to them to keep track of who is who, they use them to keep track of what car is allowed to be where, and they do that by actually looking at the plates.
And gas stations don't 'write down' your license plate unless they don't have video cameras aimed at cars, anyway. That's the only thing they care about, that they can track you if you drive off, and the plates are the easiest way to find that out.
Frankly, I'd rather be on tape that gets erased every 12 hours through reuse and is in a locked backroom that only managers can get to than have my number written down where every goober at the front has access to it and be social-engineered into giving it out.
There are exactly two circumstances that tape will get looked at: the request of law enforment, and if I drive off without paying. I don't do the second, and as for the first...well, I don't like it, but that's the way the world is, and it's not just gas stations. Outside gas stations cameras tend to be aimed where they can pick up license plates, though, and not people's faces, although those areas obviously overlap a bit.
If corporations are people, aren't stockholders guilty of slavery?
an attractive female working for Marlboro... By the way - I don't even smoke cigarettes.
Guess what? According to the insurance companies across America, you are now a smoker. Did you read the fine print on the clipboard underneath the license scanner? It clearly stated that by accepting their cheap free gifts, you were claiming that you are a smoker. This survey wasn't just sold to some sleazy marketers, but was created by a company selling the data to insurance companies.
Next time you try to get a job, or the next time your employer tries to negotiate health insurance for its workforce, this little "fact" will come up. With companies in the U.S. now legally allowed to discriminate based on health claims, you will never be offered that perfect job you were the most qualified for. Your current employer will be faced with much larger insurance bill if they keep smokers on the payroll. You sold away your employability for a packet of smokes and a cheap lighter.
Recently on a trip to the U.S. with some tobacco-addicted cow-orkers, they were approached by a girl giving away a packet of smokes. Since she required a U.S. driving permit she could swipe through her machine, she wouldn't let them take her survey. She did admit that is was just to generate marketing leads, but she was supposed to target obvious smokers. She even admitted that the packets she gave away each day were different brands, purchased on an Indian Reservation, so it wasn't just a single tobacco company marketing their products. She did tell them where to find the closest Indian Reservation for tax free smokes, and they were way over the limit on the return journey.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
Actually... in Colorado, anyone can by filling out a form with either a VIN or a license plate number, paying a small (~$10) fee and signing on the dotted line. How do I know? Personal experience. A private individual apparently saw a vehicle that I had traded in about 5 years ago, and wanted to purchase it. I received a letter in the mail from this person. He had written down the VIN, filled out a form, and received the title history - complete with names and addresses. (Sidebar - apparently the dealer never re-registered it and sold it at auction so I was the "last known owner"). Appalled, I called the DMV to find out how this happened! Indeed I found out that you too, for $10, a form and your signature can get all that info too.
The other day I went to see the movie and there was that stand in the middle of theater offering some credit card (I think citibank). 2-3 young females were approaching people asking to write an application where you should fill in your SSN. When I refused to give them my ssn and asked for some credentials other then name tags they were literally shocked. So was I...
www.ussearch.com and you'll be surprised how much of your private data is available for a few bucks..
;-)
American privacy laws and system to secure it, is a big joke.. they invented big brother.. and now they are using their diplomatic pressures (economic, political) to make us (in Europe) give up ours.. so that US government can have access to more info more easily than even our own government can on their own citizens, without proven suspicion.
See, our drivers licenses can't be scanned.. they contain no scannable info, and all info is stored seperately.
Infact, any company here that wishes to store private information (Such as a website even), must get a license, justifying the information they store and why they need it.. if they wish to store more information than they strictly need for their business, they are not allowed to..
And information is stored as distributed and as little central as possible..
Unfortunately, under pressure of the US, and lobbies in favor of them, I think we have come to the end of such protection. I believe privacy protection is actually a constitutional right here. Or was. And definitely should be.
We should always be in charge of our own information.. meaning, no company should be allowed to have information on us, without our permission, definitely not without us knowing it.
Law enforcement should, but their access to it should be protected in such manner that they can only access it when they can justify you're suspect.
Yes, it would make their work alot easier if they could track every single person and know everything about a person. But the price we have to pay for it is so huge, that privacy protection should way very very heavily in that trade off.
I mean, I much rather risk being killed in an unlikely terrorist attack, then to have a future where no man can have any privacy.. and for that reason, a career in politics or anything.. because no man is perfect, it gets easier all the time to dig up rare faults, to use against you.. for example if you were to run for president.
If you stole candy when you were 12, had a speeding ticket, or a fight.. and 30 years later, that will be used against you.. legally they will have nothing on you.. since you already paid for it, but in public opinion, you'll be doomed for life.
Grocery stores keep track of what you eat.. they can sell this to life insurance companies who may refuse you life insurance (over the phone) because they see you have an unhealthy diet..
Health care institutions may collect and sell your information to insurance companies who may deny you life insurance because they found that too many people in your family have died an eaerly death because of genetic illnesses. You may never know why they denied it.
The more they know about you, the weaker you are.. knowledge is power, and they know it, and most of us don't.. when they have more power, you are weaker in your position, as a consumer, as a citizen, as a competitor.
I really think by the time the public wakes up and realized this, it's too late.. it is important that alot of information never gets stored and fall in the hands of those who shouldn't have access to it.. to protect citizens and consumers. Your private information should be your property and you should have 'copyright' on it with a non-exclusive and limited right to government. We shouldn't become prisoners and cattle in some regime or industry. Digital information is very hard to get rid of.. easy to backup, leak, steal, transfer, copy, etc. it leaves trails everywhere.
Companies should not have the right to store private info on you without your permission or knowledge. Period.
Power to the people..