Big ID Thefts Not To Be Feared
goldseries writes "A new study released by ID Analytics says that only about 1 out of every 1000 stolen identities are actually used, due to the amount of time it takes to use the identity, limiting a single thief to 250 identities a year. The likelihood that your information will be used increases drastically when the size of the theft is small. So size does not matter, in identity thefts at least; the identity thefts you need to worry about aren't the big ones heard on the news but the small unreported ones." From the article: "While the findings will provide some comfort to consumers whose credit cards are lost or lifted, or whose sensitive information is compromised when, for instance, a laptop is stolen, as recently happened at Chicago-based Boeing, some of ID Analytics' suggestions could be controversial. The company suggests, for instance, that companies shouldn't always notify consumers of data breaches because they may be unnecessarily alarming people who stand little chance of being victimized."
Unless the companies who lost the information are willing to be liable for any and all damages caused by the identity theft, not limited to damaged credit ratings, credibility damage, and all monetary losses, they should definitely inform consumers. That would be like not informing people of airplane safety measures "because very few planes actually crash."
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
So those of you that *actually* suffer identity theft... well, you are just a small, inconsequential number of people compared to those who got lucky. Since you are so outnumbered we can safely continue to fail to safeguard your data, and we will use these results to claim it is your fault, not ours, that you suffered identity theft. After all, you are only one in a thousand, right? Heck, losing a tenth of a percentage of our customers won't hurt *us* that much... and all this notification stuff is hurting us *much* more than that.
Sig under construction since 1998.
omfg bbq!@
"As far as notifications, we think there are certain instances where businesses might want to notify consumers and certain instances where they might not to inform them," Cook said.
When would there ever be an instance that a business would want to disclose a leak? There are instances where businesses should be required to inform customers.
Well, 250 informed consumers is much, much better than 250 uninformed consumers who don't know their identity was stolen until their credit card bill comes in.
Luke: I won't fail you. I'm not afraid.
Yoda: You will be. You will be.
Just because statistically you will not have your ID used after being stolen, it is still a terrible feeling - as if millions of voices suddenly cried out in terror and were suddenly silenced.
He who knows best knows how little he knows. - Thomas Jefferson
Still, to the web economy, that's *almost* like them becoming a completely different person, every 35 hrs. Per thief. Pretty amazing/scary when you stop to think about it.
VOTE!
Tell that to the thousands of people who had their lives turned upside down. The effects of identity theft can be devastating and long lasting. If your data is stolen, you have every right to know about it. This is just an attempt for companies to downplay their incompetence and lack of security. I'd like to see how they would react if their information was stolen.
gasmonso http://religiousfreaks.com/
This is the most stupid thing I've read recently.
If a criminal gets his hands on a million records, and he can only use a few hundred a year, what do you think he is going to do, throw all the others away?
No, he's going to sell them to other criminals or pass them on as favours.
As a former victim of identity theft, I have to tell these people to go to hell. Sure, my case was a fairly small one -- two lines of credit opened in my name totalling about $5000 (On one of the applications, there wasn't even a SSN. They opened the account simply by listing my name and an address that I've never lived at). Getting the crap cleaned up was an absolute nightmare. And don't expect the 3 credit reporting agencies to be any help, either. They don't want to deal with you. After all, you're not their customer - their customers are the ones buying your information from them. One of the agencies still sends mail to my old address, 6 months after moving. This is despite me sending a letter notifying them of my change in address along with all of the information they requested in order to do so. Basically, any company dealing in personal information brokerage is on my shitlist...
Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
"The company suggests, for instance, that companies shouldn't always notify consumers of data breaches because they may be unnecessarily alarming people who stand little chance of being victimized."
We had a case where the local cops got sued for just such a reason. Actually, they were trying to catch a serial rapist and didn't warn the public because they didn't want him to know that they were onto him.
A few good lawsuits should disabuse anyone of the idea that they should keep information theft a secret.
If they would stop being Asshats and allow you to "LOCK" your credit reports then this would be a non issue.
If I could call and place my credit reports in a locked status so no credit reports can be pulled then this would be a much smaller issue. But they refuse to because it would significantly impact the revenue stream they get from the tens of thousands of illegitimate requests they get an hour for people's credit. I won't even go into the issue that their data is horribly inaccurate anyways but they should allow me to lock it down until I release that lock.
Do not look at laser with remaining good eye.
Even if this is completely without error, it sets the stage for future problems. What they're saying is that currently this is the situation. However, let's say a group of identity thieves become more organized and start making more efficient use of the big thefts. Setting procedure based on the current thinking would leave us unprepared for future "improvements" made by criminals. This is the same kind of thinking that left us with the 640k wall. As far as I'm concerned, if my identity information was leaked in any way, I want to know about it. Don't tell me "it's not likely to be used.".
i.e. None at all.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
My home fax machine is one digit off from that of a headhunter. Two nights ago I got a 20 page fax detailing the background check results for a candidate including:
Name
SSN
Address
Bank account numbers
Credit score
Arrest/conviction records: Federal State Local
Urinalysis results
I never received a followup fax to check up on it - clearly they didn't have my phone number so they couldn't speak to me, but they already had a record of the fax number.
And if that wasn't dumb consider this.
My home phone number is one digit off from the State's Department of Revenue unclaimed funds division. I routinely get calls from people asking "Is this the money line???" I get people leaving their name, address, SSN and phone number on my voice mail, unasked, and please remember that the outbound message states the phone number and nothing else to indicate what the number is for. I get calls from people in state, out of state, out of the country, from prisons, from other branches of the government.
Security is bullshit as long as people act retarded.
I recommend also reading a post in Schneier's blog about identity theft being over-reported and confused with fraud.
GET YOUR WEAPONS READY! --DR.LIGHT
This is based upon the typical thief work-week, with 2 weeks holiday annually in Cancun.
Cogito Ergo Sum
Got extra IDs you can't use right away? I'd be willing to bet that there are people that would pay for some handy identities... Sure, you'd have to trust the seller to an extent, but I'm sure there's a market for it.
250 per year per thief. What about when one company is breached, 1 million IDs are stolen, and the one thief (who specializes in security penetration) then resells these to hundreds of other thieves (who specialize in id theft) online? 'Cyber criminals' are more organized and more specialized these days. We're not dealing with script kiddies any more.
The company suggests, for instance, that companies shouldn't always notify consumers of data breaches because they may be unnecessarily alarming people who stand little chance of being victimized.
Of course they do. This is spin to attack California law. Choicepoint and friends don't like the law and want it repealed.
This will probably get modded flamebait, but...
The people who paid for this study should be fired for wasting money. Only the small ones matter? One thief can only use 250 a year?
So, if we have a hundred thieves in the US.... that's 250,000 a year? And that's no big deal.
You know what this is? This is a study, funded by someone with a vested interest, that will be used when large companies are SUED for allowing large scale identity theft. It will be referenced, cross referenced etc.
Walk down the street and talk to someone who has spent 7 years trying to clean up their record. Someone who has been denied houses, cars, and bank accounts because of an identity theft. Ask them if they care about the size of the theft.
It doesn't matter then right?
My name, address, phone number, credit card number, pin number and social security number are as follows...
What concerns me lately is some of the faceless/nameless droids working in the call centers. After we called our Texas power company to transfer our service to a new address, we found out some time later that they added on another house in Dallas, as part of the same work order. Assigned my wife's social security number to the account, too. It's not just the databases that concern me, but the trustworthiness of the people taking my call.
what happens when you throw away those enormous Publisher's Clearing House checks? Someone goes through the trash, finds a cancelled check that's 3'x6', now they have your account #... next thing you know...
The likelihood that your information will be used increases drastically when the size of the theft is small. So size does not matter, in identity thefts at least; the identity thefts you need to worry about aren't the big ones heard on the news but the small unreported ones."
Is this stupid or what? Claim that size doesn't matter, all the while describing how size matters?
Stupidity: it's a renewable resource!
I work for a healthcare organization and one of the applications I support is this system for merging multiple medical records into a single one. We have a team of people whose sole purpose is to take multiple accounts and turn them into one. These extra accounts can be created accidentally, such as when a Jane Doe comes into the ER and their identity is later established. It can happen on accident, such as when a registration person creates a new account instead of finding the old one.
In the last couple years, identity theft and identity fraud have resulted in huge inputs to the system. Where we once had to merge up to three identities, the system now supports merging up to ten. What happens is that a single individual will steal a bunch of different identities and then use them all, typically to get drugs.
So, while the risk of your credit card being stolen and used may be low in certain cases, don't lose your other "proof of identity" stuff: driver's licenses, insurance cards, and your social security number.
Well, the idea of withholding information "for people's own good" alarms the hell out of me.
That's nice. What if you do everything humanly possible to protect your personal information and someone gets it through a negligent corporation? We're not even talking about credit cards here. We're talking about identity theft. If they manage to steal your identity, they won't need your credit card.
When asked what identity theft had to do with Iraq, Bush angrily replied that our troops "are as susceptible to this sort of terrorism as any other God-fearing American." And as for the new sportscars the heads of the Department of Homeland Security have been seen driving in, Bush says that "those on the front lines of the war on identity need to move quickly when confronted by our secretive foes."
A new study released by ID Analytics says that only about 1 out of every 1000 stolen identities are actually used, due to the amount of time it takes to use the identity, limiting a single thief to 250 identities a year.
Major flaw in thinking here...
If this is true, then said computer criminal could just sell his/her stolen info in batches of 250 to multiple criminals. I can see all kinds of possible "value" add ins for the data thief as well. Items such as:
Data mining for likely high income identities.
Data mining for identities which match the buyers profile (e.g. white male mid 30's)
Service guarantees Citizenship! Questions Guarantee GITMO.... Amerika Uber Alles!
"...only about 1 out of every 1000 stolen identities are actually used" I'm very excited about the news! Hopefully they (thieves / criminals) will not take the time to become more efficient in their activities. Perhaps even 1 out of every 100 is also acceptable. 1 out of 10? That too sounds ok to me.
One ring to bind them - should probably have more fiber and less rings in their diet.
Looks like Baghdad Bob has a new venue for employment...
"The criminals are committing suicide outside the gates of your personal information! There is no ID theft in the city, not at all! We are victorious!"
Right, blame the victim. How about we blame the person breaking the law, harming other people... the person committing the identity theft itself?
The technology exists to make credit cards secure. The technology exists to keep our identities secure from fraud. Let's have gov't and big corporations start to take it seriously. All they do right now is accept a certain % of fraud per year and consider it an expense against their bottom line, and charge all their customers extra to compensate. The criminals are getting away with it, and it costs everyone.
Heck, even if they integrated a 4 digit PIN on all credit card transactions in addition to a signature, you'd cut down on fraud significantly. Point of sale and internet transactions could easily be adapted to this. The only problem would be selling stuff over the phone, where you're left with the same problem, but the credit card companies already charge an extra amount to those retailers who can't do signature verification, and that makes this kind of transaction more expensive, so the buyer of that particular product ultimately pays the risk, which is better than the current situation where we all pay extra.
"I have never let my schooling interfere with my education." - Mark Twain
Given all the data floating around out there and the lack of data theft reporting laws, one can argue that everyone "could" be a victim. I've heard that some people put in a fraud alert on their files just in case.
Anyone know of any serious downsides to using fraud alert as a routine ID theft security measure?
Two wrongs don't make a right, but three lefts do.
If it was their sensitive trade secrets that went missing... like the blend of secret herbs and spices or that syrup mixture. If anyone has the recipes for that let me know
"only about 1 out of every 1000 stolen identities are actually used, "
"The likelihood that your information will be used increases drastically when the size of the theft is small. So size does not matter, in identity thefts at least; the identity thefts you need to worry about aren't the big ones heard on the news but the small unreported ones."
Isn't this the definition of size mattering?
If size did not matter, the same percentage of identities used would apply to both theft sizes. IE, size wouldn't matter!
Way to contradict yourself, submitter!
Sounds about the same level of quality as the article though.
The study cited sure doesn't make me feel more secure. The hack who ends up with 500K customer records may not be able to or even want to do anything with that info. If he's smart, though, the list is broken into smaller chunks and sold off. Repeat this a few times and you have a lot of thieves with a lot of small sets of info. There was a big scam locally where old DMV records were being found on CDs in possession of ID thieves. Digital data is incredibly easy to duplicate and distribute. If 500,000 IDs are stolen and "only 100" are used by an individual thief, the odds are 1 in 5000 that your information gets used. Does this make you feel any more secure? Are those odds low enough that you don't want to be notified when a breach occurs? If that same set of information is shared by 10 thieves, the odds "improve" to 1 in 500.
If there is any chance that my personal, private information is in the hands of even one unauthorized person, I want to know about it. There are precautions I can take to safeguard my identity before any fraud occurs, and it's a lot easier to deal with *before* it happens. Once your information is stolen and used, it can take *years* to rebuild.
Give a man a beer and he wastes an hour. Teach a man to brew and he wastes a lifetime.
I would rather be informed and it be a false alarm than not know at all and be caught with my pants down. VISA called me the other day, to check if I was responsible for a series of purchases in a few different countries in the past hour (which I was). I was very happy to see they checked up. While they do this for their protection, it is also my protection that is assured at the same time. So, if my personal information gets compromised due to a data breach, I better be informed as soon as they know, so I can take the necessary steps to protect myself, else if I track it down to them and their negligence, I guarantee you that a lawsuit will be following.
- Jason Terlecki
I'd love to read it.
A news blurb is little substitute for "study" from a commercial entity with a vested interest.
Mastercard at least, has a solution for this, even if it's a little bit of a hassle. You create throw-away card numbers that are only valid for a certain amount and expire after a month or two. It's all about minimalizing your exposure to fraud.
When I signed up for my credit card, I don't recall the terms & conditions including anything like "We may, from time to time, be recklessly negligent with the data we hold on you. At the Credit Card Company's discretion, we may lose or otherwise inadvertently pass on your data to a third party."
If that was in the contract then I agree, yeah I did know the risks when I signed up and it is my problem if the company does just that; they warned me about it, after all.
Thanks for posting this. I feel so much safer now.
I'm not tense. I'm just terribly, terribly, alert.
"This analysis was based on data breaches at four separate companies, covering approximately half a million identities."
So, using your 100 thieves, that means 250,000 of the 500,000 identities were stolen. 50-50 chance? Not bad!
is to ruin your credit rating to the point where thieves beg you to take your identity back!
Monstar L
The likelihood that your information will be used increases drastically when the size of the theft is small. So size does not matter
So if the likelihood of my information being used increases drastically when the theft is small, doesn't size matter? It might be inversely proportional to the size of the theft, but it still matters.
"Some days you just can't get rid of a bomb."
"stand little chance of being victimized."
Let's say there's a serial killer on the loose in NYC who kills 1 person each night. Statistically there's little chance of it being any one specific person killed heinously, so why bother notifying the public?
Examples:
Recently the mafia was behind a ring of websites that fraudulently charged viewers of pornographic websites who provided their credit card numbers for "age verification purposes". I could imagine that the mafia would be particularly interested in purchasing stolen IDs of consumers who have previously been charged for pornographic-related purchases, providing them with a much wider base of victims. Similarly, think of how many pyramid schemes could revolve around the criminal use of stolen IDs.
In fact, terrorist or war-related hacking/infrastructural attacks sponsored by governments could very well incorporate the use of stolen IDs. Imagine if the 500 most influential people in America had to clean up the mess that hackers could cause with their stolen IDs.
And remember, this data is infinitesimally inexpensive to archive - just because your data isn't used today, doesn't mean it won't be used in 5 years.
In communist Russia, the identity steals YOU!
Help! I've fallen in a karma hole and I can't get up!
So that's who Sony's been asking for technical advice.
Here's how I'd do it if I were an ID thief (obviously I'm not).
1) Steal a hundred thousand IDs.
2) Hire a pile of cheap workers somewhere
3) Get them to mine the money for a 10-20% commission.
4) Move to Vegas and/or the Bahamas and, um, get to know the locals...
I mean, seriously, when you're dealing with a lot of money, when has manpower ever been an issue?
If downloading music is "copyright infringement" and not "theft", then surely "identity theft" is really just plain old "fraud". In either case no physical property is taken from anyone's possession, so it's not right to call it "theft".
These people are idiots. All it would take is a little organization to increase the efficiency.
Of course with a larger number of potential victims, fewer percentage-wise will be hit. But they also contradict themselves.
They say...
ID Analytics said it discovered that identity thieves have a hard time using stolen credit cards to hijack the identity of cardholders. That's because the cards are usually quickly canceled and because piecing together an identity based on the information on the card is hard work. Not one of the card breaches it studied resulted in a subsequent identity takeover.
Now if credit card companies don't report it, who says the cards will be canceled?
I can't remember which company it was, but I remember a breach a couple years ago, the initial numbers were in the tens of thousands, after the FBI got involved the true number was over a million IIRC.
They should never be able to hide their culpability. If they can, they will always minimize their liability.
-William Shatner can be neither created nor destroyed.
Of course there is a benefit in informing people of a security breach, you have the chance to do something about it, change your cards etc. But it's also a big hassle, and the theft of a huge block of IDs does not necessarily mean you are likely to be targeted personally, as the article points out.
So basically if these types of alerts are things that happen once every couple of years (which is the frequency I've experienced with this personally so far), I am willing to take the extra precaution of reissuing everything and setting up new auto payments etc. and dealing with all the hassle of it. If it's something that happens like every week, I don't want to be alerted because the value of the data (increased precaution/safety vs. effort of remedial action) is low when it happens too often.
And just who paid for this report?
"But all your emitter and collector are belong to me!"
I don't believe someone would use this argument for something so destructive. If I were about to be splattered across the front of a train then no I wouldn't want to know. Victims of ID theft suffer years of pain. There seems to be some kind of new mentality that people SHOULD be ignorant.
Having to work for a living is the root of all evil.
I had my credit-card info stolen recently. I have two credit cards--one I use regularly, and for buying online. The other I had only one regular local bill going onto, had not used that card for ANYTHING else for nearly a year.
In the time span of three days, BOTH credit cards had charges from unknown companies on the other side of (my) country (USA) put on them. The amounts? $9.95. The companies' names did not turn up in Google, the items on the CC bill had non-toll-free phone numbers that did not turn up in reverse lookups or online phone directories. They both had state codes on the CC invoice but their telephone area codes revealed them to be located in tiny one-horse towns in remote areas of other states. I refused to call the phone numbers (even though the credit card companies suggested doing so) because I did not want any fraudulent phone charges as well; I told the credit-card people that THEY could call those numbers in a 3-way call, and listen in as I asked WTF was this charge for? Would have been entertaining no doubt, but both credit-card companies declined to do so. The credit card companies said that their info states that these companies were "event ticket vendors".
The charge info was as follows:
Evergreen Alliance LLC 206-407-3000 WA
DLX, LLC TEL5304532876 MN
One credit card company (happily, the one I use way more) automatically sent the investigation forms and refunded the amount.... but the other company stated that "normally, they do not refund a charge unless it is $10 or more". When they called me on the matter, I calmly asked if this meant that anyone could steal 9.95 from me as many times as they wanted, and they said that they would send the forms to request refunding the amount.
On the one hand I understand the reasoning that every fraudulent charge that they go after costs money--but it is obvious that if they set any sort of lower floor amount, thieves will strike for amounts just under that amount.
So in practice, ignoring any level of theft will only serve to drastically increase theft at that level.
Quite plainly, there can be no "acceptable" level of theft.
~~~
The next time I golf, and I see my ball heading towards a large crowd of people, I shouldn't alert them about it since it will probably only hit one person (assuming no rebound)?
In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
You know, you're right. I mean, people knew the risks when they purchased Fords with bad tires right? They knew the risks when they purchased a TV wall mount that it was poorly designed and could drop the TV on you. They knew that certain vaporizers have defective heaters that can emit sparks and flames, right? Why are we coddling these people? Just let their homes burn down because they were stupid enough to trust a company to build something safe.
Heck, why should these companies even safeguard this information at all? Information wants to be free, right? Just slap it out there on the web for all to see. It's not like your name might be on their list...
--- This
If someone steals your ID, you should be allowed to go and take everything that person owns, including their life - after all, they are pretending to be you, so by rights, their property is yours, including their life, so feel free to kill them!
Of course, if they've stolen multiple IDs, you'll have to divvy up the loot.
The solution is simple ... Hold the credit bureau, bank, loan company, etc. responsible to prove their complaint, purchase or debt was created by me, rather than require me to prove the fraud was not me. Their system is flawed allowing unsecure data to be used to identify a person, and they expect us to be responsible for their mistakes!!
Nothing to worry about, folks! Except that your ID is stolen FOREVER, and the thieves are certainly working on ways of automating the process.
That's "Mr. Soulless Automaton" to you, Bub.
Whether or not the identities are used makes no difference. It's plainly obvious that someone isn't doing anything at all to secure their data.
fast as fast can be. you'll never catch me.
This is the major reason identity theft is so easy/rampant.
Of course people too stupid to dial a phone number correctly... You can't make those claims without a control group to define your results. I live off of margin of stupidity in this country. I'm in security. *evil laugh*
7h3$3 4r3n'7 7h3 Ðr01Ð$ ¥0 4r3 £00|{1n9 f0r. M0v3 4£0n9. --OB1
Have you considered changing your phone and fax numbers?
Maybe you could sell them to an identity thief?
Gee.... I wonder what they'd suggest if
Only one in a thousand airline flights crashed
Only one in a thousand cars lost steering control at highway speeds
Only one in a thousand babies were injured from a particular product
Only one in a thousand reports were actually accurate
I know my answer for the last one.....
--
As a matter of fact, I am a lawyer. But I play an actor on TV.
I'm not, personally, too worried about having my identity deliberately stolen. I take reasonable precautions, and key places like banks and employers tend to be wise to obvious and seriously damaging identity theft and how to deal with it these days. Relative to the odds of it happening, I have more serious things to worry about...
...like incompetence, for example. All it took was one government staffer mistyping my NI number (roughly the UK equivalent of a US SSN) into a database, out of probably thousands they typed that day, and my whole tax/NI contribution record was messed up. It took me months to clear it up, calling round several tax offices, and out of pocket by hundreds of pounds in the meantime. (At the time, I had just started my first job, and could barely afford the rent as it was, so that was a very serious position to be in.)
The thing that was scary was that this is supposed to be systemically "impossible". (I think that just means there's a check digit in the number, and they have to fluke that being consistent when they mistype it...) That means they don't bother telling you about it (even though their database had me working in two different full time jobs on opposite sides of the country!), so the first I heard of it was when my employer deducted more from my pay for tax than usual, as they are legally required to do on receiving notice from the tax office.
Worse, there weren't any serious systems in place to deal with the problem. The first several government people I spoke to on the phone wouldn't even talk to me, because I couldn't tell them the name of my employer or my address. Or rather, I couldn't tell them the name of the other guy's employer and his address, since it turned out they'd somehow merged part of my record with someone else's because of the incorrect ID. I only got through in the end by convincing one of the staffers to listen to my explanation and tell me what I could do, and between us we figured out what must have happened and who I needed to contact to get it fixed.
This bothers me far more than a malicious ID theft, because (a) it's the tax man, who is basically immune to any sort of useful legal action in this sort of situation; (b) it's probably far more common, because thousands of people get processed by these operators every day; and (c) there obviously aren't sufficient checks and safeguards in the system to even identify a clearly inconsistent database entry and flag it for checking by a real person, never mind a proper mechanism for me to get the situation resolved quickly and effectively.
Given that the problems are much the same here as for a minor identity theft, except that you don't have the normal legal avenues available to you to pursue the culprit and it's probably a lot more common, I'd say that makes unintended human error a much bigger danger than ID theft with criminal intent, at least until they tighten up key systems in governments, banks, credit agencies, etc.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Not quite as scary as my parents' phone number. Swap two numbers and you get the police, swap two others and you get the fire department, switch the area code (or leave it off, the Chicago area places next to each other have different area codes) and get a bank. They get calls for all manner of things.
Opening up charge cards isn't the only harm that an identity thief can use -- they can use it to impersonate you in other ways.
Using information gleaned from bank, insurance & credit records, one could easily obtain driver's licenses, purchase controlled substances like prescription drugs and weapons or obtain a passport, get a marriage license or register to vote -- using your data.
The potential for abuse by "the terrorists", organized crime or even bigamists is obvious to anyone.
Conformity is the jailer of freedom and enemy of growth. -JFK
The management would like to remind the herd that safety is our highest priority. Remember, the safest place for an individual herd member to stand is near the center of the herd. Each member will be expected to remain as close to the center herd as possible at all times. Management is not responsible for any loss of life or limb which may occur to individuals who fail to remain at the center of the herd. Management is not responsible for any random shifts in the location of the center of the herd.
Thank you.
...or maybe not.
So, how is this a comfort?
And this just plain disturbs me. Right now, I'm happy (very happy) I'm not a US citizen.
"Never attribute to malice what can be attributed to human stupidity." It's also possible that the cashier ignored or bypassed the message. Her pay isn't likely to be influenced either way by it and if multiple people are putting on "fraud alert" alarms on their credit records, it's entirely possible she gets so many bogus alerts that she doesn't even think twice before dismissing the dialogue. *grumble* I really wish I had the URL to that study someone posted on Slashdot... they were ostensibly heavily involved with the "photo ID on a credit card" concept at its first inception and he posted a nice long summary of his results. Basically, it didn't matter what the picture looked like; the cashiers passed the card. They even tried people of the wrong gender and it didn't make a difference. They then tried adding alerts, first a notification that popped up to ask the cashier to check the picture, then a dialogue which asked them to call into the credit agency, which required using a bypass key to dismiss. The rates of checking the picture were actually lower because the dialogue would get automatically dismissed without thinking about it.
Come to think of it, I think that article was in something about biometrics... someone was publishing instructions on how to fake fingerprints using gelatin and he was commenting on other failed security features.
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
So the little guy who gets his whole life savings stolen because you didn't inform him that his identity was stolen doesn't matter?
My parents had gone through a major case of identity theft for the last 3-4 months. They had always been careful about not giving out information and always shredding paper before throwing it out. Want to know how he got them? He called the bank and asked them.
Luckily my parents noticed it right away and contacted the bank and after 3 months and 3 new bank accounts later (he kept breaking into the new ones) they finally had to switch banks altogether.
Now here is the important part. Another family, whose identity was stolen by the same guy, didn't find out in time and so when they reported it to the bank the bank went "Sorry, you took too long, you aren't getting it back." This person lost almost his entire savings account (about $5000).
Now, the police could have caught the guy in the first month, know why? They've had video tapes of the guy the whole time. They were just being extremely slow about giving them to the police officer on the case. Because of this a guy lost his life savings.
This wasn't the only shenanigans that came out of this. It took my father weeks to fix his information at the credit agencies and to get his information removed from all the sex hotlines the thief used (and we don't know if he got them all).
My question is, why do banks let this go on so long? Actually, I can answer it myself: We don't matter. Customers matter as a group but not individually. The banks are insured against theft so if we lose money they get to keep it.
Too many companies have way too much information about us. Worse still, they are far too casual about its security.
Speaking is NOT communication
In fact, if this ever happens, it is not even necessary to report it on the news. After all, it would only needlessly alarm the public.
I've never had a card declined, but I have received phone calls after I made one purchase in Ohio and the next in Missouri. Interestingly enough, among the usual information about maiden names and the like, I was asked whether I paid typically the minimum or full balance on my cards. I'll admit that my first reaction was to ask them questions to try to prove their legitimacy, as that started sounding more like a survey than a credit fraud call, but it turns out it's being used more often for identity checks because things like payment schedules and types are fairly unique to customers and it's less likely that an attempted defrauder would learn such things by dumpster diving.
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
Oh, and it's called Rugged irresponsibility.
And the first thing that I thought of when I read this "it takes too long for a thief to use all the identities" is this:
1. Steal 1000 identities.
2. Use 10 identities to buy stuff.
3. ???
4. Profit!!!
5. Sell other 990 identities to other lowlifes.
6. ???
7. Profit again!!!
As if the person who did the theft is the only one who's going to use the identities they stole. What were they smoking when they did this study?! Admittedly I didn't RTFA, but come on! It's obvious what could easily happen to the other information they don't use directly, so how could it be not even considered by this study?
"City hall" in German is "Rathaus" Kinda explains a few things......
Will /. just publish anything these days? This is industry spin! The "experts" commenting on this article are all hired guns.
I don't think it's just about how the thief can only use a few sets of ids given a certain length of time. All of the info stolen would have a rapidly deteriorating expiration date after the breach was discovered. All the replies I see about "selling the info" to other thieves seem ridiculous, as it would (should, anyway) be a large batch of bad data by the time it transfers hands. I think most reactions here are missing the point, which I think is that very large thefts are very noticeable, and not very successful in terms of gain for the thief. Some slime who lives down the street from you and somehow gets a hold of your data (an envelope stolen from your mailbox, for instance, with a credit card in it) is much more damaging, much less noticeable (there will be no stories in the media, etc) and much more likely to get away with it.
I would expect to be told about my information were it to be accessed illegally or otherwise lost to someone else's hands, though I can see a company's concern with fielding a few hundred thousand calls by people who aren't/weren't affected by the problem...
The biggest concern would be SS#s. But anyone giving their SS# to the Gap, iTunes, Newegg, or the like...well, I don't know what to say to that.
So, hacker X hacks into my credit card company and downloads their cardholder database.
They can only use 250 #s in one year, by themselves. But they could sell off the names/#s in blocks of 500 for a decent bit of change, and leave actually exploiting the identities to other people. Not to mention some specific people might be in there, with details like SSN and Mother's Maiden Name that would allow access to possibly more important accounts of databases belonging to that person.
It's nothing different than many large companies that would rather settle a claim for wrongdoing out of court (and out of the public eye), because it's actually cheaper than making the necessary changes to fix the problem. Only when someone is held accountable, do things start to change- this is one reason you see such huge damage awards for some injury cases...often times it's to penalize a company for a history of willful disregard for the well-being of others. They'll probably change their tune after losing a lawsuit or two.
Under the new HIPAA regulations, you have more rights about what happens to your medical record. I'm not an expert, but I believe you can contact them and ask to see your medical record as well as suggest corrections to it.
I highly recommend everyone review their own medical record. I work in the healthcare industry for the web services team. We all dutifully checked them and nearly every one had errors. In one case, a test had been done during an ER visit that required follow-up. It wasn't done at the time and once it was discovered, they immediately started certain cancer-prevention therapies. Scary stuff.
I don't play the lotto much or anything, but 1/1000th chance of having my life messed up due to someone else's incompetence is still too high in my opinion.
Content Management System: A pretentious way of saying "text editor."
This article assumes that the phisher/thief is the one who is going to use the information. This is an incorrect assumption. They are only one piece of a criminal enterprise. They sell the information to thugs who put it to use. This creates a layer of insulation from the source of the information to the street level criminal who actually puts it to use. There may even be another layer, the scammer who takes the info from the thief and uses it to obtain the credit card or whatever may then actually sell it to someone who will use it. One thief can support many scammers who take a different risk than the original thief.
And you know that this study is going to be cited, very quietly, to senators and others every time an information security admission type act comes across the table.
"Ethics? What are those? Ethics don't buy me a mansion in Maui. What do you mean I'm paying for it by screwing over the rest of America? Screw 'em. I've got mine."
My blog. Good stuff (when I remember to update it). Read it.
He can then take it to his local police department and file charges against them for sending the fax to the wrong location. Most states have stringent laws covering violations of privacy.
In other news, a study suggests that big companies whose money is stolen face little risk of real loss.
"If you get $100, $200 or $250 stolen, there's a pretty high probability that your money is going to be used," said Ima Nidiot. "The reason for that is if you look at how long it takes a thief to spend money. As the size of the theft grows, it drops off pretty drastically."
The company suggests, for instance, that police shouldn't notify corporate victims of theft, because they may be unnecessarily alarming people who stand little chance of significant losses.
Reduce, reuse, cycle
So size does matter, just opposite normal convention.
It is stupid and irresponsible not to warn consumers and I can't see any way it doesn't add to the liability of a company to fail to disclose this information.
My step-mother was the victim of ID theft, and this was about 20 years ago, before the internet. She spent over a decade dealing with it. The responsible party was never found and every year or two, a new thing would pop up on her credit history. It was an absolute nightmare. This, from a person who never carried a debt on her credit cards and had an otherwise flawless, and I mean, FLAWLESS credit history.
Companies that don't take every step to protect their customers from this nightmare are no better than the ID thieves themselves.
If someone hacks a system and grabs hold of a database with 1 million identities, and if by selling the database to a single identity thief only 250 identities can get stolen, that makes the potential market for the database 4,000 identity thieves!
Of course, one guy finding 4,000 identity thieves to sell to is kind of hard, but there's no reason they can't turn it over to larger criminal enterprises that can maximize returns on this kind of investment.
If stealing one identity means profit, stealing a million means up to a million times as much profit.
You should be telling people to go to Texas (and a few other states), since apparently there you can put your credit in lockdown so that this won't happen.
Because only 1 in 1000 die.
God created man in his own image, but somehow he evolved into a hairless monkey.
The only real solution to having to give out your pin is something like RSA SecurID where the pin+code rotates on an interval (usually 1 minute).
If with every credit card you got an RSA SecurID fob, or something similar, credit theft would be all but impossible. Sure if someone physically steals your card and fob, there's a small window before you call the company, but that's minimal and easily controlled.
The problem though is others applying for other lines of credit in your name. They'd have their own fob and their own card, but under your name and with you on the hook.
Ultimately, there will have to be developed or utilized some form of technology to uniquely identify an individual signing up for a credit line. Biometrics perhaps? And then take that technology and make it such that it can be used over the internet or some other means that makes signing up for credit less of a headache than having to drive somewhere. Honestly, I'd be willing to drive somewhere local to apply for any form of credit, if it meant that I'd be guaranteed no one could sign up in my name without my eyes/hand/whatever.
Most credit card fraud right now is done with a credit card number and an expiry date. If you remove that option, and they have to resort to signing up for a credit card in your name, presumably having the card somehow mailed to a physical address, that's going to make fraud a lot less common, which helps.
Your fob idea would work just as well if the credit card didn't have a human readable number on it, and was a fob itself. I think that if you combine that with a secret 4 digit PIN, it's quite secure. Even if the card is stolen, you need the PIN. Still makes phone purchases hard.
"I have never let my schooling interfere with my education." - Mark Twain
For a large ID theft case, what is to keep the crook from selling off blocks of ID information to other crooks? Wouldn't that allow a large compromise to have a large impact?
Heck, even if they integrated a 4 digit PIN on all credit card transactions in addition to a signature, you'd cut down on fraud significantly.
It remains my understanding that only 10-20% of credit card fraud is with the card in hand at point of sale.
Having said that, I believe it's unlikely you'll see a pin code for credit card transactions in the US, because it would resemble too much a debit card transaction, and MC/Visa need to make sure that people use credit, and not debit, for their own financial benefit.
If anything, you'll see more and more transactions not requiring signature at all--so that the transactions are processed quickly and painlessly.
Interesting idea. I was trying to figure out earlier how one could use one fob for all cards without having to retain the seed data for the fob or trusting/forcing the card companies to pass it around- which would be a risk in itself.
I wouldn't mind carrying one fob-card, but I don't know if I'd want to replace the 3 I have now with fobs.
Perhaps they'd have to come up with a device that can keep track of multiple 'cards' and syncs up with USB or something. You go to your online banking and give the hardware serial, or do write it when you sign up for the card (if you already have one, they send one if you don't), then the bank uploads a special file that will only work on that hardware, and then you can use a click wheel (like scroll wheel from a mouse?) to rotate through the cards on the one line display, which would show the bank's name and card type and the rotating code.
That way you have one fob, for several or many banks.
me fail english? thats unpossible!
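The rotating PIN+code scheme and the one-fob-for-several-banks idea discussed in the comments above, sketched as an added example that is not part of the thread or any vendor's code. It uses the open RFC 6238 TOTP algorithm as a stand-in for SecurID's proprietary one; the `Fob` and `Issuer` classes, the issuer names and the seeds are hypothetical, constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds per code; the thread says "usually 1 minute"
DIGITS = 6

def totp(seed: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, RFC 4226 truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Fob:
    """Hypothetical multi-card device: one independent seed per issuer."""
    def __init__(self):
        self._seeds = {}

    def enroll(self, issuer: str, seed: bytes) -> None:
        self._seeds[issuer] = seed   # each bank provisions only its own seed

    def code(self, issuer: str, now: int) -> str:
        return totp(self._seeds[issuer], now)

class Issuer:
    """Bank side: knows its own seed and the cardholder's PIN, nothing else."""
    def __init__(self, seed: bytes, pin: str):
        self._seed = seed
        self._pin = pin          # demo only; a real issuer would not store it in clear
        self._last_step = -1     # highest time step already accepted

    def verify(self, pin: str, code: str, now: int, drift: int = 1) -> bool:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return False
        current = now // STEP
        for step in range(current - drift, current + drift + 1):
            if step <= self._last_step:
                continue         # a code from an already-used step is a replay
            expected = totp(self._seed, step * STEP)
            if hmac.compare_digest(code.encode(), expected.encode()):
                self._last_step = step
                return True
        return False

if __name__ == "__main__":
    # Constructed seeds: bank_a uses the RFC 4226 test seed, bank_b is arbitrary.
    fob = Fob()
    fob.enroll("bank_a", b"12345678901234567890")
    fob.enroll("bank_b", b"constructed-seed-for-bank-b")
    bank_a = Issuer(b"12345678901234567890", pin="4821")
    code = fob.code("bank_a", now=60)
    print("bank_a code:", code)
    print("accepted:", bank_a.verify("4821", code, now=60))
    print("replayed:", bank_a.verify("4821", code, now=60))
```

Because every issuer holds only its own seed, no seed has to be passed between card companies, and a code shown for one bank is useless at another.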
please excuse the mistake(s). I was trying to type too many thoughts at once.
If the banks were liable for the losses, instead of the retailers, then you would see some high security applied to credit transactions. Of course, it might also make it a lot less convenient to buy stuff online, and you'd have to pay one or two state taxes on mail-order items.
Be who you are and say what you feel, because the people who mind don't matter, and the people who matter don't mind.