Slashdot Mirror


Big ID Thefts Not To Be Feared

goldseries writes "A new study released by ID Analytics says that only about 1 out of every 1000 stolen identities are actually used, due to the amount of time it takes to use the identity, limiting a single thief to 250 identities a year. The likelihood that your information will be used increases drastically when the size of the theft is small. So size does not matter, in identity thefts at least; the identity thefts you need to worry about aren't the big ones heard on the news but the small unreported ones." From the article: "While the findings will provide some comfort to consumers whose credit cards are lost or lifted, or whose sensitive information is compromised when, for instance, a laptop is stolen, as recently happened at Chicago-based Boeing, some of ID Analytics' suggestions could be controversial. The company suggests, for instance, that companies shouldn't always notify consumers of data breaches because they may be unnecessarily alarming people who stand little chance of being victimized."


  1. Of Course You Should Inform Them! by SeanDuggan · · Score: 4, Interesting

    Unless the companies who lost the information are willing to be liable for any and all damages caused by the identity theft, not limited to damaged credit ratings, credibility damage, and all monetary losses, they should definitely inform consumers. That would be like not informing people of airplane safety measures "because very few planes actually crash."

    --
    This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
    1. Re:Of Course You Should Inform Them! by timeOday · · Score: 4, Insightful
      Unless the companies who lost the information are willing to be liable for any and all damages caused by the identity theft, not limited to damaged credit ratings, credibility damage, and all monetary losses, they should definitely inform consumers.
      I'll go you one further, I think the law should *compel* them to fess up. Most of the interest over identity theft has resulted from the California law which does just that. As a result, we started to hear about things that before would have been secret, and it has really blown the issue wide open. For markets to work well, people must have access to relevant information, such as which companies have bad track records for infosec.
    2. Re:Of Course You Should Inform Them! by NotoriousGOD · · Score: 3, Funny

      "Shit. Another 100,000 credit card numbers were jacked? Naw, we don't need to let anyone know. It's the holidays for fuck's sake."

      --
      Where all think alike, no one thinks very much.
  2. Nice whitewash... by Godeke · · Score: 5, Insightful

    So those of you that *actually* suffer identity theft... well, you are just a small, inconsequential number of people compared to those who got lucky. Since you are so outnumbered we can safely continue to fail to safeguard your data, and we will use these results to claim it is your fault, not ours, that you suffered identity theft. After all, you are only one in a thousand, right? Heck, losing a tenth of a percentage of our customers won't hurt *us* that much... and all this notification stuff is hurting us *much* more than that.

    --
    Sig under construction since 1998.
    1. Re:Nice whitewash... by BushCheney08 · · Score: 2, Interesting

      Have you ever been the victim of identity theft? I have. They essentially have you "prove" that you did not open a line of credit somewhere. The full burden of proof is on you for something that you had nothing to do with.

      --
      Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
    2. Re:Nice whitewash... by Godeke · · Score: 4, Informative

      Having known those who suffered identity theft, I don't need an article to imply this. It takes five years before you can even *start* to breathe easier: the first two are full of collection agencies attempting to recover on the "bad debt" in your name. Unlike other businesses who have to stop calling if you ask, collection agencies are exempt from do not call requirements. Attempting to purchase anything major becomes impossible because the three major companies still report your credit as bad, but "contested". They *don't* strike the charges completely off your record. Meanwhile, the company that fumbled the ball claims "we have done what we can" by sending a letter to the credit companies saying that the charges "may" be related to identity theft.

      You end up carrying police reports and your own copy of the credit report, annotated to indicate the problem when trying to buy a car. But it doesn't help because the lackey who is the "loan officer" for the dealership has no real power to make a decision. You receive "mechanic's liens" on your property and have to fight repeatedly to not lose ownership of property you already owned because of state laws (at least here in Arizona) that allow a mechanic to force the sale of property to pay for "services rendered". Even if the services were rendered to a crook instead of you, they are not barred from trying until you sue them into submission.

      All while the company that screwed up claims that they are faultless because they sent three letters out, and that perhaps "there are other issues here".

      --
      Sig under construction since 1998.
  3. Nonsense Quote by LostCluster · · Score: 2, Insightful

    "As far as notifications, we think there are certain instances where businesses might want to notify consumers and certain instances where they might not to inform them," Cook said.

    When would there ever be an instance that a business would want to disclose a leak? There are instances where businesses should be required to inform customers.

  4. Every 35 hours by amrust · · Score: 2, Insightful
    ...limiting a single thief to 250 identities a year...

    Still, to the web economy, that's *almost* like them becoming a completely different person, every 35 hrs. Per thief. Pretty amazing/scary when you stop to think about it.

    --
    VOTE!
  5. Not a big deal??? by gasmonso · · Score: 4, Insightful

    Tell that to the thousands of people who had their lives turned upside down. The effects of identity theft can be devastating and long lasting. If your data is stolen, you have every right to know about it. This is just an attempt for companies to downplay their incompetence and lack of security. I'd like to see how they would react if their information was stolen.

    gasmonso http://religiousfreaks.com/
  6. Stupid by pubjames · · Score: 2, Informative

    This is the most stupid thing I've read recently.

    If a criminal gets his hands on a million records, and he can only use a few hundred a year, what do you think he is going to do, throw all the others away?

    No, he's going to sell them to other criminals or pass them on as favours.

  7. overblown my ass! (ewww, nasty image) by BushCheney08 · · Score: 3, Insightful

    As a former victim of identity theft, I have to tell these people to go to hell. Sure, my case was a fairly small one -- two lines of credit opened in my name totalling about $5000 (On one of the applications, there wasn't even a SSN. They opened the account simply by listing my name and an address that I've never lived at). Getting the crap cleaned up was an absolute nightmare. And don't expect the 3 credit reporting agencies to be any help, either. They don't want to deal with you. After all, you're not their customer - their customers are the ones buying your information from them. One of the agencies still sends mail to my old address, 6 months after moving. This is despite me sending a letter notifying them of my change in address along with all of the information they requested in order to do so. Basically, any company dealing in personal information brokerage is on my shitlist...

    --
    Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
  8. Credit reporting companies fault by Lumpy · · Score: 2, Insightful


    If they would stop being Asshats and allow you to "LOCK" your credit reports then this would be a non issue.

    If I could call and place my credit reports in a locked status so no credit reports can be pulled then this would be a much smaller issue. But they refuse to because it would significantly impact the revenue stream they get from the tens of thousands of illegitimate requests they get an hour for people's credit. I won't even go into the issue that their data is horribly inaccurate anyways but they should allow me to lock it down until I release that lock.

    --
    Do not look at laser with remaining good eye.
  9. I just got a 20 page background check fax in error by gelfling · · Score: 5, Insightful

    My home fax machine is one digit off from that of a headhunter. Two nights ago I got a 20 page fax detailing the background check results for a candidate including:

    Name
    SSN
    Address
    Bank account numbers
    Credit score
    Arrest/conviction records: Federal State Local
    Urinalysis results

    I never received a followup fax to check up on it - clearly they didn't have my phone number so they couldn't speak to me, but they already had a record of the fax number.

    And if that wasn't dumb consider this.

    My home phone number is one digit off from the State's Department of Revenue unclaimed funds division. I routinely get calls from people asking "Is this the money line???" I get people leaving their name, address, SSN and phone number on my voice mail, unasked and please remember that the outbound message states the phone number and nothing else to indicate what the number is for. I get calls from people in state, out of state, out of the country, from prisons, from other branches of the government.

    Security is bullshit as long as people act retarded.

  10. "Identity Theft Over-Reported" by lysander · · Score: 2, Insightful

    I recommend also reading a post in Schneier's blog about identity theft being over-reported and confused with fraud.

    --
    GET YOUR WEAPONS READY! --DR.LIGHT
  11. And when the thief resells the info? by Anonymous Coward · · Score: 2, Insightful

    250 per year per thief. What about when one company is breached, 1 million IDs are stolen, and the one thief (who specializes in security penetration) then resells these to hundreds of other thieves (who specialize in id theft) online? 'Cyber criminals' are more organized and more specialized these days. We're not dealing with script kiddies any more.

    The company suggests, for instance, that companies shouldn't always notify consumers of data breaches because they may be unnecessarily alarming people who stand little chance of being victimized.

    Of course they do. This is spin to attack California law. Choicepoint and friends don't like the law and want it repealed.

  12. What about the people in the call centers? by rolypolyman · · Score: 4, Insightful

    What concerns me lately is some of the faceless/nameless droids working in the call centers. After we called our Texas power company to transfer our service to a new address, we found out some time later that they added on another house in Dallas, as part of the same work order. Assigned my wife's social security number to the account, too. It's not just the databases that concern me, but the trustworthiness of the people taking my call.

  13. Re:I'm not sure I get it by timeOday · · Score: 4, Insightful
    I'm not sure why anybody should be notified at all. Customers knew the risks when they signed up for a credit card, if they didn't know the risks they could have found out. And now nobody has an excuse for not knowing the risks involved.
    You are the classic example of somebody who berates individuals for not taking responsibility (for things they have very little control over), while at the same time giving companies carte blanche for utterly reckless irresponsibility. It's bizarre.
  14. Not in the hospital setting by PIPBoy3000 · · Score: 3, Interesting

    I work for a healthcare organization and one of the applications I support is this system for merging multiple medical records into a single one. We have a team of people whose sole purpose is to take multiple accounts and turn them into one. These extra accounts can be created accidentally, such as when a Jane Doe comes into the ER and their identity is later established. It can happen on accident, such as when a registration person creates a new account instead of finding the old one.

    In the last couple years, identity theft and identity fraud have resulted in huge inputs to the system. Where we once had to merge up to three identities, the system now supports merging up to ten. What happens is that a single individual will steal a bunch of different identities and then use them all, typically to get drugs.

    So, while the risk of your credit card being stolen and used may be low in certain cases, don't lose your other "proof of identity" stuff: driver's licenses, insurance cards, and your social security number.

    1. Re:Not in the hospital setting by Jon+Abbott · · Score: 2, Interesting

      This happened to me a few months ago -- I had a couple visits to the physical therapist and then started receiving bills for numerous drugs that I had no clue about. I had to call, write letters and complain to the hospital billing department for six months for them to fix it. The crazy part is that they didn't know how it happened, they just claimed that it was fixed...

      Do you know anything more about this sort of medical identity theft? If so, please reply to this or email me at i_love_junk_email@yahoo.com.

  15. Flaw in this by isotope23 · · Score: 2, Insightful

    A new study released by ID Analytics says that only about 1 out of every 1000 stolen identities are actually used, due to the amount of time it takes to use the identity, limiting a single thief to 250 identities a year.

    Major flaw in thinking here...

    If this is true, then said computer criminal could just sell his/her stolen
    info in batches of 250 to multiple criminals. I can see all kinds of possible
    "value" add ins for the data thief as well. Items such as:

    Data mining for likely high income identities.
    Data mining for identities which match the buyers profile (e.g. white male mid 30's)

    --
    Service guarantees Citizenship! Questions Guarantee GITMO.... Amerika Uber Alles!
    1. Re:Flaw in this by lysander · · Score: 2, Insightful

      Exactly. It's not like stolen identities go stale all that quickly, either. I'd want to know my information was compromised regardless if it was stolen in a batch of 100 or in a batch of one million. A company worrying about whether they're "unnecessarily alarming people" should also be taking proactive steps to avoid and minimalize the damage of such thefts.

      --
      GET YOUR WEAPONS READY! --DR.LIGHT
  16. ID Theft not a problem? by voice_of_all_reason · · Score: 2, Funny

    Looks like Baghdad Bob has a new venue for employment...

    "The criminals are committing suicide outside the gates of your personal information! There is no ID theft in the city, not at all! We are victorious!"

  17. Re:I'm not sure I get it by RobinH · · Score: 2, Informative

    Right, blame the victim. How about we blame the person breaking the law, harming other people... the person committing the identity theft itself?

    The technology exists to make credit cards secure. The technology exists to keep our identities secure from fraud. Let's have gov't and big corporations start to take it seriously. All they do right now is accept a certain % of fraud per year and consider it an expense against their bottom line, and charge all their customers extra to compensate. The criminals are getting away with it, and it costs everyone.

    Heck, even if they integrated a 4 digit PIN on all credit card transactions in addition to a signature, you'd cut down on fraud significantly. Point of sale and internet transactions could easily be adapted to this. The only problem would be selling stuff over the phone, where you're left with the same problem, but the credit card companies already charge an extra amount to those retailers who can't do signature verification, and that makes this kind of transaction more expensive, so the buyer of that particular product ultimately pays the risk, which is better than the current situation where we all pay extra.

    --
    "I have never let my schooling interfere with my education." - Mark Twain
  18. Re:I'm not sure I get it by theRiallatar · · Score: 2, Informative

    Mastercard at least, has a solution for this, even if it's a little bit of a hassle. You create throw-away card numbers that are only valid for a certain amount and expire after a month or two. It's all about minimalizing your exposure to fraud.

  19. Re:Ask Slashdot: Downside to "Fraud Alert"? by lividdr · · Score: 3, Informative

    In my experience, the fraud alert doesn't do anything.

    My wife's wallet was stolen, containing a credit card, our debit card, and her driver's license. We cancelled/re-issued the cards and she had her DL# changed. We called experian, equifax, and transunion to have a fraud alert set on our credit reports.

    A few days later we got letters from all three indicating the fraud alert was set. According to the letters, we shouldn't be receiving any pre-approved credit offers in the mail for 90 days. Any query against our credit report would return a fraud alert. We also signed up for a service offered by our bank to receive notification on any activity against our credit report.

    Unfortunately, we continued to receive those damn credit card offers, often "pre-approved" , every Tuesday non-stop. We opened an account with Home Depot about a month later and there wasn't any mention of a fraud alert. We also never received any notification of any activity against our credit report, not the inquiry that HD should have run, nor the appearance of a new trade line. We cancelled the credit report monitoring service and got our money back.

    Bottom line, using the fraud alert didn't really do anything, positive or negative. I expected to get a request for some additional ID from the CSR at Home Depot, but instead she just said "You've been approved" after a couple of minutes and handed me my temporary credit info.

    --
    Give a man a beer and he wastes an hour. Teach a man to brew and he wastes a lifetime.
  20. ID Sweatshops by ZachPruckowski · · Score: 2, Insightful

    Here's how I'd do it if I were an ID thief (obviously I'm not).

    1) Steal a hundred thousand IDs.
    2) Hire a pile of cheap workers somewhere
    3) Get them to mine the money for a 10-20% commission.
    4) Move to Vegas and/or the Bahamas and, um, get to know the locals...

    I mean, seriously, when you're dealing with a lot of money, when has manpower ever been an issue?

  21. Only 250? Thank God crime isn't organized. by shotgunefx · · Score: 2, Interesting

    These people are idiots. All it would take is a little organization to increase the efficiency.

    Of course with a larger number of potential victims, fewer percentage-wise will be hit. But they also contradict themselves.

    They say...

    ID Analytics said it discovered that identity thieves have a hard time using a stolen credit cards to hijack the identity of cardholders. That's because the cards are usually quickly canceled and because piecing together an identity based on the information on the card is hard work. Not one of the card breaches it studied resulted in a subsequent identity takeover.

    Now if credit card companies don't report it, who says the cards will be canceled?

    I can't remember which company it was, but I remember a breach a couple years ago, the initial numbers were in the tens of thousands, after the FBI got involved the true number was over a million IIRC.

    They should never be able to hide their culpability. If they can, they will always minimize their liability.

    --

    -William Shatner can be neither created nor destroyed.
  22. So...... by ShyGuy91284 · · Score: 2, Funny

    The next time I golf, and I see my ball heading towards a large crowd of people, I shouldn't alert them about it since it will probably only hit one person (assuming no rebound)?

    --
    In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
  23. Re:Oh well in THAT case by carlos_benj · · Score: 2, Funny

    Bah! You probably aren't even standing......

    99.525809283902% of all typists are seated as they type.

    --

    As a matter of fact, I am a lawyer. But I play an actor on TV.

  24. I'm more worried about accidental mistakes by Anonymous+Brave+Guy · · Score: 2, Interesting

    I'm not, personally, too worried about having my identity deliberately stolen. I take reasonable precautions, and key places like banks and employers tend to be wise to obvious and seriously damaging identity theft and how to deal with it these days. Relative to the odds of it happening, I have more serious things to worry about...

    ...like incompetence, for example. All it took was one government staffer mistyping my NI number (roughly the UK equivalent of a US SSN) into a database, out of probably thousands they typed that day, and my whole tax/NI contribution record was messed up. It took me months to clear it up, calling round several tax offices, and out of pocket by hundreds of pounds in the meantime. (At the time, I had just started my first job, and could barely afford the rent as it was, so that was a very serious position to be in.)

    The thing that was scary was that this is supposed to be systemically "impossible". (I think that just means there's a check digit in the number, and they have to fluke that being consistent when they mistype it...) That means they don't bother telling you about it (even though their database had me working in two different full time jobs on opposite sides of the country!), so the first I heard of it was when my employer deducted more from my pay for tax than usual, as they are legally required to do on receiving notice from the tax office.

    Worse, there weren't any serious systems in place to deal with the problem. The first several government people I spoke to on the phone wouldn't even talk to me, because I couldn't tell them the name of my employer or my address. Or rather, I couldn't tell them the name of the other guy's employer and his address, since it turned out they'd somehow merged part of my record with someone else's because of the incorrect ID. I only got through in the end by convincing one of the staffers to listen to my explanation and tell me what I could do, and between us we figured out what must have happened and who I needed to contact to get it fixed.

    This bothers me far more than a malicious ID theft, because (a) it's the tax man, who is basically immune to any sort of useful legal action in this sort of situation; (b) it's probably far more common, because thousands of people get processed by these operators every day; and (c) there obviously aren't sufficient checks and safeguards in the system to even identify a clearly inconsistent database entry and flag it for checking by a real person, never mind a proper mechanism for me to get the situation resolved quickly and effectively.

    Given that the problems are much the same here as for a minor identity theft, except that you don't have the normal legal avenues available to you to pursue the culprit and it's probably a lot more common, I'd say that makes unintended human error a much bigger danger than ID theft with criminal intent, at least until they tighten up key systems in governments, banks, credit agencies, etc.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  25. Credit Alerts and Cashiers by SeanDuggan · · Score: 3, Informative
    Bottom line, using the fraud alert didn't really do anything, positive or negative. I expected to get a request for some additional ID from the CSR at Home Depot, but instead she just said "You've been approved" after a couple of minutes and handed me my temporary credit info.
    "Never attribute to malice what can be attributed to human stupidity." It's also possible that the cashier ignored or bypassed the message. Her pay isn't likely to be influenced either way by it and if multiple people are putting on "fraud alert" alarms on their credit records, it's entirely possible she gets so many bogus alerts that she doesn't even think twice before dismissing the dialogue. *grumble* I really wish I had the URL to that study someone posted on Slashdot... they were ostensibly heavily involved with the "photo ID on a credit card" concept at its first inception and he posted a nice long summary of his results. Basically, it didn't matter what the picture looked like; the cashiers passed the card. They even tried people of the wrong gender and it didn't make a difference. They then tried adding alerts, first a notification that popped up to ask the cashier to check the picture, then a dialogue which asked them to call into the credit agency, which required using a bypass key to dismiss. The rates of checking the picture were actually lower because the dialogue would get automatically dismissed without thinking about it.

    Come to think of it, I think that article was in something about biometrics... someone was publishing instructions on how to fake fingerprints using gelatin and he was commenting on other failed security features.

    --
    This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
    1. Re:Credit Alerts and Cashiers by jafiwam · · Score: 2, Informative

      The cashier may actually get a bonus on their paycheck for signing up X number of people in a month. Extended warranties work the same way.

      So it is likely against their self interest to care if there is a fraud alert, as opposed to being simply indifferent.

  26. Re:I'm not sure I get it by Loconut1389 · · Score: 2, Insightful

    the only real solution to having to give out your pin is something like RSA SecurID where the pin+code rotates on an interval (usually 1 minute).

    If with every credit card you got an RSA SecurID fob, or something similar, credit theft would be all but impossible. Sure if someone physically steals your card and fob, there's a small window before you call the company, but that's minimal and easily controlled.

    The problem though is others applying for other lines of credit in your name. They'd have their own fob and their own card, but under your name and with you on the hook.

    Ultimately, there will have to be developed or utilized some form of technology to uniquely identify an individual signing up for a credit line. Biometrics perhaps? And then take that technology and make it such that it can be used over the internet or some other means that makes signing up for credit less of a headache than having to drive somewhere. Honestly, I'd be willing to drive somewhere local to apply for any form of credit, if it meant that I'd be guaranteed no one could sign up in my name without my eyes/hand/whatever.