Slashdot Mirror


ID Thieves Target Smaller Businesses

wiredog writes, "The Washington Post writes about real-time credit-card theft from small merchants (registration required). An accompanying Security Fix blog commentary from Brian Krebs describes '...10 hours of lurking I did on a variety of underground chat and Web channels frequented by identity and credit card thieves. From that research, Security Fix confirmed recent data breaches at four online merchants that were unaware that hackers had broken into their databases until we contacted them.' Lesson: Don't buy online from the cheapest retailers. Guess where they are cutting costs to be the cheapest?" The article and blog commentary also cast doubt on the efficacy of online "hacker testing" services.

97 comments

  1. First Proust by Anonymous Coward · · Score: 2, Funny

    Only through art can we emerge from ourselves and know what another person sees.

    1. Re:First Proust by Anonymous Coward · · Score: 0

      Goddammit, where are my mod points?!

      You magnificent bastard, you...

  2. And up go the prices! by Seiruu · · Score: 2, Insightful

    If the prices of your favorite retailer just went up by 10%, it's not because they've invested more in security, but just in /. articles.

  3. (registration or bugmenot required)? by joe+155 · · Score: 2, Insightful

    It didn't seem to be for me, I guess there's no excuse for not RTFA.

    What I would say on this issue though, and what we should have learnt from AOL is that it's not just the small companies who either get compromised or make huge mistakes, it seems rather harsh to focus just on the small companies as if they are always bad. The best advice that I think that I could give anyone for buying anything online (regardless of who from) would be to use a credit card - then your contract is with the credit card company so it's their issue if your data gets stolen or you don't get your goods... and they have deep pockets ; )

    --
    *''I can't believe it's not a hyperlink.''
    1. Re:(registration or bugmenot required)? by Rob+T+Firefly · · Score: 3, Interesting

      The way I prefer to do online shopping is with a checking account that has a Visa/MC debit card linked to it. That way, I can use online banking to transfer the precise amount I want to spend into my designated "e-commerce-only" account before I do it. It adds an extra step to each transaction, but it's worth it to me since even if someone had the complete CC info for that card, chances are the charge would be denied. And, if you set it up at the right bank, it's all totally free.

    2. Re:(registration or bugmenot required)? by coolgeek · · Score: 4, Insightful

      and they have deep pockets

      This is the most inaccurate idea thrown around about credit card companies. That they have plenty of money and that's how they just forgive various charges on your card when you complain or are defrauded. This is only half true, and that part is that they have plenty of money. Sure, they forgive charges to your cards all the time. But who pays for it? Does anyone really know? Well, any merchant knows that it is the merchant that pays for fraudulent and otherwise disputed charges. That, plus a $30-35 charge just like a returned check fee.

      Sure the credit card companies have a clause if you only ship the goods to the billing address, have AVS verification, make sure the CSC matches, AND have a signature required for the delivery, they claim that they will eat the cost and not pass it on to the merchant. Aside from the fact that shipping only to the billing address will cause one to lose business, in actual experience, I have observed multiple instances of credit card companies claiming the signature was forged for one reason or another. The merchant has no recourse. There is no appeal process. The only recourse is to discontinue accepting transactions from a card vendor, or to accept fraud expenses as part of the cost of doing business, and adjust consumer prices accordingly.

      And to think the article attempts to paint some shade of altruism on these crooks by saying they make a "donation" to charitable causes to verify the card is useable. These crooks are costing these organizations money for the returned charge fees.

      --

      cat /dev/null >sig
    3. Re:(registration or bugmenot required)? by whimmel · · Score: 1
      The merchant has no recourse. There is no appeal process. The only recourse is to discontinue accepting transactions from a card vendor, or to accept fraud expenses as part of the cost of doing business, and adjust consumer prices accordingly.

      The merchant actually does have the ability to respond to a chargeback and re-present a transaction they can prove is valid.
      --
      Does the name Pavlov ring a bell?
    4. Re:(registration or bugmenot required)? by whizzard · · Score: 1
      with a checking account that has a Visa/MC debit card linked to it

      My personal favorite is to use a virtual credit card number provided by my bank (but which still bills to my existing account). I can set a dollar and/or time limit on the validity of the number, and the number can only ever be used by a single merchant account. If the number is ever compromised, the thief could only ever use it at the same merchant, and only if I set the maximum value significantly higher than my purchase price.
    5. Re:(registration or bugmenot required)? by whizzard · · Score: 1
      Well, any merchant knows that it is the merchant that pays for fraudulent and otherwise disputed charges.

      To lump all merchants together oversimplifies the situation. Retailers who wish to accept credit cards must open a merchant account with a bank, and it is the terms of that merchant account which dictate what happens in cases of fraud and chargebacks. These terms can and do vary from merchant to merchant, which is why some places (Starbucks, Chipotle, etc) can accept credit charges under a given value with no signature at all.
    6. Re:(registration or bugmenot required)? by coolgeek · · Score: 1

      Yes, this is true. If you read what I posted, I am enumerating multiple instances where we have responded to chargebacks with copies of signatures for deliveries to the billing address on the card. We were told we could not prove it was the cardholders' signature, and were charged back the money anyway. Probably because one of their latchkey kids made the charge, and signed for the package. There is no appeal in such a case.

      --

      cat /dev/null >sig
  4. Nothing wrong with their efficacy... by tygerstripes · · Score: 3, Informative
    Maybe it's the "services" themselves you should be worrying about...

    Okay, that's a bit of a cheap stab, but it's important to remember that white-hats and black-hats are only separated by the particular direction their careers took them (consider that "security consultant" guy in NZ who narrowly escaped a conviction).

    There's no such thing as a completely secure system. A security cracking service for testing your systems is paid to identify weaknesses, but there's no way they could make sure you were completely secure - their motivation is to do a decent job and get paid, which means identifying obvious flaws and telling you how to fix them. They're not going to spend their waking lives figuring out how to breach it.

    If a black-hat of a similar caliber really wants to, they'll find a way into your system. It just might take time. Mostly though, they want into the easiest systems they can penetrate, so getting a white-hat in to make their job harder is worthwhile - it's just not a guarantee.

    --
    Meta will eat itself
  5. Hmmm. by The+Living+Fractal · · Score: 4, Interesting

    Here's what I wonder...

    Say I happen to like this online retailer, and they happen to have good prices. Say they might cut corners on security so they can pass the savings on to me, the consumer. Then also say that in my account with them I offer no social security number and pay with a check card. Furthermore, let's assume that in using my check card I transfer only the money I need to use to the checking account from the savings account (this is done easily online with my bank), thus after using said money anybody who did happen to get my card details won't be finding any money in the account anyway.

    So, how exactly am I at risk? I have a bank account that stays at basically zero balance except during the exact moments I intend to use the money. Call it a safety net... I mean this as a serious question. How am I at risk? Looks like I'm the one saving money here.

    --
    I do not respond to cowards. Especially anonymous ones.
    1. Re:Hmmm. by rascanban · · Score: 3, Interesting

      Well, for one, you are assuming that this series of activities is going to be available to you every time you want to purchase something online. This involves at least one additional step on your part. Remember Murphy's Law? One extra piece in the puzzle means one more thing can go wrong. The "bad guys" can monitor your account, set up bots to do it, or even guess that in the holiday season you may be using your card more than in March or August. The human factor can help them write code to get your money, even with such steps in place. And, I don't know about you, but my time and brain capacity can be better used than remembering to do the steps you outlined above. And, finally, time is money. Money is power. You spending time on this decreases power, transitively.

      --
      "Beauty is the ultimate defense against complexity." - David Gelernter
    2. Re:Hmmm. by gEvil+(beta) · · Score: 4, Insightful

      If you're doing this you should make sure that you don't have any overdraft protection on your checking account.

      --
      This guy's the limit!
    3. Re:Hmmm. by The+Living+Fractal · · Score: 1

      A very good point.

      Would definitely defeat the purpose of the safety net idea.

      TLF

      --
      I do not respond to cowards. Especially anonymous ones.
    4. Re:Hmmm. by The+Living+Fractal · · Score: 1

      I am not sure how they can monitor my account. They'd need more than just the card info to see available balances. At the very least they'd need the PIN and if they wanted to access the online portion with bots they'd need my account password, which is a pretty strong one that would take some brute force approach to crack since it is not related to anything personal of mine.

      And I would think that malicious identity thieves are more hit-and-run, not hang-out-and-wait types. They wouldn't likely continue to try to get money from a single account over a long period of time for fear of getting tracked and caught.

      Yes, it's extra steps. And yes time is money is power. The transferring of money to the checking account literally takes me less than a minute. So not that much time. I guess this means the ultimate question is, is that time worth the difference in price compared to buying from a 'secure' site, and secondly, how do I know a site is really secure anyway?

      I mean, just because an online retailer has low prices does not mean they aren't secure, which is sort of the meaning I got from the article.

      --
      I do not respond to cowards. Especially anonymous ones.
    5. Re:Hmmm. by rascanban · · Score: 1

      What if your online banking is not available at the time of purchase?

      --
      "Beauty is the ultimate defense against complexity." - David Gelernter
    6. Re:Hmmm. by Dhalka226 · · Score: 1

      How often do you do this? And, are you in the US?

      Just recently, after many years of putting it off (I'm 22 now), I ended up switching the custodial savings account I had over to my name. During that process, one of the things they mentioned very specifically is that if you transfer money from savings to checking more than six (I think) times in a month, the account gets closed. This warning is repeated, although somewhat differently, on the online banking funds transfer page: "Federal Regulation D limits the number of preauthorized, automatic, telephone, electronic (including ACH), online and other transfers and withdrawals not made in person or at an ATM to six (6) per month for all savings accounts. Excessive activity will result in a Reg D violation fee for each applicable transfer/withdrawal over the monthly limit; please refer to your current pricing schedule for personal accounts." They said it was part of the package of legislation passed after 9/11.

      So while your idea seems okay in general, you'll want to be wary of that.

      That said, there are credit card companies who let you generate one-time CC#s linked to your account that automatically expire on first use. My brother's Discover card was one of them, I believe. Meaning, even if the number was intercepted it would be rendered useless as soon as the merchant processed the number. It seems like virtually the same thing as you describe, though a bit simpler and, perhaps, less likely to irk the feds. I personally do not understand why all credit card companies do not do this. It seems like an exceptionally simple thing to create and maintain, and protects their customers at the same time. Since most CC companies do not make customers liable for fraud, it protects them as well.

    7. Re:Hmmm. by Anonymous Coward · · Score: 0

      Yeah, then you'd only have a bunch of insufficient funds charges at $25 to $40 each.

    8. Re:Hmmm. by sfprairie · · Score: 1

      That's a whole lot of work and account management.

      Personally, I have one credit card that I only use for online transactions. Because it is a credit card, your exposure is limited and you have fraud protections. With a debit card, all of the money you have in your bank is exposed.

    9. Re:Hmmm. by The+Living+Fractal · · Score: 1

      Then I'm pretty much screwed.

      Luckily my bank is rarely unavailable.

      But as one person replied, using a credit card with fraud protection is probably the best method. My problem is I just avoid using credit cards altogether except for emergencies. And even though you have fraud protection on a credit card you are unlikely to get the protection without having to spend a certain amount of time actually communicating with the credit company, something which I find is akin to torture.

      --
      I do not respond to cowards. Especially anonymous ones.
    10. Re:Hmmm. by Osiris+Ani · · Score: 1
      Because it is a credit card, your exposure is limited and you have fraud protections. With a debit card, all of the money you have in your bank is exposed.

      ...unless, of course, you do business with one of the better banks. Mine offers excellent, zero-liability fraud protections on my debit card, which leads me to believe that many of the horror stories I've heard could have rather easily been avoided by devoting a relatively negligible amount of time to researching bank policies on things like fraudulent charges and identity theft.

    11. Re:Hmmm. by sfprairie · · Score: 1

      You're still out the cash until you discover the fraud and report it. Cardinal rule is to never expose your own pile of money.

    12. Re:Hmmm. by Osiris+Ani · · Score: 1
      You're still out the cash until you discover the fraud and report it.

      ...which takes about ten minutes, at least with my bank. They put the funds from disputed charges back into the account immediately, and ask questions later.

      Cardinal rule is to never expose your own pile of money.

      If, by that, you mean one's entire pile of money, then doing so is roughly equivalent to putting all of your money into your checking account. That would just be silly, and would negate the purpose of a savings account. I like the interest mine accrues.

      Regardless, if you're just looking for an excuse to distrust a system of fraud protections, you can easily latch onto pretty much any answer that validates your hypothesis. The point, however, is that these safeguards do exist, are effective, and are available to just about anyone with a passable credit history; it doesn't even have to be "good," per se.

  6. e-card by Big+Nothing · · Score: 5, Interesting

    I know this is a bit off topic; presenting a solution (sort of) instead of bitching about the problem, but here goes nothing:

    Living in Sweden, I am using an "e-card" system offered (for free, as in beer) by my bank for all my online purchases requiring credit card information. I bet this system is available for you yanks as well as in most other industrial countries, but for those of you who are unfamiliar with the concept, here's a description:

    * On any online shop, when you've finished stuffing your shopping basket and head for the counter, you choose "credit card" just like you normally would.
    * Instead of using your ordinary credit card, you generate a time limited, amount limited virtual credit card. For all intents and purposes, this "electronic Visa" is no different from a regular Visa card.

    The advantage is that, even if a man-in-the-middle attack intercepts your order, the amount limit would hinder the culprit from stealing any money. And you don't have to worry about the shop losing the database containing your CC number; it's only valid for a month - and doesn't contain any money anyway.

    I've used this solution for a few months now, ordering from companies in Sweden and USA, by online order form and phone order. It works like a charm each time - no fuss.

    --
    SIG: TAKE OFF EVERY 'CAPTAIN'!!
    1. Re:e-card by houghi · · Score: 1

      I am with Citibank and they have this system as well (at least in Belgium) for online payments. The disadvantage is that you first have to go to the online store to see what the total amount will be, including all costs, then go to the site, log in, set up the account with the correct amount, go back.

      By that time several online stores have given you a timeout, which means you need to fill all out again. I only use it with sites that I do not know, and then only the first time. Otherwise I just use my normal card.

      --
      Don't fight for your country, if your country does not fight for you.
    2. Re:e-card by mike2R · · Score: 1

      The reason why this is not a real solution to the problem is that there is little incentive to use it.

      Theft of card details may cause you a temporary inconvenience while it is sorted out, but there is no way on earth that you will ever be liable for the losses if someone uses your card to make a fraudulent mail-order/ecommerce transaction - which is all someone can do with the details you gave when making such a transaction.

      The victim of mail-order/ecommerce fraud is the merchant (the card companies also do not cover any losses) who accepts the fraudulent card. If they have shipped goods, and the police do not recover them (I crack myself up sometimes) then they will get a chargeback and lose the product that they shipped.

      Don't get me wrong, I salute you for taking the trouble to avoid innocent businesses being ripped off, but without card holder liability (which I'm not advocating in any way since it would pretty much kill ecommerce) it's never going to be used widely.

      I'd like to see card issuers have a small liability (say 5% + no fees) on fraudulent transactions. Make it appear on their bottom line and they might start to give a shit.

      At the end of the day the merchant who accepts the fraudulent transaction is in by far the best position to spot it, but they could use a little help.

      --
      This sig all sigs devours
    3. Re:e-card by photomonkey · · Score: 1

      To the best of my knowledge, I think the US is way behind the times on this. I can't say I am familiar with the practices of every bank in the US, but I know that neither of the two I use have ANYTHING even remotely resembling this brilliant "temp card" scheme. As yet, my bank doesn't even offer electronic transaction protection on my debit/check card, only on my credit card.

      --
      Message contains 1 attachment: spam.gif
    4. Re:e-card by silas_moeckel · · Score: 2, Insightful

      I think you're missing the point in the US. Visa makes money on CC fraud: it's a $35 fee on every chargeback and the chargeback is for the full amount, not the 2%ish removed. Visa likes to make everybody think they are being the nice guy and eating the costs but really they are just fleecing the vendors that are stuck paying the bill or not accepting CC and losing that business.

      Now I would love to be able to have ecards they would be perfect if they accepted anything as the billing address (something it took forever to get my bank to do)

      --
      No sir I dont like it.
    5. Re:e-card by tt076860 · · Score: 1

      Lesson: Don't buy online from the cheapest retailers. Guess where they are cutting costs to be the cheapest?"

      Let me guess... since we talk about the security part, so the answer must be the one and only, they are cutting on the security cost... Yes! 10 marks for me!

      This is the most interesting topic for me to talk about, since I'm now taking data security and e-business subject... So I know a little bit about e-business and security.

      Since that I'm still a student and a student can't have a credit card... so, for me the security matter on buying online not giving me any unsecure matter... because I'm using e-card to buy online and I can strictly said that this is very secure method instead of using credit card...

      Other than using the e-card, I advicely said that as a customer to buy online, they must make sure that they know what are the company they want to purchase things from... I mean that the customer must trust the company and well know the company and also the company's background... and this will settle all!

    6. Re:e-card by TT074317 · · Score: 1

      By using e-card system, I think it is quite interesting and good for us because nowadays there are many consequences and disadvantages if we buy things and paying by cash...

    7. Re:e-card by DennisMichaelMathews · · Score: 1

      Have you guys ever heard about Time-of-Check to Time-of-Use Errors? To understand the nature of this flaw, we should consider ourselves as the main culprit in this kind of scenario.

      This is really basic, but: Keep an eye on your card. You might be rushed, or distracted by your kids, or involved in an interesting little chat with the clerk ;). Whatever. Keep an eye on your card and make sure it goes back in your wallet. My dad typically leaves his wallet on the counter or restaurant table, with his hand on top of it, until the card goes back in. This can be a little awkward sometimes, but it helps remind me not to leave the store without my plastic. The one time I forgot is the time, of course, someone swiped my card.

      This could be out of the topic too... but I can bet that there are so many folks out there who don't even know about this. The keyword is going to be "Make sure the transaction is secure". Just don't enter your card number unless the little padlock is showing on the lower part of your browser, and the Web site address starts with "https" rather than just "http." Another ignorance of a simple check that could lead to massive error which would cause you $$$...

  7. cc fraud by Feyr · · Score: 4, Interesting

    On a related note, credit card thieves in Africa are using non-profits' "donation" pages (those who accept CCs) to test their newly stolen cards. One of our customers has multiple occurrences of one scammer doing 3 transactions within a few minutes, two times for small amounts (1-2$) and one larger amount (~50$).

    1. Re:cc fraud by flyingfsck · · Score: 1

      I've had one of those weird donations happen to me. Got $5 from a Muslim Charity in Switzerland. Why would they want to give me money? I'm an atheist for all the gods' sake...

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    2. Re:cc fraud by kabocox · · Score: 1

      On a related note, credit card thieves in Africa are using non-profits' "donation" pages (those who accept CCs) to test their newly stolen cards. One of our customers has multiple occurrences of one scammer doing 3 transactions within a few minutes, two times for small amounts (1-2$) and one larger amount (~50$).

      Oh, well my CC company would deny that payment quickly because they know that I'd never give to any non-profit. Sometimes it actually pays for the CC to know everything about you. On the other hand if they tested the CC by buying USB flash drives or anime products I'd be screwed.

    3. Re:cc fraud by azman075918 · · Score: 1

      I agree. They will try to spam through email and cheat people that they are trying to make a "donation" or helping something.

    4. Re:cc fraud by KarmaOverDogma · · Score: 1

      "I've had one of those weird donations happen to me. Got $5 from a Muslim Charity in Switzerland. Why would they want to give me money? I'm an atheist for all the gods' sake..."

      Are you ironic as well?

      --
      uR iGn0ranc3, Their Power
  8. Ouch by HatchedEggs · · Score: 1

    I guess that means they really aren't passing those cost savings on to us, huh?

    Disturbing, but it makes complete sense.

    --
    Justin - Don't be afraid of my blog, it won't bite.
    1. Re:Ouch by HatchedEggs · · Score: 1

      Oh, and btw, as others have said... many credit cards offer programs to protect your information from potential online predators. My credit card company (which shall go un-named) has a function that allows you to create a temporary credit card number and put a max available balance on it.

      So if I make a purchase for $9 from an online merchant, I put $10 on a temporary card # and if a hacker gets in he/she would have a max of about $1 on that. That puts me in a great position because I don't have to run around trying to fix my credit. On the other hand, it benefits my credit card company and lowers their risk.

      Are pretty much all credit card companies offering this feature now?

      --
      Justin - Don't be afraid of my blog, it won't bite.
  9. Moo by Chacham · · Score: 1

    Very interesting.

    I imagine bricks and mortars once had similar problems. But, they've been around for enough time that security has been improved and common tricks will not usually work on them.

    The Internet is still young, and many people are using it who simply do not know what it is about. If attacks like this keep happening, and keep being reported, people will have a better general knowledge, and real-world protection (burglar alarms, security monitoring, etc) will become more common, and slowly but surely, security will be enhanced overall.

    Kudos for the article. Things like this need to be reported in the nice way the author mentioned it.

    1. Re:Moo by peragrin · · Score: 2, Interesting

      Nope, still get that kind of problem in a brick and mortar store. Routinely I get emails asking for me to send 500+ smoke detectors to some place overseas.

      Recently I got an IRC (internet relay call for deaf people) about a couple of random items plus 800 smokes. I gave the guy my email address, and thinking it was legit but suspicious we passed one email back and forth and he forked over three credit card numbers just like that. Asked me to split the down payment up between the three. I told him I couldn't do it over the net, and he needed to come into the store. Haven't heard from him since.

      Scammers are branching out. IR calls aren't cheap. Also credit card companies are getting more and more stringent in how different companies accept cards.

      --
      i thought once I was found, but it was only a dream.
    2. Re:Moo by Chacham · · Score: 1

      I don't think I meant quite what you are referring to. But your comment is interesting nonetheless. :)

  10. user responsibilities by PK073891 · · Score: 1

    I have seen many of the credit card holders today, have to knowledge how to keep safe their credit card. Credit card thieves can just easily use the money without the owner's knowledge. Credit card thieves have many advances (with latest technology) to transfer and steal money easily. So, to all credit card holders, please use your credit card when necessary only and always keep track of your bank account balance.

    1. Re:user responsibilities by TT074304 · · Score: 1

      Yup... I agree with that, it's self awareness people... don't just use the credit card like your life depends on it, it's just a piece of plastic, surely do you think plastic got a very tough security? Duh...

  11. Liability by Anonymous Coward · · Score: 0

    Read the CC agreement, you're not liable for the charges, why should you worry about security?

    Identity theft is one thing, but until the CC companies can get a change in policy making me liable for charges I don't think I'll worry about protecting them from loss.

    In fact, given that credit card companies screw you over at every opportunity (eg 29% APR) I can't see why any of us should help them with their problems.

    1. Re:Liability by RicoX9 · · Score: 3, Informative

      You operate under a huge misconception. The credit card companies risk very little. The online merchant who accepts a fraudulent transaction is the one who takes the risk. It is part of your merchant agreement that they can charge back any contested or fraudulent charge. You should worry about security - those fraudulent purchases add to the merchant's bottom line, raising prices to all of us.

      I had a computer store for 8 years, I learned a lot about credit card companies the hard way. People who just don't want to pay for services can just call and complain to the CC company and voila! - No more charge and I'm out a hundred bucks. I even had a group of scammers calling one fall with stolen CC #'s and purchasing laptops to ship out of state (we are near a military base and the stories they used made sense at the time). I got hit with over $20,000 worth of fraudulent purchases over a couple of months before we got the first inquiry from the CC companies about them and figured out what was going on.

      At that point, I quit taking phone orders. Required ID for every purchase from someone I didn't know. Imprinted every card, every time, even though we were doing electronic approvals.

      The credit card companies get you coming & going. As a merchant, I had to pay 4% off the top when I did paper filing only. When I went electronic, the rate went to 2.1%. Add that to the interest & fees the consumer pays on any balances they carry. Add the merchant taking the risk for fraudulent purchases.

      Where exactly do the CC companies take losses?

    2. Re:Liability by Anonymous Coward · · Score: 0

      OK, point taken, they screw the retailers as well as the consumers (I think that about describes most financial institutions).

      The discussion here is that we should worry about the security of small retailers. The point you make is that if you cut corners on security, you lose money to CC fraud. Logically the end of that chain is that you go out of business.

      I'm still pressed to see why I should worry about either of these since there's still no liability for me here.

    3. Re:Liability by paralaxcreations · · Score: 1

      If the overall amount of online fraud goes up and makes headlines, people shop online less, because while you may not be liable, try telling that to the bank when you want to take out a loan for a house and get denied (read: while you're not liable, the charges still mess up your credit and credit score). Businesses invest more in security to get them back. To make up for this cost, they raise prices. Cost to consumer goes up.

      The two reasons listed above are why you should worry about it.

  12. Duh! by Billosaur · · Score: 1

    Of course they're going after the small fry; small business owners often have only a rudimentary IT capacity, if any at all, more often relying on an outside firm to handle these things. A Fortune 500 company has all sorts of resources to prevent this kind of thing (which begs the question why so many of them still have problems with it), while a small business owner doesn't, and by the time they find out it's a problem, it's so pervasive that it gets expensive to fix.

    --
    GetOuttaMySpace - The Anti-Social Network
    1. Re:Duh! by TT075625 · · Score: 1

      yerps true...they can't afford to fix those gaping loopholes in their security features. If they spent all that money on fixing it, then they'd lose their edge as being the cheaper alternative compared to the big companies they'd been trying to compete with, as the price would have to be increased to cover the rising costs. Basically that's how business works...hey, most of us are aware that the security features of these small businesses aren't up to par, but coz the things they sell are so damn cheap, we don't think of the risks...

  13. Virtual credit card... by fahrbot-bot · · Score: 2, Informative
    The best advice that I think that I could give anyone for buying anything online ... would be to use a credit card...

    Better yet, some credit cards offer the ability to create virtual cards for specific amounts and defined time periods. The "cards" validate just like the real thing and are linked to your real card, but are only valid for a defined period, amount, or number of transactions.

    --
    It must have been something you assimilated. . . .
    1. Re:Virtual credit card... by Amouth · · Score: 1

      I wish more places did this.. It is a great thing.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    2. Re:Virtual credit card... by mjs077336 · · Score: 1

      The best advice that I think that I could give anyone for buying anything online ... would be to use a credit card...

      I agree with that phrase. It has a good point about credit cards: an account based on a credit card never has a link with any cash account for any user. It's like a dummy, where the account doesn't actually have any cash in it. The usage of the credit card depends on the specific amount, so the user doesn't have to worry, because if the usage gets near the limit of the specific amount, the bankers will ask about that. And if the user doesn't realize their credit has been used by other people, they will know that immediately.

  14. Not only Buying places.. by in2mind · · Score: 1
    Lesson: Don't buy online from the cheapest retailers. Guess where they are cutting costs to be the cheapest?"

    Add: "Don't donate just about anywhere & everywhere" also.

  15. Why is The Washington Post surprised at this? by Ynsats · · Score: 3, Insightful

    This just flat out makes sense. If I am looking to acquire credit card information for identity theft or fraudulent purposes, I want to get it as easily and un-noticed as possible. Big companies like Amazon.com and the like invest large amounts of money into security and fraud prevention. They have trained staff whose only purpose is to stop the baddies. Small companies aspiring to be an Amazon.com don't have the capital to invest and therefore rely on 3rd party vendors like Yahoo! Shopping to handle their credit card management. If they don't then they are an easy target. As my management likes to say, they are "low hanging fruit" and "easy pickings".

    So if I want to steal information, I'm going to go where it is easy to get. It's amazing that it took a study and investigative reporting to "uncover" this whole "conspiracy". Then again, it can apply to brick and mortar stores too where small business can make a dirty habit of tossing credit card signature slips in the trash where an unscrupulous person can make use of them. That's not to say a big chain store wouldn't do that but they might be less likely to do so. Maybe The Washington Post should investigate that one too?

  16. Nonsense by Plutonite · · Score: 1

    Most retailers offer great prices because they are big not the other way round. Have you ever heard of newegg? Economies of scale.

    The word "cheap" may mean small startup businesses, however, and if you are supplying your credit card info directly to Uncle Joe's Hardware and Pottery, then you deserve to get phished.

    1. Re:Nonsense by bcmbyte · · Score: 1

      Nobody deserves to get Phished, not now, not ever, no matter how stupid they might be (especially since I find myself in the stupid category way too often). That's like saying, "You left your car parked on the road, you deserve to have it stolen."

    2. Re:Nonsense by Plutonite · · Score: 1

      Well actually, if you left your car parked overnight on the road with the doors open and the keys in the ignition, then you deserve to get robbed very much in my humble opinion. Just send me your address and I'll do the honors. I mean, the POLICE aren't there to protect that kind of people. We have rapists on the street..muggers and drug cartels and money launderers..

      The world doesn't have time for this kind of stupidity. You're wasting our resources, man. Think of the children.

  17. That is why you use virtual credit card numbers by RootWind · · Score: 2, Interesting

    The virtual credit number feature is a godsend for online shopping. I use the one from Citibank. The virtual card number has a one month expiration date, and is tied to a single merchant (and can have a set spending limit). You can even close the number early if you have to. This is also especially helpful for doing "free trials" since you can close the virtual account after using it so they will never be able to "mistakenly" charge you later. Discover and MBNA also have similar features. I believe Discover actually lets you have a virtual account that lasts longer than a month.

    1. Re:That is why you use virtual credit card numbers by Dachannien · · Score: 1

      Agreed. I even use VANs with retailers I trust. The only ones I regularly use my regular CC number for are Newegg and Amazon, purely for historical reasons (I gave them my number before VANs were available).

      In fact, the only rule even more important than this one (in my book, anyway) is to never use a debit card.

    2. Re:That is why you use virtual credit card numbers by s31523 · · Score: 1

      I agree. vCC are great, and I use them as well, BUT, if the thieves have your card number they might have your other personal information as well, even your password for that site. With this information they could potentially do more damage than run up a credit card balance, like get their own credit card in YOUR name, or hack into other accounts (like your bank!) using the personal information they gathered. vCC are a step but it can also present a false sense of security.

  18. The services suck... I was recruited by scanalert. by sethawoolley · · Score: 2, Interesting

    As I wrote about in my blog about being recruited by one:

    http://swoolley.org/blog.cgi/scanalert

    They can't even keep their own site secure.

  19. I think the difference is deeper than that by blueZ3 · · Score: 2, Interesting

    It's not just that brick-and-mortar stores have had longer to learn about security (though that's true)--it's that there's a whole different level of audacity (for want of a better word) involved in standing in line, paying for an item, and then brazening it out when the cashier asks to see ID.

    Sitting in your parents' basement hacking databases there are layers of obscurity between you and the "scene" of the crime. For a careful hacker, there can be enough layers of indirection that getting caught borders on the impossible. In order to be apprehended, a long chain of events must occur: the retailer has to figure out they've been hacked, you have to make a mistake that leaves tracks for the authorities to trace, and someone in law enforcement has to have the skills, time, and drive to track you down. On top of that, once arrested, the jury must be able to be convinced that those obscure technical details do indeed mean that you were the one who did the deed.

    The perceived danger of remotely hacking a system (and the cost-to-benefit ratio) is lower than standing at the cash register, with the possibility that a security guard, or even a plainclothes police officer, might be nearby. I think this is much like that lack of civility that we see in online forums; people will write things on Slashdot that they would never dream of saying in the presence of coworkers (I'm thinking here primarily of sexist and racist comments, but some of the more extreme personal insults might fall into this category too).

    It's not so much experience that makes the difference. It's the criminal's ability to assess risk.

    --
    Interested in a Flash-based MAME front end? Visit mame.danzbb.com
  20. secure? must be joking.. by pk073898 · · Score: 1

    Does this mean that there's no guarantee at all when we are doing business online? What are HackerGuardian (with HackerSafe logo) and Scan Alert there for? And the funny part is, the cases aren't being reported? "..only about two percent of all data thefts from online merchants get reported.." Now I see why these data breaches still can't be prevented. Furthermore, there still exists a bunch of people who use the vendor-supplied default password for their activity. This is no different than just giving permission to breach their data..

  21. One Time Credit Card Numbers :-) by licamell · · Score: 1

    This is why I ALWAYS use one time credit card numbers for all transactions (online, and many times even when I call in something). A lot of credit card companies offer this service for free. Mine does (MBNA - just recently merged with BankofAmerica). When I want to buy something, I log into my account, click on "ShopSafe", set the number of months the number should be valid (I leave it at 2) and the limit; normally I put 5 bucks over what the cost should be. It then gives you a credit card number that is tied to the first merchant that uses it. Once the merchant tries to use it, no one else can... and it can never be used for more than the limit you set.

    One might think that there would be complications with refunds, but they handle it all perfectly behind the scenes. I have received refunds for numbers that have expired.

    Seriously, if you're not using this service you are a fool.
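
The rules posters describe in this thread for virtual card numbers (tied to the first merchant that uses the number, a spending cap, an expiry date, early close, refunds still arriving on expired numbers) can be modelled in a few lines. This is an added example, not part of any post here and not any issuer's actual implementation; the class, reason codes, merchant names and dates are hypothetical.

```python
"""Toy model of issuer-side checks for a virtual card number (constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class VirtualCard:
    limit_cents: int                 # cap chosen by the cardholder
    expires: date                    # last day the number accepts charges
    merchant: Optional[str] = None   # bound by the first approved charge
    spent_cents: int = 0
    refunded_cents: int = 0
    closed: bool = False

    def authorize(self, merchant: str, cents: int, today: date) -> str:
        """Return 'APPROVED' or a decline reason for one charge attempt."""
        if cents <= 0:
            return "DECLINED_BAD_AMOUNT"
        if self.closed:
            return "DECLINED_CLOSED"
        if today > self.expires:
            return "DECLINED_EXPIRED"
        if self.merchant is not None and merchant != self.merchant:
            # A number copied from one shop's database is useless elsewhere.
            return "DECLINED_MERCHANT_MISMATCH"
        if self.spent_cents + cents > self.limit_cents:
            # The cap is cumulative, so repeat charges cannot exceed it either.
            return "DECLINED_OVER_LIMIT"
        self.merchant = merchant     # only an approved charge binds the number
        self.spent_cents += cents
        return "APPROVED"

    def refund(self, merchant: str, cents: int) -> str:
        """Refunds are accepted even after expiry or close (assumption based on
        the refund behaviour described above), but only from the bound merchant
        and never for more than was charged."""
        if self.merchant is None or merchant != self.merchant:
            return "DECLINED_MERCHANT_MISMATCH"
        if cents <= 0 or self.refunded_cents + cents > self.spent_cents:
            return "DECLINED_BAD_AMOUNT"
        self.refunded_cents += cents
        return "REFUNDED"

    def close(self) -> None:
        """Cardholder closes the number early, e.g. after a free trial."""
        self.closed = True


def replay_after_breach() -> List[str]:
    """Constructed scenario: a number used at one shop is later stolen from
    that shop's database and replayed."""
    card = VirtualCard(limit_cents=4500, expires=date(2006, 11, 30))
    return [
        card.authorize("small-shop.example", 3999, date(2006, 10, 2)),   # the real order
        card.authorize("other-store.example", 2500, date(2006, 10, 9)),  # stolen number, other merchant
        card.authorize("small-shop.example", 3999, date(2006, 10, 9)),   # same merchant, over the cap
        card.authorize("small-shop.example", 300, date(2006, 12, 5)),    # after expiry
        card.refund("small-shop.example", 3999),                         # refund on the expired number
    ]


if __name__ == "__main__":
    for outcome in replay_after_breach():
        print(outcome)
```

The model covers only the card number itself; it says nothing about names, addresses or passwords taken in the same breach.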

  22. Merchants who store CC data are playing with fire. by FacePlant · · Score: 1, Informative

    There is no reason I can think of for a merchant to store CC data in their e-commerce application's database. All they need is to go to their CC gateway's console, and they can deal with all of their transactions.

    Need to reprocess the card due to a glitch? Pick up the phone, your customers will appreciate the personal touch.

    Storing card numbers is like stockpiling nukes. A bad accident waiting to happen.

    No thanks.
    I have enough worries having to maintain a password file for customers who want to have "accounts".

    --
    My Heart Is A Flower
  23. Thieves everywhere...!!! by aida_balqis · · Score: 1

    that is our real world now..thieves are everywhere.. looking for us..stealing for us..even everything we can get just using our nails, but we must remember and make sure and also try to avoid that from happening.. never easily trust everything that we found.. safety and security must be the one BIG thing in our mind... vulnerability of the application has been doubt...!!! be smart users...

  24. Small business is clueless by Anonymous Coward · · Score: 0

    I work in the payments industry, and I can say without hesitation that the majority of small businesses really don't care about security. They just want everything to be easy for them and the customer. Until there are some real penalties for not being secure, this won't change. Hopefully merchant banks will start terminating merchants that get hacked and cannot show they were compliant with the PCI security standard. Then again, the merchant banks don't do anything to encourage security either, it's pretty much left up to the payment gateways and shopping cart vendors. I had a potential client last week that had a merchant account rep tell him it was ok to send credit card information via email..

  25. pay more, get more.. by pk073898 · · Score: 1

    Rather than blaming the website, we should be laying the responsibility at the feet of the outsourcing services and data security will not be a deciding feature of the service contract. And yeah, we get what we pay for..the cheaper price with risk for data breach.. I wonder if the FTC (Federal Trade Commission) sues these small companies for having inadequate data security practices in violation of federal law..

  26. oh dear pharmers! by TT074283 · · Score: 1


    "Most of these merchants that get hacked do not have updated versions of the software that runs their business, they're just trying to sell widgets," said Dan Clements, co-founder of CardCops.com.
    Graham Paul and Co, for chartered accounts has announced that businesses should forward any enquiries to their appointed tax agent.
    Businesses should be made aware that they have no obligation to enter into discussion or correspondence with the Revenue as this is not a formal tax investigation. The Revenue have been put on notice that they may be in breach of agency law if they try to get information in this manner direct from taxpayers who have recognised tax agents.
    Their strong recommendation is that they do not give the Revenue any information and that all enquiries should be handled by their accountant. Those companies without accountants or tax agents are advised to consider appointing one as the investigation culture continues.
    This issue is very similarly being called pharming. Pharming is a scamming practice in which malicious code is installed on a personal computer or server, misdirecting users to fraudulent Web sites without their knowledge or consent. Pharming has been called "phishing" without a lure.

  27. "Security" cuts?!! by An+anonymous+Frank · · Score: 1

    I can't seem to digest the picture that is (I think) offered here:

    Small firms cut corners on security to save money!

    It is human nature to take "calculated risks" to save money, which often turn out to be big mistakes, at least in terms of "cutting" back on security. I am personally much more concerned with human nature's tendency not to look further than its own proverbial nose and thus have an overconfidence of their existing security or of the honesty of their potential client base.

    Meaning that most of these small firms might be likely not to realise that they don't have adequate security measures in place, rather than that they would have knowingly reduced their vigilance.

  28. sniffing.. by aida_balqis · · Score: 1

    that the reality... cheapest retailers..because they cut cost on something else.. beware..they get what they want..and we are the one who lost something.. crackers are sniffing and waiting for it..

  29. Re:I think the difference is deeper than that by Chacham · · Score: 1

    Thanx for the reply. I appreciate the counterpoints.

    But, I must disagree.

    the retailer has to figure out they've been hacked

    The brick and mortar retailer also has to figure out they were broken into.

    Breaking in to an office, copying sensitive data (even off a local computer) is not always easily detectable.

    Don't compare stealing information with stealing objects.

    you have to make a mistake that leaves tracks for the authorities to trace

    This item is slightly misleading. You mean that the cracker has attempted to clean up the evidence, and has made a mistake. IOW, he *didn't* clean up. ("make a mistake" makes it sound like the mistake requires an action. In this case, it requires inaction.)

    This is quite the same in the real world. Whether it is fingerprints, security cameras, passers-by, codes, whatever, they are little different than log files and its ilk.

    and someone in law enforcement has to have the skills, time, and drive to track you down.

    This is *very* much like the real world. Except, that IRL, the cops are already quite aware of things. When today's hackers (and possibly crackers) become tomorrow's cops, the difference between tracking online and offline crimes will fade. All because of increased familiarity.

    On top of that, once arrested, the jury must be able to be convinced that those obscure technical details do indeed mean that you were the one who did the deed.

    Same. Familiarity will increase with time.

    The perceived danger of remotely hacking a system (and the cost-to-benefit ratio) is lower than standing at the cash register, with the possibility that a security guard, or even a plainclothes police officer, might be nearby.

    I actually disagree with you here. Crackers, like regular thieves, assume they can get away with it. So there is no difference. Non-crackers, can rely on their senses to see if a shop can be robbed (like running a fresh red-light, or speeding), whereas the lack of technical knowledge online will likely scare a person that they will definitely be caught.

    I think this is much like that lack of civility that we see in online forums; people will write things on Slashdot that they would never dream of saying in the presence of coworkers (I'm thinking here primarily of sexist and racist comments, but some of the more extreme personal insults might fall into this category too).

    That is quite different. It's just a different projection of ourselves. Being online handles can be scrapped easily, people (feel they) have less to lose, and are less careful. For comparison, think of a person who IRL moves around *a lot*, or someone online who has worked hard to gain handle recognition.

    It's not so much experience that makes the difference. It's the criminal's ability to assess risk.

    The criminal's *assumed* ability to assess risk. And that very much comes with experience.

  30. Trying to shift the responsibility by nasor · · Score: 1

    I really, really hate it when people refer to it as "identity theft," as if something has somehow been stolen from the person who was impersonated. They should simply call it what it really is - credit card fraud. Instead of making any sort of rudimentary effort to verify that the people they hand thousands of dollars over to are actually who they claim to be, credit companies shift the burden onto everyone else by insisting that we should treat our personal information like secret nuclear launch codes. Why should I have to worry about keeping my social security number or other personal information secret? If the credit card companies are stupid enough to issue a huge line of credit to someone simply because they know my social security number, well, their idiotic business model really shouldn't be my problem. I would love to see a law mandating something like an automatic $500 penalty for the credit card companies any time they put a false black mark on a consumer's credit report; maybe that would help shift the burden back onto the companies who are allowing themselves to be so easily defrauded, rather than "identity theft victims" who don't really have anything to do with the situation.

  31. asp pages by Anonymous Coward · · Score: 0

    each site listed hosts asp pages ... though their server software according to netcraft are unknown and freebsd ...
    those hacker safe symbols are silly, they're a business, but nothing to put stock in.

    is any of this relevant?

  32. hey.. by tt074266 · · Score: 1

    hurm....do these online merchants use PayPal instead?? or have they never heard of such names..:p

  33. IT Arrogance by krbvroc1 · · Score: 1

    FTA, 'Wonderfulbuys.com customer service manager Frank Joseph initially said the site was "unhackable" after being contacted by a washingtonpost.com reporter.'.

    Here is a reporter contacting you with evidence that data from your website is being trafficked on forums associated with identity theft/credit card trading and your first instinct is to say it's impossible. With that attitude no wonder that website didn't have good controls in place.

    However, a subsequent manual review by ScanAlert determined that hackers broke into Wonderfulbuys's database through a previously undocumented security hole in the site's shopping cart software, which the company had custom-made by a third-party software development firm based in India.

  34. Re:Merchants who store CC data are playing with fir by dmadzak · · Score: 1

    I wouldn't appreciate this at all. I'd wonder what kind of retailer this was that couldn't get my order right the first time and wouldn't give them my information because I would have no way to verify the retailer is calling. I would consider their call a phishing scheme.

    --
    Spelling and grammar mistakes specifically left in to give the grammar and spelling nazis a meaning to their life.
  35. Small business, less security.. by tokapi4223 · · Score: 1

    Why smaller businesses? Smaller businesses usually have less security when it comes to online business. They cannot afford to have full-scale security features. So, for the thieves, instead of trying to catch those bigger fish in such a big, hard cage, let's just take the smaller fish that are freely available outside the cage, and in such a big amount..

    1. Re:Small business, less security.. by sii074306 · · Score: 1

      Not really what you have just said. Not only are small businesses vulnerable, but many systems, including the huge ones, could be vulnerable to anyone who is interested in that system. Maybe the ID thieves just want to test their knowledge on small businesses first before they move on to other businesses. Maybe they do it just for fun. So the percentage of attacks on small businesses is higher than on big businesses.

    2. Re:Small business, less security.. by yukon72008 · · Score: 1

      I don't think that's necessarily true.

      Security (btw, someone should really define the term "secure" here, since I don't think any company can offer full security to their clients) in online businesses isn't always measured by the size of the corporation. Big or small, the 'security experts' in said companies must be smart enough to ensure that their system behaves predictably in accordance with their defined purpose (and does nothing else, of course) under any condition at all times. Any companies successfully implementing that are the ones to become "trusted" companies offering "trusted" services to their clients.

      And that's no easy task considering the fact that security will forever be an on-going issue and until I'm old and wrinkled we'll still be hearing of vulnerabilities and whatnot.

  36. MOD PARENT UP by alizard · · Score: 1

    This pushes responsibility where it belongs. Whether this means credit card companies tighten up their procedures or makes the retailers do it should be their problem, not ours.

    Of course, we have to persuade the Federal legislators they pwn to see it this way and write this into law.

  37. lesson 2 by Mr.BoBo-TT074226 · · Score: 1

    Before ordering from the cheapest retailers, do some research first. Also... choose web sites that are more commonly used, such as e-bay. Another lesson is... go buy the product physically, you lazy bump!!! Get some exercise!!

  38. ID thieves are going corporate by TT074317 · · Score: 1

    ID thieves are going corporate. Assuming the identity of consumers to obtain loans and credit cards under assumed names has become the US's fastest growing crime. Now fraudsters are applying similar tricks against potential enterprise victims. How come all these things happen??

  39. SAFEty first.. by TT074289 · · Score: 1

    hm.. this makes me wonder.. how can the buyer know exactly which retailer to trust? Should they trust a certain retailer because of the price, or because of something else.. If I were to buy goods online, I'd like the goods to be cheap (who doesn't?), credit card transferring must be convenient, goods must be delivered on time, and most importantly, I get what I paid for.. The thing is, how can I be sure that this is safe? How do they work (paying online)? Is there any guarantee for all of these? The retailers can promise and guarantee us safe payment online.. but then again, how safe is safe?

  40. Knowledge in IT by TT074231 · · Score: 1

    Today we find ourselves dependent on cellphones, computers and electronic diaries and we wonder how we managed without them. The more dependency and the utility of them in day to day work have given birth to the darker side of internet age. Network crimes are the most unpredictable calamity on the cyber world. Unauthorized access, hacking, spreading of viruses, smashing computer networks on very large scale, the brutal weapons like e-mail bombing, logic bombs resulting in the disrupt behavior of computer networks are very few incidences of recent days. This crime is high-tech and needs trained and equipped personnel to man investigatory and prosecuting agencies for effective prevention and control of computer related crime. Due to this we can't avoid using internet or online transaction, we must have some knowledge about data security. So update yourself with information. Maybe we can't stop it but chances to avoid is possible.

  41. Personal experience! by sivablade · · Score: 1

    A couple of years ago, my personal credit card account number was compromised. Did this stop me from continuing online transactions? No way. In my case, while an unauthorized party gained my account details, no transactions were made. The bank's fraud department were understandably hesitant in releasing details of the compromise, but they were very quick in taking action. I'm not even sure that the offending party was an online merchant, hacker or traditional retailer.

    The media in general have fed the paranoia levels of the online consumer community regarding online transactions. Yes, credit card numbers are stolen and yes, there are victims who suffer financial loss. But submitting your credit card details online is no different to handing your card to a shop assistant that you don't know or a waiter you have never met before. There is very little stopping merchants we carry out transactions with on a face to face basis from gathering detailed lists of account numbers to be sold off on the black market. In fact, according to the 2005 Identity Fraud Survey Report, under 12 percent of ID fraud incidents originate online.

    The media have also fed the xenophobic cold war attitudes of years gone by by focusing on certain countries. Credit card number hackers are "Russian", true. They are also American, Australian and English. Every country in the world has a community of identity thieves, scammers and spammers.

    If you own a credit card and don't carry out online transactions, it doesn't mean you are safe. We need to remember that most of the world's information systems are now connected somehow to the Internet. All your vital details are now available online; regardless of whether or not you are a Internet user. If you have ever collected a welfare payment, taken out an insurance policy or registered a vehicle - congratulations! You are now part of the World Wide Web, like it or not. You can now emerge from your privacy fortress as resistance is futile.

    That's the reality of our modern lives. So, now after having blown away your misconceptions of your privacy, and your false security of being safe from identity theft, let's deal with reality! Identity theft and credit card fraud is not uncommon, such is the nature of an online world. How do we as netizens and webmasters protect ourselves and our clients as best as possible? It boils down to a number of simple guidelines.

  42. The way it is? by sivablade · · Score: 1

    The Internet makes this type of crime even more efficient. With "phishing" scams, criminals send out bogus e-mails telling recipients that they need to confirm certain account details to reactivate their accounts or claim prizes. The messages appear to come from a reputable business and often include logos and text lifted from company e-mails and websites. But the links actually go to phony but convincing websites set up solely to gather information, whether it's ISP passwords or Social Security numbers.

  43. Phishing! by sivablade · · Score: 1

    At first glance, it seems you can't do a lot if your company is targeted by a phishing scam, in which a phisher spoofs your company's identity in an effort to gather personal information about your customers. (See "Gone Phishing," right.) "It's pretty difficult" to deal with, admits the Anti-Phishing Working Group's Jevans. "You can say, we will never send you e-mail, or do not click on a URL in e-mail, but that makes it difficult to do any kind of e-commerce." What's more, when a bogus website is reported to law enforcement, Jevans says, it takes an average of 160 hours to get it shut down if it is hosted outside the United States--which applies to 40 percent of phishing sites. And by then the damage is done. In this case, a little education can go a long way. Start by letting customers know that your company won't ever ask them by e-mail to divulge personal information, says Howard Schmidt, former vice chairman of President Bush's Critical Infrastructure Protection Board and CISO of eBay. Common targets such as Amazon, AOL and eBay have set up phishing tutorials on their websites to educate their customers about the scams. At the same time, make sure employees who correspond with customers don't ask for this kind of information. You'll also need a mechanism for consumers to report the spoofed e-mails to you, and for your company to report the scams to law enforcement. Then, Schmidt says, "it becomes a policy issue."

  44. Practice good data hygiene. by sivablade · · Score: 1

    Got employees? Then you have information that could be used for identity theft, and nothing will help as much as just being good at your job in the first place. We're talking data hygiene 101: firewalls, background checks and security policies. "The reason that a CSO should be concerned over identity theft is because it fits in with so many other elements of a good security program," says Richard Lefler, the former vice president of worldwide security for American Express. For instance, he says, background checks might help keep criminals from infiltrating your human resources department, where they could access employee records. Shredding policies could keep Dumpster divers from getting their mitts on sensitive customer data. And audit trails would help you determine the source of a possible problem if law enforcement spotted a trend that traced back to your company. Sound paranoid? Perhaps. However, notes Lefler, although "criminal enterprises generally are small and loosely knit, they can be very large and very sophisticated. "Other forms of white-collar crimes have become more difficult, so many of the criminals have migrated into doing identity takeover because they can increase their returns." In other words: Don't underestimate your enemy.

  45. what can we do! by sivablade · · Score: 1

    Always ask "What harm could it do?" Being constantly aware of where your ID is and what information, in the wrong hands, could hurt you is your best defense against social engineering. Shred all of your mail no matter how innocuous it may look to you. Be ever-vigilant for where your SS# is in print (you'll be amazed how public it is). I advise cutting up those credit cards that are "key chain-sized" that banks send automatically now, as we all lose our cards. Keep your eyes open for your own ID, listen to your gut and don't ever be afraid to double check when in doubt. Do you think that searchable websites that display 'public records' (like unlisted phone numbers, actual addresses) should be illegal? Don't these types of 'public data' servers help out committers of identity theft? BEWARE, search engines/portals are listing your private data (it is definitely unethical to post people's addresses and other personal data); people can obtain this data to assist them with IDENTITY THEFT (stolen identities). People do not know that if you even simply register to vote or request to join the army/military in the USA, your name/address/telephone are made public information (a multi billion dollar industry selling our private info) without you having to sign a consent form or without asking permission! Even when you buy an internet domain name (lease actually, no single person actually owns a domain name, even Bill Gates does not own Microsoft.com), your address, name and telephone number are added to public records, so that anyone with an internet connection can retrieve this data to harass you or even SPAM you (don't forget that deranged cyberstalkers can find you now)!

  46. My story! by sivablade · · Score: 1

    Yes, identity theft. And I'm not talking about this petty nonsense either. I'm talking big time, purchases made in my name with my debit card number--which is tied directly to my checking account. Shady purchases like a telephone forwarding service. This thief wasn't planning on having the best prom ever. I was balancing my checkbook last night and came across two charges from within the last two weeks that, after a little head scratching, I determined I did not make. Neither was especially significant in dollar amount but I lost almost an entire business day to cleaning up the mess and talking to authorities. The card was cancelled and another issued, fraud alerts were placed on my credit reports with the Big Three (Experian, TransUnion and Equifax), and a police report was filed. I can't imagine how someone acquired my card number. Being a web designer/developer I'm savvy enough to sniff out a phishing hole and I keep all of my receipts. Thankfully, I don't think my Social Security number is out there but we'll see what my credit reports turn up. I did receive some small consolation--actually, I'm stoked!--when I found out that ShaunInman.com was today's pick over at Web Standards Awards. The site is in excellent company (The League needs to stick together, right?) so it will be interesting to see which one walks away with the first Site of the Month. Fingers are crossed that it's me--and not just somebody claiming to be me.

  47. What are the impacts of identity theft and fraud? by sivablade · · Score: 1

    The shape of identity crime means that impacts encompass:

    - the deeply personal (parents of dead children discovering that someone has appropriated their child's identity)
    - erosion of someone's good name (use of an email address for spam) without direct economic impact
    - evasion of behavioural restrictions (using a doctored ID card to enter a nightclub while underage)
    - illegal receipt of welfare benefits
    - scams against consumers and businesses (eg a forged cheque or stolen credit card) that result in direct financial loss
    - erosion of someone's profile, with theft of identity resulting in an individual losing a good credit rating or even employment opportunities
    - evasion of surveillance and law enforcement (eg fake identities for terrorists and other criminals)
    - exploitation of 'credentialism' for economic or other benefit.

  48. identity fraud by sivablade · · Score: 1

    Identity Fraud, an associated offence, has attracted less media attention. It can take two forms. Most commonly, it involves an individual 'massaging' data: adding a degree or two, deleting a conviction or a divorce, adding a few years of age (popular among teenagers facing age-based access restrictions) or taking a few years off once the individual reaches a certain age. As such it is popular among all classes, from high school kids enhancing ID passes to get into nightclubs through to company directors and members of parliament buffing their profiles. More rarely, some individuals have created a new identity altogether - one that is sometimes used to live an otherwise law-abiding existence rather than as the basis for theft. Self reinvention is arguably a central theme of US culture, where - like people in the rest of the world - many have dreamed of shucking off an inconvenient past and starting afresh, often with the aid of a glossier resume and fewer wrinkles. As discussed later in this profile, statistics about theft/fraud are problematical. In 1985 the US Congress for example noted indications that up to 500,000 false tertiary degrees are in 'use' in the USA (eg were cited for employment purposes), that 10,000 false medical degrees are in use and that 30% of employees were hired with 'massaged' credentials.

  49. Re:Mechants who store CC data are playing with fir by FacePlant · · Score: 1

    Right. Because nothing ever goes wrong on the internet.

    So the merchant calls you to tell you that something went squirrely,
    and even though they know you purchased a pallet of adult diapers,
    an "I'm with stupid ^" t-shirt and three year subscription to
    "Soldier of Fortune" magazine, and know the exact time you did your
    transaction, and ask you whether you want them to run the tx for you,
    or if you want to redo your order, you're going to decide it's phishing?

    It's called customer service. You're just not used to it. Much like
    hearing somebody in Westchester say "please" and "thank you".

    --
    My Heart Is A Flower