Slashdot Mirror


No-Fail Identity Theft – Live and In Person

ancientribe writes "A researcher performing social-engineering exploits on behalf of several US banks and other firms in the past year has 'stolen' thousands of identities with a 100 percent success rate. He and his team have posed as investigators for the FDIC (among other things), and numerous times have literally been able to walk out the door with pilfered identities. The reason: organizations are typically so focused on online ID theft that they've forgotten how easy it is for a criminal to socially engineer his way into a bank branch or office and physically hack it."

15 of 214 comments

  1. How to "steal" an identity. by apathy+maybe · · Score: 4, Informative

    Step one, find a birth certificate for a person of the same gender as you, and around the same age.

    Register at your local university and obtain a student card in the name of the person on the birth certificate, withdraw before you have to pay anything (this step may vary with your university, I know it is possible at the Uni that I attended).

    Obtain utility bills in the name of the person on the birth certificate.

    There you go, 100 points of ID!

    Use to obtain other forms of ID etc. (If you're in the USA finding the social security number would probably be useful too.)

    If the person isn't dead (to create a "new" id, make sure that the birth certificate is for a person who died quite young), then you can have a field day getting access to whatever.

    Enjoy.

    --
    I wank in the shower.
  2. How to dupe the public... by Anonymous Coward · · Score: 2, Informative

    I think this story is a fake. The FDIC does not audit or insure credit unions, the NCUA does. So either the author of the article got the initials wrong or the whole story is social engineering.

    1. Re:How to dupe the public... by dankrabach · · Score: 2, Informative

      The point is that under our divided, duplicative, wasteful banking "regulatory" system, the FDIC does not even insure or regulate credit unions... that is done by the NCUA. That would make the report to whoever ordered the security check even more embarrassing. Their own employees didn't know that 1) FDIC has no visitorial powers, and 2) didn't know or don't have a procedure to have all regulatory inquiries go through a specific person/department. Pathetic.

  3. Re:Wholesale versus Retail by Kingston · · Score: 4, Informative

    Yes, unless the "in-person" thief can pocket a couple of CDs with the personal details of almost all the families in the UK on it.

  4. Re:Lifelock Ad by Actually,+I+do+RTFA · · Score: 2, Informative

    Didn't the CEO just fall victim to identity theft?

    There has been one confirmed case of a $500 loan via ID-theft of their CEO. There are 25 other disputed cases. According to the company, as of last month 105 of Lifelock's customers have been victims of identity theft. Which is 0.01% of their customers.

    --
    Your ad here. Ask me how!
  5. Re: Here We Go Again... by Shados · · Score: 2, Informative

    Banks make money from it? Could have fooled me. Last time I got my cards stolen, the bank reimbursed EVERY LAST TIME I lost because of it. They took the entire blame and responsibility, I lost -nothing-....

  6. Re:A Wise Man by clone53421 · · Score: 2, Informative

    Duck tape is the brand name, duct tape is the product. I realize that, and I didn't really feel like clarifying in my original post.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  7. Re: Here We Go Again... by Wildclaw · · Score: 3, Informative

    Banks make money by borrowing your money (at a low interest rate) and loaning it out to someone else (at a higher interest rate). I

    Not quite true. That is the school level illusion that most people live under. The current money system in most countries today is far more insidious than that, allowing banks to lawfully lend out money (debt) created from nothing. Yes, they need some money deposited, but it is far less than what is lent out.

    You should really see the documentary "Money as debt" (just search on youtube). While it may be slightly preachy and biased at some moments, a large part of it is a good description of how the money system really works.

    Still, your basic assumption and discussion point regarding them wanting your money is correct, because the banks do need it to be able to lend out these even larger amounts of money. Actually, it is even more important for them to get your money as they can lend out a multiple of it.

  8. Correction by mpapet · · Score: 2, Informative

    made purchases using debits

    And the merchant is on the hook for those transactions. They paid penalties for taking the bad card, plus the balance, plus the lost merchandise.

    Debit/credit is pretty much the same from the average retailer's perspective, just another cost of doing business.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  9. Re:Social Engineering ftw by lena_10326 · · Score: 2, Informative

    I'm speaking from experience. I was lucky enough to find out about it early when the unrequested credit card was "accidentally" sent to me instead of to the ID thieves. So I got an "easier" time than I could have had. I still have to look over my credit report constantly, though, as my information is out there now.

    If you're in the USA, you can now apply for a credit freeze. It will be annoying, but if you're not planning on opening new accounts for a while it would help you sleep better.

    Not available in all states, but available in most.

    http://clarkhoward.com/topics/credit_freeze_states.html

    --
    Camping on quad since 1996.
  10. No, not airtight by BenEnglishAtHome · · Score: 2, Informative

    No, definitely not airtight. I was only responding to the notion that you can bluff your way in, plop down in a conference room, hook up to the network, and do bad things. That's the scenario the GP was discussing and it can't happen here, or, if it can happen, it's unlikely to give anyone any better information than how poor is the quality of the carpet and furniture in our conference rooms.

    You bring up good points. Let me take a stab at them.

    ...everyone seems fixated on those ID badges. Precisely what is the security on those? RFID, or is it a magnetic strip?

    The security on them is the picture that has to match the face. We're transitioning to HSPD12 (RFID smart cards for ID and access) as quickly as we can. The point isn't that the ID badges are of much use in a technical sense. The point is that you must have one of ours. A badge from anyone outside isn't good enough. If you have an accurate-looking fake badge, you can defeat much of our first line of security.

    You can't, however, get through any doors with your fake badge. We use separate access-control cards.

    ...are the PCs at the IRS running windows? Would a simple trick like the "drop a few USB dongles in the employee smoking area" work?

    Yes to the first question, no to the second. If someone finds a USB stick, they're going to treat it like radioactive anthrax. A lost USB stick means that someone has lost a device that may contain taxpayer (sensitive but unclassified) data. If you possess SBU data you're not supposed to have, you get in big trouble. Nobody wants that. Also, it is almost universally true (though this was definitely not the case not so long ago) that no one will plug into an IRS computer anything that wasn't issued to them by the IRS.

    If, OTOH, you're talking about putting malware of some sort on those USB sticks and hoping someone plugs just one of them in, you have a point. However, we run constant scans on the network looking for unapproved software. The last time a contractor in my building plugged in a personally-owned USB stick with various non-IRS-issued applications, his account was locked off the LAN within 5 minutes. Within 10 minutes, Security had concluded a stern talk with his supervisor. He was a good guy, just new to the place and not yet "in the groove" when it comes to security. He took his suspension and a couple of weeks later got back to work with a bit more appreciation for the fact that we mean it when we tell people not to plug anything into the network that wasn't issued to you by the IRS.

    Finally, there's insider information. Somehow, I doubt the IRS pays people very well. There must be all kinds of employees with IT jobs who could physically copy from computers containing millions of tax records.

    I've been around for 26 years. I know this has happened. And in every case I know of, the offender left the office in handcuffs. Slashdot actually had a story about these incidents some months ago. Yearly, we'll have a few hundred incidents. Most are extremely benign, accidental compromises of a few scraps of disjointed information from a single account. The few deliberate "copy and sell" cases with which I am familiar have sent people to jail. Pretty much no one wants to risk that.

    Besides, our access isn't as easy as you might think. I can easily access the computers of people who have massive amounts of SBU data. Their default settings, however, place that data in folders protected by Windows encrypted file system. I can't read their stuff. I can get a recovery key for times when there's been a system crash, but doing so requires documentation and approval from the encryption staff and they are, technically, the only ones who actually use the key, i.e. it's initiated from their end over the network. Everything they do is fully monitored.

  11. Re: Here We Go Again... by AySz88 · · Score: 1, Informative

    The current money system in most countries today is far more insidious than that, allowing banks to lawfully lend out money(debt) created from nothing. Yes, they need some money deposited, but it is far less than what is lent out.

    This isn't quite right, though it might just be a vocabulary thing. To clarify: any single bank does need to loan out less than they get in deposits - but the money they loan out ends up re-deposited in a bank again, and then it can be loaned out a second time (and third, and fourth). Thus everyone's accounts end up with money that represents someone else's debt. For example: Suppose banks can loan out 80% of their deposits. Person A deposits $100 of "original" money into bank X. Bank X loans out $80 to B. B buys $80 worth of stuff from C. C deposits the $80 ('created' by the loan to B) into bank Y. Y only sees $80 of "deposits" - it's not marked as "loaned money" or any such thing - so Y can loan out $64 to D. D buys stuff from E. E deposits the money in Bank Z. There's already $144 "created" from the original $100 ($100 in A's bank account, $80 in C's account, $64 in E's account). Z loans out E's deposit. Etc, etc.

    Of course, the sum of a geometric series is bounded, so there's a limit to the amount of money 'created' this way. And nowadays, every economist knows this already, and should be already taking this into account when they think about anything involving the money supply. It's not really "insidious" anymore, just counter-intuitive.

  12. 1 apology and 2 confessions by BenEnglishAtHome · · Score: 2, Informative

    Thanks, but I wasn't really trying to convince anyone. I was just pointing out that reasonable steps could be taken to guard against obvious attacks.

    An apology - I'm sorry that I can't explain exactly how security is set up to isolate a single machine that gets rooted. Going into that much depth in a public forum is, itself, a violation of our security. Suffice it to say that this isn't the sort of scenario that causes me to lose sleep.

    Confession 1 - The "caught in 5 minutes" thing was a fluke. Security admitted as much. Most machines get scanned only every few days. This guy just happened to plug in his USB stick right before his scan started.

    Confession 2 - Pen testing has been done against us and we've failed. Not in any big ways, but we've had people hand over their passwords. We've had a couple of cases where physical access was gained. When this testing was done, though, the investigators had access to sufficient knowledge of our SOPs and culture that they were able to pull off things that no one who isn't already an employee could accomplish. The only really disturbing tests that I've heard of have been a few cases where an investigator entered an office (they had their badge to get in the building and an access card to get through doors), got to the cube farm, took off his badge, and proceeded to walk around for a half-hour without being challenged. That's an embarrassing failure but it's happened at least a couple of times.

    The theme here is that getting in isn't a piece of cake. Once in, the chance of discovery is high. If you're not discovered, you probably can't steal the data. If you're an employee who can steal the data, our monitoring will probably catch you and you won't like the result.

    Many layers. One of them should do the trick.

  13. Re:Since banks still think a CC is... by zQuo · · Score: 2, Informative

    Actually there is a reason for this, at least in the US. The bank who accepts the check is left holding the bag for a fraudulent check if it doesn't turn out. So they tend to be very careful about who they allow to cash checks.

    If there is a fraudulent check written from an account, then the bank accepting the check (not the original bank, usually) is the one who pays. The more they know about the person cashing the check, the better their chance of recovering.

    Of course, you are correct that random forms of ID are not very good at true identification, and I know personally of a check fraud case where the crooks opened accounts with fake IDs at several banks and got away with depositing checks from blank checkbooks and absconding with the funds shortly after the wait period. This works because the funds are actually in the victim's account, and the victim doesn't question it until their bank statement comes. Usually, neither the victim nor their bank is on the hook, but the bank that accepted the fraudulent check is the one who pays, since they are the one who took the check, and presumably checked that it was ok.

    Check fraud is not common, but it's good to always guard one's checkbook and account information.

  14. Re:The biggest exploit for any system by Anonymous Coward · · Score: 1, Informative

    Already been done: http://www.swansea-union.co.uk/index.php?option=com_content&task=view&id=270&Itemid=127