2-Year ID Theft Investigation Yields 86 Arrests; 25 More Sought

angry tapir writes with this bit from TechWorld: "Prosecutors call it the biggest identity theft bust in U.S. history. 111 bank tellers, retail workers, waiters and alleged criminals were charged with running a credit-card-stealing organization that stole more than $US13 million in less than a year-and-a-half. 'This is by far the largest — and certainly among the most sophisticated — identity theft/credit card fraud cases that law enforcement has come across,' the Queens County District Attorney's office said in a statement announcing the arrests."

This is thanks to Bush's failed policies.

The only way to make an honest buck in this economy is to steal it. The more crooked you are, the farther you'll go. Greed rules. Greed is good. (to paraphrase Gordon Gekko)

Re:This is thanks to Bush's failed policies.

[zenthax]

Yup it's not stealing, well at least not from the person. Nobody stole any identities, but rather a good bit of money from banks and creditors. However somehow they have managed to convince everyone that it is not the banks problem. For a comical take on this point Identity theft should not be an individuals problem but rather whatever institution that mistakenly allowed the transaction should be held responsible.

Identity is only worth stealing

as long as identity has value.

We have too much identity. Alleged identity does not assure good intentions or good funds.

The powers that be have been incessantly pushing more identity on us and all it's done is create more identity theft and identity abuse (often from marketers).

We should be moving to chip and pin, a proof of knowledge scheme, rather than this nonsense based on numbers which must be kept secret from thieves but shared with the whole world to do business, and names, an information commodity passed around more than a joint at a Dead concert.

Why should a card be billed by name and number? Are either relevant to assuring funds transfer? No. The only thing which should matter is a positive response from the merchant's bank confirming funds transfer.

A user-friendly payment system would give the merchant neither the name of the person using the secure card nor any unique identifying number. The response should be either VALID $x.yy or INVALID.

Our current payment system was designed by bankers, marketers, and politicians, and it shows.

If it were designed by security experts this would not be a problem.

A lost cause; but here we go...

[fuzzyfuzzyfungus]

I despise how these cases get treated as "identity theft" rather than "bank/CC fraud with a side of impersonation". An "identity" as it is presently constructed for financial purposes, is basically all public, or near-public information(much of it is public record, the rest is simultaneously treated as Super Secret Proof, and demanded, all the time, by basically everybody, because it is Super Secret Proof, which of course means that it is basically public, like SSNs and CC numbers...) It isn't the person whose "identity" is used to perpetrate a given frauds fault that financial institutions can't be bothered to actually verify transactions properly, although the poor bastards often get stuck with years of hassle for it anyway.

The notion of "identity theft" seems like nothing more than a cynical way to shift responsibility away from the responsible parties, and the parties who could do something about it(hey, Visa, don't want my CC getting cloned by anybody who manages to obtain the numbers visible in plaintext on the card, which have to be used to perform a transaction? Try cryptography...) and onto the suckers at the bottom of the food chain who, realistically, have very little control over the 'security' that a bunch of nearly public information connected to them is given by the large number of people who have access to it.

Re:A lost cause; but here we go...

[ka9dgx]

I love this thread... it is insane to try to keep a system like this designed for a few clients in the 1950s and 1960s alive when it has scaled to a significant fraction of the planet's population. Cryptography would be a great leap forward, but even a few simple things could make it much better like having a website for each of the major CC/Debt card vendors where you can have them generate a new random large number for handing off (via cut/paste, or whatever) to a vendor, which gives them a claim for x dollars from your account... once, or whatever schedule/limits you set.... and would only work for their account, nobody elses.

Even if their computers were stolen, the number wouldn't work for anyone else..... and if they tried to screw you, you'd just revoke the capability from your control panel, and they'd never get another cent.

This could be done with 1970's class mainframe hardware... and would require only a few nano-cents worth of storage these days.... yet we get screwed by the IT systems designed in the 1950s.

Re:That's ... weird.

[fuzzyfuzzyfungus]

Wrong search terms: "Magnetic Stripe Encoders" are what you are looking for.

~$300, won't handle the fancy card graphics and embossed numerals("Magnetic Stripe Card Embossers" are used for that, also perfectly licit off-the-shelf items); but will turn a card blank into something that an automated POS won't bat an eye at(and, in most cases, re-using a bank-issued card, even if the number on the card doesn't match the one on the stripe, should probably escape a retail employee's notice).

Magnetic card stock is also a legitimate off-the-shelf item, as are printers that will dump an arbitrary color image onto blanks(entirely non-suspicious, any organization that issues mag-stripe IDs probably has such a printer on the shelf somewhere.) Getting a card-stock supplier to do a large print run of cards identical to bank blanks would probably raise some eyebrows; so you would presumably have to steal or print your own.

Everything you need to produce fully functional magnetic stripe cards is fully licit, available off the shelf, and not particularly expensive. The only "secret" is the name and number prominently displayed on actual issued credit cards, and handed over during each transaction. The "chip and PIN" stuff is horribly broken; but at least it pretends to be concerned about card cloning...

Re:Identity "theft"

[Jason+Levine]

My identity was stolen, so I have personal experience here. The thieves had my name, SSN, DOB, and address. They used it to open a credit card in my name. (Curiously, they had my mother's maiden name wrong yet Capital One still approved the online application.) They also requested rush delivery and changed the address on the card from my home to some other location. Unfortunately, for them, Capital One sent the card out BEFORE changing the address and it went to me. I was able to stop the fraud and lock down my credit, but I never found out who stole my personal info or how.

I was lucky. If the card had gone out how they hoped it had, they would have been able to activate it and run up a huge tab under my name. Then, when they didn't pay, the collection agencies would have come knocking down my door. My credit would have been ruined for years as I fixed the damage they did.

Yes, I would have had my credit but it would have been completely trashed.

To use a car analogy (since this *IS* Slashdot), identity theft is like "borrowing" someone's car at night and returning it with the windows smashed, two doors missing, dents all over, paint smeared all over the interior and three tires flat. Sure you have your car to use, but you aren't going to get much actual use out of it until you spend a lot of time and money restoring it. (And unlike the car analogy, you can't just ditch that car and get a new one.)

I'd say depriving someone of the credit that they earned by fraudulently gaining access via stolen personal information is "theft". This isn't a case of someone making a copy of your identity and it not affecting you. The results are real and can affect you for years to come.