Security Basics mailing list archives

RE: ID Fraud - Is there more hype than risk?


From: Eric White <ewhite () ssc wisc edu>
Date: Tue, 24 Jul 2007 11:55:23 -0500

Here's a link to a recent blurb from SANS:

https://www.sans.org/newsletters/newsbites/newsbites.php?vol=9&issue=54#sID200

The Washington Post article it links to is worth the read. 

--
---------------------------------------------------------------
Eric White                           


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of k7.fantr () gmail com
Sent: Monday, July 23, 2007 7:54 AM
To: security-basics () securityfocus com
Subject: ID Fraud - Is there more hype than risk?

At the risk of opening a can of worms, this is a legitimate inquiry.

I am trying to separate the identity fraud hype from actual risk in the now
more common sense of electronic data stolen online or from a database - not
my uncle Joe filled out a credit app as his dog.. :)

The situation is stolen electronic data: such as name, address, and ssn -
one or one million records.

Does anyone know themselves or can direct me to a place that can explain
what a malicious person actually does with stolen personal information? Or,
can anyone explain a realistic situation where the thief can prosper and get
away with it?   

I am looking for a scenario that actually or logically works, not generic
conventional wisdom like, "they use it to open accounts in their name and
buy houses and vacations and things, and, er, stuff." - The problem is that
I cannot seem to get my head around more than a couple of petty situations
that would only work for misc charges, and for a very short period of time -
not major purchases like a home, or car, and certainly not anything larger
scale that would require thousands of identities. 

Sure I realize that I could open an account at a bank, but why on earth
would I do that? How could I possibly benefit from that without tipping off
where I live, or some point of where I will be? 

Also, are there really people that will buy this information at $75 a
record? Or, is that just an FBI agent placing an ad in 2600 waiting for some
idiot to respond? And if these people do buy this information, what on earth
are they doing with it? There are by now hundreds of millions of stolen
records out there. There are free tools that will create valid credit card
numbers, and the information as to what makes a real ssn is published for
verification checking (I know that does not make it real, but come on), etc,
so why would anyone pay? It just doesn't make sense to me.

After spending years protecting this information, I have never heard any
realistic scenarios that wouldn't simply lead the cops to the person's front
door. I have heard plenty of Hollywood movie plots and academic what if's,
which is what I theorize created the hype in the first place.

Perhaps it's a testament to how lousy our law enforcement is, or my apparent
lack of ability to think like a smart crook, or perhaps these crimes are
being committed by idiots, but I tend to think that there is more hype than
actual risk out there. It almost seems more akin to the "I'm in, here's
proof" situation rather than trading databases of socials for a fistful of
dollars..


Thanks,
