Security Basics mailing list archives

Re: ID Fraud - Is there more hype than risk?


From: Kevin Wilcox <kevin () tux appstate edu>
Date: Tue, 24 Jul 2007 13:58:06 -0400

k7.fantr () gmail com wrote:

<snip>

Does anyone know themselves or can direct me to a place that can
explain what a malicious person actually does with stolen personal
information? Or, can anyone explain a realistic situation where the
thief can prosper and get away with it?

Sure. It depends on the information that was stolen. If you have a name,
address, telephone number, Social Security Number and a bit of courage
(or stupidity, take your pick) you can get credit cards issued to the
individual and sent *to their address*. At that point it's a simple
matter to change the address on the card to, say, the address of a home
in some neighbourhood that's vacant. Even if you *don't* change the
address you can use the authentic billing address but have items mailed
to a separate address. A lot of companies will mail to secondary
addresses if the correct billing address is provided. This will
*usually* result in the thief being found out but at the very least
discovery will mean they have to move on to someone or some place else.

I am looking for a scenario that actually or logically works, not
generic conventional wisdom like, “they use it to open accounts in
their name and buy houses and vacations and things, and, er, stuff…”
- The problem is that I can not seem to get my head around more than
a couple of petty situations that would only work for misc charges,
and for a very short period of time - not major purchases like a
home, or car, and certainly not anything larger scale that would
require thousands of identities.

The above scenario *does* fit your "open accounts ... and things, and,
er, stuff" bit but it *does* happen. I have a relative in particular
that was the victim of ID theft and was nearly stuck with paying for a
couple of *thousands* of dollars (USD) for items the thief purchased. In
that case the thief didn't need his SSN - he had name, address,
telephone number and the number to a cheque account.

Sure I realize that I could open an account at a bank, but why on
earth would I do that? How could I possibly benefit from that without
tipping off where I live, or some point of where I will be?

Just because you are there *at that point in time* doesn't mean you're
going to remain there.  I know it sounds trite to say someone can "take
the money and run" but there is some truth to it. If you are targeting
someone in particular and determine it is worth your time then you may
very well stay in an hotel or motel long enough to open an account, pass
yourself off as someone else while making a withdrawal or cashing a
cheque then disappear to another town. ID theft isn't always about
personal gain - it can be explicitly about another's loss.

Also, are there really people that will buy this information at $75 a
record? Or, is that just an FBI agent placing an ad in 2600 waiting
for some idiot to respond? And if these people do buy this
information, what on earth are they doing with it? There are by now
hundreds of millions of stolen records out there. There are free
tools that will create valid credit card numbers, and the information
as to what makes a real ssn is published for verification checking (I
know that does not make it real, but come on), etc, so why would
anyone pay? It just doesn’t make sense to me.

Whereas there are some incredibly intelligent thieves there are also
some that are quite ignorant or, in some cases, downright stupid. There
are indeed those that would pay for individual records and there are
more than enough people that would sell them.

While you probably *could* use the generated information and get away
with it, at least for a short while, why not use *legitimate*
information (aside from it being illegal and just plain *evil*)? If you
know a particular account number will match up with a particular address
then you're less likely to tip someone off *quite* as soon.

After spending years protecting this information, I have never heard
any realistic scenarios that wouldn’t simply lead the cops to the
person’s front door. I have heard plenty of Hollywood movie plots and
academic what if’s, which is what I theorize created the hype in the
first place…

Some of those Hollywood movie plots are based in historical
occurrences. While their stories are now the thing of legend, the names
Frank Abagnale and Kevin Mitnick spring to mind. Both had incredible
skill in passing themselves off as someone (or something) they weren't
and were highly skilled scam artists.

Perhaps it’s a testament to how lousy our law enforcement is, or my
apparent lack of ability to think like a smart crook, or perhaps
these crimes are being committed by idiots, but I tend to think that
there is more hype than actual risk out there…It almost seems more
akin to the “I’m in, here’s proof” situation rather than trading
databases of socials for a fist full of dollars..

There is a lot of hype out there but make no mistake - the risks for
having your identity stolen, or for someone to use just a small portion
of it for nefarious means, are very real.

kmw
