[IP] How to Steal $65 Billion Why Identity Theft is a Growth Industry
How to Steal $65 Billion
Why Identity Theft is a Growth Industry
By Robert X. Cringely
Recently my mail was stolen. It wasn't supposed to be stolen, which is a
given, but it also wasn't supposed to be able to be stolen because I was
out of town for two weeks and had the Post Office hold my mail. Only it
turns out that in Santa Rosa, California at least, holding mail means
different things to different mail carriers. Someone -- a substitute
carrier I'm told -- saw that big old pile of mail down at the post office
(the pile with the big "vacation hold" sign above it) and thought what the
heck I'll just deliver that mail anyway. And so they did. That big old pile
of mail sat in my big old mail box on my little old country road under a
walnut tree and across from a pond and sometime in the next few days it was
stolen. The only reason I know any of this is because a neighbor eventually
found some of my mail and some of a lot of other people's mail strewn along
the road like errant unmarked bills after a bank heist.
Here is something you probably didn't know. If you have the Post Office
hold your mail and they do something stupid like NOT hold it for some
reason, as happened to me, you have no recourse. They start an
"investigation" of course, but since no investigator ever calls and
certainly nobody reports back to me, the victim, I think this is pretty
much of a ruse. They sure don't replace any of the mail. I had, for
example, ordered from Amazon.com a copy of the 2003 Kelley Blue Book Used
Car Guide. My neighbor found the envelope from Amazon.com, but not the book.
"Where's my book?" I asked the lady at the Post Office.
"Lost," she said.
"What are you going to do about it?" I asked.
"We'll start an investigation," she replied earnestly.
"No, I mean what are you going to do about replacing my book?"
"Why would we replace your book?"
"BECAUSE YOU LOST IT????"
Nope. The Post Office didn't lose my book or any of my other mail, it
seems. Oh the mail was lost, but they didn't lose it. They delivered it in
error, but they didn't lose it. I LOST IT by not being there to collect the
mail. It was my fault. It seems that holding mail while you are out of town
is actually "a courtesy" performed by the Post Office and carries with it
no obligation or liability other than, of course, to start an investigation.
Film at 11.
Now in the pile of mail discovered by my neighbor, along with the envelope
from Amazon.com and many, many bills was something really scary. It was a
plain white envelope that had been opened and in that envelope I found a
report from one of the big credit reporting agencies. It was MY credit
report and though the credit score was nowhere as high as I would have
liked, the thing most startling about that credit report was that it
existed at all. That's because I never ordered the credit report.
Uh-oh.
Uh-oh is right. I did some checking and found that my credit report had
been ordered from all three national credit reporting agencies though two
had refused to send the report because something was odd about the request.
But the third credit reporting agency, sensing nothing odd and gladly
taking the money, sent the report which was intercepted presumably by the
person who had ordered it -- my very own identity thief.
My sense of self is fragile as it is without someone stealing me from me.
That was more than a month ago and I have since done everything I can
(which isn't really a heck of a lot) to protect and preserve my identity.
And I am still waiting for the results of that investigation. Yeah, right.
But I have also used the time to learn more about identity theft and what I
found is very scary. Identity theft is not only incredibly easy to do, but
our government seems to go out of its way to help the thieves. The
government is making many Americans more vulnerable, not less. This is
crime just waiting to happen on a massive scale, thanks to computer
technology.
Identity theft is generally a pretty low-tech crime. The bad guys steal
your mail or pilfer your trash, coming up with enough personal information
to apply for bank accounts, credit cards and loans with your name and
credit rating but with their address. They can even appropriate your
existing accounts. All it takes is having your name, address, date of
birth, and Social Security number. Before you know it the crooks have
bought goods, bounced checks, and drained your bank accounts, leaving a
world of heartbreak for the victims as they try to repair the damage.
The single greatest deterrent to identity theft is probably a paper
shredder. Get one and use it for anything you throw away that contains
personal information. Oh, and NEVER put outgoing mail in your mailbox for
pickup by the carrier. Take it to the post office or to a local post office
box.
It is very difficult to measure the cost of identity theft. The U.S.
General Accounting Office tried to do so in a 2002 report and finally
concluded that it simply could not be done with any precision. Many
identity thefts aren't even noticed, for one thing. What's that $30 charge
on your credit card bill? Oh well. Even many identity thefts that are
noticed aren't reported. And when they are reported it is often to
different federal, state and local agencies that don't necessarily speak
with each other.
What we do know is that there are somewhere between 250,000 and 750,000
identity theft victims every year. While many cases are small, the U.S.
Secret Service reported in one year investigating more than 7,000 cases
with an average cost to victims and financial institutions of $217,000 or a
total cost of about $1.5 billion. The American Banking Association reports
identity fraud losses to its members of around $1 billion per year and the
credit card companies absorb around $1.5 billion per year in such fraud
losses.
Then there is the cost of fighting the problem, which ranges from $15,000
per case for the Secret Service to the average 175 man-hours that consumer
counseling organizations report it takes victims to deal with the paperwork
of restoring their financial lives to order.
So the cost to society of identity theft is in the range of $4-5 billion
per year and may be even higher. The U.S. Federal Trade Commission recently
came up with an annual figure of $53 billion, though that feels to me like
a made-up number -- one that is good for Congressional hearings.
Identity theft is bad enough but right now it is also pretty much of a
cottage industry relying primarily on techniques like dumpster diving. What
if the identity thieves found a way to automate their crimes using
computers? Then it would get far worse, which is what this column is about.
When the term "computer crime" was coined it was during the mainframe age
and the perceived threat was from employees who could program bank or
company computers to conduct millions of tiny thefts, grabbing a penny here
and there and accumulating over time millions in the employee's account. It
would be an inside job involving vast sums but done so skillfully that
nobody would even notice. But it really didn't happen very often. When
computer crime finally became a reality in the 1990s it was the Internet
age and the criminals weren't, for the most part, company employees, they
were kids with bad attitudes and too much time on their hands. And their
crime wasn't theft but vandalism, as viruses -- malevolent programs -- led
to loss of data worth billions.
According to a 1999 report by Computer Economics Inc., a Carlsbad, CA-based
consulting firm that tries to measure such things, computer viruses, Trojan
horse programs, and denial of service attacks that year cost Americans a
total of $12.1 billion. While that is a horrific sum, it is not money that
is stolen, but destroyed. There is no crook sunning on a tropical beach
thanks to computer viruses. But with identity theft that is exactly the
case. Some crook IS sunning on a tropical beach at your expense.
Crossing identity theft and computer crime requires gaining access to
personal identity data on tens or hundreds of thousands of people at one
time then using that data on a mass scale to apply for credit cards and
bank accounts online. Crunching the data for all those credit card
applications is the easy part once you've written a program to do so.
What's hard is finding the personal identity information needed to drive
the process and that's where the government, all too often, plays a role.
It's that damned Social Security number, which is so useful as a universal
identifier that it becomes a part of almost every database at all levels of
government. If you are a bad guy, then, the trick is gaining access to
those databases, which ought to be difficult but isn't at all. Most states
include Social Security numbers in their voter registration databases,
nearly all of which are open to the public and many of which are searchable
online. But searching for one name and grabbing 100,000 voter records are
very different things, so trying to gather mass data for identity theft
using your AOL account would probably be noticed and is not a good idea.
But many states will sell you the data on CD-ROMs that you can take home
and search as intensively as you like. These CDs are typically intended for
politicians to use for generating mailing lists but could obviously be used
for a far darker purpose.
Of course you could probably do the same thing with medical, educational,
or insurance records, but then there is the problem of gaining access.
Public records are better if you want to be a crook because the Freedom of
Information Act makes them completely available.
While government agencies are doing their pitiful best to keep this kind of
data hidden (a GAO study last year found 14 out of 15 Federal agencies
studied were inadequately protecting Social Security numbers), even after
they've finally taken action to protect this information the danger is
still present. That's because Social Security numbers last a lifetime and
there is a lot of old data floating around out there, data that can be
brought up to date with frightening ease.
Here is the part where I have to slow down a bit because it would be very
easy to explain exactly how to steal a whole lot of money. I want to
publicize a problem that should be fixed, but in doing so I don't want to
tempt anyone to break the law. So I'll just say that there is a particular
Federal agency that used to use Social Security numbers as individual
record identifiers for a large database of names and addresses -- a policy
they changed only last year. When they stopped using Social Security
numbers as identifiers for new records, this agency didn't immediately go
back and assign new numbers to its almost 600,000 old database entries. The
old Social Security numbers are still there, though they are no longer
reported on the $30 CD-ROM version of the database that the agency sells to
all comers, nor is the all-important date of birth in the public record
anymore. Problem solved, right?
Wrong.
There are thousands of old CDs in circulation from earlier years including
both missing pieces of information. Given that some of these database
entries linger for decades (mine is more than 30 years old) and neither
Social Security numbers nor dates of birth ought to change over time, it
should be simple to reconstruct the missing data. Just grab it from an
older CD and apply it to any entries that span both old and new disks. So
that's just what I did, really. I borrowed a version of the same data CD
from 1998 that was available locally and used my computer to mix that old
data with the more limited data from the current CD, which is released
quarterly. Sure enough, in less than an hour I had updated names,
addresses, Social Security numbers and dates of birth for the more than
300,000 entries that were in common across both CDs.
What I produced in that hour was all the information required to steal the
identities of 300,000 people, most of whom would be considered to have high
financial (if not emotional or artistic) net worth. If I was a real
criminal I could use this data over a period of 4-6 weeks to apply for
online credit cards and bank accounts, to order credit reports that list
where the victims do their banking so I could loot those accounts, too.
Before anyone would notice I could grab that Secret Service equivalent of
$217,000 per victim for a total take of $65 billion, which certainly beats
my day job.
This sort of crime is eventually going to happen. If I can do it just about
anyone can do it. The take probably won't be $65 billion, but it will be in
the multiple billions. Once it sinks in what has happened, the financial
world and the world of business will never be quite the same again as yet
another shred of our innocence is torn away. And government will likely
respond with new laws that won't work and with a profound lack of
understanding of its own role in the tragedy.
But first they'll start an investigation.