Log in

How to Steal Identities – Why It’s So Easy

Saturday, March 19th, 2011 (4 comments)

How to be an ID thief

ID theft is fairly simple in theory. Get all the information you can find on someone so you can impersonate them and buy stuff. Then the victim gets the bill and you get all the stuff.

In practice, making this all work can be complicated, but that's ok, because businesses make it easy as I'll explain:

Part 1: Getting personal data

The small time: Dumpster diving

This method is time consuming, can be disgusting, but is very effective, and completely legal (to a point). Garbage in a can at the curb is considered abandoned property by lawmakers. Therefore, you can safely collect this garbage, take it home and search for treasure.

Note: when collecting garbage, make sure to do it in the wealthiest neighborhoods where the targets are likely to have identities that are more valuable.

Have you ever paid attention to what you throw away? What information about you is printed on that? Let's say that in your trash this month were some birthday cards, a few bills, a bank statement, and an unopened pre-approved credit card offer (you've stopped looking at them anymore and just toss them on sight).

There's a lot of sensitive information on those types of documents aren't there? I can get your birth date and mother's name from the birthday cards (what? Like your mother doesn't send you a card?). The bills give me account numbers, address, and telephone numbers for your home and possibly any businesses you run. That pre-approved card offer might have your social security number on it (paydirt!), but if not, I can still send it in with a change of address so the card comes to me.

The big haul: Hacking

The Internet is a wonderful thing. If I lived on a remote desert isle, but had Internet access, I can see the same information, make the same orders, and play the same games as anyone else in the world. I can also attack the security of any of any system that uses the Internet (such as the government, businesses, or individuals)

BAAAA! You're hacked.
BAAAA! You're hacked.

As a hacker, I can break into systems, sneak past security, steal data, and make my getaway all without getting up from my armchair. What if you're not a hacker? No problem! There are many people (hackers or security activists) who will post simple pre-built hacking scripts on the Internet. All you have to do is type in the Internet address of the site you want to hack into and push the proverbial "GO" button (firesheep for example).

Once you have access, you can wander around the site with full privileges. This allow you to do creative things like adding code to their shopping cart that redirects all credit card transactions to a monitoring site under your control.

But wait! Rather than rewrite their code and wait for results, why not just dump their entire customer database to your hard drive? Now you have instant access to thousands or millions of records (just ask TJX).

What kind of information do they store in their databases? Just about anything and everything. Data mining is what happens when you combine giant storage capacities thanks to today's technology with companies who buy and sell information about you to other companies resulting in a large and detailed profile about you and everyone around you.

Everything there is to know about you is being pooled into a central profile for companies to use as they see fit.

The full sum of all data you post to the Internet voluntarily, anything you give to companies when ordering online, and all public records is being pooled into your profile without your knowledge, out of your control, and without any option to remove it. Laws are slow in coming and often make things worse due to Congressional ignorance of all things technological.

With this vast cornucopia of data, you couldn't possibly steal the identities of everyone. What to do!?

How about select the juiciest prospects for yourself and sell the rest to other thieves? Not only are you getting rich from victimizing your chosen lambs, but you can earn additional money for years to come by selling you second or third draft picks to other people little by little.

Know the victim

If the person you choose as a victim is someone you know personally (especially a friend or family member), you may already know most of their personal data. This becomes especially important in the next step.

Part 2: Filling in the blanks

Assuming that you didn't get all the data you needed from the above, you can fill in the rest with some simple social engineering tricks. For this exercise you can use one or more of the following targets.

  1. Businesses

    Have you ever called a bank or utility service? How much information did they ask from you before deciding that you were you? Couldn't you call them and easily convince them that you are your neighbor? Once they've granted you access, you can "confirm" that they have your correct birthdate or other personal information which gives you information you didn't have before.

  2. Friends and family

    If I call your mother/friend/neighbor and say that I'm with the FBI and believe that you are a victim of identity confusion and need their help to clear your name, what are they likely to do? That's right, spill their guts about any personal information they have on you to "help" clear you. This is an easy way to get birthdays, mother's maiden names, even social security numbers.

  3. From you

    By pretending to be your bank or any other institution, I may be able to convince you to "confirm" a large amount of sensitive information such as bank account numbers, access codes, or any other number of things.

Part 3 – Using personal data

With enough data, you can create fake IDs, fake checks, or any other type of credential or document. Using these materials makes it easy to get utilities, credit, or services in your name which makes it far easier to commit crimes without getting caught.

If you don't want to (or can't) create fake documents, don't worry! Most places make it very easy to get credit online or through pre-approved offers. One experimenter was even able to send a ripped and re-taped offer with a change of address and cell-phone number to a company and still get credit.

Part 4 – The future

Though very inconvenient, no one is interested in hunting your average identity thief. The laws and punishments are weak if you get caught making it a waste of time for law enforcement to pursue most cases. Also, because it's such an easy crime that's a growing trend, there are far to many cases to handle.

Don't worry about the market drying up. Business and credit card companies use their ability to lean on insurance and tax write-offs to absorb the costs rather than implement any security which would inconvenience their lambs… I mean customers.

The one thing that could slow or stop most instances of identity theft is a Credit Freeze, which thankfully is available in EVERY state now.

Seminars and Guides
Work With Jeremy

For:

Seminars

Conferences

Consultation

Private Tutoring

Classes

Click here to
CONTACT JEREMY

Support the Geek

If you hate ads as much as I do, please consider supporting us by donating or browsing our recommended products


Recommended Products and Services
Quick Tips:
IDENTITY THEFT
PRIVACY
INTERNET SAFETY
PASSWORDS

The Identity Theft Victim's Mini-Guide to Recovery

If you've already experienced ID theft, here are some tips of what to do next.

[Click for full description]

How to Stop Credit-Based ID Theft with a Credit Freeze

A credit freeze locks your credit report preventing any thieves from being able to open new accounts in your name. Your credit cards and current accounts work like they always have.

[Click for full description]

Data Defense

One of the most important, but least understood, threats against us today is the creeping data-abuse by companies seeking to compile complete profiles on every American in order to enable "targeted marketing".

Until laws are in place to control their use of your data, learn the tips and tricks to make it harder for them while improving your identity-theft defense at the same time.

[Click for full description]

Credit Monitoring

What is credit monitoring, why it doesn't live up to its promises, and what you can do instead.

[Click for full description]

Id Theft Insurance

Id theft insurance is another of the many types of "services" that have been created in response to the id-theft problem. But rather than help you solve identity theft, it generally helps the insurance company transfer money from you to them.

[Click for full description]