How to be an ID thief
ID theft is fairly simple in theory. Get all the information you can find on someone so you can impersonate them and buy stuff. Then the victim gets the bill and you get all the stuff.
In practice, making this all work can be complicated, but that's ok, because businesses make it easy as I'll explain:
Part 1: Getting personal data
The small time: Dumpster diving
This method is time consuming, can be disgusting, but is very effective, and completely legal (to a point). Garbage in a can at the curb is considered abandoned property by lawmakers. Therefore, you can safely collect this garbage, take it home and search for treasure.
Note: when collecting garbage, make sure to do it in the wealthiest neighborhoods where the targets are likely to have identities that are more valuable.
Have you ever paid attention to what you throw away? What information about you is printed on that? Let's say that in your trash this month were some birthday cards, a few bills, a bank statement, and an unopened pre-approved credit card offer (you've stopped looking at them anymore and just toss them on sight).
There's a lot of sensitive information on those types of documents aren't there? I can get your birth date and mother's name from the birthday cards (what? Like your mother doesn't send you a card?). The bills give me account numbers, address, and telephone numbers for your home and possibly any businesses you run. That pre-approved card offer might have your social security number on it (paydirt!), but if not, I can still send it in with a change of address so the card comes to me.
The big haul: Hacking
The Internet is a wonderful thing. If I lived on a remote desert isle, but had Internet access, I can see the same information, make the same orders, and play the same games as anyone else in the world. I can also attack the security of any of any system that uses the Internet (such as the government, businesses, or individuals)
As a hacker, I can break into systems, sneak past security, steal data, and make my getaway all without getting up from my armchair. What if you're not a hacker? No problem! There are many people (hackers or security activists) who will post simple pre-built hacking scripts on the Internet. All you have to do is type in the Internet address of the site you want to hack into and push the proverbial "GO" button (firesheep for example).
Once you have access, you can wander around the site with full privileges. This allow you to do creative things like adding code to their shopping cart that redirects all credit card transactions to a monitoring site under your control.
But wait! Rather than rewrite their code and wait for results, why not just dump their entire customer database to your hard drive? Now you have instant access to thousands or millions of records (just ask TJX).
What kind of information do they store in their databases? Just about anything and everything. Data mining is what happens when you combine giant storage capacities thanks to today's technology with companies who buy and sell information about you to other companies resulting in a large and detailed profile about you and everyone around you.
The full sum of all data you post to the Internet voluntarily, anything you give to companies when ordering online, and all public records is being pooled into your profile without your knowledge, out of your control, and without any option to remove it. Laws are slow in coming and often make things worse due to Congressional ignorance of all things technological.
With this vast cornucopia of data, you couldn't possibly steal the identities of everyone. What to do!?
How about select the juiciest prospects for yourself and sell the rest to other thieves? Not only are you getting rich from victimizing your chosen lambs, but you can earn additional money for years to come by selling you second or third draft picks to other people little by little.
Know the victim
If the person you choose as a victim is someone you know personally (especially a friend or family member), you may already know most of their personal data. This becomes especially important in the next step.
Part 2: Filling in the blanks
Assuming that you didn't get all the data you needed from the above, you can fill in the rest with some simple social engineering tricks. For this exercise you can use one or more of the following targets.
Have you ever called a bank or utility service? How much information did they ask from you before deciding that you were you? Couldn't you call them and easily convince them that you are your neighbor? Once they've granted you access, you can "confirm" that they have your correct birthdate or other personal information which gives you information you didn't have before.
Friends and family
If I call your mother/friend/neighbor and say that I'm with the FBI and believe that you are a victim of identity confusion and need their help to clear your name, what are they likely to do? That's right, spill their guts about any personal information they have on you to "help" clear you. This is an easy way to get birthdays, mother's maiden names, even social security numbers.
By pretending to be your bank or any other institution, I may be able to convince you to "confirm" a large amount of sensitive information such as bank account numbers, access codes, or any other number of things.
Part 3 – Using personal data
With enough data, you can create fake IDs, fake checks, or any other type of credential or document. Using these materials makes it easy to get utilities, credit, or services in your name which makes it far easier to commit crimes without getting caught.
If you don't want to (or can't) create fake documents, don't worry! Most places make it very easy to get credit online or through pre-approved offers. One experimenter was even able to send a ripped and re-taped offer with a change of address and cell-phone number to a company and still get credit.
Part 4 – The future
Though very inconvenient, no one is interested in hunting your average identity thief. The laws and punishments are weak if you get caught making it a waste of time for law enforcement to pursue most cases. Also, because it's such an easy crime that's a growing trend, there are far to many cases to handle.
Don't worry about the market drying up. Business and credit card companies use their ability to lean on insurance and tax write-offs to absorb the costs rather than implement any security which would inconvenience their lambs… I mean customers.
The one thing that could slow or stop most instances of identity theft is a Credit Freeze, which thankfully is available in EVERY state now.