How to Steal Identities – Why It’s So Easy
How to be an ID thief
ID theft is fairly simple in theory. Get all the information you can find on someone so you can impersonate them and buy stuff. Then the victim gets the bill and you get all the stuff.
In practice, making this all work can be complicated, but that's ok, because businesses make it easy as I'll explain:
Part 1: Getting personal data
The small time: Dumpster diving
This method is time consuming, can be disgusting, but is very effective, and completely legal (to a point). Garbage in a can at the curb is considered abandoned property by lawmakers. Therefore, you can safely collect this garbage, take it home and search for treasure.
Note: when collecting garbage, make sure to do it in the wealthiest neighborhoods where the targets are likely to have identities that are more valuable.
Have you ever paid attention to what you throw away? What information about you is printed on that? Let's say that in your trash this month were some birthday cards, a few bills, a bank statement, and an unopened pre-approved credit card offer (you've stopped looking at them anymore and just toss them on sight).
There's a lot of sensitive information on those types of documents aren't there? I can get your birth date and mother's name from the birthday cards (what? Like your mother doesn't send you a card?). The bills give me account numbers, address, and telephone numbers for your home and possibly any businesses you run. That pre-approved card offer might have your social security number on it (paydirt!), but if not, I can still send it in with a change of address so the card comes to me.
The big haul: Hacking
The Internet is a wonderful thing. If I lived on a remote desert isle, but had Internet access, I can see the same information, make the same orders, and play the same games as anyone else in the world. I can also attack the security of any of any system that uses the Internet (such as the government, businesses, or individuals)
As a hacker, I can break into systems, sneak past security, steal data, and make my getaway all without getting up from my armchair. What if you're not a hacker? No problem! There are many people (hackers or security activists) who will post simple pre-built hacking scripts on the Internet. All you have to do is type in the Internet address of the site you want to hack into and push the proverbial "GO" button (firesheep for example).
Once you have access, you can wander around the site with full privileges. This allow you to do creative things like adding code to their shopping cart that redirects all credit card transactions to a monitoring site under your control.
But wait! Rather than rewrite their code and wait for results, why not just dump their entire customer database to your hard drive? Now you have instant access to thousands or millions of records (just ask TJX).
What kind of information do they store in their databases? Just about anything and everything. Data mining is what happens when you combine giant storage capacities thanks to today's technology with companies who buy and sell information about you to other companies resulting in a large and detailed profile about you and everyone around you.
The full sum of all data you post to the Internet voluntarily, anything you give to companies when ordering online, and all public records is being pooled into your profile without your knowledge, out of your control, and without any option to remove it. Laws are slow in coming and often make things worse due to Congressional ignorance of all things technological.
With this vast cornucopia of data, you couldn't possibly steal the identities of everyone. What to do!?
How about select the juiciest prospects for yourself and sell the rest to other thieves? Not only are you getting rich from victimizing your chosen lambs, but you can earn additional money for years to come by selling you second or third draft picks to other people little by little.
Know the victim
If the person you choose as a victim is someone you know personally (especially a friend or family member), you may already know most of their personal data. This becomes especially important in the next step.
Part 2: Filling in the blanks
Assuming that you didn't get all the data you needed from the above, you can fill in the rest with some simple social engineering tricks. For this exercise you can use one or more of the following targets.
-
Businesses
Have you ever called a bank or utility service? How much information did they ask from you before deciding that you were you? Couldn't you call them and easily convince them that you are your neighbor? Once they've granted you access, you can "confirm" that they have your correct birthdate or other personal information which gives you information you didn't have before.
Friends and family
If I call your mother/friend/neighbor and say that I'm with the FBI and believe that you are a victim of identity confusion and need their help to clear your name, what are they likely to do? That's right, spill their guts about any personal information they have on you to "help" clear you. This is an easy way to get birthdays, mother's maiden names, even social security numbers.
From you
By pretending to be your bank or any other institution, I may be able to convince you to "confirm" a large amount of sensitive information such as bank account numbers, access codes, or any other number of things.
Part 3 – Using personal data
With enough data, you can create fake IDs, fake checks, or any other type of credential or document. Using these materials makes it easy to get utilities, credit, or services in your name which makes it far easier to commit crimes without getting caught.
If you don't want to (or can't) create fake documents, don't worry! Most places make it very easy to get credit online or through pre-approved offers. One experimenter was even able to send a ripped and re-taped offer with a change of address and cell-phone number to a company and still get credit.
Part 4 – The future
Though very inconvenient, no one is interested in hunting your average identity thief. The laws and punishments are weak if you get caught making it a waste of time for law enforcement to pursue most cases. Also, because it's such an easy crime that's a growing trend, there are far to many cases to handle.
Don't worry about the market drying up. Business and credit card companies use their ability to lean on insurance and tax write-offs to absorb the costs rather than implement any security which would inconvenience their lambs… I mean customers.
The one thing that could slow or stop most instances of identity theft is a Credit Freeze, which thankfully is available in EVERY state now.
Too Late!
If you've already become a victim, here is a list of things you should do. |
Solving ID Theft
Lock your credit reports with a Credit Freeze to prevent credit-based ID theft (90% of ID theft risk). |
Learn to protect your information to prevent not only ID theft, but many other kinds of problems (the rest of ID theft risk). |
Save Time and Money
cancel credit-monitoring services. |
Cancel id-theft-insurance |
Who is Responsible?
Sometimes you just have to wonder why it's so easy to steal identities in the first place. |
I am already a lifelock member. I haven’t decided yet whether or not that’s a good thing or bad thing. Is it safe or a good idea to provide lifelock with a list of my credit cards and numbers or is that a waste of time?
If you were to do a Google search for “Lifelock sucks”, you’d learn very quickly that it’s not really a good deal. Here’s a link to my page that describes it in decent detail: http://www.thegeekprofessor.com/lifelock-sucks/
What if you have id and ss card but don’t want bills sent to your address
I don’t think I understand your question. If you want bills sent somewhere other than your home address, couldn’t you just ask the company to do so?
I always wondered how people get away with having credit cards and shipments from; say, Amazon shipped to their homes once they have committed the act of credit fraud and have opened credit in someone else’s name? Wouldn’t that just lead authorities directly to your home??? How is this circumvented? Last year I went to file my taxes and they kept rejecting federal and state taxes. I kept trying over and over thinking maybe I put information in wrong but I was told a tax return was already filed in mine and my wife’s names. So of course I had to go through the lengthy process trying to restore some type of stability and getting government pin codes for submitting taxes, 37 year credit block and password protecting my credit profiles so no new credit to be opened in my name along with submitting police reports and the whole horrah. Fun stuff.
Can someone steal my id by using my prescription bottle or pill card?
The more information someone has, the more they can do. What is on your bottle and pill card? What they can do depends on what’s there.
I sent an amazon gift card by email to a friend. Can any information from that transaction be stolen or identity theft happen?
Gift card information is stored somewhere in a database. If someone gets that (or looks at the card and redeems it first), then yes, they can get the fund. I wouldn’t call it ID theft though…