Dumpster-Diving for Your Identity 344
The NYT magazine has a story titled Dumpster-Diving for Your Identity - the author interviews two convicted identity thieves talking about their methods and successes.
Machines have less problems. I'd like to be a machine. -- Andy Warhol
Cringely articles on identity theft (Score:5, Informative)
Ego, Super-ego, and ID Theft [pbs.org]
How to Steal $65 Billion [pbs.org]
Same Story without the Registration (Score:4, Informative)
A little googling resulted in the same basic story without the registration:
refers to future article in NY Times [here-now.org]
and
Over a year ago on CBS News [cbsnews.com]
NYT random login (Score:2, Informative)
Use this to randomly generate a login for you
http://www.majcher.com/nytview.html
Full Article Text without Karma Whore (Score:5, Informative)
By STEPHEN MIHM
Published: December 21, 2003
tephen Massey was only a few minutes late, yet he apologized profusely as he strode into the lobby of a crowded restaurant in downtown Eugene, Ore. ''I'm very punctual about my time,'' he said, clasping my hand in a firm shake. With his freshly combed hair, crisp white shirt and trimmed mustache, he looked like an off-duty cop or fireman -- a ''pillar of the community,'' as he later described himself, a wolfish smile playing across his lips. Far from it: Massey, 39, directed one of the most extensive and notorious identity-theft rings prosecuted so far by federal authorities. By the time investigators broke the case, Massey and his partner in crime, a computer whiz named Kari Melton, had ruined hundreds of people's credit. A judge sentenced them to prison in 2000; Melton was released in 2001, Massey the next year.
Advertisement
The Federal Trade Commission estimates that identity theft costs nearly $53 billion annually. Some seven million people were victimized in 2002. Yet little is known about how the perpetrators actually operate. It's a popular perception that most identity theft happens on the Internet, but over the course of dinner, Massey quickly made clear that low-tech methods of getting people's personal information are far more effective. ''Every day was exciting,'' he recalled between mouthfuls of potato skins. ''We went to Vegas, Atlantic City. We made a business of it. It was like James Bond . . . 'Mission: Impossible.'''
In late October, Massey disappeared, violating the terms of his supervised release and prompting a national warrant for his arrest. It had become clear to me in five months of interviews that not everything he said was to be trusted, although much of it was verified by the detectives and prosecutors who had already investigated his crimes and by Kari Melton. As for Massey's current whereabouts, Steve Williams, a detective in the Eugene Police Department, who worked on the first case against Massey and is once again on his trail, said: ''My gut feeling is that he is in the Seattle area'' -- where he has family -- ''back to his old tricks, doing drugs, identity theft and counterfeit checks.''
If Massey has indeed resumed operations, it's a sure thing that he's not working alone. His identity-theft crimes depended on the work of a carefully built ring, one that employed hordes of petty thieves and drug addicts. If he sticks to his old techniques, his crimes will originate in Dumpsters and garbage cans, where information can be culled from discarded personnel files and other trash. It's not the most glamorous crime, but that doesn't make it any less devastating to its victims.
Discovering the Dump
Massey's life began to unravel in his late 20's, soon after he started experimenting with the highly addictive stimulant methamphetamine. Before that, Massey achieved some semblance of success, managing an awning-maintenance company, marrying and, with his wife, having two daughters. Then he and his wife divorced in 1992. Soon after, he remarried, and divorced a year later. His business began to decline. Sometime in the mid-90's, his teenage girlfriend offered him some meth. ''So here I am with no place to live, on the rebound and with a habit,'' Massey recounted. ''Who wants to look for a job again?'' Massey began hanging out with a much younger crowd of meth addicts, called ''tweakers,'' and forging checks to feed his drug use. It was during this time that he began to wonder if he could hijack people's identities for profit. He stumbled onto the answer soon after, when the meth-heads invited him to go ''Dumpster diving'' for junk. Massey and the teenagers piled into his Ford Explorer and drove to the outskirts of Eugene.
''It was the first time I had ever been to the dump,'' Massey recalled, wrinkling his nose. ''I said, 'I'm not going to get dirty,' so I wandered over to a shed where the recycling was stored. I notice there's a big barrel for rec
Not news (Score:2, Informative)
Re:Shredding doesn't offer much protection either. (Score:5, Informative)
The difference between a $30 Office-Depot Shredder and a good commercial shredder is significant. The Cheapo shredder usually shredes only vertically, and does so usually so that there are about 20 cuts down one page. People sending 3-4 documents in at once will find that they have those 3-4 documents nearly intact, just cut into 20 vertical peices which are easy to put back together if someone is careful in extraction.
On the other hand, good commercial shredders litterall demolish the paper, turning it into sawdust like material that would be impossible (virtually) to reconstruct. Along these same lines, good document security companies use combination of methods, not just shredding to ensure security (read: chemical treatment, randomization, etc).
Brushfireb
Get a locking mailbox too. (Score:5, Informative)
If your mailbox is on the curbside like mine, seriously consider getting a secure lockable one where the mailman can only drop mail off, but a key is required to retreive it. I just received mine from oregontrailbox [oregontrailbox.com]. I did some research, there are a few places that sell those under different names, but the ones I liked are actually the same box that seems to be manufactured by pinnacle [lockingmailbox.com] (or pinnacle is yet another reseller of the same box made by a unknown third party....)
In any event, I will be installing my Heavy Duty Standard tomorrow...
--
OpenHosting [openhosting.com] Virtual Servers for the geeks.
Re:I don't know if he was kidding... (Score:1, Informative)
I assume the "burn bag" moniker was a throwback to the older days, as there was no "burn" step after the shredding.
So folks, if you simply shred, it's good enough for government work!
Re:Shredding doesn't offer much protection either. (Score:5, Informative)
Because $30 personal shredders suck ass. They're cheaply made, their motors burn up if you put more than 5 sheets at a time through them with any regularity, and they jam very easily.
Spend a hundred for each one and you might get something worth using.
Spend $1500 for a serious industrial crosscut confetti model and let 30 employees share it and your company is probably far better off than with either of the above options, or the shredding service.
Bonus points if the company then sells the shredded paper *directly* to a pulp mill
p
Dumpster diving old home directories (Score:5, Informative)
He had all sorts of personal data in his home direcrtory: passport & visa applications, paycheck stubs for several years, copies of expense accounts including scans of credit card statements, info about his retirement from the company we used to be a part of, ...
Once I realized what it was I rm'ed it, but what would posses a supposedly rational person to not only save this data to a networked machine at work but to leave it there after leaving the company?
Re:I don't know if he was kidding... (Score:1, Informative)
Anon 96Hotel
Curtail use of your SSN (Score:5, Informative)
The two primary examples of this use are the medical profession adn the Motor Vehicles establishment, both of whom seem to think the SSN is a handy Unique ID. Obviously, this magnifies the security risk for anyone who complies. Here's how to deal with both.
When you sign up for health insurance, fill in the SSN field with the phrase "assign ID". Sometimes they will just do it, but usually some clerk will complain that you haven't completed the form, they can't process it, etc. Firmly explain (often several times) that this is illegal, and that their companies have procedures to handle this, and that they need to speak to their manager. They will soon return with a sheepish demeanor, and you will get an ID in the SSN format.
Now, whenever you go to ANY doctor, dentist, hospital, or whatever, fill in this assigned ID as your SSN on their form. If asked whether this is your SSN, simply respond that "This is the correct ID.", and do not let pressure you into revealing your SSN.
The DMV and police may be easier or more difficult to deal with. The DMV should have a checkbox on the form which allows you to decline using the SSN, usually with some corresponding inconvenience. E.g., some states will require you to come in for renewed licenses, whereas they will mail them if your SSN is in their system. If your state doesn't have this option and you cannot argue them out of it, transposing a few digits might not be a bad idea.
When dealing with the police (e.g., in a speeding ticket situation), I've found it is best not to tell them that their request for your SSN is illegal. Best to just say that you don't remember it. Of course you don't want to give false information, right?
These tactics will obviously not close all vulnerabilities, but they will eliminate two major potential sources of identity theft. Good Luck.
Re:Important add-on (Score:2, Informative)
With regards to US personal federal income tax, the recordkeeping requirement is 3 years from filing or 2 years from payment, whichever is later. See 2002 Form 1040 Instructions (pdf) [irs.gov], page 60.
Re:Important add-on (Score:2, Informative)
Re:Curtail use of your SSN (Score:5, Informative)
There are no laws that forbid the private use of the SSN for any reason whatsoever. Any private entity may demand your SSN as a condition for interacting with you; you must provide it or they may refuse to interact with you. (For instance, getting health insurance or a credit card.) The Privacy Act of 1974 made some restrictions relating to *governmental* (only) uses of the SSN as an identifier; when government agencies demand your SSN, they have to tell you their legal authority for requesting it and what the penalties are for failure to comply. This requirement is largely ignored in practice - for instance, when I was serving on jury duty, the court clerk demanded my SSN (to withhold income taxes on the $12/day jury payment), and when I pointed out that they were violating the law by not disclosing the authority for this request, the clerk was singularly unimpressed. If the court system is violating the law... but I digress.
The rest of the comment (seek to use an assigned number rather than your SSN whenever possible) is good advice, and will often work, albeit at the cost of some hassle. CPSR has a good FAQ [cpsr.org] with some more information.
Re:Compost them, don't burn them! (Score:5, Informative)
Credit Verification system (Score:5, Informative)
So basically how it works, is that there's a phone number specified on his credit report and a secret question and answer. So if anyone makes an attempt to check my father's credit history, or take out credit in his name or SSN, the creditor must call the listed phone number and my father must answer the phone. They identify themselves and what creditor they're representing. Then they ask the security question and my father gives the correct answer. Now business can proceed as usual.
It gets more secure when the security question/answer must be changed each time it's used. Plus, changing the phone number requires a 30-day written notice.
I think that's a GREAT idea... Why don't more people implement that? Once I get some actual credit, instead of just Student Loans, I'm going to put that security measure on MY credit!
Re:how to find out? (Score:2, Informative)
Banks don't get to see how often you check your report.
Re:I tried, really! (Score:2, Informative)
NYT simply does a referrer check.
Re:Credit Verification system (Score:5, Informative)
I had to do this a couple of years ago after someone stole my identity and started opening credit card accounts and spending thousands of dollars. Fortunately one of the banks caught some inconsistencies (very similar story to one of the above posts) which alerted me to the whole situation.
Fraud Alerts 'expire' after a certain period (I think 2 years or 7 years depending which credit agency) but you can easily reinstate them. I will definitely continue to 'renew' mine. The minor inconvenience is that it will be more difficult/impossible to open a credit card account for a retail store (but these are mostly pointless) unless your cell phone number is the one associated with the fraud alert.
Instant NYTimes registration (Score:2, Informative)
Re:Credit Verification system (Score:5, Informative)
You don't have to give out your SSN (Score:4, Informative)
Re:Shredding doesn't offer much protection either. (Score:3, Informative)
I can vouch for the effectiveness of dumpster diving; I snarfed the entire budget info for the science dept. in college once. Interesting reading, too.
Re:Get a locking mailbox too. (Score:3, Informative)
Re:No you didn't (Score:3, Informative)
He was root on an NFS client, browsing files on the server. In that situation, root (on the client) is mapped to nobody on the server, i.e. not very useful.
In order to read the data, he need to change his identity to the file's owner first.
Either you're a troll, or you're a pretty stupid sysadmin for not knowing this.
Or, maybe he had only the root password of a couple of NFS clients, but not the server?
for not destroying his home
If he was not the sysadmin of the server, it was none of his responsibility to do this kind of cleanup when the guy left.
i think you're all forgetting something... (Score:4, Informative)
Want to know why? The manager that collects all those receipts might be honest enough, but do you know what a lot of those places do w/ their receipts? After anywhere from 1-3 years, a lot of them just throw boxes full of them in the dumpster. A college bookstore I worked at when I was starting college did just that. Literally thousands of credit card receipts w/ full pin numbers, signatures, and names in the bin. A lot places shred that receipts when they're done, but some don't. And think of the traffic a college bookstore generates.
Before you say anything like "well, you didn't have an id, address, or a social or anything like that", imagine the damage I could have done had I been so inclined to steal some of those numbers and then used them where I had a friend on the inside. Or done the digging to find that person's SSN, address, or whatever.
Trust me, I was so tempted to finance the rest of college education w/ a little bit of scamming. Thankfully, I had a hellish cunt of a girlfriend that ruined my life so badly that I dropped out of college and went to work in IT.
Damn...now that I think about, maybe theft was the better option...
Re:hey.. (Score:1, Informative)
One overwrite is enough as long as the data is random. Not only can you not tell a 1 that used to be a 0 from a 1 that always was a 1, or a 0 that used to be a 1 from a 0 that was always a 0, but you don't know whether the 1 or 0 it used to have been got overwritten with a 1 or a 0. You might be able to tell something of past history by opening up the drive; but, as storage densities get higher and higher, there are fewer and fewer oxide molecules used to store each bit and so the chances of there being anything useful are diminishing.
Also, credit card numbers are only valid for a few years, and some people change their card every 6 months or so to take advantage of an introductory offer