Dumpster-Diving for Your Identity

The NYT magazine has a story titled Dumpster-Diving for Your Identity - the author interviews two convicted identity thieves talking about their methods and successes.

Re:OK.....

[Anonymous Coward]

[since I'm waiting for a build to complete, I'll bite..]

This is because back in the day (~1985) when people used to go 'trashing', they were usually buying various techno goodies (anyone remember the Prometheus modem with the clock?) for even more mischief. If the early hacking/phreaking geeks didn't invent trashing, they certainly brought it to a higher level...or lower depending on your perspective.

Not advocating btw, just relaying...

a little while back

[dandelion_wine]

I've always taken a few moments to shred my bank machine receipts when I get them. Since sorting for recycling takes time anyway, I've always gone through it and shredded anything remotely useful, long before the notion of "identity theft" became mainstream.

Honestly, if people would just be a bit more paranoid, and not worry about being casual with risk as a fashion statement, these guys would have a lot less to go on.

That's with regard to personal papers. Businesses should know better, and should get their asses sued for failing to protect sensitive information that was entrusted to them by their clients.

Punishment != Harm Caused

[Lancer]

By the time investigators broke the case, Massey and his partner in crime, a computer whiz named Kari Melton, had ruined hundreds of people's credit. A judge sentenced them to prison in 2000; Melton was released in 2001, Massey the next year.

Given the amount of turmoil, headache, as well as real monetary loss these crimes must have caused, it's amazing to me that they each spent less than two years locked up.

I'd argue that was nothing but a slap on the wrist, and not much of a deterrent to future fraudsters.

Important add-on

[karevoll]

Im not saying Im agreeing with the parent post, but if you do, please remember that certain papers must be filed by you for a period of up to 10 years.. so you might want to do what most people in this situation does: buy a small file-safe... othervise you might end up having troubles with the IRS, and we dont want that, do we?

Re:Shredding doesn't offer much protection either.

[Jason1729]

Quick question...since personal shredders are only $30, why does your company use the shredding service at all? It would probably be cheaper to outfit every employee (or at least every department) with their own shredder than pay for 2 months of that service, when you empty your personal shredders, just use ordinary recycling for the shreds.

Jason
ProfQuotes [profquotes.com]

Well, who cares about them

[Anonymous Coward]

To be honest I'm not so curious to hear from these two. What worries me is what the identity theives who DON'T get caught are doing!!!

Re:The solution is easy

[waveclaw]

Shred all bank statements and whatnot before you throw them out.

You throw these out!?!? Never, in my wildest imagination would I consider taking such critical records and disposing of them. I've got my account histories (at the touch of a lock) form three banks over 15 year - I've even got records fom companies that closed, long before the whole 'get it online' rush. This is why I request paper copies of those records: so I can keep them.

Certainly, someone can break into my house, ignore all the shiny, expensive and portable things and got straight for the heavy, ugly, locked boxes obviously full of useless paper that are being used as a table for dirty laundry and AOL CD's (same really). But I degress.

Re:Shredding doesn't offer much protection either.

[igrp]

Well, in my experience it usually boils down to one, or a combination of, the following:

• ignorance
• incomptence
• liability

That's one of the reasons the military and (some) government agencies have adopted standarized protocols to deal with this kind of stuff and generally are quick to reprimand those who violate policy.

Many security problems these days have to do with the fact that people for some reason refuse to apply common sense -- requiring people to wear ID tags at all times and conducting thorough background checks is not going to do any good if you just dispose of confidential documents into some backyard alley dumpster.

Three Stacks of Paper:

[Anonymous Coward]

accounts receivable
accounts payable
accounts incinerable

Re:Shredding doesn't offer much protection either.

[timshea]

The cost of having every employee or department having their own shredder isn't restricted to the initial $30/seat investment. There's also the time involved in shredding documents.

Probably not a good example, but:

I once had a job which involved faxing purchase orders to suppliers. When I first started, the process was:

1. Print batch of purchase orders.
2. Go to accounting department. (I didn't have a fax machine on my desk.)
3. Fax each purchase order individually.

This process consumed 2 to 3 hours of each of my days.
COST: 2 to 3 hours employee time per day.
SAVINGS: $100 one-time cost of fax machine

Upper management greatly improved the situation when they donated a fax machine from their office for my desk...because it didn't meet their needs - it didn't automatically identify the sender in the page headers.
COST: 45 to 60 minutes employee time per day; plus additional 40 minutes of long-distance calling per day for the header page.
SAVINGS: $100 one-time cost of fax machine; 2 to 2-1/4 hours employee time per day.

Although it saved the daily trip to the accounting office, faxing now required a header page identifying where the fax was coming from. At least I could be mostly-productive while doing the mindless hours of fax work.

1. Print batch of purchase orders.
2. Fax each purchase order individually, with header page.

Eventually, we did end up with a fax modem which was connected directly to the mainframe which saved even more time.
COST: $300 for the fax modem; software written in-house in about an hour
SAVINGS: 2 to 3 hours of employee time per day

Queue batch of purchase orders.

Time is money - even if it is 15 minutes.

Re:Shredding doesn't offer much protection either.

[migstradamus]

Getting all your employees to do it is the main problem. There is no way you're going to get the consistency you need.

Another reason is liability. Having a company you can sue is nicer than having to cut your own throat by firing someone who screws up.

We don't need to abolish it...

[devphil]

...because something even more invasive would be put in its place. The Devil that ya know, and all that.

We don't even need to pass new laws to restrict the use of the SSN, because we already have them. It's not supposed to be used for any identification purpose other than actual Social Security.

Once again, the problem is not lack of laws. It's lack of enforcement. (Look at Bush and Kenny Boy, and tell me if you're surprised.)

As long as banks can write off 100% of loss

[Anonymous Coward]

we will continue to have situations where the banks don't give a damn about your identity being stolen, and will continue to refuse assisting in investigations.

Why should they? It's a 100% writeoff.

Start changing the writeoff to 95% next year, 90% the year after that, 85% 3rd year, and see how fast they change their attitude.

Re:Shredding doesn't offer much protection either.

[garcia]

We use a shredding company to do our work as well. The papers are put into a loosely locked box and picked up monthly.

The man who picks ours up is a toy short of a happy meal. He rarely says more than an incoherent mumble or two. Something usually about the damn lock on the door (I share his frustration).

We started using them after we shred about 5000 pounds of confidential data. I filled 12 large bins that they provided for us. These were probably 3.5 feet tall and large enough for at least two of my fat asses to fit inside easily.

Why do we use them? Because it would take me two or three days to destroy a single box of paper records that we have. I don't have time for that.

It's something like $500 for 5000 pounds. You do the math... Pay an employee $15/hr to shred documents for 3 days ($15 x 8) x 3 or $500 for 5000 pounds.

how to find out?

[Anonymous Coward]

How would I go about finding out if someone else has some form of credit opened in my name?

Would a credit report indicate all of my accounts? (even the ones opened by fraud?)

College Anyone?

[saderax]

What about idiot colleges who require are not allowed (legally) to request your social security number, but anyone can ask for your "student ID" which is coincidently the same?

(all sarcasm aside, really what could one do?)

Re:Dumpster diving old home directories

[Anonymous Coward]

Don't know about your case there, but in some cases, the dismissed employee doesn't exactly have the time to pack up his things, and go through all his files as well. Depending on how immediate your termination is, companies don't really like "ex-employees" to have computer access.

The real lesson there is not to have personal information on work-machines to begin with.

Re:avoid recycling bins for financial mail

[Colazar]

Interesting. The City of Seattle recently decided that they are going to start fining people for putting recyclable materials in the garbage, instead of in the recycling bins.

So that won't work for me.

link=http://seattlepi.nwsource.com/local/152676_re cycle16.html

Just wondering

[lurker412]

OK, I'll burn some karma here by being off-topic and politically incorrect. I don't understand why everyone seems to be so concerned about NYT registration. I registered years ago, and just out of curiosity I looked at my user profile just now. It showed an old, long-defunct email address and a fraudulant zip code. There were some other demographic drop-down boxes that I had never selected. So what's the big deal? I had to supply an email address to register for /. too. Neither one has abused that information AFAIK.

Liability

[Detritus]

How about changing the law so lenders are required to verify the identity of the people they lend money to? If they don't, they would be prohibited from taking any legal action against the debtor, referring the debt to a collection agency, or putting a black mark on the debtor's credit record. The identity verification process would have to meet high standards, comparable to what the government requires before issuing sensitive licenses and identification documents. Maybe a current photograph, thumbprint, and signature, collected by someone like a notary public or other trusted person, and submitted directly to the creditor.

Re:Compost them, don't burn them!

[Anonymous Coward]

I shread all of the sensitive paperwork that comes through my house. In the winter, it becomes tinder in the fireplace. I don't care if it is ecologically correct. Talk to the people who keep sending it to me if you have a problem with it. The ashes (in winter) or shreadings (in summer) get mixed with the used kitty litter.

There's an old saying: "I don't have to run faster than the bear. I just have to run faster than you." I presume that someone else's trash will be pilfered. Mine is rather unappealing.

Re:Shredding doesn't offer much protection either.

[karnal]

In addition, there's the "liability" factor.

If someone happens to get ahold of your sensitive data, it's nice for the bigwigs to have someone to blame other than themselves....

Think about it. Someone forgets to shred some confidential documents in their own personal shredder, and they get into the dumpster intact. That would be a whole lotta egg on the company. But, if the shredding company acidentally let a document "leak", then they'd probably lose more than just face... they'd probably lose a lotta money!

Re:Shredding doesn't offer much protection either.

[berzerke]

...Anyone wanting my personal data that badly can get it a lot easier than searching my garbage for paper mush.

And there lies the answer. You don't have to perfectly destroy the papers. Just make it cost more to get the data than the data's worth. Even the most basic methods (straight shredder) will deter most thieves. Unless you're being specifically targeted, there's always the idiot down the street (or next door) that's an easier target.

It seems to me

[ajs318]

It seems to me that the problem is a social one, not a technological one, and therefore we should be looking for solutions in the social domain.

Somebody who knows me is better qualified to say "That is the real ajs318" {or not} than some piece of machinery ever will be. A human being can check subtle things like signatures far more reliably than a machine. But the corporate mentality seems to be far too trusting of machines and far too distrustful of human beings. It's well known that humans make mistakes, but who designed and built the machines?

In Britain, we have a National Insurance Number as a unique per-person identifier, but it is only used for taxation purposes. Also, your employer is responsible for stopping your tax right out of your wages before you ever see them, making it physically impossible for the working classes to commit tax fraud.

With no national identity card, anyone requiring ID has to seek it from multiple sources ..... usually official letters such as gas / electricity statements and bank statements for your address, and a passport or driving licence for your signature and photo. If you join a video club, for example, you might have to produce two bills and a signature, and you'll get a card which is only good for renting videos; there is no information on the video card that links it back to the papers you submitted. Of course you could mug someone on their way to or from joining a video club and get their papers that way, but if you already knew what they were about to do you probably already know enough about them.

Now, your name and address are published in the telephone directory. So places insist on official letters. Of course these could be forged ..... but it's recognised that the name and address aren't enough, so other documents are also usually required. {And if, say, my electric bill shows I paid 10 last Saturday, they might want to see my payment card and make sure the account number matches.} Most places also require a signature, and you may even be required to sign the form in front of them. It does take skill to forge signatures with an audience ..... I could do a very convincing one of my last-but-one boss's, but nowhere near as quickly as he could.

It seems the problem in the USA is that the social security number {which uniquely identifies a person} is treated as though it were a secret, unknown to any entity beyond the person it identifies. That clearly is not the case. Look at how PGP works ..... there is a published part known to everybody, a secret part known only to one individual and a mathematical relationship that makes it difficult to determine the secret part from the published part. If I just send you ajs318's public key, that doesn't prove I am ajs318. If I sign something with ajs318's secret key, and you can recover it with ajs318's public key, then that at least proves I know ajs318's secret key, and there's a better chance that I might actually be ajs318. It seems to me that the SSN {which identifies without authentiation} is being misused.

The other thing is, when you go into somewhere like a newsagent's shop, you are recognised by the regular staff there. {Kids in my old village used to shoplift from the local newsagents' once at most. The items they took got added onto their parents' slate.} The point is, the main identity used in that situation is the person themself, which is hard to forge. In a large impersonal supermarket, there is less potential for recognition, so if you pay by payment card or credit card then they require a signature {though trials are underway where the shopper will merely have to enter a 4-digit PIN, thus relieving the cashier of the responsibility to check a signature and not at all paving the way for brand new opportunities in crime}; on the Internet, none at all.

If you want security, stick with old fashioned pound notes, because they can only steal as many of those as you actually have. And, until they get RFID in money, it's untraceable. You can't look at a 20 note and see it was won in a poker game, for instance.