Big ID Thefts Not To Be Feared

goldseries writes "A new study released by ID Analytics says that only about 1 out of every 1000 stolen identities are actually used, due to the amount of time it takes to use the identity, limiting a single thief to 250 identities a year. The likelihood that your information will be used increases drastically when the size a the theft is small. So size does not matter, in identity thefts at least; the identity thefts you need to worry about aren't the big ones heard on the news but the small unreported ones." From the article: "While the findings will provide some comfort to consumers whose credit cards are lost or lifted, or whose sensitive information is compromised when, for instance, a laptop is stolen, as recently happened at Chicago-based Boeing, some of ID Analytics' suggestions could be controversial. The company suggests, for instance, that companies shouldn't always notify consumers of data breaches because they may be unnecessarily alarming people who stand little chance of being victimized."

Nice whitewash...

[Godeke]

So those of you that *actually* suffer identity theft... well, you are just a small, inconsequential number of people compared to those who got lucky. Since you are so outnumbered we can safely continue to fail to safeguard your data, and we will use these results to claim it is your fault, not ours, that you suffered identity theft. After all, you are only one in a thousand, right? Heck, losing a tenth of a percentage of our customers won't hurt *us* that much... and all this notification stuff is hurting us *much* more than that.

Nonsense Quote

[LostCluster]

"As far as notifications, we think there are certain instances where businesses might want to notify consumers and certain instances where they might not to inform them," Cook said.

When would there ever be an instant that a business would want to disclose a leak? There are instances were businesses should be required to inform customers.

Every 35 hours

[amrust]

...limiting a single thief to 250 identities a year...

Still, to the web economy, that's *almost* like them becoming a completely different person, every 35 hrs. Per thief. Pretty amazing/scary when you stop to think about it.

Not a big deal???

[gasmonso]

Tell that to the thousands of people who had their lives turned upside down. The effects of identity theft can be devastating and long lasting. If your data is stolen, you have every right to know about it. This is just an attempt for companies to downplay their incompetence and lack of security. I'd like to see how they would react if their information was stolen.

gasmonso http://religiousfreaks.com/ [religiousfreaks.com]

overblown my ass! (ewww, nasty image)

[BushCheney08]

As a former victim of identity theft, I have to tell these people to go to hell. Sure, my case was a fairly small one -- two lines of credit opened in my name totalling about $5000 (On one of the applications, there wasn't even a SSN. They opened the account simply by listing my name and an address that I've never lived at). Getting the crap cleaned up was an absolute nightmare. And don't expect the 3 credit reporting agencies to be any help, either. They don't want to deal with you. After all, you're not their customer - their customers are the ones buying your information from them. One of the agencies still sends mail to my old address, 6 months after moving. This is despite me sending a letter notifying them of my change in address along with all of the information they requested in order to do so. Basically, any company dealing in personal information brokerage is on my shitlist...

Credit reporting companies fault

[Lumpy]

If they would stop being Asshats and allow you to "LOCK" your credit reports then this would be a non issue.

If I could call and place my credit reports in a locked status so no credit reports can be pulled then this would be a much smaller issue. But they refuse to because it would significantly impact the revinue stream they get from the tens ofthousands of illigimate requests they get an hour for people's credit. I wont even go into the issue that their data is horribly inaccureate anyways but they should allow me to lock it down until I release that lock.

Re:Of Course You Should Inform Them!

[timeOday]

Unless the companies who lost the information are willing to be liable for any and all damages caused by the identity theft, not limitted to damaged credit ratings, credibility damage, and all monetary losses, they should definitely inform consumers.

I'll go you one further, I think the law should *compel* them fess up. Most of the interest over identity theft has resulted from the California law which does just that. As a result, we started to hear about things that before would have been secret, and it has really blown the issue wide open. For markets to work well, people must have access to relevant information, such as which companies have bad track records for infosec.

I just got a 20 page background check fax in error

[gelfling]

My home fax machine is one digit off from that of an headhunter. Two nights ago I got a 20 page fax detailing the background check results for a candidate including:

Name
SSN
Address
Bank account numbers
Credit score
Arrest/conviction records: Federal State Local
Urinanalysis results

There was never a I never received a followup fax to check up on it - clearly they didn't have my phone number so they couldn't speak to me, but they already had a record of the fax number.

And if that wasn't dumb consider this.

My home phone number is one digit off from the States depart of Revenue unclaimed funds division. I routinely get calls from people asking "Is this the money line???" I get people leaving their name, address, SSN and phone number on my voice mail, unasked and please remember that the outbound message states the phone number and nothing else to indicate what the number is for. I get calls from people in state, out of state, out of the country, from prisons from other branches of the government.

Security is bullshit as long as people act retarded.

"Identity Theft Over-Reported"

[lysander]

I recommend also reading a post in Schneier's blog about identity theft being over-reported and confused with fraud [schneier.com].

And when the thief resells the info?

[Anonymous Coward]

250 per year per thief. What about when one company is breached, 1 million IDs are stolen, and the one thief (who specializes in security penetration) then resells these to hundreds of other thieves (who specialize in id theft) online? 'Cyber criminals' are more organized and more specialized these days. We're not dealing with script kiddies any more.

The company suggests, for instance, that companies shouldn't always notify consumers of data breaches because they may be unnecessarily alarming people who stand little chance of being victimized.

Of course they do. This is spin to attack California law. Choicepoint and friends don't like the law and want it repealed.

What about the people in the call centers?

[rolypolyman]

What concerns me lately is some of the faceless/nameless droids working in the call centers. After we called our Texas power company to transfer our service to a new address, we found out some time later that they added on another house in Dallas, as part of the same work order. Assigned my wife's social security number to the account, too. It's not just the databases that concern me, but the trustworthiness of the people taking my call.

Re:I'm not sure I get it

[timeOday]

I'm not sure why anybody should be notified at all. Customers knew the risks when they signed up for a credit card, if they didn't know the risks they could have found out. And now nobody has an excuse for not knowing the risks involved.

You are the classic example of somebody who berates individuals for not taking responsibility (for things they have very little control over), while at the same time giving companies carte blanche for utterly reckless irresponsibility. It's bizarre.

Flaw in this

[isotope23]

A new study released by ID Analytics says that only about 1 out of every 1000 stolen identities are actually used, due to the amount of time it takes to use the identity, limiting a single thief to 250 identities a year.

Major flaw in thinking here...

If this is true, then said computer criminal could just sell his/her stolen
info in batches of 250 to multiple criminals. I can see all kinds of possible
"value" add ins for the data thief as well. Items such as:

Data mining for likely high income identities.
Data mining for identies which match the buyers profile (e.g. white male mid 30's)

Re:Flaw in this

[lysander]

Exactly. It's not like stolen identities go stale all that quickly, either. I'd want to know my infomation was compromised regardless if it was stolen in a batch of 100 or in a batch of one million. A company worrying about whether they're "unnecessarily alarming people" should also be taking proactive steps to avoid and minimalize the damage of such thefts.

ID Sweatshops

[ZachPruckowski]

Here's how I'd do it if I were an ID thief (obviously I'm not).

1) Steal a hundred thousand IDs.
2) Hire a pile of cheap workers somewhere
3) Get them to mine the money for a 10-20% commission.
4) Move to Vegas and/or the Bahamas and, um, get to know the locals...

I mean, seriously, when you're dealing with a lot of money, when has manpower ever been an issue?

Re:I'm not sure I get it

[Loconut1389]

the only real solution to having to give out your pin is something like RSA SecurID where the pin+code rotates on an interval (usually 1 minute).

If with every credit card you got an RSA SecurID fob, or something similar, credit theft would be all but impossible. Sure if someone physically steals your card and fob, there's a small window before you call the company, but that's minimal and easily controlled.

The problem though is others applying for other lines of credit in your name. Theyd have their own fob and their own card, but under your name and with you on the hook.

Ultimately, there will have to be developed or utilized some form of technology to uniquely identify an individual signing up for a credit line. Biometrics perhaps? And then take that technology and make it such that it can be used over the internet or some other means that makes signing up for credit less of a headache than having to drive somewhere. Honestly, I'd be willing to drive somewhere local to apply for any form of credit, if it meant that I'd be guaranteed no one could sign up in my name without my eyes/hand/whatever.