Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Dumpster-Diving for Your Identity 344

The NYT magazine has a story titled Dumpster-Diving for Your Identity - the author interviews two convicted identity thieves talking about their methods and successes.
This discussion has been archived. No new comments can be posted.

Dumpster-Diving for Your Identity

Comments Filter:
  • by RobertB-DC ( 622190 ) * on Friday December 19, 2003 @08:00PM (#7770125) Homepage Journal
    I tried to use Google News [google.com] to find a registration-free link. No luck. Will this do?

    Dumpster-diving bears at greater risk [cjonline.com]

    It's not about bears stealing your identity, though I pity the bear that applies for a Visa card with a FICO [myfico.com] as bad as mine! But it is an interesting tale:

    Then there are the people: One older woman set out a batch of syrup-slathered pancakes for the bears, and some parents smeared peanut butter on their children's faces so they could photograph cubs licking it.

    Where's Darwin [darwinawards.com] when you need him?
  • by shakamojo ( 518620 ) * on Friday December 19, 2003 @08:02PM (#7770140)
    Remind me to check my dumpster here at the office for a NYT login...

    But seriously, we use a shredding company here at my office for our important papers. They're supposed to do all the shredding "on site" in their truck. Yesterday they were here to empty our shred bins, and they brought in a big trash bin to haul our stuff out to the truck. One of these bins was sitting in the hallway, and no one was around, so I took a peek inside. It was papers from an accounting firm down the street! I mean, we're supposed to be paying these guys to keep our info secure, but here they are waiting until their bin is full before they shred anything?! Needless to say, I had a long conversation with our facilities manager after this...

    If you want something done right, better do it yourself! I'm now using a $30 shredder BEFORE I dump anything in our shred bins! Who knows where our important documents have been travelling to before they actually got shredded?!

    This is why I burn all my important docs, credit card offers, old checks, etc... at home, who knows who is going through your trash? All they need is an account number, and a shredded document can be taped back together with enough motivation and time... (although with some people being easy marks, I guess the harder you can make it, the better!)
    • by Jason1729 ( 561790 ) on Friday December 19, 2003 @08:17PM (#7770265)
      Quick question...since personal shredders are only $30, why does your company use the shredding service at all? It would probably be cheaper to outfit every employee (or at least every department) with their own shredder than pay for 2 months of that service, when you empty your personal shredders, just use ordinary recycling for the shreds.

      ProfQuotes [profquotes.com]
      • by Brushfireb ( 635997 ) * on Friday December 19, 2003 @08:44PM (#7770456)
        While I cannot say for what reasons the poster above uses professional shredding services, I do know why such services still exist.

        The difference between a $30 Office-Depot Shredder and a good commercial shredder is significant. The Cheapo shredder usually shredes only vertically, and does so usually so that there are about 20 cuts down one page. People sending 3-4 documents in at once will find that they have those 3-4 documents nearly intact, just cut into 20 vertical peices which are easy to put back together if someone is careful in extraction.

        On the other hand, good commercial shredders litterall demolish the paper, turning it into sawdust like material that would be impossible (virtually) to reconstruct. Along these same lines, good document security companies use combination of methods, not just shredding to ensure security (read: chemical treatment, randomization, etc).

        • by pla ( 258480 ) on Friday December 19, 2003 @10:17PM (#7770949) Journal
          The Cheapo shredder usually shredes only vertically, and does so usually so that there are about 20 cuts down one page
          On the other hand, good commercial shredders litterall demolish the paper, turning it into sawdust like material that would be impossible (virtually) to reconstruct.

          I have the second-cheapest cross-shredder I could buy from WallyWorld (Yeah, I know, evil, but show me a Mom&Pop that carries cross-shredders). For USD$25, I end up with 0.25" by 1.5" confetti. Good luck putting that back together.

          And for a teensy bit extra security, when I empty the bin, I dump a cup of water on it for good measure. 15 minutes later I have paper mache - Even if you could still recognize a word here and there, how do you scoop it out of the wet blob to reassemble without obliterating it?. I suppose I could go a step further and burn it as well, but really, why bother? Anyone wanting my personal data that badly can get it a lot easier than searching my garbage for paper mush.
          • by berzerke ( 319205 ) on Saturday December 20, 2003 @03:47AM (#7772197) Homepage

            ...Anyone wanting my personal data that badly can get it a lot easier than searching my garbage for paper mush.

            And there lies the answer. You don't have to perfectly destroy the papers. Just make it cost more to get the data than the data's worth. Even the most basic methods (straight shredder) will deter most thieves. Unless you're being specifically targeted, there's always the idiot down the street (or next door) that's an easier target.

          • I end up with 0.25" by 1.5" confetti. Good luck putting that back together.

            Its simple, you dump the stuff out on a scaner, do a boundry scan and then run length encode each end and then sort thouse. The result is a map of how to put it all back together. No big deal and there is shareware that will do it.

            That size of paper is good for running through a blender with a bit of water.
        • In addition, there's the "liability" factor.

          If someone happens to get ahold of your sensitive data, it's nice for the bigwigs to have someone to blame other than themselves....

          Think about it. Someone forgets to shred some confidential documents in their own personal shredder, and they get into the dumpster intact. That would be a whole lotta egg on the company. But, if the shredding company acidentally let a document "leak", then they'd probably lose more than just face... they'd probably lose a lotta
      • by the pickle ( 261584 ) on Friday December 19, 2003 @08:49PM (#7770502) Homepage
        since personal shredders are only $30, why does your company use the shredding service at all? It would probably be cheaper to outfit every employee (or at least every department) with their own shredder than pay for 2 months of that service

        Because $30 personal shredders suck ass. They're cheaply made, their motors burn up if you put more than 5 sheets at a time through them with any regularity, and they jam very easily.

        Spend a hundred for each one and you might get something worth using.

        Spend $1500 for a serious industrial crosscut confetti model and let 30 employees share it and your company is probably far better off than with either of the above options, or the shredding service.

        Bonus points if the company then sells the shredded paper *directly* to a pulp mill ;)

      • by igrp ( 732252 ) on Friday December 19, 2003 @08:50PM (#7770511)
        Well, in my experience it usually boils down to one, or a combination of, the following:

        • ignorance
        • incomptence
        • liability

        That's one of the reasons the military and (some) government agencies have adopted standarized protocols to deal with this kind of stuff and generally are quick to reprimand those who violate policy.

        Many security problems these days have to do with the fact that people for some reason refuse to apply common sense -- requiring people to wear ID tags at all times and conducting thorough background checks is not going to do any good if you just dispose of confidential documents into some backyard alley dumpster.

      • by timshea ( 257474 ) on Friday December 19, 2003 @08:57PM (#7770559)

        The cost of having every employee or department having their own shredder isn't restricted to the initial $30/seat investment. There's also the time involved in shredding documents.

        Probably not a good example, but:

        I once had a job which involved faxing purchase orders to suppliers. When I first started, the process was:

        1. Print batch of purchase orders.
        2. Go to accounting department. (I didn't have a fax machine on my desk.)
        3. Fax each purchase order individually.
        This process consumed 2 to 3 hours of each of my days.
        COST: 2 to 3 hours employee time per day.
        SAVINGS: $100 one-time cost of fax machine

        Upper management greatly improved the situation when they donated a fax machine from their office for my desk...because it didn't meet their needs - it didn't automatically identify the sender in the page headers.
        COST: 45 to 60 minutes employee time per day; plus additional 40 minutes of long-distance calling per day for the header page.
        SAVINGS: $100 one-time cost of fax machine; 2 to 2-1/4 hours employee time per day.

        Although it saved the daily trip to the accounting office, faxing now required a header page identifying where the fax was coming from. At least I could be mostly-productive while doing the mindless hours of fax work.

        1. Print batch of purchase orders.
        2. Fax each purchase order individually, with header page.

        Eventually, we did end up with a fax modem which was connected directly to the mainframe which saved even more time.
        COST: $300 for the fax modem; software written in-house in about an hour
        SAVINGS: 2 to 3 hours of employee time per day

        Queue batch of purchase orders.

        Time is money - even if it is 15 minutes.

      • by migstradamus ( 472166 ) * on Friday December 19, 2003 @09:02PM (#7770589) Homepage
        Getting all your employees to do it is the main problem. There is no way you're going to get the consistency you need.

        Another reason is liability. Having a company you can sue is nicer than having to cut your own throat by firing someone who screws up.
      • by Radical Rad ( 138892 ) on Friday December 19, 2003 @09:09PM (#7770626) Homepage
        Quick question...since personal shredders are only $30, why does your company use the shredding service at all?

        $30 personal shredders won't handle many items such as old badges, bernoulli disks, floppies, backup tapes, CD's, last year's Xmas fruitcake, whistleblowers, etc.

      • by garcia ( 6573 ) * on Friday December 19, 2003 @09:35PM (#7770765)
        We use a shredding company to do our work as well. The papers are put into a loosely locked box and picked up monthly.

        The man who picks ours up is a toy short of a happy meal. He rarely says more than an incoherent mumble or two. Something usually about the damn lock on the door (I share his frustration).

        We started using them after we shred about 5000 pounds of confidential data. I filled 12 large bins that they provided for us. These were probably 3.5 feet tall and large enough for at least two of my fat asses to fit inside easily.

        Why do we use them? Because it would take me two or three days to destroy a single box of paper records that we have. I don't have time for that.

        It's something like $500 for 5000 pounds. You do the math... Pay an employee $15/hr to shred documents for 3 days ($15 x 8) x 3 or $500 for 5000 pounds.
    • Taking it a step further... some family members work for DoD contractors. They have a system where used toner cartridges are accounted for before incinerating them because a bit of skill can retrieve the last few pages from them. Same for media such as CD's and HDD's. The machines these parts come from are locked in a bank vault with *no* networking, no portable devices allowed, etc.

      I can vouch for the effectiveness of dumpster diving; I snarfed the entire budget info for the science dept. in college once.

  • by js7a ( 579872 ) * <james@@@bovik...org> on Friday December 19, 2003 @08:02PM (#7770143) Homepage Journal
    ''It was the first time I had ever been to the dump,'' Massey recalled, wrinkling his nose. ''I said, 'I'm not going to get dirty,' so I wandered over to a shed where the recycling was stored. I notice there's a big barrel for recycled paper that's full of discarded tax forms from an accounting firm.'' Each form had the person's name, date of birth, Social Security number -- all the information necessary for taking out a line of credit.

    My local police department recently published a blurb asking residents to dispose of identity theft-related materials (e.g., financial statements, anything with a SSN, etc.) in the ordinary garbage, instead of the "mixed paper" recycling bins as we've been asked by the rest of the city government.

    It seems that identity thieves are very happy about the shared, clean, and portable "mixed paper" recycling containers found throughout my (rather affluent) city, and they tend to pick them up, quickly sort through the cereal and microwave dinner boxes for the good stuff, and have the container back before anyone notices.

    Presumably today's dumpster divers have the luxury of avoiding coffee grounds, so you can go a long way towards protecting yourself by dumping the financial correspondence in with the smelly stuff.

  • by irokitt ( 663593 ) <`moc.oohay' `ta' `ruai-setirdnamihcra'> on Friday December 19, 2003 @08:05PM (#7770161)
    I produce very few pieces of paper that have sensitive information like this. I am more worried about the information on my computer, which is sensitive. Companies, on the other hand, do need to worry.
  • The solution is easy (Score:5, Interesting)

    by Kirk Troll ( 729217 ) on Friday December 19, 2003 @08:07PM (#7770176) Journal
    If you're so worried about ID theft, then maybe you should keep a close eye on your credit card bills, credit scores, etc.. Buy a paper shredder. Shred all bank statements and whatnot before you throw them out. Internet-shminternet, dumpster diving is the fastest way to someone's finances. Get the carbons at the gas station, or stores where they still use the old carbon-thinger credit card machine.

    I knew someone who got screwed big time by a gas station who would keep the carbons, and double bill her every time she filled up, the cash going straight into the owners pocket. She was a dope for letting it go on so long, as she never bothered scrutinizing her Visa bills. Turned out the station was owned by a Russian mobster. This was long before the world wide weeb.

    Just don't toss your sensitive data into the dumpster where any bum can get your CC number.
    • Important add-on (Score:5, Insightful)

      by karevoll ( 630350 ) on Friday December 19, 2003 @08:14PM (#7770244) Homepage
      Im not saying Im agreeing with the parent post, but if you do, please remember that certain papers must be filed by you for a period of up to 10 years.. so you might want to do what most people in this situation does: buy a small file-safe... othervise you might end up having troubles with the IRS, and we dont want that, do we?
    • by A Commentor ( 459578 ) on Friday December 19, 2003 @08:31PM (#7770364) Homepage

      How does that protect you from the information theft that occurs with others that you have to deal with? If you have to see the doctor, and had it billed to insurance, most likely you're Social Security Number was seen by many people. Anyone of them could copy the number name and start opening accounts. I guess you could avoid the doctor offices too.

      Having gone through this a few years back, it not as simple as you state. They didn't have any personal Credit Card numbers, just the SS # and they opened new accounts with that. Luckily one of the companies actually took time and flag the application for inconsistencies... Credit Report showed working at a computer company, yet the application said I cut hair... not many people make that kind of job change. The lady actually track me down, and I was able to clean it up relatively easy. If I had to wait for the next review of my credit report (which is recommended every year) with could be upto 12 months before this is detected, would make it much harder to clean up.

      When a few companies was questioning me, as if I was involved in the scheme: "How did you find out about this if you weren't involved", it was quite satisfying to respond: "Mrs. X at company Y actually inspected the credit application and contacted me to verify that I didn't sign-up. She was the first to notify me and you can reach her at: xxx-xxxx. Don't blame me for your companies lack of verification."

      • by Elwood P Dowd ( 16933 ) <judgmentalist@gmail.com> on Friday December 19, 2003 @09:24PM (#7770708) Journal
        If you have to see the doctor, and had it billed to insurance, most likely you're Social Security Number was seen by many people.

        And those people don't necessarily work for your doctor or your insurance agency. I worked as a temp for a few weeks at a medical imaging billing company. Since a doctor that works in medical imaging processes a *ton* of patients, the billing becomes a large portion of their office's work. This is (I suspect) almost always outsourced.

        My first day on the job, they handed me a stack of several hundred people's names, addresses, phone numbers, SOCIAL SECURITY NUMBERS AND MEDICAL RECORDS. This is pre-HIPAA. Dunno how it works now.

        Let alone identity theft, one of the records they handed me that week was a well known elected politician's totally routine mammogram. Her results were clear. Imagine what that kind of leak could do to an election if it were not.

        Obviously their entire business process needed to be completely redesigned if they wanted to provide some semblance of privacy. And you don't know if this company handles your bill or not. And such a redesign would raise their costs astronomically. It might even make them non-competitive with in-house billing. This doesn't mean it's ok, it just means it's not going to happen unless they're forced.

        Obviously, I could go on and on.
      • How does that protect you from the information theft that occurs with others that you have to deal with? If you have to see the doctor, and had it billed to insurance, most likely you're Social Security Number was seen by many people.

        Many of those people weren't even supposed to see it. I was just in the doctor's office recently and when I looked in through their window I could see a woman's name, DOB, and SSN on a piece of paper right in front of me. The SSN was helpfully written very large on a pos

    • Shred all bank statements and whatnot before you throw them out.

      You throw these out!?!? Never, in my wildest imagination would I consider taking such critical records and disposing of them. I've got my account histories (at the touch of a lock) form three banks over 15 year - I've even got records fom companies that closed, long before the whole 'get it online' rush. This is why I request paper copies of those records: so I can keep them.

      Certainly, someone can break into my house, ignore all the shiny,
    • by John Courtland ( 585609 ) on Saturday December 20, 2003 @12:27AM (#7771563)
      Having abhorrently bad credit is the best way to protect your financial assets. No one is going to get a credit card under MY name, that's for damn sure.

      Easy way to do it is to not pay a utility at an old residence (People's Energy is trying to extort $50 for the 0.07 therms of natural gas I used at my last apartment, and they will never see a dime of it. And no, I'm not kidding about the 7/100ths of a therm.)
  • But... (Score:5, Funny)

    by The-Bus ( 138060 ) on Friday December 19, 2003 @08:08PM (#7770182)
    What if all your bills are past due? Then it doesn't matter. It's like that old joke (or is it a scene from a movie?)...

    "A thief stole my credit card and has been using it for the past couple of months."
    "Oh my! Why haven't you reported it?"
    "Because it still works out to be cheaper than me using it!"
  • Burn Them. (Score:5, Funny)

    by vspazv ( 578657 ) on Friday December 19, 2003 @08:08PM (#7770190)
    This is the reason i have a fireplace in addition to central heat and air. Well, that and the fact that i like making smores.
    • This is the reason i have a fireplace in addition to central heat and air.

      We used to shred constantly until we moved out to the country. Now, we're never short of kindling for the trash barrel! Too bad I didn't "remember" to update the address on all my domain name registrations, though. Heh.
    • by wart ( 89140 ) on Friday December 19, 2003 @08:33PM (#7770379) Homepage
      Fireplaces produce too much air pollution. The ecologically correct way to dispose of these sensitive documents is to first shred them. Then mix the paper shredding into your backyard compost bin or worm bin and let nature dispose of it cleanly.

      I doubt that many id theives would want to rummage through your compost bin, if they even thought to look there in the first place.

      For added security, add a couple of large dogs to your backyard. They will help deter personal property thieves in addition to compost-diving identity thieves!
  • by dandelion_wine ( 625330 ) on Friday December 19, 2003 @08:12PM (#7770225) Journal
    I've always taken a few moments to shred my bank machine receipts when I get them. Since sorting for recycling takes time anyway, I've always gone through it and shredded anything remotely useful, long before the notion of "identity theft" became mainstream.

    Honestly, if people would just be a bit more paranoid, and not worry about being casual with risk as a fashion statement, these guys would have a lot less to go on.

    That's with regard to personal papers. Businesses should know better, and should get their asses sued for failing to protect sensitive information that was entrusted to them by their clients.
    • by Anonymous Coward
      Diligence is well worth it. Before I met my wife, she had dramas with her card. The short story is a male several hundred miles away used her card and number to pay for his utility bill. It was a small enough amount that she didn't notice immediately, but came to notice almost a year's worth of payments to a company she had no dealings with.

      The dumb bit? They were useless to deal with. Despite the fact a male had been paying his utility with her card (her name's Katie, it's not like that could be mistaken
    • Recycling.... (Score:3, Interesting)

      by Avihson ( 689950 )
      That is why I recycle all my personal papers into tinder for my wood stove.
      Properly rolled and bound newpaper "logs" burn for a long time, and give up some nice heat.
      I use the cheap single cut shredder to shred everything with personal info, this is good enough for starting the fire.
      I cut the address from my old trade periodicals before I drop them off at the waiting room at my Doctor's office. Better computer magazines than Women's Day.

      Now before all of you green geeks flame me, the county stopped collec
  • by Lancer ( 32120 ) on Friday December 19, 2003 @08:13PM (#7770235) Homepage
    By the time investigators broke the case, Massey and his partner in crime, a computer whiz named Kari Melton, had ruined hundreds of people's credit. A judge sentenced them to prison in 2000; Melton was released in 2001, Massey the next year.
    Given the amount of turmoil, headache, as well as real monetary loss these crimes must have caused, it's amazing to me that they each spent less than two years locked up.

    I'd argue that was nothing but a slap on the wrist, and not much of a deterrent to future fraudsters.

    • Well, you know, you have to keep all those pot users in lock up for five-to-ten. Imagine what *they* would do if they got out!
      • I'll tell you what they'd do: single-handedly revive the bread market that's starting to suffer because of people starting the Atkins diet.

      • It's too bad you've been modded up as funny so far - you've nailed the issue.

        I'd be willing to bet that most Americans would choose to put away criminals like those in this article for much longer sentences than they would choose to put away marijuana pushers, if ever give na direct choice.

        Regrettably, most of our politicians, DAs, and judges don't have the backbone to rethink our drug policies.

        I'm getting off-topic, clearly, but the point is that if they had locked these guys up for 20 years, it woul

  • by UrgleHoth ( 50415 ) on Friday December 19, 2003 @08:15PM (#7770252) Homepage
    Here is an interesting couple of articles on identity theft by Robert X. Cringely (or Mark Stephens [xent.com], depending on your version of reality).

    Ego, Super-ego, and ID Theft [pbs.org]
    How to Steal $65 Billion [pbs.org]
  • How ironic (Score:5, Funny)

    by Rosco P. Coltrane ( 209368 ) on Friday December 19, 2003 @08:17PM (#7770264)
    The New-York "registration required" Times running an article on people fishing for other people's personal information, that's amusing ...
    • Just wondering (Score:3, Insightful)

      by lurker412 ( 706164 )
      OK, I'll burn some karma here by being off-topic and politically incorrect. I don't understand why everyone seems to be so concerned about NYT registration. I registered years ago, and just out of curiosity I looked at my user profile just now. It showed an old, long-defunct email address and a fraudulant zip code. There were some other demographic drop-down boxes that I had never selected. So what's the big deal? I had to supply an email address to register for /. too. Neither one has abused that i
  • by FelixCat ( 594769 ) on Friday December 19, 2003 @08:20PM (#7770282)
    The NY Times article is about a guy named Stephen Massey.
    A little googling resulted in the same basic story without the registration:

    refers to future article in NY Times [here-now.org]


    Over a year ago on CBS News [cbsnews.com]

  • by Metallic Matty ( 579124 ) on Friday December 19, 2003 @08:22PM (#7770298)
    Why do I need to do that? I know who I am..
  • Anonymous FTP (Score:5, Interesting)

    by Eberlin ( 570874 ) on Friday December 19, 2003 @08:23PM (#7770306) Homepage
    One electronic version of "dumpster diving" would be looking through a company's website/anonymous FTP server. Sometimes, a few moronic folks decide to store otherwise-vital information in these "undisclosed" locations that anyone can get into over the web.

    Somewhat popular among the consulting types, they upload client data to an FTP server, then fly off to the client's office, and download it from there...or maybe use it as a means to "share" data among themselves. Some forget to password-protect it, relying instead on security through obscurity.

    How is this related to dumpster diving? Well, if you look hard enough, those servers are just like public-access trash bins fit for people to...um...recycle data.

    If you're a consulting group, make sure you treat your client data with absolute confidentiality. If you're a business working with consultants, make sure they don't leak your info to the world.
    • a journalist in my country (Poland) made an investigation about possible uses of Kazaa to find data of national importancy (I cannot find URL now, and the article is written in polish ;).

      In just a few hours he found documents related to national security and bussiness. Mostly because careless employers of crucial national institutions carelessly install Kazaa just to download junk, and don't even know (or understand) that they share C:\My Documents\ directory. This is outrageous.

      The journalist said th
  • NYT random login (Score:2, Informative)

    by Anonymous Coward
    >>Remind me to check my dumpster here at the office for a NYT login...

    Use this to randomly generate a login for you
  • ...burn it in the barbeque, or in a fireplace if you have one.
  • by Anonymous Coward on Friday December 19, 2003 @08:28PM (#7770339)
    Dumpster-Diving for Your Identity

    Published: December 21, 2003

    tephen Massey was only a few minutes late, yet he apologized profusely as he strode into the lobby of a crowded restaurant in downtown Eugene, Ore. ''I'm very punctual about my time,'' he said, clasping my hand in a firm shake. With his freshly combed hair, crisp white shirt and trimmed mustache, he looked like an off-duty cop or fireman -- a ''pillar of the community,'' as he later described himself, a wolfish smile playing across his lips. Far from it: Massey, 39, directed one of the most extensive and notorious identity-theft rings prosecuted so far by federal authorities. By the time investigators broke the case, Massey and his partner in crime, a computer whiz named Kari Melton, had ruined hundreds of people's credit. A judge sentenced them to prison in 2000; Melton was released in 2001, Massey the next year.


    The Federal Trade Commission estimates that identity theft costs nearly $53 billion annually. Some seven million people were victimized in 2002. Yet little is known about how the perpetrators actually operate. It's a popular perception that most identity theft happens on the Internet, but over the course of dinner, Massey quickly made clear that low-tech methods of getting people's personal information are far more effective. ''Every day was exciting,'' he recalled between mouthfuls of potato skins. ''We went to Vegas, Atlantic City. We made a business of it. It was like James Bond . . . 'Mission: Impossible.'''

    In late October, Massey disappeared, violating the terms of his supervised release and prompting a national warrant for his arrest. It had become clear to me in five months of interviews that not everything he said was to be trusted, although much of it was verified by the detectives and prosecutors who had already investigated his crimes and by Kari Melton. As for Massey's current whereabouts, Steve Williams, a detective in the Eugene Police Department, who worked on the first case against Massey and is once again on his trail, said: ''My gut feeling is that he is in the Seattle area'' -- where he has family -- ''back to his old tricks, doing drugs, identity theft and counterfeit checks.''

    If Massey has indeed resumed operations, it's a sure thing that he's not working alone. His identity-theft crimes depended on the work of a carefully built ring, one that employed hordes of petty thieves and drug addicts. If he sticks to his old techniques, his crimes will originate in Dumpsters and garbage cans, where information can be culled from discarded personnel files and other trash. It's not the most glamorous crime, but that doesn't make it any less devastating to its victims.

    Discovering the Dump

    Massey's life began to unravel in his late 20's, soon after he started experimenting with the highly addictive stimulant methamphetamine. Before that, Massey achieved some semblance of success, managing an awning-maintenance company, marrying and, with his wife, having two daughters. Then he and his wife divorced in 1992. Soon after, he remarried, and divorced a year later. His business began to decline. Sometime in the mid-90's, his teenage girlfriend offered him some meth. ''So here I am with no place to live, on the rebound and with a habit,'' Massey recounted. ''Who wants to look for a job again?'' Massey began hanging out with a much younger crowd of meth addicts, called ''tweakers,'' and forging checks to feed his drug use. It was during this time that he began to wonder if he could hijack people's identities for profit. He stumbled onto the answer soon after, when the meth-heads invited him to go ''Dumpster diving'' for junk. Massey and the teenagers piled into his Ford Explorer and drove to the outskirts of Eugene.

    ''It was the first time I had ever been to the dump,'' Massey recalled, wrinkling his nose. ''I said, 'I'm not going to get dirty,' so I wandered over to a shed where the recycling was stored. I notice there's a big barrel for rec
    • by Anonymous Coward
      we will continue to have situations where the banks don't give a damn about your identity being stolen, and will continue to refuse assisting in investigations.

      Why should they? It's a 100% writeoff.

      Start changing the writeoff to 95% next year, 90% the year after that, 85% 3rd year, and see how fast they change their attitude.
  • "I was an actor," Massey told me. "I could put on a new hat every day. Who do I want to be today? The feeling after you've just hooked them, is just, like, bam!" He smacked his fist into the palm of his hand. "Take that, Bank of America!"

    Of course, by which he means, "Take that, people who have spent their lives helping other people and getting paid for it! All that money you saved is mine now!"

    Not only is a two year sentence too short, it'd be fine with me if this guy were beaten to death.
  • a fiancee of my cousin (who is in the Air Force), says that US military top secret documents, which are destined for destruction, have to be escorted by 2 armed guards, and thrown into an oven which bakes the quadruple-shredded-and-reshredded dust of the formerly top-secret document at 1600 F for 1 hour.
    • by EvilTwinSkippy ( 112490 ) <yodaNO@SPAMetoyoc.com> on Friday December 19, 2003 @08:45PM (#7770472) Homepage Journal
      You can't shred a classified document. It has to be "declassified" and then you can destroy it. My mom used to do it as a summer job for the Navy. Basically you stamp it "declassified" with a rubber stamp first. (Of course after the proper parties sacrificing the appropriate number and quality of chickens.)
    • by Artifakt ( 700173 ) on Friday December 19, 2003 @11:51PM (#7771412)
      The DOD standard for wiping a hard disk that has held "secret" grade info involves an appropriate screwdriver, and a power sander applied to all magnetic surfaces until the oxide coat is polished away to bare aluminum.
      Even "Confidential" requires a cross cut shredder built to certain standards to destroy. The most common reason for confidential classification is the document contains personal information, such as SSNs. It's common for military units to read a briefing statement that explains what a SSN is being asked for each and every time it is mentioned, and to warn service members when it is optional to provide one.
      "It is your option not to provide your SSN for this insurance document. The Department of the Army may have difficulty tracking the issued policy, and it may delay your designated heirs receiving benifits if you elect not to do so".
      Can you imagine if the average doctor's office took it this seriously?

  • Not news (Score:2, Informative)

    by cpopin ( 671433 )
    This is not a new technique and doesn't seem worthy of a Slashdot story. Low tech identity theft is nothing new or hard to do.
  • by gtrubetskoy ( 734033 ) on Friday December 19, 2003 @08:44PM (#7770460)

    If your mailbox is on the curbside like mine, seriously consider getting a secure lockable one where the mailman can only drop mail off, but a key is required to retreive it. I just received mine from oregontrailbox [oregontrailbox.com]. I did some research, there are a few places that sell those under different names, but the ones I liked are actually the same box that seems to be manufactured by pinnacle [lockingmailbox.com] (or pinnacle is yet another reseller of the same box made by a unknown third party....)

    In any event, I will be installing my Heavy Duty Standard tomorrow...

    OpenHosting [openhosting.com] Virtual Servers for the geeks.

    • by JediTrainer ( 314273 ) on Friday December 19, 2003 @09:24PM (#7770707)
      In Canada, hardly anybody has a curbside mailbox anymore (or even mail delivered to individual homes), unless you live on a farm or something. How's it work in other countries?

      Most neighbourhoods here have a bank of mailboxes, each with a lock (small door, but deep enough to hold a standard letter envelope). Walk (or drive, if lazy) down the street to your mailbox. I guess Canada Post likes that system because they can deliver our mail much easier this way - essentially in bulk. Each bank has a pair of larger parcel boxes, in case you get a deliver that doesn't fit in your letter-size box. The nice man leaves you a key for 'compartment A or B', you take your package out, and deposit the key in the mail slot so the mailman can retrieve it with tomorrow's mail.

      My only annoyance is some neighbours, who don't like receiving junk mail, leave it on top of the cabinet, leaving the garbage for everyone else to see. Why they can't just take it home and stick it in their recycling box is beyond me.
    • Excellent idea. Check the lock regularly, by the way. Here's what happened to me. I had my identity stolen because the outgoing mail slot at my apartment complex had a busted lock. In my case the thief got an insurance form with my SSN and checking account number. The mail slot door was cleverly wedged shut so that it wasn't obvious that the lock was busted, but after I and several other residents reported thefts the problem was discovered by accident when one of the on-site managers was just checking to
    • In Britain, your "letter box" is just a slot in your front door, far enough from the locking mecchanism that you can't put your hand in and open the door. Stuff can be pushed in, but not taken out. It works quite well.
  • I found the article useful since it provided ideas on HOW people gain access to your info. Made me think I have to do more.

    One thing that was disappointing is that its not always a slip on an individual's part. A hospital could be sloppy with records and you've got a big target on your head. (...or wallet.)


    PS: I do like those Citibank identity theft ads. They're funny. Too bad they didn't tell you more about how to protect yourself except to buy something.
    • All the more reason to stop blaming the victim. I love how authorities seem to think that handing out assinine advice is better than actually prosecuting these cretans.

      If jail space is the issue, stop locking up drug offenders and/or bring back corporal punishment. A nice "IDENTITY THIEF" brand on the forehead would be a good start. Perhaps reversed so they can read it for themselves in the mirror every day. My other thought is a tattoo on the fingers, one ring for each guilty conviction. Heck, I'd even c

  • Abolish the SSN! (Score:5, Interesting)

    by jcr ( 53032 ) <jcr@@@mac...com> on Friday December 19, 2003 @08:46PM (#7770474) Journal
    I have had way too many people asking for my SSN in the last few years. It started with my dentist's secretary demanding it, and when I declined to provide it, she insisted that they needed it for my dental records.

    I told her, "You're not offering me a job, and I'm not opening an iterest-bearing account with you. You don't need my SSN, and you're not getting it."

    About a month ago, a freaking cell phone provider asked me for an SSN just to get an account with them? WTF?

    • by devphil ( 51341 ) on Friday December 19, 2003 @09:29PM (#7770730) Homepage

      ...because something even more invasive would be put in its place. The Devil that ya know, and all that.

      We don't even need to pass new laws to restrict the use of the SSN, because we already have them. It's not supposed to be used for any identification purpose other than actual Social Security.

      Once again, the problem is not lack of laws. It's lack of enforcement. (Look at Bush and Kenny Boy, and tell me if you're surprised.)

  • by soft_guy ( 534437 ) on Friday December 19, 2003 @08:53PM (#7770531)
    When I read about guys like this - they are always idiots. Basically he got caught because he was hanging around a bunch of crazy drug addicts.

    I keep wondering if for every guy like this they catch, there must be like 3 guys who are really careful and "normal people" (i.e. professionally minded, don't take drugs or hang around prostitutes, etc.) who do these type of crimes to build up some large amount of money, then move someplace and live off the interest. Those would be the guys that would be real hard to catch.

    I wonder if those kind of criminals exist and in what numbers?
  • by mikewas ( 119762 ) <[wascher] [at] [gmail.com]> on Friday December 19, 2003 @08:58PM (#7770563) Homepage
    I just had to run in to work to create a report. I needed some data in a former employee's directory, so logged on as root & changed permissions so I could read anything in his directory tree.

    He had all sorts of personal data in his home direcrtory: passport & visa applications, paycheck stubs for several years, copies of expense accounts including scans of credit card statements, info about his retirement from the company we used to be a part of, ...

    Once I realized what it was I rm'ed it, but what would posses a supposedly rational person to not only save this data to a networked machine at work but to leave it there after leaving the company?

    • by Anonymous Coward
      Don't know about your case there, but in some cases, the dismissed employee doesn't exactly have the time to pack up his things, and go through all his files as well. Depending on how immediate your termination is, companies don't really like "ex-employees" to have computer access.

      The real lesson there is not to have personal information on work-machines to begin with.
  • by Presence1 ( 524732 ) on Friday December 19, 2003 @09:38PM (#7770773) Homepage
    When the Social Security Act was originally passed in the 30s, there was a significant concern that the SSN would become a de-facto Citizen ID. To allay this concern, the law contained specific provisions making it ILLEGAL to require the use of the SSN for any use not directly related to its purpose in identifying income and determining benefits. In other words, if you are not being paid, or having the opportunity to earn interest, they cannot require you to divulge your sSSN

    The two primary examples of this use are the medical profession adn the Motor Vehicles establishment, both of whom seem to think the SSN is a handy Unique ID. Obviously, this magnifies the security risk for anyone who complies. Here's how to deal with both.

    When you sign up for health insurance, fill in the SSN field with the phrase "assign ID". Sometimes they will just do it, but usually some clerk will complain that you haven't completed the form, they can't process it, etc. Firmly explain (often several times) that this is illegal, and that their companies have procedures to handle this, and that they need to speak to their manager. They will soon return with a sheepish demeanor, and you will get an ID in the SSN format.

    Now, whenever you go to ANY doctor, dentist, hospital, or whatever, fill in this assigned ID as your SSN on their form. If asked whether this is your SSN, simply respond that "This is the correct ID.", and do not let pressure you into revealing your SSN.

    The DMV and police may be easier or more difficult to deal with. The DMV should have a checkbox on the form which allows you to decline using the SSN, usually with some corresponding inconvenience. E.g., some states will require you to come in for renewed licenses, whereas they will mail them if your SSN is in their system. If your state doesn't have this option and you cannot argue them out of it, transposing a few digits might not be a bad idea.

    When dealing with the police (e.g., in a speeding ticket situation), I've found it is best not to tell them that their request for your SSN is illegal. Best to just say that you don't remember it. Of course you don't want to give false information, right?

    These tactics will obviously not close all vulnerabilities, but they will eliminate two major potential sources of identity theft. Good Luck.

    • by michael ( 4716 ) * on Friday December 19, 2003 @10:37PM (#7771044) Homepage
      This is not really accurate. The whole first paragraph of that comment is false.

      There are no laws that forbid the private use of the SSN for any reason whatsoever. Any private entity may demand your SSN as a condition for interacting with you; you must provide it or they may refuse to interact with you. (For instance, getting health insurance or a credit card.) The Privacy Act of 1974 made some restrictions relating to *governmental* (only) uses of the SSN as an identifier; when government agencies demand your SSN, they have to tell you their legal authority for requesting it and what the penalties are for failure to comply. This requirement is largely ignored in practice - for instance, when I was serving on jury duty, the court clerk demanded my SSN (to withhold income taxes on the $12/day jury payment), and when I pointed out that they were violating the law by not disclosing the authority for this request, the clerk was singularly unimpressed. If the court system is violating the law... but I digress.

      The rest of the comment (seek to use an assigned number rather than your SSN whenever possible) is good advice, and will often work, albeit at the cost of some hassle. CPSR has a good FAQ [cpsr.org] with some more information.
  • by mi ( 197448 ) <slashdot-2017q4@virtual-estates.net> on Friday December 19, 2003 @09:46PM (#7770812) Homepage Journal

    If it is not bad intention, it is just stupidity. For a while, I had a fax number, which was the same as that of some medical lab (or insurance company) -- except for the area code.

    Twice a week a fax would arrive from a doctor's office in my area -- thanks to an absent minded "office manager" or some such. Due to the nature of the business, all faxes contained not only the patients' names, SS#, but also diagnoses, health histories -- the works! I called them back every time -- boy, were the morons surprised... They never even bothered to check the fax ID string, which I had configured to my company's name.

    Not to give any ideas, but how difficult is it for a scumbag to get a phone number similar to that of a claims department of an insurance company?.. Or a mortgage department of a bank? You can guess the other steps she/he will need to make. Mind you, completely passive and impossible to detect. No dumpster diving involved either -- totally white-collar job...

    We can moan about the need to use encryption and authentication, but faxes don't have this feature at all. As long as this sort of information passes over telephone lines unencrypted, your info is not safe.

  • College Anyone? (Score:5, Insightful)

    by saderax ( 718814 ) on Friday December 19, 2003 @09:47PM (#7770817)
    What about idiot colleges who require are not allowed (legally) to request your social security number, but anyone can ask for your "student ID" which is coincidently the same?

    (all sarcasm aside, really what could one do?)
    • by mabu ( 178417 ) on Saturday December 20, 2003 @01:30AM (#7771803)
      By law, with few exceptions relating to the government, you are not obligated to give *anyone* your social security number. This is protected by the Fair Credit Billing Act of 1976 and the 1974 Privacy ACt. The ACLU has some good info on your rights andn your SSN [aclu.org].
    • Re:College Anyone? (Score:4, Interesting)

      by taped2thedesk ( 614051 ) on Saturday December 20, 2003 @02:54AM (#7772084)
      The University of Michigan implements this policy [umich.edu], and I think it works pretty well:

      A. Systems purchased or developed by the University of Michigan will not use Social Security numbers as identifiers unless required by law or business necessity.

      B. Each member of the University community will be assigned a unique identification number that is not the same as, or derived from, the individual's Social Security number.

      C. Systems purchased or developed by the University of Michigan will use Social Security numbers as data elements only, not as keys to databases.

      D. Systems purchased or developed by the University of Michigan will not display Social Security numbers visually, whether on computer monitors or on printed forms or other system output, unless required by law or business necessity.

      E. Name and directory systems purchased or developed by the University of Michigan will be tied to individuals' unique identification numbers, not to Social Security numbers.

      F. When databases require Social Security numbers, the databases may automatically cross-reference between the Social Security numbers and other information through the use of conversion tables within systems or other technical mechanisms.

      G. No new system or technology will be developed or purchased by the University of Michigan unless it is compatible with these regulations.

      The only times I'm asked for my SSN are for tax, financial aid, and health purposes.

      If you're concerned about the use of your SSN, and your school does something that blantently stupid (especially if they print your SSN on all your documents and on your ID card), you should go to a meeting of the governing body of the University (Regents, etc.) and present your case. Bring some examples of policy from other schools. It's kind of pointless to argue with the desk staff who ask for your SSN, as they are just doing what they are told and can't do much to help your privacy concerns. It might be hard to change the system, but it's worth a try.

  • by tempshill ( 413165 ) on Friday December 19, 2003 @10:17PM (#7770951)
    The easiest problem to attack here is that it's too easy to open a credit card account. If this were made a grueling, lengthy process requiring written correspondence, with extra safeguards for changing addresses, then all the credit card side of identity theft would be mooted.

    The FTC website says that if you're the victim of identity theft, you can contact the credit bureaus to put a FRAUD WARNING on the top of your credit card report. This makes me wonder whether we should all just do this anyway.

    I have read that in Europe, getting a credit card is difficult and not instantaneous, and that identity theft (at least, on the credit card side) is less of a problem.
  • by soybean ( 1120 ) on Friday December 19, 2003 @10:52PM (#7771145)
    Dumpster-diving is my identity!
  • Liability (Score:3, Insightful)

    by Detritus ( 11846 ) on Friday December 19, 2003 @11:03PM (#7771207) Homepage
    How about changing the law so lenders are required to verify the identity of the people they lend money to? If they don't, they would be prohibited from taking any legal action against the debtor, referring the debt to a collection agency, or putting a black mark on the debtor's credit record. The identity verification process would have to meet high standards, comparable to what the government requires before issuing sensitive licenses and identification documents. Maybe a current photograph, thumbprint, and signature, collected by someone like a notary public or other trusted person, and submitted directly to the creditor.
  • by Aetrix ( 258562 ) on Friday December 19, 2003 @11:04PM (#7771212) Homepage
    I don't know exactly how this is setup, but my father has some type of high-security flag set with the credit agencies. I found out about when he cosigned for a loan with me. He owns his own business and his business had identity-theft problems a few years back.

    So basically how it works, is that there's a phone number specified on his credit report and a secret question and answer. So if anyone makes an attempt to check my father's credit history, or take out credit in his name or SSN, the creditor must call the listed phone number and my father must answer the phone. They identify themselves and what creditor they're representing. Then they ask the security question and my father gives the correct answer. Now business can proceed as usual.

    It gets more secure when the security question/answer must be changed each time it's used. Plus, changing the phone number requires a 30-day written notice.

    I think that's a GREAT idea... Why don't more people implement that? Once I get some actual credit, instead of just Student Loans, I'm going to put that security measure on MY credit!

    • by Anonymous Coward on Saturday December 20, 2003 @12:07AM (#7771482)
      Anyone can do this (in the U.S. at least)... just call the three credit reporting agencies, and ask your account to be flagged with a "Fraud Alert". As an added bonus, companies that use your credit report to see if you are 'eligible' for their junkmail (i.e. credit card applications) are prohibited from sending you anything further.

      I had to do this a couple of years ago after someone stole my identity and started opening credit card accounts and spending thousands of dollars. Fortunately one of the banks caught some inconsistencies (very similar story to one of the above posts) which alerted me to the whole situation.

      Fraud Alerts 'expire' after a certain period (I think 2 years or 7 years depending which credit agency) but you can easily reinstate them. I will definitely continue to 'renew' mine. The minor inconvenience is that it will be more difficult/impossible to open a credit card account for a retail store (but these are mostly pointless) unless your cell phone number is the one associated with the fraud alert.
    • by mabu ( 178417 ) on Saturday December 20, 2003 @01:18AM (#7771751)
      This is called Fraud Alert [fightidentitytheft.com] and it's a very useful utility and a device to get free copies of all your credit reports.
  • Shredder Chair (Score:3, Interesting)

    by shadowcabbit ( 466253 ) * <cx@thefurryoRASPne.net minus berry> on Friday December 19, 2003 @11:07PM (#7771226) Journal
    Easiest solution to this whole mess, and one I'm seriously considering.

    1. Buy a personal cheapo shredder with a small wastebasket and shred stuff until the basket is full.
    2. Buy a beanbag chair.
    3. Remove the styrofoam packing peanuts from the beanbag chair, they'll be mashed flat and useless in a week anyway.
    4. Place the shredded documents into the beanbag chair.
    5. Repeat until the beanbag chair reaches the desired firmness.

    Instant furniture, very comfy when playing games.
  • by pipingguy ( 566974 ) on Friday December 19, 2003 @11:59PM (#7771452)
    If you feel you're being spied-on by individuals poking through your garbage, toss into the bag a few carefully selected, ummm, "leavings" as a bonus for the sifters.

    This should point the searchers in a different direction, causing them to move on to a more attractive find, much as car alarms doo.
  • It seems to me (Score:5, Insightful)

    by ajs318 ( 655362 ) <sd_resp2@@@earthshod...co...uk> on Saturday December 20, 2003 @07:19AM (#7772582)
    It seems to me that the problem is a social one, not a technological one, and therefore we should be looking for solutions in the social domain.

    Somebody who knows me is better qualified to say "That is the real ajs318" {or not} than some piece of machinery ever will be. A human being can check subtle things like signatures far more reliably than a machine. But the corporate mentality seems to be far too trusting of machines and far too distrustful of human beings. It's well known that humans make mistakes, but who designed and built the machines?

    In Britain, we have a National Insurance Number as a unique per-person identifier, but it is only used for taxation purposes. Also, your employer is responsible for stopping your tax right out of your wages before you ever see them, making it physically impossible for the working classes to commit tax fraud.

    With no national identity card, anyone requiring ID has to seek it from multiple sources ..... usually official letters such as gas / electricity statements and bank statements for your address, and a passport or driving licence for your signature and photo. If you join a video club, for example, you might have to produce two bills and a signature, and you'll get a card which is only good for renting videos; there is no information on the video card that links it back to the papers you submitted. Of course you could mug someone on their way to or from joining a video club and get their papers that way, but if you already knew what they were about to do you probably already know enough about them.

    Now, your name and address are published in the telephone directory. So places insist on official letters. Of course these could be forged ..... but it's recognised that the name and address aren't enough, so other documents are also usually required. {And if, say, my electric bill shows I paid 10 last Saturday, they might want to see my payment card and make sure the account number matches.} Most places also require a signature, and you may even be required to sign the form in front of them. It does take skill to forge signatures with an audience ..... I could do a very convincing one of my last-but-one boss's, but nowhere near as quickly as he could.

    It seems the problem in the USA is that the social security number {which uniquely identifies a person} is treated as though it were a secret, unknown to any entity beyond the person it identifies. That clearly is not the case. Look at how PGP works ..... there is a published part known to everybody, a secret part known only to one individual and a mathematical relationship that makes it difficult to determine the secret part from the published part. If I just send you ajs318's public key, that doesn't prove I am ajs318. If I sign something with ajs318's secret key, and you can recover it with ajs318's public key, then that at least proves I know ajs318's secret key, and there's a better chance that I might actually be ajs318. It seems to me that the SSN {which identifies without authentiation} is being misused.

    The other thing is, when you go into somewhere like a newsagent's shop, you are recognised by the regular staff there. {Kids in my old village used to shoplift from the local newsagents' once at most. The items they took got added onto their parents' slate.} The point is, the main identity used in that situation is the person themself, which is hard to forge. In a large impersonal supermarket, there is less potential for recognition, so if you pay by payment card or credit card then they require a signature {though trials are underway where the shopper will merely have to enter a 4-digit PIN, thus relieving the cashier of the responsibility to check a signature and not at all paving the way for brand new opportunities in crime}; on the Internet, none at all.

    If you want security, stick with old fashioned pound notes, because they can only steal as many of those as you actually have. And, until they get RFID in money, it's untraceable. You can't look at a 20 note and see it was won in a poker game, for instance.
  • by blankmange ( 571591 ) on Saturday December 20, 2003 @09:46AM (#7772819)
    I work for the fed. Our sensitive material is shredded through a large, commercial shredder. It only does a vertical shred, so you could reconstruct fairly easily. The best part is this: once the shredding is bagged, it goes out to our dumpster out back in the alley. It is not secure, guarded, or anything else.

    Also, per our regulations, if you don't run it through the shredder, you have to manually tear up the piece of paper 6 times. This is social security numbers, addresses, medical information, etc.

    I have often wondered how wrong this is, but my boss never seems concerned when I bring it up.
  • by painehope ( 580569 ) on Saturday December 20, 2003 @02:15PM (#7773877)
    very important. Screw your home dumpster, screw your office. The most dangerous place for your credit cards is where you shop. It's a really bad idea to shop anywhere that prints out credit card receipts w/ full numbers, or takes ( shudder ) a direct print of your card.

    Want to know why? The manager that collects all those receipts might be honest enough, but do you know what a lot of those places do w/ their receipts? After anywhere from 1-3 years, a lot of them just throw boxes full of them in the dumpster. A college bookstore I worked at when I was starting college did just that. Literally thousands of credit card receipts w/ full pin numbers, signatures, and names in the bin. A lot places shred that receipts when they're done, but some don't. And think of the traffic a college bookstore generates.

    Before you say anything like "well, you didn't have an id, address, or a social or anything like that", imagine the damage I could have done had I been so inclined to steal some of those numbers and then used them where I had a friend on the inside. Or done the digging to find that person's SSN, address, or whatever.

    Trust me, I was so tempted to finance the rest of college education w/ a little bit of scamming. Thankfully, I had a hellish cunt of a girlfriend that ruined my life so badly that I dropped out of college and went to work in IT.

    Damn...now that I think about, maybe theft was the better option...

Never buy what you do not want because it is cheap; it will be dear to you. -- Thomas Jefferson