<div class='os_post_top_link'><a href='http://www.pbs.org/cringely/pulpit/pulpit20030911.html' target='_blank'>http://www.pbs.org/cringely/pulpit/...it20030911.html</a><br /><br /></div>You'd think that progress in securing consumer's privacy has been made, given the recent spectacular reports of how easily SSNs and other valuable pieces of data are pulled down from the Internet, right? Guess again. Robert X. Cringely (ironically, an identity with two people behind it) recently had a very scary experience -- and found a trivial way to obtain several hundred thousand identities. 8O<br /><br />"Sure enough, in less than an hour I had updated names, addresses, Social Security numbers and dates of birth for the more than 300,000 entries that were in common across both CD's. What I produced in that hour was all the information required to steal the identities of 300,000 people, most of whom would be considered to have high financial (if not emotional or artistic) net worth. If I was a real criminal I could use this data over a period of 4-6 weeks to apply for online credit cards and bank accounts, to order credit reports that list where the victims do their banking so I could loot those accounts, too. Before anyone would notice I could grab that Secret Service equivalent of $217,000 per victim for a total take of $65 billion, which certainly beats my day job."<br /><br />As our lives get more connected, and we have more technology at our fingertips, I can't see this go anywhere but down. Do we have any hope in solving it?

That's pathetic. And thanks for posting the article. Amazing. That's the difficulty in mixing politics and government with technology. The first two can't develop and evolve at anywhere close to the speed of the latter. Like an old person in a wheelchair trying to compete with a Ferrari on the racetrack.

I guess two steps that people can take are first, to get a private mailbox. I have one. And I make effort not to have any mail sent to anywhere except there. That way, you don't have to deal with the braindead post office and their braindead employees.

Second, consider subscribing to a credit report monitoring service that lets you know everytime someone makes an inquiry. If not, then get a copy of your credit report at least twice a year and have it sent to your private mailbox. Keep an eye on things.

And yeah, shred or burn EVERYTHING.

Don't give your SS# to anyone. Sometimes you have to, but still...

Make effort not to subscribe to magazines. Do what you can to keep yourself as invisible as possible, otherwise, you'll be on every mailing list known to mankind, and the more your info is out there, the more opportunities there are for some of your info to get into the wrong hands.

Consider having two checking accounts. One for Paypal and small purchases where you can deposit small amounts of money at a time for those things, and then your regular account.

I know there are services that some credit card companies offer where they will issue you a temporary credit card number that is good for only one purchase and then is discarded. It's linked of course, to your true credit card number, but by having it good for only one purchase, anybody who might try to use it will be out of luck. It processes the same way as your true number, but it's better for when you're making purchases over the internet.

Some restaurants, like Denny's, will display your entire credit card number on the receipt they give you. Stupid. I found a receipt on the ground just yesterday near my home, and discovered that it belonged to a neighbor. There it was, from stupid Denny's, with his entire name and credit card number. If I were a criminal, I could have used it so easily. Do you know how easy it would be for Denny's employees to steal these names and numbers? I won't even eat at restaurants like that just because they're so careless with things like that. I say, avoid places like Denny's and give your money to someplace else. There are too many other places to eat at that will actually use their brains. Not to mention, life's too short to eat at Denny's anyway, lol...

Just using common sense is what's important. Being cautious and not so trusting. And taking advantage of the tools we do have to protect ourselves. Beyond that, there's prayer. Either that, or go live in the mountains or a cave somewhere It's a cold, messed up world we live in, but we don't have to live in fear.

Crazy stuff.

The problem I see in the US is that everything is based on credit. You need a credit card for EVERYTHING over there, it's ridiculous. And you have to give everybody and their grandmother your ssn! Why?!?! I mean why on earth would your video rental place need to have your ssn on record? I don't get it.

You know, it's funny...

Your Social Security card has written right on it "Not to be used for identification purposes"... Yet look at your medical insurance card (and probably others as well), what do they use for your ID: you got it, your Sicial Security Number...

I was in the doctors office yesterday, three people went up to the window after me, three times they were each asked for their Soc, and three times they gave it out loud enough for everyone in the office to hear...

And if you have the Soc, you can get anything...

Steve

And then there's all the schools where student ID == SSN, and so it's given to all teachers, etc. Grades are listed on professors' doors according to ID....

And then there's all the schools where student ID == SSN, and so it's given to all teachers, etc. Grades are listed on professors' doors according to ID....

And these student IDs are used so frequently for web logons etc, that you can approach your average student and ask them for their student ID without even giving a reason with a 50% or greater chance that they will simply tell you without reason. Signing up for clubs on campus frequently involves SID numbers for instance.

Great post Janak! Some other things that can help with identity theft.

• Use a financial program like Money or Quicken and immediately get all of your bank accounts and credit card accounts online with it. You will notice suspicious activity within days, not 6 weeks later when you get your statement. I check mine daily. Part of the morning routine. :morning:
• Where available, suspend all paper statements. Many will email you a link when they are ready and you can download PDF files over HTTPS and print them yourself or just archive them on your hard drive.
• Stop mailing checks from your mailbox. THe article says this, but I don't mail any checks period. They are sent from some computer somehwere - I use online checking with my bank. Many aren't checks at all but direct debit transfers. I don't recommend you allow the vendor to just ding you each month. Utilities love doing this. Make them send you a statement then you initiate the check. That way if the utility's system is hacked or just messed up due to a glitch, your account is unaffected.

My credit card number was stolen once, probably off a discarded receipt since it was someone in my home town. I know that because he used it to call a bunch of phone sex numbers and they gave me the phone number that the calls originated from.

But anyway, thanks to online banking, I knew about the theft and had the number cancelled and the money back in my account after only about 3 or 4 days. Plenty of people think online banking is insecure, but for me, I couldn't live without it!

But anyway, thanks to online banking, I knew about the theft and had the number cancelled and the money back in my account after only about 3 or 4 days. Plenty of people think online banking is insecure, but for me, I couldn't live without it!
ONline banking with SSL is far more secure than physical world banking when Joe Schmoe is working the register at Wal-Mart.

You know, it's funny...

Your Social Security card has written right on it "Not to be used for identification purposes"... Yet look at your medical insurance card (and probably others as well), what do they use for your ID: you got it, your Sicial Security Number...

They mean the card is not to be used as proof that you're the person named on the card. It doesn't mean your SSN can't be used as an identifying number for you.

They mean the card is not to be used as proof that you're the person named on the card. It doesn't mean your SSN can't be used as an identifying number for you.

Actually, I'm not sure about that...

The number is not supposed to be given out, nor is it supposed to be used for ID purposes...

Steve

And then there's all the schools where student ID == SSN, and so it's given to all teachers, etc. Grades are listed on professors' doors according to ID....

If a professor does that, s/he is in violation of the Family Educational Rights and Privacy Act (FERPA) and is putting him/herself at risk as well as the institution. This is also true if the professor puts a pile of graded papers outside his/her office door and allows you to search through to find your own. If you are a student and a professor does that, you are within your rights to file a complaint with the Dept of Education, though it would probably make more sense to bring it to the attention of your registrar's office. They will be familiar with FERPA and will advise your professor to stop doing that.

They mean the card is not to be used as proof that you're the person named on the card. It doesn't mean your SSN can't be used as an identifying number for you.

Actually, I'm not sure about that...

The number is not supposed to be given out, nor is it supposed to be used for ID purposes...

Steve

Steve, this got me thinking. Someone who should know told me what I passed along here, but I thought it might be good to see if there was any reference to it on the Net. Here what I found and it seems pretty self-expanatory. So it seems it was a nice idea, but not one that ever really had any meaning.

http://www.cpsr.org/cpsr/privacy/ssn/ssn.faq.html#IsItIllegalToAsk

Is it illegal for someone to ask for my SSN?
The short answer is that there are many restrictions on government agencies asking for your number, but few on individuals or companies. When someone from a government agency asks for your number, they are required to provide a Privacy Act Disclosure Notice, which is required to tell you what law allows them to ask, whether you have to provide your number, and what will happen if you don't provide the number.

Private companies aren't required to follow this law, and in general your recourse is to find another company to do business with if you don't like their policies.

Didn't the government promise that SSNs wouldn't be used for ID?
For the first few decades that SSN cards were issued, they carried the admonition: "Not to be used for Identification." Unfortunately there was never any law passed instituting this as a policy. The Social Security Agency was apparently attempting to instill good values in the citizens, but was apparently unsuccessful in preventing government encroachment into this territory.

And then there's all the schools where student ID == SSN, and so it's given to all teachers, etc. Grades are listed on professors' doors according to ID....
If a professor does that, s/he is in violation of the Family Educational Rights and Privacy Act (FERPA) and is putting him/herself at risk as well as the institution.
Right. When I was an undergraduate, we used SSNs throughout the university system, but everything has changed -- they now have their own unique ID system, and students are no longer required to put SSNs on anything. I assume this happened around the time FERPA took effect.

--janak

Steve, this got me thinking. Someone who should know told me what I passed along here, but I thought it might be good to see if there was any reference to it on the Net. Here what I found and it seems pretty self-expanatory. So it seems it was a nice idea, but not one that ever really had any meaning.
.

Rob,

Thanks for the link and the info!!!

Steve

Another tip: don't just shred paperwork with personal information on it, but also be sure to recycle that paper. Less likely to end up in a dumpster or landfill where someone might be able to piece it together.

When I was in the Air Force (1979-1986) your SSN == Military ID # which you had to recite constantly. If you didn't have your SSN already memorized then a couple weeks in the military would have fixed that problem.

Another tip: don't just shred paperwork with personal information on it, but also be sure to recycle that paper. Less likely to end up in a dumpster or landfill where someone might be able to piece it together.
Or get a shredder that doesn't just cut the paper into long strips, but into short strips as well. They aren't much more than the long-strip sort and it does make it virtually impossible to stick the stuff back together because of the big jump in the number of pieces of paper you are dealing with.

Fellowes do a few - they are described as confetti shredders. (http://www.fellowes.com/category.aspx?sendingPageType=BrowseProducts&catalog=Fellowes+Web+Site+Catalog&category=Shredders(Fellowes+Web+Site+Catalog)&main=0&sub=2&path=Paper+Shredders+%26+Supplies(Fellowes+Web+Site+Catalog)%7c%7c%7cShredders(Fellowes+Web+Site+Catalog)) I've linked to the US web site, but you can buy similar products in the UK and other countries.

I quite like the look of the Shredmate Shredder ($34.99) but it is quite small, so it may not suit everybody, but the main point here is that you don't have to spend a lot of money to gain quite a bit in added security.

--Philip

Actually, I know someone who steals and uses identities. He's into it big time. He has full details on a bunch of people, important government numbers, names/numbers/addresses, even cancelled cheques. He FOUND a bunch of files - thousands - from an insurance company and has been using them to get gold/platinum cards from Amex. He gets them approved online and he says Visa and Mastercard don't have such an easy system.

He's not really a friend, but I have known him for years, and he always tells me what he's up to. This credit card / identity theft is just the latest scam. He buys high-end stuff with the Amex cards, including computers and video cameras and expensive clothes. By his own estimates, he's done a few million bucks worth of badness in the last few years. I did my duty and reported him. I even had proof (times, dates, envelopes with other people's names on, including ones that used to have credit cards in them). And guess what, nothing happened except that I was given a hard time.

One evening, I called Amex security in the States and they took it very seriously, so seriously, that they called the head of security in my country - Canada - at home in the Toronto area on his cell phone and transferred my call. Mr. Rick Neal mocked me and was quite rude. I attempted to speak with him two more times, but once he did not return my voice message and once he said he'd call me back and he never did.

I feel terrible for the people whose identities are getting stolen, but Amex are jerks and are allowing it to happen even thought they could stop him. If anyone from Amex is reading this, let your superiors know about it. Maybe some Vice President will nail Rick Neal for letting someone run rampant and not doing anything about it despite having all the details and proof.

Tari,

Call US law enforcement. For the amount of money you are talking, they would probably be interested.

I feel terrible for the people whose identities are getting stolen, but Amex are jerks and are allowing it to happen even thought they could stop him. If anyone from Amex is reading this, let your superiors know about it. Maybe some Vice President will nail Rick Neal for letting someone run rampant and not doing anything about it despite having all the details and proof.Just call your local authorities. Call the local postal authorities. Anything being done via mail constitutes mail fraud.

you would think that the authorities would be interested but think again. this has been a very frustrating experience for me. i am not exaggerating either what he's done and is still doing, the amount he has stolen, or the lack of response from those who you'd think would be interested.

this idiot i know puts 5 to 50 thousand on each card in spending. i do not exaggerate. also, did you know that if you take a major credit card into most department stores, you can generate a store credit card? yuppers, so he basically uses a card like a parent and makes a bunch of kids with it, so to speak. he also gets lines of credit. and spends it all on DRUGS and partying and travelling. anything he gets like a big screen tv or a digital camera or a laptop, he sells.

and it gets better. let's say a victim complains. well, too bad for them is the way the system works. with a bit of wrangling, Amex will see that they don't have to pay, but the law says they aren't a victim because they face no actual loss. the credit card company is the so-called victim. as if. they just claim it on their insurance and their rates go up, so that makes it harder for legit card holders.

of course, that is stupid thinking of who actually gets hurt. the person is a victim because their credit is wrecked and that is really hard to fix. credit bureaus work a certain way and begging them to fix the negative listings doesn't work very well. it can take years! often people don't even realize until they try to get a car loan or a new card or a mortgage.

also, in terms of the government - it is not easy to get a new social insurance number (Canada) or a new social security number (States), and even if you can get it, the trick is to make sure it is not linked to the old one at the credit bureau. if it is linked, then the same old bad credit comes back again to haunt you. you can even be denied some jobs if your credit is bad.

anyway, if law enforcement do manage to get enough interest to charge and convict someone, the law is behind in terms of what they can be charged with and what the punishment is. typically, it is treated like shoplifting, and you might get a small fine, 14 to 30 days in jail, rarely an order of restitution and maybe no jail at all, just 3 to 6 months of probation. no wonder this is an ideal sort of crime to do. big rewards, little punishment.

i was not aware of all this until i started looking into the whole thing and i am just disgusted.

anyway, if law enforcement do manage to get enough interest to charge and convict someone, the law is behind in terms of what they can be charged with and what the punishment is. typically, it is treated like shoplifting, and you might get a small fine, 14 to 30 days in jail, rarely an order of restitution and maybe no jail at all, just 3 to 6 months of probation. no wonder this is an ideal sort of crime to do. big rewards, little punishment.

IMO a very large percentage of what makes crime in general (including ID theft) so easy is the punishment involved. You could commit the most heinous crime in the world and walk away with a slap on the wrist! Want a cushy lifestyle? Do something to earn life in prison!

IMO a very large percentage of what makes crime in general (including ID theft) so easy is the punishment involved. You could commit the most heinous crime in the world and walk away with a slap on the wrist! Want a cushy lifestyle? Do something to earn life in prison!

well, that last part is definitely an exaggeration. time in prison is not generally not fun or 'cushy', so let's dispell that myth since it is completely false. prison is pretty nasty and no walk in the park although some people like to claim it is.

my point is that a few days or a few weeks in the local jail or cop shop cells is not enough. some real prison time would do a world of good because it is so awful. and definitely an order of restitution is important.

also, the credit card company, Amex in this case, needs not to be so irresponsible. they have an easy system to defeat and they are aware of this, plus they blew me off when i tried to report it.

By his own estimates, he's done a few million bucks worth of badness in the last few years.

Hum. There is usually a threshold on how much can someone go crazy on online fraud. Above that threshold, banks will start cancelling card numbers that have been used in compromised vendors/merchants (where identity theft take place). From personal experience, the threshold for visa/mastercard/amex is much lower than your numbers above.

Furthermore, modern banks have early detection systems, which are applications working on the background, checking all credit card approvals, like FEWS (Fraud Early Warning System), sabretooth, etc. Basically it works by comparing transactions vs. customer's transaction pattern. When you make a large transaction which is not inline with your previous transaction pattern, the transaction is automatically logged in the early detection system for further clearance. If the system consider that a compromise has happened .... It only take 3 seconds to block a batch of 100,000 card accounts.

Online fraud can still happened, but it usually comes in smaller ticket size ($50,000 on a single card is simply ... outrageous :wink: )

gee, you sound like some of the authorities to whom i reported this. let me repeat myself. i am NOT exaggerating. if anything, i am under-reporting. he applied for the cards ONLINE and used them in the real world. he used the credit information that he got from life insurance files that he lucked into finding for people mostly in their 40s to 60s, so good credit ratings after a lifetime of hard work. upper middle class, at least by income. he doesn't bother with green cards, just gold and platinum. he's got at least 5 000 files. and he's using them with abandon. he even has photocopies of cheques. he told me that it is harder to get visa/mastercard online, and also most of them have a limit. Amex has no set limit as it is based on previous patterns. anyway, i did my part and got nowhere except to be made fun of by that high up Amex guy. and of course, i'm disbelieved here. no wonder so many people don't want to get involved.

and of course, i'm disbelieved here. no wonder so many people don't want to get involved.
I don't think you personally are disbelieved. It's just difficult to comprehend this happening, and sounds to be much worse than your average fraud case. Are there other government authorities you can report this to that might be more willing to listen? I'm sure you've looked into it. It's frustrating that no one who could do anything is willing.

well, Kati, i've done a lot already, and now i've just grown tired. i went a few extra miles on this because i once lived with someone who used my credit cards without my permission and cleaned out my bank account. i was told it was a 'domestic situation' and was forced to pay, so i know what it is like to get screwed, first by a jerk and then even more so by those who should help.

well, Kati, i've done a lot already, and now i've just grown tired.
I don't blame you. I'm still surprised at the difficulties you had getting Amex to take you seriously.

There are $3 billion (and growing) in ID fraud losses every year from credit cards alone. And that's just in the US. So a more sophisticated guy stealing a million or so a year is not out of the realm of possibilities. Unfortunately, I don't know anything about Canadian laws or law enforcement so I really can't help you there but I can tell you about what I would do it the US and maybe that will help. If you were in the US I would call the FBI or your local prosecutor. The FBI is actually taking these cases with increasing seriousness. I say local prosecutor rather than police officer because the local police are typically not set up to handle these types of paper cases while local DA's offices have their own investigators and prosecution units with the proper training necessary to crack these types of cases. If you live in a smally municipality however, that will not be true. Larger counties have hightech and white collar fraud units that would be able take the case on.

I for one believe you if that helps. This guy actually sounds fairly typical among the more dilligent, smart credit card fraud crooks. ie in 2001, 15 employees at NJ car dealership were arrested for racking up $800k in false charge from new accounts they got from 2,500 credit report files. The arrest last year by the FBI of a ring of people including a clerk at Ford credit that racked up tens of millions and avoided detection (and a full accounting) by spreading the origins of false credit card creation and purchases around the country.
The $3 billion number is from 2000 from Credit card company claims.

Another scarry aspect of ID fraud is that these people can do more than mess up your credit rating (which really is a hell on earth for those who are victims, even when armed with a police report and a certified copy of convictions for the people who committed it).
Some of these people are also getting driver's licenses etc with their victim's names, and these ID's have dual purposes. They can be used to confirm id on purchases but they can also be used to show id at the time of arrest or when they get a traffic ticket. etc.
Imagine getting handcuffed and thrown in jail because you have an outstanding warrant for not showing up in court on your DUI/DWI even though it wasn't you who was driving drunk? Then you have to get an attorney to get copies of the booking photos, and fingerprints to have them compared, you have to goto court to have the judge and prosecutor confirm the fraud and you have to have a separate motion to be declared factually innocent of the crime and keep a copy of that just in case the guy tries to do it again. Scarry.

well, shindullin, according to my research, you are 100% correct. this sort of thing happens more often than one might think. just a few weeks ago, an American was captured in the States after 25 years on the run, using someone's identity. he was one of those student radicals who liked to blow things up to protest the Vietnam war. another American was also grabbed up several months ago. he had been on the run from a drug smuggling conviction and was tripped up by using someone else's identity. likely he would have remained free except that he started defaulting on bills he'd run up in that guy's name. both types of charges are very serious and if the real person had been arrested, they'd have to jump through many hoops to get their freedom and have their name cleared. just saying "hey that's not me, really" is not enough, of course.

Just a suggestion...

CSIS contact info (http://www.csis-scrs.gc.ca/eng/address/contact_e.html)

(Apologies if somewhere in this thread the info I am sharing is already mentioned -- I just skimmed earlier responses :wink: )

One way to safeguard yourself from identify theft is to place a "fraud alert" on your credit file at all three major credit bureaus (in the U.S.): TRW, Equifax and Experian. All three have automated voice response systems that allow you to do this without too much trouble. Happily, the three bureaus have improved their integration this year so when you notify one credit bureau, they will automatically notify the other two that you'd like your credit file to be put on a fraud alert.

What does a fraud alert do?

Essentially, it will do two things. Firstly and primarily, it will notify any agency inquiring on your account that your file is on fraud alert, and the inquiring agency is supposed to not open a new account or extend credit to the credit applicant unless and until the credit applicant is contacted at home and gives consent to the new line of credit. If everyone does their part correctly, someone who is trying to steal your identity will be thwarted in getting a new line of credit opened under someone else's name. Of course, there are several ways this system can breakdown -- for instance, a credit grantor can ignore the fraud alert and still extend credit notwithstanding your account's status.

Secondly, your name will be removed from all promotional solicitations for new credit. That means less junk mail! :)

Fraud alerts ostensibly are for those who suspect that they have been victims of identity theft, but there is no obstacle in requesting a fraud alert as a precautionary measure.

Fraud alerts come in two durations: a 90-day duration and a 7-year duration. Quite frankly, when I have called to put my account on fraud alert, it appears to be only good for the 90-days only -- although the voice response system never indicates this. I *think* that the 7-year duration can be requested in writing, but I'm not sure about the finer points on this matter.

There is a happy benefit to putting yourself on fraud alert: you get free copies of your credit report from all three credit bureaus! :lol: This saves you about $24 in requesting your reports separately from each bureau.

After 90 days, you'll have to call one of the bureaus and re-request that your account be placed on fraud alert. I have this task set-up in Outlook so I remember to call every 90 days.

Don't expect that the credit bureaus will make this easy for you! Firstly, they're forfeiting revenue by giving you a free copy of your credit report, and they reduce the number of times they can include your name for promotional matters. Their websites are abysmal in explaining what a fraud alert is all about.

Here are the three credit bureaus, and their telephone numbers. In some instances, you will keypunch vital info into your telephone keypad, and one of the bureaus (I think TRW) has you record your responses just by speaking into the receiver. Get all your info ready, because the voice response system often doesn't give you an opportunity to re-enter your responses to correct them. You'll need to have your SS#, know the numeric portion of your street address, and other such info as they may require.

Equifax: 800-525-6285
Experian: 888-397-3742
TRW: 800-269-0271

Sidenote: I shared this info with my co-workers earlier this year. One them just came to me and asked for these numbers again. His wife's purse was stolen, and now their getting statements in the mail for thousands of credit card charges on new credit card accounts! Had he taken the trouble to make a phone call earlier this year, his current situation might have been avoided.

This little piece of info comes from your friendly Registered Financial Associate, famousdavis! Hope this helps somebody! :lol: