Identity Theft - The Real Cause
By Mike Lee and Brian Hitchen
Monday, 24 May 2004 13:51 EST
To understand the crime of identity theft and to see why it is such a rapidly growing problem you need to go back a few years. At that time here were criminal gangs that needed to launder the proceeds of their crimes.
In the seventies and early eighties the banking industry with its centuries old code of secrecy was just what any self-respecting criminal needed. To open a bank account was a simple matter and the banks were keen to gain new customers. The days when it was a privilege to be allowed to have a bank account went out in the early seventies and the banks were fighting each other for business.
At this time the country was seeing a massive growth in the smuggling of illegal drugs. Before the war, the use of cannabis and cocaine was legal but limited to the middle and upper classes. After the war the use of these drugs was banned and for a while the problem seemed to go away. In the sixties, the use of recreational drugs started to become widespread among the youth of the day and the suppliers of these illegal drugs needed to legitimise the proceeds of their trade. They were able to open bogus bank accounts very easily.
For a while there seemed little that the Police could do about this growth industry so the Government of the day introduced legislation to try to combat the massive problem of money laundering. With the growing threat from terrorism, the laws were tightened further to the point where it became extremely hard to create a false identity and open a bank account. It is these restrictions that we all have to accept when we want to use the financial services available. A good example here is when a bank and its staff know us, yet we have to again prove our identity when we wish to open another account.
Where We Are Today
With the massive restrictions placed on criminals attempting to open false bank accounts for money laundering purposes, they naturally took the next easiest route open to them; they looked at stealing existing identities. Stealing is not the right term since they only copy the identity of a victim, along with any credit rating, reputation and standing that the victim may have built up over the years and it is for this reason that for the victim the effects can be extremely serious.
Unfortunately the criminals have a well-funded ally with almost limitless resources - the banking industry itself! What has happened with the rapid growth of computers is the corresponding increase in the sophistication of the marketing industry. The banks, credit card and finance companies no longer waste money sending out blanket mail-shots to a town or area, they have well researched and selective marketing campaigns aimed at respected customers with decent credit ratings who are a good target for new financial products.
It is a fact that anyone who gets financial junk mail is almost certain to have a decent credit rating. (Remember the old adage of the bank lending you an umbrella when the sun is shining). In fact the term "junk-mail" should no longer apply to these mass-mailings.
These are not “junk” to the criminals, they are a godsend and every single piece of mass-mail is valuable, in fact they all say something about the addressee. So, how do the criminals take advantage of this situation?
How To Clone A Human!
There are large organised gangs of criminals working the dustbins of our towns and cities every week of the year. They will employ the homeless and unemployable to search through the black-plastic bags that are put out for rubbish. People will throw away the most valuable of documents. In fact a recent survey by a leading Credit Agency found that only 14 per cent of household rubbish bins contain absolutely no information of interest to fraudsters.
That means that 6 out of every 7 bins contain information that is useful to a criminal who wants to steal your identity! Researchers have found all junk mail, receipts, credit-card bills and even bank-statements. These are passed on to the "foreman" who will pay a bounty to the collector depending on what has been retrieved.
So, how hard is it to clone a person? It is surprisingly simple. For a start you need some basic information about your intended victim. There is little point in copying someone who has a poor credit rating or who has been declared bankrupt, however, due to the way that most of the financial services industry will vet potential customers, the junk-mail tells the criminal enough about their prey.
Once they have some junk mail, they will look closely to see which target fits the bill. They will probably need addition documents, maybe an old phone bill or a letter from a company dealing with an existing account. Once the criminal has two pieces of documentation, then creating a utility bill for example can be a simple process with modern scanners, inkjet printers and common software. Why some companies even make it easier by creating the address panel with a white background for clarity!
Criminals (or anyone who is reasonably competent with a PC and word processor) can take a letter from one person, scan this into a computer and print an identical letter for another person. Suddenly they have enough information to convince the post office that they are that person and tell them that they have moved house and need to have their mail forwarded.
When this has been done, they can then contact a credit card company (probably as a result of another mail-shot) and get a credit card. The same survey stated above also found information that connected credit card numbers, with individuals along with an expiry date! With this, they can get some motor or home insurance and then a new bank account. All of the documents will be sent to the victims "real" address but as all of the mail has been forwarded, the criminal can simply remove the letters they are waiting for and place the rest of the mail in the letterbox of the victim.
Once the new identity has been created, the criminal will then write to the new bank and credit-card company and tell them they have moved to a new address. This will be a mail-drop that is used for tens of people. Before the bank knows what has happened the criminals will have take out loans for tens of thousands of pounds and run up thousands of pounds in credit-card debts.
Buying goods is even easier. Using a stolen, cloned or bogus credit card you can go online to any of the stores, (Littlewoods, Tesco’s, Argos etc) order goods AND have them delivered wherever you want. This can go on for a long as the original victim is not contacted by the companies concerned or receives a credit card bill.
Sooner or later something has to give. The victim will receive notice that his identity will have been stolen in the form of paying for goods or services that they have no knowledge of. The first reaction of the bank and other authorities is to blame him. In all cases financial you are guilty until proven innocent and the bank will be chasing the original, innocent, victim for the money.
If the victim manages to convince the bank that the crime is one of identity theft the bank will suffer the loss, right? Well not exactly, the banks simply pass on their costs to you, the customer. The banks and credit-card companies only have the money that you have paid in charges. When a credit-card company gives you an on-line guarantee, they are spending the money that they charge you! One way or another, you, the customer, will pay for the crime!
So How Do We Stop This
Fact: - The financial services industry makes more money from this type of Junk-Mail marketing than it costs them in fraud. Remember complaining about the cost of fraud is a good reason for these companies to justify their high charges. Imaging the outcry if a bank said, "I have to raise my charges because I am spending too much money on marketing!!"
Fact: - Identity Fraud is not really considered stealing. In the final analysis many consider that stealing from large anonymous companies is acceptable. BUT we forget that in the end it’s us that PAY!
Fact: - The Banks do not swap information. They may supply information separately to Credit Agencies who conveniently sell it back to them en-masse in the form of credit checks – but they all have different databases and different Identity Checking routines.
The only way to cut this source of easy funds for criminals and terrorists is for the entire financial services industry to put in place standards and procedures that guarantee the correct privacy and protection of the individual.
Of course before we get there (and the opponents will quote Big Brother, Minority Report and other examples) we have a lot of pain to go through, not the least of which is the effect on the individual.
- It must be made illegal for companies to send you mail that you are not expecting that contains private and personal information about you.
- We need a central database that is securely controlled that can be referenced to absolutely confirm a person’s true identity.
- Individuals (the silent honest majority) have to agree to a level of central information (i.e. populate a database) that can be used to verify their identity. This may in time contain biometric information on the individual in the form of fingerprint or voiceprint)
- Banks and Financial institutions have to come clean on the level of fraud they manage, who pays for it and where the responsibility lies.
- It is important that we have the privacy of our personal data respected by those who have been entrusted with it.
I only have to imagine the effect on a elderly person who has struggled all their life to maintain their dignity self-respect and financial independence of credit, overdrafts and debt when they find that their good name is being used by an uncaring and callous criminal to run up huge debts and blacken their name. Simply the effect of receiving a “pre-printed” debt letter from an automatic Bank process causes them sleepless nights.
If the custodians of our sensitive personal data can’t or won’t get their collective act together the lawmakers will force them to. If that happens the financial services industry will bitterly complain about “Government interference”. The trail of devastated victims will barely get a thought.
Essential Bluetooth hacking tools
25.05.07 Bluetooth provides an easy way for a wide range of mobile devices to communicate with each other without the need for cables or wires.
DEP for IE7 in Vista
22.05.07 Security tips blog, security-hacks, has posted details on how to enable DEP for Internet Explorer 7 in Vista.
SMB over SSH: Secure File Sharing
18.05.07 Security tips blog, security-hacks, has published an simple guide to share files securely in heterogeneous networks.
Avoid data leaks by clearing the page file
14.05.07 Security-Hacks publishes a useful tip to avoid potential data leaks when you run out of memory.
How to set Master Password in Firefox
11.05.07 Nowadays many web sites require you to type a user name and password before you can enter the site.
How to test your firewall?
10.05.07 Security tips blog, Security-Hacks, has published a compilation of tools to test your firewall: "We’ve compiled a list of tools we believe will be of value to both home users and advance users.
eEye released integer overflow auditing tool
16.02.07 Vulnerability research company eEye Security has released a free security vulnerability auditing tool that helps spotting possible integer overflow vulnerabilities.