September 02, 2004

Identity Theft - This excerpt from Bob Sullivan's My Evil Twin has me reeling in amazement at how easy it was, and still is, to successfully perpetrate identity fraud upon Americans of all walks of life--from the rich to the poor, no one is safe from the gleamy-eyed clutches of the Ragged Company.
  • I was reading this too. Fascinating. People think it's all database hacking and keystroke logging, but here's a guy who just called up a few low-level operators and got all the information he needed. Imagine how much easier it is now. The seat-to-keyboard interface is always the greatest vulnerability.
  • I stole a guy's identity once when I worked at the video store. Unfortunately, he had an outstanding warrant for his arrest for arson. I did 11 months in a plea bargain.
  • Creditors should be shot for continuing to use "mother's maiden name" as a challenge question. I won't even go into the mess regarding Social Security number abuse.
  • Identity is not security; it just confirms who I say I am. Every piece of information makes the picture of "me" that much clearer and easier to find the next piece. It does not prove intent. Whoever can do this will make security in itself, secure. And that, my monkeys, is the most powerful social engineering tool. Intent. Coupling faux intent with a culled identity is gold—all in a phone call. I just wish I knew what to do about it.
  • the_they: i'm pretty naive in this arena, so could you expand on that a bit?
  • I'm amazed at what you can do without an ID. For example today I went to the bank and changed the address of where my statements are sent without having to show any proof of who I am. That could seriously screw up someone's finances if given access to that info. There are lots of ways that someone can steal someone's info if they want. For example when I worked in the cage and credit department of a casino the cage and credit dept. was responsible for verifying the sales of the restaurants and bars. Included in the waitstaff's drops were the credit card receipts of the customers complete with the credit card number and signature of the customer. Those receipts had gone through several hands before they got to me. Someone could easily have made off with them and even with all the cameras in the casino, it would be damn hard to trace that back to a single person.
  • It would seem that some sort of national ID might be useful to help avoid this. Yikes.
  • The old-skool way (which certainly used to work in Britain*): go to an obscure local newspaper's archives in a faraway town. Trawl around your date of birth for a death notice of a child who died in early infancy. This will usually give the mother's maiden name, as well as the date of birth. These are the only pieces of information needed to go and ask for a copy of 'your' birth certificate, which (ta-da!!) aren't cross-referenced with death certificates. You now have a birth certificate, which is all you need to get a passport, which is all you need to get... and so on. And as the_they said, the more pieces of 'identity' you get, the more solid your identity becomes, even if they all eventually refer back to only one single form of identification. That's the trouble with ID schemes - they only work as systems when they assume infallibility. And very few systems are infallible, even before you factor in human failings (such as the ones the guy in this article relied upon). So you're stuck with a fallible system that believes itself to be flawless... which only exacerbates problems for many innocent people, and reinforces the deception of the guilty. *I don't know if it still does. I bloody hope not, it's decades since Day of the Jackal was published.
  • A more contemporary example, flashboy. The New Zealand Department of Affairs, who record births, deaths, and marriages, has been computerising records in an effort to cut down on the method you've described succeeding.
  • path: Identification can be forged. The front page post proves it. Beyond identity theft, people talk about national IDs for counterterrorism and the like. This won't work...for the very reason identities are faked and assumed, notwithstanding the implications around a centralized database. But that's another topic. A national ID I fear most. Right now, to assume an identity, there are steps and phases. A birth certificate, driver's license, social security number...they all add up to build identity. A national ID would carry so much weight, that when faked, that's all you need. When it comes to identity theft or any attempt to get unauthorized access, social engineering—a college word for tricking people—is bar none the most powerful and effective tool (outside the potential for a national ID). Take what James Rinaldo Jackson did to find out about Steven Spielberg: He started by calling the Screen Actors Guild and tricking an operator into sharing the name of the guild’s health care insurance provider. Then he called the provider’s toll-free number and pretended to be an administrator at a medical provider looking to verify coverage for billing purposes. Helpful operators spat back Social Security numbers, dates of birth, addresses, and other private information. “All I needed was a name,” he said. Then, he would start his “prowl.” All it takes is a little information. Each bit allowed him to social engineer the next more valuable piece. As far as identity goes, as "James Rinaldo Jackson", he didn't have access to medical records. But internal account managers do. All he had to do was pretend to be one, verifying coverage. He faked identity (account manager) and a reason (verifying coverage). They are both plausible to the person on the other end of the phone. The trouble is, even if the health care provider only allowed the real account manager to such information, all he had to do was find out that person's name and assume it.
Like I said, identity is a very poor security practice. Intent is key...and identity has very little to do with proving intent. I use the "identity" the_they. It doesn't prove I intend to have kids someday. It doesn't matter if my name is John, Jacob or Penelope. That's the difference and its weakness. We use identity to prove intent and people can pretend to be other people.
  • Ah, yes, but They are one step closer to implanting a unique identity chip into your brain that can only be read by government licensed scanners. They'll cross-reference the chip identity with your retina patterns, and bingo! Big Brother really will know all about you. You can get an ID chip implanted for your pet right now, so wassa holdup?
  • BlueHorse, chips in animals aren't for security; they're for identification. All a chip does is identify the chip in the person. Add a determined person with an x-acto and tweezers or a depraved surgeon to the fray, fake the chip and we're even worse off. Conversely, a suicide bomber wouldn't care if they're ID'd.
  • damn spellcheck
  • "chips in animals aren't for security; they're for identification" Wait a minute, your point was that identity is easy to falsify, thus security is at risk, so I suggested a way to make it harder to falsify identity. Sure somebody could dig out the chip, but wouldn't it be a tad suspect to walk into a bank or other establishment with a pair of gouged out bloody eyeballs in order to match the chip to the retinal scan? Ok, you don't like that one. How about implanting a receptor and beaming Correct Thoughts from cell phone towers?
  • That just might do it.
  • I find that in the US the Social Security Number (SSN) seems to be used more than the similar Social Insurance number (SIN) is in Canada. My university, very stupidly, uses it as my student number - a practice which allowed another university to snoop around their admissions a few years back. I also find it being asked for in many other situations - I don't remember the SIN being so ubiquitous - it took me longer to memorise it than it has my SSN.
  • homunculus -- fine link, foul fraudsters.
  • You go, GiRRRLL!