and instructing people to use the alternate swipe.
8 7
T H E M E C H A N I C S O F I D T H E F T
The main drawback to skimming—from the crook’s perspective—is that it’s a short-lived scheme. Skimmers usually have to make all of their purchases and transactions before the true card owner gets his or her next monthly statement. Sometimes the crook can find out when the statements are mailed; but, more often, they don’t want to risk discovery by asking.
In short, the card skimmer—and most ID thieves, no matter what their
modus operandi
—run so-called
bust-
out schemes
. In purest form of these schemes, the crooks use credit card terminals obtained by a shell or front business to apply charges to stolen credit cards. The crooks run the cards or numbers through the terminals but do not provide any goods or services. The credit card company credits the account of the front business. Before the next statement from the stolen card reaches its rightful owner and the bogus charges can be reversed, the funds are moved out of the front business account.
In a slight variation on this scheme, the crook will
use the stolen cards (or card information) to buy
things from legitimate businesses—and flee with the
goods before the next statement arrives.
Some seasoned ID thieves move from city to city, skimming card information, charging up goods and either busting out or moving on.
8 8
C H A P T E R 4
I N S I D E R S S T E A L I N G I D E N T I T I E S
Skimming often relies on the
cooperation of corruptible employees
. But it’s a relatively simple and often anonymous proposition.
More complex ID thefts involve more detailed cooperation between employees and thieves. At a meeting of Florida law enforcement officials in November 2002, lawyers with the state attorney’s office introduced a veteran ID thief for some dramatic testimony. Wearing a plastic mask that reminded some of the Hannibal Lecter character from the film
Silence of
the Lambs
, the speaker offered details on how he’d been able to steal between $15 million and $20 million using other people’s names.
He claimed that he could purchase a Florida driver’s license for as little as $100 and, in a few minutes of telephone work, he could get someone’s Social Security number—all with the help of “people on the inside.” In all, he’d corrupted more than 50 people working in the offices of state and federal agencies in various Florida cities; and he’d been able to do it all by focusing on clerical and administrative employees.
Not managers or professionals.
He said
greedy people
were happy to sell him other people’s personal identification. He would pay as much as $1,000 for a complete package—that included a name, birth date, address, account details and SSN.
He pointed out that the most effective ID thieves prefer not to steal credit cards, because owners miss them quickly and report their loss. It is easier, he said, to corrupt a bank worker, a driver’s-license examiner or someone from a credit-reporting service.
8 9
T H E M E C H A N I C S O F I D T H E F T
ID thieves often use techniques similar to drug dealers. A group of middlemen will contact corruptible
employees; these middlemen function as independent contractors with a penchant for secrecy.
The crooks often contact employees on the recommendation of a mutual acquaintance, keep communications limited to a cell phone and stay in one place for a short time. They
pay cash for credit card numbers
, bank account information, blank document forms and—most importantly—Social Security numbers.
In May 2002, Ford Motor Credit Company (which writes mortgages, as well as car loans) sent out a series of letters notifying some 13,000 borrowers that their credit information may have been stolen. For more than a year, a crew of sophisticated ID thieves had been breaking into the files at credit bureau Experian, using a Ford Motor Credit password and lender account information.
Experian blamed the breach on the Ford account information. For its part, Ford spokespeople said they didn’t know how the breakins happened—and they couldn’t rule out employee involvement. Rich Van Leeuwen, a Ford Motor Credit executive, said: A lot of these attacks happen because of insiders that have particular knowledge of how the application works, or get help from somebody from the inside without even knowing that they’re helping the attack happen.
9 0
C H A P T E R 4
The ID thieves accessing the Ford Motor Credit data were looking for more than just credit card numbers.
The credit information that Ford kept in the Experian system included complete identities—SSNs, birth dates, family names, bank information—that crooks could use to establish complete financial clones of the borrowers. In law enforcement circles, this more complete reproduction is called
true identity theft
.
And it can go on for years without being stopped.
About the same time as the Ford Motor Credit de-bacle, a Philadelphia-based ID theft scheme that used a corrupted insider was coming to light.
More than 40 people who banked with the Philadelphia Federal Credit Union started finding out that their credit histories had been stolen. The ID theft had enabled local crooks to operate a huge bust-out scheme; they bought more than 60 new or late-model cars worth almost $2 million from Philadelphia-area dealers, using the Credit Union customers’ credit. The crooks
sold or moved the cars
; and they never made any payments.
But the ID heist had been too dramatic to go unno-ticed. Because the crooks had used so many IDs stolen from one financial institution, federal banking authorities were able to trace the dirty deals back to a single source. The Feds’ detective work led them to a Philadelphia Federal Credit Union employee—a part-time clerk named Marpessa McNeil.
McNeil hardly seemed like a hardened criminal. She
was a recent college graduate (with a degree in
9 1
T H E M E C H A N I C S O F I D T H E F T
criminal justice, no less) in her mid-20s, who’d been
working for the Credit Union for several years to
strong performance reviews. But she’d been influenced by a hard character.
Darryl Brown, who had a checkered history of financial missteps, misdemeanors and malfeasance, had paid McNeil $10,000 for getting the detailed credit reports of 44 Credit Union members. He had coordinated the automobile bust-out scheme.
Brown, McNeil and several others were found guilty of various crimes including identity theft and grand larceny.
The victims of the scheme seemed more upset with McNeil—whom they’d trusted—than the con artist Brown. Credit Union members and executives peti-tioned the federal judge hearing the case to make an example of McNeil. And he did.
U.S. District Judge John R. Padova sentenced McNeil to 30 months in prison and ordered her to pay back $674,661. The sentence exceeded standard guidelines; but Padova defended his decision because of “the severe non-economic harm” the Credit Union members had suffered in piecing back together their damaged credit.
Some ID thieves don’t like to rely on bribed insiders
for credit information. They are more patient—and
systematic. And they take customer service jobs
themselves to get access to the information.
9 2
C H A P T E R 4
In August 2002, Kansas law enforcement agents charged a former customer service manager at several local companies with stealing identities from people who paid their bills with credit cards. Christo-pher Paul Ware was charged with five counts of identity theft.
Local detectives said Ware
took customer-service
jobs
at Verizon Wireless, Capital One, Chrysler Finance and Household Payroll Services, all in the Kansas City area. He kept a private log of names, Social Security numbers, mothers’ maiden names and other information when customers called him to pay their bills. He might have gotten away with the thefts—but he stayed in the Kansas City area too long.
Local police tracked Ware down only after he’d used two fraudulent credit cards and a false credit application to buy a car. They arrested him at his office in the suburban town of Overland Park—and found more than a dozen files of customer identity information in a bag he carried.
W I - F I A N D O T H E R W E B R I S K S
Identity theft is a disturbing combination of old schemes and abuse of emerging technologies.
One example of such abuse of new technologies is called
wardriving
—randomly searching for open signals to acquire free wireless Internet service.
Proponents of the practice envision a
utopian
Internet world
where everybody can walk outside and log on without paying a provider. But the signals can also be used to gain access to private information
9 3
T H E M E C H A N I C S O F I D T H E F T
in the computers of the companies that pay for the service. No passwords or secret codes have to be cracked using this method.
Entering computer systems without official permission is a state and federal crime. Penalties depend on the amount of damage that results. But it remains a popular activity among the hacker community. Some wardrivers invade computer networks for fun; others do it for identity theft, password acquisition or just plain old snooping.
A wardriver can use ordinary equipment—such as a simple laptop computer, a commonly-available an-tenna and the Windows 2000 operating system. The only difficult part is getting the right software; but even that is done easily enough on the Internet. One popular program, called
netstumbler
, recognizes signal access points in a small geographic area.
Online ID theft exposures don’t require anarchistic
hackers.
Some thieves gain access to your personal information via old e-mail—that you thought you’d deleted.
E-mail services often make backup copies of the email so as to recover from a catastrophic failure of a primary server. From time to time, e-mail users are surprised to discover that e-mail they thought they had long since deleted has been
retained in backup
files
and has been released by accident or has become discoverable in a legal proceeding or is accessible under appropriate warrants.
9 4
C H A P T E R 4
Other thieves gain access to personal information through another serious consumer Internet risk that arises from
access-controlled services
requiring user authentication. The most common method of authentication is to associate a password with a user identifier (ID). These passwords are often fixed and reused repeatedly. Users are notorious for the poor choices of passwords and their unwillingness to change them regularly. Passwords can often be guessed (birthdate, pet’s name, spouse’s name, the current year, anniversary date, Social Security number, telephone number, address).
Password files at the service hosts are usually one-way encrypted but if a hacker can get a copy of the
encrypted password file it’s possible to run a “reverse dictionary attack” to try to find the password. In a reverse dictionary attack, all the words
in the dictionary are encrypted and then compared
with each of the encrypted passwords taken from
the target computer. A match exposes the password. Such tools are commonly available.
Good password practices dictate at the least that re-usable passwords be changed regularly, contain more than just alphabetic characters, be six to 10 characters long and not contain common words found in the dictionary. See Chapter 8 for more about passwords.
Information about
consumer use of Web services
can be collected in each user’s personal computer by Web service providers in small caches of information called “cookies.” The Web service providers can
9 5
T H E M E C H A N I C S O F I D T H E F T
use this information to tailor services provided to individual users. Consumers are at risk if companies that collect this data make use of it in ways that consumers do not expect or would not approve. It is this concern that led to requirements for companies to report their privacy protection practices to consumers on a regular basis.
Not all Web sites are what they seem. Some may appear to offer products or services but may in fact simply be “fronts” for purposes of
capturing personal information
, credit card numbers and the like.
This is outright fraud.
Finally, software can be put into your computer by someone with physical access to it that will provide a record of virtually everything you do with your machine. Similar software might be ingested over the Internet as an attachment to an e-mail message or possibly as a consequence of loading a Web page and executing “applets.” Such “
Trojan horse
” software can expose all of your personal computer’s data and activity to view.
S L O P P Y O N L I N E S H O P P I N G H A B I T S
People who use the Internet today willingly give up a lot of information about themselves.
In this age of gathering marketing data, information and cross-referencing databases, once you purchase something online and they have a good profile of you, that information can be propagated to a
lot of other agencies or places and sold.
9 6
C H A P T E R 4
Your credit card information is stored at that company. And security of your information is only as good as the security of the company that’s storing your information. If they’ve broken into it and your information is sold or stolen, you’ve got no control. Once it’s gone, it’s gone.
If you buy something online, the company that sold you that something may have the right—even the
obligation
—to
give the information to other entities
— including the federal government, for one. And, if there’s a financial transaction involved, the online company may have obligations to give the information to affiliates and reporting services. And they may want to give the information to marketers.