How to Steal $65 Billion

Why Identity Theft is a Growth Industry

By Robert X. Cringely

Recently my mail was stolen. It wasn't supposed to be stolen, which is a given, but it also wasn't supposed to be able to be stolen because I was out of town for two weeks and had the Post Office hold my mail. Only it turns out that in Santa Rosa, California at least, holding mail means different things to different mail carriers. Someone -- a substitute carrier I'm told -- saw that big old pile of mail down at the post office (the pile with the big "vacation hold" sign above it) and thought what the heck I'll just deliver that mail anyway. And so they did. That big old pile of mail sat in my big old mail box on my little old country road under a walnut tree and across from a pond and sometime in the next few days it was stolen. The only reason I know any of this is because a neighbor eventually found some of my mail and some of a lot of other people's mail strewn along the road like errant unmarked bills after a bank heist.

Here is something you probably didn't know. If you have the Post Office hold your mail and they do something stupid like NOT hold it for some reason, as happened to me, you have no recourse. They start an "investigation" of course, but since no investigator ever calls and certainly nobody reports back to me, the victim, I think this is pretty much of a ruse. They sure don't replace any of the mail. I had, for example, ordered from Amazon.com a copy of the 2003 Kelley Blue Book Used Car Guide. My neighbor found the envelope from Amazon.com, but not the book.

"Where's my book?" I asked the lady at the Post Office.

"Lost," she said.

"What are you going to do about it?" I asked.

"We'll start an investigation," she replied earnestly.

"No, I mean what are you going to do about replacing my book?"

"Why would we replace your book?"

"BECAUSE YOU LOST IT????"

Nope. The Post Office didn't lose my book or any of my other mail, it seems. Oh the mail was lost, but they didn't lose it. They delivered it in error, but they didn't lose it. I LOST IT by not being there to collect the mail. It was my fault. It seems that holding mail while you are out of town is actually "a courtesy" performed by the Post Office and carries with it no obligation or liability other than, of course, to start an investigation.

Film at 11.

Now in the pile of mail discovered by my neighbor, along with the envelope from Amazon.com and many, many bills, was something really scary. It was a plain white envelope that had been opened and in that envelope I found a report from one of the big credit reporting agencies. It was MY credit report and though the credit score was nowhere as high as I would have liked, the thing most startling about that credit report was that it existed at all. That's because I never ordered the credit report.

Uh-oh.

Uh-oh is right. I did some checking and found that my credit report had been ordered from all three national credit reporting agencies though two had refused to send the report because something was odd about the request. But the third credit reporting agency, sensing nothing odd and gladly taking the money, sent the report which was intercepted presumably by the person who had ordered it -- my very own identity thief.

My sense of self is fragile as it is without someone stealing me from me.

That was more than a month ago and I have since done everything I can (which isn't really a heck of a lot) to protect and preserve my identity. And I am still waiting for the results of that investigation. Yeah, right.

But I have also used the time to learn more about identity theft and what I found is very scary. Identity theft is not only incredibly easy to do, but our government seems to go out of its way to help the thieves. The government is making many Americans more vulnerable, not less. This is crime just waiting to happen on a massive scale, thanks to computer technology.

Identity theft is generally a pretty low-tech crime. The bad guys steal your mail or pilfer your trash, coming up with enough personal information to apply for bank accounts, credit cards and loans with your name and credit rating but with their address. They can even appropriate your existing accounts. All it takes is having your name, address, date of birth, and Social Security number. Before you know it the crooks have bought goods, bounced checks, and drained your bank accounts, leaving a world of heartbreak for the victims as they try to repair the damage.

The single greatest deterrent to identity theft is probably a paper shredder. Get one and use it for anything you throw away that contains personal information. Oh, and NEVER put outgoing mail in your mailbox for pickup by the carrier. Take it to the post office or to a local post office box.

It is very difficult to measure the cost of identity theft. The U.S. General Accounting Office tried to do so in a 2002 report and finally concluded that it simply could not be done with any precision. Many identity thefts aren't even noticed, for one thing. What's that $30 charge on your credit card bill? Oh well. Even many identity thefts that are noticed aren't reported. And when they are reported it is often to different federal, state and local agencies that don't necessarily speak with each other.

What we do know is that there are somewhere between 250,000 and 750,000 identity theft victims every year. While many cases are small, the U.S. Secret Service reported in one year investigating more than 7,000 cases with an average cost to victims and financial institutions of $217,000 or a total cost of about $1.5 billion. The American Banking Association reports identity fraud losses to its members of around $1 billion per year and the credit card companies absorb around $1.5 billion per year in such fraud losses.

Then there is the cost of fighting the problem, which ranges from $15,000 per case for the Secret Service to the average 175 man-hours that consumer counseling organizations report it takes victims to deal with the paperwork of restoring their financial lives to order.

So the cost to society of identity theft is in the range of $4-5 billion per year and may be even higher. The U.S. Federal Trade Commission recently came up with an annual figure of $53 billion, though that feels to me like a made-up number -- one that is good for Congressional hearings.

Identity theft is bad enough but right now it is also pretty much of a cottage industry relying primarily on techniques like dumpster diving. What if the identity thieves found a way to automate their crimes using computers? Then it would get far worse, which is what this column is about.

When the term "computer crime" was coined it was during the mainframe age and the perceived threat was from employees who could program bank or company computers to conduct millions of tiny thefts, grabbing a penny here and there and accumulating over time millions in the employee's account. It would be an inside job involving vast sums but done so skillfully that nobody would even notice. But it really didn't happen very often. When computer crime finally became a reality in the 1990s it was the Internet age and the criminals weren't, for the most part, company employees, they were kids with bad attitudes and too much time on their hands. And their crime wasn't theft but vandalism, as viruses -- malevolent programs -- led to loss of data worth billions.

According to a 1999 report by Computer Economics Inc., a Carlsbad, CA-based consulting firm that tries to measure such things, computer viruses, Trojan horse programs, and denial of service attacks that year cost Americans a total of $12.1 billion. While that is a horrific sum, it is not money that is stolen, but destroyed. There is no crook sunning on a tropical beach thanks to computer viruses. But with identity theft that is exactly the case. Some crook IS sunning on a tropical beach at your expense.

Crossing identity theft and computer crime requires gaining access to personal identity data on tens or hundreds of thousands of people at one time then using that data on a mass scale to apply for credit cards and bank accounts online. Crunching the data for all those credit card applications is the easy part once you've written a program to do so. What's hard is finding the personal identity information needed to drive the process and that's where the government, all too often, plays a role.

It's that damned Social Security number, which is so useful as a universal identifier that it becomes a part of almost every database at all levels of government. If you are a bad guy, then, the trick is gaining access to those databases, which ought to be difficult but isn't at all. Most states include Social Security numbers in their voter registration databases, nearly all of which are open to the public and many of which are searchable online. But searching for one name and grabbing 100,000 voter records are very different things, so trying to gather mass data for identity theft using your AOL account would probably be noticed and is not a good idea. But many states will sell you the data on CD-ROMs that you can take home and search as intensively as you like. These CDs are typically intended for politicians to use for generating mailing lists but could obviously be used for a far darker purpose.

Of course you could probably do the same thing with medical, educational, or insurance records, but then there is the problem of gaining access. Public records are better if you want to be a crook because the Freedom of Information Act makes them completely available.

While government agencies are doing their pitiful best to keep this kind of data hidden (a GAO study last year found 14 out of 15 Federal agencies studied were inadequately protecting Social Security numbers), even after they've finally taken action to protect this information the danger is still present. That's because Social Security numbers last a lifetime and there is a lot of old data floating around out there, data that can be brought up to date with frightening ease.

Here is the part where I have to slow down a bit because it would be very easy to explain exactly how to steal a whole lot of money. I want to publicize a problem that should be fixed, but in doing so I don't want to tempt anyone to break the law. So I'll just say that there is a particular Federal agency that used to use Social Security numbers as individual record identifiers for a large database of names and addresses -- a policy they changed only last year. When they stopped using Social Security numbers as identifiers for new records, this agency didn't immediately go back and assign new numbers to its almost 600,000 old database entries. The old Social Security numbers are still there, though they are no longer reported on the $30 CD-ROM version of the database that the agency sells to all comers, nor is the all-important date of birth in the public record anymore. Problem solved, right?

Wrong.

There are thousands of old CDs in circulation from earlier years including both missing pieces of information. Given that some of these database entries linger for decades (mine is more than 30 years old) and neither Social Security numbers nor dates of birth ought to change over time, it should be simple to reconstruct the missing data. Just grab it from an older CD and apply it to any entries that span both old and new disks. So that's just what I did, really. I borrowed a version of the same data CD from 1998 that was available locally and used my computer to mix that old data with the more limited data from the current CD, which is released quarterly. Sure enough, in less than an hour I had updated names, addresses, Social Security numbers and dates of birth for the more than 300,000 entries that were in common across both CDs.

What I produced in that hour was all the information required to steal the identities of 300,000 people, most of whom would be considered to have high financial (if not emotional or artistic) net worth. If I was a real criminal I could use this data over a period of 4-6 weeks to apply for online credit cards and bank accounts, to order credit reports that list where the victims do their banking so I could loot those accounts, too. Before anyone would notice I could grab that Secret Service equivalent of $217,000 per victim for a total take of $65 billion, which certainly beats my day job.

This sort of crime is eventually going to happen. If I can do it just about anyone can do it. The take probably won't be $65 billion, but it will be in the multiple billions. Once it sinks in what has happened, the financial world and the world of business will never be quite the same again as yet another shred of our innocence is torn away. And government will likely respond with new laws that won't work and with a profound lack of understanding of its own role in the tragedy.

But first they'll start an investigation.