×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Big ID Thefts Not To Be Feared

Zonk posted more than 8 years ago | from the i-would-still-be-nervous dept.

Privacy 161

goldseries writes "A new study released by ID Analytics says that only about 1 out of every 1000 stolen identities are actually used, due to the amount of time it takes to use the identity, limiting a single thief to 250 identities a year. The likelihood that your information will be used increases drastically when the size a the theft is small. So size does not matter, in identity thefts at least; the identity thefts you need to worry about aren't the big ones heard on the news but the small unreported ones." From the article: "While the findings will provide some comfort to consumers whose credit cards are lost or lifted, or whose sensitive information is compromised when, for instance, a laptop is stolen, as recently happened at Chicago-based Boeing, some of ID Analytics' suggestions could be controversial. The company suggests, for instance, that companies shouldn't always notify consumers of data breaches because they may be unnecessarily alarming people who stand little chance of being victimized."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

161 comments

Of Course You Should Inform Them! (4, Interesting)

SeanDuggan (732224) | more than 8 years ago | (#14210899)

Unless the companies who lost the information are willing to be liable for any and all damages caused by the identity theft, not limitted to damaged credit ratings, credibility damage, and all monetary losses, they should definitely inform consumers. That would be like not informing people of airplane safety measures "because very few planes actually crash."

Re:Of Course You Should Inform Them! (1)

Korvar (937226) | more than 8 years ago | (#14210925)

And indeed, it seems to me that if you inform someone, they're more likely to take action, so the ID thief gets less of a chance to actually do damage.

Re:Of Course You Should Inform Them! (1)

Psiolent (160884) | more than 8 years ago | (#14211342)

Their argument for not forcing companies to disclose is that those big companies would be better off spending the money they would use to inform everyone on the people who actually get victimized. What does that even mean exactly? Also, they don't want to needlessly freak people out.

Sounds like a pretty weak argument to me really. More corporate BS?

BTW, I beat /. to the story on my ID theft site: Identity Theft Risk Overhyped [bloomshare.com]. Do I get extra points for that, or what?

Re:Of Course You Should Inform Them! (4, Insightful)

timeOday (582209) | more than 8 years ago | (#14210981)

Unless the companies who lost the information are willing to be liable for any and all damages caused by the identity theft, not limitted to damaged credit ratings, credibility damage, and all monetary losses, they should definitely inform consumers.
I'll go you one further, I think the law should *compel* them fess up. Most of the interest over identity theft has resulted from the California law which does just that. As a result, we started to hear about things that before would have been secret, and it has really blown the issue wide open. For markets to work well, people must have access to relevant information, such as which companies have bad track records for infosec.

Yesterday was Pearl Harbor day... (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14211070)

and not a word of compassion from all you slashdot asswipes...yet you all get weepy eyed on Hiroshima day because a few thousand Japs got incinerated??
You all make me sick

Re:Of Course You Should Inform Them! (3, Funny)

NotoriousGOD (936922) | more than 8 years ago | (#14211174)

"Shit. Another 100,000 credit card numbers were jacked? Naw, we don't need to let anyone know. It's the holidays for fuck's sake."

Thanks To Homeland Insecurity: +1, Patriotic (-1)

Anonymous Coward | more than 8 years ago | (#14211225)

No should fear anything except the MIlitary-Industrial Complex [whitehouse.org].

Patriotically as always,
President-Vice Richard B. Cheney

Any terrorist attacks since 9/1/01? (-1)

Anonymous Coward | more than 8 years ago | (#14211288)

I thought not, seems Homeland Security is working just fine. Now if we could only round up asswipes like you...

Re:Of Course You Should Inform Them! (1)

wile_e_wonka (934864) | more than 8 years ago | (#14211263)

That would be like not informing people of airplane safety measures "because very few planes actually crash."
I've always wondered the use of those airplane safety measures. They tell you all about the life vests, floating seat cushions, and slides that turn into rafts even on flights that don't go over water.

Nice whitewash... (5, Insightful)

Godeke (32895) | more than 8 years ago | (#14210900)

So those of you that *actually* suffer identity theft... well, you are just a small, inconsequential number of people compared to those who got lucky. Since you are so outnumbered we can safely continue to fail to safeguard your data, and we will use these results to claim it is your fault, not ours, that you suffered identity theft. After all, you are only one in a thousand, right? Heck, losing a tenth of a percentage of our customers won't hurt *us* that much... and all this notification stuff is hurting us *much* more than that.

Re:Nice whitewash... (1)

BushCheney08 (917605) | more than 8 years ago | (#14210979)

And this is flamebait why?!?

Re:Nice whitewash... (0)

flyinwhitey (928430) | more than 8 years ago | (#14211429)

"and we will use these results to claim it is your fault, not ours, that you suffered identity theft"

That's why. Show me where it says that, or implies that, or in any way suggests that these businesses believe that.

He made that garbage up, and got modded correctly for it. Perhaps there should be a mod for "-1 incredibly, stupidly hyperbolic made up crap" but there isn't, so that's what he got.

Re:Nice whitewash... (2, Interesting)

BushCheney08 (917605) | more than 8 years ago | (#14211523)

Have you ever been the victim of identity theft? I have. They essentially have you "prove" that you did not open a line of credit somewhere. The full burdon of proof is on you for something that you had nothing to do with.

Re:Nice whitewash... (1)

nharmon (97591) | more than 8 years ago | (#14211203)

Maybe you (or whatever company you are making fun of) doesn't realize is that what you don't know about can hurt you. I won't seek to do business with a company with a poor track-record of safeguarding my identity.

3rd post!!! (0)

Anonymous Coward | more than 8 years ago | (#14210923)

omfg bbq!@

I'm not sure I get it (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14210924)

I'm not sure why anybody should be notified at all. Customers knew the risks when they signed up for a credit card, if they didn't know the risks they could have found out. And now nobody has an excuse for not knowing the risks involved. What is this a nanny state where corporations act like our mothers? People need to take personal responsibility for the risks they have entered into.

Re:I'm not sure I get it (4, Insightful)

timeOday (582209) | more than 8 years ago | (#14211037)

I'm not sure why anybody should be notified at all. Customers knew the risks when they signed up for a credit card, if they didn't know the risks they could have found out. And now nobody has an excuse for not knowing the risks involved.
You are the classic example of somebody who berates individuals for not taking responsibility (for things they have very little control over), while at the same time giving companies carte blanche for utterly reckless irresponsibility. It's bizarre.

Re:I'm not sure I get it (1)

KarmaMB84 (743001) | more than 8 years ago | (#14211054)

That's nice. What if you do everything humanly possible to protect your personal information and someone gets it through negligent corporation? We're not even talking about credit cards here. We're talking about identity theft. If they manage to steal your identity, they won't need your credit card.

Re:I'm not sure I get it (2, Informative)

RobinH (124750) | more than 8 years ago | (#14211089)

Right, blame the victim. How about we blame the person breaking the law, harming other people... the person committing the identity theft itself?

The technology exists to make credit cards secure. The technology exists to keep our identities secure from fraud. Let's have gov't and big corporations start to take it seriously. All they do right now is accept a certain % of fraud per year and consider it an expense against their bottom line, and charge all their customers extra to compensate. The criminals are getting away with it, and it costs everyone.

Heck, even if they integrated a 4 digit PIN on all credit card transactions in addition to a signature, you'd cut down on fraud significantly. Point of sale and internet transactions could easily be adapted to this. The only problem would be selling stuff over the phone, where you're left with the same problem, but the credit card companies already charge an extra amount to those retailers who can't do signature verification, and that makes this kind of transaction more expensive, so the buyer of that particular product ultimately pays the risk, which is better than the current situation where we all pay extra.

Re:I'm not sure I get it (2, Informative)

theRiallatar (584902) | more than 8 years ago | (#14211162)

Mastercard at least, has a solution for this, even if it's a little bit of a hassle. You create throw-away card numbers that are only valid for a certain amount and expire after a month or two. It's all about minimalizing your exposure to fraud.

Re:I'm not sure I get it (1, Informative)

Anonymous Coward | more than 8 years ago | (#14211170)

When I signed up for my credit card, I don't recall the terms & conditions including anything like "We may, from time to time, be recklessly negligent with the data we hold on you. At the Credit Card Companies discretion, we may lose or otherwise inadvertently pass on your data to a third party."

If that was in the contract then I agree, yeah I did know the risks when I signed up and it is my problem if the company does just that; they warned me about it, after all.

Re:I'm not sure I get it (1)

greenegg77 (718749) | more than 8 years ago | (#14211428)

You know, you're right. I mean, people knew the risks when they purchased Fords with bad tires right? They knew the risks when they purchased a TV wall mount that it was poorly designed and could drop the TV on you [cpsc.gov]. They knew that certain vaporizers have defective heaters that can emit sparks and flames [cpsc.gov], right? Why are we coddling these people? Just let their homes burn down because they were stupid enough to trust a company to build something safe.

Heck, why should these companies even safeguard this information at all? Information wants to be free, right? Just slap it out there on the web for all to see. It's not like your name might be on their list...

troll^2 Re:I'm not sure I get it (1)

speculatrix (678524) | more than 8 years ago | (#14211450)

I'll meet your troll and raise it with another...

If someone steals you ID, you should be allowed to go and take everything that person owns, including their life - after all, they are pretending to be you, so by rights, their property is yours, including their life, so feel free to kill them!

Of course, if they've stolen multiple IDs, you'll have to divvy up the loot.

Nonsense Quote (2, Insightful)

LostCluster (625375) | more than 8 years ago | (#14210929)

"As far as notifications, we think there are certain instances where businesses might want to notify consumers and certain instances where they might not to inform them," Cook said.

When would there ever be an instant that a business would want to disclose a leak? There are instances were businesses should be required to inform customers.

Re:Nonsense Quote (1)

Red Flayer (890720) | more than 8 years ago | (#14211018)

"When would there ever be an instant that a business would want to disclose a leak?"

If a company negligently allows access to sensitive information on thousands of their clients, their liability in the end might be less if they notify all the clients exposed, since the actual harm done would (hopefully) be less.

So the conditions are:

1) Legal liability for the leak
2) Announcing the leak will help prevent damages

Re:Nonsense Quote (1)

JoeBuck (7947) | more than 8 years ago | (#14211359)

Companies are profit-maximizing entities. They will only bother to secure their data when it costs them too much if they don't.

Notifying everyone when there is a big breach costs money. That's not a bug, it's a feature. Companies that don't want to spend the money need to secure their data better.

1 in a thousand? (1)

Bananatree3 (872975) | more than 8 years ago | (#14210936)

The company suggests, for instance, that companies shouldn't always notify consumers of data breaches because they may be unnecessarily alarming people who stand little chance of being victimized."

Well, 250 informed consumers is much, much better then 250 uninformed consumers who don't know their identity was stolen until their credit card bill comes in.

I'm not afraid....just very worried (1)

digitaldc (879047) | more than 8 years ago | (#14210939)

Luke: I won't fail you. I'm not afraid.
Yoda: You will be. You will be.


Just because statistically you will not have your ID used after being stolen, it is still a terrible feeling - as if millions of voices suddenly cried out in terror and were suddenly silenced.

Every 35 hours (2, Insightful)

amrust (686727) | more than 8 years ago | (#14210948)

...limiting a single thief to 250 identities a year...

Still, to the web economy, that's *almost* like them becoming a completely different person, every 35 hrs. Per thief. Pretty amazing/scary when you stop to think about it.

Re:Every 35 hours (1)

moreentropy (721394) | more than 8 years ago | (#14211095)

A couple of years ago they broke a ring here in Denver which was cracking banks (card issuers), forwarding the data to Montreal where it was forwarded to New York and some guys with a lot of vowels in their last names. The entire premise that this is 250 names a year per cracker is simply not relevant to the business of stealing ID's: it is not just one guy with the names and info, and you have a machine in place to get a hell of a lot more out of it than one guy could get. These guys are maximizing their returns!

Re:Every 35 hours (1)

amrust (686727) | more than 8 years ago | (#14211184)

True, true. Those machines multiply their "effficiency".

This is also the time of year where people are out shopping, in a rush to get home where it's warm, and may not think to check out the "ATM" they're swiping their MAC card through. Just a reminder to everyone to be mindful of what they do with their cards this holiday season. Check out those machines carefully before putting your card in.

Re:Every 35 hours (1)

aug24 (38229) | more than 8 years ago | (#14211204)

More like every 24 hours. Even identity theives take the weekend off ;-)

J.

Not a big deal??? (4, Insightful)

gasmonso (929871) | more than 8 years ago | (#14210951)

Tell that to the thousands of people who had their lives turned upside down. The effects of identity theft can be devastating and long lasting. If your data is stolen, you have every right to know about it. This is just an attempt for companies to downplay their incompetence and lack of security. I'd like to see how they would react if their information was stolen.

gasmonso http://religiousfreaks.com/ [religiousfreaks.com]

Re:Not a big deal??? (1)

Surt (22457) | more than 8 years ago | (#14210993)

No kidding. My friend went through this, and spent well over 200 hours fixing all the problems it caused him.

Stupid (2, Informative)

pubjames (468013) | more than 8 years ago | (#14210956)

This is the most stupid thing I've read recently.

If a criminal gets his hands on a million records, and he can only use a few hundred a year, what do you think he is going to do, throw all the others away?

No, he's going to sell them to other criminals or pass them on as favours.

overblown my ass! (ewww, nasty image) (3, Insightful)

BushCheney08 (917605) | more than 8 years ago | (#14210958)

As a former victim of identity theft, I have to tell these people to go to hell. Sure, my case was a fairly small one -- two lines of credit opened in my name totalling about $5000 (On one of the applications, there wasn't even a SSN. They opened the account simply by listing my name and an address that I've never lived at). Getting the crap cleaned up was an absolute nightmare. And don't expect the 3 credit reporting agencies to be any help, either. They don't want to deal with you. After all, you're not their customer - their customers are the ones buying your information from them. One of the agencies still sends mail to my old address, 6 months after moving. This is despite me sending a letter notifying them of my change in address along with all of the information they requested in order to do so. Basically, any company dealing in personal information brokerage is on my shitlist...

Re:overblown my ass! (ewww, nasty image) (1)

MightyMartian (840721) | more than 8 years ago | (#14211371)

If identity theft were limited to single individuals then I'd say these guys have something of a point (though, as with all statistical analyses of bad things, it don't make a victim feel much better). However, my big concern would be organized crime getting into the game. At that point, a far greater fraction of stolen identities could be used. This strikes me as being one of those "don't worry, be happy" reports, sort of like "ah, that amount of benzine in your drinking water won't hurt you at all".

Unnecessarily alarmed (0)

Anonymous Coward | more than 8 years ago | (#14210962)

"The company suggests, for instance, that companies shouldn't always notify consumers of data breaches because they may be unnecessarily alarming people who stand little chance of being victimized."

We had a case where the local cops got sued for just such a reason. Actually, they were trying to catch a serial rapist and didn't warn the public because they didn't want him to know that they were onto him.

A few good lawsuits should disabuse anyone of the idea that they should keep information theft a secret.

Credit reporting companies fault (2, Insightful)

Lumpy (12016) | more than 8 years ago | (#14210966)


If they would stop being Asshats and allow you to "LOCK" your credit reports then this would be a non issue.

If I could call and place my credit reports in a locked status so no credit reports can be pulled then this would be a much smaller issue. But they refuse to because it would significantly impact the revinue stream they get from the tens ofthousands of illigimate requests they get an hour for people's credit. I wont even go into the issue that their data is horribly inaccureate anyways but they should allow me to lock it down until I release that lock.

A Study in Non-Thinking (1)

SlashAmpersand (918025) | more than 8 years ago | (#14210970)

Even if this is completely without error, it sets the stage for future problems. What they're saying is that currently this is the situation. However, let's say a group of identity thieves become more organized and start making more efficient use of the big thefts. Setting procedure based on the current thinking would leave us unprepared for future "improvements" made by criminals. This is the same kind of thinking that left us with the 640k wall. As far as I'm concerned, if my identity information was leaked in any way, I want to know about it. Don't tell me "it's not likely to be used.".

I just got a 20 page background check fax in error (5, Insightful)

gelfling (6534) | more than 8 years ago | (#14210986)

My home fax machine is one digit off from that of an headhunter. Two nights ago I got a 20 page fax detailing the background check results for a candidate including:

Name
SSN
Address
Bank account numbers
Credit score
Arrest/conviction records: Federal State Local
Urinanalysis results

There was never a I never received a followup fax to check up on it - clearly they didn't have my phone number so they couldn't speak to me, but they already had a record of the fax number.

And if that wasn't dumb consider this.

My home phone number is one digit off from the States depart of Revenue unclaimed funds division. I routinely get calls from people asking "Is this the money line???" I get people leaving their name, address, SSN and phone number on my voice mail, unasked and please remember that the outbound message states the phone number and nothing else to indicate what the number is for. I get calls from people in state, out of state, out of the country, from prisons from other branches of the government.

Security is bullshit as long as people act retarded.

Re:I just got a 20 page background check fax in er (1)

Doomedsnowball (921841) | more than 8 years ago | (#14211522)

Of course people too stupid to dial a phone number correctly... You can't make those claims without a control group to define your results. I live off of margin of stupidity in this country. I'm in security. *evil laugh*

Dude (0)

Anonymous Coward | more than 8 years ago | (#14211559)

Have you considered changing your phone and fax numbers?

Maybe you could sell them to an identity thief?

typical work-week? (1)

Tominva1045 (587712) | more than 8 years ago | (#14210992)



..due to the amount of time it takes to use the identity, limiting a single thief to 250 identities a year...

This is based upon the typical thief work-week, with 2 weeks holiday annually in Cancun.

That's what the black market is for (1)

timothyf (615594) | more than 8 years ago | (#14210999)

Got extra IDs you can't use right away? I'd be willing to bet that there are people that would pay for some handy identities... Sure, you'd have to trust the seller to an extent, but I'm sure there's a market for it.

And when the thief resells the info? (2, Insightful)

Anonymous Coward | more than 8 years ago | (#14211001)

250 per year per thief. What about when one company is breached, 1 million IDs are stolen, and the one thief (who specializes in security penetration) then resells these to hundreds of other thieves (who specialize in id theft) online? 'Cyber criminals' are more organized and more specialized these days. We're not dealing with script kiddies any more.

The company suggests, for instance, that companies shouldn't always notify consumers of data breaches because they may be unnecessarily alarming people who stand little chance of being victimized.

Of course they do. This is spin to attack California law. Choicepoint and friends don't like the law and want it repealed.

Only the small ones matter? (1)

Puls4r (724907) | more than 8 years ago | (#14211014)

This will probably get modded flamebait, but...

The people who paid for this study should be fired for wasting money. Only the small ones matter? One thief can only use 250 a year?

So, if we have a hundred thieves in the US.... that's 250,000 a year? And that's no big deal.

You know what this is? This is a study, funded by someone with a vested interest, that will be used when large companies are SUED for allowing large scale identity theft. It will be referenced, cross referenced etc.

Walk down the street and talk to someone who has spent 7 years trying to clean up their record. Someone who has been denied houses, cars, and bank accounts because of an identity theft. Ask them if they care about the size of the theft.

Re:Only the small ones matter? (0)

Anonymous Coward | more than 8 years ago | (#14211154)

One thief can only use 250 a year?

So, if we have a hundred thieves in the US.... that's 250,000 a year?


No, that's 25,000 a year....

Re:Only the small ones matter? (1)

LurkerXXX (667952) | more than 8 years ago | (#14211157)

One thief can only use 250 a year? So, if we have a hundred thieves in the US.... that's 250,000 a year? And that's no big deal.

Check your math. I think you mena a thousand thieves.

And yes, I know. There are a lot more than a thousand in the U.S.

Re:Only the small ones matter? (0)

Anonymous Coward | more than 8 years ago | (#14211231)

And you should check your spelling ;)

Fun with stats (1)

ScrappyLaptop (733753) | more than 8 years ago | (#14211190)

From the "ID Analytics" website report on the study:

"This analysis was based on data breaches at four separate companies, covering approximately half a million identities."

So, using your 100 thieves, that means 250,000 of the 500,000 identities were stolen. 50-50 chance? Not bad!

Oh well in THAT case (1)

pr0vidence (562808) | more than 8 years ago | (#14211017)

It doesn't matter then right?

My name, address, phone number, credit card number, pin number and social security number are as follows...

What about the people in the call centers? (4, Insightful)

rolypolyman (933130) | more than 8 years ago | (#14211021)

What concerns me lately is some of the faceless/nameless droids working in the call centers. After we called our Texas power company to transfer our service to a new address, we found out some time later that they added on another house in Dallas, as part of the same work order. Assigned my wife's social security number to the account, too. It's not just the databases that concern me, but the trustworthiness of the people taking my call.

Big ID theft? Is that... (1)

Bin_jammin (684517) | more than 8 years ago | (#14211022)

what happens when you throw away those enormous Publisher's Clearing House checks? Someone goes through the trash, finds a cancelled check that's 3'x6', now they have your account #... next thing you know...

What the heck? (1)

fredrated (639554) | more than 8 years ago | (#14211044)

The likelihood that your information will be used increases drastically when the size a the theft is small. So size does not matter, in identity thefts at least; the identity thefts you need to worry about aren't the big ones heard on the news but the small unreported ones."

Is this stupid or what? Claim that size doesn't matter, all the while describing how size matters?

Stupidity: it's a renewable resource!

Not in the hospital setting (3, Interesting)

PIPBoy3000 (619296) | more than 8 years ago | (#14211045)

I work for a healthcare organization and one of the applications I support is this system for merging multiple medical records into a single one. We have a team of people whose sole purpose is to take multiple accounts and turn them into one. This extra accounts can be created accidentally, such as when a Jane Doe comes into the ER and their identity is later established. It can happen on accident, such as when a registration person creates a new account instead of finding the old one.

In the last couple years, identity theft and identity fraud have resulted in huge inputs to the system. Where we once had to merge up to three identities, the system now supports merging up to ten. What happens is that a single individual will steal a bunch of different identities and then use them all, typically to get drugs.

So, while the risk of your credit card being stolen and used may be low in certain cases, don't lose your other "proof of identity" stuff: driver's licenses, insurance cards, and your social security number.

"unnecessarily alarming people" (1)

Medievalist (16032) | more than 8 years ago | (#14211048)

Well, the idea of witholding information "for people's own good" alarms the hell out of me.

In related news ... (1)

TallMatthew (919136) | more than 8 years ago | (#14211076)

President Bush has increased next year's budget for the Department of Homeland Security by $37.4 billion to fight identity theft, or as he calls it "the war on identity." "We must be vigilant," he opines, "lest our American values be compromised by this new and dangerous enemy. Victory is a certainty if we are a steadfast and brave as our soldiers in Iraq. Otherwise our citizens could be overcome by a mushroom cloud of debt."

When asked what identity theft had to do with Iraq, Bush angrily replied that our troops "are as susceptible to this sort of terrorism as any other God-fearing American." And as for the new sportscars the heads of the Department of Homeland Security have been seen driving in, Bush says that "those on the front lines of the war on identity need to move quickly when confronted by our secretive foes."

Flaw in this (2, Insightful)

isotope23 (210590) | more than 8 years ago | (#14211078)

A new study released by ID Analytics says that only about 1 out of every 1000 stolen identities are actually used, due to the amount of time it takes to use the identity, limiting a single thief to 250 identities a year.

Major flaw in thinking here...

If this is true, then said computer criminal could just sell his/her stolen
info in batches of 250 to multiple criminals. I can see all kinds of possible
"value" add ins for the data thief as well. Items such as:

Data mining for likely high income identities.
Data mining for identies which match the buyers profile (e.g. white male mid 30's)

Re:Flaw in this (2, Insightful)

lysander (31017) | more than 8 years ago | (#14211187)

Exactly. It's not like stolen identities go stale all that quickly, either. I'd want to know my infomation was compromised regardless if it was stolen in a batch of 100 or in a batch of one million. A company worrying about whether they're "unnecessarily alarming people" should also be taking proactive steps to avoid and minimalize the damage of such thefts.

Good News! (1)

ehaggis (879721) | more than 8 years ago | (#14211079)

"...only about 1 out of every 1000 stolen identities are actually used" I'm very excited about the news! Hopefully they (theives / criminals) will not take the time to become more efficient in their activities. Perhaps even 1 out of every 100 is also acceptable. 1 out of 10? That too sounds ok to me.

ID Theft not a problem? (2, Funny)

voice_of_all_reason (926702) | more than 8 years ago | (#14211081)

Looks like Baghdad Bob has a new venue for employment...

"The criminals are commiting suicide outside the gates of your personal information! There is no ID theft in the city, not at all! We are victorious!"

Ask Slashdot: Downside to "Fraud Alert"? (1)

G4from128k (686170) | more than 8 years ago | (#14211093)

The U.S. FTC ID Theft website [consumer.gov] suggests putting a "fraud alert" [consumer.gov] on your credit reporting files if you think you are or could be a victim of identity theft (e.g., your wallet was stolen, data breached, mail pilfered, phished, etc.). In theory it alerts companies not to open new accounts in your name without further verification (a potential minor hassle).

Given all the data floating around out there and the lack of data theft reporting laws, one can argue that everyone "could" be a victim. I've heard that some people put in a fraud alert on their files just in case.

Anyone know of any serious downsides to using fraud alert as a routine ID theft security measure?

Re:Ask Slashdot: Downside to "Fraud Alert"? (3, Informative)

lividdr (775594) | more than 8 years ago | (#14211230)

In my experience, the fraud alert doesn't do anything.

My wife's wallet was stolen, containing a credit card, our debit card, and her driver's license. We cancelled/re-issued the cards and she had her DL# changed. We called experian, equifax, and transunion to have a fraud alert set on our credit reports.

A few days later we got letters from all three indicating the fraud alert was set. According to the letters, we shouldn't be receiving any pre-approved credit offers in the mail for 90 days. Any query against our credit report would return a fraud alert. We also signed up for a service offered by our bank to receive notification on any activity against our credit report.

Unfortunately, we continued to receive those damn credit card offers, often "pre-approved" , every Tuesday non-stop. We opened an account with Home Depot about a month later and there wasn't any mention of a fraud alert. We also never received any notification of any activity against our credit report, not the inquiry that HD should have run, nor the appearance of a new trade line. We cancelled the credit report monitoring service and got our money back.

Bottom line, using the fraud alert didn't really do anything, positive or negative. I expected to get a request for some additional ID from the CSR at Home Depot, but instead she just said "You've been approved" after a couple of minutes and handed me my temporary credit info.

Re:Ask Slashdot: Downside to "Fraud Alert"? (1)

JazzLad (935151) | more than 8 years ago | (#14211464)

I duhno about that specific fraud alert, but on black friday when I went to my second store (c.usa at midnight, c.city at 5am) it my credit card declined, even when the sales guy called it in they declined it over the phone, but when we got home and called, they gave us some BS reason concerning 2 large purchases in the same day (under $600 total, but as much as I usually charge in a couple average months). I can see them watching for unusual activity, but when the guy called & could verify my ID, etc . . . kinda a BS way to CTA. This from the same people that wouldn't inform me if my data was stolen from them.

Odds Are Companies Would Not be as happy... (1)

xoip (920266) | more than 8 years ago | (#14211115)

If it was their sensitive trade secrets that went missing... like the blend of secret herbs and spices or that syrup mixture. If anyone has the recipies for that let me know

Re:Odds Are Companies Would Not be as happy... (0)

Anonymous Coward | more than 8 years ago | (#14211426)

Mmm... Soylent Green...

Size doesn't matter? (0)

Anonymous Coward | more than 8 years ago | (#14211139)

"only about 1 out of every 1000 stolen identities are actually used, "

"The likelihood that your information will be used increases drastically when the size a the theft is small. So size does not matter, in identity thefts at least; the identity thefts you need to worry about aren't the big ones heard on the news but the small unreported ones.""

Isn't this the definition of size mattering?

If size did not matter, the same percentage of identities used would apply to both thefts sizes. IE, size wouldn't matter!

Way to contradict yourself, submitter!

Sounds about the same level of quality as the article though.

Lies, Damn Lies, and Statistics (1)

lividdr (775594) | more than 8 years ago | (#14211142)

The study cited sure doesn't make me feel more secure. The hack who ends up with 500K customer records may not be able to or even want to do anything with that info. If he's smart, though, the list is broken into smaller chunks and sold off. Repeat this a few times and you have a lot of thieves with a lot of small sets of info. There was a big scam locally where old DMV records were being found on CDs in possession of ID thieves. Digital data is incredibly easy to duplicate and distribute. If 500,000 IDs are stolen and "only 100" are used by an individual thief, the odds are 1 in 5000 that your information gets used. Does this make you feel any more secure? Are those odds low enough that you don't want to be notified when a breach occurs? If that same set of information is shared by 10 thieves, the odds "improve" to 1 in 500.

If there is any chance that my personal, private information is in the hands of even one unauthorized person, I want to know about it. There are precautions I can take to safeguard my identity before any fraud occurs, and it's a lot easier to deal with *before* it happens. Once your information is stolen and used, it can take *years* to rebuild.

Inform me (1)

Jason Terlecki (664831) | more than 8 years ago | (#14211147)

I would rather be informed and it be a false alarm that not know at all and be caught with my pants down. VISA called me the other day, to check if I was responsible for a series of purchases in a few different countries in the past hour (which I was). I was very happy to see they checked up. While they do this for their protection, it is also my protection that is assured at the same time. So, if my personal information gets compromised due to a data breach, I better be informed as soon as they know, so I can take the necessary steps to protect myself, else if I track it down to them and their negligence , I guarantee you that a lawsuit will be following.

Where's the Study? (1)

midicase (902333) | more than 8 years ago | (#14211160)

I'd love to read it.

A news blurb is little substitute for "study" from a commecrial entity with a vested interest.

The real way to beat identity thieves (1)

antifoidulus (807088) | more than 8 years ago | (#14211196)

is to ruin your credit rating to the point where theives beg you to take your identity back!

Size Matters Not? (1)

thebdj (768618) | more than 8 years ago | (#14211197)

The likelihood that your information will be used increases drastically when the size a the theft is small. So size does not matter

So if the likelihood of my information being used increases drastically when the theft is small, doesn't size matter? It might be inversely proportional to the size of the theft, but it still matters.

better chances than the lottery (0)

Anonymous Coward | more than 8 years ago | (#14211200)

"stand little chance of being victimized."

Let's say there's a serial killer on the loose in NYC who kills 1 person each night. Statistically there's little chance of it being any one specific person killed heinously, so why bother notifying the public?

But criminal sophistication matures... (1)

null etc. (524767) | more than 8 years ago | (#14211240)

It's a given that the sophistication behind criminal operations will mature. Right now, only a small percentage of stolen IDs might be put to detrimental use, but similar to the way that marketing firms aggregate, filter, and categorize the viewing/buying/consumption patterns of consumers, you can expect that criminals will do the same. This will lead to a future in which stolen ID aggregators comb through IDs and categorize them into specialized lists, sold to the criminal organizations that could benefit from them the most.

Examples:

Recently the mafia was behind a ring of websites that fraudulently charged viewers of pornographic websites who provided their credit card numbers for "age verification purposes". I could imagine that the mafia would be particularly interested in purchasing stolen IDs of consumers who have previously been charged for pornographic-related purchases, providing them with a much wider base of victims. Similarly, think of how many pyramid schemes could revolve around the criminal use of stolen IDs.

In fact, terrorist or war-related hacking/infrastructural attacks sponsored by governments could very well incorporate the use of stolen IDs. Imagine if the most 500 influential people in America had to clean up the mess that hackers could cause with their stolen IDs.

And remember, this data is infintesimally inexpensive to archive - just because your data isn't used today, doesn't mean it won't be used in 5 years.

Sounds Familiar (1)

Ilex (261136) | more than 8 years ago | (#14211252)


'ID Analytics' suggestions could be controversial. The company suggests, for instance, that companies shouldn't always notify consumers of data breaches



So that's who Sony's been asking for technical advice.

ID Sweatshops (2, Insightful)

ZachPruckowski (918562) | more than 8 years ago | (#14211254)

Here's how I'd do it if I were an ID thief (obviously I'm not).

1) Steal a hundred thousand IDs.
2) Hire a pile of cheap workers somewhere
3) Get them to mine the money for a 10-20% commission.
4) Move to Vegas and/or the Bahamas and, um, get to know the locals...

I mean, seriously, when you're dealing with a lot of money, when has manpower ever been an issue?

More of the same. (0)

Anonymous Coward | more than 8 years ago | (#14211277)

If downloading music is "copyright infringement" and not "theft", then surely "identity theft" is really just plain old "fraud". In either case no physical property is taken from anyone's posession, so it's not right to call it "theft".

Re:More of the same. (1)

ScrewMaster (602015) | more than 8 years ago | (#14211377)

Yes, but in both cases saying "theft" makes it sound cooler. And besides, "copyright infringement" just has too many syllables.

Only 250? Thank God crime isn't organized. (2, Interesting)

shotgunefx (239460) | more than 8 years ago | (#14211298)

These people are idiots. All it would take is a little organization to increase the efficiency.

Of course with a larger number of potential victims, fewer percentage-wise will be hit. But they also contradict themselves.

They say...

ID Analytics said it discovered that identity thieves have a hard time using a stolen credit cards to hijack the identity of cardholders. That's because the cards are usually quickly canceled and because piecing together an identity based on the information on the card is hard work. Not one of the card breaches it studied resulted in a subsequent identity takeover.

Now if credit card companies don't report it, who says the cards will be canceled?

I can't remember which company it was, but I remember a breach a couple years ago, the initial numbers where in the tens of thousands, after the FBI got involved the true number was over a million IIRC.

They should never be able to hide their culpability. If they can, they will always minimize their liability.

Inform vs. Ignore (1)

Odonian (730378) | more than 8 years ago | (#14211303)

Whether or not I want to be informed about potential security problems with my personal or financial data depends on how often these kinds of alerts happen.

Of course there is a benefit in informing people of a security breach, you have the chance to do something about it, change your cards etc. But it's also a big hassle, and the theft of a huge block of IDs does not necessarily mean you are likely to be targeted personally, as the article points out.

So basically if these types of alerts are things that happen once every couple of years (which is the frequency I've experienced with this personally so far), I am willing to take the extra precaution of reissuing everything and setting up new auto payments etc. and dealing with all the hassle of it. If it's something that happens like every week, I don't want to be alerted because the value of the data (increased precaution/safety vs. effort of remedial action) is low when it happens too often.

Re:Inform vs. Ignore (1)

ScrewMaster (602015) | more than 8 years ago | (#14211408)

In other words, you don't want all your credit card issuers crying wolf on a regular basis. I would expect them, at some point, to do just that, and when millions of people start complaining they'll say, "See? Nobody really wants to be notified" and they'll go back to telling us nothing.

Ignorance is bliss (1)

sgt scrub (869860) | more than 8 years ago | (#14211388)

I don't beleive someone would use this argument for something so destructive. If I were about to be splattered accross the front of a train then no I wouldn't want to know. Victims of ID theft suffer years of pain. There seems to be some kind of new mentality that people SHOULD be ignorant.

...Because small thefts don't matter.... (1)

Slugster (635830) | more than 8 years ago | (#14211389)

I had my credit-card info stolen recently. I have two credit cards--one I use regularly, and for buying online. The other I had only one regular local bill going onto, had not used that card for ANYTHING else for nearly a year.

In the time span of three days, BOTH credit cards had charges from unknown companies on the other side of (my) country (USA) put on them. The amounts? $9.95. The companies names did not turn up in Google, the items on the CC bill had non-toll-free phone numbers that did not turn up in reverse lookups or online phone directories. They both had state codes on the CC invoice but their telephone area codes revealed them to be located in tiny one-horse towns in remote areas of other states. I refused to call the phone numbers (even though the credit card companies suggested doing so) because I did not want any fraudulent phone charges as well; I told the credit-card people that THEY could call those numbers in a 3-way call, and listen in as I asked WTF was this charge for? Would have been entertaining no doubt, but both credit-card companies declined to do so. The credit card companies' said that their info states that these companies were "event ticket vendors".

The charge info was as follows:
Evergreen Alliance LLC 206-407-3000 WA
DLX, LLC TEL5304532876 MN

One credit card company (happily, the one I use way more) automatically sent the investigation forms and refunded the amount.... but the other company stated that "normally, they do not refun a charge unless it is $10 or more". When they called me on the matter, I calmly asked it this meant that anyone could steal 9.95 from me as many times as they wanted, and they said that they would send the forms to request refunding the amount.

On the one hand I understand the reasoning that every fraudulent charge that they go after costs money--but it is obvious that if they set any sort of lower floor amount, thieves will strike for amounts just under that amount.
So in practice, it ignoring any level of theft will only serve to drastically increase theft at that level.
Quite plainly, there can be no "acceptable" level of theft.
~~~

So...... (2, Funny)

ShyGuy91284 (701108) | more than 8 years ago | (#14211390)

The next time I golf, and I see my ball heading towards a large crowd of people, I shouldn't alert them about it since it will probably only hit one person (assuming no rebound)?

Responsibility ... (0)

Anonymous Coward | more than 8 years ago | (#14211490)

The solution is simple ... Hold the credit bureau, bank, loan company, etc. responsible to prove their complaint, purchase or debt was created by me, rather than require me to prove the fraud was not me. Their system is flawed allowing unsecure data to be used to identify a person, and they expect us to be responsible for their mistakes!!

How I Learned To Stop Worrying & Love the Bomb (1)

ENOENT (25325) | more than 8 years ago | (#14211492)

Nothing to worry about, folks! Except that your ID is stolen FOREVER, and the thieves are certainly working on ways of automating the process.

Only 1 in 1000? (1)

SilverspurG (844751) | more than 8 years ago | (#14211509)

1 out of every 1000 stolen identities are actually used, due to the amount of time it takes to use the identity, limiting a single thief to 250 identities a year
That means that a single thief averages 250000/year? How many thieves are there?

Whether or not the identities are used makes no difference. It's plainly obvious that someone isn't doing anything at all to secure their data.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...