
Identity Theft & the Mail Box Meth Gang

Botnets are the big guns in the identity theft world, ripping millions of identities from hard drives around the world -- not just from home users, but from web servers and database servers, getting thousands, tens of thousands or millions of pieces of data at once. However, low tech methods of data harvesting are still used. Low tech methods, too, appear to be evolving: increasingly organized, larger scale efforts are being uncovered, paralleling what we see in the internet security world.

The canonical examples of organized crime driving spyware, worms and botnets have been shady advertising schemes. However, it's clear that identity theft is also a driver. But what drives the identity theft? Well, money obviously, but apparently drugs are behind some of it, too.

The North County Times (San Diego) has an interesting story with quite a few details about one gang of Meth users turning to identity theft to pay for their habit. Apparently 14,000 credit card numbers were gathered by the gang of 20 people using a fairly low tech method -- they drove around suburbs looking for mailboxes with raised red flags, and extracted bills and other mail. That may seem like a lot of identities for 20 people to harvest by driving around and stealing mail, but they could probably harvest that much in a month or maybe two at most, working in pairs, and working only a few hours a day. The wonder is that they managed to do this for more than a couple of days without getting caught. Neighborhood watch must not be watching the neighbors' mailboxes.

The basic organization behind turning stolen data into money has been the same for decades, but the scale is larger than it's ever been.
"There is the collector who steals your identity from mailboxes or trash bins," said Alameda police Sgt. Anthony Munoz, who teaches a class about the connection for the California Narcotics Officers Association. "Then there is the converter, who turns your identity into something, and lastly there is the passer, the person who uses the fraudulent identity."
From the perspective of an individual, the short term and low cost solution to this problem is prevention -- start by getting a lockable mailbox. Make sure you shred any paper or other media (floppy, zip disk, CD-ROM, etc.) that has any name and address information. This includes things like bills that you don't think of as sensitive.

However, on the scale of the society, this is problematic, partly because people don't always realize when they are throwing away sensitive data -- because they think of each item separately. "Here's a bill, it just has my name and address," for example. Well, it has other things. It's got your account number with the electric company. With enough different little bits of information stolen from mailboxes and dug out of the trash, the Mail Box Meth Gang was able to steal identities and use them to fund expensive drug habits. By picking up several different bits of information out of the trash, or inbound mail, it's possible to assemble a more complete picture of the data needed to steal an identity. We discussed this general technique recently in another context -- it's known as "the aggregation problem".

In order to deter this kind of theft, a substantial majority of people would need to exercise careful practices with their sensitive data -- thereby raising the cost of gathering the raw data. In actual practice, most people don't realize it's that important, and won't go to the time and expense required.

Credit card vendors have responded to the growing identity theft problem by trying to make it more difficult to use a credit card number without the card. That's what those little three-digit and four-digit numbers that appear on the back of the card are about. Those numbers don't appear on the credit card statement, and are required for some online purchases, thus making it more difficult to use a stolen credit card number.
Unfortunately for the victims of identity theft, the classic trade-off between security and convenience hasn't been conquered. Further attempts to improve security of the credit card transaction system are clunky at best, typically problematic, and possibly open up new avenues for large scale identity harvesting at worst.



smith said…
Well, this blog has the total giving look which makes it a well informer website or web blog. Thanks for making such a beautiful blog.
Crystal Meth Addiction
Steve Cabouli said…
During the early days of hacking and identity theft, individuals were the culprits; now, with the advancement of the digital age, identity theft has got a global face, and nowadays the crime is much an organised one. Hope that technological advancements from people involved in anti identity theft will bring the necessary change.
