Skip to main content

Identity Theft & the Mail Box Meth Gang

Botnets are the big guns in the Identity Theft world, ripping millions of identities from hard drives around the world -- not just home users, but web servers and database servers getting thousands or tens of thousands or millions pieces of data at once. However, low tech methods of data harvesting are still used. Low tech methods, too, appear to be evolving as increasingly organized, larger scale efforts are being uncovered, paralleling what we see in the internet security world. The canonical examples of organized crime driving spyware, worms and botnets has been shady advertising schemes. However, it's clear that identity theft is also a driver. But what drives the identity theft? Well, money obviously, but apparently drugs are behind some of it, too. The North County Times (San Diego) has an interesting story with quite a few details about one gang of Meth users turning to identity theft to pay for their habit. Apparently 14,000 credit card numbers were gathered by the gang of 20 people using a fairly low tech method -- they drove around suburbs looking for mailboxes with raised red flags, and extracted bills and other mail. That may seem like a lot of identity for 20 people to harvest by driving around and stealing mail, but they could probably harvest that much in a month or maybe two at most, working in pairs, and working only a few hours a day. The wonder is that they managed to do this for more than a couple days without getting caught. Neighborhood watch must not be watching the neighbor's mailboxes. The basic organization behind turning stolen data into money has been the same for decades, but the scale is larger than it's ever been.
"There is the collector who steals your identity from mailboxes or trash bins," said Alameda police Sgt. Anthony Munoz, who teaches a class about the connection for the California Narcotics Officers Association. "Then there is the converter, who turns your identity into something, and lastly there is the passer, the person who uses the fraudulent identity."
From the perspective of an individual, the short term and low cost solution to this problem is prevention -- start by getting a lockable mailbox. Make sure you shred any paper or other media (floppy, zip disk, cdrom, etc.) that has any name and address information. This includes things like bills that you don't think of as sensitive. However, on the scale of the society, this is problematic, partly because people don't always realize when they are throwing away sensitive data -- because they think of each item separately. "Here's a bill, it just has my name and address," for example. Well, it has other things. It's got your account number with the electric company. With enough different little bits of information stole from mailboxes and dug out of the trash, the Mail Box Meth Gang was able to steal identities and use them to fund expensive drug habits. By picking up several different bits of information out of the trash, or inbound mail, it's possible to assemble a more complete picture of the data needed to steal an identity. We discussed this general technique recently in another context --it's known as "the aggregation problem". In order to deter this kind of theft, a substantial majority of people would need to exercise careful practices with their sensitive data -- thereby raising the cost of gathering the raw data. In actual practice, most people don't realize it's that important, and won't go to the time and expense required. Credit card vendors have responded to the growing identity theft problem by trying to make it more difficult to use a credit card number without the card. That's what those little three-digit and four-digit numbers that appear on the back of the card are about. Those numbers don't appear on the credit card statement, and are required for some online purchases, thus making it more difficult to use a stolen credit card number. Unfortunately for the victims of identity theft, the classic trade-off between security and convenience hasn't been conquered. Further attempts to improve security of the credit card transaction system are clunky at best, typically problematic, and possibly open up new avenues for large scale identity harvesting at worst.

Technorati Tags: , , , , , , , ,

Comments

Unknown said…
Hi
well this blog has the total giving look which makes it a well informer website or web blog. Thanks for making such a beautiful blog
--------------
smith
Crystal Meth Addiction
Steve Cabouli said…
During the early days of hacking and identity theft, individuals were the culprits now with the advancement of digital age identity theft has got a global face and now a days the crime is much an organised one. Hope that technological advancements from people involved in anti identity theft will bring the necessary change

Popular posts from this blog

Verified by Visa (Veriphied Phishing?)

If you have used a Visa card to make a purchase online lately you may have encountered a relatively new program, Verified by Visa . I've encountered it twice. The system is an interesting attempt by Visa to reduce online fraud and identity theft. It's a noble effort, but the user experience is unsettling, and the security implications are not exactly crystal clear. Here's what happened to me, both times the Verified by Visa system was activated. I was redirected away from the domain at which I was shopping, to a URL which was: not the domain where I was shopping, not the domain of the bank that issued my card not visa.com I've been telling people for years that if anything like that happens to you, close your web browser immediately and do not under any circumstances enter any personal information into the form, because this is a sure sign of a man in the middle or phishing scam. (Never mind that all the best phishing scams now-a-days look like the actual dom

Splunk acquires Phantom Cyber

I hope it doesn't come across as too cynical, the observation that most acquisitions in the tech domain fail to produce anything useful and often as not wind up killing a promising upstart technology, even if only by accident. I have hope for this one, though. Splunk strikes me as a likely exception. This acquisition of fresh ideas and talent might breathe new life into a solid, if somewhat staid, security company. Splunk’s data analytics gets a security boost with $350 million acquisition of Phantom Cyber

Jailbreaking iOS is a Dead Man Walking

Rumor has it that Apple will include a new security feature (possibly known to the developers in Apple as "Rootless") in the upcoming releases iOS 9 and OS X 10.11. Although details are sparse, it looks like Apple may have implemented what other UNIX systems call "namespaces" (See this nice discussion of namespaces on Linux ). Most of the public speculation about the rumor concerns a possible end to jailbreaking , a sport which has fallen on hard times with successful jailbreaks coming fewer and farther between. Since the defects which enable jailbreaking are inherently open to malware, Apple's ongoing efforts to find and fix these bugs with the LLVM/Clang compiler's ever-more-diligent static analyzer make it harder for the jailbreak community to find a toehold. However, a namespaces-like security architecture might fix one of the biggest issues that leads people to desire a jailbroken iPhone. When iOS was created, the system extension features were