RE: ID Fruad - Is there more hype than risk?

["Ackley, Alex" <aackley () epmgpc com>]

Use the data:

1) Sell to illegal immigrants to use valid SSNs to get work.  All most
HR departments do is validate that the person has a SSN not if it is
theirs or not.
2) Use an SSN to file tax returns for refunds.  Easy enough to do and
the chance of getting audited are small unless you go over $100k in
fraud and bring the special unit down on you.  (My sister is one of
those special investigators and you don't want to mess with them)
3) Use the data to get a driver's license; get a Birth Certificate copy;
create a second set of identity credentials for nefarious reasons.
4) Use a group of data to validate another persons credentials.  For
example; file a series of Quit Claim deeds on a piece of property...
then take a mortgage on property you don't own... most title insurance
places don't go back more then 3 deeds.  

I'm sure I and others could come up with a lot more.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of k7.fantr () gmail com
Sent: Monday, July 23, 2007 8:54 AM
To: security-basics () securityfocus com
Subject: ID Fruad - Is there more hype than risk?

At the risk of opening a can of worms, this is a legitimate inquiry.


I am trying to separate the identity fraud hype from actual risk in the
now more common sense of electronic data stolen online or from a
database - not my uncle Joe filled out a credit app as his dog.. :)


The situation is stolen electronic data: such as name, address, and ssn
- one or one million records.


Does anyone know themselves or can direct me to a place that can explain
what a malicious person actually does with stolen personal information?
Or, can anyone explain a realistic situation where the thief can prosper
and get away with it?   


I am looking for a scenario that actually or logically works, not
generic conventional wisdom like, "they use it to open accounts in their
name and buy houses and vacations and things, and, er, stuff..." - The
problem is that I can not seem to get my head around more then a couple
of petty situations that would only work for misc charges, and for a
very short period of time - not major purchases like a home, or car, and
certainly not anything larger scale that would require thousands of
identities. 


Sure I realize that I could open an account at a bank, but why on earth
would I do that? How could I possibly benefit from that without tipping
off where I live, or some point of where I will be? 


Also, are there really people that will buy this information at $75 a
record? Or, is that just an FBI agent placing an ad in 2600 waiting for
some idiot to respond? And if these people do buy this information, what
on earth are they doing with it? There are by now hundreds of millions
of stolen records out there. There are free tools that will create valid
credit card numbers, and the information as to what makes a real ssn is
published for verification checking (I know that does not make it real,
but come on), etc, so why would anyone pay? It just doesn't make sense
to me.


After spending years protecting this information, I have never heard any
realistic scenarios that wouldn't simply lead the cops to the person's
front door. I have heard plenty of Hollywood movie plots and academic
what if's, which is what I theorize created the hype in the first
place...


Perhaps it's a testament to how lousy our law enforcement is, or my
apparent lack of ability to think like a smart crook, or perhaps these
crimes are being committed by idiots, but I tend to think that there is
more hype then actual risk out there...It almost seems more akin to the
"I'm in, here's proof" situation rather than trading databases of
socials for a fist full of dollars..



Thanks,