Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Security Privacy

ID Theft Made Easy 435

chiagoo writes "You may remember that 70% of the time, people will reveal their passwords for chocolate. Well, at this year's Infosecurity Europe, it was revealed that 92% of the 200 attendees surveyed would gladly trade enough information to steal their identities for a chance to win theater tickets. Social engineering at its best. Why spend time writing bots and rootkits when people will give you what you want for a piece of candy or a ticket to see The Pacifier?"
This discussion has been archived. No new comments can be posted.

ID Theft Made Easy

Comments Filter:
  • by garcia ( 6573 ) * on Monday March 28, 2005 @01:27PM (#12067024)
    One man "provided all his information without question, but returned five minutes later asking for it back, as he thought that we could use it to gain access to his online bank account," Sellick recalled. "We gave him back his survey form, but did not provide any evidence of who we were. If we had been fraudsters, he would have been too late."

    I refuse to do business with any Lakeville Liquor store in Lakeville, MN because they require a license swipe to verify my birthday. While they claim on a sign on the counter that they respect my privacy what does that really mean? Do the clerks know that those machines can store an XLS spreadsheet of all the information scanned? Do they know if those that own/operate the stores use that information later? Perhaps it's just to CYOA if some question arises from authorities later but how can I be so sure? I can't so I drive the two and a half miles out of my way to get my wine/beer somewhere else that doesn't scan. I make sure to tell the clerks that I buy there because they don't scan. Most don't care but perhaps someone will overhear me.

    The manager at the Lakeville store sure did. I asked "are you going to scan that?" and when the clerk said she was I told her I would like my license back and that I was sorry that I couldn't do business with them. The clerk had no problems with it but the manager muttered that I was an "asshole" under his breath. Somehow I'm the asshole for protecting my privacy. If only more people would refuse to hand over their personal information. What happens if someone robbed the liquor store and stole the little scan box along with the register, would you be a bit more concerned then?

    How about the gas station that writes down your license plate information when you purchase gas w/o paying at the pump. It's just for their economic safety they say. Do you know how much information you can get on the owner of a car from their license plate? What happens if I go inside, buy a few items, and pay w/my credit card? They now have my CC # and my personal information. That's enough for ID theft as well. I saw the clerk write down my license plate and I asked them for the paper when I left. They were a little confused as to how I knew they did that and they were VERY confused as to why I would want that back. I didn't feel the need to educate them on it though.

    Even I am not immune to this sort of scamming for info. While out drinking with friends (drunk actually) I was approached by an attractive female working for Marlboro. She would give me cheap cigarette coupons and a free Zippo lighter if I let them give me a survey. Drunk, distracted, and clueless, I swiped my license and took the survey. I have been getting coupons and various "gifts" in the mail since. I could have been completely duped by these people and not had a single clue. Luckily they were who they said they were and I'm not seeing any miscellaneous charges being rung up by any cigarette companies trying to cover their lawsuits with my money. Anyone (no matter how careful) can be owned. By the way - I don't even smoke cigarettes.

    So, just because we know a company (or its representatives) we should not trust them with our personal information and the more people that are willing to trade over their private/personal information for a bottle of wine, a 12 pack of cheap beer, or a free Zippo might want to think twice.
    • by SamMichaels ( 213605 ) on Monday March 28, 2005 @01:31PM (#12067074)
      Do the clerks know that those machines can store an XLS spreadsheet of all the information scanned? Do they know if those that own/operate the stores use that information later?

      Nightclubs do that. When they scan your license, it stores your name/address/birthday for a mailing list. Big events are a mass mailing...and birthdays get you a "get in for free" pass.
      • by jm92956n ( 758515 ) on Monday March 28, 2005 @03:38PM (#12068539) Journal
        I wish I had know this about a year ago.

        Crobar, a giant club in Manhattan, does this. While I normally wouldn't have gone to a place like that, I was on the guest-list (read: free admission), and so I wasn't concerned at all when I handed them my license. Since then I've received numerous mailings from them. I wonder what else they're doing with my personal information.

        What I've also heard since then, though I've not been able to confirm it, is that they use this information to keep track of you. If you start a problem and are kicked out of the club, it's an effective lifetime ban (though I'm not sure how they'll be able to scan your ID as they're kicking you out). Furthermore, they share this information with other clubs, so that if you start a problem in one place, you're essentially banned from every club in the area.

        Never again will I allow my license to be electronically scanned. If every bar and club in town adopts this technology, I'll have to go back to drinking 40's on the stoop.

    • How about the gas station that writes down your license plate information when you purchase gas w/o paying at the pump. It's just for their economic safety they say. Do you know how much information you can get on the owner of a car from their license plate?

      They can get very little, actually, without access to police computers. Even if they could, it's no different from just driving around. You proudly display your license plate to hundreds of people each day. In light of this, it's not very easy to get much information from them, and it requires police cooperation. That gas station doesn't punch in the plate and go vigilante on you, they call the police and give the plate numbers to the police.

      The gas station writing down your information is totally different from someone scanning your ID. Scanning your ID is a much more private process, and it requires your cooperation. However, anyone can write down a plate number. It's not even remotely the same, and it's definately not a security risk.
      • They can get very little, actually, without access to police computers.

        You could not be more wrong. You can get a ton of information including name, address, previous addresses, DOB, etc. This isn't from some police database either. It's records that are available through individuals that have access to databases like Lexis Nexis.

        Even if they could, it's no different from just driving around. You proudly display your license plate to hundreds of people each day.

        But I don't display my CC # right nex
        • by joeljkp ( 254783 ) <joeljkparker&gmail,com> on Monday March 28, 2005 @01:52PM (#12067291)
          I realize you said "like LexisNexis", but I'm not so sure about LN itself. I have access, and I gave it a quick perusal.

          There are some areas where you can search for information about people, but that's just a law directory, with info about lawyers. There's also a biographical search, but that only includes politicians and business executives. I tried looking myself up, for example, and found nothing.
          • There are many different sections to LexisNexis and you can have access to any variety of them at a time based on your security. I know of two individuals with access to this information that have nothing to do with law enforcement.

            See here [lexis-nexis.com] for information on LexisNexis' available public records.
        • But I don't display my CC # right next to it.

          Nor do you display your credit card number right next to it at the gas station. You'll notice that parent specified when you drive off without paying. In this case, you have given the gas station no more than you give all the people you drive past during the day. If you're going to get upset about this, then you also need to yell at everyone who uses security cameras. Given the number of times security cameras have been used to solve crimes, I'm placated.
    • by phauxfinnish ( 698087 ) on Monday March 28, 2005 @01:40PM (#12067166)
      In this society, we use various forms of identification for various reasons. Go ahead and get mad at a gas station clerk if you want. If they arn't writing it down then your plate is on tape. Privacy is one thing, but your licence plate is there to PUBLICLY IDENTIFY you. That is its purpose. The poor guy would lose his job if you drove away without paying for your gas, not to mention that everyone would have to pay more for theirs.
      A driver's license it there to privatly identify to those you show it to, a choice you make.
      Your social security number should not be used for identification except to services (taxes, social security) that require it.
      If you are mad that too much information is available to someone just by your license plate, fight to change what information is linked to it, don't get pissed at some schmuck for writing down a number that is plastered on both ends of the outside of your car!
      • Go ahead and get mad at a gas station clerk if you want.

        In the instances I listed above I never made a single mention of being "mad" or "upset" with the individuals doing their job. I just asked for the slip of paper w/my license plate number on it back. Perhaps you should not assume so much and just read what's at face value.
    • by nametaken ( 610866 ) on Monday March 28, 2005 @01:43PM (#12067200)
      Even I am not immune to this sort of scamming for info. While out drinking with friends (drunk actually) I was approached by an attractive female working for Marlboro. She would give me cheap cigarette coupons and a free Zippo lighter if I let them give me a survey. Drunk, distracted, and clueless, I swiped my license and took the survey. I have been getting coupons and various "gifts" in the mail since. I could have been completely duped by these people and not had a single clue. Luckily they were who they said they were and I'm not seeing any miscellaneous charges being rung up by any cigarette companies trying to cover their lawsuits with my money. Anyone (no matter how careful) can be owned. By the way - I don't even smoke cigarettes.

      Yeah, the copper zippo! I have one. And I love that they send me the coupons, decks of cards, CDs, all kinds of cool stuff. If they're going to be my choice of cancer providers, at least they can give me cool shit to get buried with.
    • Congratulations sir, here is your official membership pin to the Tin Foil Hat Brigade! Your address is really not all that confidential at all; anyone can get it if they want to. Your car's license plate number is by definition public information; what are you going to do, cover it up? To get the level of privacy you seem to be looking for, I recommend that you never leave your house except to purchase necessities, and then you must walk and not drive, wear a ski mask, pay with cash, and never buy anything
    • by lowrydr310 ( 830514 ) on Monday March 28, 2005 @01:51PM (#12067288)
      How about the gas station that writes down your license plate information when you purchase gas w/o paying at the pump.

      The last few times I've used short-term parking at the LAX airport, I've been asked to pull forward so their camera can get my license plate in view, and I notice they record it in a log. Every time this happens, I question why they do it and their response is "for security." I don't understand how their recording of my license plate increases security. Nowadays, any question you ask at an airport is answered with "it's for security purposes" or "increased security."

      I understand that you can write down any license plate number in a parking lot or on the road and you can easily track people that way. I just didn't like the way they told me my plate number was logged for security. One time when I asked and pressed for a better answer I was given something more realistic. I was told that people frequently try to cheat the parking garage by getting a new ticket just before they leave. (park for a week, get a new ticket 10 minutes before you exit and pay $2.00). They occasionally run audits and record license plates during the night to track who is parked in their lot. Upon exiting, if your plate is logged in the system as "parked" and you have a 10 minute old ticket, it raises a red flag.

      Of course, I'm sure there are ways that an electronic log of me being parked at the airport for a week could possibly be used against me.

      While out drinking with friends (drunk actually) I was approached by an attractive female working for Marlboro. She would give me cheap cigarette coupons and a free Zippo lighter if I let them give me a survey. Drunk, distracted, and clueless, I swiped my license and took the survey.

      I've done the same thing before. I wanted the free Zippo to give to my brother. They were walking around with a portable device that scanned the license and accepted the signature electronically. If you read the line where you sign, it says "I CERTIFY THAT I AM A SMOKER 21 YEARS OF AGE OR OLDER". I'm not a smoker, but I signed anyway to get the freebie. I always wonder if insurance companies could get their hands on that info and use it against people. Fortunately for me, the address on my license is incorrect, so no junk mail for me.

      • You may not be getting junk mail but you are breaking the law.

        In most states, having a wrong address on your driver's license is against the law. You are supposed to get it updated within a couple of weeks of your move.

        • BULL$HIT

          In California, when you move you must update your records with the DMV, which I did a day after I moved. Instead of wasting ink and plastic by printing a new license, they give you a little sticker to put on the back of your license that contains the updated info. The DMV knows my current updated address and any policeman or other official knows enough to flip my license over and check the back for updates.

          The Marlboro chicks (and mostly anyone else who looks at your ID) don't bother to check t

    • by Tuffsnake ( 767507 ) on Monday March 28, 2005 @02:02PM (#12067400)
      "Ok mr. simpson, just fill out this form giving us all of your personal information and we will hand you this ICE, COLD 6-PACK of DUFF."

      "Laaaaaaa, beeeeeeeer. gimme gimme gimme!"

      "Thank you for your information and here is your beer. Now, if you'd be so kind as to sign over your power of attorney we'll give you a SECOND 6-PACK."

      .......

      People (and I am including myself in this) are idiots, we'd give up tons of our rights for a quick little gift.
    • an attractive female working for Marlboro... By the way - I don't even smoke cigarettes.

      Guess what? According to the insurance companies across America, you are now a smoker. Did you read the fine print on the clipboard underneath the license scanner? It clearly stated that by accepting their cheap free gifts, you were claiming that you are a smoker. This survey wasn't just sold to some sleazy marketers, but was created by a company selling the data to insurance companies.

      Next time you try to get a job,
  • Any good info though (Score:5, Interesting)

    by slashnutt ( 807047 ) on Monday March 28, 2005 @01:28PM (#12067033) Journal
    it was revealed that 92% of the 200 attendees surveyed would gladly trade enough information to steal their identities for a chance to win theater tickets.

    Yeah it is cool to think that 92% of the people you have enough info to steal their identity. But lets put theory to practice and see how much of the 92% gave real information.

    For me any form online I was born in 1900. My zip code is 12345, usually 666 Elm street, Amityville, NY. Phone number is 1-800-328-7448 and call anytime. I would make of 250,000+ or anything thing they have in the list that is higher. My occupation is the first drop down. Oh and my email address is who you are @mailinater.com. If the site looks up the information than I just go the governors web site and copy that info and use that. So I bet if you run a web site and you found that one than you probably could cross reference that info back to me and I would only say good job.

    So I speculate that the 92% you have data from that you'll have 25% techices that give you 100% BS. It will occur to the general population once more and more people get burned to keep quiet.

    • by MankyD ( 567984 ) on Monday March 28, 2005 @01:31PM (#12067079) Homepage
      But you wouldn't be getting theater tickets now would you, seeing as how they need a real address to mail the tickets to.
    • by Khomar ( 529552 ) on Monday March 28, 2005 @01:43PM (#12067197) Journal

      FYI, the official city for postal code 12345 is Schenectady, NY.

    • by phauxfinnish ( 698087 ) on Monday March 28, 2005 @01:45PM (#12067219)
      Why do you know the number to a sex line off the top of your head.

      Oh, this is Slashdot. Never mind.
    • ... 666 Elm street, Amityville, NY

      I used to live there, but now I moved to 69 Sex Drive
    • you know my favorite thing? THere's a grocery store near my house that requires a card to get the sale stuff (I know, I'd avoid them, but they are close for an occasional quick run). Anway, I not only filled out fake info, I've traded with people before, I HATE someone tracking my stuff.
      • Make up your own. They're just UPC-A barcodes on the back. I have a friend who has a card that everyone in their family uses. They get nifty discounts (like ten percent off store brands) because they spend so much with that card. Well, I lifted the number from a receipt (just get two or three of them, and find what numbers match, that's probably the club card number), and print out your own.

        If you don't have a UPC-A font for your computer, you can use the UPC database (example: http://www.upcdatabase.c [upcdatabase.com]
    • by dnoyeb ( 547705 ) on Monday March 28, 2005 @02:00PM (#12067373) Homepage Journal
      The problem is not with the people. The information they give out _should_ be giveoutable. The problem is with the system that allows such simple information like a drivers license number allow someone to take your identity.

      Its unreasonable to expect people to keep something private they are required to give out so frequently. It don't make sense.
      • by MankyD ( 567984 ) on Monday March 28, 2005 @02:07PM (#12067451) Homepage
        But that's where it gets interesting. Take an American Social Security Number for instance. Technically, no one but the government can require you to give out the number. Workplaces, however, often ask for it, when applying, so that they can fill out government income tax forms. Health care facilities often ask for things like medic-aid and medicare.

        All someone has to do is convince you that they need that kind of information, regardless of the truth of the matter. There is a famous saying (that I'm about to butcher) in the security world: there should always be three factor identifcation - something you carry (like an id), something you know (like a password), and something you own/are (like a fingerprint or dna). While the first two are in place, with driver's licenses and maiden names and what not, there is no widespread biometric database. And we all know how keen slashdotters are on that ;)
        • by crush ( 19364 )
          And in some states it's _possible_ to get your electricity and gas hooked up without an SSN, but you have to go and stand in a long line in an inconvenient office at an inconvenient time.
          SSNs and every other form of government ID are now worth nothing because the government failure to protect this data (along with credit data) has meant that identity theft is commonplace.
          The credit granting agencies and government snoops have been hoist by their own petard in foisting an increasingly non-anonymous socie
        • by curunir ( 98273 ) * on Monday March 28, 2005 @02:55PM (#12068044) Homepage Journal
          Take an American Social Security Number for instance. Technically, no one but the government can require you to give out the number. Workplaces, however, often ask for it, when applying, so that they can fill out government income tax forms. Health care facilities often ask for things like medic-aid and medicare.

          The problem with SSNs has nothing to do with the uses you've listed. It's an ID that is intended to identify you to the government. Tax forms, health care, etc are valid reasons for the government to need a unique identifier. What isn't valid is the credit card companies piggy-backing off the government's ID system. That usage (applying for credit cards) is the primary reason why SSNs are problematic and people's identities are stolen. Without that usage, SSNs would be mostly harmless.

          Identity theft is a huge problem, but its one that needs to be primarily addressed within the banking industry. Addressing it in other ways is simply letting them off the hook. If they got their act together, you could tell your SSN to anyone you wanted without fear of it being used illegally.
        • "Your SSN number is not required for this service (because that would land us in jail), but without it we cannot process your application (meaning you don't get the service)."

        • Take an American Social Security Number for instance. Technically, no one but the government can require you to give out the number.

          That is most certainly incorrect [ssa.gov]. Anyone may ask for it, there are no laws preventing someone from doing so. Its even legal to deny services for refusal.
    • My phone number is

      911-5555

      Hope their dialing computer catches that one ;)
    • by Anonymous Coward
      As a Canadian the only US Zip I use is 90210 when the info collected is US only based. I remember there was a report on CNN a while back about how web usage in the L.A area was growing faster than any other metro area in the US.

      Data accuracy much...
  • Money made easy (Score:3, Interesting)

    by SamMichaels ( 213605 ) on Monday March 28, 2005 @01:28PM (#12067041)
    I have absolutely no problem earning a living from recovering virused, spyware-ridden and cracked systems (or I guess in this case, "here's my password systems"). I encourage this idiot behavior :)
  • Moral of the story (Score:5, Insightful)

    by daveschroeder ( 516195 ) * on Monday March 28, 2005 @01:29PM (#12067046)
    No matter how many privacy "protections" there are, it won't stop people from volunteering their own personal information.
    • The real moral is that security is, at root, a human issue and one that is extremely hard to address via machines and technology only.

      The answer is training for users, in a fashion that is understandable explaining at least some of the details of security and concepts. And it must be repeated, and done in different fashions to have as wide an exposure as possible and as wide an impact as possible ('loose lips sink ships', anyone?)

      But this is
      a) Hard
      b) expensive
      c) hard to measure the impact of

      This means th
      • >> training for users

        good luck getting resources for that, or management with the the backbone and understanding required to make good practices work.

        Do you want LAN access where I work? At any mega corp? Just get a job as a night cleaner and start turning keyboards over. The number of post it notes you find will be impressive. Some of the accounts will have admin rights too...

      • by Letaals ( 752363 )
        It won't really work, because there are too many who just don't care, till something really happens to them. Most of the users who give their real address (as someone mentioned above) are the ones who use internet for basic stuff, like reading their email and maybe some news. Definatly not /. You can try to explain to someone that you shouldn't use IE because it is dangerous, even people who haven't used a PC in their life, but it still won't work, they just don't see how it matters.
  • by GAATTC ( 870216 ) on Monday March 28, 2005 @01:29PM (#12067050)
    For free identity theft monitoring, please send your name, social security number, birth date, credit card numbers with expiration dates, and address to protectmyidentity@gmail.com. We will take care of your credit record for you and guarantee that you will never have to worry about your good credit record ever again.
    • by Simonetta ( 207550 ) on Monday March 28, 2005 @01:52PM (#12067301)
      My credit card company offered this very protection.

      They included a preprinted check with my name on it for $5 ready for cashing. Pre-perforated and everything.

      Way deep in the very small print on the back was the line that if I actually did cash this check, then I would be agreeing to have $69.95 automatically billed to my credit card each year for 'identity theft protection'.

      Before this scam they sent me checks already made out to 'CASH' with my name and card number already preprinted on it. All I had to do was sign my name on the back and fill in the amount.
      I'm sure glad my sleazy meth-shooting junkie neighbors didn't find that one in my mailbox.

      I wish that I could get all this nitwit chickenshit from the credit card companies to stop. I'd cancel the card, but I need it maybe once a year for car and hotel rentals.

      Citi Corp. must make a ton of money off the American yahoos with all these schemes. Maybe even enough to cover the interest on all their bad loans to third world dictators enabling them to keep the Bongo Congo Mercedes dealership fat and happy.
      • I knew you must be talking about Citicorp - astounding how such a large financial group could use such borderline-fraudulent, racket type techniques. Basically here in Canada two banks merged, and they decided to dump the Mastercard business of one and keep the Visa of the other.

        They sold the Mastercard business off to Citicorp, and thus began the introduction of Canadians to slime-ball banking. While our banks tend towards incompetence, and are often large money sucking pigs, I have never seen a Canadian
    • heh reminds me, the easiest way to get into people's email accounts is to ask them their "secret question". I know this from an article I read not from experience....
  • Exchange (Score:2, Insightful)

    The IT Guy surely give you his boss email password if you give him a new and most wanted PSP.
  • by lethalpotato37 ( 871428 ) on Monday March 28, 2005 @01:31PM (#12067082) Homepage
    I entered my friend's e-mail in hotmail, and clicked the forgotten password button. It gave me his secret question, and from there I simply asked him it. Its a secret question! Ack.
  • Bogus data (Score:5, Interesting)

    by crush ( 19364 ) on Monday March 28, 2005 @01:31PM (#12067083)

    Whenever I have spare time I go out of my way to answer surveys like these with bogus data. Like they say "It'll only take a couple of minutes of your time Sir!"

    I consider it an important and useful civic act to poison the noosphere with false data in order to throw off the pundits, pollsters, advertisers and fraudsters.

    • Answering surveys with bogus data doesn't work. The data is simply stored in huge data banks. Programs either now or the near future will filter out the bogus entries.

      It would be a more important and civil act not to answer surveys with bogus data. The pundits, pollsters, advertisers and fraudsters are going to do what want regardless of public opinion and will manipulate the collected data to justify whatever position that they take from challengers.
    • by ackthpt ( 218170 ) * on Monday March 28, 2005 @02:11PM (#12067495) Homepage Journal
      I consider it an important and useful civic act to poison the noosphere with false data in order to throw off the pundits, pollsters, advertisers and fraudsters.

      Name: Andrew Nonymuss
      Occupation: Executive Assisstant to the Vice Peon of Menial Affairs
      Income: 400,000 zorkmids (I don't know what that is in dollars
      Age: 39.14246575342465753424657534246575
      Ethnic: Some of the above, but in no particular order.
      Have you bought any of our products before? Only when I couldn't find anything else to disembowel a Kodiak Marmoset with.
      Were you satisfied with it? Why don't you ask the Marmoset?
      Would you buy any of our products again? Only if it's that or be stoned by an angry mob.

  • by heir2chaos ( 656103 ) on Monday March 28, 2005 @01:31PM (#12067084)
    I could see giving up the info for a good movie, but come on, the Pacifier?? :)
  • by Dimentox ( 678813 ) on Monday March 28, 2005 @01:32PM (#12067091)
    Personally I think that most people are not aware that the information that they are giving could be used in that way. The problem is that our personal information has become more and more frequently asked. I remember back years ago when you could actually refuse to give your SSN but now your SSN has become a more Unified Personal ID number. This in itself is a shame. People need to be educated about what information should be given. With the article there I am sure there are quite a bit of people who actually use social engeneering to gain what they seek. But there are the other ones who would rather do things anon. What have you all done/given to win things? I know that when i refure to give out my information they usually say they cant give me what I won. It really makes you question what this information they gain is being used for when you win something. I am sure it goes into some marketing DB somewhere that the company uses. But one can never be sure or safe. My X Wife one time had identity theft happen to her and it was a major hastle for us to sort it out. Though we have no idea how the information was gained. Let me tell you tracking down where the information was gained is close to impossible.
    • I completely agree that your SSN is commonly used now, and that alone will get a lot of people to drop their guards when they shouldn't. The following story is illustrative:

      A couple of months ago, someone called me out of the blue claiming to be a collection agency. They said that I owed a hospital ~$400 for some surgery that was performed on me, and they wanted me to pay up. I told them they were wrong. So then to confirm that I was who she thought I was, she asked me for my address and last 4 digits

  • by TechnologyX ( 743745 ) on Monday March 28, 2005 @01:32PM (#12067092) Journal
    Being in the telemarketing industry, I can whole heartedly confirm the stupidity of most people. Hell, I can get someone's credit card, shipping address, and telephone number, and then they ask "oh, what was this product again??"

    Flash some useless piece of shit on TV, get Chuck Norris to pretend like he uses it, and people will fall all over themselves to give you all their personal information. I bet I could even ask for their SSN on a Super Duper Blender call and they would cough it up.
    • Being in the telemarketing industry

      Please provide your name, address and times you are available at home. I have some goons..uh , I mean Customers yes Customers who would like to talk to you about your products.
  • AC (Score:5, Funny)

    by gammygator ( 820041 ) on Monday March 28, 2005 @01:33PM (#12067098)
    That Anonymous Coward dude must've really screwed up. Everybody seems to have his password.
  • rootkit (Score:4, Funny)

    by stonebeat.org ( 562495 ) on Monday March 28, 2005 @01:33PM (#12067104) Homepage
    Why spend time writing bots and rootkits when people will give you what you want for a piece of candy or a ticket to see The Pacifier?

    must write rootkits, to allow for future logins. don't want to be handing out candy, for each time i want to login into a system.
    • Yeah. The real question is this:

      Why should you read an article when the referer (submitter) doesn't demonstrate that he understands what key security terms are.
  • biometrics (Score:3, Insightful)

    by alatesystems ( 51331 ) <chris@talking[ ]d.com ['toa' in gap]> on Monday March 28, 2005 @01:33PM (#12067106) Homepage Journal
    I'll make the obligatory comment: Biometrics! The sooner the price comes down on these and the reliability goes up, they will be much better than passwords. I think today, two factor authentication is enough of a hurdle.

    I know fingerprints can be foiled with rubber or BREATHING, but if you combine that with voice print or retinal scan, it should be pretty secure, even today. Add in facial recognition, and you've got a secure environment.

    All authentication mechanisms are just hurdles. You have to hope your hurdles are high enough to obstruct the level of cracker that is after your information.

    I have convinced people at work that making people change their passwords every month totally backfires; it causes utter INsecurity when the people can't remember the password because they have to change it all the time. They end up putting it on post-it notes in drawers next to the desk. I understand the motive, to increase the time it takes to brute-force the password, but when the users are going to do this in reaction to this because they have so many to remember, then you have zero security.

    In short, we NEED biometrics, and we need them widely available and cheap.
    • Biometrics are great until someone figures out how to spoof them. Replacing a compromised retina scan is mighty difficult, however.
      • Re:biometrics (Score:5, Insightful)

        by rjelks ( 635588 ) on Monday March 28, 2005 @02:01PM (#12067386) Homepage
        "Replacing a compromised retina scan is mighty difficult, however."

        I'd rather give up my wallet in a mugging than have to fork over MY EYE.

        Seriously, I have a feeling that biometrics will just be spoofed. I'm sure I read an article about Gummy Bears and foiling a finger-print scanner. As long as there are people in charge of information, social engineering will be able to cut through all of these countermeasures.
    • Biometrics could possibly be worse for security and here is how. No matter what you request, some part of it must eventually go through a scanner. I'll take the Voice and Retinal you use since they are more or less at two different ends of the spectrum here. For voice, someone can tape record you and then play that back. Have you ever seen the movie "Sneakers"? They get around a voice pass phrase that way. For retinal, at some point your information is read by the scanner. All someone needs to do is
    • Re:biometrics (Score:3, Insightful)

      by dayid ( 802168 )
      Biometrics are indeed fascinating and would save some of this turmoil; however, I find it fascinating as to what solutions people offer if biometrics do NOT always work. I'm not talking about someone spoofing a finger-print, I'm more concerned with burning my finger, or getting a blister - how do I sign on to everything then? What if I get a new prescription, or laser-eye surgery, would I have to remove my contacts each time I do a retina scan? (I seriously do not know how the eye-scans work). How about fac
    • I know fingerprints can be foiled with rubber or BREATHING, but if you combine that with voice print or retinal scan, it should be pretty secure, even today. Add in facial recognition, and

      you've got a secure environment.

      I added emphasis... do you really think that simply identifying people will make our environments secure? A lot of crimes are committed by people that are known, be it insider trading our spousal abuse. The current darling of media attention and the subject of moral panic, child sexual abus

    • by clickster ( 669168 ) on Monday March 28, 2005 @02:43PM (#12067910)
      On transactions where the person isn't present (such as grocery store transactions, etc), wouldn't this still be suceptible to Man in the Middle attacks? Let's say that, in the near future, home fingerprint scanners become popular. Think about it. I want to sign into my online banking, I have to swipe my finger. Some identity thief in Podunk, Idaho can't just log into my account. But if I'm transmitting my fingerprint, can't it be intercepted and used again later, the same as a password? You might be able to avoid dupe transactions by attaching some sort of special identifier, but you can't keep me from hacking my fingerprint-swiping machine to send Person X's fingerprint to the online banking site instead of mine. It's just a file.

      I've had the same issue with signing my name on electronic signature pads (I do it, I just don't like it). Once I do that, it can't be hard to take my signature that is on file and simply move it to a different location in your database and attach it to a different transaction can it? Then you print out a copy of the receipt for that new transaction and BAM!! There's my signature. And since it's electronic, I MUST have signed for it. Why there's even a timestamp. Let's see who has electronic copies of my signature...oh, FedEx, UPS, Airborne Express, DHS, damn near every place I've ever used my debit card, and the list goes on.

      Granted, a regular ink signature can be faked, but everyone accepts that. For some reason, when you tack on the word "electronic", everyone suddenly seems to drop their guard and simply accept its authenticity as the gospel even though it's usually even LESS secure. Don't even get me started on "electronic voting"
  • by markov_chain ( 202465 ) on Monday March 28, 2005 @01:36PM (#12067129) Homepage
    TFA: Last year, people at a transit station gladly gave up their passwords for a chocolate Easter egg.

    What passwords? Did they check them? This doesn't sound too credible.
  • by sssmashy ( 612587 ) on Monday March 28, 2005 @01:37PM (#12067137)

    and other personal data, just for a bit of candy. Heck, I'd do it for free. I just wouldn't give them the correct password. I'd also make sure that the personal data I gave them was total BS.

    So how do we know that the seemingly credulous participants in the survey weren't lying?

  • by Anonymous Coward on Monday March 28, 2005 @01:37PM (#12067138)
    Dear Sir,

    ASSISTANCE REQUIRED FOR ACQUISITION OF MASS QUANITY OF CHOCOLATE

    I write to inform you of my desire to acquire large quanities of chocolate in your country on behalf of the Director of Contracts and Finance Allocations of the Federal Ministry of Works and Housing in Nigeria.

    Considering his very strategic and influential
    position, he would want the transaction to be as
    strictly confidential as possible. He further wants his identity to remain undisclosed at least for now, until the completion of the transaction. Hence our desire to have an overseas agent.

    I have therefore been directed to inquire if you would agree to act as our overseas agent in order to actualize this transaction.

    The deal, in brief, is that the funds with which we intend to carry out our proposed investments in your country is presently in a coded account at the Nigerian Apex Bank (i.e. the Central Bank of Nigeria) and we need your assistance and password to transfer the funds to your country in a convenient bank account that will be provided by you before we can put the funds into use in your country.
  • It doesn't matter how well you hide things. You can burn everything, never put your details any where you can't burn afterwards. But if someone wants you, they will get you. By hook or by crook someone will get you if they truely want you..
    • You're quite right. If someone has targeted you, and they're diligent, sooner or later they'll get what they need.

      The idea, is to avoid being hit by the average scammer, who's just looking for whatever info they can grab.

      It's the same idea behind using "The Club" and a security system to protect your car. Both can be easily defeated, but why bother, when the thief can just go a couple cars over and steal one that won't take the extra 30 to 45 second to cut the steering wheel and remove The Club?

      Try rea
  • This is NOTHING (Score:5, Informative)

    by msaulters ( 130992 ) on Monday March 28, 2005 @01:40PM (#12067164) Homepage
    I was at Wal-Mart late one night last week.

    You know those self-checkout stations they have now? Each and every one of them was spitting out paper slips non-stop that were records of the day's transactions. My roommate snapped a photo.

    Each and every slip had the full credit card number, the expiration date, and a copy of the cardholder's signature.

    They were unattended, and the workers had placed plastic bags to catch the slips as they fell out of the machines.

    There must have been hundreds...

    At just one Wal-Mart...

    Out of thousands of stores.
    • Yeah, stealing the identities of Wal-Mart shoppers. There's a million dollar scam.
    • Re:This is NOTHING (Score:3, Insightful)

      by hackstraw ( 262471 ) *
      Each and every slip had the full credit card number, the expiration date, and a copy of the cardholder's signature.

      Many other stores, restaurants, etc simply store this information in the trash. I guess you can consider the new Walmart approach progress.

      However, I don't care too much if my credit card info gets stolen, and being that the credit card people don't do anything to protect themselves from this kind of theft, I guess they don't either. There is, and always will be a balance between security
  • Never underestimate the power of social engineering. My sister's identity was recenty stolen, but thankfully they caught is idiots in the act courtesy of an alert bank teller who got suspicious. The bank (located in Ohio) called my sister and asked her where she was (California). When she told her they propmtly got the people arrested. As how it got out there, who knows.

    I'm pretty anal about filling out web forms with fake info, and I also have a very assertive stance with my privacy. It's amazing the amo
  • by kevin_conaway ( 585204 ) on Monday March 28, 2005 @01:44PM (#12067206) Homepage
    Not necessarily divulged information. These studies are worthless because they ignore the very blatant fact that people can and most likely do give false information.
    • Most people do not intentionally lie in response to seemingly inane questions. Mother's maiden name, pets' names, and so forth. Birthdate, people may lie to conceal their age, but most people aren't quick enough with math for that and just spit out the real date.

      The whole point is that someone who is unsavvy enough to answer these questions without inquiring as to why they're being asked is probably not savvy enough to deliberately lie to foil the thieves asking them.
  • by Anita Coney ( 648748 ) on Monday March 28, 2005 @01:44PM (#12067210) Homepage
    Tickets for The Pacifier was NOT part of the deal. You promised me advanced tickets to Revenge of the Sith damnit! If I don't get those tickets soon, I swear I'll change my password!
  • by JudgeFurious ( 455868 ) on Monday March 28, 2005 @01:45PM (#12067216)

    I'm about as close to paranoid about my personal information as anyone I know and my identity was stolen about 5 weeks ago. I give out practically nothing and it still happened. The part that drives you up the wall is how nobody seems to really give a crap about it. The police yawn, write the report, and leave. The stores all want an affidavit and then go away. Your bank gives you a new account and returns your money. Aside from the pile of paperwork I had, and am still having to deal with it doesn't seem to bother anyone that this happens. This money must have come from somewhere right?

    I know I got all my cash back but I'd bring back roadside crucifixion in a heartbeat if I could get my hands on the guy who wrote $5K worth of checks using my info.
  • The writeup is wrong (Score:3, Informative)

    by porges ( 58715 ) on Monday March 28, 2005 @01:45PM (#12067217) Homepage
    Well, at this year's Infosecurity Europe, it was revealed that 92% of the 200 attendees surveyed would gladly trade enough information to steal their identities for a chance to win theater tickets.

    It's 92% of a sample of 200 random Londoners, not 200 of the people who attended Infosecurity Europe.
    • Slashdot editors can't be bothered to read Slashdot (hence all the dupes), let alone the linked articles in a story submission. And as for actually, you know, editing the submissions? No chance.
  • My philosophy is, make my info a bit harder to get than the next guy's and I'm safe(er). So the fact that there are so many others out there whose info is so easy to get, just makes me feel safer. Just like putting the Club on my car. A thief can remove it w/o too much trouble, but it's still easier for him to just steal the car that doesn't have any theft-deterrent. What does worry me is companies not guarding the information that I give them for legitimate use.
  • This is one circumstance where the required social security number in the US actually makes us more secure. You would find it difficult to open a bank account without one in the US and people do tend to look up briefly when you ask them for it. Usually the SSN makes us less safe but in this case it would make this particular experiment fail to gather enough info to open a bank account.
  • The information about someone can be found out via other methods. I'm not going to go into details, but I'll say simply the Net.
  • by de_boer_man ( 459797 ) on Monday March 28, 2005 @01:50PM (#12067270)
    I've been very careful about keeping my credit card information safe, but somehow, someone got my credit card information and used it for an online spending spree for e-goods.

    I then used social engineering to MY advantage to get information about the person using my credit card information. This moron did absolutely nothing to cover his tracks. After the police and Visa are through with him, maybe I'll post his information here and see if he likes being on the receiving end of this kind of theft.
  • by Harodotus ( 680139 ) * on Monday March 28, 2005 @01:53PM (#12067309) Homepage
    The way I see it, this is not a sign that people need to be taught not reveal details about their personal life to allow identity theft, but that the standards for allowing new/changed credit and other profitable (including non-monetary) benefits from identity theft should include identifiers that people will not normally give away without realizing it's significance.

    Biometrics are a good example, but even that does not go far enough.

    How about a video clip where the person says something like "I explicitly authorize the following change to my personal credit/identity profile; Please add a $2453 credit line for ABC appliances to purchase a new washer/drier". This and every other change could be stored with the credit/identity profile. It could be done with a simple mic/webcam and some database extensions.

    Birth certificates could include DNA data and/or DNA hashes and new credit/identity profiles could require checking that and recording of a baseline "I Bob Jones authorize the creation of a new credit profile".

    New changes to that profile could be checked against past photos / voice prints anytime a change is requested. Impersonators would have to look and sound very much the person being imitated.

    This would be A very strong standard to block fraud indeed.

    Legislation would be required to prevent the misuse of this kind of DNA data and the accepting of new credit/identity changes without it.

    In Summary: Its not the users who are broken, its the system that does not take into account their likely behaviour and provide cost effective technical solutions to the weaknesses of that behaviour.
  • Who's the dummy? (Score:5, Insightful)

    by Rev Snow ( 21340 ) on Monday March 28, 2005 @02:18PM (#12067563)
    Think system wide and find the real
    flaw here. Are people really stupid
    to provide a handful of facts about
    themselves? Or are the banks stupid
    to accept a handful of facts as
    evidence of authorization to access
    an account?

    Seems to me this whole "identity theft"
    is an exercise in blaming people for the
    banks' failures. I haven't had my
    "identity stolen" -- whatever that's
    supposed to mean. No, the bank has been
    tricked, defrauded into giving up my
    money to someone who happens to know my
    mother's maiden name. That's the bank's
    policies hurting the bank's ability to
    do its job -- keep my money safe. That's
    not my problem.

    Calling it "identity theft" and holding
    me responsible for preventing it is just
    an attempt to turn the banks' problem into
    my problem -- one they are happy to help
    me solve for a fee of $10 a month.

    No, thanks, I decline to pay a monthly
    fee to do the bank's work for it.

  • by Ulric ( 531205 ) on Monday March 28, 2005 @02:36PM (#12067816) Homepage
    The password would be 12345. That's the kind of password an idiot would use on his luggage.

Don't steal; thou'lt never thus compete successfully in business. Cheat. -- Ambrose Bierce

Working...