8
The Anatomy of Identity Theft
David Wilson and Eric Malin
Ranked number one on the Federal Trade Commission’s
complaint list, identity theft has been casting a dark shadow over many
American citizens and is increasing in frequency. This leads any
individual to question how easy it really is to obtain information about
anyone. There is a remarkable amount of information already stored on
the Internet that can be obtained for a small fee. There are old-fashioned
methods of obtaining information, such as mimicking an
individual over the phone or creating fake identification cards. There is
also the opportunity to acquire information legitimately and use that
data for malicious purposes. Whatever the method may be, one still
must consider what type of information can be obtained from various
sources. One of America’s most problematic crimes will demonstrate
how an ‘average’ person can gather enough information in order to
steal an individual’s identity. These sources have been neglected in the
past, although this data is open to the public.
Types of Identity Theft
Conventional
The most common type of identity theft is referred to as
conventional identity theft. This occurs when the identity thief attains as
much information as possible about a single targeted individual, and
appears to be the most stereotypical type of identity theft.
Synthetic
Another type of identity theft that is currently on the rise is
known as synthetic identity theft. This is a newer type of piracy that is
becoming more difficult to trace. This is a type of fraud in which thieves
create new identities by combining information from different
individuals, by combining real and fake information, or by using fake
information (McFadden). An identity thief will utilize a real social
security number from one person and combine it with a name other
than the one associated with that number. Amazingly, this type of
combination usually does not hit the victim’s credit report! Synthetic
identity theft creates sub files at credit bureaus. A sub file refers to
additional credit report information which is tied to a real consumer’s
social security number but a different name (McFadden). Thus, when
negative information gets stored in the sub file, that consumer’s credit
will decline and he/she will have no idea until a creditor checks the
credit report and asks for all supporting documents.
Post Mortem
The last type of commonly used identity theft is referred to as
post mortem. This literally entails an individual stealing the identity
from someone who has passed away. The Social Security
Administration (SSA) keeps a database of who has passed away in
order to ensure that taxpayers’ money does not keep going to the
deceased. The SSA publishes a death database online for employers to
check and ensure that the people they are hiring are who they say they
are. Also, people have been known to use social security numbers
related to dead newborns. For example, newborns do not have any
previous work history, thus, identity thieves could easily create entirely
new people, as if the child had never died.
The Three Tiers
Identity theft can be thought of as a three-tiered structure. The
three tiers are: tier one - personal information, tier two - governmental
information and tier three - institutional information. Tier one includes
personal pieces of information about an individual, such as: full name,
birth date, telephone number, current and previous addresses, email
address and other personal details. Tier two includes information the
government employs to aid in storing detailed data about a specific
individual: social security numbers (SSN), employer identification
numbers (EINs), driver’s license numbers and vehicle identification
numbers (VINs). Tier three encompasses important financial and
medical information, as well as specific records that would only apply
to business institutions. This type of data includes bank account
numbers, credit card numbers and insurance policy numbers. The
specificity of the data and the difficulty of obtaining it increases with
each tier.
Each tier is comprised of three elements: information, source
of information and method used to obtain the information. They are
summarized as follows.
Information: Information describes the type of data contained in the
tier. In tier one, for example, this would be the full name, phone
number, address, etc. of the victim. The tier, by definition, is classified
by the type of records located in that tier and not by the sources or
methods that can be associated with that tier.
Source: The source is the institution or storage unit from which the
information was obtained. For example, if one was able to attain a
person’s date of birth from facebook.com, the website would be the
source. When looking at sources of information, a source can technically
be grouped into tiers sorted by the highest degree of information
obtainable. This means that if the department of motor vehicles was
able to reveal names, addresses, phone numbers, and SSNs, the source
would be grouped into tier 2, because SSN is the highest degree of
information. There is also a good chance that sources in higher tiers
will include information that other storage units have in lower tiers.
Method: The method describes how the identity thief attains
information from the source. In the case of acquiring a date of birth
from facebook.com, the act of hacking a facebook.com account in order
to gain access to that information would be considered the method.
Methods are particularly unique because they describe the way in
which people are able to acquire the information. These include: social
engineering, hacking, openly requesting information, and paid
membership. Any method can be used for any source, because one can
openly request information or employ social engineering to obtain the
information needed. Following is an explanation of such methods:
Social Engineering: This is the preferred method of manipulating
people and obtaining data by any identity thief. Whether by telephone,
in person or through a website, this method is merely the act of
pretending to be someone or something that you are not. For example,
one can call a mortgage company and try to use someone else’s name
and address in order to obtain more sensitive information. One can also
construct fake websites and attempt to capture people’s information by
having them submit it on the website, which stores that data (also
known as phishing). Another instance would be sending
a letter to someone pretending to be an insurance company and
explaining to him or her that they need to send you updated
information in order to continue providing a service.
Dumpster Diving: Records are thrown away by individuals daily,
which greatly assist an identity thief in his/her endeavors to steal a
person’s identity. Simple offers for credit cards can be utilized to secure
information or actually obtain a credit card. That allows an identity
thief to maximize the benefit of the credit card, make no payments and
severely harm or destroy a person’s credit rating. Obtainable
information that is thrown away daily includes: medical bills, old car
insurance policies, old medical/health policies and bills, telephone bills,
utilities invoices, mortgage payment bills, social security numbers, and
Medicare bills. Many of those invoices identify the person by name,
birth date and identification number. In some instances, the identification number is identical to the individual’s social security
number. More daring thieves steal mail from corporate mail rooms,
mailboxes, infiltrate medical offices and insurance companies, work for
office and home cleaning companies, hospitals, retirement homes and
other corporations including state, city and local governmental agencies
where confidential information is readily available.
Hacking: There are two types of hackers: white hats and black hats.
The white hats break into networks or modify hardware for non-malicious
purposes, normally contacting the network administrator to
alert them of a security flaw. Black hat hackers attack networks with a
malicious intent, not alerting the network administrator of a breach and
utilizing the information gathered for their own needs.
Openly Requested Information: This is where an individual openly
requests information about someone other than himself/herself.
Whether or not this person is breaking the law depends solely on the
intent with which he/she plans to use the information. For example, if
you go to the DMV and request vehicle information on a random
person and do not use that information in a malicious manner, then you
are within the bounds of the law. However, if you lie about how you
intend to use the information and actually end up stealing that person’s
identity, then you are breaking the law, but punished only if you are
caught.
Bribes and Hired Professionals: When information cannot be found
externally from a source, the researcher might be forced to pay off
individuals in order to pass data to them. This comes into play when an
individual becomes heavily involved in trying to gather information for
tier three. One could, for example, pay a nurse or clerk to provide a
patient’s medical records or policy number. Hired professionals are
individuals who are appointed to perform certain tasks or create tools
for utilization by the identity thief. These could include a private
investigator, photographer or a hacker that is able to create hacking
tools and websites for phishing.
Figure A below summarizes the structure of the tiers and what is
included in each.
Stealing an Identity
The following is a breakdown of each source, corresponding
tier, associated methods, attainable information and relative costs. Keep
in mind that the sources are not limited to the information listed.
Source: Facebook.com / Tier: 1
Probably known as the most convenient way to obtain free
information, facebook.com has spiraled into a billion dollar business as
children and adults, alike, have flocked to the idea of social networking.
Obtaining an account is easy. Some would call facebook.com a social
networking trap, as employers actually refuse to hire young people due
to explicit pictures and other obscenities posted on facebook.com.
Others would describe it as a site where an individual can keep in touch
with long-lost friends around the globe. Whatever your intention may
be, there is no doubt that facebook.com is literally a massive database
which is the foundation for the informational structure of tier one.
Associated Methods: Ordinary use, hacking
Information Available: Name, gender, sexual preference, relationship
status, birth date, home town, political views, religious views, email
address, instant messenger screen names, phone number, current home
address, activities, personal interests (movies, books, etc.), college,
major, year of high school graduation, year of college graduation,
employer, position, time spent with the company, job description, many
other miscellaneous applications and pictures
Cost to Obtain Information: There are no monetary costs. Also,
acquiring a facebook.com account is virtually effortless as long as one
has Internet access.
Source: Myspace.com / Tier: 1
Although myspace.com was promoted as the place for users
seeking alternatives to facebook.com, the site is currently considered to
be the leader in social networking in terms of traffic. Even when trying
to contrast differences between the two websites, myspace.com does
reveal nearly the same amount of information as facebook.com.
Associated Methods: Ordinary use, hacking
Information Available: Same as facebook.com, except you can also
obtain height and body type, as well as courses taken in college.
Cost to Obtain Information: There are no monetary costs. Also,
acquiring a myspace.com account is virtually effortless as long as one
has access to the Internet.
Source: County Assessor / Tier: 2
What happens if you do not possess the name of an
individual? Do you have an address? Is it possible to drive around and
find a street name or even a house number and then be able to locate
your target? If so, then all that is required is to search for your
particular county’s assessor’s office in a search engine. From there, you
need to provide very minimal information in order to obtain a decent
amount of useful data. For example, while visiting the site for Denver,
you can easily obtain the owner information for any home in Denver.
The following information is available: comparable sales information
for the property, property sales information for the neighborhood,
property tax data for the property and a considerable number of other
useful pieces of information. It will even draw a map of the property
with the associated address and parcel number.
Associated Methods: Ordinary use
Information Available: Name, address, history of the home, property
values, property taxes and mortgage details
Cost to Obtain Information: These sites tend to be free.
Source: DMV / Tier: 2
A significant degree of information from both tier one and two
could easily be obtained at a low cost. At your local Department of
Motor Vehicles, there are specific forms available for requesting driver
and vehicle information. All one needs is the name, last known
address, and date of birth in order to compile a fairly significant
itemization of information. Interestingly, one does not necessarily need
a last known address or even a date of birth in order to obtain this
information. The last known address only assists in narrowing down
the search of the individual (since many people have the same name).
This is also true for the date of birth. At minimum, one must provide a
name and approximate age (although once a person is in front of the
clerk at the DMV, a guessing game cannot be played). There is a check
box section for why this information is being requested. However, one
of the options reads: “In research activities (the information may not be
published, redisclosed, or used to contact the parties).” Therefore,
selecting an excuse is not all that difficult. What could one do with all
of this information? The answer is actually quite simple and incredibly
powerful – construct a fake ID!
Making a fake ID with completely accurate information becomes quite
simple: all you would need after acquiring this information from the
DMV would be a template for a license (which could be scanned) and a photo. Now, there are complications, such as holograms, black light
recognition and scanning capabilities, which could be obtained from
professional fake ID producers. However, you are not interested in
getting into your local bar with this fake ID. You are interested in
setting up a bank account, which requires only a state issued ID, a
second form of ID and a social security number. With this fake ID, you
lack only one vital piece of information from being able to leap into tier
3 – a social security number. Once that is obtained, you can easily set
up a bank account.
Associated Methods: Openly request information
Information Available: Name, address, driver’s license number, eye
color, hair color, weight, any recent citations, vehicle license plate and
title numbers, traffic accident reports and traffic tickets
Cost to Obtain Information: The cost for each printed piece of paper is
$2.20. For example, the record containing the driver’s license number
will be on one page and there will be a separate page for each vehicle
registered in that person’s name. Thus, if one looks for John Smith and
he has two cars in his name, then the total cost will be a mere $6.60.
Source: County Court Cases / Tier: 3
Most counties now have all of their case information online. If
one navigates to google.com and types in ‘Denver County Court,’ for
example, he/she will be directed to a website where all that is needed is
the name of an individual or a business. Further, one can obtain that
individual’s date of birth and information on any past or current cases.
Interestingly enough, the most significant piece of information provided
at no cost is the case number. If there was a judgment (which is detailed
in the online report) then one can pull the file at the county court office.
There are facts contained in many files, which lawyers will refer to as
‘discovery.’ This is a formal investigation, which is governed by court
rules prior to a trial. Discovery allows one party to question other
parties and occasionally witnesses. It also permits one party to force
others to produce requested documents or other physical evidence
(NOLO). Thus, one could obtain such information as social security
numbers, credit card numbers and bank account numbers. Keep in
mind, the file will not pop out and give a bank account number.
However, it could provide the amount of a line of credit from a
particular bank with the account number! As long as an open mind is
kept and one is willing to backtrack, extremely valuable information can
be found in a court case file.
Associated Methods: Ordinary use
Information Available: Name, birth date, civil record, criminal record,
social security number, bank account number and credit card number.
Cost to Obtain Information: This information requires very little effort
to obtain and only entails the transportation costs of visiting your local
county court.
Source: Receipts / Tier: 3
Most businesses in the consumer services industry will
reproduce only the last four digits of a credit card number, if that is the
form of payment the consumer chooses to use. There are a few places,
such as restaurants, that will print out your full name, credit card
number and the expiration date. This can be incredibly dangerous, as it would take literally no effort for an employee and possibly even
another customer to steal this information and use it in a way that could
be catastrophic.
Associated Methods: Ordinary use, social engineering
Information Available: Name, credit card number, expiration date of
credit card
Cost to Obtain Information: There is no cost or effort to bending over
and picking up someone’s receipt on the sidewalk.
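The scan below is an added example, not part of the original chapter: it applies the rule from the "Source" element (a source belongs to the highest tier of information it holds) to the text of a receipt or bill before it is discarded, and truncates card numbers to the last four digits as most businesses already do. The sample receipt and bill, the card number (a widely used test value), the SSN-shaped member ID and all function names are constructed for illustration.

```python
import re

# Tier numbers follow the chapter: 1 = personal, 2 = governmental, 3 = institutional.
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\s*:?\s*(\d{1,2}/\d{1,2}/\d{4})", re.I)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally grouped with single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample: a restaurant receipt that prints the full card number.
RECEIPT = """\
MILE HIGH DINER (constructed sample)
Customer: JOHN SMITH
CARD 4111 1111 1111 1111
EXP 12/09
TOTAL $42.17
"""

# Constructed sample: an insurance bill whose member ID is SSN-shaped.
# Area number 000 is never issued, so this is not a real SSN.
BILL = """\
EXAMPLE HEALTH PLAN (constructed sample)
Member: JOHN SMITH
Member ID: 000-12-3456
DOB: 03/14/1970
Amount due: $120.00
"""


def luhn_ok(digits):
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text):
    """Return (kind, tier, matched_text) for each identifier found in text."""
    findings = []
    for m in DOB_RE.finditer(text):
        findings.append(("birth_date", 1, m.group(1)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", 2, m.group()))
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append(("card_number", 3, m.group()))
    return findings


def document_tier(findings):
    """A document is grouped by the highest tier it exposes; 0 means nothing found."""
    return max((tier for _, tier, _ in findings), default=0)


def redact(text):
    """Keep only the last four card digits and blank out SSN-shaped values."""
    def mask_pan(m):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()     # not a card number, leave untouched
        return "*" * (len(digits) - 4) + digits[-4:]

    text = PAN_RE.sub(mask_pan, text)
    return SSN_RE.sub("***-**-****", text)


if __name__ == "__main__":
    for name, doc in (("receipt", RECEIPT), ("bill", BILL)):
        print(name, "tier before:", document_tier(scan(doc)),
              "tier after:", document_tier(scan(redact(doc))))
        print(redact(doc))
```

The birth date on the bill is left in place by redact, so the redacted bill still rates tier 1; the patterns cover only the identifier formats shown in the samples.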
Source: Google / Tier: 3
The benefits of Google.com are interesting due to the fact that
it indexes a large portion of the Internet. Google.com is also a method
for finding various online databases and services that can disclose
information such as social security numbers or court case information.
In this sense, Google.com is a portal for finding the tools a person
would need on the Internet for the task of researching an individual to
steal his/her identity. Google.com also has a massive database
containing enormous amounts of information on many people
throughout the world.
Associated Methods: Ordinary use, hacking
Information Available: Nearly an infinite amount of data can be at
your fingertips. One can easily obtain the majority of data from tier one
by typing in keywords and pulling that information straight from the
database of Google.com.
Cost to Obtain Information: The information is free.
Source: Various Online Databases / Tier: 3
It is not as unrestricted as one would assume to go online and
acquire a large amount of information about an individual. Many sites
merely pull their data from public sources and then charge one a fee
when it could be searched elsewhere for free. However, if one has a
business and is agreeable to answering a series of questions,
information can be obtained including social security numbers and even
credit reports. Unfortunately, this particular source is diminishing with
new privacy laws, as stated by one private investigator:
The method I use to obtain social security numbers is almost
always through computer database searches. These are pay
sites that I'm able to access with my business. However,
several of these companies are now starting to only give me
partial social security numbers. This current "privacy issue"
being debated is causing problems even for conducting
legitimate business. There are still a couple of database
companies that provide quality service/complete information
(Private Investigator).
Netdetective.com: When searching through this database, it is quite
difficult to find specific people. There are incorrect and/or incomplete
pieces of information everywhere. For example, one may search by
address and discover someone with a similar name but different age.
When asked where this site acquires the bulk of their data, their
response was simple, “One of the most time consuming processes in
maintaining our service is keeping our database up to date. So in order
to save us time and money and ultimately keep our prices so low, we
use a third-party companies that specializes in compiling and
formatting databases from public records. Voter registration, DMV
records, public phone books, and many other public files are used in
developing our database. Unlisted phone numbers are included where
available.” (W). Since every source they use is public, it is easy for one
to obtain this information himself/herself. This is not a recommended
website, especially since a monetary cost is involved.
Associated Methods: Paid membership, hacking
Information Available: Name, address, age, criminal records, DMV
records and social security number
Cost to Obtain Information: In order to activate an account, $29.00 is
required. If one requests more detailed information, he/she will be hit
with a $10.00 charge. Be careful, this is not a one-time charge. An
account will be depleted by $10.00 every month until they are informed
otherwise. The effort is frustrating. It is not easy to navigate and even
more difficult to locate specific individuals. Combining the cost and
effort makes this online database one of the worst to use.
Searchrecords.org: This website was more user friendly than
netdetective.com. It continues to be quite difficult to obtain the
required information about specific people if they are under certain
ages. It appears that homeowner records are the foundation of this site.
Thus, if one is searching for someone who has never owned his/her own
home, it will be much more difficult to find him or her. As a matter of
fact, if one purchases the standard membership for searchrecords.org,
then the only information provided is the homeowner details, which
may or may not include a date of birth. However, visiting your local
county assessor’s office will easily furnish this information. In addition,
this database is difficult to work with, as it will report the same name
numerous times.
Associated Methods: Paid membership, hacking
Information Available: Name, birth date, property information,
address history, marital status, neighborhood information and criminal
check
Cost to Obtain Information: A one-time fee of $39.95 is required in
order to access homeowner information. If you wish to initiate a
‘complete background check,’ including much of the information above,
then you must pay an additional $20.00 per record. You can easily
obtain this information for free elsewhere. One positive about a
background check from this website is that if you are unable to find
who you are looking for then you will not be charged.
Intelius.com: This type of online database houses a great deal of
information, which is contained in tier one. This would be the
recommended website to use among the other three listed in this report.
Associated Methods: Paid membership, hacking
Information Available: Name, age, home address, phone number,
neighbors, jobs, various statistics about the area surrounding the home
address, title reports which included the owner’s name, mortgage
amount, mortgage company, taxes, size and type of dwelling
Cost to Obtain Information: Registering at this site will cost $49-$89
depending on the level of your search.
Docusearch.com: This site promises that it has the ability to find full
and complete social security numbers if the individual being searched
has a debt obligation to the person searching for his/her information.
This service mentions that everyone who requests this information will have to present documents supporting his/her claim and also submit to
a phone interview.
Associated Methods: Paid membership, hacking
Information Available: Name, home address, telephone number, social
security number and more information if you are willing to submit to
the privacy terms
Cost to Obtain Information: Membership requirement is $49.
Source: Trash / Tier: 3
There is no limit to the amount of information that can be
found in trash. As long as one does not get caught and is willing to get
a little dirty, there’s no telling what can be found buried in a dumpster.
Associated Methods: Dumpster diving
Information Available: Combines all the information from tiers one,
two and three. If one picks through someone’s personal trash, their bills
will most likely be found. If one goes through a company’s dumpster,
patient information, employee records and even old applications for
employment can be found.
Cost to Obtain Information: There is no cost to obtain this information
other than rubber gloves, dirty overalls, and conquering one’s fear of
spoiled food and rats.
Source: Life Insurance and Medical Insurance Companies / Tier: 3
These companies retain extensive data files regarding their
patients. Surprisingly, many medical insurance companies, such as
Blue Cross and Blue Shield, use a person’s social security number as the
member ID. Thus, finding an old bill or statement in the trash can
easily open access to tier three information. Also, pharmacies have
access to medical insurance companies and can access social security
numbers, dates of birth and other personal information in the insurance
company’s database, as well as in the database of the pharmacy.
Associated Methods: Bribes and hired professionals, dumpster diving,
hacking
Information Available: Name, home and business addresses, phone
number, social security number, birth date, medical history, illness and
accident information and drug usage
Cost to Obtain Information: It will range from negligible to high cost.
If one dumpster dives, it will not cost a cent. However, if someone is
hired who is working within one of the businesses to obtain the
information, the costs will be more significant. This is also true if a
computer hacker is hired to gain access to the database.
Source: Banks / Tier: 3
Today, all banks maintain extensive personal information on
all depositors, clients and borrowers. As regulatory environments
change within securities, sales and stock brokerage business, banks
have access to many databases, including bond and security agencies.
Therefore, they are able to obtain an individual’s bank records file. That
file provides an extensive amount of information in regards to his/her
personal finances, such as balance sheets and retirement accounts.
Associated Methods: Bribes and hired professionals, hacking
Information Available: Credit report, total assets and liabilities, income
and expenses, investment accounts and balances, cash, checking, savings and money market accounts, certificates of deposit, 401K
retirement accounts and balances, amount of life insurance carried,
alimony payment amount, present address and previous addresses for
the past ten years, judgments, litigation, bankruptcy and criminal
records.
Cost to Obtain Information: There will be a significant cost. One will
need to either hire someone working within one of the businesses to
obtain the information, or hire a computer hacker to gain access to the
database.
Source: Credit Reports / Tier: 3
These reports contain an immense amount of information on
individuals. Once a credit report is acquired, that particular individual
is at the mercy of the thief’s imagination. One of the most crucial pieces
of information needed in order to request a credit report is a social
security number. A credit report can be obtained directly from a credit
reporting agency, as well as through various databases online for a
minimal fee.
Associated Methods: Paid membership, hacking
Information Available: Name, aliases, present home address, past
home addresses, birth date, social security number, spouse’s name and
address, judgments, liens, collection items, credit card numbers, issuer,
balances, history of payments, outstanding balances, monthly
payments, sale/transfer of accounts to lenders’ purchasing rates, car
loans, name of the lender, amount of loan, payment history, mortgage
loans, respective addresses, loan numbers, balances, payments, lender,
unsecured loans, credit lines, maximum credit available on the
accounts, all balances and issuer of all credit facilities
Cost to Obtain Information: Make sure to sign up for the right kind of
database for a lower fee (some will go as low as $36).
Source: Mortgage Loan Document Files / Tier: 3
These files contain almost the same information as bank
records and include credit reports. They are the least safe of all the
aforementioned records, as the information can be developed by
unlicensed and unsupervised individuals who have the opportunity to
sell the information. There are no checks, balances or controls over the
majority of mortgage originators or brokers. Virtually anyone in the
state of Colorado and many other states can portray himself/herself as a
loan originator or broker. Unsuspecting citizens freely provide all
information needed for identity theft when applying for a home loan.
Once the home loan file is submitted to a licensed lender, that lender
has in place security procedures to safeguard the information. Most
originators and brokers keep a record of all information for several
months and, in some cases, several years. Destruction of old files is not
handled in a secure manner as most files are simply thrown in the trash,
not destroyed, shredded, or burned.
Associated Methods: Dumpster diving, hacking, social engineering
Information Available: Please refer to the following sources: ‘Banks’
and ‘Credit Reports’
Cost to Obtain Information: There is a very small cost to acquiring this
information. Interestingly, Colorado does not require mortgage bankers to be licensed. Thus, you could easily follow the social engineering
method above and receive files on an individual at little to no charge.
Conclusion
In summary, it is profound to realize that for a small fee, you
can completely take over anyone’s identity. At first, you can sign up for
a free facebook.com account and immediately dip into someone’s
personal life. From there, you can pay an insignificant price for an
online database which will detail where he/she lives, what his/her
neighborhood is like, what kind of car he/she drives and the true figures
of his/her actual physique. Then, you can construct a fake identification
card, search his/her trash for a social security number, set up a bank
account in his/her name and begin building credit that will never hit
your own credit report. Consequently, it would be ideal if an
individual used different pieces of information from various individuals
in order to construct a synthetic identity, which would be even more
difficult for authorities to recognize. If an individual became
comfortable speaking and feeling like another, using social engineering
to acquire any missing information would be straightforward.
Understand that one has unrestricted access to all of these methods and
sources. However, they are the most overlooked ways of obtaining
such vital information at incredibly low costs.
Works Cited
Denver County Court. “Criminal, General Sessions, and Traffic.” 26
Oct. 2007. http://www.denvergov.org/apps/court/courtselect.asp
Denver the Mile High City. “Real Property Record.” 25 Oct. 2007. City
and County of Denver. 26 Oct. 2007.
Docusearch Investigations. Docusearch.com. 8 Oct. 2007.
www.docusearch.com.
Intelius. Intelius, Inc. 28 Sept. 2007.
McFadden, Leslie. “Detecting Synthetic Identity.” Bankrate.com. 27
Oct. 2007.
http://www.bankrate.com/brm/news/pf/identity
theft_20070516_a1.asp
Net Detective. Harris Digital Publishing Group. 28 Sept. 2007.
www.netdetective.com.