Schneier on Security
A blog covering security and security technology.
« Locking Gas Caps |
| Cameras Catch Dry Run of 7/7 London Terrorists »
September 21, 2005
Automobile Identity Theft
This scam was uncovered in Israel:
- Thief rents a car.
- An identical car, legitimately owned, is found and its "identity" stolen.
- The stolen identity is applied to the rented car and is then offered for sale in a newspaper ad.
- Innocent buyer purchases the car from the thief as a regular private party sale.
- After a few days the thief steals the car back from the buyer and returns it to the rental shop.
What ended up happening is that the "new" owners claimed compensation for the theft and most of the damage was absorbed by the insurers.
Posted on September 21, 2005 at 7:45 AM
• 25 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
You missed out the “make a copy of the keys��? step.
What is needed is a third party, (e.g. the government) to check the IDs of both parties and the ownership rights of the selling before the buyer hands over the money. This is also needed when someone uses a car as part of a crime then claims that they had sold the car the week before for cash.
The fact that it is VERY easy to clone number plates just make this scam easier to do, having number plates that can not be cloned and can not be removed from a car without damming them will offer some protection.
It is also a lot too hard to change all the locks on a car when you buy it, so as to protect yourself from the seller keeping a copy of the keys.
Yes, but the more difficult you make it to clone the number plates, the more you end up trusting the numberplates even if someone does successfully counterfeit them.
So, what you need isn't merely number plates that are *more difficult* to clone, but ones that are *impossible* to clone.
And it has to be something that can be detected as a fake by the average person who wants to buy a car.
I have some suggestions, but I can already see holes in them. I'd probably have to write up a long dissertation trying to bring up each hole and think of a solution for it.
But here's a sketchy beginning:
Say you wanted to make VIN tags verifiable by the average person... Maybe you could create a toll free number where the potential buyer enters the VIN number, the license tag number, and the name of the current owner of the car. Some database could respond with a "True" or "False" answer which tells you if that information is correct. You would, of course, have the usual complaints about the possible abuses of the database, but at least by only handing out a "True" or "False" answer, you can't quite use it to discover the identity of the owner of a vehicle... You have to already know it to use the service...
The questions now become "How do we keep fake identities out of the system?", "How do we ensure that the VIN tag on the car is the correct one?" and "How do we ensure that the license plate on the car is the correct one?" ...because all the *information* on the car could be correct, but the *car* attached to that information might be the wrong one... the rental car with the 'stolen identity'
Currently, most late-model cars handle verification of the VIN tag number by placing it in many hard-but-not-impossible-to-forge locations on the car: Stamped on a tag on the dashboard, stamped on the engine and transmission, etched onto the windows, and printed on temper-evident stickers applied to every body panel on the car.
But it still doesn't stop a resourceful thief from faking all of the above if they try hard enough. Grind off the old numbers and restamp the engine block. Stamp a new VIN plate, print up new stickers, and even replace all the windows.
With enough peer-review and suggestions from enough people, I'm sure we could hack out something workable.
What holes or alternate suggestions can the rest of you come up with?
> What is needed is a third party, (e.g. the government) to check
> the IDs of both parties and the ownership rights of the selling
> before the buyer hands over the money. This is also needed when
> someone uses a car as part of a crime then claims that they had sold
> the car the week before for cash.
Isn't this an example of authenticate-the-transaction-not-the-person way to do things?
The only thing I can think of is perhaps a cooling off period. It's basically a "limbo" for purchases. Someone out there who can be trusted (already one point of failure) keeps both car and money for a while. If anything hinky pops up, the transaction can be stopped. The only way the cooling off period works is by slowing down the flow of fast cash. You can't grab it and run, you have to stick around. But in this case the cooling off wouldn't work, because nothing has been stolen yet. The "real" theft happens after the car is stolen and returned to the car rental. I'm curious to as why the bad guys sold the rental car and then stole it again? Why not sell the rental with the fake info and skip town? Did the rental place put a really big deposit on the car? Were the bad guys just really greedy?
This is actually a fairly old idea and an extension of one that was used for amongst other things money laundering of drugs etc in the US a few years ago.
What the auto manufactures have started doing (on high value) cars is to put an ID number on all windows the wheels etc etc etc. A buyer simply has to check that all the ID numbers match (if not they should ask questions). They can then check that the ID matches the registration of the car.
This makes ID cloning very difficult which limits "Home waters" theft, it does not however stop the cars being shipped to Nigeria or other parts of the world where the buyer does not care who owned it previously or what it's provinance is (the same applies to mobile phones, laptops and other high value items).
I always wondered who decided that windows and wheels should be tagged. It works until you break/chip a window or change wheels, which seems to be two of the more likely things to happen on a car during its life. Imagine if someone breaks into your car, but you recover it and replace the windows. You're still the owner, but because your replacements do not have the ID number...
I didn't bother trying to translate the original article, but I found the synopsis on the linked site a little short on information.
Was there a system like our placement of VIN numbers that was completely forged? If not, the VIN system generally works. Most people will shell out $30 for a carfax when buying a car of much greater value.
If the VIN system was forged well, could the theives also return all the markings to their original numbers before returning it to the rental place?
what about the pink slip, as no one would buy a car without it? How does the thief acquire that -- or is it so easily forged?
> I'm curious to as why the bad guys sold the rental
> car and then stole it again? Why not sell the rental
> with the fake info and skip town? Did the rental
Because as it stands, they don't need to skip town - all they did, supposedly, is rent a car and sell a car. Their name isn't on anything that actually appears shady. The rental car company is happy - they got their car back. The buyer thinks they're happy with the *transaction*, just not with the fact that their car got stolen afterward. They don't know that it was stolen by the same person who sold it to them, and it gets rid of any need to sell the car after the crime, when people might be looking for a car of that make/model being sold.
Selling rented cars is nothing new. See the book "Document Fraud and Other Crimes of Deception" by Jesse M. Greenwald
The original (Hebrew) article is very short on details of the mechanics of the con. Perhaps they thought that they would prevent copycats by not disclosing these details.
I've never purchased a car in Israel, but I asked my father for the mechanics of the transaction and he also provided me with a title. Some observations:
1. The "title" or "pink slip" is an easily forgeable piece of paper, there is one piece of silver impression that is more for style than protection (it included the VIN number, owner ID/address/name and car info.)
2. In order to sell a car the seller and the buyer need to appear _in person_ at the DMV (or equivalent), bank or post office to show their ID just for the purpose of showing they both actually exists. Clearly, those places have no access to any car registry database except the former and they don't have the ability to examine the car. This step is to authenticate the people, not the car.
3. No authority ever looks at the car in any step of the transaction.
4. There is no Carfax in Israel (this is critical, although the thief could provide a fake report while the buyer is excited to get the car for cheap and never runs it on his own.)
I believe that the whole thing fell apart when someone tried to insure the car where it was already insured...
w.r.t. item 2, the seller, of course, needs to have a fake ID, which is easy to obtain as well.
I don't think that the identity of the "legitimate" car is ever physically applied to the rental/sold/stolen/returned car - just its papers. The physical car has to be returned to the rental agency, so actually grinding/stamping/redoing anything but the most obvious VIN probably wouldn't make sense.
Also- the interesting thing is the role of this "innocent" victim in what basically looks like insurance fraud. The innocent victim's "innocence" helps to establish legitimacy for getting insurance on a vehicle that isn't present for the transaction. One wonders whether these "innocent" victims could be recruited to be colluders in the whole venture, and cut out the whole rent/return charade.
There are a couple of failutes here, for example that the purchaser doesn't adequately validate the identity of the car he is being sold, etc., but one struck me particularly strongly. Whenever you purchase a second hand car, under _most_ circumstances, you are at risk of the vendor stealing it back because he has had the opportunity to copy the keys. The usual mitigation against this is that customarily the transaction takes place at the vendor's premises. This means that he should not know where to find the car if he wants to steal it, whereas if it vanishes, then even if he gave a false identity you have some solid clues to give to the police.
Perhaps the crooks can trick some purchasers into doing this at the purchasers' premises, but this sounds like they were recovering the rental cars consistently. This fact, along with the fact that the thieves were able to readily obtain suitable "car ids", indeed suggests collusion with an insider at the DMV. If the DMV can't be trusted to keep this information private, then every car purchaser should change the locks immediately after purchase.
Interesting story some time back on NPR (remembering as best as I can), apparently many stolen cars in Isreal were resold in the occupied territories, and pretty much written off by the insurance companies.
The PA actually found it necessary to issue special plates for these undocumented cars which amounted to a 'stolen car' license plate.
It took me a while to figure out why they were using the identity of a second car. I think I have it figured out:
The buyer (who spent money on a car they no longer have), probably never looked at the VIN to compare it to the pink slip. So when they complain, they look at the pink slip. This leads to a completely unrelated car which was never sold or stolen.
Meanwhile, the rental agency is happy: they got their car back and no one comes calling claiming one of their cars.
In the absence of the fake identity, the buyer would have eventually traced to car to the rental company. The rental company could trace the car to the renter/thief (rental companies are pretty careful to get a working credit card number because of the risk of theft). Thief gets busted. Even if the thief managed to entirely fake his ID and credit card (perhaps using someone else's CC#; we've already seen that they're willing to commit one type of fraud), but the pattern would be quickly noticed. The rental car companies would be more careful, the police would watch for the behavior, and the "easy money" would get much harder.
At least that's my thinking. Perhaps it was obvious to everyone else.
i don't quite get it-
the task involves "stealing a car" in any case-
why even do the "renting a car" step?
if the identity is "stolen" then it's not a matter of switching vin plates, it's a matter of crafting new ones-
so- why not just steal a car, create an identity for it from some other car just like it, then sell it?
You don't have to find a fence, you can make a lot more off it than a fence would give you, and you have a perfectly legitimate reason for having the car just in case you get pulled over before you can get it back (assuming a very alert buyer).
@ Alan De Smet
you missed the point of the borrowed identity. The victim, post theft, is unlikely to have any information to lead them back to the rental company.
The rental company can hardly help - they never notice anything out of the ordinary.
If, as suggested, the scam was discovered due to attempting to insure the "fake" car through the same insurance firm as the borrowed car already used, then there was crucially the chance to check the car's identity more thoroughly (e.g. chassis number) *before* the car was stolen.
this is not clever. this is dumb. particularly part five, where the thief steals the car back after a few days and returns it to the rental agency. that sounds like a lot of work, surveilling the buyer to find out where the car is, unless you use gps/lojack. what if it's in a locked garage and the homeowner has motion detectors and firearms? the face-to-face sale to an unknown buyer is high risk, that could be a cop or a cop's sister. if you're gonna steal a car, doesn't it make a lot more sense to hand it over to your chop shop immediately, or else to the guy who takes them south of the border? this sounds like a great comic caper screenplay in the making.
Yet another clever scam in Israel. Here's another from many years ago:
When the Sinai was given back to Egypt, the border was smuggled past many cars! Cars from Israel were buried in Israeli Sinai. After the border moved, they were dug up in Egypt and sold without paying any expensive border-crossing duties.
It makes more sense to me now. The bad guy tries to make it as legitimate as possible so there is less hinky stuff going on, and the stealing of the car to return to the rental place only mkaes the rental place think the bad guy isn't doing anything funny and further confusing the bad guys role in all of this. Actually pretty clever. It's kind of like selling the Brooklyn bridge for scrap.
That's actually a neat idea. Rent a car, sell it and then steal it back after you've sold it and return it back to the rental shop.
Sure! Don't forget to always sell it to a Friend, (boy it's nice to have lots of Friends), and make sure the same Friend never uses the same Insurance Company as the Rental Car Agency. That will at least keep them off you long enough to return it. (..lol..)
Of course, this will only work until the Insurance Companies grow tired of paying out, Consumers grow even more tired of paying out, and both demand a stronger Rental Car Return methodolgy that gets handed down as some kind of Homeland Security "mandate" whose details (hopefully) are only exposed on a "need to know" basis.
Until then, have fun and bee safe!
I think its a clever idea, but really the individual whom purchased a vehicle was stupid, there are a lot of discrepancies in the story. 1: Why didn't the buyer get a used car package on the car? 2: If the VIN was altered, why did the buyer not check the VIN on the car itself at time or on or before purchase. If the person did change the physical VIN on the car, how did he get it done within the time frame of renting the car
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.