Schneier on Security
A blog covering security and security technology.
« N-DEx National Intelligence System |
| Bottle Liquid Scanners »
March 31, 2008
Church's Pastor Is an ID Thief
The more trusted a thief is, the harder he is to catch.
Posted on March 31, 2008 at 1:07 PM
• 30 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
So if the president of the United States was an identity thief would he be very hard to catch?
that depends on the level of trust you have in the president.
@Timothy: no, because no one trusts the President of the United States.
No one trusts Real ID, including the governor of South Carolina.
So he gets one year and a day on a plea bargain versus how long to fix a victim's credit history? I've heard a couple of years for sure...
Does that seem right to you?
Do people really give their SSN and other such information to their church? I mean, I can see giving them your name and address for the church directory, and if you write them checks that gives them your account number.
I can picture it now... "And Gawd told me that each of you should also write down your mother's maiden name, two prior addresses, annual household income, and whether you touch yourself in the shower."
Unfortunately you probably don't want to make (significant) donations to your church in cash, since that gives you less substantiation when deducting the donation on your income tax.
It's also a shame that we can't trust the journalist writing the story to know that the word "hers" is already possessive without an apostrophe.
"Do people really give their SSN and other such information to their church?"
No need for a SSN number to get tax deductions. They can easily give you a giving statement that you file on your own with your taxes.
My church has no idea about any of my info that doesn't come from my check.
@Anonymous, for the tax deduction, you supply your SSN to the IRS, not to your church. There is no reason for the church to have your SSN unless you are an employee.
You and I know that the church does not need to know the ss number of those who donate. I doubt that is what he told them, however. Most people are very trusting when it comes to faith in those they believe represent God(tm). They are very trusting and will even ignore problems until it is far too late. It is the nature of faith to have that sort of trust in spite of all the evidence at hand. This is not the first case of a minister abusing the trust of his flock and it will not be the last. I don't see how it being ID theft makes it different from the other scams and crimes that some in the clergy do to their flocks. It was just only a little more indirect. (Usually they just get the cash up front.)
@random:"Do people really give their SSN and other such information to their church?"
They likely do if they make donations and want a receipt for tax purposes.
That might not be too far off. A certain preacher in Virginia was known to target the elderly, telling them that "God had told him to give him x" where x could be anything from money to land.
@hers vs her's
The grammar error is not the fault of the author, it is the fault of the editor. It's the editor's job to fix things like that. For all you know, the author got it right and the editor or someone else in the chain of custody between the author and your eyeballs 'fixed' it incorrectly.
Church collections are mostly a cash business, which is why there is never a shortage of unpaid volunteers to show up every week. With all that folding green, everybody gets to skim.
A defense against skimming is paying by credit card -- but we see where that leads.
It is certainly true that some people let down their guard when it comes to religion. I know a lot of older people who assume that, since their realtor (or attorney or accountant or car salesman) is a fellow churchgoer, that means they're automatically trustworthy, God facilitated this relationship, no further vetting is necessary, yada yada.
Suppose that, instead, the minister had simply offered to have people donate $100 but in exchange he would give them a receipt for $1,000? That's a crime less likely to be caught by anything short of an audit or a whistleblower, since the victim (other taxpayers) can't complain.
I've heard of some larger (as in mega) churches actually pulling the credit reports of their congregants. I suppose by now they could probably cast a wider net.
This is so funny, the only people stupid enough to trust preachers are the people sitting in the congregation - they deserve what they get!
Now they need to address the pastors who ask for more donations than their elderly parishioners can actually afford, and those who steal valuable items while on Pastor Visits. Are you really going to accuse the minister of stealing your silverware? Probably not.
I can hear my elderly cousins: "If you can't trust your pastor, who can you trust?" Well.... that tells you something, doesn't it.
As others have said, NO church should be collecting SSNs except for employees. I can only assume that anyone who suggests it's needed for tax deductions has apparently never claimed a charitable donation, because it's NEVER needed.
We claim tax deductions for church, cancer research of various kinds, Alzheimer's research, school groups, community bands and arts organizations, our alma mater college, and other places, and NONE of them has ever had our SSNs. OK, our college had it but that was while we were students.
If your church wants your SSN, IMHO it's time to walk. Nobody in our church except the treasurer knows who gave how much, and that's only to give receipts at the end of the year.
@Roy: I don't know what church you go to, but I can assure you that there's not a dime of skimming going on in our church. Everything is in the open at all times, and collections are counted in the presence of at least one (usually 2 or 3) witnesses. Also hardly any of it is cash; it's almost entirely checks. There might be a few $20s in the plate but the vast majority is checks made out to the church.
@Random: I don't think a minister that was offering fraud on the menu would last long. I'd sure as heck turn him in. Abusing such a position is horrendous and I would HOPE that any church would have at least a few people who wouldn't stand for it.
IMHO, any preacher who's asking ANYONE for any specific amount is telling me "time to walk." Giving to the church is your own decision. If you're asked for some specific amount or thing, time to leave.
Note the statement that the church has since disbanded. It makes me wonder whether it was a small congregation, possibly unaffiliated with any denomination, or even a "church" organized for the purpose of scamming parishioners.
It's also common for pastors to take on a lot of ancillary duties when ministering to elderly and infirm members of their flock, so I wouldn't be surprised if this guy had offered to help vulnerable parishioners with their taxes or bill-paying or other tasks where he could get access to information useful for identity theft.
I don't understand why nobody has brought this up yet: why is a SSN the only thing you seem to need to know to steal an identity?!? It's hardly a secret, and shouldn't be treated as such.
I live in the Netherlands, and we have an equivalent to a SSN, which I'll happily give to anyone who asks (with a sensible reason), because it's totally useless to anyone but me. We have a digital identity, called DigiD, not mandatory but rather convenient for dealing with taxes and such, which requires a username, password, and in some cases, a secret send to you by sms. I'm sure it's not totally secure, but it's better than some number that is available to anyone at any company you worked for, and some other people.
So, are you a thief ..:P ?
In our Church we try to help people to help themselves - to cars, washing machines, lead piping, no questions asked. We are the only Church, apart from the Baptists, to do respray jobs.
@sparky: "why is a SSN the only thing you seem to need to know to steal an identity?!?"
There was a time in the US when not many people needed to know your SSN, so not many did know. At that time, providing an SSN gave a moderate confidence that you really were either the person in question, or else were a "trusted" entity like the IRS, or the payroll department of an employer, considered unlikely to be pretending to be that person.
So, SSN came to be treated as though it were a shared secret, even though in fact it never was, and was never designed to be.
This has gradually become more and more of a problem, to the point where SSN is used for trivial purposes. Anyone can easily find out anyone else's SSN, and yet it is still treated as though it were an identifying secret, and any criminal who knows your SSN is allowed to act as though they were you.
This is just part of a general problem, though. There are similar problems in other countries - if you know enough information about someone, information which is public record in almost all cases, then you can get credit in their name. This is referred to as "identity theft", and is a huge problem for the person you impersonate, because the creditors don't want to admit that it is in fact "bank robbery", and that what has been stolen is money from them (on false pretences), not identity from their customer. Calling it "identity theft", describing the customer as the "victim", and making them suffer, ensures that they will pay money and do work to avoid it, which saves the banks from paying so much money or doing so much work themselves.
The question is, who has an incentive to solve the problem, by ceasing to use SSN, DoB, mothers' maiden name, etc, as if they were passwords? Unfortunately, so far the people with that incentive (the "victims" of "identity theft") don't have the means to change anything. About the best they can do is insure the risk (and so the banks actually *make* some money from the whole situation, perversely reducing their incentive to fix it).
In minnesota, even state supreme court justices can bilk old people. Trust authority is illogical, see Arguementum ad vericundiam. on wiki
we have an entire political party that is a con game, selling one thing and doing whatever makes the cronies rich. look up joe albaugh or jack abramoff. Maybe it has always been so. certainly it was under nixonreaganbushdaddy and now its just a gang of looters from the suprem court to congress to the Junta.
With respect, the same thing can be said for a pastor you gives you *any* specific advice on your conduct. There's no difference in my mind between a church that instructs you to tithe 10% (your 8% is "not enough"), to say ten Hail Marys (8 is "not enough" for your penance) or to abide by ten commandments (8 commandments is "not enough").
You may have the personal preference of not being told specifically how much to give, while being okay with other specific religious instructions--but that's completely arbitrary and merely your own prejudice.
"So if the president of the United States was an identity thief would he be very hard to catch?"
Bush = Untrusted Zone. ;)
Not true, Bush is highly *trusted*. Whether he's *trustworthy* is another issue, since if he isn't then it probably hasn't been such a great plan to be trusting him the last 7 years.
There are several reasons, nowadays, that the church may require your SSN. Some of the reasons - if you are serving in the child or kids ministry they need it for doing a background check; also if you're going on a mission trip they would like to do some background check.
I was requested it ... but find it odd that they need all those details for a trip .. but my bigger concern is how safe and secure is it treated and handled once they have it on their files.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.