Bruce Schneier

 

Blog

Crypto-Gram Newsletter

Books

Essays and Op Eds

News and Interviews

Audio and Video

Speaking Schedule

Password Safe

Cryptography

About Bruce Schneier

Contact Information

 

Schneier on Security

A blog covering security and security technology.

« More on Greek Wiretapping | Main | FedEx Kinko's Payment Card Hacked »

March 1, 2006

Jury Duty Identity Theft Scam

Here are the details:

Identity thieves trick the unwary into revealing their personal details by telling them they've failed to report for jury duty and warrants for their arrest are being issued.

Tags: , , , ,

Posted on March 1, 2006 at 1:12 PM28 Comments

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

richMarch 1, 2006 1:40 PM

Relies on people (sheep) thinking it's entirely reasonable that the Government can lock you up because you didn't receive some mail.

Fred PageMarch 1, 2006 1:46 PM

Actually, I find it more reliant on many people having little to no legal education. For example, how can a legitimate warrant be served without identifying information?

TimMarch 1, 2006 1:54 PM

It's purely an example of taking advantage of people who aren't familiar with the law. In our area (Pasco County, FL), anybody who's actually participated in jury duty knows that missing it simply results in the courthouse issuing another summons for duty. If you miss the second one, a third is issued in person by a deputy or other officer of the court. You only get into hot water if you get that third strike. All of this is actually explained to you when you appear during a short orientation session. I've had the pleasure of attending these sessions twice in the past few years.

Of course, those who haven't ever been summoned for jury duty most likely don't know those little details. It's betting on the same odds that scam emails bet on. They figure if they try it 100 times and succeed once, then it was worth it.

Don ByrdMarch 1, 2006 2:21 PM

I know popular usage nowdays is to call this kind of thing "identity theft", but isn't it just old-fashioned fraud? I used to think the new term "identity theft" really meant something new and more far-reaching, but I'm not sure anymore.

AndrewMarch 1, 2006 2:56 PM

Re: Rich "people thinking they can be locked up because they didn't receive some mail".

This can and does happen. I got to spend an evening in my local jail once because the Registry of Motor Vehicles sent some mail to a wrong address (so I didn't get it). I didn't show up to my court date to contest a traffic ticket, so they issued a bench warrant for me. They sent it to the same wrong address, closely followed by the mail that told me my license was suspended for failure to appear. Didn't get those either.

Fast forward 6 months to a routine traffic stop that ended up in the grey-bar hotel for a few hours.

jammitMarch 1, 2006 3:10 PM

I agree that this isn't really identity theft. It's fraud. The one time I was called for jury duty (s-mail) I called the courthouse on the day I was supposed to show up and got through to the automated phone machine. It told me the case was closed and I wasn't needed. Oddly enough, someone forgot to reset the machine and the court case was still on. I did get a phone call wanting me to turn myself in. In Kansas you have to show up or you get a fine. In this case I went to the courthouse in person and had it cleared up (no fine). In good faith I elected to be there for the next one.

Bruce SchneierMarch 1, 2006 3:21 PM

"Relies on people (sheep) thinking it's entirely reasonable that the Government can lock you up because you didn't receive some mail."

They locked up Jose Padilla for less.

Bruce SchneierMarch 1, 2006 3:22 PM

"I know popular usage nowdays is to call this kind of thing 'identity theft', but isn't it just old-fashioned fraud? I used to think the new term 'identity theft' really meant something new and more far-reaching, but I'm not sure anymore."

Identity theft is old-fashioned fraud modified for the Internet. I think "identity theft" is a terrible name for it, BTW. Your identity is the one thing about you that cannot be stolen. It's fraud. It's fraud due to impersonation.

MyCatMarch 1, 2006 4:19 PM

"Your identity is the one thing about you that cannot be stolen."

Yes it can.

http://www.ibiblio.org/Dave/Dr-Fun/df200504/...

daveMarch 1, 2006 4:28 PM

This is just another one of many, down here in the land of retirees we read many articles and see many reports on TV about how some of them are taken. Some of these are just too much to believe but when you are old it sometimes doesn’t take much.

RogerMarch 1, 2006 5:25 PM

When I read the subject line, I thought it was going to be about "identity thieves" impersonating real jurors in order to pervert the course of justice.

I've served on two juries, and in neither case do I recall anyone checking my identity at the courthouse. If someone had stolen my summons from the letterbox, turned up at the courthouse saying "yep, I'm Roger", and been able to give sensible answers to a few basic questions from the lawyers, no-one would have been any the wiser. Having even one juror on their team, as a spy, would give a considerable advantage in argument, as well as facilitating jury tampering. Three would usually be sufficient to force a favourable verdict on all but the most open-and-shut cases.

You'd probably need an informer or other security breach at the courthouse to know which electors are going to be impanelled, but otherwise it would be pretty easy, at least for minor cases where the lawyers aren't going to use PIs to check your "voir dire" answers. (Actually, I think it's only defendant's lawyers who do that, so if the attack is being made by the defendant then you're completely safe.) The main difficulty is that usually there are several times more electors impanelled than jurors selected, and the rest just get a lunch voucher and then sent home. You would need to get quite a few agents onto the panel to get a good chance of one making it into the jury.

In my country, I believe the press aren't supposed to publish the names of jurors. However even if they do so, they are very unlikely to publish name AND address, so no-one will be alerted unless the attacker foolishly chooses a juror with a very unusual name. In fact a resourceful attacker may even be able to substitute a juror with another person with a very similar name, so even if the ruse is detected it can all be blamed on the Post Office.

No Such Thing As ID TheftMarch 1, 2006 5:30 PM

@Bruce

"Identity theft is old-fashioned fraud modified for the Internet. I think "identity theft" is a terrible name for it, BTW. Your identity is the one thing about you that cannot be stolen. It's fraud. It's fraud due to impersonation."

I totally agree. The thing that perplexes me is why this "new" fraud is so successful. Not the part about how the criminals are getting the data, but how the criminals are able commit the real crime, which is stealing money from banks, with the banks passing their loss onto their hapless customers.

Perhaps it is just that, as long as the bank customers let these incompetent banks pass this fraud onto them, the banks will continue to do so.

Back in the "old days" of check fraud, I don't recall ever reading about people having their bank accounts cleaned out as the result of fraud when a criminal successfully cashed a counterfeit check at a bank. Maybe I just don't have all the facts, but it seems that the bank was held at least partially responsible for having cashed the bad check and wasn't able to pass this fraud onto their hapless customers.

RoyMarch 1, 2006 6:15 PM

@MyCat

The Bruce is correct. You identity is the answer to the question, of the 6.5 billion people on this planet, which one are you?

Someone may impersonate you, but they cannot be you.

Tobias WeisserthMarch 1, 2006 8:15 PM

"Relies on people (sheep) thinking it's entirely reasonable that the Government can lock you up because you didn't receive some mail."

Actually the government can do that, at least in Germany. I have received a letter urging me to appear in front of a court as a witness and the letter states that I either have to pay 1000 Euro if I don't show up or in case I can't pay the 1000 Euro they lock me up for a couple of weeks. Suppose I didn't receive the letter but it got sent. What then? The court will claim that they sent it and I have to claim I didn't get it? It will be their word against mine.

I wouldn't underestimate fear of sanctions as a great motivator regarding scams of all sort. It puts pressure on people, especially if the chance they have experienced a fake situation for real is rather slim, people tend to know less about what's real and what's not.

Take me for example. I had to study the letter very hard and read it three times until I understood all the inclinations. These letters tend to be written in Legalese so that ordninary people like me are hindered of understanding them instantly and often correctly.

David FrierMarch 2, 2006 3:21 AM

@Roger: Put down the Grisham novel and back slowly away.

There are enough random factors in jury selection that an attacker would have to seed a jury pool with anywhere from 5 to 30 fraudsters per day (jury selection doesn't always happen on quite the day one might predict) to be reasonably sure of getting one on the targeted jury.

Nick LancasterMarch 2, 2006 5:12 AM

Re: Gaming the Jury Pool ...

Furthermore, the only thing a fake juror could hope to do is hang the jury, in which case his identity might come under further scrutiny, and the 'real' person would learn of the impersonation as soon as the media got hold of the story. If you're going to pay for the real person's silence, why not pay for their complicity in the first place?

DanMarch 2, 2006 6:11 AM

@Nick Lancaster
Err, the majority or court cases don't go on TV, even if the jury is hung

DavidMarch 2, 2006 7:03 AM

People who fall for this scam are not entirely to blame, considering the big brother attitude of our governments these days. However, a rule of thumb that would completely stop almost all scams of this nature: Before giving sensitive information over the phone, ask for a call-back phone number, then hang up and call them back. That simple step would eliminate the vast majority of all scams. It works especially well for other things, too, such as ebay scams, "your bank is updating your personal data" scams, etc.

JBMarch 2, 2006 10:30 AM

@David

That was my thought too. A slight correction/addition though. *Find* a call back number or independantly verify the one supplied by the caller otherwise they can just supply a false one (theirs). I am sure that's what you meant but if I didn't correct you someone else would ;)

Matt DMarch 2, 2006 11:17 AM

"Before giving sensitive information over the phone, ask for a call-back phone number, then hang up and call them back. That simple step would eliminate the vast majority of all scams."

However, here in the UK at least, it is surprising how awkward and even aggressive many call centre staff can become if their default request of "For reasons of security please provide me with [blah blah]" is refused by the person whom they have just called.

A standard (and completely incorrect) assertion which they often trot out at this point is "the Data Protection Act requires us to ask this".

Organisations which have done this to me include banks, credit card companies, car insurance companies and the local council.

Trying to arrange to call the organisations back to verify their requests securely can be almost impossible in this age of call-gates and the like, and in one case the call centre agent became argumentative to the point that I hung up, after which he re-called me repeatedly over a period of ten or fifteen minutes, still demanding information I was not prepared to give to a cold-caller, until I threatened to involve my phone company's Malicious Calls Bureau.

With this sort of unthinking pressure from (legitimate) call centre staff who are in general merely following a pre-set script, it takes a fairly strong will to fend off such stupidity especially when it is backed by explicit, albeit incorrect, claims that it is being done "for security purposes" and that the law demands it.

People are also pre-conditioned to hand over such information by the sensible practice of companies requiring their customers to validate themselves over the phone with such information when it is the customer who has initiated the call - however too many companies who really ought to know better now seem to think that it is an equally secure practice when it is they who are calling their customers.

Josh OMarch 2, 2006 1:18 PM

Geez, I don't know where you people live, but don't they have certified mail there. For like 3 dollars I can have any letter I send be signed for and get a receipt sent back to me. If you are to be liable for receiving mail, then it needs to be certified so they can prove if you got it or not! Sounds like they dont' always do that, from these stories, though. I believe when I got called for jury duty before, it was certified. Had to go to the post office to pick it up actually. Complete PITA!

Davi OttenheimerMarch 2, 2006 2:44 PM

"I think "identity theft" is a terrible name for it, BTW. Your identity is the one thing about you that cannot be stolen. It's fraud. It's fraud due to impersonation."

I have an identity, therefore I am? Seriously, though, why would we say copying someone's identity without their approval is not stealing? I agree that duplicate IDs can exist, and therefore the "loss" of your ID does not mean that you no longer have one...but what is the point in saying that stealing an ID is not theft?

Look at it from a security practitioner's perspective. We try to stop unauthorized access to the ID data. Why? Because someone might "steal" it and then use it without authorization to impersonate someone (fraud). How do you suggest that fraud occurs if there is no "theft" of the ID in the first place?

Also, how do you account for protecting the many identities in our lives (e.g. father, brother, son, friend, coach, player, consumer, poet, writer) all of which are valid and sometimes even independent of the others? How do you identify your leader? Can someone take away your identity as a father? Apparently so:

http://www.azdhs.gov/vitalrcd/amend_02.htm

RogerMarch 2, 2006 7:34 PM

@David Frier:

> There are enough random factors in jury selection

True, it wouldn't be trivial. But an unscrupulous person facing, say, a 50:50 chance of either 5 years in prison or walking away scot free, might consider it to be worth a considerable effort and substantial money.

> from 5 to 30 fraudsters per day (jury selection doesn't always happen on quite the day one might predict)

That's true, but not very relevant, because the same panel (typically about 60 persons) is kept for the entire selection period. So basically all your stooge needs to do is avoid being selected for the wrong jury. There are a lot of well known tricks to help with that.

At least that's how it works around here, different places might do it differently; however getting a new panel every day would be an administrative nightmare, and an order of magnitude more expensive.

> to be reasonably sure of getting one on the targeted jury.

The probabilities aren't quite as hard as you seem to think. To avoid boring everyone I won't give the calculations unless asked, but basically with a typical rate of challenging (say, 1 in 3), the probability of getting at least one stooge onto the jury reaches 50% with just two in a panel of 60, and climbs quickly from there. If there will be two juries selected at the same session with yours second, you challenge one in three, and you have 5 stooges in the panel, then there is a 91% chance of getting at least one of your guys onto the jury, and a 60% chance of more than 1.

@Nick Lancaster:
> Furthermore, the only thing a fake juror could hope to do is hang the jury,

Not so, there are many valuable ways to use such a stooge:
* Spy on the jury room to help target arguments
* Argue your side in the jury room, including arguments not permissible in court itself
* Identify problem jurors who might be coerced or corrupted
* Warn the defence when to plea bargain or throw in the towel for leniency if they have no chance
* When majority verdicts are permitted, 2 stooges or 1 and an influenced juror can potentially switch all the way to "not guilty"
* Replace all the coffee with decaf -- except his own.
* The night before the prosecution sums up, spike the last coffee of the day with No-Doz. Decaf again in the morning.
* After dead-locking the jury, and everyone is tired and fed-up, horse-trade votes -- agree to switch to "guilty" on the one charge that he secretly knows will get a powerful mitigating argument in the sentencing phase.

> in which case his identity might come under further scrutiny,

Very unlikely -- it is a serious criminal offence to disclose how individual jurors voted.

Christopher DavisMarch 3, 2006 10:49 AM

@Roger: Massachusetts uses a "one day or one trial" system. If you are not empaneled, you have fulfilled your obligation after being available for that one day.

It works quite well, actually; the lower cost of participation makes it easier to comply instead of trying to avoid it, and they just cycle through more people over time, which spreads the load out.

another_bruceMarch 3, 2006 11:13 AM

@mattd
you let "call centre" people beat you up over the phone? yow!

Matt DMarch 3, 2006 4:11 PM

@another_bruce
I, personally, don't let call centre staff "beat me up over the phone", but that doesn't stop them attempting to do so!

My concern with the behaviour described (company calls me, asks for, e.g. DoB and first line of home address for "security") is that it is an insecure inversion of a different security practice (I call company, who then ask me for, e.g. account number and two other semi-secret items of information, to verify my identity).

When companies train their customers to unthinkingly recite various details about themselves over the phone in this way to what are essentially anonymous callers, "for security purposes", then they are also training their customers to potentially hand out information that is more sensitive to fraudsters and social engineers.

As I noted previously, these companies often then compound their error by claiming that it is a requirement of the UKs Data Protection Act that the person whom they have called recite this information to a cold caller - which is most certainly not what the relevant sections of the act are intended to mean!

johnOctober 12, 2006 7:21 PM

my jury was tampered with the corrup com fabricated a video, ifound out who it was then he showed up on the jury what is the pprobability?

johnOctober 12, 2006 7:22 PM

my jury was tampered with the corrup com fabricated a video, ifound out who it was then he showed up on the jury what is the pprobability?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Powered by Movable Type. Photo at top by Per Ervland.

Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.

 
Bruce Schneier
Subscribe
Atom Feed Facebook Twitter E-Mail Newsletter (Crypto-Gram)
Subscribe via Kindle
Blog Menu

Search

Powered by DuckDuckGo


blog only
essays and op eds only
whole site

Blog Home Page
100 Latest Comments

Archives by Date

2014 J F M
2013 J F M A M J J A S O N D
2012 J F M A M J J A S O N D
2011 J F M A M J J A S O N D
2010 J F M A M J J A S O N D
2009 J F M A M J J A S O N D
2008 J F M A M J J A S O N D
2007 J F M A M J J A S O N D
2006 J F M A M J J A S O N D
2005 J F M A M J J A S O N D
2004 J F M A M J J A S O N D

Tags

more tags

Support Bloggers' Rights!
Defend Privacy--Support Epic
Latest Book
Carry On
more books by Bruce Schneier


Co3 Systems