Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Squid Cooking Tools |
| Disaster Recovery for the Internet »
November 5, 2007
Synthetic Identity Theft
Synthetic identity theft is poised to become a bigger problem than regular identity theft:
Unlike traditional identity thieves, who purloin people's information to get loans or make purchases, fraudsters like Mr. Rose mix legitimate and phony data to create synthetic identities. This kind of fraud doesn't usually directly affect consumers. The big losers are banks, which get stuck with loan defaults and unpaid credit-card bills that identity thieves leave behind.
Actually, real people do get harmed:
The men paired fake names with Social Security numbers of real people. Adam Gregory, the purported Las Vegas resident, had the Social Security number of a real California resident.
The conspirators needed addresses for their synthetic identities and for a dozen or so shell companies that helped to facilitate the scam. Eventually they rented 200-odd apartments in 14 states. They kept binders of data in their Phoenix headquarters to keep the details straight.
The duo acquired business licenses, usually online, for the dummy businesses. A few had real offices with furniture; others rented "virtual" office space. After Messrs. Rose and Newton triggered the credit bureaus to set up no-hit files for their synthetic identities, their shell companies fed false data to credit bureaus.
Posted on November 5, 2007 at 6:14 AM
• 23 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
With regards to shell companies and such, one of the most profitable frauds in Europe is VAT fraud via cross boarder trade. It is known as Carousel Fraud and it is costing the EU more than 50Billion and obviously the fraudsters pick up a large chunk of this cash.
For one of the more recent incarnations see,
The long-term solution here involves weening ourselves off of the crutch of identity.
Interim measures include support for the creation of legitimate lightweight identities whose attributes are a subset of your real ones, thereby allowing you to limit your exposure to risk when one of your lightweight identities is stolen or corrupted. (The Burton Group's Limited Liability Persona is a good concrete example.)
Wow is that ever a lot of work. I wonder what these cretins' *effective* annual salary was? Wouldn't it be far less stressful to put the same effort into a legitimate job?
@Yahoo: After he serves his approximate three years in prison, he will have grossed $150,000 per year.
One of the telling bits in that article is the "reason" given for the existence of multiple files associated with the same social security number. All of the non-fraudulent "variations" are things that could be checked out and either corrected or properly noted and incorporated into the right primary file. Instead, if someone mistypes a social security number, the credit-report folks just blunder forward with the erroneous data. (Because, y'know, programmers have never noticed that raising an error when wrong data first appears is much cheaper than just continuing the computation until something blows up.)
This really isn't new. The slightly smarter use SSNs from deceased persons.
Good grief. Some people really don't know what the word "theft" means. I thought "identity theft" was bad enough.
What you appear to mean to say is "identity synthesis". And that's still stretching "identity" a bit.
It would seem pretty difficult to tell the difference between a fraud and a real person who doesn't fit the norm.
I left the US as a child, before getting a SSN. You can imagine the hoops I had to jump to get a bank account with only a passport and a new SSN. My foreign DL wouldn't be taken as ID. They asked for my 'visa or green card' even though I have a US passport.
I have an established identity now, but am I really me?
First off, the original WSJ article called this "synthetic identity fraud", why Bruce felt the need to change this to "identity theft", I have to wonder.
Seems like a pretty eloborate scheme, to say the least. Kind of reminds of the schemes Frank Abagnale cooked up (and sensationalized in the movie).
Again, this is just another example of the inadequate systems used by the financial industry.
But then, it all comes down to risk. What are the trade-offs regarding identity and potential fraud that are going to be made by the financial institution when giving the financial institution's money to someone. The problem is that some financial institutions are willing to take on more risk than others (a lot of risk in cases like those describe in the article). The problems arise when financial institutions "lose their bets", and try to pass their loss off as "identity theft".
Keep in mind that "identity theft" doesn't really exist, it is just a clever term created by the financial institutions to allow them to pass their fraud losses onto unsuspecting people/customers.
For those of us seasoned in the field, we know that ID theft is an oxymoron. It is fraud through impersonation, where the victim is left with their identity, and in essense "framed" for the crime. However, ID theft, for whatever reason, has become the term. Whenever I write about this type fraud, I always mention the term Identity Theft (with a brief note explaining what it really is) so that readers with less expertise, as well as those doing searches, may find it. After all, if those who understand what is wrong with the term never use it, those who do searches will never find it.
Though I don't know this for sure, i would suspect Bruce used the term Identity Theft so that the general readership would recognize and/or locate what he is talking about.
here's a REAL terrorist threat:
"Imagine what detrito-terrorists could do in a major American city if they stole a gasoline tanker, then drained it into a major and critical sewer pipe, and ignited the vapour'"
this is what it does:
yahoo: Yeah, but I bet this was more fun, except for the whole getting-caught aspect. You have to admit it's a clever hack.
"This kind of fraud doesn't usually directly affect consumers. The big losers are banks, which get stuck with loan defaults and unpaid credit-card bills that identity thieves leave behind."
Here's a spoiler: Consumers eventually pay for everything.
Anton> Here's a spoiler: Consumers eventually pay for everything.
I see. So there's no need for ethics in business. Bonus!
Spoiler: consumers, in general, do *not* eventually pay for everything. Investors pay for a lot of it, and there can be a pretty long path between the cash some "consumer" plops down for a bag of corn nuts and a fat cat investor's big stock purchase.
From here on out, I am only interested in what is real. Real people, real feelings, that's it, that's all I'm interested in.~
Russell Hammond Quote from the movie Almost Famous
I don't get it - why would a bank accept a loan request from a name whose social security number relates to someone completely different? If banks are too lazy/stupid/tightfisted to check details properly they deserve all the fraud they can afford.
Banks have knowingly spent less money on security an passed the buck by using chip and pin.
This has been proved to be even worse than a simple signature as people can withdraw without fear of refusal of signature.
I asked my bank to add a picture of me on the card, but this wouldn't help as the purchase is made with no human checks anymore!
The annoying thing is that you can't live without them, unless you get paid in cash!
@Tricky, isn't cash illegal yet?
Outstanding! Maybe this will make banks stop issuing credit under false pretenses; which will in turn make "identity theft" (the code word for lazy/greedy banks giving money to people who they do not know) decrease.
Also, I never realized credit bureaus were so closely modeled on the "no fly" list...
This sounds great!! It gives me hope. I want a synthetic identity so that I can occasionally hop of the grid. Imagine a nice credit card (I'm the sort of guy that would pay the bill; profit's not my interest) that wouldn't be associated with you.
I want to be able to buy, say, some nice porn or donate to a radical political group with no chance that it shows up in my history.
The ability of computers to connect everything I have ever done to me at any time causes despair. This is a rare bright moment.
The untraceable "credit card" already exists: go into any Long's Drugs and look for the Green Dot Visa (a prepaid debit card, which you can purchase for cash without giving your name). These appear to be intended for people without bank accounts, but I'm sure they're quite useful to the dope dealers and other off-the-record income earners too, especially since there's no reason one person can't have several.
As for using the SSNs of dead people: this amounts to the same crime, because SSA frequently reissues dead people's SSNs and will have to keep doing so unless it increases the number of digits in an SSN.
What may do some good is the new system of "e-filing" tax returns, which may become compulsory in the next few years. The "e-file" system refuses any return that contains an SSN (whether it's the taxpayer, spouse, or a dependent) whose name on file with SSA does not match the name for that person on the return. This is not a foolproof system (SSA itself will accept as proof of identity many documents that other agencies won't, but they'll take a Social Security card), but it's progress.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.