Schneier on Security
A blog covering security and security technology.
« Designing Processors to Support Hacking |
| Protect Your Laptop Screen from Roving Eyes »
April 25, 2008
Identity Theft from the Dead
List of deaths, intended to prevent identity theft, is used for identity theft:
Ironically, the government produces the monthly Death Index so that banks and other lenders can prevent people from applying for credit using a dead person's information -- the index is made public by the Department of Commerce under the Freedom of Information Act. The caper Kirkland's accused of mastering apparently exploits a loophole, by taking over accounts that are already open.
Posted on April 25, 2008 at 6:01 AM
• 21 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Isn't that a problem with the banks, etc, not using the Death Index, rather than with the Dept of Commerce publishing it?
Some people die and still can't get AOL to stop billing them. Sad.
On the other hand, if credit freezes were mandatory, this kind of thing couldn't happen.
I'm suffering from semantic confusion here: if you can "steal" identity from the dead, how come you can't "inherit" identity?
Or is "identity theft" in fact a misnomer, meaning "bank robbery" ;-)
"The caper Kirkland's accused of mastering apparently exploits a loophole"
Often the way with identity theft.
Seems to me that the "loophole" has little to do with the death list. It's that you can phone up a bank and add yourself to an account using only the name, DoB and SSN of your victim.
Unless the criminal was actually claiming to be the executor, that will work just as well for live victims as dead. If the exploit does rely on the person being dead, then a relatively simple fix might work - don't allow executors to just add themselves as users of accounts. Have a formal process by which the accounts of the deceased are closed and funds made available for transfer to the estate.
Otherwise, the death list is just the icing on the cake for criminals who unaccountably have no other way of finding out DoBs and SSNs. Seriously, how many specific examples does it take to prove a general point?
I guess the main advantage of stealing from dead people is that they're less likely to complain.
The banks and credit companies are complicit and negligent in all identity theft. As usual, the consequences are on the victim, not the enabler. Can we sue them for complicity? Unlikely, they can buy enough regressive politicians to make themselve judgement proof.
I've always thought financial institutions should be responsible for verifying the identity of the person they're dealing with. Since the only victim of this crime (other than the general public indirectly) is the bank, I suppose it's better than the fraud being committed using a live person. I also have to admit I feel this admittedly perverted sense of justice that the banks are left holding the bag.
@Keith and Rai
"the index is made public by the Department of Commerce"
Can it be any more clear who is at fault? Read the quoted sentence again.
Sounds like the Bank could fix this by applying additional functionality to the way it uses the death index.
Precisely this situation was already described by Gogol in "Dead Souls". To quote
The plot of the novel relies on "dead souls" (i.e., "dead serfs") which are still accounted for in property registers.
Another twist on social engineering and human nature to convince the company to change the address. The firms involved should have been able to verify with the same death index that the account holder was dead.
I have used the SSI death index in the past for genealogy and never wondered about accessing the information. It is open to the public.
This turns into an interesting denial of service attack. Just report your victim as having died. Anyone claiming to be him *must* be an identity thief, right?
BTW, this was originally used by Jonathan Swift against an astrologer named John Partridge. He printed a prediction of the man's death under the name of Issac Bickerstaff and then sat back and watched the fun. Pretty much destroyed the astrologer's career. It is considered one of the greatest April Fools pranks of all time.
Wouldn't it be nice if we overhauled our financial system to use public/private key digital signatures for authentication instead of SSN?
I feel the banks make it too easy, as well. However, when you can find a valid first, last, SSN, and address in a DB query that takes literally 10 seconds @ a free web site, you may start to think that the congress needs to rethink the public cost/benefit at having SSNs be subject to FOIA.
That said, if banks and other lenders get this dead list, it must be trivial to obtain a copy via a bank employee.
Chris: I think Congress and everyone else need to re-think the cost/benefit of treating mere knowledge of someone's SSN as proof of identity.
I worked for a govt. owned lender in the UK, where the official death register isn't ready yet, and we wrestled with death (so to speak). There are two problems with death and finance;
1/ if you don't have a death register you are vulnerable to fraud where people masquerade as the dead.
2/ if you have one and don't use it rigorously you are significantly more vulnerable to the same frauds.
The fact that there are homespun registers means you have to have your eye on the ball to avoid inadvertently falling into the second category.
The answer is for gov't agencies to publish a death register, and do it often and accurately, and for financial institutions to pay attention to it.
I have no sympathy for risk-based lenders who get burned if there is an official register. But the story you link suggests that the fraud was facilitated by unofficial death notices from genealogy sources, which could so easily blind side big institutions.
There's no excuse for using secrecy or ignorance as your security, locksmiths tried it, admittedly it worked for them for centuries, but in the final analysis its a flawed premise.
Weren't you against usage of this unfortunate phrase "identity theft"
(http://www.schneier.com/blog/archives/2005/04/mitigating_iden.html)? Identity is a concept. It is a type of information which means that one can uniquely recognize some object in a set of objects. E.g.: "I will call this pebble Yamada, and I can identify Yamada in a truckload of pebbles by its distinctive patterns of scratches from kicking it around". Identity can be unknown, but it can not be stolen. Only Bruce Schneier is Bruce Schneier, and no one else is Bruce Schneier, no matter who says what. It seems like there is sort of consensus among many commenters on this blog that it is preferable to use term "fraud by impersonation" or similar (see Nick Bohm's excellent summary in a comment on http://www.schneier.com/blog/archives/2006/11/...
This particular case of impersonating dead people is just that - impersonation. Title of blog entry "Identity Theft from the Dead" looks really bad in this context. I understand that you wish to speak to broader audience, many members of which have only heard of "identity theft", and have not realized that it is a misnomer for "impersonation". But if you continue writing "identity theft" without explaining that it is not (as you seem to have done in several last blog posts; please excuse me if I'm wrong on this) - this does not help to educate general population, does it? I urge you not to leave "identity theft" unqualified in your writings.
"Weren't you against usage of this unfortunate phrase 'identity theft.'"
Yes, but sometimes it's just expedient.
An advantage of the Death Index is that it'll stop all those zombies from applying for a bank account.
The caper Kirkland's accused of mastering apparently exploits a loophole, by taking over accounts that are already open.
My friend died in 2002 he was 15 years old He died of the result of playing a "Pass out Game" , Ilinois DMV issued someone a drivers license using his identity. He had to wait untill he was 16 however he died 16 days before his 16th birth day, so someones using his social security number and obtained a drivers license after he died.
How can I get on the Death List?
I mean, if I'm dead I don't have to pay a debt and I can't be prosecuted for a crime, right?
It's like disappearing.
Hey, can I put my boss on the list?
This is way better than a David Copperfield act. Huh!
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.