Identity Thief’s Best Friend
May 11th, 2009 by sherri
Today I got a charming letter in the mail from Citibank informing me that:
“A paper trail is an identity thief’s best friend. Sign up for paperless statements and you can rest easy knowing all your account information is locked away safely online.”
Ahahahahaha!…ha… ha… When’s the last time you heard about millions of credit card numbers being stolen from the mail? Somehow I don’t recall identity theft being such a big deal before online financial systems started taking off. In much the same way that the Bush administration linked Saddam Hussein to 9/11, credit card companies are now campaigning to link “identity theft” and… paper.
This brilliantly twisted marketing campaign:
1) Fuels the “identity theft” fear-mongering, increasing identity theft protection sales.
2) Reduces the number of individuals who will be able to independently verify and access statements down the road
3) Saves Citibank money on paper (which also benefits the environment, but that isn’t Citibank’s motivation)
4) Instills a false sense of security regarding the safety of web-based account management systems
5) Increases customers’ risk of identity theft by promoting the use of insecure, online web based account management systems (which will subsequently lead to more “identity theft protection” sales… yay!)
I’d feel a lot safer if all of my account information were locked away in my own fireproof filing cabinet. Unfortunately, it’s clearly not. Less than a month ago Citibank sent me a new card because one of their payment processors lost millions of people’s account information, including mine.
An identity thief’s friends are the vast legions of computers running Windows with Internet Explorer that people use to log in to their online accounts (with re-used passwords such as “fluffy2009”). Identity thieves are also pretty chummy with payment processors such as Heartland, who recently lost over 100 million credit card numbers.
Identity thieves’ best friends in the world are the credit card companies themselves, who have created a system rife with holes, and subsequently profit from their own systematic failures through scams such as “identity theft protection” services.
What chutzpah.
| Sherri Davidoff |
| PGP-signed text: 2009-05-11 (current) |
| 2009-05-11 (version 0) |







What a load of rubbish.
Mastercard and Visa both have a “zero liability” policy for unauthorised transactions. It is by far a better way to conduct transactions online compared to other means.
If your argument is that online merchants can store credit card details rather than merely forwarding them to a payment gateway, then I fail to see why the average credit card user shouldn’t take steps to avoid their paper mail being intercepted by an unscrupulous person.
And in what world does pushing online statements constitute increasing “identity theft protection sales”? And what are these “identity theft protection” products you speak of? Do you allege Citibank to have a financial stake in them too?
It is quite interesting that you accuse Citibank of scaremongering, yet all your article appears to do is raise unfounded allegations at a company, which, for the most part, appears generally concerned with the inherent insecurity of delivering paper mail to (what I would assume to be, in the majority of cases) unsecured mailboxes.
If you’re a target for identity fraud, it seems that your mailbox would be a fantastic way to acquire information to proceed. Do you really wish to dispute this?
“Paper” is not the driving force behind the identity theft problem. Yes, things can (and have) been stolen from the physical mail, but the number of people who can potentially access the average user’s desktop and online accounts is far greater. Furthermore, most financial institutions haven’t bothered introducing technology like two-factor web site authentication, which would greatly increase online banking site security. With all the malware, spyware and other nastiness infecting a normal user’s computer, simple password protected web sites are not even remotely a secure means for storing account data.
Can you imagine someone trying to steal 100 million credit card numbers from a large city mail processing center all at once? It wouldn’t be subtle at all. On the other hand, virtual theft of over 100 million credit card numbers happened recently with Heartland, and it took them a while to figure it out. As Dr. Dan Geer once pointed out, on the Internet you’re only 150 milliseconds away from every psychopath on the planet. The risk involved in stealing data virtually is far less than it is for theft in the real world, and the payoffs are greater.
Credit card companies offer their own Identity Theft Protection services, such as:
Citi’s IdentityMonitor
Discover’s Identity Theft Protection
… and many others.
Lots of credit card companies do offer low or zero liability for identity theft, but once your information has been stolen it can be used to cause you headache in ways far outside the credit card company’s control. Health insurance fraud is a good example.
Online banking is convenient, but security protections right now are not very effective. There are a few companies out there that require hardware tokens and two-factor authentication, but in the United States that’s the exception, not the rule. People seem to have just accepted that theft and lack of privacy are the price of convenience, and rather than invest in preventative solutions, credit card companies are offering response services and making a killing.
I agree with #1 k, and furthermore research supports it. According to a 2008 study by Javelin Research (http://www.mailboss.net/identity-theft-up-22-in-2008/), the MAJORITY of identity theft occurs due to LOW-TECH methods such as a stolen wallet or mail stolen from mailboxes – either unlocked mailboxes or low-quality locking mailboxes like apartment cluster boxes, the MailSafe, etc. You point out that thieves can access a greater VOLUME of information in the way you describe… that may be true but there is nothing that we, as Americans, homeowners, consumers can really DO to ensure that these corporations are taking the necessary steps to secure our information. Most of them are, and for this reason these massive kinds of data breaches are rare. On the other hand, millions of Americans have their identities stolen every year, and the majority of those who know how their information was taken report it was through physical PAPER documents. SOooo.. if you are not going to take the necessary precautions to secure physical documents with your personal information (i.e. use a security locking mailbox and a paper shredder religiously) then getting bank statements and other documents with sensitive info online versus in the mail is a SMART WAY to minimize your risk of becoming an identity theft… based on the available STATISTICS.
Also, mail theft has been around since the 1800s believe it or not… and has been a HUGE problem in the Northwest beginning about 1995… before the era of online banking.
For an example of millions of credit card account numbers being stolen through the mail… I can’t give you that. But how about thousands of people’s accounts taken for millions of dollars? http://www.nytimes.com/2000/06/08/nyregion/2-charged-in-1.5-million-mail-theft-scheme.html?sec=&spon=
“2 Charged in $1.5 million mail theft scheme: A young couple used mail pilfered from THOUSANDS of homes in Queens and Long Island neighborhoods to steal more than $1.5 million from banks and credit card companies, prosecutors said yesterday.”
@MailBoss:
Thanks for the interesting link. The study you referred to says that:
Data Loss DB: Latest incidents
Data Loss DB: Largest incidents
SC’s Data Breach Blog
“Federal prosecutors have charged 11 people with stealing more than 41 million credit and debit card numbers, cracking what officials said on Tuesday appeared to be the largest hacking and identity theft ring ever exposed…
“Mr. Gonzalez and several in his cohort drove around and scanned the wireless networks of retailers to find security holes — known as “war driving,” according to prosecutors. Once the thieves identified technical weaknesses in the networks, they installed so-called sniffer programs, obtained from collaborators overseas.”
“Those programs tapped into the retailers’ networks for processing credit cards and intercepted customers’ PINs and debit and credit numbers that were stored there. The thieves then spirited that information away to computers in the United States, Latvia and Ukraine…”
“‘Computer networks and the Internet are an indispensable part of the world economy. But even as they provide extraordinary opportunities for legitimate commerce and communication, they also provide extraordinary opportunities for criminals,’ said Michael B. Mukasey, the United States attorney general, at a news conference in Boston to announce the indictments.” – The New York Times, August 5 2008
Well the point in referencing that article is that… out of the people who KNEW how their identity was stolen, the MAJORITY was from low-tech methods, i.e. stolen wallet, mail, dumpster diving, etc. People are more AWARE of the high-tech cyber plots and more fearful of this avenue.. yet research shows low-tech methods account for the majority of known means of perpetuating ID theft.
None of this takes away from my main point that **MAIL THEFT IS HUGELY UNDERREPORTED** either because (1) homeowners don’t realize their mail has been stolen (I imagine a large percentage of the 65% of individuals who don’t know how their information was compromised had their mail stolen) or (2) homeowners don’t know who to contact if they suspect their mail has been stolen. I have read countless blogs of individuals complaining they find their junkmail discarded on the street and suspect someone has been rifling through their mail… but they don’t report this to the authorities… police or USPIS.
The failure to report ID theft is across the board as I’m sure you know, not just for mail theft… so most experts agree the FTC values largely underestimate the ID theft problem numbers as a whole…
Unlike with stolen mail, I imagine most individuals who have their information compromised via large corporate data breaches, they are AWARE that their info was compromised b/c the company has a legal obligation to inform the consumer. I have heard of many instances of this happening.. sometimes banks will just reissue cards and account#s without even asking if the breach was large enough.. I guess that’s damage control of sorts..
Anyway, I’m glad you have brought this information to light though, I think it’s important for consumers to be aware of all the ways their ID info can be compromised so they can cover all their bases.