Can we trust anyone with our personal info?


In the last few weeks, two very different criminal cases have concluded on opposite sides of the Atlantic, each of them showing how vulnerable our personal information is to those eager to exploit it.

In the US, a man was sentenced to more than nine years in jail, and ordered to pay over $600,000 in restitution, for his part in a scam using the identities of prison inmates to make tax refund claims.

Harvey James was part of an Alabama-based gang which gathered stolen identity data from a range of sources, including an unnamed co-conspirator with access to information on prison inmates stored by the Alabama Department of Corrections.

This data was then used to file tax returns, with any resulting refunds, issued in the form of prepaid debit cards or cheques, making their way to the crooks thanks to a corrupt postal worker, Vernon Harrison.

Harrison provided James with addresses on his route for the refunds to be sent to, then harvested the refund mail and passed it on to James via another unnamed conspirator.

Harrison was given 111 months in jail and a fine of over $82,000 in October 2013.

James also worked together with his sister Jacqueline Slaton, who was sentenced to 70 months jail time and $100,000 in restitution in October 2012.

James pleaded guilty to mail fraud and identity theft charges in October last year, and his sentence of 110 months in jail, plus three years supervised release and a $618,042 restitution payment, was handed down on 29 April 2014.

Between them the gang filed over 1000 fraudulent tax returns and netted over $1 million in refunds.

It seems that a large proportion of US tax returns result in refunds, with standard payouts averaging around $3000. These refunds are a popular vector for cashing out on ID thefts.

In the UK, the Information Commissioner's Office has released details of a case in which a private investigator was fined £89,000 (about $150k) for tricking various bodies out of information on their clients and customers.

Barry Spencer ran a company called ICU Investigations, specializing in tracking down debtors for clients including insurers, banks and utility firms.

The investigators regularly scammed personal data on their targets from doctors' surgeries, utility providers and the TV Licensing authority, often claiming to be the people they were trying to trace.

Spencer, alongside business partner Adrian Stanton, was convicted of breaches of the Data Protection Act in November last year. Stanton and several other employees of the firm were jointly ordered to pay a total of over £34,000 (about $60k) in fines and costs in January.

Spencer's fine includes a confiscation order of just over £69,000 (about $115k) for proceeds of crime.

These two cases show the many uses to which our personal information can be put, and how knowledge about us can be turned into cash in a bewildering variety of ways.

They also show the vulnerability of our information to leakage.

It doesn't take an epic digital breach like the Target leak for us to be at risk of ID theft - often all you need is a corrupt employee or two, such as the corrections office leaker and the postman in the Alabama fraud case, or the outsourced contractors in the recent AT&T case, for swathes of information to find their way into the hands of crooks.

Even where there is no intent to leak on the part of those holding our data, they can still be tricked into handing over information through social engineering, like the agencies abused by the UK private investigators, or the online service providers who can be conned into granting access to accounts.

We even leak information about ourselves when we're just driving to work.

The root of the problem is the loose and insecure methods we use to authenticate ourselves. Different bodies accept all manner of information as proof of identity, and if that information can be stolen it can be leveraged to pose as us.

The solution, a foolproof and incontestable authentication process, remains a rather distant dream.

Even if we can come up with a panacea, unless it includes something drastic like microchipping us all at birth, there will still need to be a transition process, which is likely to rely on the old, weak approaches and so will leave the new process open to fraud from the start.

We will probably need to keep on hauling our identities back from scammers for a long time yet.



3 Responses to Can we trust anyone with our personal info?

  1. This is exactly what I've been complaining to our legislators about. I always get to the 'free' sites, that only want information, sometimes including a credit card, but at least some of your information that I consider very valuable. When an adult site is accessed, they want a credit card to 'prove you are 18', but they have already shown you what they claim to be checking for.

    I would hope our legislators would stop the flagrant use of 'free', used on-line by probably thousands of sites. This along with the promise of $1 access and then they slam you with a $39.99 charge, from somewhere. Not to mention 'free download', that we know as a ruse.

    I hate to see the legislation of this kind of stuff, but it's abuse that usually institutes legislation and these people need to be stopped. Not telling where the data actually goes...

    Jack

  2. Vito · 140 days ago

    Are there actually people who think microchipping everyone is a good idea?

    Wow.

    But perhaps I shouldn’t be so surprised. After all, there are still people who think it's a good idea to give money and power to politicians...which, as P.J. O'Rourke once said, is like giving whiskey and car keys to teenage boys.

  3. Neal O'Farrell · 139 days ago

    I'm currently involved in a case where a thief was able to run a similar scam, from San Quentin prison in California, for nearly 3 years without being caught. In another case, a thief in the same neighborhood was caught with nearly 500,000 stolen identities in his hotel room. That's the equivalent of a mid-sized city, all in the hands of one thief who knew exactly what to do with it.

    Assume all your information is already out there and you're just waiting in line for your number to come up.


About the author

John Hawes is Chief of Operations at Virus Bulletin, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO) in 2011.