A Florida man has been sentenced to two years in federal prison for defrauding student aid accounts, while his two fellow-conspirators have been given probation and community sentences.
The group’s techniques should serve as a reminder that it’s not just the information stored on our computers that we need to keep secure.
Christopher J. Wright of Fort Lauderdale in Florida was a student at Florida Agricultural and Mechanical University (FAMU) when he and two other Florida men hijacked financial aid accounts of a number of fellow-students, redirecting funds due to them into accounts controlled by the trio.
Wright was sentenced last week to two years prison time, and the two men who joined him in his frauds, Carl Coutard and Carliss Pereira, pleaded guilty earlier this year and have been given “home detention” and “community confinement” sentences, plus community service and restitution payments.
Most but not all of the money they defrauded has been retrieved by reversing transfers.
At the time of the initial indictments in the case, the offenses covered were said to carry sentences of up to ten years in some cases and five years in others, so it may seem that the three men have got off lightly, particularly those serving no actual jail time.
But the US Attorney announcing the sentences insisted that they send ” a clear message that engaging in this type of criminal conduct will have serious consequences, including the real possibility of a felony conviction and a prison term”.
Perhaps the most interesting feature of the case from a security viewpoint is how the three men went about gathering the information they needed to defraud their victims.
As well as using the standard techniques of social engineering, “tricking FAMU employees and the students themselves into providing this information”, and researching their victims on the internet for useful PII, they also found data “by taking paperwork discarded in the trash bins near the FAMU computer help desk”.
This should remind us of the importance of hard-copy data as well as the vast swathes of digital information on all of us swirling around the internet.
In the age of NSA snooping anxiety, the focus of our privacy worries has been very much on protecting our online data and communications, but it’s important not to forget the potential value of old-school “dumpster diving” techniques.
Printed material we throw away can be very useful to identity thieves. Those pre-filled-in credit card application forms the banks seem to so enjoy sending out may be an obvious danger, but there are subtler indicators too, with data such as dates of birth and travel plans often easily deduced from discarded material.
Printing things out at work or college is especially dangerous, as we tend to feel safer among our peers and so are perhaps less wary of leaving bank statements or half-filled application forms lying around for prying eyes to see.
So be careful with your personal information in the real world, not just in the digital one – for example, I tear addresses off junk mail before it goes into the recycling, and I put anything at all personally identifiable straight onto the fire-lighting pile to be burned ASAP.
If you’re not lucky enough to have a nice fireplace to keep you toasty and safely destroy documents, maybe invest in a good-quality shredder and use it on anything at all sensitive.
And if you’re running a business, hospital, university or other institution handling sensitive internal or third-party data, consider a shred-by-default policy, and discourage your people from printing out anything that doesn’t really need to be committed to paper.