Can we trust anyone with our personal info?


In the last few weeks, two very different criminal cases have concluded on opposite sides of the Atlantic, each of them showing how vulnerable our personal information is to those eager to exploit it.

In the US, a man was sentenced to more than nine years in jail, and ordered to pay over $600,000 in restitution, for his part in a scam using the identities of prison inmates to make tax refund claims.

Harvey James was part of an Alabama-based gang which gathered stolen identity data from a range of sources, including an unnamed co-conspirator with access to information on prison inmates stored by the Alabama Department of Corrections.

This data was then used to file tax returns, with any resulting refunds, issued in the form of prepaid debit cards or cheques, making their way to the crooks thanks to a corrupt postal worker, Vernon Harrison.

Harrison provided James with addresses on his route for the refunds to be sent to, then harvested the refund mail and passed it on to James via another unnamed conspirator.

Harrison was given 111 months in jail and a fine of over $82,000 in October 2013.

James also worked together with his sister Jacqueline Slaton, who was sentenced to 70 months jail time and $100,000 in restitution in October 2012.

James pleaded guilty to mail fraud and identity theft charges in October last year, and his sentence of 110 months in jail, plus three years supervised release and a $618,042 restitution payment, was handed down on 29 April 2014.

Between them the gang filed over 1000 fraudulent tax returns and netted over $1 million in refunds.

It seems that a large proportion of US tax returns result in refunds, with standard payouts averaging around $3000. These refunds are a popular vector for cashing out on ID thefts.

In the UK, the Information Commissioner’s Office has released details of a case in which a private investigator was fined £89,000 (about $150k) for tricking various bodies out of information on their clients and customers.

Barry Spencer ran a company called ICU Investigations, specializing in tracking down debtors for clients including insurers, banks and utility firms.

The investigators regularly scammed personal data on their targets from doctors’ surgeries, utility providers and the TV Licensing authority, often claiming to be the people they were trying to trace.

Spencer, alongside business partner Adrian Stanton, was convicted of breaches of the Data Protection Act in November last year. Stanton and several other employees of the firm were jointly ordered to pay a total of over £34,000 (about $60k) in fines and costs in January.

Spencer’s fine includes a confiscation order of just over £69,000 (about $115k) for proceeds of crime.

These two cases show the many uses to which uor personal information can be put, and how knowledge about us can be turned into cash in a bewildering variety of ways.

They also show the vulnerability of our information to leakage.

It doesn’t take an epic digital breach like the Target leak for us to be at risk of ID theft – often all you need is a corrupt employee or two, such as the corrections office leaker and the postman in the Alabama fraud case, or the outsourced contractors in the recent AT&T case, for swathes of information to find its way into the hands of crooks.

Even where there is no intent to leak on the part of those holding our data, they can still be tricked into handing over information through social engineering, like the agencies abused by the UK private investigators, or the online service providers who can be conned into granting access to accounts.

We even leak information about ourselves when we’re just driving to work.

The root of the problem is the loose and insecure methods we use to authenticate ourselves. Different bodies accept all manner of information as proof of identity, and if that information can be stolen it can be leveraged to pose as us.

The solution, a foolproof and incontestable authentication process, remains a rather distant dream.

Even if we can come up with a panacea, unless it includes something drastic like microchipping us all at birth, there will still need to be a transition process, which is likely to rely on the old, weak approaches and so will leave the new process open to fraud from the start.

We will probably need to keep on hauling our identities back from scammers for a long time yet.

Image of hands on bars courtesy of Shutterstock.