Identity Theft is a crime that millions of people have been exposed to and millions more are afraid of. Some experts even say it’s not a matter of if, but when you’ll be the next victim. Identity Theft can even happen to the deceased, which only makes things harder for those left behind. So what can be done about it, and how does it happen?
What got us thinking about this story was a blog post written by Rafal Los, a security consultant and blogger. “I've been contemplating writing this article for a while, not knowing the impact it would bring but I just can't justify keeping my mouth shut any longer. There is too much at risk here,” wrote Los. His topic was Identity Theft and how one business made it a risk to the dead.
The story he told centered on a client he had about a year ago, who needed his services because of a severe lack in security. However, this client was unique, or as Los put it, “You know when you check that little box on the back of your license that says you'll donate your body parts when you pop off... these folks get your parts.”
They are unique not just because of what they do as a 501(c)(3), which is manage the willed body donor program in Illinois, but because they lacked basic security to protect the identity of those who were enrolled in the donor program.
“This organization, prior to my arrival, never even had a firewall on their Internet-facing DSL circuit. Everyone could get access to their MS Access database or spreadsheets where hundreds upon hundreds of records were meticulously kept. The information gathered was an absolute what's-what in information and identity theft,” explained Los.
The information he is referring to includes Social Security number, home address and phone number, birthdate, eye color, hair color, weight, and more.
“Given that the person was deceased, they figured it wouldn't matter anymore except that they often couldn't find the right information for the right body. Yea... this is what disturbed me,” Los added in his post.
When it came time to implement security, according to Los’ story, that wasn’t going to happen, as his clients told him that they didn’t have the funding.
“It seemed like any kinds of controls I wanted to put into place were met with a staunch reply of "well, we don't have money for that"... and they really didn't want to hear anything about the kind of absolute atrocities they were committing. I shudder to think what's transpired there over the past 18 or so months... but the point is I suspect nothing has gotten better,” Los wrote.
We talked with Los, and he would not give the name of the organization he talked about in his post. However, the number of associations in the Chicago area that deal with willed body donations, including the organ and tissue banks listed, is rather small, so it was fairly simple to narrow it down to one single source.
We spoke to the organization as well, in one of the cold calls we made for this story. The information they provided about past data practices, as well as some other parts of the conversation, made for a telling story.
However, out of respect for the families of the donors, as well as the company, as we don’t know if the staff presently employed were there at the time Los contracted with them, we will withhold their name. That is, unless they come forward, or Los gives out the name on his own.
While researching this article, several cold calls gave us the same basic information. Mostly what we learned is that the details about a person become public record shortly after they die. It is entirely possible to look up a person’s death certificate, as well as other information, on your own. When you add those facts to the research detailed earlier this year on the personal blog run by the VP of Research at Damballa, Gunter Ollmann, the amount of personal information available to the public is almost the same whether the person is living or dead.
Ollmann, using Obituaries.com, was able to discover all the information needed to create a complete profile on a person who had just died. While the scope of Ollmann’s research was to discover the answer to the question of, “how family members of the recently deceased could recover the passwords of email accounts,” the use of the same information for Identity Theft is not that far of a stretch.
Not to come off as alarmist, but after spending just 10 minutes on Legacy.com, where family can create virtual memorials of their recently departed loved ones, we were able to discover quite a bit about a man from Pennsylvania, including everything short of his Social Security number. This type of information could be used to assume his identity, and with a little work, take out credit in his name. We didn’t do that obviously, and we wouldn’t for both legal and moral reasons, but would a criminal be as considerate?
There are other ways to access information, for example the Social Security Death Master File. This file is used to record the name and SSN of every deceased individual reported to them. The various Departments of Motor Vehicles and credit bureaus will ping this and update their records accordingly. At the same time, it can take weeks or months for the new information to be assimilated across all the various agencies and organizations. This gap is where identity thieves operate.
A criminal is unlikely to think twice about the expense of paying $650.00 USD for access to the SSDMF if the return on investment is good. For $650.00 USD the criminal could make 1,000 queries to the records. The names would come from the obituaries, as well as other sources online. If the investment is too much, there is always the Social Security Death Index to help with the search. The point here is that the criminals care not if you are living or dead, just that your name and Social Security Number are out of the various indexes that would prevent them from using it.
Identity thieves often operate in rings. Sometimes they are highly sophisticated and even organized on a criminal level. There is a good deal of money to be made from buying and selling personal information, and the fact that the person might be dead is of little consequence. One example of this comes from 2004.
In 2004, scammers trolled obituaries and took the information collected there to pull credit histories and reports from online sources. With the accumulated information, the stolen identities were used to purchase cars from an unidentified metropolitan Atlanta car dealership. The stolen identities, mostly from deceased in Georgia, California, Virginia, Oklahoma, and Ohio, were also sold.
Jay Foley of the Identity Theft Resource Center, a San Diego-based consumer advocacy group, said in a 2007 interview that, “About 400,000 checking accounts were opened in the names of deceased people in 2004.” He added that the ultimate goal would be to open credit accounts in the deceased’s name.
Ghosting is another problem, which is a different branch of Identity Theft on its own. Criminals here will ghost (clone) a person’s identity, sometimes their entire life, and sell it. In each case of ghosting, the deceased individual’s family is often unaware that someone is living with the identity of the person they just lost. The only time that the ghosting scam becomes useless is when the various agencies and bureaus update their records. Ghosting, more often than not, is where illegal aliens get their identifications from.
However, back to the original problem: companies that are supposed to secure this information and fail to do so.
Los noted in his blog post that you'd have to ask yourself, “... how many "hackers" have stumbled upon a wide-open internet-connected server with no security controls, perused the many data files on there only to discover a trove of information about people who can't even speak for themselves? How should organizations like this be held accountable?”
The answers to his questions, in order, are that there is no way to know, as the organization he talked about would not know if they were hit, and even if they did, they would not fall under the scope of the law to report it. They’re too small. Likewise, there’s little in the way of the law to hold such organizations accountable, and that is the problem. There is too much red tape standing in the way of consumer protection.
The painstaking process of recovering from Identity Theft is bad enough, but it is only compounded when the victim is a recently lost loved one. There is just no way to express or imagine how hard that must be unless you’ve experienced it.
Here are some tips to prevent this type of Identity Theft. When a loved one has passed, don’t include too many details about the person in the obituary listing, such as day and month of birth or address. While researching this story, we used Legacy.com for a good deal of information gathering. Aside from the one example, there were dozens of listings with information that simply could have been left out.
Request multiple copies of the death certificate, as these will be needed for most of the other steps mentioned below.
The next thing to do is to notify the Social Security Administration immediately, as well as send a copy of the death certificate to each of the three credit bureaus (Equifax, Experian, and TransUnion). You’ll also need to notify all credit issuers to cancel accounts. Once a year, use the free service from the three credit bureaus to check the credit history; this will ensure no fraudulent activity.
Lastly, contact the local DMV and cancel the driver’s license. This will prevent anyone from obtaining a copy of the ID.
Social Security Administration:
800-772-1213 7 a.m. to 7 p.m., Monday through Friday
TTY number: 1-800-325-0778
PO Box 6790
Fullerton, CA 92834
Equifax Office of Fraud Assistance
PO Box 105069
Atlanta, GA 30348
PO Box 9530
Allen, TX 75013