Identity Theft is a crime that millions of people have been exposed to and millions more are afraid of. Some experts even say it’s not a matter of if, but when you’ll be the next victim. Identity Theft can even happen to the deceased, which only makes things harder for those left behind. So what can be done about it, and how does it happen?
What got us thinking about this story was a blog post written by Rafal Los, a security consultant and blogger. “I've been contemplating writing this article for a while, not knowing the impact it would bring but I just can't justify keeping my mouth shut any longer. There is too much at risk here,” wrote Los. His topic was Identity Theft and how one business made it a risk to the dead.
The story he told centered on a client he had about a year ago, who needed his services because of a severe lack in security. However, this client was unique, or as Los put it, “You know when you check that little box on the back of your license that says you'll donate your body parts when you pop off... these folks get your parts.”
They are unique not just because of what they do as a 501(c)(3), which is to manage the willed body donor program in Illinois, but because they lacked basic security to protect the identity of those who were enrolled in the donor program.
“This organization, prior to my arrival, never even had a firewall on their Internet-facing DSL circuit. Everyone could get access to their MS Access database or spreadsheets where hundreds upon hundreds of records were meticulously kept. The information gathered was an absolute what's-what in information and identity theft,” explained Los.
The information he is referring to includes Social Security number, home address and phone number, birthdate, eye color, hair color, weight, and more.
“Given that the person was deceased, they figured it wouldn't matter anymore except that they often couldn't find the right information for the right body. Yea... this is what disturbed me,” Los added in his post.
When it came time to implement security, according to Los’ story, that wasn’t going to happen, as his clients told him that they didn’t have the funding.
“It seemed like any kinds of controls I wanted to put into place were met with a staunch reply of "well, we don't have money for that"... and they really didn't want to hear anything about the kind of absolute atrocities they were committing. I shudder to think what's transpired there over the past 18 or so months... but the point is I suspect nothing has gotten better,” Los wrote.
We talked with Los, and he would not give the name of the organization he talked about in his post. However, the number of associations in the Chicago area that deal with willed body donations, including the organ and tissue banks listed, is rather small, so it was fairly simple to narrow it down to one single source.
We spoke to the organization as well, in one of the cold calls we made for this story. The information they provided about past data practices, as well as some other parts of the conversation, made for a telling story.
However, out of respect for the families of the donors, as well as the company, as we don’t know if the staff presently employed were there at the time Los contracted with them, we will withhold their name. That is, unless they come forward, or Los gives out the name on his own.
While researching this article, several cold calls gave us the same basic information. Mostly what we learned is that the details about a person become public record shortly after they die. It is entirely possible to look up a person’s death certificate, as well as other information, on your own. When you add those facts to the research detailed earlier this year on the personal blog run by the VP of Research at Damballa, Gunter Ollmann, the amount of personal information available to the public about people, living or dead, is almost equal.
Ollmann, using Obituaries.com, was able to discover all the information needed to create a complete profile on a person who had just died. While the scope of Ollmann’s research was to discover the answer to the question of, “how family members of the recently deceased could recover the passwords of email accounts,” the use of the same information for Identity Theft is not that far of a stretch.
Not to come off as alarmist, but after spending just 10 minutes on Legacy.com, where family can create virtual memorials of their recently departed loved ones, we were able to discover quite a bit about a man from Pennsylvania, including everything short of his Social Security number. This type of information could be used to assume his identity, and with a little work, take out credit in his name. We didn’t do that obviously, and we wouldn’t for both legal and moral reasons, but would a criminal be as considerate?
There are other ways to access information, for example the Social Security Death Master File. This file is used to record the name and SSN of every deceased individual reported to them. The various Departments of Motor Vehicles and credit bureaus will ping this and update their records accordingly. At the same time, it can take weeks or months for the new information to be assimilated across all the various agencies and organizations. This gap is where identity thieves operate.
A criminal is unlikely to think twice about the expense of paying $650.00 USD for access to the SSDMF if the return on investment is good. For $650.00 USD the criminal could make 1,000 queries to the records. The names would come from the obituaries, as well as other sources online. If the investment is too much, there is always the Social Security Death Index to help with the search. The point here is that the criminals care not if you are living or dead, just that your name and Social Security Number are out of the various indexes that would prevent them from using it.
Identity thieves often operate in rings. Sometimes they are highly sophisticated and even organized on a criminal level. There is a good deal of money to be made from buying and selling personal information, and the fact that the person might be dead is of little consequence. One example of this comes from 2004.
In 2004, scammers trolled obituaries and took the information collected there to pull credit histories and reports from online sources. With the accumulated information, the stolen identities were used to purchase cars from an unidentified metropolitan Atlanta car dealership. The stolen identities, mostly from deceased in Georgia, California, Virginia, Oklahoma, and Ohio, were also sold.
Jay Foley of the Identity Theft Resource Center, a San Diego-based consumer advocacy group, said in a 2007 interview that, “About 400,000 checking accounts were opened in the names of deceased people in 2004.” He added that the ultimate goal would be to open credit accounts in the deceased’s name.
Ghosting is another problem, which is a different branch of Identity Theft on its own. Criminals here will ghost (clone) a person’s identity, sometimes their entire life, and sell it. In each case of ghosting, the deceased individual’s family is often unaware that someone is living with the identity of the person they just lost. The only time that the ghosting scam becomes useless is when the various agencies and bureaus update their records. Ghosting, more often than not, is where illegal aliens get their identifications from.
However, back to the original problem: companies that are supposed to secure this information and fail to do so.
Los noted in his blog post that you'd have to ask yourself, “... how many "hackers" have stumbled upon a wide-open internet-connected server with no security controls, perused the many data files on there only to discover a trove of information about people who can't even speak for themselves? How should organizations like this be held accountable?”
The answers to his questions, in order, are that there is no way to know, as the organization he talked about would not know if they were hit, and even if they did, they would not fall under the scope of the law to report it. They’re too small. Likewise, there’s little in the way of the law to hold such organizations accountable, and that is the problem. There is too much red tape standing in the way of consumer protection.
The painstaking process of recovering from Identity Theft is bad enough, but only compounded when coupled with the fact that the victim is a recently lost loved one. There is just no way to express or imagine how hard that must be unless you’ve experienced it.
Here are some tips to prevent this type of Identity Theft. When a loved one has passed, don’t include too many details about the person in the obituary listing, such as day and month of birth or address. While researching this story, we used Legacy.com for a good deal of information gathering. Aside from the one example, there were dozens of listings with information that simply could have been left out.
Request multiple copies of the death certificate, as these will be needed for most of the other steps mentioned below.
The next thing to do is to notify the Social Security Administration immediately, as well as send a copy of the death certificate to each of the three credit bureaus (Equifax, Experian, and TransUnion). You’ll also need to notify all credit issuers to cancel accounts. Once a year, use the free service from the three credit bureaus to check the credit history; this will ensure no fraudulent activity.
Lastly, contact the local DMV and cancel the driver’s license. This will prevent anyone from obtaining a copy of the ID.
Social Security Administration:
800-772-1213 7 a.m. to 7 p.m., Monday through Friday
TTY number: 1-800-325-0778
PO Box 6790
Fullerton, CA 92834
Equifax Office of Fraud Assistance
PO Box 105069
Atlanta, GA 30348
PO Box 9530
Allen, TX 75013