On Fri, 4 Mar 2005, Tim Trent wrote:
...
> But it struck me forcibly how easy it is for someone to do this to someone
> else. To anyone else. For me to do to you or you to do to me.
>
> To do it to you I just have to visit that wheelie bin and get your card
> number and name (and I have your address because it's there, on the
> paperwork), the expiry date and that three digit number that I am told is
> intended for web transactions but that every phone based business records as
> well.
Maybe I'm confused or misunderstanding Tim's post, but isn't that the
obvious common example of how Identity theft occurs; unfriendly people
looking through the bins for thrown-away financial statements etc (they
used to call it "dumpster diving" in the states in the 80s when crackers
were doing it for info about how to get into systems)? Hence the boom in
personal shredder sales over the last year.
But anyway, I thought the point of the three digit check number was that
it was ONLY on the card, so it can only be given by the card's (physical)
holder.
Nevertheless, there is much information to be gained from the typical
household bin (which in my area at least is left unsecured for several
hours one day a week waiting for the bin men to empty), so there is a
considerable danger there.
The further danger is that other documents found in the bin could be used
to in the process to request new, legitimate credit cards, in the name of
the person whose documents have been filched, but at an address accessible
to the ill-doer (usually not their own). Hence they'll get the real
physical card as well. How feasible this is depends on what documents are
found, and the procedures of the credit card company checking details (who
of course are falling over themselves to offer credit).
> A reasonable question here, and I expect we have a financial institution
> or so on this list to help answer it, is how can the ordinary person
> know that this has happened (until the 6am knock on the door, of course.
> I understand one notices that in a highly stressful manner), how can
> they protect themselves from it, and most importantly, how can they
> defend themselves against it?
Don't throw out documents with *any* financial information on them.
Either store them or shred/burn them.
I've always safely disposed of credit card slips are receipts with my
whole card number on them (all too common still). Lately I've decided
that even the ones with a partial number on are unsafe (usually the last 4
or 6 digits), so I'll be shredding or burning them too. I looked through
a number of them and not always the same digits are hidden. While I
couldn't get the whole number, I could get a signifant part of it; and
maybe there would be ways of discovering the rest. So there is a
cumulative danger there.
I also occasionally get calls from "my bank" to discuss my account, they
then start to ask me things like my date of birth and my mother's maiden
name and all that sort of thing to "confirm my identity". I refuse,
telling them that *they* called *me* out of the blue, so they should be
proving their identity to *me* first. And realistically, the only way
this could happen is to have a shared passphrase. Neither side discloses
it in full, but requests the first or third letters (or words) or
whatever. I keep meaning to write to them to complain about this.
Neither do I see how typing a PIN number, which anyone could discover and
type in, is any safer than a signature which supposedly only the
legitimate card holder can reproduce (that being the premises of
signatures through the centuries). Of course, it isn't any safer,
whatever the banks claim. The benefit is that is makes cards harder to
skim and copy, granted; but also then banks don't need to have sales staff
pretend to check signatures, and can foist the liability onto them for
fraudulent use if signatures are used.
I've also sometimes complained if I sign while using my card, and the
sales assistant doesn't compare the signature with that on my card. I ask
them how they would feel if I didn't check their signature when some
criminal was making transactions with their stolen or skimmed card. Some
don't get it.
Whatever happened to credit cards with photographs on them?
Can of worms.
Jethro.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|