On Fri, 4 Mar 2005, Tim Trent wrote:

> Everything you say below is right, especially about identifiable "stuff" in
> your home.  This wheelie bin is in Manchester at the back of a business.
>
> The 3 digit check number exists in the back of the card.  BUT when you give
> this number to someone else, THEY have it.  Plus your address, plus your
> card number, plus the expiry date.

Ah, I think I'm with you.  You're talking about the wheelie bin of a
business processing cards, not the personal bin of the card holder?  That
makes better sense then.  Is it fair to assume that the check number is
"written down" in some way?  I've no idea what happens to it.  Do
businesses routinely through out into bins card details and stuff?  I
suppose some probably do.

Jethro.


>
> Photo Credit Cards work fine face to face.  Now use the phone to pay your
> parking fine.  Or your London Congestion Charge.  Or to buy a pizza.
>
> -----Original Message-----
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Jethro R Binks
> Sent: 04 March 2005 09:07
> To: [log in to unmask]
> Subject: Re: [data-protection] Identity Theft - Nightmare scenario
>
> On Fri, 4 Mar 2005, Tim Trent wrote:
>
> ...
> > But it struck me forcibly how easy it is for someone to do this to
> > someone else.  To anyone else.  For me to do to you or you to do to me.
> >
> > To do it to you I just have to visit that wheelie bin and get your
> > card number and name (and I have your address because it's there, on
> > the paperwork), the expiry date and that three digit number that I am
> > told is intended for web transactions but that every phone based
> > business records as well.
>
> Maybe I'm confused or misunderstanding Tim's post, but isn't that the
> obvious common example of how Identity theft occurs; unfriendly people
> looking through the bins for thrown-away financial statements etc (they used
> to call it "dumpster diving" in the states in the 80s when crackers were
> doing it for info about how to get into systems)?  Hence the boom in
> personal shredder sales over the last year.
>
> But anyway, I thought the point of the three digit check number was that it
> was ONLY on the card, so it can only be given by the card's (physical)
> holder.
>
> Nevertheless, there is much information to be gained from the typical
> household bin (which in my area at least is left unsecured for several hours
> one day a week waiting for the bin men to empty), so there is a considerable
> danger there.
>
> The further danger is that other documents found in the bin could be used to
> in the process to request new, legitimate credit cards, in the name of the
> person whose documents have been filched, but at an address accessible to
> the ill-doer (usually not their own).  Hence they'll get the real physical
> card as well.  How feasible this is depends on what documents are found, and
> the procedures of the credit card company checking details (who of course
> are falling over themselves to offer credit).
>
> > A reasonable question here, and I expect we have a financial
> > institution or so on this list to help answer it, is how can the
> > ordinary person know that this has happened (until the 6am knock on the
> door, of course.
> > I understand one notices that in a highly stressful manner), how can
> > they protect themselves from it, and most importantly, how can they
> > defend themselves against it?
>
> Don't throw out documents with *any* financial information on them.
> Either store them or shred/burn them.
>
> I've always safely disposed of credit card slips are receipts with my whole
> card number on them (all too common still).  Lately I've decided that even
> the ones with a partial number on are unsafe (usually the last 4 or 6
> digits), so I'll be shredding or burning them too.  I looked through a
> number of them and not always the same digits are hidden.  While I couldn't
> get the whole number, I could get a signifant part of it; and maybe there
> would be ways of discovering the rest.  So there is a cumulative danger
> there.
>
> I also occasionally get calls from "my bank" to discuss my account, they
> then start to ask me things like my date of birth and my mother's maiden
> name and all that sort of thing to "confirm my identity".  I refuse, telling
> them that *they* called *me* out of the blue, so they should be proving
> their identity to *me* first.  And realistically, the only way this could
> happen is to have a shared passphrase.  Neither side discloses it in full,
> but requests the first or third letters (or words) or whatever.  I keep
> meaning to write to them to complain about this.
>
> Neither do I see how typing a PIN number, which anyone could discover and
> type in, is any safer than a signature which supposedly only the legitimate
> card holder can reproduce (that being the premises of signatures through the
> centuries).  Of course, it isn't any safer, whatever the banks claim.  The
> benefit is that is makes cards harder to skim and copy, granted; but also
> then banks don't need to have sales staff pretend to check signatures, and
> can foist the liability onto them for fraudulent use if signatures are used.
>
> I've also sometimes complained if I sign while using my card, and the sales
> assistant doesn't compare the signature with that on my card.  I ask them
> how they would feel if I didn't check their signature when some criminal was
> making transactions with their stolen or skimmed card.  Some don't get it.
>
> Whatever happened to credit cards with photographs on them?
>
> Can of worms.
>
> Jethro.
>
>
> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
> Jethro R Binks
> Computing Officer, IT Services
> University Of Strathclyde, Glasgow, UK
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>        All archives of messages are stored permanently and are
>       available to the world wide web community at large at
>       http://www.jiscmail.ac.uk/lists/data-protection.html
>       If you wish to leave this list please send the command
>        leave data-protection to [log in to unmask]
>             All user commands can be found at : -
>         http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving message please send to the list owner
>               [log in to unmask]
>   (all commands go to [log in to unmask] not the list please)
>    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>        All archives of messages are stored permanently and are
>       available to the world wide web community at large at
>       http://www.jiscmail.ac.uk/lists/data-protection.html
>       If you wish to leave this list please send the command
>        leave data-protection to [log in to unmask]
>             All user commands can be found at : -
>         http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving message please send to the list owner
>               [log in to unmask]
>   (all commands go to [log in to unmask] not the list please)
>    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
        http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
              [log in to unmask]
  (all commands go to [log in to unmask] not the list please)
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^