Updated: 24.11.2002; 14:08:21 Uhr.
disLEXia
lies, laws, legal research, crime and the internet
        

Thursday, December 13, 2001

Cisco accountant's fraud

www.cybercrime.gov: Former Cisco Systems, Inc. Accountants Sentenced for Unauthorized Access to Computer Systems to Illegally Issue Almost $8 Million in Cisco Stock to Themselves (November 26, 2001)

Press release excerpt:

Judge Whyte sentenced the defendants each to 34 months in federal prison, restitution of $7,868,637, and a three year period of supervised release. The defendants will begin serving their sentences on January 8, 2002.

David S. Weitzel, M.S., J.D., Senior Principal, Mitretek Systems dweitzel@mitretek.org 1-703-610-2970 [david weitzel via risks-digest Volume 21, Issue 82]

Identity theft without prior knowledge of social security number

A while back I had a few occasions when I was asked for my social-security number by organizations I felt have no business knowing it (such as libraries, etc.). Following advice from the Usenet SSN FAQ, I asked why they wanted my SSN, quoted appropriate legislation, and was allowed to give "a different number" (which these organizations presumably want as a primary key for their databases or for similar procedural reasons).

Needless to say, I used a meaningless word for mother's maiden name and a made up birth date, one per organization.

When I later requested my credit report, I discovered that these silly made-up numbers appear on the report as "Other social security numbers used," along with their respective mothers' maiden names and birth dates. Apparently, credit-reporting agencies aggressively merge records in their databases.

A risk? Surely. Consider the following scenario:

1. Identify target for identity theft by name (common names could work). Use the phone book to learn the address of the person in question. This is all the information you need to know.

2. Apply for a credit card in the name of that person, using a made up SSN, mother's maiden name, and birth date. (It doesn't matter if the request for credit is approved; the information you submit will get reported to credit agencies and they will merge it into the database entry of the target person based on matching name and address. You now have information that's sufficient to ask for a credit report.)

3. Ask a credit reporting agency for "your" credit report. You should be able to do it through a Web interface. (If you had to give them a mailing address, you could have asked for the report to be mailed to a temporary Mail Boxes, Etc address or to somebody else's street address where the mailbox is accessible and you can get to it before the rightful owner does--for example, because you know the owner's work schedule.)

4. Examine the credit report. It has the target's actual ("primary") social security number and other information.

5. Having that, proceed with identity theft in any number of well-known ways.

I have a fairly uncommon name. Maybe the record merging algorithm will not actually work with common names. Does anybody know more about their actual merging algorithm? [(Identity withheld by request) via risks-digest Volume 21, Issue 82]
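The over-merging risk described in the post above, sketched from the record keeper's side as an added example (not part of the original post or the risks-digest item). The bureaus' actual merging algorithm is not known to this page, so `CreditFile`, both merge rules, the release check and all sample values are hypothetical and constructed.

```python
from dataclasses import dataclass, field

@dataclass
class CreditFile:              # hypothetical bureau record
    name: str
    address: str
    ssn: str                   # primary, verified identifier
    dob: str
    other_ssns: list = field(default_factory=list)
    held: list = field(default_factory=list)

def _norm(s):
    return " ".join(s.lower().replace(".", "").replace(",", "").split())

def _same_person_guess(f, name, address):
    return _norm(f.name) == _norm(name) and _norm(f.address) == _norm(address)

def aggressive_merge(f, name, address, ssn, dob):
    """Assumed weak rule: name + address alone attaches the submitted SSN."""
    if not _same_person_guess(f, name, address):
        return "no_match"
    if ssn != f.ssn and ssn not in f.other_ssns:
        f.other_ssns.append(ssn)       # unverified value becomes an alias
    return "merged"

def conservative_merge(f, name, address, ssn, dob):
    """Hardened rule: conflicting SSN or birth date is quarantined, not merged."""
    if not _same_person_guess(f, name, address):
        return "no_match"
    if ssn == f.ssn and dob == f.dob:
        return "merged"
    f.held.append((ssn, dob))          # route to manual review / consumer alert
    return "held_for_review"

def may_release_report(f, name, address, ssn, accept_aliases):
    """Report disclosure check; accept_aliases=True models the risky behaviour."""
    if not _same_person_guess(f, name, address):
        return False
    return ssn == f.ssn or (accept_aliases and ssn in f.other_ssns)

def demo():
    # Constructed sample data; 000-prefixed SSNs are never issued.
    args = ("pat example", "12 Sample St.", "000-00-9999", "1970-01-01")
    weak = CreditFile("Pat Example", "12 Sample St", "000-00-0001", "1961-05-04")
    hard = CreditFile("Pat Example", "12 Sample St", "000-00-0001", "1961-05-04")
    r_weak = aggressive_merge(weak, *args)
    r_hard = conservative_merge(hard, *args)
    return (r_weak, may_release_report(weak, *args[:3], accept_aliases=True),
            r_hard, may_release_report(hard, *args[:3], accept_aliases=False))

if __name__ == "__main__":
    print(demo())
```

The control that matters is twofold: an unverified identifier never becomes an alias on a soft name-and-address match, and disclosure is keyed only to the verified primary identifier.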


Maximillian Dornseif, 2002.
 