Has there been a documented case of someone whose identity was stolen from trash?

Factual Questions
1

My wife shreds anything with an account number or an SSN before she puts it in the trash or recycling bin.

I get why the CIA might shred–or burn–highly sensitive documents that would be explicitly targeted for recovery by bad guys (like the shredded documents that were reassembled as depicted in Argo.)

But is anybody really going through trash and recycling bins, looking at every piece of paper, just to see if they find something? Is shredding necessary, or just security theater? I would think it would be more productive to just steal stuff out of mailboxes.

2

This is a good question, and I’m afraid I don’t have a good answer. It might be hard to get a documented instance of identity fraud that can be definitively linked to dumpster diving, since often the source of the original exposure is effectively impossible to pinpoint. But hopefully someone with a more authoritative answer can chime in.

I would think a criminal looking to get paper records for ID fraud would be most likely to dumpster dive outside a medical office or someplace like that rather than residences.

3

This New York Times Magazine article, Dumpster Diving for Your Identity , claims that a major identity theft ring started the process in trash cans and the dump to find names and other information.

4

Let’s pretend there are no documented cases: Would you like to be the first?

I’m on your wife’s side.

We even grind up those offers that arrive, just for grins because I don’t know what kind of numbers might be contained.

This doesn’t mean we’ll never get compromised, but we don’t want to make it easy for them. And I sleep better.

5

I suspect that back in the 1970s dumpster diving was THE primary way to gather info for identity theft. Although as said above, there were/are more productive targets than household trash; especially in less-than-fatcat neighborhoods.

Fast forward to 2021.

Your exposure to identity theft from the vast array of your online data that you don’t control and may not even be aware of is far larger than the junk mail and account statements in your postal mailbox or trash can. The risk of malware on your devices is also orders of magnitude more dangerous than is numbers on paper in your trash.

Shredding your phone bills does in fact reduce your attack surface, but probably only by a negligible percentage.

6

Agree. Identity theft from written documents has been around since written documents were created.

Stealing documents from a mailbox is a Federal crime that can and is prosecuted. Taking trash from a trash can probably isn’t a crime unless the can is on private property. Put the trash can on a curb and it’s generally on public property (barring private roads or streets).

7

Some municipalities (I had always assumed most municipalities) have an explicit ordinance that when you put your trash out on the curb or in the street, it immediately becomes municipal property. I’ve assumed that the reason (or one reason) for this rule is so that anyone caught rummaging through trash could be cited for it.

8

No sure how his relates to municipal law but the U.S. Supreme Court declared in 1988, that trash on a public curb isn’t protected by the 4th Amendment which protects against illegal search and seizure.

https://www.google.com/search?q=is+trash+on+the+curb+public+property&rlz=1C1ASVC_enUS940US940&oq=is+trash+on+the+&aqs=chrome.0.0j69i57j0j0i22i30l7.5335j0j4&sourceid=chrome&ie=UTF-8

I suspect that motive is a major factor in whether someone would be cited for going through trash on a curb. The LEO would have to have a suspicion and proof that ID theft was the intent and not just searching for recyclables.

9

IANAL.There’s an interesting twist with trash and recycle bins provided by the municipality. Since they’re provided by the municipality, they’re not public property.

“Once the bin has been placed out on the street for pick-up, if the items are removed, then the City of Bakersfield becomes the victim.”

Carruesco says thefts of items valued at less than $950 are considered misdemeanors, and can result in a range of penalties which could include a fine or jail time.

Smith says she’s seen thefts a number of times from blue bins around her neighborhood. The confrontation with the man by her bin was in late October, but just this week a neighbor saw someone going through their recycling bin.

Smith says it’s the principle of the theft, she’s not worried about the value of redeeming the bottles or cans.

“It’s up to us, we have the can, we’re supposed to be part of recycling,” she says. But, her part of that process is also a matter of principle – and that’s what she told the man she confronted.

“I told him, I’m the one that pays the CRV (California redemption value), not you. You didn’t pay that, I did,” she says.

Smith now puts both the recycling bin and the trash can inside her garage. She puts the bins out, just before they’ll be picked up.

That’s exactly what police advise.

“Keep them behind locked gates prior to putting them out on the street for pick-up,” Sgt. Carruesco said. He also said residents can call police if they see people going through the recycle bins.

Smith says she’ll stick with keeping the bins inside her garage. “Since I’ve put them in here, I feel better,” she says."

https://bakersfieldnow.com/news/investigations/taking-items-from-blue-recycle-bins-is-it-illegal

When we sold your family home years ago, we filled a 40’ trash bin what was left on the street. I saw a couple of guys inside the bin and yelled at them it was illegal to search through it. I didn’t know for sure if it was true, still don’t know, but the way I looked at it was that since they had to climb up the ladder to get into the bin, they were trespassing on the bin’s company’s property. And if they got hurt while inside, they may have been able to claim that I had something in the bin that caused the injury. Anyway, they took a couple of things, including an empty computer case and left.

10

Interesting article (which is 17 years old). In particular it notes:

For the aspiring identity thief, a Dumpster can be a gold mine – full of documents discarded by hospitals, accounting firms and law firms. And if that doesn’t work, there are other readily tappable sources. ‘‘Theft from mail is also a very common mechanism for getting this stuff,’’ explained Jonathan J. Rusch, the special counsel for fraud prevention in the Department of Justice. ‘‘Even one handful of mail can yield lots of valuable information to an identity thief.’’ Rusch recalled a recent case in Southern California in which an identity thief robbed postal drop boxes while driving a bogus mail truck. Total losses: $1.7 million.

So it seems that residential trash was not the mother lode here.

I’m in IT and do federal contracting, and I would bet more damage was done by the failure of OPM to secure its database of background investigations than from stolen trash in the same period.

11

It is worth noting that in the past 17 years people are far more careful about shredding documents and using safe disposal methods, and there has been a decrease in the creation of paper documents. Yet at the same time online information has become more prevalent and never was very secure. You can find a few documents in a dump or someone’s trash can, names while SSNs, credit card numbers etc. are stolen online millions at a time.

12

Exactly. The easy way to get data these days is online.

13

In the good old days, commercial dumpster diving for large retail establishments was useful; old credit card processing involved imprinting the card in a carbon paper 3-part form. The store usually separated out the carbons and threw them in the garbage. (one paper copy to store, one to customer, and one to CC processing). So thieves would have an imprint of card - number, name, expiry, and user’s signature. Can’t get much better than that. Get a plastic card maker, and you’re set. or for the lazy, some merchants would accept cards over the phone.

First, stores would rip the carbons into multiple pieces in front of you. Then came carbonless forms, then the mag stripe and computer authorization, PINs, etc.

It’s hard to tell if personal trash yielded meaningful results; but it did impel banks and CC companies, among others, to start the “disguise full number with asterisks” trend. Your credit card and bank statements use to come with a full account name, client address, bank account or CC number, and other interesting details. Did people typically throw this stuff out in the trash, unshredded? I assume many did. Plus, a full garbage bank may also yield some credit card slips or other documents with signature, etc. It may not be obvious what your card number is from trash nowadays, but it can tell who issued the card and other details.

I suppose the power of the internet is the ability to assemble a collection of data from multiple sources to build an even more complete picture.

14

We used to have coal furnaces, backyard incinerators and autumn leaf burning. That’s where the documents went.

15

In 2011, it cost less than a quarter online to get a name linked to a social security number. Actually it was worse than that:

In the “Fullz Info USA Type A” package, each record includes the subject’s first name, last name, middle name, email address, email password, physical address, phone number, date of birth, Social Security number, drivers license number, bank name, bank account number, bank routing number, the victim employer’s name, and the number of years that individual has been at his or her current job . . The proprietor of this shop says he has more than 330,000 records of this type, and is adding 300-400 new records each day.

From Krebs On Security, the go-to website for tracking what the online crims are up to. How Much Is Your Identity Worth? – Krebs on Security

Admittedly, I’m not convinced that it would be prudent to toss a financial statement with lots of zeros in the trash. Casual criminals or even nosy neighbors might be unduly interested.

16

They have no numbers you need be worried about. BUT, at least rip them in half, you dont want anyone sending them in then stealing the card from the mail. True, now that you have to call in, that risk is lessened, but if all they gotta do is the last four of your SSN, that’s trivial. So they find the offer, send in the postpaid envelope, the bank sends the card, they steal from the box, etc. It isnt common anymore but it still happens.

OK, as a Certified expert in this you do not need to shred stuff with address or name, etc.

SSN - yes, shred it. Sure they can get it, but why make it easy.

Bank and other financial service accts, credit cards etc- shred them also. Most are now masked, so not critical, but still, it is easy.

You dont need to shred utility bills etc. Phone bills? Maybe. If it makes you happy, why not?

However, as LSLGuy sez, dumpster diving for info is outdated. For less than $5 each, one can get a list of Names, SSNs, DoB etc , order them by the thousand. Sometimes for 25cents even.

But they are cheap low rent crooks still around.

One other thing- do you NEED a online bank account? If you dont have the ability to access your bank acct online, that makes it very difficult for outsiders to do so also.

17

I used to write one or two cheques a year or so, until eTransfer came along - mostly for one-off payments to private individuals. I’ve paid almost all my bills online since the early to mid 2000’s. I rather wonder who can get by without an online account.

It seems to me that the Fultz Info stuff would be simpler, indeed trivial, for hackers to obtain by dumping personnel databases from large employers - or finding an unscrupulous IT or HR person to sell that data. Still, for them, 330,000 is 0.1% of the USA population. The other difficulty of this sort of data is that to sell it onward to the “hacking public”, you have to expose yourself. Yes, the FBI trying to stop this is a game of whack-a-mole, but that’s small comfort to the moles who do get whacked.

18

Don’t forget to lock/freeze your account at the three major credit bureaus. Hard to maliciously open a line of credit in your name with that done. My wife and I expect to live the rest of our lives without needing to get a new credit card or loan so we’ve locked it at the three major as well as ChexSystems and Innovis (it appears to be fairly easy to unfreeze with the info we have). And as I harp on about on every credit/account/password related thread: Enable MFA on every important account possible (email, amazon, banks, retirement, etc).

19

Yes, that is both a good and bad idea. It should be considered, but not automatically done for everyone. As you said “…My wife and I expect to live the rest of our lives without needing to get a new credit card or loan…” So for you, it seems like a good idea. Maybe not for others.

20

It appears to be almost trivial to unfreeze your credit. For example, I can go to the Experian Security Freeze Center, enter my info and the PIN I setup and immediately unfreeze. Submit my application, wait for approval, refreeze. Seems worth it unless you are one of those people that is constantly getting new credit cards.

So, not sure why it would be a bad idea? Minor inconvenience for some, but it absolutely helps stop identity theft.