Using family tree search engines for identity theft

In My Humble Opinion
1

I was in a discussion with someone I just met recently on identity theft.

He was unsure about it and whether it was that prevalent or not. I asked him his name and age. Nothing more.

I looked up his name on ancestry.com and it gave me his full name, his date of birth, his mother’s and father’s names including his mothers maiden name, where he went to high school, several addresses where he had lived at.

The last address that was listed there was the address that he currently lives at and to further confirm this, I could also look this up on the county property tax records as well that are available online. This is in Texas FYI

This is almost enough to open several credit cards in his name with just missing the Social Security number.

I am sure I am not the only one who has discovered this but I was surprised just how much information could be gathered with a simple ancestry.com search

Any comments on the ease of using this data?

I also realize that there is a social security death index with SS numbers listed that could also be used for identity theft fraud or am I giving people reading this thread too many ideas?

2

You bastard! (Just kidding… Follow along)

Interesting timing for this topic, and I am not sure where it will ultimately belong.

But I was called late last night from a credit card company asking me if I had recently submitted an application for credit. The answer was “no”. This woman was then very apologetic and said that this individual apparently has “your name and your SSN”.

Well, that’s not good.

This was one that was caught, but she started me down a long and pretty drawn out path on what my options were. My first call was to Credit Monitoring Agency 1 (which will now be referred to as CMA1 (it could have been any of the three credit agencies… Experian, Transunion, or Equifax.)

Needless to say, after a very stressful week in my life, the idea that I would have to clean up someone trying to steal my identity and screw with my credit just set me off.

After sitting through a 5 minute monotone voice dumping all sorts of information and things I need to take care of, including websites I need to read to know my rights, etc, CMA1 will put a 90 day-block on my credit report (and will forward a copy to CMA2 and CMA3 automatically), indicating someone will need to speak with me directly before confirming that any credit is given in my name. I have a “fraud warning” on my credit report, and I get 90 days free. I can get another 90 days if I file again before this one is over, OR I can file a police report, which MAY permit me to lock my credit report for 7 years, but ONLY if my local police department will file that report.

This require 2 more phone calls, and I received conflicting info from credit card company that originally called me and the police officer I spoke to.

Then, CMA1 bumps me to a live person, which I thought was “great”, since I was upset, had a lot of questions, and wanted to speak with someone who could answer my questions. The woman, who spoke with a very heavy Indian accent (and got pissed at me for not understanding everything she was saying, starts telling me all the great things CMA1 is now going to do for me… They are going to monitor my SSN, and inform me when someone is trying to use my name and establish credit. I said “and then what are you going to do? Help prosecute the case?” She said “no”, we don’t do that, that is up to the consumer to do the investigation work." :dubious:

I am seeing red, because she is clearly reading from a script and she is selling me something. I just don’t know what yet.

She starts telling me that now that my name and SSN are now out there, it is being bought and sold all over the “dark web” and other illegal sites. She is laying on the doomsday scenario thick. And then the punchline… For ONLY $19.99 a month, CMA1 will do all it said. I thought my head was going to explode.

So, what they will do is monitor credit applications and if one comes up in my name and SSN, they will call me to confirm (which is basically what is happening now for the next 90 days).

The credit card companies do nothing to help prosecute the people trying to steal ID’s. The woman at the CC company told me that she speaks to literally thousands of people like me a week, and they don’t have the resources to pursue legal action. I can, but only if I file a police report. I ask, “was the application filed on line or though the mail?” “Can’t tell you that, sir.” I said “can you tell me what the phone number it was they used? Was it local or from another state?” " no, can’t give you anything." So, they basically have decided that they cannot give the person who was a victim of fraud any info without the police report, because if they gave you that info and you happened to know the person who did this, and if you decide to confront that person and something happens, the CC company could be liable. W. T. F.

The police officer told me most people don’t pursue it because it takes a lot of time and resources.

So there really seems to be no real difficulty in doing this… Odds are low you will get some nut like me who is going to try to see this through to the end.

They push all the responsibility for playing detective onto you, the victim of fraud.

What is even more baffling is that I just checked my credit reports two weeks ago and there was nothing in them. Spotless. And that is the only time I used my SSN on line. I used the government website that permits you to get a free credit report each year from each agency, but I didn’t get one because I couldn’t answer their own security questions they had for me. That one locked me out, so I can try to get that credit report next week and make sure nothing has been added.

But the truth is, criminals can get this info anywhere. Wherever your SSN is used to identify you, you open up yourself up to this Bullshit. And now, that is almost anywhere. I can’t see my dentist without giving them my SSN, because my dental insurance uses my SSN as my identifier. Even though that is SUPPOSED to be illegal, no one seems to have a problem with that. When I refused to give them my SSN, they refused to take my insurance. At the time, I had a real problem that needed to be taken care of right then, and they wouldn’t take a credit card. Only cash. :dubious:

So I gave my SSN to her, and the woman at the credit card company tells me that criminals pay office workers in doctor and dental offices all the time… A thousand dollars cash for say 100-200 clients…names, SSN, address, telephone, employer, to just get started. It gets scary very fast.

I am curious if anyone has had this happen to them, and what the outcome was.

I am very angry. This seems backward to me. And there is any number of places where my data could be compromised. The point it, it is against federal law to use the SSN for any other identification purpose, but every doctor’s office routinely asks this on their forms. Tell me, some 22 year old with a couple of kids and bills to pay is not going to be tempted to fork over what someone asks her for when she can get a $1000 in cash to spend. What does she care? Based on what I learned the last 24 hours, her risk in getting caught is low.

The other thing that bothers me is that these credit agencies should be already calling people before granting large credit lines… Confirming addresses and phone numbers. And how about this? If they find a fraudulent case, they turn it over to law enforcement and something gets done about it.

But it’s the old “too many cases”, “can’t handle the load”, you have to do the legwork yourself nonsense that not only emboldens a criminal to keep doing what he’s doing, but it makes the credit bureaus richer because they get you at your most vulnerable and squeeze your tit until it turns blue. "Hey, for only $19.99 a month, we can “monitor this” for you.

I am not going away. I am going to get the police report filed, then I will see where that takes me.

I’d love to hear anyone else’s experiences.

F*#%in’ scumbags…

3

The real issue, as I discuss in a thread I opened on the topic, is that simply knowing a nine digit number should not be proof of anything. It’s a number you can’t change and ultimately thousands of people have access to it.

I propose a system where each citizen has to obtain an electronic device that generates a unique passcode for every transaction. If you lose the device, you report it stolen and get it reissued, with the old one voided. It should be illegal for any bank or credit institution to hold an individual liable for a debt if they cannot prove the individual actually incurred the debt with definitive proof of their identity.

4

Interesting comment on the info being released.

Neither my current doctor nor Dentist require the SSN number but I can see how that could be a problem if they got out.

My point was how much information is on the family research sites that can be used for identity theft if used in the wrong way.

5

Over the years, wired.com and others have run articles on the actual dens of thieves where the crooks all hang out online. Turns out, a single person’s identity isn’t worth very much. Just a couple of bucks to buy a stolen SSN from another criminal. Even “deluxe packages” - the identity details on someone with money, complete with their debit card numbers and PIN codes - is like $20 each. And, the criminals rate each other, so they know which criminals are selling legit data and which ones aren’t.

These low prices tell me that the criminals are awash in stolen identities. They get more stolen identities every day from thousands of different methods than they will ever have time to actually steal from.

Also, the criminals doing the data theft face less risk than the ones committing the actual money stealing fraud, kind of how drug smugglers make more money than drug producers. Per wired.com, it’s a great way to make money committing crimes until you get caught - if a criminal can rob a person for whom they bought their identity for $10 of $1000 on average, obviously that’s a huge ROI. Wired even mentions that the criminals offer starter packages for would be aspiring identity thieves.

I guess on the plus side, unlike other forms of crime, not many people are dying doing it. I’d rather be a victim of anonymous electronic fraud than armed robbery.

6

The correct solution seems to be that we more-or-less honest people (who, us people on SDMB?) are fools for not getting in on this business for ourselves. Why should we settle for passively being the potential victims when, with so little extra effort or risk, we can make such a good living being identity thieves ourselves?

7

Since I don’t see an actual question in the OP, let’s move this to IMHO.

Colibri
General Questions Moderator

8

I had a feeling that this was going to be switched to IMHO as I almost put it there in the first place.

Thanks for the comments so far

I tried to find my SSN online but all that I could find was that it was issued in Texas but lots of sites offering my records for a fee. I tried one of those once for the fun of it and I only got what was released publically.

Namely

Property tax records
Marriage records
Criminal records
Phone number(s)
Facebook account (If I had one)
Possible relatives

No SSN numbers at all on the listing

9

Habeed,

Technically, you can change your SSN number but it would cause all kinds of troubles. Yes, I do see your solution of the changing codes for each transaction but something like that would take a long time and be cumbersome to implement. Look how long it took to get the CHIP cards in place and they are still not completely 100% functional yet

10

The problem is, the SSN is linked to EVERYTHING.

and the credit institutions should be held to a higher standard when giving money to a faceless name and number based on no other evidence.

Your SSN is in your mailbox if you get something sent to you from the government. You use it to open bank accounts, file your taxes, etc.

There are virtually unlimited ways to get someone’s personal data. With an ancestry site, finding “mother’s maiden name” is a cinch, isn’t it?

Senegold, my wife and I had that conversation today. Why live by the rules when no one else does? The penalties are next to nothing, and that is if they ever get caught in the first place. Maybe a misdemeanor… Most likely no jail time, just probation. Oooh, they’ll never do that again.

Don’t know if anyone saw the 60 minute special where people were filing tax returns from their own homes with stolen identities. They would use someone’s name and SSN, and make up numbers to get a few thousand dollars in a return. All done through the IRS portal, and the IRS would cut the check. One guy interviewed who was caught (and got a crazy low jail term of something like 18 months), said he would get 20 refund checks delivered each day for weeks by the SAME MAILMAN to his one bedroom apartment. And THAT didn’t raise suspicion.

Then, what happens is the real person with the real income, job, and SSN files and THEN the IRS flags it, not paying the real person, and making that real person jump through hoops to make them prove who they are. It takes some of these people years to get their legit money paid off, and the scammer is usually long gone.

I like Habeed’s idea. He is on the right track. This can’t be hard to do. Someone just needs to get to the right lawmaker and make it a law.

11

Funny, I was planning to ask that exact same question. But as far as I know, the SSN is no longer on the death index, or at least the one I regularly use for genealogy work.

12

Did you ever stop to consider that you were played, not by potential identity thieves, but by the purported “credit card company” that received the claimed application, as a funnel to deliver business to “credit monitoring” agencies.

13

“Identity Theft” as it is portrayed in films like Identity Thief is very rare. For the average person, the most likely way to be ripped off online is to buy something from a stranger and not get what you expected and never get your money back.

Applications for credit are pretty common too, but, in the UK at least, any loan company will write a physical letter to the purported applicant. For a fraudster (that description sounds kind of jokey [fraudster/prankster] doesn’t it?) to complete the theft, they need to be able to intercept your mail. In the US, where many people still have street side letterboxes or insecure boxes in the entrance to a condo etc, this may be easier than here, where mail is (mostly) pushed through the letterbox in the front door.

It still happens here though - as far as I can tell, where the fraud is perpetrated by someone with access to the victims house. Credit/debit cars are frequently stolen and if not quickly reported and stopped, this can cause a lot of grief.

It seems to me though, from reading accounts in newspapers, that the victim has often been the architect of their own misfortune - either by omission; failing to take reasonable precautions, or commission, doing business with dubious characters who promise some great bargain or profit (Bernie Madoff? Nigerian Bankers?).

14

So what you want is for a federal agency to be monitoring everyone’s mail and respond whenever they see something “suspicious”?

Hello 1984. The last thing I want is routine government monitoring of every citizen’s activities.

15

The was a major debate on genealogy sites several years ago about what people should be allowed to post online. Some of the issues: specifics about living people (birth date/place info, current residence, etc.), any info on living people at all, or any info about anyone going back a couple generations.

Note that mother’s maiden name is a common verification question and can be easily deduced from a lot of family trees posted online even if a couple generations are blanked out.

Anyway, people on some sites got completely reamed by guardians of identity theft.

If I was trying to steal a specific person’s identity, genealogy sites could be a resource. But it’s much easier to get necessary data to find a generic person’s info if you don’t care what name you end up with.

16

Of course. But where does the suspicion stop?

I called the credit card company back and spoke to another person. She confirmed I was getting a letter sent to me indicating what happened so I can file a police report. That is step one (in the US anyway).

But yeah. It occurred to me that just two weeks ago, I tried to get my credit reports from the three agencies, and I was on a (supposedly) secure website. In the US, you get one free report a year from each of the credit monitoring agencies.

When I got the phone call, they gave me a number to call which would put a “90 day fraud alert” on my information, and all 3 credit agencies get this update. However, they dump a lot of information to you in an automated message with numerous websites to visit, things to do, etc. When that was over, they send you to a live person who is clearly using the situation to sell you a service that I am sure a lot of people buy immediately. It was offensive.

When I stopped the lady from reading her corporate sales script, she was flustered. I asked her why she was trying to sell me services when I am just looking for information? I asked her to stop reading from her script and talk to me. She got indignant that I suggested she was reading from a script, and told me she wasn’t trying to sell me anything. She was just “trying to tell me what happening and what I should do to protect myself.” I said “why wouldn’t I just go to LifeLock or some other company then?” She immediately had an answer, and told me what they offer that LifeLock doesn’t. :dubious: Yeah, you aren’t trying to sell me anything. Except a $20 monthly fee, billed automatically, for the rest of my life. Oh, and the fee does NOT cover anyone else in my family, nor does it guarantee me anything. They will just offer me $1MM of insurance if someone decides to buy a Porsche in my name.

The timing was a bit coincidental. But maybe that’s all it was.

I also had a relative die recently, and I was left some bonds to cash. I had to send in all my identifying information in to cash the bonds to the federal reserve. I was called by a person there who was one of the dimmest people I have ever spoken to. She had access to all of my information right in front of her. I don’t know what, if any, security checks someone has to go through to work at the processing center at a place like that, but could that person have sold my information? What about the people at the doctor’s office or dental office? Unless I can figure out who sent the application in (which may be impossible), the reality is if you have a SSN, and someone attaches your name to it, they can do some damage. If the application was sent on-line? Even harder to trace, at least without a court order.

The last credit card I applied for was a few years ago. It was through a department store (made a purchase, got a lot of money to set up a credit account) and they gave me a store credit card that is also a Visa card with a line of credit. They didn’t call me to confirm. Maybe the process has changed a bit since then (and that would be a good thing).

Hate to break it to you, but it’s too late. The government is monitoring everything you are doing, and we are making it easy for them. It’s passive monitoring for most of us, but make no mistake… They are recording everything they can record about everyone, and they are using that information to create a picture of you. Why do you think google, microsoft, facebook, etc all want you to use their “free” services? So they can build a profile of you. Now they might use it to target marketing data and commmercials to you, but the data exists, and anything you send out that bounces off a microwave tower, a satellite, or goes through a router can be intercepted and tracked.

I am not saying there is much you can do about it, because there isn’t. But your every activity can be tracked if you are connected to the electronic world. If you have a cell phone, your location can be pin-pointed. Buy something with a credit card? They know where you are, what store you are in, what you have purchased and who your cashier is. Cameras are everywhere, and meta data is being gathered and stored. If the government thinks you are doing something illegal, they can start to focus in on a specific target fairly easily.

As for the tax refund scam. A couple of things… A tax refund in the US comes in a very easy-to-spot envelope. It does NOT look like most junk mail. In the particular case I referenced, the guy who was running this particular scam was living in an apartment building. He was delivered HUNDREDS of refund checks. Is it too hard to imagine putting a few software checks in place before the 100th refund check from the IRS is created by their software and sent to the exact same address? I don’t know the exact process the IRS has in place, but I would think that someone who understands how to perform a workflow analysis could put some security checks in place to help control the massive fraud that is currently going on.

Not to mention a mail carrier noticing that he is shoving 20 envelopes in the same box on the same day? That wouldn’t strike a normal person as a bit strange, and something that should be bumped up to the postal inspectors? I am not suggesting that a mail carrier should be held accountable for something like this, but as I understand it, the same person was delivering those checks to the same box for months. I would think that when they are sorting the mail for delivery, someone MIGHT just notice that there are 20 IRS redund envelopes all going to the same address on the same day.

Maybe I am expeting too much, though. And it should never get to that point, anyway. The IRS should have the capability to track some data and STOP the printing of a check if they already show that the address has received X number of checks. (I don’t know what “X” is, but it should be less than, say 100). And yes, I know that there may be special cases where a lot of people use the same address, say a retirement home. I’ve written enough software to know that you can create special checks for special cases.

17

Thanks for the responses.

Remember that any system is only as good as the user.

That is why often even the most secure and complicated systems can get tripped up by a simple unintended usage.

ie As described, the administrators selling personal information in a medical office

18

[quote]
The point it, it is against federal law to use the SSN for any other identification purpose,

Is is? I’m not trying to be a jerk but can you point out where it says this, just curious.

Also as for doctors asking for the SSN, I assume this is so if you skip paying them or don’t pay they can report you to your credit agency. Is it possible to report bad debt without it?

19

Where does it say your doctor can’t use your SSN as an identifier or require it. They may not NEED it, but I was not aware of anything that prevents them from having it. I assume they want it to collect on bills that are not paid by the insurance, and if you don’t pay they can ding your credit.