Shostack + Friends Blog Archive


Meth Addicts and ID Theft

There’s a great article in USA Today, “Meth addicts’ other habit: Online theft.” Unlike many articles of this type, the reporting is measured and careful, and full of details that make it believable:

One dumpster behind a call center in suburban Mill Woods proved to be a jackpot. In a nondescript strip mall just two blocks from the spacious three-bedroom apartment where Frank lived with his divorced dad, it brimmed with valuable data. The company using the dumpster, Convergys, often tossed out paperwork related to customer-service calls from Sprint cellphone subscribers in the USA, Mary says.

“We’d get credit check information from Equifax, credit card numbers to make payments, Social Security numbers, date of birth, addresses,” Mary says. “They would make a printout, then just throw it out.”

Convergys spokeswoman Lauri Roderick disputes Mary’s account. The Cincinnati-based company has a “strict clean-desk policy” that requires shredding of any sensitive paperwork, she says. And Sprint customer-service calls, she says, were never handled by the 1,200 workers at the Mill Woods facility, one of 14 in Canada. “We’re confident there has been no breach in security of our customers’ data,” Roderick says.

One comment on "Meth Addicts and ID Theft"

  • allan says:

    Interesting article, although still lacking concrete numbers on scale and scope of the problem (anyone seen ANY good ones?).
    I especially liked the final summary of data collection and exploitation methods. They highlight how hard any single downstream approach to impersonation fraud is: a liability regime might give Equifax incentives to make sure Convergys actually shredded the data, but would fail to capture threats like mailbox theft or common burglary.
    I’m also curious about the data processing capacities inside these groups. The article highlights a local/global dichotomy: is information aggregated as it moves upstream to compile more complete profiles? Can a single criminal “search” for a datum on a specific target?
