AusCERT 2011: firms ignore ID theft risk

Businesses don't take the risk of identity theft seriously enough, according to Welsh identity theft victim, activist and comedian Bennett Arron.

Bennett Arron (Credit: Munir Kotadia/ZDNet Australia)

"It's looked upon even now as a victimless crime because nothing tangible has been taken," he said.

"Banks and companies don't try hard enough," he told the AusCERT information security conference this morning. While businesses might cover consumers' monetary loss to fraudsters, Arron believes that they don't understand that it's about more than the money itself.

"They don't realise that having a zero credit rating affects everything and can be worse than having the money taken, and that's the thing that I think needs to be changed," he said.

Arron believes that the UK's new central identity fraud unit will make little difference. "To me it's going to be the companies that have to make a difference and have to stop making it so easy for people to set up accounts."

When Arron's own identity was stolen around 12 years ago, the fraudster had a simple job.

A home shopping company had mailed a postcard to Arron, asking if he wanted to receive a printed catalog. Arron had in fact moved house, but the post office's mail forwarding failed. The postcard was delivered to his old home as addressed, and there the new resident, the fraudster, ticked the box to request a catalog. The catalog arrived, along with an order form. The fraudster ordered an item, and the company opened an account for him in Arron's name.

The fraudster then went to an independent mobile phone shop and purchased a phone using the home shopping account as proof of his address. "From there he went to [department store] Harrods, and so on and so forth," Arron said. "It had all started from this tiny mail shot."

Arron approached the companies involved, seeking compensation, but they all refused.

"They didn't think it was their fault, that they had acted in good faith. That home shopping company actually said to me, 'This is happening quite a lot.' So because of that, they'd stopped sending out these postcards. Two weeks after that letter I received a postcard. They'd taken my personal information from personal correspondence and put it in the mailing list."

Arron queried the home shopping company. "Whilst we sympathise with the distress you've been caused, we feel we acted in good faith ... On the issue of the mailings, we'd like to point out that these mailings arose entirely separately. The fact that we started to send mailings at this time was purely coincidental," the company wrote.

"PS: Our pants are on fire," Arron said.

It took Arron and his family up to three years to recover from the identity theft. The experience led him to explore the fraudster's methods.

He began by stealing the identity of a person chosen at random from the phone book. Arron went through the victim's garbage late at night. A discarded bank statement and PIN notification letter allowed him to gain immediate access to the victim's account, change the address and open new accounts.

Later, he succeeded in stealing the identity of the UK's Home Secretary, Charles Clarke. This led to a dawn raid by the police and a charge of fraudulently obtaining a driver's licence, which could have led to fines or even jail. He was let off with a caution.

Arron's TV documentary How To Steal An Identity can be viewed online.

About

Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust. He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit tr...
