I was thinking about the problem of identity theft today and looked back at notes I took during Nitesh Dhanjani and Billy Rios's presentation at Black Hat and Blue Hat recently, and I came to the realization that our government should be doing more about this crap.
You see, identity theft is an economy in itself. It has demand (thieves trying to use the stolen information for their own financial gain) and supply (the stolen IDs). In fact, there's a whole sales process for selling phishing kits, IDs, skimmers, etc. Think of all the places that keep a record of your personal information: banks, your employer, your cell phone provider, your cable company, your apartment complex, the government, your doctor, etc. etc. etc. Now also think of all the places where you readily scan your information to be stored: ATMs, the Redbox, etc. All of these data warehouses are potential places your data could be stolen from. The attacks are well known these days (phishing, web application compromise, skimming, etc.), but we've forgotten about something: scam calls.
For the past 20 days I've been getting calls from the number 480-543-1320, listed as SSPL. It appears I'm not alone. For me, I've never heard anything but a dead line on the other end. Calls back have been met with a busy tone. However, others have received prank calls, calls asking for their social security number or credit card directly (not very intelligent callers, it would seem), calls claiming the recipient has won a free cruise (just provide your SSN and credit card number), or calls claiming the recipient has won free gas (just provide your SSN and credit card number).
You know, I thought this crap was illegal. Apparently it is, but only if you are on the "Do Not Call" list... well, I joined that a long, long time ago. There have also been a lot of complaints registered against this number, yet nothing has been done. I thought it was interesting and thought, maybe I should investigate the 480 area code (Arizona). The list of scam calls from that area code is absurd, but I have no idea if it is any more than any other.
Being a security consultant in my primary job, I know just how easy it is to social engineer someone into giving you something you want. I hope our government is considering more proactive measures than this "Do Not Call" registry, as obviously all the complaints against this number have done nothing to punish those making the calls.