[onetimeonly]

Source: at 17 I was running a black-hat hacker collective and had, through a series of bad choices, got pretty deep into the 'real-world' side of that business: fraud. The day after my 19th birthday my house was raided by the US Secret Service and the UK Serious Organised Crime Agency in a worldwide coordinated swoop that took in dozens of loosely affiliated people. I have since completely rebuilt my life, so I don't mind anonymously sharing this.

Stealing an identity is trivially easy. Society revolves around relationships of trust between organisations and individuals, and the trust runs amazingly deep. The basic information you need to do it is publicly available: date of birth, mother's maiden name (on the birth certificate and parents' marriage certificate respectively, copies available on request from the records office).

Carrying out the ID theft takes resources and balls. You'll need to be able to manufacture ID documents, or have access to someone who does. Nowadays you can buy them on one of the onion dark markets. Generally you want a driving license, as this is the easiest to forge form of ID that gets you complete access. Banks, governments, etc. will accept it.

Sadly, making driving licenses is not too hard - document security is pretty weak. You'll need to make yourself some ultra-high resolution scans, trace the entire design in illustrator, and then get hold of some printing equipment. You usually want to print on teslin (http://en.wikipedia.org/wiki/Teslin_(material)), and laminate with a high-quality laminator. UV seals can be easily replicated by hacking an epson printer to use modified cartridges with UV pigments injected into them. Holograms can also be replicated by dusting your laminate with interference pigments and reverse-printing in clear ink to fix the design. It can all be done on commodity hardware.

With a driving license and dob/mother's maiden name you can then access a huge amount of someone's sensitive information, and more importantly, control their relationships with organisations. I don't want this to be a tutorial, so I'll simply say that with several more pieces of information you can take out credit in someone's name, control their existing accounts (e.g. by adding yourself as a new cardholder), or start causing trouble in their name.

A final word of caution. While it's easy to get people's information from government records offices, it's even easier to get it from them personally. We used to call people and social engineer them into giving us their DOB, bank account numbers, secret words, etc. Don't be stupid with your information: never tell someone your data down the telephone unless you called them. Oh, and if you're thinking of committing identity fraud, think again. It's not hard to pull off, but you're not smart enough to do it without getting caught. Everyone gets caught in the end.

[6d0debc071]

> Everyone gets caught in the end.

How would you know if they didn't?

[onetimeonly]

I have a large sample size of the people I worked with over 8 years. Seriously, everyone went down eventually.

[jpdoctor]

Would be an interesting book (for your copious free time.)

[onetimeonly]

Yeah I've thought about it a few times. Maybe when I finish my current commitment, I'll think about it more seriously. Some of the people involved went on to be very famous for their crimes.

[socceroos]

Your username of 'one time only', is that a reflection on the proper use of an OTP? Is there a story there about a mistake? Just curious. =)

[kimble]

Well you know, we all make mistakes.

There is nobody who likes to be woken by a dawn-raid!

Old-school hackers still like proper handles rather than random strings for usernames, even for one time posts.

The devil is in the details.

[driverdan]

They don't, it's the toupée fallacy http://rationalwiki.org/wiki/Toupee_fallacy

[onetimeonly]

It's not the toupee fallacy - in this case I started with a large sample of fraudsters in my circle and know the outcome for all of them.

[driverdan]

You know a small subsample of the total number of people committing fraud. I'm a former blackhat / ID thief / fraudster too. I worked for the US secret service for 2 years and saw what percentage of people were caught. And those were just the online fraudsters we knew about.

[swalsh]

Since you clearly know the process, can you give some tips on protecting yourself?

[onetimeonly]

Actually my biggest lesson about identity theft is that most people just don't need to worry. The negative effect of identity theft in 9999/1000 cases is just the inconvenience of correcting the mistakes by informing various institutions about it. In the last 5 years or so, banks have got very good at clearing up the mess fast.

You need to assess the risk, taking into account the very low probability of having your identity stolen and the fairly low inconvenience, against the time and effort it takes to take protective measures. Don't live in fear of it.

That said, the single best way to protect yourself from random ID theft is to use a decent bank with good fraud protection. In the UK, Barclays and HSBC are very good, Natwest and Halifax are very bad. Citibank is a bad US one.

[driverdan]

This isn't true at all. You generally don't have to worry about credit card theft, you're not liable. ID theft is completely different.

If someone steals your ID and drains your bank account it's going to be much harder and more time consuming to get your money back. If someone opens credit cards under your ID it will be easier to correct than losing your bank account but can still be very time consuming. Often people discover the issue when they're applying for new credit, such as a mortgage. Correcting your credit issues can take months to resolve. They could lose a house they're trying to buy if they don't get approved.

[onetimeonly]

Well, I just disagree. My experience is that recovering your bank account after fraud is trivial. Fixing fraudulently obtained credit takes longer, but basically just involves going through a formal process with credit reference agencies and lenders. If you want to protect against this, you can get a credit record protection service from any of the major credit agencies, where they alert you if there is any activity on your credit record s you can fix it.

edit: nobody should be so unaware of their own credit record that they lose a house sale because of undiscovered fraud. Keeping on top of it is very cheap and as simple as registering on a website (UK example: https://www.creditexpert.co.uk)

[triplesec]

I had a friend who was id hacked. not nice, and citibank was really bad at helping him. Don't expect them to be on your side, any of the big nasties.

and don't put your damn personal information on facebook!

[wisty]

Don't overuse any website that lists your name, DOB, first pet's name, mother's maiden name, your high school (and maybe even the teachers, including your favorite one), the street you live on, and so on.

You are now a harder target than most people.

[EGreg]

http://xkcd.com/792/

[swamp40]

> Everyone gets caught in the end.

I think that's the most important lesson learned from this tale.

[majelix]

> Sadly, making driving licenses is not too hard

The hard part, I imagine, is testing that's a good-enough fake. Standing in front of the passport agent or getting pulled over are probably the worst possible times to learn your print was an eighth of an inch off in the wrong place.

[onetimeonly]

Yeah, there are a few hard parts that I left out. Making it 'good enough' is hard, but for a reason I found surprising when developing the methods. Making the design look exactly right is quite easy, but making it feel perfect is damn-near impossible. The way it bends and the texture in your hands are qualities of the exact manufacturing process and materials, and you can never quite nail it with a knock-off.

That said, most people will never hand them to a customs agent, and I had reports that mine were accepted as ID by police officers on several occasions. Maybe the forger is more sensitive to the differences than most.