Identity Theft - what to expect, and what to do now

All of this crap about passwords is useful but other things matter too.

Take your birthdays off FB and everything else.

Don’t wish your mum happy birthday on social media - don’t even link to her as your mum because then her maiden name can be found out on Ancestry.com.

Take your job history off FB and Linked in, only leaving the last job or two. Nobody cares that you spent two months working for a newsagents in 1983 just after you left school.

Take your schools off your social history.

Hide anything you can from gaze.

When your bank asks for your mum's maiden name, give them a random phrase instead that links to it - maybe where you first lived together, or her favourite album, but not her maiden name.

Think of things for other questions - for your favourite teacher, put down the colour of the walls in their class, etc.

Go to 192 and ensure that you are not on anything that can be searched from there. Take yourself off every electoral roll.

A lot of this stuff is social engineering. And never tell anyone your porn name when they ask on FB!
 

Sarastro

LE
Kit Reviewer
Change all my passwords and PINs on financial sites to unique, long crypto type ones that Safari suggests. I've been resistant to doing that, because of usability concerns.
This is unnecessary. 16 character length all lowercase alphabet only is mathematically stronger than 15 character length with all numbers, characters, etc. The real important variable is the length of the password.

The disadvantage of long crypto passwords managed by Safari or a password checker is that you are simply delegating your security to the browser / password manager, as well as (often) putting all your eggs in one basket (theirs). Security of browser managers is variable, and they are the absolute tip top targets for hackers to exploit. This is a case where the correct application of mandraulic security is the best option unless you are Putin or UBL, because nobody is particularly interested in you - your accounts are either easy to crack and therefore low hanging fruit, or not and so not.

I chose a longish unusual name (ie not a dictionary word), added some numbers and special characters that I could remember, and thought that would be sufficient.
This will actually make it less secure, although I understand that almost all sites now require this.

I've gone into this before so won't bore about it again, but standard password rules are flat out wrong, and the requirement by sites that you add a capital letter, number, character actually reduces security. In short this is because mathematically the only variable that matters is string length. Think of password cracking like a red line of how many guesses an attacker needs to make before they get the right answer: requiring at least one capital letter, number, character gives attackers a hard rule to exploit (i.e. they know that every guess they make needs to include a capital letter, number, character) which lowers the number of guesses they need to make, and therefore negates the already ineffective guess-increasing measure of adding a larger address space (i.e. adding the numbers, characters etc). Adding characters/numbers only works to increase guesses if you can add characters/numbers but do not have to add characters/numbers. So the measures that 90% of sites have now adopted are actively helping hackers crack passwords. This has been a form of bozo explosion from incompetent IT security wallahs who didn't understand maths.

Genuinely, if you have the option and are interested in a secure password rather than a rule-following password, you want 16+ letters and everything else is fluff. I'd usually recommend a contraction of 3-4 words, or some nonsense additions to make it longer.

Well now I don't believe that's enough, so I'll go through that ball ache. I'll absolutely have to write them down, which is a no-no in my mind, so that will then go in the safe.

So two questions:

1. What can I expect in terms of the attacker's next steps?
2. What else can I do to protect myself?

Cheers!
Realistically, changing all your passwords so they are a) different, and b) follow the 16+ rule will negate the viability of the attacker further exploiting those accounts. It is not worth the compute time it takes to crack a set of 16+ passwords for a single account when it's already been identified as compromised.

The vulnerability of writing down passwords entirely depends on how you then store the written down passwords, and the environment. If you put it on a post-it on your open plan office screen = insecure. In your own study (unless someone cares about you enough to stage a breakin just to get your passwords, unlikely) = secure. In a safe is overkill, but highly secure.

The next steps will very much depend on what kind of scam they are running. Often bank accounts are just used to run automated payments through as a form of money-laundering. It will start small, and see if there is any reaction, and if not, get bigger. If the bank account was cancelled shortly after being open, they (hackers) have likely already red-flagged your account(s) as having been identified, and so are unlikely to return to it (or them).

If you can (very hard these days), identifying the source of the SSN leak, or identifying which accounts/information you have submitted which contain exactly those details used, might help. It's very likely that the original leak came from one site which had a password list compromised. The threat of password guessing additional sites using those details (i.e. brute force trying usernames linked to you with the password from the original cracked site) is still theoretically possible, but practically in mass-market hacking is less common as most sites have limited the number of times it's possible to guess at password/user combinations.

Obviously you want to totally bin that email address too, and make sure that nothing is sent to/from that address that identifies others you use or the one you move to (i.e. don't forward key emails to your new address).
 

Sarastro

LE
Kit Reviewer
It is not difficult to start to pin down who is behind these things. Sadly, plod and the banks are not interested. In your case I would want a chat without coffee with the person that opened your account. With all the Know Your Customer (anti money laundering) requirements it is not easy to just open an account... unless you happen to work in a part of a bank that lets you do so.
Depends on the bank. It's increasingly easy to anonymously open accounts with challenger banks that use automated ID checks and referral accounts or users as a form of ID. Also, not all countries have the same set of rules or level of enforcement as US / UK ones. The basic principle of all this at scale is like a pyramid scheme: they use previously hacked details and fake accounts to validate or give credibility to the systems of new ones.
 

Sarastro

LE
Kit Reviewer
Unfortunately these calculations are only considering the single password, and not the password system. They are theoretically correct but practically wrong.

The principle here is information entropy (uncertainty, basically). The logic is that the more characters there are (string length), the more possible combinations, so higher entropy. It is also true that the more possible characters there are (address space, using numbers etc instead of just letters), the more possible combinations, so higher entropy.

However, because string length is random, password entropy is calculated as string length to the power of address space. Since keyboards mean that address space is fixed (there is a set number of possible characters), the potential change in address space is from 26 to 128 / 192 / 256 (depending on character set used; this applies to English). The maths of power exponent curves means that the difference in potential entropy produced by a character space of 26 to 256 is less than the effect of just adding one additional character to the string length. TL;DR: one more character in password length has more of an effect than opening up all of the possible characters you can use. This leads to the rule that, in fact, you might as well advise people just to always add an additional letter to their password rather than worry about using numbers, symbols, etc.

But it gets worse.

Entropy = uncertainty. Anything that reduces uncertainty reduces entropy (which means the passwords are easier to guess / crack). So what happens when sites declare: you must use at least one capital letter, number, and symbol in your password. They have given you a rule that certainly defines at least 3 characters in the password. This makes passwords on sites with that rule less secure than ones on sites that don't have that rule, not because the individual passwords have higher entropy (they do), but because the rule set has lower entropy. Passwords are cracked in bulk as a single rule set, so any rule that applies to all passwords within that set lowers uncertainty, and makes it easier to crack them. So although your password on that site, if taken in isolation (as that link above does) has a higher entropy and therefore is theoretically more secure, the system (the password set, the rule set, etc) has lower entropy so is practically less secure.

As it happens, most passwords aren't cracked by directly attacking your thing, they are cracked by stealing a hash database (encrypted lists of passwords) from a website, and then reverse-engineering the hash algorithm with different password guesses against the whole list. So the rule-set is incredibly important to how easy it is to crack passwords. This is why it's the password system that matters, not just the single password.

That is before you get onto the effect of behavior, which is that requiring that set of rules almost exclusively results in three formulations: passworD1! ; !1Password ; or you're really pushing the boat out, pass1!Word (I challenge anyone to claim their self-selected passwords don't follow some version of this formula). Alternatively, as previously mentioned, people use simple substitutions like 1337 speak. All of these patterns are predictable, because they are the obvious choices downstream of the entropy flowchart for the rule: you must use at least one capital letter, number, and symbol in your password. So in the big compute rainbow tables (probabilistic sets of the most likely password combinations) they give an easy set of rules which again substantially reduces uncertainty, and therefore password entropy.

In short: password advice is mathematically wrong, and enforced password rules are actively counterproductive.
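As an added example (not from the thread, and not the poster's own working), this computes the search spaces the post above reasons about: the keyspace for a given alphabet size and length, and, by inclusion-exclusion, the subset of the 95-character printable-ASCII space that a "must contain an upper-case letter, a digit and a symbol" rule leaves. The character-class sizes are an assumption stated in the code.

```python
import math
from itertools import combinations

# Character classes of printable ASCII (constructed assumption for this example:
# 26 lower, 26 upper, 10 digits, 33 symbols including space = 95 in total).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def bits(n: int) -> float:
    """Search-space size expressed as bits (log2 of the number of candidates)."""
    return math.log2(n)


def keyspace_with_required_classes(length: int, classes: dict, required: tuple) -> int:
    """Count strings of `length` over the union of `classes` that contain at least
    one character from every class named in `required`.

    Inclusion-exclusion over the set of required classes that are *missing*:
    subtract strings lacking one class, add back those lacking two, and so on.
    """
    total = sum(classes.values())
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            alphabet = total - sum(classes[c] for c in missing)
            count += (-1) ** k * alphabet ** length
    return count


def policy_report(length: int) -> dict:
    """For one length, compare the full 95-character space, the subset left by a
    'must contain upper, digit and symbol' rule, and lowercase-only strings."""
    full = keyspace(sum(CLASSES.values()), length)
    ruled = keyspace_with_required_classes(length, CLASSES, ("upper", "digit", "symbol"))
    lower_only = keyspace(CLASSES["lower"], length)
    return {
        "length": length,
        "full_bits": round(bits(full), 2),
        "ruled_bits": round(bits(ruled), 2),
        "ruled_fraction_of_full": ruled / full,
        "lower_only_bits": round(bits(lower_only), 2),
    }


if __name__ == "__main__":
    # The two policies contrasted in the thread: 16 lowercase vs 15 from all 95.
    print("26^16 bits:", round(bits(keyspace(26, 16)), 2))
    print("95^15 bits:", round(bits(keyspace(95, 15)), 2))
    # One extra lowercase letter multiplies the space by 26; widening a 16-char
    # string from 26 to 95 symbols multiplies it by (95/26)^16.
    print("one more letter adds bits:", round(bits(keyspace(26, 17)) - bits(keyspace(26, 16)), 2))
    print("widening 26->95 at 16 chars adds bits:", round(bits(keyspace(95, 16)) - bits(keyspace(26, 16)), 2))
    for n in (8, 12, 15):
        print(policy_report(n))
```

The `ruled_fraction_of_full` figure is the share of the unconstrained space an attacker still has to search once the composition rule is known, so `1 - fraction` is how much the rule hands them for free.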

 
Depends on the bank. It's increasingly easy to anonymously open accounts with challenger banks that use automated ID checks and referral accounts or users as a form of ID. Also, not all countries have the same set of rules or level of enforcement as US / UK ones. The basic principle of all this at scale is like a pyramid scheme: they use previously hacked details and fake accounts to validate or give credibility to the systems of new ones.

Appreciated, but @Roadster280 and myself have accounts with large institutional banks, and my Mrs has worked for 3 of the big institutionals. Mrs Effendi has been an institution's responsible person for staff employment vetting and compliance training for around 20 years now, with the UK and USA regulatory agencies.

What I stated about rings/ groups of individuals/ dodgy organisations infiltrating financial service company call centres happened multiple times in the UK that I know about. The perpetrators in the UK were linked to Al Qaeda, and other similar groups extracting money for their war chests.

If you have a team of 20 to 30 people working in a call centre for 6 to 12 months it is quite easy to collect comprehensive customer information. Enough to start attacking accounts. They were not taking large amounts, a fiver here, a tenner there, maybe the odd 20 quid, and it soon starts to build up. Once they had it set up and running in one bank they moved on to the next bank, where, because they all had a call centre background, they had no problems getting jobs... and so it went on.

My point being that the only way anyone would have all of roadies information is if it has come from a source where it was collected for business reasons.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The USA is farking useless when it comes to personal data security as there are no data privacy laws like there are in euroland. I remember when I rolled up here and had to present myself to immigration to tell them I was here and would they please send me my green card. The customs and border patrol bloke doing our admin looked us both in the eye and said, "do not ever give your social security number to anyone".

The stupid thing is, over here they whinge about ID theft, yet they use their social security numbers as their unique personal identifier for everything from registering with a doctor, dentist, bank account, car loan, any form of financial transaction involving credit, or opening any form of business or trade account. I have spent 10 years telling them to fark off when asked for my social security number. Then they get shirty, telling me they need it or I can't do business with them. I then ask them if they are going to give me a job, pay me a pension, or a disability benefit; when they answer "no" I tell them that in that case they do not need my social security number. If they persist and tell me that unless I give them the information they will not let me use their services, I point out that they are in business to make money and my money is going elsewhere.
 

Last paragraph is exactly right. I got the same speech from the SSA bloke when issued with the number. For a good few years I followed your routine, and fcuked anyone off at the high port who asked for the number. Eventually it was my wife who persuaded me things'd be a bit easier if I did give them it. Look where that's got me!

I think I'll go back to that policy, and look into what the current regs are. Back then, it was "you can't be discriminated against for not providing your SSN". Not sure if that's still the case.
 

I apply the need to know rule. It sometimes pisses off the Mrs, but I don't get scammed.

I sort of half listen when the wife twaddles on about such things; I think the law is now a tad tighter and they may not ask for/collect superfluous data. It does not stop them from trying, as everything here is about data driven marketing... I never even give out my real phone number or email address.

This is based off a couple, or three, occurrences I knew about when I was a copper:

You go somewhere to register to use a service, for example a doctor's surgery. They have your name, address, phone number, and for those of you in the UK they also take a digital scan of your driving licence here to verify your ID. You then go in for some check up, or treatment, and need to pay your 10% that the insurance company does not cover... so you hand over your credit card.

SIDEBAR
OK, so you have just handed over your credit card to a young lady behind the counter who you do not know from Adam. She may have only been working there for a fortnight, and be a member of a group who gets jobs in places where lots of personal details are held and credit cards are freely handed over for payments. And, in two months she will have moved on to a new job, in a new surgery, doing exactly the same thing.

Having taken your credit card the young lady says, "I'll just take it to the machine". Then, quickly using her phone, she photographs the front and rear of your card. Next thing you know you have just been sold for $15 on the dark web.

Similar to the above happened in the UK that I know about.

1. Never just hand over your credit card in an eatery, ALWAYS take the card to the till and watch it being processed.
2. When calling a call centre, even for the most trusted banks, and building societies, never answer any "security questions" that seem beyond the normal, or too probing. Make sure you have their operator number, call back and speak to fraud prevention about your concerns. This happened to me once when I called a large bank the Mrs worked at in the UK. Fraud will go and listen to the recorded calls that operator has received and act accordingly.
3. Never allow your card to be swiped through two machines. This also happened to me at the Newport Pagnell service station southbound. Sadly for the East European lady who did it, I was a copper at the time, called the local CID lads who arrived within half an hour, and within 15 minutes she was unemployed and her swiper was seized. They could not charge or arrest her as there was no actual theft they knew of, or could prove, but her card was, shall we say, marked.
4. Be wary of giving too much information over the phone when buying stuff using your credit card. *ands En* (the clothing catalogue company) was involved in a scam where a couple, or three, of their employees took it upon themselves to use collected information to trouser 500,000 quid of customers money.
 
I still think the best one ever was the one where the bloke put an out of order notice on the night safe. Then stood there with a shopping trolley, dressed in a security guard uniform, with a notice placed on the shopping trolley that read: Place deposits in here.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The Bulgarians get all techy with skimmers. They have actually built false fronts to cashpoint machines that fit perfectly over the cashpoint card slot fascia with a skimmer built into the false front. The skimmer then spends all night, or all weekend, collecting card details with a rotating shift of Bulgarians sat just down the way with a receiver collecting PIN numbers over the airwaves. I took to pulling on the front of UK cashpoint machines once that started to happen... just to make sure it was the machine and not a false front stuck on with double sided carpet tape.
 
I would expect that the fake account may be used for money laundering. Evidently getting hold of bent money is relatively easy, getting it "washed" so it doesn't look dodgy is more difficult. Once it's paid into a legit bank account it becomes "clean" money.

I had one of the fake porn "pay me $2,000 in bitcoin or I'll put your porn videos of you thrapping off in front of the computer all over the internet and to all your friends" emails. The scary thing was that they had a password that I used about 4 years ago for, IIRC, LinkedIn. However, I had my laptop stolen about 4 years ago and immediately changed all my passwords for longer and stronger ones.

I guessed that the scumbag in question had gotten hold of some of the info off my old laptop.

Fortunately, I've never thrapped off in front of a laptop and hence I just deleted the email.
God, these emails are hilarious.

Here's one I received a while ago that I still look at when I need a giggle.


---

Hello.. .

This email is not going to take a lot of your efforts, so direct to the issue. I got a footage of you beating the shit out of your midget friend while at the pornweb site you are visited, due to a fantastic arse program I have was able to place on a few sites with that sort of material.

You press play button and all of the webcams and a microphone start working in addition, it saves every darn thing through your computer, just like contact information, passwords or shit such as dat, think where i have this email from?) So now i know just who my goal is to send that to, in case you aren't planning to settle down this with me.

I am going to place a account address under that you can hit me 730 dollars within 1 dayz maximum via bitcoin. See, it is not that huge of a value to pay, guess this tends to make me not that bad of a guy.

You are welcome to complete whichever da shit you want to, however if i won't find the total in the time period mentioned above, well... you already understand what will occur.

Thus it is up to you at this point. I'm not going to undergo all the info and stuff, simply ain't got precious time for this and you probably know that world-wide-web is filled with mail similar to this, therefore it is also your choice to believe in this or not, there may be only a proven way to figure out.

The following is my btc wallet address:<removed>

Have a great time and remember that time clock is ticking)

---
 

I wonder what their success rate is? One in a hundred thousand? One in a million? Simple maths really. Cost of X emails vs Y return. I suppose it works for them, otherwise they wouldn't do it.

Boggles the mind that some people pay them.
 
Doesn't cost much to send bulk emails, and even if one falls for it, it's still $730 worth of whatever their local currency is in their pockets
 

Depends on the hit rate. Mailchimp is a well-known bulk email sender that I am acquainted with. 75K contacts costs $300/mo. So the hit rate must be somewhere in that ballpark for those that use Mailchimp. I'm sure there are other services, but it's not free once you get into telephone numbers of outgoing emails.
 
I use this site for my passwords - hell, I don't even know what they are - placed in text files in a 7zip (passworded) file on USB sticks.

 

I just bang my head on the keyboard a couple of times.

Relieves frustration and generates passwords that are random enough to pass most idiotic requirements these days

Thank God for mechanical switch keyboards
 
Genuinely, if you have the option and are interested in a secure password rather than a rule-following password, you want 16+ letters and everything else is fluff. I'd usually recommend a contraction of 3-4 words, or some nonsense additions to make it longer.
One other option, particularly for the more forgetful, is to use the opening words of your favourite book (or the first words on an easy to remember page number).
e.g.

ItwasabrightcolddayinApril

WeweresomewherearoundBarstow

Itisatruthuniversallyacknowledged

InthiseditionofReadersWives
 

Sarastro

LE
Kit Reviewer
If you have a team of 20 to 30 people working in a call centre for 6 to 12 months it is quite easy to collect comprehensive customer information. Enough to start attacking accounts. They were not taking large amounts, a fiver here, a tenner there, maybe the odd 20 quid, and it soon starts to build up. Once they had it set up and running in one bank they moved on to the next bank, where, because they all had a call centre background they had no problems getting jobs.........and so it went on.
Yep, so that same pyramid pattern of establishing credibility is also used with online / remote identification to create accounts.

The most ingenious one I've seen was a scam around e-marketplaces. It showed up as small (sub-£10, below the threshold for any checks for a single charge) charge to Amazon, iTunes etc. Then increasingly spammed that charge if not identified. They had clearly made some nonexistent product and managed to get it onto those online stores, and then used the details to pay themselves from stolen cards, with the money going to another set of accounts that were regularly converted into BTC. Wasn't flagged until they got greedy or attributed a store that wasn't used by that person, because for those who use Amazon etc a lot, they probably don't check the details of every single payment.

Despite disliking some elements of it, I have a grudging respect for the foreign bank account I have that now confirms every payment on the card by text/app. It's a reverse 2FA that lets the owner know when a payment has been made, which is actually much better security for the customer than demanding they prove their ID to the bank. It won't stop every fraudulent payment, but it has a much better chance of stopping it happening twice.
 

Sarastro

LE
Kit Reviewer
Some bedtime reading from the NCSC about password spraying

Good to see that the NCSC is giving sensible, correct advice (as you would hope they would), but the number of UK organisations - including govt software - which still use the bad old CISSP manual recommendations is far, far higher than those who use the three word approach suggested there.
 
Welsh language passwords, that's all you ever need for really, really, secure passwords.
 
