Abuse of Usenet: Guest Editorial

by Wulf



The street is dark and foreboding as you walk along the sidewalk.

Suddenly a figure appears from the shadows.

"Don't turn around, this is a robbery."

You hand your wallet over to the general direction of the unseen voice. You have been robbed. You know with a certainty that you have been robbed because the voice at least did you the courtesy of informing you beforehand that you were going to be a few dollars lighter.

You will need to make several phone calls tomorrow to cancel and reissue your credit cards. You feel angry and humiliated. You feel frustrated and confused, but you at least know you have been robbed.

Your credit cards are delivered in about a week, and you only had something like $50 in your wallet to begin with, so life goes on.

Sometime later you are browsing the web and discover a site that has something you desperately want to buy for a great price if you order through the online catalogue. The site is very nicely done and professional. What a nice touch to make it so easy to buy. Otherwise you'd have to drag yourself down to the mall, wait in endless traffic to find parking, not to mention all the hassle in the mall itself you'll avoid by having it delivered to your door.

You enter your name and credit card number into the CGI form. It also requires your social security number for validation of your credit - and your mother's maiden name - for your security, to make sure you are actually the cardholder.

You are delighted that someone has taken the trouble to make sure nobody can use your card but you at this site. You find yourself wishing that other sites would take security this seriously. You click the submit button and your order goes through without a hitch. You feel pretty good about yourself for having saved yourself so much time, trouble and money.

You have just been robbed.

This time the man didn't hide in the shadows. This time he let you find him. You found him because you were looking for something expensive. Something that immediately tells him you have money in your account...

He has your social security number and your mother's maiden name. He calls the credit card company and with the information you have provided to him issues a duplicate card and orders a change of address for your billing account. He is well on his way toward cleaning out your bank account by lunch. He traces your bank through the billing assistance number for the credit card company. He tells them a couple of entries are missing from the check register and wants to verify which bank account the money was drawn on. Now he waits...

A few days later your credit card is delivered to an apartment mailbox. The apartment belonging to the box is vacant and uses a variety of mailbox locks for which there are 16 different keyings. (Don't be shocked, one brand uses only 4 different keyings.) He waits in the cafe down the street from the complex until he sees the postal carrier leave. He finds the correct key on the fifth try and empties the box. His new credit card has come, except that it is going to be your account that gets billed.

He heads off to finish cleaning you out. He charges items which he will return without a receipt for the cash. He only charges a few items at a time to avoid setting off the credit card's usage watchdog program.

He has already been in touch with the folks at your credit card company so he knows your limit, and he can guess what the traffic will bear before they flag the card. He has decided he can probably get about $500 out of your account before it will become risky.

He proceeds slowly. $150 worth of CD's the first day, a half dozen designer shirts at $75 each the next day. He buys things he can claim were given to him as gifts, and will explain to the clerk at the return desk that he didn't get a receipt... after all, they were gifts.

AND...

You still don't know you've been robbed.

He uses the card one last time and buys some home exercise equipment. He can't return it without the receipt, it's too big and too expensive, but he can sell it for a little less than half of its cost. He's done with your card now, so he sells it to someone who uses it to run a phone time scam from a pay phone. And you thought you were gonna get off for less than $1000.

BUT...

You still don't even know you've been robbed yet.

You are waiting the 4-6 weeks for delivery required by the web site you ordered from.

If you tend to get a lot of mail you will probably begin to notice you're only getting the "Occupant" junkmail...because your mailing address has been changed. You will not receive late notices or warnings that your account is being abused until the credit card company tries to reach you by phone.

If you think for a moment that the scene you have just read is overstated, think again. There are high-tech gangs who prey on the ease with which you can be robbed blind without your knowledge. There are even schools in at least one African country which train members in high-tech fraud before sending these folks to America.

The credit card companies know about the risks, but they have an interest in seeing to it that their cards get used. It's how they make money. They aren't going to warn you about what you should look out for because it would imply there is a problem.

The solution?

There isn't a really good one. Since the Federal government allows credit companies to require SSNs in addition to your valid driver's license, your personal information has already been catalogued in painfully minute detail in several databases throughout the country. Anyone possessing your SSN and, yes, your mother's maiden name can find out everything about who you are...

They can find out where you live...what car you drive...what your unlisted phone number is...how much is in your bank account(s)...and where your child goes to school...

The next time someone asks you for your SSN and your credit card number, your mother's maiden name or to sign a waiver allowing your bank account to be billed for recurring charges, imagine you hear a little click, like the sound of the hammer of a gun being cocked.

"Your money or your personal information," the click says.

Now go run and find the guy who robbed you a few weeks back and give him a big hug...he told you he wanted money, took it and left. Now you have to deal with permanent damage to your credit history and you are at risk of arrest for fraud. The police usually have no idea at the start that they are looking for someone using your name. After all, you STILL don't know you have been charging a fortune and opening new bank accounts against which dozens of bad checks will be written. You probably won't know until you try to charge something or write a check. Your mortgage company will call you at work to say your check bounced. You might find yourself being arrested in the middle of a major department store for crimes of which you have no knowledge.

And you're still waiting for the UPS truck to roll up to your door to deliver the cool stuff you ordered on the web a few weeks ago.

If your lights are still on and your phone still works you might try to find the web site you ordered it from, send them a note through E-mail to find out what the delay is. But the site is long gone by now - it was paid for with a credit card number from a previous victim and the Postmaster and FBI are probably already trying to figure out who opened the account, but they will trace it to the cardholder, the victim.

After all, the person who opened that account knew all his personal information, right down to his mother's maiden name.

At this point you are feeling paranoid. It's probably a good thing, too.

Now, set the "Way-Back Machine" for a couple of months ago. You find this really cool site on the web... You go to the BBB (Better Business Bureau) and look for the name, nothing comes back. You understand that a negative answer only means no complaints have been filed yet. Then you do a web search for the Consumer Fraud resources available to you at no cost except your time. These give no indication that anything is wrong, after all, the web site is still young. Nobody realizes yet that it is a problem. You look at the web page again. You notice there is no phone number to call for information. You send an E-Mail requesting further information, such as a verifiable phone number and street address and their business license number.

The next day the site has disappeared.

They have realized someone is looking for them and that you have come very close to closing the gap the police have not yet been able to close. They realize that their only recourse is to cover their tracks and disappear quickly.

But you have not been robbed of your identity today. You have also probably saved a dozen other people from making the mistake of contacting this individual. You will not have to stand before a judge in a few months trying to explain that it wasn't you who charged all the stuff on the card, all the bounced checks. You won't be inconvenienced by an endless sea of paperwork, depositions and phone calls from collection agents.

This time when someone asked you for sensitive personal information you refused to give out your mother's maiden name and your SSN.

Yes, you may have to wait in line at the mall to get what you want or you may find another site on the web selling the same item. It might even look the same... Hey, you don't think for a minute this guy is gonna take the time to actually design that cool page you found? NO, the page's HTML code and graphics were stolen, too. Captured off the web and edited slightly to direct traffic to him rather than the legit site.

This time you contact the legit site by phone and verify their business license through the local Chamber of Commerce. They don't mind a bit that you are nervous about internet transactions. They understand.

You verify that they actually have a mailing address, not a P.O. Box. You explain to the voice on the phone that you would like to purchase the cool item you saw advertised but you will not surrender your SSN (which they do not have the right to ask for in the first place) or your mother's maiden name, but that if they will take your credit card info you will arrange a one-time charge verified through the customer service desk at your credit card company for a one time transaction. If you have trouble getting your credit card company to accommodate you with this, demand to know why not. You are paying for the service they offer. The least they can do is manage your account so that you are not exposed to the risk of fraud.

Yes, it means the convenience of shopping through the internet is not quite as convenient as you may have previously believed. But at least you have a very good chance your identity will remain yours.

In the meantime, the sysadmin at the BBS or ISP doesn't have the personal information that could be hacked into and stripped along with hundreds of names, SSN's and maiden names of mothers - all in a neat comma delimited format for easy importing to the data base of their choice.

The next time someone asks for your mother's maiden name, simply tell them something like, "Thanks for the interest but she's still quite happy with Dad."

Somewhere between "Conspiracy Theory" and "Rebecca of Sunnybrook Farm" lies reality. Unless you pay close attention, however, you might not notice the plot changes until it is too late.

Be very careful.

Peace to you all.

Wulfman


(written specifically for the Help Fund Committee, to which I grant permission to display this as they best see fit. This document may not be copied to other sites on the web without my prior agreement, but may be linked to here.)

Disclaimer: The HELP Fund Committee, Abuse of Usenet/Cyberstalked webmasters, are not responsible for the views of others expressed on any of the pages herein