How to Steal Somebody’s Identity for Fun and Profit

I’ve written lots of blog posts about electronic data breaches and identity theft over the Internet. I even published a book about how a data breach might unfold, and I’m publishing another one about what might happen if a nation-state really does get serious about attacking the United States over the Internet. But for anyone looking for an easy way to steal somebody’s identity, here’s a retro way to do it, with a modern twist.

The picture at the top of this post is a USPS change-of-address packet. It’s filled with ads and one form. Here is a closeup of the form.

The form asks for a name, old address, and new address. Fill it out, mail it in, and the USPS conveniently forwards all your mail to the new address.

Let’s say I want to steal from, say, John Smith, who lives in Houston, Texas. I can walk into a post office in, say, Newport, Minnesota, fill out the form, put a stamp on it, and give it to the guy behind the counter. That’s it. A few days later, mail for John Smith starts coming to me.

It really is that easy. It happened to my friend, Ann and her husband. Here is her story.

This gets better. When the credit card companies find out about John’s new address, they’ll start sending mailings to me. Paper statements have complete account numbers, which means I’ll own John’s credit card numbers. If I want John’s online banking password, I can call the bank, give them John’s new address, and maybe persuade them to reset his password. Or, maybe in a twist of irony, I’ll tell them John is a fraud victim and persuade them to cancel John’s old credit card and send a new one to me.

But relying on my social engineering skills to manipulate a telephone banker into giving me access to John’s information is risky. I have John’s address; now I need something John knows. His Social Security Number would be helpful. I’ve heard there are underground markets where I can buy Social Security Numbers, but I’m not sure where to find the best deals. No problem. Here’s the About page of a website named DeepDotWeb with lists of marketplaces, convenient category ratings, and all kinds of helpful consumer information. They’re even recruiting writers. Maybe I should sign up.

And what weapons does John have to fight back? The US Post Office will send a notice to John’s old address about his new address. Yep. Thanks to the USPS, stealing somebody’s identity is as easy as filling out a form.

Sooner or later, of course, the real John will find out somebody at my address stole his identity. But by then, it will be too late. I’ll live like a king for a few weeks and ruin John’s credit before robbing my next victim. Maybe I’ll use DeepDotWeb to find another marketplace and sell John’s Social Security number.

Who said crime doesn’t pay?

By the way, please don’t complain about publicizing a site like DeepDotWeb. If I could find it with a half-hour of Google searches, so can anyone else. Bad guys collaborate in underground forums all day long. Good guys won’t win by isolating themselves from information.

Outraged? I know I am.

This should be easy to fix. When I change my US Mail address in person, I have to visit a post office and pick up the form. Why not fill out the form right there and give it to somebody behind the counter, along with my ID? At least I would have to go to the trouble of getting a fake ID that way. Why does the Post Office want me to mail it in later with no proof I am who I say I am?

Maybe it’s time to make noise with our government officials. I found a contact link for the Postal Regulatory Commission. If several thousand people submit complaints, maybe they’ll get somebody’s attention. Or maybe they’ll disappear into a bureaucratic black hole.

Nah. Forget all that. I want to get rich quick. My name is Donald J. Trump. My old address is 1600 Pennsylvania Avenue, Washington D.C. My new address is P.O. Box 111, Newport, MN, where I really did spend $15 in March 2018 to rent a post office box for three months with no ID required.

Reboot your Internet router to fend off Russian hackers. And other fairy-tales.

It was all over the news. Russian hackers are inside home Internet routers across America, spying on us, stealing our identities, meddling with elections, and who knows what else. But don’t worry – just reboot that little box with all the wires connected to it and it all goes away. And if reboot is too technical a word, then unplug it and plug it back in. Just like your toaster. And to really make sure, press a little teeny tiny button and reset it back to its factory settings (which will probably break your Internet connection, but just call your ISP and they’ll fix you right back up). Here are a couple of links to typical fluff articles:

Sometimes, we dumb things down so much, the information is worse than worthless.

Why is anyone surprised about Russian attacks? The United States and Russia have been adversaries since the end of WWII. If Russian hackers can find a way to use our Internet connections as a weapon, we should spend less energy on outrage and more energy understanding and defending against it.

More importantly, why do we throw away our critical thinking skills when the subject is technology? Does it bother anyone that this problem has been growing since 2016 and nobody noticed it until recently? I understand that not everyone in the United States is a software engineer, but even toddlers use cell phones and computers these days. Isn’t it about time the public acquired some Internet literacy?

Forget the Internet for a minute. If your car acted badly, and the suggested cure from the service department was “turn it off and back on again,” would that be acceptable? What if the cure were to disconnect and reconnect the battery cables – the equivalent of a reset? Would you be curious about what went wrong and why? And wouldn’t you want it really fixed? Why do we accept weenie fluff around Internet technology when nobody in their right mind would put up with it anywhere else?

Here is a more substantive article from Brian Krebs: FBI: Kindly Reboot Your Router Now, Please. And a pointer to the original Cisco Talos blog that describes the attack, named VPNFilter, and what Cisco did about it.

And indeed, the Talos short-term recommendation is to reboot, and eventually reset, our SOHO (Small office/Home office) Internet routers. The recommendation makes sense. But it’s not the whole picture. And the popular media short-changes the public by failing to inform about the broader context.

Here is a summary of what’s going on. Somebody – probably Russian hackers because the people who analyzed the malicious software noted similarities between what they found on SOHO routers and Russian code from other attacks – planted malicious software in thousands of SOHO routers. The malware has at least two components; one is in the system boot image and phones home for marching orders. The other is only in memory and contains the downloaded marching orders. These may change every time the router phones home, which explains why the analysts don’t know all the details around this attack.

“Phone home” means contacting a command and control mother ship server over the Internet. Apparently, VPNFilter drones find their mother ship via a DNS name. DNS, the Domain Name System, translates names to IP addresses. Think of DNS as kind of like a phonebook for the Internet, which comes in handy when the mother ship moves. When the mother ship moves to a different IP address, its masters can update its DNS records, and VPNFilter drones around the world can still find it.

This worked until recently, when the FBI seized that domain name and pointed the name to its own servers. So, when compromised SOHO routers phone home, now they contact the FBI instead of the Russians.
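To make the mechanics in the last three paragraphs concrete, here is a small added example (my own illustration, not code from the post, from Cisco Talos, or from the FBI). It models the DNS rendezvous: a drone looks up a name and connects to whatever answer comes back, so whoever controls the record controls the botnet, whether that is the operator moving the mother ship or law enforcement pointing the name at a sinkhole. It then shows the defender’s side of the same fact: a router that keeps resolving the seized name is still infected (or re-infected), so a home or small-office DNS log can be checked for it. The domain name, every IP address, and the log lines are constructed placeholders; the real VPNFilter domain is not named on this page and nothing here contacts the network.

```python
"""Model of a DNS-based rendezvous and a defender's check over DNS query logs.
Added example; not from the post, Cisco Talos or the FBI. Every domain,
IP address and log line below is a constructed placeholder."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed placeholders. IPs come from the RFC 5737 documentation
# ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and route nowhere.
C2_DOMAIN = "c2-placeholder.example"
ATTACKER_IP = "198.51.100.7"
SINKHOLE_IP = "192.0.2.44"


@dataclass
class Zone:
    """Stand-in for the authoritative DNS records the domain's controller edits."""
    records: Dict[str, str] = field(default_factory=dict)

    def resolve(self, name: str) -> Optional[str]:
        return self.records.get(name)


def drone_phone_home(zone: Zone, domain: str = C2_DOMAIN) -> Optional[str]:
    """What an infected router does: ask DNS for the name, then talk to
    whatever IP comes back. It never checks who is answering, which is why
    changing the record moves the whole botnet."""
    return zone.resolve(domain)


def move_mothership(zone: Zone, new_ip: str, domain: str = C2_DOMAIN) -> None:
    """Operator relocates the server and updates the record; drones follow."""
    zone.records[domain] = new_ip


def seize_domain(zone: Zone, sinkhole_ip: str = SINKHOLE_IP,
                 domain: str = C2_DOMAIN) -> None:
    """The seizure: the same record edit, done by law enforcement, pointing
    the name at a sinkhole server instead of the attacker."""
    zone.records[domain] = sinkhole_ip


# --- Defender side: find devices that still ask for the seized name ---

# Constructed log format: "<timestamp> client <ip> query <name> -> <answer>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query (?P<qname>\S+) -> (?P<answer>\S+)$"
)

SAMPLE_LOG = """\
2018-05-30T08:00:01Z client 192.168.1.1 query c2-placeholder.example. -> 192.0.2.44
2018-05-30T08:00:05Z client 192.168.1.20 query www.example.com. -> 192.0.2.10
2018-05-30T08:06:02Z client 192.168.1.1 query C2-Placeholder.example -> 192.0.2.44
2018-05-30T08:07:11Z client 192.168.1.31 query mail.example.net. -> 203.0.113.200
garbage line that should be ignored
"""


def find_phoning_home(log_text: str, watch_domains: Set[str]) -> Dict[str, int]:
    """Count, per client IP, queries for any watched domain. Trailing dots and
    letter case are normalised. A device that keeps resolving a seized name is
    still infected even though the answer now points at the sinkhole."""
    watched = {d.rstrip(".").lower() for d in watch_domains}
    hits: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or unrelated line
        qname = m.group("qname").rstrip(".").lower()
        if qname in watched:
            client = m.group("client")
            hits[client] = hits.get(client, 0) + 1
    return hits


def demo() -> Dict[str, Optional[str]]:
    """Walk one drone through: attacker-controlled, relocated, then sinkholed."""
    zone = Zone({C2_DOMAIN: ATTACKER_IP})
    before = drone_phone_home(zone)
    move_mothership(zone, "203.0.113.9")  # placeholder new server
    after_move = drone_phone_home(zone)
    seize_domain(zone)
    after_seizure = drone_phone_home(zone)
    return {"before": before, "after_move": after_move,
            "after_seizure": after_seizure}


if __name__ == "__main__":
    print(demo())
    print(find_phoning_home(SAMPLE_LOG, {C2_DOMAIN}))
```

In the sample log the router at 192.168.1.1 shows up twice while the two client machines do not, which is the signal a home or small-office administrator wants: the sinkhole has taken the drone’s orders away, but the box itself still needs the reset (and an update) the post goes on to discuss.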

Wonderful. Our tax dollars at work. Factory-reset our routers and make the world safe for democracy again. Except, it doesn’t. Here is the dirty little secret with consumer Internet devices nobody likes to talk about. They all use old kernels with known vulnerabilities, and none of the consumer vendors offer credible support. Does anyone seriously believe any consumer router vendor will spend money on software updates for a $50 box, and more money to hold consumers’ hands through an update process? Which means that after consumers factory-reset their routers, sooner or later the Russians will build a new and smarter mother ship and come find them again. But this time, US law enforcement may not get lucky.

What do we do about it? SOHO router vendors and Internet service providers need to step up their games. Consumers pay a monthly fee for Internet service. And since Internet service providers usually bundle routers with monthly service, part of that fee should include frequent router updates, access to a router update site, and prominent and easy-to-follow update instructions.

Somebody needs to educate the public about what SOHO Internet routers do and how to maintain them. I’m not advocating turning everyone into network engineers. But with cars, everyone knows what the steering wheel, gas, and brake pedals do. How many consumers even know how to identify their Internet routers? This has to change. At minimum, every consumer should know how to log in to their Internet router, install updates, turn off remote management, and change (and record) its password.

We can beat back Russian hackers. And anyone else who wants inside our homes over the Internet. But we need to care enough first to take action. The media is in a position to lead the way. Up to the challenge?