Got Tape? You Can Steal an Identity

June 16, 2006 — -- A simple home-grown experiment by one crafty citizen showed just how easy it can be to steal someone's personal information.

Rob Cockerham was tired of getting pre-approved credit card applications in the mail and he reacted the way most of us do by cutting them up and throwing them in the trash.

But Cockerham wondered if that was enough to stop a thief from getting a credit card under his name.

So, he tried an experiment. He tore up a credit card application into tiny pieces, then reassembled all the scraps. Then he taped the whole thing back together. Next, Cockerham crossed out the address and wrote his parent's address instead.

You'd think no bank would accept this mess. But Cockerham sent it off just to make sure. He began documenting the process on his website, www.cockeyed.com and waited for the mailman.

"My father called me and said, 'I have some mail here,'" Cockerham said.

Amazingly his prank worked, and he soon found one thing thieves don't want you to know: It's ridiculously easy to use someone else's good credit to get a credit card in your name -- no questions asked.

"The most outrageous thing is that nobody stopped and said 'what is this?'"

said Bob Sullivan, the author of the identity theft book "Your Evil Twin." "If these red flags didn't set off an alarm bell at a credit card company, what would?"

Chase bank says they take fraud seriously -- and that damaged applications are often electronically scanned -- so no one may have seen its condition. And Cockerham's parents address may have been in his credit file since he did live their years earlier. After 20/20 contacted the bank they promised to change their policy and call applicants when they receive damaged applications. If your credit cards are hit by thieves you're usually not liable for the money they stole, but you could face a huge hassle cleaning up the mess.

There are other threats as well to your financial information, including the massive data thefts at companies that keep your personal records. Even small time crooks can easily buy the lastes technology and then use it to rip you off. Tiny devices like such as a portable credit card reader -- which we bought over the internet for $440-- are all anyone needs to steal your information. The crooks then recruit shop clerks, hotel desk workers and restaurant cashiers -- who swipe your card to pay your bill, then give it a second secret swipe in the tiny reader. And you'll never know until the monthly bill arrives.

The information on the credit card reader, which holds 2000 account numbers, can then be downloaded onto a computer and sold through internet marketplaces to other thieves who then rack up charges on your accounts. And that's not the only high tech heist the bad guys wish we weren't telling you about.

In an ATM scam the thief rigs an ATM by putting his own card reader on top of the real one to capture your card information, and uses a hidden camera like this to see you enter your PIN number.

To hear more about these scams, we went online and chatted with a cash machine crook. He told us he bribes ATM maintenance workers thousands of dollars to install a wireless device that transmits users' information to the thief. Sullivan says your best defense against all this is to closely watch your accounts.

"If you wait for a monthly statement and you throw it in your desk, and you don't look at it for another month, the thief is going to be two months ahead of you and that's going to be way too late to stop things," Sullivan said.

And the next step in high-tech could make life even easier for crooks. The technology is already in the Exxon Mobile Speedpass used by millions to easily charge gas. It contains a tiny chip, called an RFID, that is now being added to everything from credit cards to passports. The RFID or Radio Frequency Identification chip is activated by a signal -- from the gas pump. But Johns Hopkins professor Avi Rubin and his graduate students uncovered a security flaw.

"I don't think the thieves are happy that we've released our research results," Rubin said.

Rubin demonstrated those results at the offices of his company, Independent Security Evaluators. A colleague showed us how a laptop equipped with a special receiver can be hidden away in a bag for easy use. Then all it takes is a stroll down the street to get the laptop within about 6 inches of a Speedpass in a passerby's pocket. In just a quarter of a second the laptop grabs the Speedpass account information -- like an electronic pickpocket.

"It is and the interesting thing about an electronic pickpocket is you don't even have to touch the person," Rubin said.

The data is encrypted, but Rubin's team found that it's an easy code to break. Their computers needed about 25 minutes to do the job.

At an Exxon station they fill up on gas, then use their copy of the Speedpass to pay -- and even load up on junk food all on what would be the unsuspecting victim's dime. Exxon Mobile says Speedpass is secure and that no crooks have done this yet. And if they did its customers wouldn't have to pay.

"The bottom line is that people always underestimate the sophistication of the bad guys," Rubin said.

And Rubin warns that as this new technology spreads to everything from regular credit cards to passports -- all our information could be at risk unless security is beefed up. The industry says the move is well under way in its latest technology.

Tips to Protect Yourself

You can now go to www.annualcreditreport.com for a free look at your credit report-- and make sure there are no strange accounts.

Ignore "phishing" emails and phone calls pretending to be from your bank or credit card company and asking for your account information

Call 888-5-OPTOUT to register for the credit card version of the "do not call" list.

You'll then stop getting most of that pre-approved credit card junk mail.

Buy a shredder to destroy any documents with personal information.