
How I met my identity thief - pepys
https://stories.californiasunday.com/2015-07-05/how-i-met-my-identity-thief/
======
late2part
Good article, thanks for posting. A good friend of mine maintains that there
is no such thing as Identity theft. What we call identity theft is simply bank
fraud. However, in a brilliant marketing reframing, the financial industry has
made the consumer the victim, instead of the financial institution.

Unlike a Gilliamesque world in which a bad actor assumes your identity,
generally a bad guy gains access to your resources, bypassing the protections
set in. While the consumer is guilty of this sometimes, the victim harmed is
almost always the institution, not the consumer; and yet the consumer is
framed as the victim.

In a signature based authentication system, the banks suggest YOU are the
victim of identity theft if someone gets your credit card number when it's
their authentication system that was 'hacked.'

Similarly, checking account numbers, etc.

Of course there are exceptions, people use bad passwords, they allow others to
get their info, etc.

But, I do think this term "identity theft" is often overused.

~~~
ableal
If your friend is the Patrick Kelly who contributed the comment quoted below
at [http://www.cringely.com/2015/04/15/where-the-money-is-or-
was...](http://www.cringely.com/2015/04/15/where-the-money-is-or-was/) , his
words should get more circulation

 _" ""

“Identity theft” is a lie. There is no such thing as “identity theft”, it’s
all fraud. The term “identity theft” was created to put the burden back on the
consumer, away from financial institutions. The actual problem is that the
cost of actually verifying identity is higher than financial institutions want
to bear. Most of the cost would be in missed loan opportunities. Financial
institutions don’t want to bear the cost of verifying identity so they
experience fraud (surprise!) and then tell us that somehow we have to protect
our identity. It’s insane.

If it was legally required that you appear in a bank with an ID to get a loan
or a credit card, imagine what would happen to “identity theft”. There’s
nothing wrong with filing electronically, but how about having people come to
the post office, with ID and a thumb drive, show ID and sign a log, then file
from there?

"""_

~~~
makomk
It's not an uncommon idea. There's a Mitchell and Webb sketch about it too
that you may be able to find online somewhere.

~~~
walterbell
Here you go:
[https://m.youtube.com/watch?v=oOQBpHN_kS0](https://m.youtube.com/watch?v=oOQBpHN_kS0)

------
msvan
> If you’re not famous, no one cares what you have to say, but if you’re
> famous, it doesn’t matter what you’re talking about, people pay attention
> and like you.

This is the most interesting comment in the whole story, in my opinion. I
might be taking it entirely out of context, but I wonder if, as our world
grows larger and more automated, celebrity becomes a relatively more important
form of capital. The growing prosperity and connectedness of the world
population creates a new class of consumers to be influenced by celebrity,
which is infinitely replicable due to the internet. Meanwhile, typical jobs
get robotized whereas social capital is hard to automate away.

Celebrity has always been an object of desire, but it probably feels more
attainable these days. There are more niches to fill and easier distribution
channels for it. We used to compete for attention in our vicinity, but the
internet makes us small and has us pining to be noticed. [/armchair analysis]

~~~
Kortaggio
A good keyword is "attention economy" if you're interested in further research
on the topic--it's an interesting hypothesis about how "information" is no
longer the dominant mode of economics. Your post reminds me of this article:
[http://markmanson.net/attention](http://markmanson.net/attention)

------
jondubois
Sorry for sounding cynical, but this hacker just hacked his way into the
author's brain (social engineering). Of course he likes chicken biryani. I
also like chicken biryani! Now tell me what your favorite drink is and I'll
tell you what mine is!

Successful/influential people tend to greatly underestimate the lengths that
some people will go to just to put thoughts inside their influential brains.

When you let someone else's thoughts get inside your brain, you are giving
them power over you. You should only give that power to people you actually
trust, not random people who hacked into your account.

I think that's why it's so hard to reach influential people (aside from the
fact that they get zillions of emails per day). At least at a subconscious
level, they must feel like their brains are constantly under assault by
foreign thoughts (often coming from people who are trying to gain something
out of it).

The mind is like a sponge, it absorbs everything around it. People believe
that they have control over what they believe, but it's not the case. Your
environment will decide for you what you believe.

That's why brainwashing works and why there are so many terrorists. Everyone
is vulnerable.

~~~
GhotiFish
Always good to remind people:

Everyone is vulnerable.

You are included in everyone.

------
joergsauer
Interesting article, but more details on how the attack succeeded would have
been worth reading. Was it a problem with password reset in the Harvard email
system, i.e. was publicly available information used to answer a verification
question in combination with an arbitrary email address? Or was it a social
engineering attack, i.e. did the attacker convince somebody at Harvard to
initiate a password reset using this information?

~~~
jakejake
From the article "Itz very simple sir… Im hacked your account in 2 min… Im
learned ur boi (bio) from internet… and create gmail account like yours then I
fill the submit form with my email and Harvard send mail the Password change
link.. That it…"

~~~
nchelluri
So I don't quite understand that... Trying to piece it together.

Perhaps the Harvard email system will allow you to send a Reset Password link
to an arbitrary (?) email address if you correctly identify some "identity
verification" questions, and this guy was able to glean the answers to those
questions from reading the article author's bio?

~~~
jakejake
Didn't sound like it was too awfully difficult but yea, pretty thin on the
details. Here's Harvards password reset instructions...
[http://huit.harvard.edu/reset-your-harvard-
password](http://huit.harvard.edu/reset-your-harvard-password)

------
anonacct37
This seems like the modern day equivalent of joy riding. I wonder whether this
young hacker will clean up his act and later laugh at this conversation with a
journalist or if this is the first step on a slippery slope to hardened
criminal?

~~~
e40
_This seems like the modern day equivalent of joy riding._

Exactly. However, there's a wiff of sociopath in the responses, ever so
slight. He seems to not feel remorse about things I would never do.

~~~
GhotiFish
I noticed that as well. Everything was "happening to him". His girlfriend
cheated on him. The world just isn't taking him seriously, he's obviously down
on his luck and this was just a cry for attention yada yada yada.

Efficiently re-contextualizing each of his actions in an attempt to garner
sympathy. It's not a slam dunk but there is a possibility of some psychopathic
characteristics here.

For the record, I'd lay odds at 2% ish. If I was on Baratunde Thurston side of
the conversation though, I would be operating on that assumption that he is
one.

------
iopq
In what world does Facebook constitute someone's identity?

OH NO SOMEONE HACKED MY AOL ACCOUNT BETTER CALL THE FEDS

~~~
quicklyfrozen
The world in which people get fired for things they post on FB.

------
TwoBit
Facebook was set to use the Harvard email address as the reset emsil address?
The lesson here is to be very careful about what kind of email provider you
use for a reset address. Clearly the weakest link here is that shitty Harvard
email administration.

------
Zekio
Great article, wish i had such an experience when getting an account hacked

~~~
dharma1
My thoughts too, both seem to be pretty decent people

~~~
imjustsaying
Being stalked can be flattering.

------
antonius
No blackmail? No money in return? This hacker was definitely more considerate
than your typical hacker with ill intentions.

~~~
sombremesa
Seems like a young person making some bad calls in life and enjoying the
thrill of doing things you're not supposed to do or be able to do.

Can definitely be a slippery slope, though.

------
curiousjorge
100 years of British oppression have created a uniquely insane breed of online
thugs, why do they all use "Sir" online? Do they actually believe they portray
an air of dignity and respect?

I know people blame poverty and stuff but so did Taiwan, Japan, Germany, Korea
have all gone through far worse state but you never see the same behavior.
People leave their cars with keys or wallet hanging out while passed out drunk
in Korea, and miraculously you are belongings and yourself is intact. If you
don't believe me just go to Korea or Japan.

~~~
Manishearth
"Sir" is a common way of addressing someone "above you" in India.

In general folks in India have a policy of "respecting elders" and "those
above you" (teachers, your boss, etc), but this is mostly faux respect in the
form of honorifics and not arguing with statements by these people. I don't
like this too much (grew up in the States, people earn respect there), but
sometimes I do it too in some contexts because it's a social norm.

I don't think this has anything to do with British oppression. Sir is just an
honorific applied willy-nilly by Indians both online and offline.

~~~
cardiffspaceman
It is willy-nilly IMHO. Over the phone an Indian (or is the custom also common
in other countries too?) spoke to me, a peer and I might add a Yankee, with a
"sa" at the beginning of half his sentences. During the call I parsed this as
"um" or "yep" would be parsed, and after the call I thought maybe it was a
"sir" in a non-rhotic accent.

