Source: at 17 I was running a black-hat hacker collective and had, through a series of bad choices, got pretty deep into the 'real-world' side of that business: fraud. The day after my 19th birthday my house was raided by the US Secret Service and the UK Serious Organised Crime Agency in a worldwide coordinated swoop that took in dozens of loosely affiliated people. I have since completely rebuilt my life, so I don't mind anonymously sharing this.
Stealing an identity is trivially easy. Society revolves around relationships of trust between organisations and individuals, and the trust runs amazingly deep. The basic information you need to do it is publicly available: date of birth, mother's maiden name (on the birth certificate and parents' marriage certificate respectively, copies available on request from the records office).
Carrying out the ID theft takes resources and balls. You'll need to be able to manufacture ID documents, or have access to someone who does. Nowadays you can buy them on one of the onion dark markets. Generally you want a driving license, as this is the easiest to forge form of ID that gets you complete access. Banks, governments, etc. will accept it.
Sadly, making driving licenses is not too hard - document security is pretty weak. You'll need to make yourself some ultra-high resolution scans, trace the entire design in illustrator, and then get hold of some printing equipment. You usually want to print on teslin (http://en.wikipedia.org/wiki/Teslin_(material)), and laminate with a high-quality laminator. UV seals can be easily replicated by hacking an epson printer to use modified cartridges with UV pigments injected into them. Holograms can also be replicated by dusting your laminate with interference pigments and reverse-printing in clear ink to fix the design. It can all be done on commodity hardware.
With a driving license and dob/mother's maiden name you can then access a huge amount of someone's sensitive information, and more importantly, control their relationships with organisations. I don't want this to be a tutorial, so I'll simply say that with several more pieces of information you can take out credit in someone's name, control their existing accounts (e.g. by adding yourself as a new cardholder), or start causing trouble in their name.
A final word of caution. While it's easy to get people's information from government records offices, it's even easier to get it from them personally. We used to call people and social engineer them into giving us their DOB, bank account numbers, secret words, etc. Don't be stupid with your information: never tell someone your data down the telephone unless you called them. Oh, and if you're thinking of committing identity fraud, think again. It's not hard to pull off, but you're not smart enough to do it without getting caught. Everyone gets caught in the end.
Actually my biggest lesson about identity theft is that most people just don't need to worry. The negative effect of identity theft in 9999/1000 cases is just the inconvenience of correcting the mistakes by informing various institutions about it. In the last 5 years or so, banks have got very good at clearing up the mess fast.
You need to assess the risk, taking into account the very low probability of having your identity stolen and the fairly low inconvenience, against the time and effort it takes to take protective measures. Don't live in fear of it.
That said, the single best way to protect yourself from random ID theft is to use a decent bank with good fraud protection. In the UK, Barclays and HSBC are very good, Natwest and Halifax are very bad. Citibank is a bad US one.
This isn't true at all. You generally don't have to worry about credit card theft, you're not liable. ID theft is completely different.
If someone steals your ID and drains your bank account it's going to be much harder and more time consuming to get your money back. If someone opens credit cards under your ID it will be easier to correct than losing your bank account but can still be very time consuming. Often people discover the issue when they're applying for new credit, such as a mortgage. Correcting your credit issues can take months to resolve. They could lose a house they're trying to buy if they don't get approved.
Well, I just disagree. My experience is that recovering your bank account after fraud is trivial. Fixing fraudulently obtained credit takes longer, but basically just involves going through a formal process with credit reference agencies and lenders. If you want to protect against this, you can get a credit record protection service from any of the major credit agencies, where they alert you if there is any activity on your credit record s you can fix it.
edit: nobody should be so unaware of their own credit record that they lose a house sale because of undiscovered fraud. Keeping on top of it is very cheap and as simple as registering on a website (UK example: https://www.creditexpert.co.uk)
Don't overuse any website that lists your name, DOB, first pet's name, mother's maiden name, your high school (and maybe even the teachers, including your favorite one), the street you live on, and so on.
The hard part, I imagine, is testing that's a good-enough fake. Standing in front of the passport agent or getting pulled over are probably the worst possible times to learn your print was an eighth of an inch off in the wrong place.
Yeah, there are a few hard parts that I left out. Making it 'good enough' is hard, but for a reason I found surprising when developing the methods. Making the design look exactly right is quite easy, but making it feel perfect is damn-near impossible. The way it bends and the texture in your hands are qualities of the exact manufacturing process and materials, and you can never quite nail it with a knock-off.
That said, most people will never hand them to a customs agent, and I had reports that mine were accepted as ID by police officers on several occasions. Maybe the forger is more sensitive to the differences than most.
You know a small subsample of the total number of people committing fraud. I'm a former blackhat / ID thief / fraudster too. I worked for the US secret service for 2 years and saw what percentage of people were caught. And those were just the online fraudsters we knew about.
Source: a long time ago I read several books on this topic because I collected odd books and I found three of them in an estate sale. The instructions below are how this was done in the early 90's and earlier, but today, with increased security and faster records access, the information is probably well out of date.
Traditionally, the best way to do this has always been to establish a solid "breeder document". This is a document used to procure other documents and assure someone that the person is who they claim to be. Typically this was a birth certificate.
There were two general ways of doing this. One way was to apply for the birth certificate of someone already alive, but living in another state and unlikely to travel internationally (assuming you wanted a passport). However, this is less likely to be successful today given the widespread information available on everyone.
The other way was to acquire the birth certificate of someone who was deceased. In theory, you want someone who was born in one state and died in another to ensure that the birth certificate won't be stamped as "deceased".
One thing to be avoided is to scan news stories of people who died in well-publicized accidents: if others have applied for the birth certificate (having the same idea in mind) too many times, a certificate may get flagged as suspect and extra scrutiny be applied to requests for it.
Once you have the birth certificate, you then start obtaining "supporting" documentation, such as library cards, or maybe register for a local community college and get a student ID (those are often easy to get and are readily accepted as valid ID).
Eventually you'll want to apply for a state-issued ID card. Some states have stricter requirements than others. There was a time when you could apply for one with a library card and your birth certificate, but those times seem to be long-gone. States will generally require a social security number, too.
Applying for the social security number was always the tricky bit. One source recommended altering your "photocopied" documents to show that you were under-age and then apply by mail (the Social Security card doesn't list your age, after all). If you are ready to retire, file to correct the "bookkeeping error" that incorrectly lists your age. I am suspicious of whether or not this would work.
As you can see, the process is essentially one of building momentum of starting with small, easy-to-acquire documents and working your way up the chain. It was a long, slow, laborious process and it used to be that acquiring an alternate identity wasn't necessarily illegal so long as you did not due so for purposes of fraud. Today, I believe it's illegal in all fifty state.
That being said, I wouldn't try this today (hell, I never would have tried it when it was still feasible). It's worth several penal slaps on the wrist.
I'm sure that a cunning person can take the plan above and work out how to acquire a new identity today, but I'd not recommend it.
>for the right price (a couple of hundred thousand, last I heard), will get you a diplomatic passport from a dodgy country
I don't buy this. Sure you'll be able to buy a passport, but a diplomatic one - I doubt it. And if by some miracle you do pull it off then the country issuing the passport will be so dodgy that nobody recognizes it anyway.
Actually it's quite possible. some (all that I know of actually) African countries issue diplomatic passport not only to foreigners acting on behalf of government but those who work for multinationals so if someone can get you signed up as an 'employee' of a multinational, getting a diplomatic passport gets easy from there
You're right, this information is very dated. The "dead baby" method has been dead for a long, long time. Using someone who died when they're older is even less likely to work since they would have had an SSN issued and it'd be in the social security death index (SSDI).
The SSDI is based on a self-reporting mechanism. If you acquired the birth certificate of someone who had never acquired a social security number or whose death had not been reported, it shouldn't be in the SSDI.
Thus, while it might be hard to verify whether or not someone is in the index, there are many people who are not in said index. Consider: why does someone's death get reported to Social Security? So someone else can claims the death benefits. There wouldn't be much incentive to do that for a child.
That being said, the older you are, the harder it would be to explain why you never had an SSN, making this much harder to pull off today.
Update: That being said, it appears that the US switched to a national data collection system in the 1990s. It's the NVSS (National Vital Statistics System, http://www.cdc.gov/nchs/births.htm) which will track the births and deaths for you.
Let me be the first to welcome those fine representatives of three letter agencies to this discussion. I hope you enjoy your stay and enjoy watching the process of having turned almost a whole industry against you.
Thanks to your "freedom enhancement techniques" even (most likely) innocent citizens are by now considering using methods previously reserved for high level criminals.
When you use fake-quotes like "freedom enhancement techniques" and someone discovers that no three-letter agency or government organization has ever actually said such a thing -- that such a quote isn't exactly grounded in reality (Google only turned up http://www.dailykos.com/story/2010/01/31/832543/-President-P..., which was satire), they're inclined to believe "Hey, if they weren't entirely truthful with this aspect of their argument, maybe I shouldn't bother checking out the rest of the stuff they said."
Call it seeing the forest for the strawman; either way, there's enough of an argument to be made by sticking to the facts.
It is frustrating that quotation marks have come to have two, almost perfectly opposite meanings (the traditional "words someone actually said" and the new "words no one actually said"). I guess the battle against the new usage is lost though.
I think it's interesting - Proust talks about this, an intonation to show detachment.
As he spoke I noticed, what had often struck me before in his conversations with my grandmother’s sisters, that whenever he spoke of serious matters, whenever he used an expression which seemed to imply a definite opinion upon some important subject, he would take care to isolate, to sterilise it by using a special intonation, mechanical and ironic, as though he had put the phrase or word between inverted commas, and was anxious to disclaim any personal responsibility for it; as who should say “the ’hierarchy,’ don’t you know, as silly people call it.
People have always used air quotes to show they're quoting someone's exact words, and also when they're being sarcastic and making up a quote. It's just hard to tell when people are being sarcastic in text.
2) Enter a witness-protection program by testifying against murderous criminals
3) Buy one on the black market. This can be as simple as a barely-passable driver's licence for underage drinkers, or as sophisticated as a complete set of papers (birth cert, etc) forged by a master [http://www.ted.com/talks/sarah_kaminsky.html]
4) Steal (or trade) someone else's established identity
5) Create an identity for a child who died shortly after birth.
To do this last one you:
- Ask the birth registration office for a copy of the birth certificate
- Use that to get a national id number (like a SSN in the US or SIN in Canada)
- Use those to open a bank account
- Use those to get a credit card (probably a secured card meaning you have to keep a positive balance on the card)
- Buy a course at a driving school. Let them get everything ready to take the driving exam and as a bonus you get to use their car. They also add legitimacy by implicitly vouching for your identity
- Get a driver's licence
- Use everything you already acquired above to get a passport
Here's one anecdote - a woman I know has a very youthful appearance. Inevitably when she has to provide ID, the person reading her ID will exclaim that she can't really be XX years old. They think it is a compliment, but it enrages my friend because that person has now disclosed her actual age to anyone near by, including any acquaintances that might be accompanying her.
So, she asked me to create a fake-id to use in such situations. We made a really low quality id - a laminated "state id" (not even a driver's license) from one of the more obscure states a thousand miles away from her residence. Completely ginned up, not even intended to look like the actual id from that state. The information on the ID was correct, except that her age was listed as ten years younger then she really is.
She's been happily using that fake-id in those circumstances where they are just being nosey and there isn't a legal requirement for an id. Being nosey means they feed that information into databases at companies like Blue Kai. The result is that she has a shadow identity in those systems that is exactly 10 years younger. If you look her up on a website like spokeo there are typically two entries - one for her true age and one of the fake-id age.
Anyway, the lesson I learned from all that is GIGO - these commercial profiling databases are no better than the quality of information that goes into them and the controls on that information are no better than a minimum wage clerk taking applications at Costco or the local gym franchaise.
If you intend to use a fake-id simply as a way to compartmentalize the pervasive tracking rather than commit fraud it does not take much. You don't need a birth certificate from a deceased child, or to bribe someone at the passport office. Just get yourself a fake-id like that available near most colleges and start using it - most of the people you show it too couldn't care less about its authenticity, even if they knew how to check they don't bother because it's not their job.
The one bit of tactical advice I have is to look up name frequencies and pick ethnically appropriate names that are very common. That will help to make your information blend in with all the other people with the same name.
On the flip side of these fine folks, you can obtain a real new identity with relative ease, and totally legally. Of course, this will not prevent someone truly dedicated to locating you, but it will make it much more difficult.
0) Pay off all of your debt
1) Go to a small town
2) Legally change your name
3) Regenerate all of your essential documents, with your new name
4) Move to a big city
5) Change your lifestyle entirely (use the internet only where necessary, use cash wherever possible, don't log back into facebook/hacker news, etc)
6) Don't give someone a reason to come looking for you (i.e. pay your taxes regularly, don't become a missing person, etc)
If you don't apply for credit, it's harder to pull a credit report on you. The public record portion of a credit report is also not comprehensive - they only obtain easily gathered public information (and are usually only interested in bankruptcy and felony findings). For example, my wife's name change is not recorded in her credit report. Hence the small city, and the recommendation to use cash, not debt. The alternate names section typically relies on you obtaining credit under the new name, using the same SSN.
Your SSN is only going to really be used for a very specific set of instances - most frequently job related (and then protected by a number of laws).
There will always be a trail for someone to follow, but as long as you don't have someone with the resources of the government looking for you, the trail will be very hard to follow.
The first thing to do is realize that there are only a few limited situations in which you are ever legally obligated to tell the truth (or to say anything at all).
Allow that to empower you and the truth will literally set you free. Truthfully, you are almost always free to lie. Find those boundaries and tiptoe without crossing them.
I imagine that even if you are able to take advantage of some of the other advice in this thread about gaining actual documents and whatnot, you are more likely to get caught if you aren't willing to stretch the truth or lie.
"Out on the edge you see all kinds of things you can't see from the center."
I really enjoy watching fox news or listening to rush limbaugh and I find that the longer I take it in, the more I learn how to hone this practical skill.
I agree with you, but I don't think you should consider the act of using multiple identities itself to be lying. Or at least, calling it that seems harsh. Do actors lie when they use stage names? Are authors lying when they publish under pen names?
Sure, some may use nicknames or professional names because they're more marketable. But others use pseudonyms for privacy protection. They want to compartmentalize their own identity, and I consider that a perfectly valid purpose.
Sure it's valid.. and in the US, if I'm not mistaken, it's expressly legal to call yourself whatever you want - as long as you aren't doing so to commit a crime.
So during day to day business and life, you can call yourself whatever you want. Others can insist on identification if it's important to them, and that gets trickier.. but using a pen-name on a book or a hotel reservation is no different than using a fake name at starbucks while waiting for your coffee.
Forging documents is of course illegal, so that puts a crimp on things - but there is no particular reason that you are required to use your "real" name except when dealing with government documents (and things that rely on them)
Those are both examples where you would heavily expect suspension of disbelief so I don't think they're analogous to the purpose the OP is asking about. You're not testing your skills against people, you're testing them for people.
which is why you never talk to the police, or the Feds: http://www.youtube.com/watch?v=6wXkI4t7nuc
Can't post this often enough, because it takes a lawyer to explain that even if you're "innocent" (scare quotes, ha ha), you're in danger
On top of all the other steps, you'll want to get cosmetic surgery to alter your face to match the new identity.
In the US at least the FBI has a program in collaboration with every state DMV to perform facial recognition on drivers licenses applications. This has been used to catch people who tried to generate fake identities to escape sex-offender registration for instance. 
If your new identity is going to be vulnerable to someone posting your picture to facebook, it's not strong enough.
There used to be, a few years ago, an onion site relating exactly to this topic, they had a wiki-style setup with everything you would need to get this operation done and even where to obtain the resources needed for it.
Biometrics is going to make fake identities a thing of the past unless you figure out how to effectively cross borders. Biometrics is even becoming a problem for CIA HUMINT operations because its hard to fake who you are when fingerprints and iris scans are being used.
If you're talking about a real world fake identity (eg. social security, passport, etc) then it seems to come down to falsifying documents or paying off a worker to create the documents for you. This is a lot easier in some countries than others - for example, getting a fake Egyptian passport or Zimbabwe passport is likely to be incredibly easy right now. Once you have the passport, getting a tourist VISA to just about anywhere is generally incredibly easy.
If you're talking online fake identity, way easier. Head over to some local place that has internet access - a coffee shop, etc. Sign up for a facebook account and a google account using a fake name. Well done, you're now a new person.
If you plan to use these fake identities to commit crimes, however, then I wouldn't recommend it. Once law enforcement has a warrant it becomes easy enough to head over to that cafe and tracking someone down is what cops do. But for privacy and posting stuff online? Works 100% as long as you keep your fake traffic completely separate.
Hey Y'all, this response really exceeded my expectations! Snark aside, linking me to the hiddenWiki was probably the most helpful single response. Im new to this kind of question in a lot of ways, so it's all been pretty helpful, debate about quotes aside.
Didn't create the hn identity via tor, but luckily after the one signup (not telling from where) I'm able to log in that way.
I guess the big question for a lot of people was "why?" and I bet no one will believe me when I say that this is an intellectual exercise for me, thus far. Sort of one way of getting at the deeper question of identity construction. Thus, the heath bunting reco was relevant.
The one piece of info that would really round this discussion out, though, is an examination of how the other side would attack a ginned-up id. Any insights, deep or googleweb would be appreciated.
A friend of mine works for Child Protective Services and gets exposed to some very volatile and unstable people. He gets threats from cases he's assigned, but thankfully nothing too serious or pervasive. Now that he's got a kid on the way, he's a bit more concerned. The only thought I had was to create an alias, but I'm really not sure how someone would go about doing that.
That book might be a great start for him, but if anyone has recommendations, I'm ears.
".....Suppose you wish to send $25,000 from Vancouver, British Columbia, to a friend in Helsinki, Finland. You would hand $25,000 cash to a Vancouver money changer (Hawaladar) in Vancouver, and receive code words (or an agreed signal such as a secret handshake) and a contact address in Helsinki. No actual cash moves out of Canada. Instead, when your friend gives the code to the correspondent hawaladar in helsinki, he will receive the equivalent in euros (less a commission) from money that is already there. To review:
-There are no written documents. The exchanges are based on mutual trust (perhaps for that reason unpopular in the United States?).
-Only local currencies are used. Thus, if you are sending money from the UK to Mexico, you pay in pounds and the receiver in Mexico collects in pesos.
-This exchange cannot be traced because no money crosses a border.
Hawala (Arabic: meaning transfer), also known as hundi, is an informal value transfer system based on the performance and honour of a huge network of money brokers, which are primarily located in the Middle East, North Africa, the Horn of Africa, and the Indian subcontinent. It is basically a parallel or alternative remittance system that exists or operates outside of, or parallel to traditional banking or financial channels.
I suppose the system only works as long as the net sum of all transactions arriving (+) and departing (-) any given location is zero in the long term. But I can imagine there are locations that are net payers and others that are net receivers of money. What happens then, to settle the difference?
This is straightforward, simple. The funds never cross borders. This is old, established popular exchange system. I expect there are more Hawaladars than there are brick and mortar banks. See Wikipedia.
I understand that money never needs to cross borders. But presumably this only works when there are enough local senders of money to offset the "incoming" funds to be collected by local recipients.
My question was what happens if, for example, people in Helsinki are always only recipients? The Finnish branch of the organisation is providing them with Euros, but if there are no Finnish senders of money (or more likely: the Finns as a group simply don't send as much as they receive) where do the Euros come from?
> There are no written documents. The exchanges are based on mutual trust (perhaps for that reason unpopular in the United States?).
This would make it less popular in most of the developed world, with some exceptions, including (possibly) ones in the US. It's the difference between high- and low-context cultures, with the Arab world being generally more high-context than most of the US, with the exception of the South and Texas.
In addition, some subcultures are fairly low-context even if they exist in a generally high-context culture. A "Good Old Boy's Network" is going to be low-context regardless of where it is. https://en.wikipedia.org/wiki/Old_boy_network Exclusive? Yes. Exclusionary? Hell, yeah. Those are the costs of being able to do business on a handshake.
One tip to avoid being a victim is to never answer those online security questions with a real answer because they can be easily figured out (I usually answer with a password that I don't even bother to remember).
An important aspect of this is to create a fake biometric. I am thinking fingerprint and iris. I work in the area of fake biometric detection, and let me tell you its quite easy to make a fake fingerprint. Clearly, its hard to create a fake biometric that impersonates someone else, but a new fake one is easy.
Indirectly related to your question: you can find some interesting food for thought from the Delhi episode of Scam City. By the end of the episode the host has a paper trail of (phony) medical problems and, eventually, his own death certificate.
A number of states now require at least some kind of substantiation of your identity to get a copy of the birth certificate, although what exactly you can use varies, and sometimes you can apply by mail with photocopies.
The last 2 (U.S.) state Ids I have applied for have required 4 types of information(in the last year or so, in different states). 2 documents showing an address (proof of residence in the state), a social security card, proof of status in the U.S. (a valid passport or various birth certificate like documents), and proof of identification (these documents carry varying weight, an ID from another state is a good one...).
I needed a birth certificate, the options for getting that were to send a photocopy of my driver's license (certificate mailed to that address) or have a parent apply for one.
Just don't try to create an HN account while connected via that network that starts with a "t" and rhymes with "door". Your account will be hellbanned with quickness (even if you don't do anything wrong).
Why do you need "a" identity as in singular, why can't you have multiple identities, and it seems easier to adjust your lifestyle to require minimal identification rather than to get "a" new identity.
You can go to immense efforts to subscribe to 2600 magazine without the bank or the mailman or the FBI knowing who you really are. That's all very impressive in a way. But for the overall system, it turns out to be a heck of a lot easier, cheaper, safer, and just plain ole better to walk to the nearest B+N and buy an issue with cash.
This seems to come up over and over WRT identity. Changing how you use it is simpler than changing the identity itself.
I've heard some apartment rental companies are a pain, running all manner of checks and requiring all kinds of paperwork. Then again your average illegal unzoned HOA denied landlord simply wants cash for a "good tenant". And the guy who sleeps over at his friends apartment couch for cash as a roommate has no documentation at all.
Gearing up to use a grocery store loyalty card with a fake id for your fake checking account at the fake address with the fake loyalty card to save 15 cents on an apple takes a lot of work and risk and money, or ... you could just pay cash at the full price at the farmers market, probably cheaper than the supermarket anyway.
The outside the box thinking will help a lot more than a magical set of documents ever will. And I don't even have any use for this stuff, imagine what I could do if I put my mind to it.
I think by "change how you use identity" I mean a lifestyle change not a minor procedure change.
As per your example, most people with no identity issues tend to walk into the car dealer and buy a car with a loan and the dealer runs a credit check on them before they even get to test drive (happened to me...). I agree, walking in with a duffel bag of cash is not going to work.
On the other hand, why not buy a "decent" project car for cash from a private citizen, then spend cash at car shops upgrading it to a quite nice hot rod?
Or the meta question of, why buy a car? If a decent fake ID is so expensive, and the cost of detection is so high, why not just pay a cabbie or live in NYC and not own a car?
The startup lesson here, if any, is optimize the big picture, then once that is done, work on optimizing the little picture stuff.
If the cost, both financial and risk, of having a car while remaining private is very high, then don't have a car.
On the other hand, as far as I know, fake profiles on facebook are no big deal, just put enough up not to be suspiciously empty. One important datapoint is I'm not operating under a fake ID, and I had a FB account years and years ago back when it was new and just opened to the public, it was a total waste of time, so after awhile I deleted it, and absolutely no one cares. Its right up there with being one of those guys who doesn't own a TV and tells everyone about it all the time. So a guy operating under a fake identity has at least one anecdote that at least one guy with a real identity found not having a FB account to be completely totally unimportant to modern living.
People who discuss living outside the identity system never seem to mention our explosively growing illegal population. This stuff has all been figured out, if you're willing to learn spanish and be friendly. If a hispanic looking dude can get away with calling himself an illegal, and everything turns out OK, then I can probably call myself a German illegal, or whatever. Germans have pretty good records and might cooperate with the locals... How about my becoming a south african illegal? That would probably work.
I would suggest the following (it's definitely not a one off ala day of the jackal, but it seems feasible.
* Start with modern world bribe money (say 500k)
* find out who works at mid-level of the passport office
* approach them with the following (true) story - we are MI6, or at least a small department of it. We have to travel to various countries, but these days once my iris is scanned as Joe it's very awkward coming in 6 months as Frank on a different job. So we need people like you to swap in and out iris scans as we need them, no traces left.
We will show you how to steal your bosses password.
* if you chosen correctly, she is already working for a different agency and is happy to increase the salary again.