October 26, 2005

Jury duty phishing

Oh, this is very clever:
10-26-05 - The newest form of identity theft is targeting one of America's least favorite obligations, jury duty. Scammers pretend to be court officials taking victims' private information over the phone.

Scammers call their victims at home claiming to be a jury coordinator. They say that you didn't show up for jury duty and a warrant has been issued for your arrest.

When you say you didn't get a summons they ask for your Social Security number and date of birth to verify their information, and that's where they get you.

Martha Rhynes, jury coordinator, says, "We never call and ask anyone for their Social Security number, date of birth, or other personal information."

Martha Rhynes is a real jury coordinator in Grayson County. She says the courts only communicate with potential jurors by mail, not by phone. That includes no-shows.

As has been observed before, phishing is a social attack. Such attacks work best when the victim has a real opportunity to cooperate. I'd say avoiding getting arrested is a pretty good incentive. To make things more effective, people don't interact with the criminal justice system that often, so they don't have enough experience to realize the call is improper.

Posted by ekr at October 26, 2005 10:56 PM

Comments

It looks to me like the rise of phishing scams on the internet has created a market for stolen identity information, and has also taught a lot of criminals the idea behind getting that identifying information. The painful part is that this wouldn't be a problem, except that almost every business tries to use cheap but lousy techniques to verify your identity before issuing credit (one way or another). This means that a few numbers (SSNs, credit card numbers, etc.) are enough to get a substantial payoff for a crook. This also means that it's going to be really hard to stop this by getting people to do better identification.

I expect there's going to be a huge push for using whatever magical biometric "unforgeable" ID cards we end up getting in the next few years for all kinds of stuff like this, just to stop the huge level of fraud. Using them online will be possible only if they're basically smartcards, but that's quite possible. There will still be phishing-style scams after that, but they will be a lot less effective. (I hate the thought of a national ID with biometrics and a smartcard bundled into the bargain, but I'll bet that's the solution we end up with.)

--John

Posted by: John Kelsey at October 27, 2005 6:27 AM

You could just reduce a lot of the phishing by simply requiring photo ID for applying for credit, either in person at the financial institution or by getting the things notarized.

But until the cost of fraud to the BANKS is greater than the $20/new customer cost for notarization/a person examining, they will oppose this tooth and nail.

Posted by: Nicholas Weaver at October 27, 2005 8:18 AM

I think identity theft is a growth industry, and we're going to see more sophisticated attacks and also a lot more attempts, using many different technical means. The big problem here is that it's an industry--there are people who are making their living doing this, and they're going to be willing to adapt to additional speedbumps put in their way to keep making their living this way. They are capitalized now, so they can spend money one way or another to improve their attacks. The kind of added security that might have stopped the rise of online identity theft rings five years ago won't be sufficient to stop the criminals now.

Posted by: John Kelsey at October 27, 2005 11:27 AM