It’s remarkable how quickly a stolen purse or wallet can morph into full-blown identity theft, and possibly even result in the victim’s wrongful arrest. All of the above was visited recently on a fellow infosec professional whose admitted lapse in physical security led to a mistaken early morning arrest in front of his kids.
On the morning of Feb. 20, Lance Miller was arrested in front of his two children by local sheriffs in Golden, Colo. Miller, a managing partner at cybersecurity recruitment firm Curity, had discovered his wallet was missing three days prior to his arrest, reported it to the local police and canceled his credit cards. In the meantime someone had drained his checking account of approximately $5,000, and maxed out his credit cards for almost another $5,000.
“I was standing there in front of my kids saying, ‘You guys are crazy. Do I look like a burglar?'” Miller recalled. “The cop goes, ‘Well, I don’t know what a burglar looks like,’ and they put me in cuffs and in the car.”
Miller said it wasn’t until the 30-minute, handcuffed drive to police station that the local police and the local sheriff’s office began comparing notes, discovering in the process that they’d grabbed the wrong guy and removing the cuffs. Miller soon learned the thief who’d stolen his wallet had impersonated him during multiple traffic stops. A car the impostor was driving also was spotted speeding away from the scene of a burglary, but Miller said the police in that case didn’t give chase in that case because it wasn’t a violent crime.
“He started doing all kinds of stuff, and when he got pulled over he gave them my ID,” Miller said. “The first time he got pulled over and gave them my ID he was riding shotgun in a car with stolen plates that hadn’t yet been reported stolen. They let the guy go that night but then came and arrested me the next morning.”
Miller’s arrest came less than 24 hours after the local Arvada Police Department called to alert him that someone had tried to use his credit card at a nearby bank. Not long after that, a fuel station owner called the cops after getting suspicious about a customer and writing down his license plates.
“When we got to the [police] station, the police chief met me in the parking lot and apologized, then brought me 3 cups of coffee,” Miller said.
According to Miller, the police eventually arrested the guy suspected of stealing his wallet and other crimes that were previously pinned on Miller. The authorities now believe the man responsible is one John Tyler Waldorf, a 37-year-old suspect who had at least 16 warrants for his arrest pending in surrounding counties in connection with burglary and other alleged offenses.
Miller said investigators told him that Waldorf was suspected of associating with a white supremacist crime ring involved in identity theft, drug dealing and serial burglary.
“When these guys are not in prison, they’re expected to earn for the gang,” Miller said. “And apparently one of the best earning methods for these guys is ID theft.”
Louisville, Colo. police issued a bulletin explaining that Waldorf and his associates were known to have entered unlocked vehicles in the driveways of local residences and grabbed the garage door openers to the homes. “The suspect(s) entered the homes through the garage doors and stole items of value,” the police explained. “Both homes were occupied during the burglaries.”
Miller allows that the thieves in his case didn’t need to open the garage or enter his home: He’d absent-mindedly left his wallet in the car overnight while the vehicle was parked in the open garage. He now vows to tighten up his personal security habits.
“We live in a pretty nice area, and I got lulled into the idea that the garage was safe,” he said. “But in the end, it’s all on me. I’m an infosec guy, and if I can’t practice better operational security like that at my house, I should get the hell out of this industry.”
If your wallet or purse is lost or stolen, it’s a good idea to do most – if not all — of these things:
-File a police report as soon as possible to establish a record of the loss. If possible, get a physical copy of the police report at some point. You may be able to file a report and obtain a copy of it online, or you may have to go down to the local police station and pay a small administrative fee to get a copy. Either way, this report can be very useful in getting you a freeze on your credit file or an extended fraud alert at no cost if you decide to do that down the road.
-Contact your bank and report any checks or credit/debit cards lost or stolen. Most banks issue credit and debit cards with “zero liability” provisions, meaning you’re not on the hook for fraudulent charges or withdrawals — provided you report them promptly. The Truth In Lending Act limits consumer liability to $50.00 once a credit card is reported lost or stolen, although many card issuers will waive that amount as well. Fraudulent debit card charges are a different story: The Electronic Fund Transfer Act limits liability for unauthorized charges to $50.00, if you notify your financial institution within two business days of discovering that your debit card was “lost or stolen.” If you wait longer, but notify your bank within 60 days of the date your statement is mailed, you may be responsible for up to $500.00. Wait longer than that and you could lose all the money stolen from your account.
-Contact one of the major credit reporting bureaus (Equifax, Experian, Innovis and Trans Union) and at the very least ask to put a fraud alert on your file, to prevent identity theft in the future. By law, the one you alert has to share the alert with the other three. The initial fraud alert stays on for 90 days. If you have that police report handy, you can instead request an extended fraud alert, which stays in effect for seven years.
-Fraud alerts are okay, but consider placing a security freeze on your credit file with the major bureaus. For more on the importance of a security freeze, check out How I Learned to Stop Worrying and Embrace the Security Freeze.
-Order a free copy of your credit report from one of the major bureaus. By law, you are entitled to a free report from each of the bureaus once a year. The only real free place to get your report is via the site mandated by the federal government: annualcreditreport.com.
Jeez.
I debit/credit cards remain in a secure location known only to me under lock and key with the keys stashed in unlikely places. I’ve been called paranoid by some friends but some changed their minds after they got ripped off. I only carry my cards when I plan on buying something I can’t get with the cash I have on hand. I think it’s worth the effort. Lock it up, people! Safe Guard it! Are you paranoid if They ARE OUT TO GET YOU?
“Just because you’re paranoid doesn’t mean they’re not out to get you!”
Or you may prefer Andy Grove, former CEO of Intel: “Only the paranoid survive.”
There’s also Sigmund Freud who said, “Even paranoids have real enemies.”
You’re only paranoid until you are proven to be insightful.
What happens if you have an emergency and need a credit card? I always carry one credit card on my person for just such emergencies. As long as it’s on me, they won’t be able to get it, and if they do, I’ll know about it right away.
Ridley Scott, Michelle King, Robert King et. al. should make a Good Wife episode about this!
This looks like right out of the movie Identity Thief
What a doofus. He deserved it.
How?
Please explain how he deserved it.
He LEFT HIS WALLET IN HIS CAR IN THE DRIVEWAY.
Doofus. He admits fault.
With the car unlocked, no less
Deserves is far too harsh of a word. He didn’t deserve to have his identify stolen and be arrested in front of his kids for forgetting his wallet in his car. When you leave your house unlocked, do you deserve to be tied up and robbed?
Great article. There are many in my community who leave their car out. I wonder how many have the garage door opener in them.
I do live in a safe rural neighborhood but the garage door opener in car thing (especially on the visor in the car thing) is something I’m sloppy about because I tend not to put the car in the garage during the summer and I don’t make a point of locking it. I don’t think it’s a big risk but I’ll take this as a reminder to be more careful about that sort of thing.
Is that a recent photo, Gordon? With all the facial recognition software available, l certainly wouldnt be posting MY likeness above a confession of my sloppy personal security!
Our car is out because it cannot be in the garage (not really built for a car). Garage door opener on my key chain. You cannot get into the house via the garage. not attached to the house.
Here is where I am at:
1. Garage is detatched from house
2. No electric garage door opener; lock is manual with key
3. Keys, wallet, etc are on bedside table and I am a light sleeper
4. Every morning, before I leave the house, I check the wallet
and make sure that all cards/licenses/etc are still there.
5. My passport is locked up at home unless I am traveling.
I check it’s location at least once per week to verify that its
still there.
6. Bank sends me email/IM for everything over $3.00 from/to
any of my accounts
He left his wallet in his car, his car unlocked and his garage door open. No one where I grew up would do any one of those three. Ever.
It’s a ‘quadrifecta’ is he leaves the car running while doing ‘short’ errands
Says more about society than it does about him. Whatever happened to “if it’s not yours don’t take it”?
What do you mean what ever happened to “if its not yours than don’t take it”??? What planet have you been living on? There have always been and always will be thieves.
Society, has created it’s own restraints. Those restraints are not normal to the rest of the world. If you would look at animals, they show even in packs, that they steal from each other. It’s the same from primates to avians to fish. Even does and cats. Like he said, he will try to break a habit. The lesson should be for his children. To teach them security.
Unfortunately the powers that be want to outlaw cash, so we’ll need to carry our cards all the time.
The ‘powers that be’ cannot afford to outlaw cash since the vast majority of them rely on the untraceable aspect of it to commit some of the biggest crimes ever. Prime example: HSBC money laundering fiasco. If banks aren’t a ‘power’ then I don’t know what is. I mean, no one was ever criminally charged for that. Now that’s ‘power’, right?
Nobody did time because HSBC paid a $1.92 billion (with a “B”) fine. I’m sure that was part of the negotiations. Big question – what was done with the fine money?
Who wants to outlaw cash? Can you be more specific?
You can start with former Treasury Secretary Larry Summers, whose signature is on many bills in circulation today.
https://www.washingtonpost.com/news/wonk/wp/2016/02/16/its-time-to-kill-the-100-bill/
Google the term “capital controls” …
Just google “war on cash”. From declarations by establishment mouthpieces to increasingly stringent withdrawal limits, you’ll find plenty of evidence.
Amazed that this article was written in the future…
14
MAR 16
The 14th day of March, 2016. Pi day!
I agree. I’ve always disliked how Brian does the formatting of the date. It’s non-intuitive. Still, this is the first website I crack open with my coffee in hand.
Dear America,
We’re sorry international standards confuse you.
Yours kindly,
The Rest of the World.
Dear “The Rest of the World”,
That is not the international standard for date formats.
We kindly refer you to ISO 8601.
Warm regards,
The International Organization for Standardization
OH Locker, give me a break. You go have two young kids and tell me you don’t forget stuff – its called sleep deprivation doofus! Maybe this story will help others in similar situations.
Once again “lowest common denominator rules” We all have had momentary lapses in best practices. Heads up.
Another common testament on why the ID theft company I use monitors “all that matters” including drivers license, SSN, medical info files, etc. and has teamed up with another company who provides legal services 24/7. They found 70% of identity theft evolves into legal issues.
Glad to see that everything worked out the right way in the end – it’s terrifying that these creeps are walking into people’s occupied houses.
The relatively comical outcome here is not guaranteed – be smart, be aware, and be sure to protect yourselves!
I guess you can call this identity theft, but it wasn’t what I, and most security professionals, would call it. He didn’t use the information in the wallet to create new accounts, just just handed over the guy’s license to the cops when he was pulled over.
What I would like to know…how much did Waldorf look like Miller? I’m willing to bet he didn’t modify the license to put his picture on it. Either they look an awful lot alike (and have the same hair, eyes, weight, etc) or the cops who accepted that license need to have their eyes examined.
With drivers licenses good for eight years now hair and beards may be a lot different from the photo.
Interesting story but the cops have some questions to answer
i) Does the John Tyler Waldorf resemble Lance Miller?
ii) Why was John let go after his arrest considering … “John Tyler Waldorf, a 37-year-old suspect who had at least 16 warrants” ….”They let the guy go that night”
They let him go because they thought he was Lance Miller, IT guy with no criminal record, not John Tyler, guy with a bunch of warrants.
Great article, very informative and I will be changing some things in my home.
Re: Locker
No one DESERVES to be a victim of any crime, no matter what the circumstances are. We once lived in this country and we could leave cars unlocked and nothing would be stolen. Years ago, no garage door had a lock. Only criminals and smart alecks think someone deserves to be a victim of crime.
Wait until you reach old age and see if you remember everything on every day.
“Years ago, no garage door had a lock.”
Umm, what? How many years ago are you talking about, exactly?
I grew up in a house built in the 60’s, every door (including the garage) had a lock. Same with all the neighbors, and same with my grandparent’s house, which was probably at least 20 years older, if not more. And we lived out in the country, 20 minutes away from the nearest small town, with neighbors I could count on one hand.
Maybe you’ve been lucky, but trying to make it sound like we used to be in a trusting, lock-free utopia is silly.
Just another piece of anec-data: I grew up in the 60s and 70s, and our house had a lock on the front door which we used when everyone was gone, perhaps once a week. The back door used a skeleton key and was never locked except when we went out of town. The doors were never locked at night, and often left open for air flow. And we lived within blocks of our downtown.
So there were at least pockets of trusting, lock-free areas. Not utopias, since the problems were just different.
“That Girl’s” apartment door didn’t have a lock, and she lived in NYC!
I grew up in a town of 20,000 people in the 60’s. My parents, who both worked, didn’t lock the front door or the garage during the day because we kids needed to get in after school and they worried more about us losing the keys than about burglary. It wasn’t this century that I convinced them they really needed to lock their car, especially when they visited me in Northern Virginia. Times have changed….
Oops: “It wasn’t *until* this century…”
“Not long after that, a fuel station owner called the cops after getting suspicious about a customer and writing down his license plates.” Which guy’s license plates, the perp’s or Lance Miller’s? Were Lance’s plates also taken? Were they plates of the stolen car? A run on the plates should have brought up more discrepancies…
How were the thieves able to drain Miller’s checking account? Did they gain access to his PIN?
I would imagine that they used his debit cards for Visa or Mastercard purchases, which do not require PINs. Personally, I consider debit cards to be “shredder food” – I’ve seen the same thing happen to friends of mine. As BK noted in his article, the rules for getting your money back from debit card fraud are much tighter than they are for credit card fraud. Sometimes banks are really good about handling it, but it’s not always the case.
If it’s run as a credit (i.e. without the PIN), credit card rules apply. You are only liable for $50 (max) due to fraud, the rest is refunded as soon as you show them a police report.
Another site to get free credit reports as often as you want is creditkarma.com. No fees, just ads for credit products. I have been using it for several years and have never paid them for anything. The ads are not overbearing. (Note: I am not affiliated with creditkarma.com)
He LEFT HIS WALLET IN THE CAR?!
Geez… why should anyone trust him for any kind of security.
mark, who grew up in a slum
Not everyone has grown up in a slum.
I’ve lived in places where you dare not leave anything unlocked, even if you’re right there.
I’ve also lived in places where people don’t realize that houses and cars actually have locks, since they never use them.
All within the continental US
Not everyone lives in a war zone… I’m sure he’s learned his lesson either way…
I never leave my car without locking it, even to just return a Redbox movie. A friend of mine was in a stand alone phone booth and stopped his truck with the motor running & the door open 2 feet from the booth, some guy jumped in & drove off before he knew what had happened, never recovered it.
My wallet, keys & phone never leave my pants pocket except to be used or charged.
My wallet stays in my hand until license, cc or whatever is out of it is back in.
I also unplug my computer from the modem when not on line.
Run ESET NOD 32 everyday along with SuperAntiSpyware every day, Windows Defender once a week.
“This Reader” – I had a terrible habit of of putting the checkbook on the car dash and did so one night we went grocery shopping; went to pay for the groceries and no checkbook; went out to the car and there it was lite up for all it’s glory under a light. Don’t do that anymore!
Garage door – our garage is a separate from the house and I would go out some mornings and find it open or I would come back and find it open and would swear I had closed it. Thought it was a gray hair thing. I was at the local garage door company on an unrelated business and mentioned it. They told me it could be either lightening or someone has a remote that is programmed the same. Put the garage door opener on a light switch and have had no problems since then. Okay it takes a few minutes to wait for the door to come down and throw the switch, but it sure beats finding my door open.
That’s a really interesting (and good) idea if you can easily add a switch to the circuit for your garage door. Since you are likely to not need it when you are at home, flip it on when you go to leave and then flip it off when you get back.
That button is labeled ‘vacation’ on some garage door openers.
Add another thing to do after your credentials are stolen and you have your police report – carry a copy with you at all times. It can help sort out future arrest mixups faster.
Ask your bank to replace your Visa/MC debit card with a straight ATM card with no Visa/MC logo. The latter requires a PIN for everything, but the debit card does not require PIN for purchases.
For shopping, use your regular credit card and its more generous fraud liability protection. Don’t use a debit card that a thief can use to drain your bank account directly.
This is my recurring nightmare – one day being wrongfully accused, arrested and ultimately convicted of some bizarre crime.
Probably best to avoid risky & ambigious situations… like asking a hooker or a kid around the schoolyard for directions. :S
Well since the last name is “Miller” and he lives in Golden, CO Head Quarters for COORS he would be arrested just based on that. Right?
But what about the build in garage opener buttons you program for your car? Keep it all locked up including your garage door now too.
Lance thanks for sharing your story buddy lots of good take away’s and dialogue for today’s state of criminal affairs. Tip-of-the-hat
Ken,
Those buttons implement the HomeLink protocol. I have two vehicles with it and in one, the buttons won’t work unless the ignition is on. I don’t know about the other because it lives outside.
Few vendors of the integrated Homelink buttons restrict usage based on key position, since on egress it would mean asking the user to turn the car on before the door is open. Better to either remember to lock your car or just put the car in the flipping garage. It irritates me to an irrational degree when I see someone putting their $40,000 car out in the drive while they have $400 worth of ^*$% in their garage wasting space.
Three vehicles, two car garage.
“Few vendors of the integrated Homelink buttons restrict usage based on key position, since on egress it would mean asking the user to turn the car on before the door is open.”
We just push the garage door opener button mounted on the wall as we enter the garage from the house.
The first twelve years of my life raised in a rural area near Seattle, no one locked their doors. 12 to adult in San Jose our front door was never locked, except at bed time once everyone was home for the evening. Into the early 1980’s most of my life was spent in major Western metropolitan areas with little security risk. In the early 1980’s everything seemed to change and everything, including cars, had to be locked at all times, even when driving. Then in 2001 something miraculous happened, I retired early and moved to a rural spot in the Mid-West. Southern Missouri to be exact, and found that no one locked their doors, during Summer they left their car windows down in the super market parking lot, and in the Winter they would leave their cars running in the same parking lot! What a difference location makes! Today people are more security conscious than before, but there is seldom any need for me to lock my house or vehicle. Where I do have or at least attempt to practice higher security protocol is with my on-line electronic access.
Brian,
Why do you include Innovis as one of the major credit bureaus? I have always heard there were just the three. if you have explained this elsewhere can you provide a link?
Sure. I’ve mentioned it in a few stories, but here’s one
http://krebsonsecurity.com/2014/03/are-credit-monitoring-services-worth-it/
Hi this is earth have we met? LOCK YOUR CAR and at the very least, take your wallet in with you! Come on