Identity theft: Your trash, their treasure

What thieves can find in your garbage and how to protect yourself

Video: Protect yourself from ID theft. Oct. 6: TODAY’s Ann Curry talks to Jim Stickley, author of “The Truth About Identity Theft,” about protecting yourself from becoming a victim of the crime.

TODAY books
updated 9:49 a.m. ET Oct. 6, 2008

Author Jim Stickley has stolen credit cards, created fake ATMs, hacked social security numbers and robbed banks. But he's no criminal. Stickley was hired by companies to find their security flaws. In his book "The Truth About Identity Theft," Stickley writes about how vulnerable people can be to having their identities stolen. In this excerpt, he warns that people should think twice about what they throw away.

Part II: The truth about trash

One man’s trash is another man’s identity
Through the years, I have broken into numerous banks through hundreds of different attacks. Though each was different, the main objective was often the same: to gain access to the cash or confidential information. I was once approached by a large financial institution that was not only concerned about the security of its physical locations and its network, but also had concerns about the risks associated with upper management. This institution asked that I also investigate whether its management team could be attacked in a way that might allow an identity thief greater access to its organization.

So each afternoon I waited in the parking lot and watched members of the management team get into their vehicles. Then I followed them home. Within a couple of weeks, I had each of their home addresses. Since I had no permission to break into their homes and poke through their personal belongings, I opted for the next best thing: their garbage.

Through the years, I have been amazed at the things you can find in the trash. There is big business for identity thieves in personal garbage. More importantly, once you put your garbage out on the street for trash pickup, it usually becomes open to the public. This means that if I am so inclined, I can take that garbage and bring it home, which is exactly what I did. Each week I would snap on my rubber gloves and go through every item of trash: grocery store shopping lists, sticky notes with phone numbers, a private invitation for a little girl to a friend’s birthday party, and much more. As I continued to go through the managers’ trash, I was able to compile a list of their service providers: water bill, phone bill, gas and electric, cable, and so on. I could use this information not only to gain access into their lives but, if I wanted, to take over their lives.

Ultimately, I decided to use the billing information for the bank managers’ Internet service providers as an access point for my attack. Using the information I gained from the bills, I contacted the managers and explained that I was from that company. I told them that we were updating our services and that, for them to continue to have Internet service, they would be required to install updated software. I explained that the software would be arriving within the next week.

Because I was also able to reference their past billing information during the call, the victims never suspected a thing. Within a week, they each received a package in the mail that contained “upgrade software” and instructions. One by one, the managers installed the software.

Of course, the software they had just installed was actually malicious and designed specifically to allow me to access their computer via the Internet from anywhere in the world. Shortly after they installed the software, I was on their computers going through all their files. Within a few short days, I had usernames and passwords to corporate systems and even VPN access, which allowed me to connect directly to the financial institution’s internal network.

When I submitted my report to the executives at the organization, they were obviously floored. None of them had ever suspected that I had targeted them at home, even though they had all signed waivers allowing me to do so. They said they were being cautious about emails that were being sent to them, as they were convinced that is how I was going to try to get in; but the idea that I would go through their trash and use that against them had never crossed their minds.

Now, you might be asking yourself what that story has to do with identity theft. Sure, I was able to gain access to that financial institution by attacking its employees at home, but technically the employee was never placed directly at risk, just the employer. In reality, those employees turned out to be far more vulnerable than I would have imagined. However, since I was not hired to test them personally, I just bypassed those opportunities and stayed focused on my primary target: the bank.

If you own a credit card, you are probably used to the clutter of junk mail that comes on behalf of the credit card company. While most of the junk included with your bill is harmless, the issue occurs when the credit card company decides to make it easier for you to spend money. Credit card checks have become a lucrative business for credit card companies. These checks can be used just like regular checks to pay anything from other credit card bills to buying food at the grocery store. Because you can use these checks in situations where credit cards would not have been accepted, they allow you a new freedom to continue to rack up credit card debt. These checks are often included with numerous other documents that are all stuffed into your monthly credit card statement.

While attacking the bank’s management team, I found many of these checks still inside the opened statement envelope, which had been dropped in the trash. All I had to do was take these checks and go on a shopping spree. (I didn’t, of course, but were I to have been a real thief, I would have just tapped into a veritable gold mine.)

There were other identity theft attack opportunities made available to me during these tests. Each bill that I found contained great information. For example, on the cable bill, the victim’s name, address, and account number were available. In addition, I could see the total of the current bill, the amount of the previous bill, and if they paid it. Using just this information, I could call the victim, explain that I was from the cable company, and say that we had not received a payment for this month’s bill. The victim, of course, would say he had paid it, and I would argue that he may have sent a check, but we had not received it, so it may be lost in the mail. I would explain that, though unfortunate, his service was being turned off and he would have to incur a fee to have it reenabled.

I would then offer the victim the ability to pay the bill via a credit card or check over the phone. I would explain that if his other payment did finally show up, it would be destroyed. Again, it is important to note that mentioning the victim’s previous payment amount and when it was received helped lend me credibility. The victim would relent and give his credit card number or checking account number and bank routing number. Once complete, I could’ve simply taken that information and gone on a buying spree.

There is a simple solution to avoiding this kind of attack: Shred everything. I mean it. Everything! If you are throwing away any paper that contains personal information, shred it first. Shredders come in a few different types, but I highly recommend that you spend a little extra to make sure that it does cross-cut shredding and can shred CDs and credit cards. This type of shredder runs faster and shreds more items at a time, allowing you to spend less time standing in front of it.

Remember: One man’s trash truly can be another man’s treasure. Unfortunately, one man’s treasure might actually be stolen from another man’s identity. So start shredding.

Dumpster diving for profit
In the previous Truth, I spoke about what people throw away when they are at home and the risks that come with it. However, those risks are nothing compared to what my coworkers and I have discovered while dumpster-diving throughout the years. While many states have started prosecuting companies for discarding consumers’ confidential information insecurely, it seems the majority of the world has simply not paid attention.

In early 2007, Radio Shack allegedly dumped more than 20 boxes containing private information for thousands of customers. A man rummaging through the dumpster found the boxes and reported it. In April, the State of Texas filed a civil lawsuit against Radio Shack for allegedly exposing its customers to identity theft. The suit claimed that the company “failed to safeguard the information by shredding, erasing, or other means, to make it unreadable or undecipherable before disposing of its business records.”

The fact that the data was discovered comes as no surprise. The simple fact is that throughout the hundreds of dumpsters that I have had the pleasure of “visiting,” it has been a rare day that I come away empty-handed. Most often I leave with enough confidential information to keep the average identity thief in business for months, or even years. I have found social security numbers, copies of drivers’ licenses, credit applications, credit card numbers, complete names and addresses, and phone numbers — all in the trash. And those are just the obvious things.

A company we recently tested was actually throwing away the drug test documentation on all of its potential new hires. Each document included the name, address, social security number, and the results of the test. Not only was the company putting that person at risk of identity theft, but it was also a walking time bomb for a lawsuit. Imagine if one of those potential employees had failed that test and the information was made public? The fallout could have been devastating on all sides.

At another location, a financial institution was discarding confidential information, including copies of loan applications, social security numbers, banking account numbers, and more. But in this case, instead of placing the items in the trash dumpster, the institution was placing the information in bins located outside the facility designated for recycling. I have noticed that this seems to be part of a growing trend in confidential information leaks. In general, people are interested in the green movement, and instead of throwing items that need to be shredded into the appropriate designated shred areas, they are placing the documents into the recycle bin.