All The World Over, Your Stolen I.D.

MSNBC is running a story about a massive identity theft which is apparently traceable to people who ordered wireless service from Verizon. If you've gotten service online from Verizon, you might want to check your credit card bill post-haste. And make sure to cancel your Social Security number and date of birth too.

Re:Why it took so long ?

This is what happens when you trust too much of your personal information to a 3rd party. I'm not blaming the user, of course, but the companies that convince the average internet user that is "safe" to trust on them.

As if that weren't bad enough, the article points out that "subagents" are often used to collect the information. So, even if a user trusts Verizon or AT&T (no comment), they are actually dealing with the subagent that they probably wouldn't trust.

And, to make matters worse, sometimes these subagents have subagents! From the article: AT&T Wireless spokesperson Danielle Perry confirmed that in at least two of the cases, the customers had signed up for AT&T Wireless service through Advanced Digital Solutions, which she described as an "unauthorized subagent's subagent that has gone bankrupt." In other words, we aren't responsible for the work we farmed out, it's beyond our control, it's their fault not ours.

What ever happened to SSN "not for identification"

Today it seems every insurance provider, utility, car lot, etc., won't even talk to you until you show the number that says its for "social security purposes only".

What about intersex?

A recent new scientist article mentioned that about 1 in 2000 people are born intersex instead of male or female. When they get better lobbying organisations just think about all the bools that will have to be changed to chars or enums :-)

Bah! What about Feb 30 in Sweeden?

When Sweeden was on the Julian calendar, they wanted to switch GRADUALLY to the Gregorian calendar rather than by dropping 12 days all at once. So they dropped every leap day from 1700 to 1740.

So 1700 (which should have been a leap year in the Julian calendar) was not a leap year in Sweden. However, by mistake 1704 and 1708 became leap years. This left Sweden out of synchronisation with both the Julian and the Gregorian world, so they decided to go *back* to the Julian calendar. In order to do this, they inserted an extra day in 1712, making that year a double leap year! So in 1712, February had 30 days in Sweden.

Later, in 1753, Sweden changed to the Gregorian calendar by dropping 11 days like everyone else.

There was a sweedish king born on Feb 30, 1712. Also known as "the man without a birthday".

Re:Bah! What about Feb 30 in Sweeden?

[unitron]

Shouldn't 1700 have *not* been a leap year? Leap years come every 4 years on years divisible by 4 (1996, for example), unless divisible by 100 (like 1900 or 1700), unless divisible by 400 (like 1600 and 2000), so 1600 was a leap year, 1700, 1800, and 1900 weren't, and 2000 was.

Those things that come around every year are birthdate anniversaries, by the way. You only get one birthday, and you're really too young at the time to properly appreciate it.

Re:brithdate?

[Don+Negro]

I was legally a female for 5 years because of a similar mistake. When I went to get my driver's license when I turned 16, the DPS clerk typed F instead of M, and voila, I was female. They couldn't correct it because in Texas it takes the act of a judge to change your sex on a legal document.

When Texas transitioned to it's new license format, they apparantly decided that instead of migrating the database, they'd just have the clerks reenter everyone's information as they came in for renewal, and this time the clerk got it right, and just like that, my manhood was restored.

Weird, huh? I've still got a copy of my old license around here someplace.

Don Negro

I'm glad to see that Corporations

[jd]

are being totally responsible with personal data.

Y'know, America could salvage its image -and- make a real impact on crime, if "System Admining Under The Influence" and "Data Warehousing, Without Due Care And Attention" were hanging offences.

(Brings a whole new meaning to "Blue Screen Of Death".)

Re:I'm glad to see that Corporations

[.pentai.]

When he said Primary Key he wasn't referring to a database. He was referring to life in the US. A SSN is like, the key to totally mess with someone's life. You can get any other information (fairly) easily with it.

Re:I'm glad to see that Corporations

[Asgard]

There was a certain range of social security numbers that were assigned twice. Of course they can't be changed, so the uniqness of the social security number is not guaranteed.

Re:I'm glad to see that Corporations

[Frizzle+Fry]

So what should they use?

--

Re:I'm glad to see that Corporations

[Sir_Real]

This isn't (totally) the Corporations fault. Social Security numbers are like the primary key of all primary keys. Nothing as simple as a (semi-predictable) 9 digit number should be used to identify and empower the change of a persons entire financial identity.

On a side note, out school e-mail system uses the last 4 digits of your social security number in your e-mail address. The last 4 digits are the ones that are hardest to find. I was told (please confirm) that the first 3 are derived from the state you were born in and the year. The next two identify the county (or hospital?) of your birth. I asked to have my e-mail changed.

Andrew

Re:I'm glad to see that Corporations

[pmz]

To be pure, a database should never rely on the social security number as a primary key. It is NOT unique. It has been corrupted by criminals (some people have several SSNs, I've heard). It also limits you to the United States. Database designers who put the SSN in a primary key role are acting naievely.

The SSN may be included as an attribute of United States citizens, but it shouldn't have a role greater than that.

Re:Drivers Licenses!

[Jaeger]

Last time I renewed my licence over here in Colorado (when I turned eighteen just under three years ago), they wouldn't put my SSN on my licence because I didn't have the card with me. The number on the licence seems to be a unique, state-assigned identifier; it has been the same ever since I got my non-driving ID many years ago.

Re:Golly, why are SS#'s everywhere?

[JimBobJoe]

You can still fight the mandatory photograph. Vermont and New Jersey issue licenses without photographs still, as does Quebec. Many states do on religious objection as well.

License to E-Commerce + SSL Certificates

[valmont]

OK I've really had it with irresponsible IT personel unable to plug blatant security holes.

I've seen many entities out there like "Trust-e" which review privacy practices and policies for e-commerce sites, but I really don't think any of them out there is big on auditing network and systems security practices. Even if they do, those companies are hired at-will by the sites conducting e-business to give themselves more credibility.

Face it people, I really am starting to believe that statements like "This is a secure site because it uses SSL and strong encryption and ... [insert heart-warming buzzwords here]" are nowadays flat out lies for too many e-commerce sites. Those sites are not secure. They store passwords and social security numbers in clear text in databases that reside on the same machine as the web server, which prolly runs way more services than it really needs to because "hey, we can get a pretty fast server up and running in no time and for really cheap, by getting ourselves a cheap pentium and sticking red hat linux on it". "OK, well it looks like the red-hat installation went fine ... let's connect to localhost on port 80 ... ooo see the pretty Apache default page? Great! Well Sir, looks like we're good to go and ready to stick a shopping cart on this puppy!"

The danger doesn't lie in "packet sniffing" anymore. There has been such a hype over the whole "eavesdropping" over a transaction as it is being made, that it looks like this is the only thing irresponsible systems administrators ever worry about: "Well, we need a secure server that does that SSL thing. To do that we need to shell out a couple hundred bucks and apply for a Verisign ID so people don't get nagged by their browser when they hit our site. Verisign will tell people we are who we say we are."

Big deal. Am I supposed to feel good now? In light of what I've been reading for the past few years ... I'll say NO.

The danger truly lies in HOW and WHERE sensitive consumer data is being stored. *This* is what matters and what should get thoroughly audited.

If a site possesses an SSL certificate from Verisign, it should be illegal for the owners of this site to request a consumer's highly-sensitive,permanent and personal data like a Social Security Number (credit card numbers don't apply here as those can easily be changed), unless their SSL certificate also comes with some kind of SEAL of approval from some government-sponsored network and systems security auditing.

I do realize I'm going a little far with government involvment, but we're talking about protecting data issued to every citizen by the government in the first place. You're talking about people's lives: their ability to buy a house, open a 401k account, even get work! I have been victim of identity theft in the past after my mail was stolen, fortunately it didn't go too far as I think they didn't get their hands on my SSN, but it truly poisoned my life for a while. I came back from christmas vacation only to find someone had gone on a shopping spree courtesy of me with several of my credit cards and realized they had applied for and shopped with a couple others in my name! Yes some credit-yielding entities don't even ask for your SSN to open an account.

If government involvment isn't the solution, then users should somehow get educated and notified with a message along the lines of "Although this site encrypts all its transactions, its network and systems security practices have not been audited by [INSERT GLOBAL ENTITY NAME HERE]-approved party and may be exposed to security holes".

Better yet, the W3C could work on amending the HTML specification to define a new type of form input field: INPUT type="secure-ssn" name="userssn", which browsers would ONLY display if a site's SSL Certificate contains information stating that this site's security practices were audited and approved. If that is the case, the browser could 'automagically' display the field as [][][]-[][]-[][][][] with a 'secure key' near it which could be clicked to explain what this all means, and possibly remove that field from any scripting-bound client-side Document Object Model so that data could not be evilly manipulated within sites open to cross-site scripting vulnerabilities. The browser could further insure that the value of this field could only be submitted to a form whose "action" attribute points to a secure protocol. The browser should have built-in validation of this field to compensate for its lack of access thru scripting. Browsers should not allow this field's value to be pre-populated on page load unlike other input fields so users would have to re-enter their SSN every time they see the field.

Now with that standard special-looking "social security" form input field, people could be educated to only enter their social security number in such an input field. If they do enter their SSN on any other type of form input field, then they should know they're further exposing themselves to identity theft.

These are just initial ideas, but further brainstorming should help finding a solution that would work to protect people's privacy on-line.

What do you guys think?

Golly, why are SS#'s everywhere?

[Brian+Stretch]

I mean, really, FDR promised us that Social Security #'s would never mutate into national ID cards...

That's what we get for giving Big Brother a new toy.

And to top it off, SocSec is a pyramid scheme.

Re:Golly, why are SS#'s everywhere?

[Pope]

Up until the 90's (I think), most Canadian drivers licenses didn't have pictures on them either.

Then again, with an 18 or 19 drinking age, we're a damn sight less paranoid about checking ID. I was in Denver visiting my Dad, went into the liquor store, bought some booze and wasn't carded; we went to a restuarant less than a mile away, I order a drink and get carded! (I'm 30). When I worked for a supermarket in MA that had wine and beer, my boss said "Card anyone who looks under 35."

Pope

What? Bear is driving car? How can that be?!

Re:Golly, why are SS#'s everywhere?

[jmauro]

Actually since 1943 FDR has been a liar. The SS Numbers have been used as national ID ever since. They are supposed to be required by all states for Driver Licenses as well (airports are required by law to reject any DL without the number on it.), but most states and airports allow you to ignore that rule. The problem really isn't government use, but the fact that every coorperation on the planet has decided this will be the primary key for the user, instead of making up their own. And then they'll use the number for both authentition and identification, compounding the problem even more. Is it really that hard for someone to generate a new random number for a user. I'm sure RSA could help somehow on this one, since they really like generating random numbers. I doubt we'll ever get rid of the silly things now, even if the Social Security department collaspes.

Re:Golly, why are SS#'s everywhere?

[djfiander]

Of course, in Canada it's been illegal to request (our equivalent of) a person's SSN unless the requestor needed it to provide income tax information to the government for several years now. Thus, my bank, (maybe) my credit card company, and my employer all know my SSN, nobody else does. I don't even need it to get my passport.

Re:Golly, why are SS#'s everywhere?

[lxnt]

Now how can you be sure that neither your bank, employer, (or maybe) your insurance company's clerks don't accidentally forget feeding some printout with tons of SSNs (or just one - yours) thru a shredder? Or dumping supposedly "old" computer without bashing and burning the HDD? Not even mentioning them going bankrupt.

Re:Golly, why are SS#'s everywhere?

[aozilla]

That's the great thing for these people. Their Social Security number will never again be used for identification, because there will be a nice little note about the incident on their credit reports. It's very simple to get creditors to stop relying on your social security number. Simply have a note added to your credit report, that your SSN has been comprimised.

Re:Golly, why are SS#'s everywhere?

[BSarp]

It's not just corporations that overuse the SSN as a form of ID - universities are guilty of this practice. I go to Carnegie Mellon, where the primary form of student ID is - you guessed it - the student's SSN. International students get (psuedo)random numbers, but we American citizens are not so lucky.

In fact, in an economics course I took freshman year, the staff kept track of students' grades in a big database, using the students' ID numbers as the keys (minus the last 2 or 3 digits, if I recall correctly). Occasionally, individual grade updates would be sent to each student enrolled in the course, along with all their other info from the database (ID, total points, etc.).

You can almost imagine what happened next: there was a mistake, and the course staff accidentally (!) sent out an email to all students in the course containing grades and ID information for all the students. Oops.

This debacle finally got the administration to at least consider the implications of using the SSN as a form of ID. Of course, being a bureaucracy, nothing concrete has been done yet...oh well. This seems to demonstrate the abject stupidity of using this kind of ID - I mean, thank God the items in the database were only released to a small group of college students - the consequences could have been much worse than they were.

Re:Golly, why are SS#'s everywhere?

[tetranz]

It irritates me that in the USA, driving licenses seem to be used as a default id card. Most (all?) states will issue a non driving 'driver license' for people who don't drive. When I first moved to the USA I had a problem in a big store using a credit card from home. I don't know what the problem was but they called their credit card processor who I think called Mastercard or the bank in my home country. They insisted on seeing my foreign driving license number. They looked at me as if I had two heads when I explained that back home a driving license is used to prove you are qualified to drive and banks are for keeping money and the two don't intersect.

Re:Golly, why are SS#'s everywhere?

[bartle]

It's not just corporations that overuse the SSN as a form of ID - universities are guilty of this practice. I go to Carnegie Mellon, where the primary form of student ID is - you guessed it - the student's SSN. International students get (psuedo)random numbers, but we American citizens are not so lucky.

Yeah, I made the same mistake. The university I went to would've let me change my ID number if I had been thinking of it, but I was just a freshman and filled out the form anyway. I don't think they actually use your SSN for anything other than their internal records, so you could probably make one up and get away with it. In retrospect I wince at all the places I unknowingly gave my SSN to...

But if you pay cash, troubles may get worse

[unitron]

"Paying cash is very likely to flag you as a potential terrorist requiring extra security screening, though."

Or as a drug dealer, and since you'll probably be carrying all your available money on you in cash (being afraid of not being able to get it out of a bank), that will be considered as further "evidence" that you're traveling for the purpose of dealing drugs and that the money is intended to be used for drugs, so even if they can't actually haul you in front of a judge and jury on charge of "looking like he was fixin' to go deal drugs", they can arrest your money, and you have to prove that your money is innocent.
Before you can go to court to do that, you have to put up a cash bond of an equal or greater amount, but that doesn't actually bail your money out, so now you've got twice as much money being held hostage.

Domains..

[Chutzpah]

Coulden't Network Solutions track down the domains that were registered, then cancel them, or even better try to trace where the domains are so they can tryck down who did this. They could probably trace someone to an ISP just bi either checking the DNS servers on the domain or concating the hosting service and getting them to log next time the person connects to the server to upload files, connect to IRC (prolly half of them are vanity hosts for IRC) or whatever.

Heh...

[Chutzpah]

I got a SSN for a summer job I had in the US working at a summer camp last year, I am probably never going to use it again and my SIN (Social Insurance Number) is NEVER requested because it's illegal unless they NEED the info (employer, bank and sometimes Credit Card Company) I'm not even sure that the SSN is still valid, I think it expired when my work visa expired.

Re:Don't Give Out Your SS #

[fishbowl]

>I personally think the ending to "Fight Club"
>would solve this problem once and for all.

Killing yourself during a grandiose delusion?

The real problem is lack of strong authentication.

[rthille]

If a company is going to take a SSN, a birthdate, a name and address as proof of identity, then they need to be responsible when it turns out that the person supplying the information is not me.

Now if I sign their application with my 2048-bit private key (public key on file with the CC company and with the credit reporting agencies), that's something different :-)

Robert

Re:WARNING! Gayer than goatse.cx link above

[ergo98]

Oh man...you realize you just made that trolls (and many like him/her(s)) day, don't you? One must never acknowledge being caught out by comp-u-geek or its friend goatse.cx.

(-5 Moronic)

[smileyy]

Do the math, slappy.

Re:(-5 Moronic)

[smileyy]

Well, the original problem was stated in the (perhaps implied) context of birthdays excluding the year.

In that context, 367 people guarantees that two of them will share the same birthday, excluding the year.

If we expand this to a human lifespan of 120 years, then you only need on the order of (120 * 366 + 1) = 44,000 to get a birthday collision, including the year of birth.

If you want to count stinking rotting corpses, or the not-yet-born in your million, piss off.

Re:(-5 Moronic)

[mskfisher]

i should've looked further - all i'd found when i originally posted was a Java applet that computed random birthday combinations.
here's a more in-depth look:

http://forum.swarthmore.edu/dr.math/faq/faq.birthd ayprob.html

my stats class lent me an intuition about the subject, but i'm rusty on the mechanics of higher-level probability computation - else i would've provided a proof for my preposterous claim, sorry...

Re:(-5 Moronic)

[quintesson]

What's the problem here? Even in a room of one million, there's always a chance (however tiny) that one of them has a unique birthday.

Perfect..

[grub]

Now when my RealDoll shows up at the house, I can just tell my wife "Damn identity thieves are playing with my Visa card!"

:)

What to do if it happens to you

[thegrommit]

Here's a good post on fool.com about how one woman went about recovering from the theft of her identity.

Re:Assimilation

[JAZ]

saying which... when Bell and GTE were merging and before they picked a name, I thought the choice should have been Bell OR GTE.

Re:Too much information

[ethereal]

Well, if you simply refuse to give out your SSN, most companies (banks and insurance companies excepted) will shrug and move on. They are collecting it simply because most people happily and blithely give it to anyone who asks.

Here's an interesting story on that topic - apparently this man's been mostly successful in his life without an SSN, except for getting a new driver's license.

Remember: it's a "Microsoft virus", not an "email virus",

Re:Too much information

[HiThere]

Any central point of control reflects a problem in the system design. Your proposed solution, "Some trusted third party", creates a new niche for contol hungry psychopaths to operate. Creating such niches is bad system design. The person who inhabits it now may be trustworthy, but that says nothing about the person who will occupy that position in 50 years. Or 5. Or 1. People move about. Management changes. Boards or directors realign their positions. Beancounters look for ways to trim expenses. Any of these can severly damage a proposed measure of protection, which will prevent the office from getting out of control. So don't design it in, in the first place.

Caution: Now approaching the (technological) singularity.

Importance of the SSN

[jjs]

Most younger people (college students) do not fully understand the importance of a SSN. At a Florida school, in which I attend, scantron test scores are organized via your SSN, which also happens to be your student number. When signing up for classes you provide your SSN on a list of students waiting in line.

No one questions it. People just give it out freely. They don't care if someone takes their schedule, grades, or degree audit. Simply amazing, yet sad. --Josh

Re:Importance of the SSN

[Corvidae]

At both institutions I went to, you can refuse to provide it (I did). Many applications say something like "If you don't want to give us your SSN, we'll give you an ID number to use instead." As a consequence, my student numbers started with 993 and 999, respectively.

There ARE other options.

Re:Importance of the SSN

[UberLame]

No one questions it. People just give it out freely. They don't care if someone takes their schedule, grades, or degree audit. Simply amazing, yet sad. --Josh

Yes, it is sad. How could things go so wrong that students have to jealously guard their student ID numbers and other numbers.

At my school, I changed my Student ID. They made it rather hard to to. Then, they wouldn't tell me what the new one was after changing it. I couldn't register or do anything. I finally got a friend who had access to the computer system to look it up for me.

Sometimes, I still use the SS#. Like, if a professor says that the computer username is my initials followed by the last 4 digits of my SS# (because he is assuming that people didn't get the Student ID changed), I do exactly what he says, and then cause a lot of trouble over it not working.

Too much information

[Midnight+Thunder]

This goes to show you that there needs to be controls over what sort of information a company can ask from an individual. Sure the are probably exceptions to the rule, but date of birth and social security numbers should not be necessary to open an account with anyone, but a bank.

Maybe this is where we need to use the approach of trusted third party authorization. Basically the only person you share this trusted information with is your bank and it is the bank who gives to a unique, time based, validation id to share with the company you are buying the service from. If a bank is incapable of keeping your details secret, then you know that you don't want an account with them.

Re:Too much information

[ConceptJunkie]

Well, if you simply refuse to give out your SSN, most companies (banks and insurance companies excepted) will shrug and move on. They are collecting it simply because most people happily and blithely give it to anyone who asks.

The SSN is becoming so close to the mark of the Devil as described in Revelation that it's not funny. Even if you're a non-believer, it's gotta be pretty creepy to think that the U.S. government is acting in a way that was prophesied as a sign of the end times 2000 years ago. Not what the Founding Father's had in mind, I think.

Re:Too much information

[ConceptJunkie]

Thanks. I deliberately don't know my wife's SSN, although I would recognize it if I saw it, and I've purposely never even seen my kids'. We have _never_ given out their SSN's to anyone as far as I know. I'll have to ask my wife, because that unelected fourth branch of government, the insurance companies, may have forced our hand at some point.

Re:Too much information

[Rude+Turnip]

I can see the usefulness in a bank having one's social security number. Afterall, they do pay you interest/dividend income on things like:

checking/savings/money market accounts
CDs (not the musical kind)
mutual funds/stocks

The income from all of these items is taxable income. It's no different than your employer having your SSN for tax purposes. However, I do believe that banks and large financial institutions should maintain a "Chinese wall" policy regarding the sharing of information among their operating divisions and especially business affiliates.

Re:Too much information

[bluebomber]

date of birth and social security numbers should not be necessary to open an account with anyone, but a bank

And what is special about a bank? Since the banking industry was deregulated a couple of years ago, your bank is also (check all that apply):

• an insurance company
• a stock broker
• a "financial supermarket"
• a real-estate broker
• a mortgage broker
• a credit-card issuer
• a venture capital firm
• a bond underwriter
• a market maker (nasdaq) or market specialist (nyse)

Your bank not only isn't capable of keeping your details secret, it doesn't want to. Your personal information is a MONEY MAKER!

And don't trust the government either: the state of South Carolina (I think it was SC, I may be a little off) was selling drivers' license photos for drivers licenses to private companies!

About damn time

[tweek]

Now maybe we can get some legislation making it illegal for companies to ask for a social security number or use it as any sort of identifying number for accounts. TECHNICALLY, it IS illegal for anyone other than financial institutions and the government to use it as an identifying number but companies currently get around asking for it by saying it's for credit approval. Then they just use that number for your account.

Re:About damn time

[aozilla]

Hmm, or you could just let the companies that accept social security numbers as identification get screwed over. I'm not paying for anything which I didn't personally promise to pay for. No court of law will ever force me to.

Addendum: And what form is that???

[humphrm]

Just in case I was being naive, I checked INS.

(http://www.ins.usdoj.gov/graphics/exec/whereis/ qu ery.asp)

"form to smuggle illegal immigrants": No documents matched the query.

And what form is that???

[humphrm]

The data include Social Security numbers, driver's license numbers, date of birth and credit card information - everything a criminal would need to open an online bank account, apply for a credit card, even create the paperwork necessary to smuggle illegal immigrants.

Uhh, what paperwork is necessary to smuggle illegal immigrants? does the government have a form for this?

Birthdate stolen!

[Black+Parrot]

I'm glad you put out this warning. I've discovered that over 16,000,000 people around the world are claiming my birthday as their own!

--

Re:Birthdate stolen!

[mskfisher]

no, there is always a finite chance that someone would have a unique birthday. unless you were rouding up, because i think it would be getting pretty close to 100%...

Re:Birthdate stolen!

[mskfisher]

pardon me, i've been misreading that time and again.
i hope the link i provided was interesting, anyhoo.

stupid, stupid! >smack<

Re:Birthdate stolen!

[slamb]

> > I suppose it is also true if there are 367 people in the room, there is a 100% chance two of them share the same birthday.

> no, there is always a finite chance that someone would have a unique birthday

No. There are only 366 possible birthdays (365 most years). If everyone in the room has a unique birthday, there can not be more than 366 people there.

This is a pretty simple idea, but it actually has a name - The Pigeonhole Principle.

Re:Birthdate stolen!

[slamb]

Notice the two greater-than signs in the first quote, and the one in the second. They weren't from the same post. The post I replied to stated that the first statement was false, which is wrong. The second statement was apparently his justification for saying that...but the two things aren't at all the same.

Re:Happened to me! Lost savings & checking & MORE

[cybrthng]

You can't be to cautious! Just make sure your working with good people or good businesses. Just be prepaired. My situation hit me in the middle of cross country commutes, my birthday and an attempted vacation which was all screwed because my checking and savings were locked and my credit cards were being declined as soon as the checks were bouncing for payments.

Deal with good banks, good credit card companies and good stores and you shouldn't have any problem.

Give up on online banking as well, just isn't worth it. I can't imagine the risk of having fraud and not knowing if it is the online bank problems or simply the fact you don't have anyone to see other then people over the phone if you do have problems!

Happened to me! Lost savings & checking & MORE

[cybrthng]

Last month i saw charges posting for firecash.com and traced them to online gambling casino's based out of south africa.

It cost me over 5,000 in lost charges, but luckily Visa has a 0 tolerance on fraud charges. For those with "Stolen Identity" change your SSN and DL # NOW because they can effectiley call your bank and change your PIN number or obtain existing PIN #'s and Mac/ATM withdrawals are NOT guranteed nor protected.

Firecash.com is an offshore billing company that does transactions for 3rd party billing companies so this is ONE WEBSITE TO WATCH. I have already filed complaints for both the casino, the casino's processor and firecash.com because they allowed charges with incorrect name, address, phone number AND expiration date to post.

It took over a month to get my money back, every check i wrote bounced, i couldn't pay my mortgage and i didn't get to do shit for my birthday. DON'T LET THIS HAPPEN TO YOU.

Keep 2 seperate banks. Be it as simple as a 2nd savings account or something with your work or local credit union. Don't put all your eggs into one basket. Since i had reported fraud the bank was required to lock ALL MONIES Until the dispute was processed and that alown takes days since they have to file affidavites and work with security departments of visa and such.

This sucks for alot of reasons, and i feel sorry for those who will be screwed for years to come.

Basically cost me my job since my credit cards put me on old because the payments bounced and i traveled 100% of the time.. airlines don't accept cash or promises to pay for tickets. Even my corporate card was locked because i had made a payment with a check that bounced because the account was locked before they deposited it.

So now i have disputes with check authorization companies, letters to my creditors, affidavites to my mortgage company, copies of statements and official letters to my car loan companies and letters to the 3 major credit departments just to fix up MY credit.

Take care of yourself, and don't put all your eggs in one basket. I never used my visa check card online, and now i don't even let my bank link my check card to my savings for rollover protection because that is how i lost every dime i had since the charges kept coming and the bank kept on transfering from savings to pay for them.

scary world we live in when people can generate numbers, steal your identity and post the charges and make out.. if it takes a bank 1 month to investigate that is way to long in the history time since website logs are archived or gone, ip's have long changed (on dhcp or dynamic dialups) and well, you should understand how things work.

Re:Happened to me! Lost savings & checking & MORE

[truesaer]

The more I think about this, the more I think I need to do something to protect myself. I order a LOT of stuff online. And not just with the large companies, but with eBay sellers and Yahoo store sellers, etc.

I did get an American Express Blue card, though I haven't used it. Maybe it would be worth my time to get the smart card reader and generate those temporary CC numbers.

Re:Happened to me! Lost savings & checking & MORE

[FredGray]

Basically cost me my job since my credit cards put me on old because the payments bounced and i traveled 100% of the time.. airlines don't accept cash or promises to pay for tickets.

Actually, at least all major US airlines do accept cash for tickets. Paying cash is very likely to flag you as a potential terrorist requiring extra security screening, though.

Re:Happened to me! Lost savings & checking & MORE

[Kareena+Bhagnani]

Keep 2 seperate banks. Be it as simple as a 2nd savings account or something with your work or local credit union. Don't put all your eggs into one basket.

For added security, open the separate bank account using somebody else's name, birthdate and SSN.

Re:Slashdotters should be overjoyed!

[WNight]

Actually, yes. It does please me that these problems are becoming widespread.

It's the same as releasing an exploit to crash webservers. If script-kiddies take out a bunch of high-profile sites, like amazon or the whitehouse, it'll force people to beef up security. This prevents someone with a more insidious motive from doing the same thing later. (ie bn.com DoSing amazon (or paying kiddies to do it.))

Similarly, if a large number of people get their identity stolen by small-time crooks, it'll force us to fix the system before someone organizaed gets into it and really fucks us up.

Hmmm. Would be an interesting DoS... Automate identity theft, rack up huge charges to overseas companies for non-refundable products. Because the order was with a valid card, Visa/MC wouldn't be able to reverse the charges to the company. Hit them with a few billion in bad charges all in a month.

You know, we're almost at the point where a skilled hacker could wipe out a good chunk of the western economic world. The benefit is that the hardest hit would be those with the least real value, companies whose holdings are mostly stock, or debts, etc.

It won't be all that long...

1 in 5 sounds about right to me

[joshwa]

If not worse!

I should know-- I've just had my identity stolen. Somebody opened up a credit account at Gateway (in addition to other places) and bought a computer for himself! All in all there are $2000 worth of fraudulent charges-- fortunately they're not on my credit cards, so I won't have to pay them in order to conduct daily business.

The Credit Bureaus are a PAIN in the butt to deal with-- I've had to re-open the investigations on my accounts several times-- becuase Gateway and others report that the account is "under investigation," the credit bureaus interpret that as saying the account is mine!

The police are even worse-- it's been 6 weeks since I originally filed my complaint, and only this week have I actually recieved a call from a detective! These things just SIT there until they either get lost or fall onto somebody's desk.

I could have been completely screwed over by this if my circumstances were a little different-- I have been looking for a place to live, and almost all landlords in NYC require credit checks on all applications. With those nasty adverse items on my report (even with a victim statement), I would never have stood a chance getting an apartment. I decided to rent a room instead until things settle down a bit with my credit (and my job), so it hasn't kicked me in the ass yet.

Identity theft is REAL! I'm really surprised more testimonials haven't been posted here... I know of three other people off the top of my head who this has happened to.

I still don't know how they got the information-- a security breach, a disgruntled university employee, intercepted mail... no idea. I haven't lost my wallet or anything.

Maybe that detective will be able to tell me something useful... we shall see.

Re:1 in 5 sounds about right to me

[slickwillie]

The police are even worse-- it's been 6 weeks since I originally filed my complaint, and only this week have I actually recieved a call from a detective! These things just SIT there until they either get lost or fall onto somebody's desk

Hey, give the police a break. They've got SERIOUS CRIMES to investigate, like violations on the DMCA.

not illegal according to this...

[Smallest]

http://www.cpsr.org/cpsr/privacy/ssn/ssn.faq.html -c

Re:Right to not divuldge your SS#

[Smallest]

goverment agencies are restricted as to what they can do with it. private orginizations aren't restriceted. they can ask for it, even require it. but, you're not required to give it to them.

-c

Re:When will people learn?

[C.Su]

This poster nailed it.

Why would a company need any sensitive information for more than N minutes? Or in the Verizon Wireless case however long it takes to conduct a credit check.

While this isn't a permanent solution (in the future authentication systems should or will obviate the need to ever give over sensitive personal information), it seems like a very reasonable policy for the present.

A wireless plan that doesn't involve your SSN...

[gsherman]

http://www.tracfone.com

You buy the phone outright, with no preset plan (or credit check,
or SSN/bdate divulgences), then pay for minutes as you need them
using your credit card, for which you've already established
respectable credit/identity. There seem to be less points of failure
with such a system.

IANAS - I Am Not A Shareholder; I just like the company...

Re:When will people learn?

[Znork]

Who cares about SSL? SSL is important for maybe one billionth billionth of the time your data is in someone elses hands. Ok, so the data is encrypted in transfer. Who cares, when the recieving company is happily saving away your data on a NT machine running It Isnt Secure? Every script kiddie and their grandmothers little dog can wait until two seconds after you press submit and dig the data out of there after that soooo secure SSL transaction.

To protect yourself:

Never enter nondisposable data. Use a disposable email address. Use a disposable CC number (or at the very least a low-limit creditcard). Never enter Social Security numbers (fake one, or use another option). Avoid using your real name. Avoid entering your real phone nr. Dont enter your age. Dont enter your profession. Make the data worthless and corrupt.

In my opinion the only way to handle this problem is to make it illegal for any company to store any sensitive information at all. They need the information? Fine, they get to have it for the 5 minutes they need it, then it MUST be wiped.

Hackers stealing the data is just one simple way the data gets out. Social engineering to disloyal employees through mergers acquisitions etc etc are other ways.

If you ever give out the information it will be stolen and misused.

Re:Slashdotters should be overjoyed!

[Zenki]

No this does not make me happy, because when it comes to money, companies assume I'm guilty until I prove myself innocent...

Makes one wonder...

[zook]

...if handing over fingerprints for every credit card transaction isn't a bad thing.

(shudder)

Re:I am NOT a number. I am a FREE MAN!

[Hershmire]

According to /., you are User #213387.

Have a nice day.

Drivers Licenses!

[wiredog]

Most states, but not Virginia (it's an opt-out in Va) and Utah, use the SSN as the drivers license number. So when someone steals your wallet, they've got your SSN and birthday. Then all they need is mothers maiden name (probably on your birth certificate) to complete the ID theft.

Re:Drivers Licenses!

[aonifer]

It's also an opt-out in Iowa. The lady was really thrown when she asked me if I wanted a different number from my SSN on my license and I said yes.

Re:Drivers Licenses!

[Ghengis]

None of South Carolina, Georgia, and New Jersey use SSNs for DL numbers. It might be easier (and a shorter list) to find states that actually DO.

Re:Drivers Licenses!

[Wiggin]

I have had drivers licenses in Minnesota, Michigan, and Utah. And the neither Michigan nor Minnesota used the SSN for the Drivers License number. Utah also doesn't use the SSN for the drivers license number, but it is an option to put your ssn on your drivers license (isn't that just a wonderful idea?).

Re:Drivers Licenses!

[Merk00]

Maryland also does not use the SSN for a driver's license.

Re:Drivers Licenses!

[fobbman]

Hmmmm...not Oregon, Washington, or California.

Re:Drivers Licenses!

[UberLame]

There is no SS# printed on my PA license. I don't know what is encoded on the magnetic strip though.

Re:Drivers Licenses!

[yellowjacket03]

In Kansas you have the choice and Texas doesn't use your SSN.

I just used this to get out out of my contract

[alexjp]

I've been trying to cancel my Verizon Wireless contract for several months now (I no longer use my cell phone) but they've refused to let me out of the contract without paying them $170.

After reading this article, I called them.

Me: Hi, I just read an article that said that people are stealing social security numbers out of your databases and posting them on the Internet. I wanted to know what personal information of mine you have in your database.

Verizon: Hold on, let me check

Verizon: We have your ssn, but not your date of birth or driver's license number.

Me: Can you remove my ssn from your database?

Verizon: Hold on, let me check...

Verizon: No, we need to have that number for credit reporting purposes.

Me: Well, I'm really concerned about identity theft....

Verizon: All I can offer is that we can close your account at no charge, or we can put a password on it.

Me: Well, I guess I'm going to have to close my account...

And in less than 10 minutes, I got around the early termination fee!

Slashdotters should be overjoyed!

[Monte]

Every time we get a story about another bust.com doing the big sleep and selling it's customer info, the wails and gnashing of teeth are thunderous. Slashdotters love anonymity, and hate being profiled.

Now imagine if identity theft becomes commonplace - this will result in all that "personal info" becoming worthless, and will make demographic profiling useless. Massive identity theft will wind up increasing real anonymity - because anyone could be using "your" ID numbers and passwords.

No longer will you have to worry about someone connecting your nick to your "real name", and fearing repercussions over your "free" (as in speech) speech. "I didn't post that, some stinking pinko identity stealer did!" I'd think the cypherpunks should be breathing hard by this point. Heck, they may try to encourage identity theft!

Doesn't this make you happy? Those big companies won't be able to treat you like a number anymore, because that number could be a bunch of people. We'll finally be able to cast off the oppressive yoke of corporate pigeonholing and catagorization of people!

...and get back to actually going to the store with cash in hand for your CDs, DVDs and blank CD-Rs. Ah well, that's the price you pay for progress, right?

Maybe the thieves WERE spammers!

[Tackhead]

Consider this:

One victim - $4000 lost - "Most of the charges were at Network Solutions".

Another victim "was called by his bank Monday and told a criminal had charged $1,000 on his card over the weekend at Network Solutions"

Now, I'm just speculating, but what kind of criminal do we Slashdotters know of that has a need to register lots and lots of domains, and has a use for lots and lots of credit card numbers, (that is, has a use for lots of CCs, a few of which would be used to register bogus domains, but the majority of which would be used to sign up for $20/month throwaway dialup accounts that get nuked within hours of signup...)

If my hypothesis is correct, all we need to do is follow the trail from the CCs to the domains to the dialups to the whackamole users.

Y'see, if the $KILOBUCK charges are going to domain registrars, it'd be pretty easy to figure out what domains were registered, and if they were appearing in spams.

And if we find the domains in spams, we can get the spammers' general geographical location by looking at reverse DNS from the throwaway dialups with which he spews. We can also learn from the "Send money to" snail-mail dropboxes (usually a Mail Boxes Etc. type of place) in the spams. Follow the money.

If there's only one or two spammers, I'll bet we also find that he and/or his associates have (in addition to the domain registry carding) been doing credit fraud on lots of cards the $TWENTYBUCK range to sign up throwaway dialup accounts. (Umm, and mailboxes at MBE ;-)

Or maybe our Bad Guy is hiring others to spam on his behalf. In this case, we have 100 "work at home" suckers, most of whom lost money to the ringleader, and we only need one to turn state's evidence.

Of course, all of this is mere speculation. But it would account for much of what's appeared in our inboxes over the past year, wouldn't it? There are probably only a few spammers who would have the capacity to run such an operation, and their real-life identities are known. In my more paranoid fantasies, I imagine that this identity theft might have been done on behalf of one or more of them.

The wheels of justice grind slow. But they grind fine.

Not a Verizon Wireless issue really..

[iamsure]

Read the article all the way before submitting, sheesh. While its in vogue to knock Verizon Wireless, notice that it is not by any means limited to them.

Numerous times they mention the AT&T connection, and the URDigital.com connection. In fact, URDigital is the name of a folder specifically listed in the IRC transcript.

This looks to be a multiple vendor issue, not limited to one company.

These views are mine, not my employers.

Called Verizon Wireless Customer Service

[decaffeinated]

Their response:

"We dispute the facts presented in this article. The cases of reported identity theft are not correlated to the fact that many victims purchased a cell phone online from Verizon Wireless. We view these events as a coincidence."

Uh huh. Having recently purchased Verizon wireless service at a retail outlet, I really have no choice now but to go purchase credit reports at Equifax and Experian.

Sigh.

Obviously someone didn't read the article...

[jmccay]

You can't cancel your Social Security number. Date of birth would be an obvious one that is impossible.

pre-reporting fraud?

[mnot]

from a MF article:

You need to put a fraud alert on all three of your credit reports. This has three effects: 1) You get a free copy of your credit report, 2) they remove your name and address from the pre-approved offers list, and 3) any new credit grantor will be instructed to telephone you to verify that you really want to open the account.

Hmm, this sounds like a pretty good deal. I wonder if you can "pre-report" fraud for these benefits... legally?

Re:Can ask or should ask?

[plague3106]

No, there needs to be regulations. If there aren't, a company can say 'no account for you' for not wanting to provide any information they want. They need to be told what information can be collected to establish an account, and not allowed to refuse service to anyone that doesn't want to give out more.

Re:Can ask or should ask?

[plague3106]

The problem is that if there are not restrictions, there will be no companies that don't require an SSN for example. Thats your first problem. The second problem isthat you can't read. What i said was that companies should not be allowed to refuse service if you don't want to give up more information then they absolutly need. I didn't say they couldn't ask for an SSN, i just said they shouldn't be allowed to turn you down if you choose not to give it to them. Thats not telling you waht info you may or may not give, its tell the companies what info they may REQUIRE for you to establish an account. You say its not my place to decide how much info you give away? Well, you're basically deciding how much info i must give away. It also amazes me how stupid people can be. You're will to sell your private information for a cheap watch, or a few cents off your pepsi. Its stupid b/c not only are you giving up your privacy (a dangerous thing to do), you're also selling yourself short. Think how much the companies pay for your info...and you get that cheap watch? How about i exchange a pencil for your wife's wedding ring? You enjoy the pencil, i'll sell the ring for a few hundred.

Don't pay into SS or give out your SSN

[pngwen]

Actually you aren't legally required to give that number to anyone except the social security agency. If any company attempts to deny you service based on refusal to give out your social security number they will have violated the social security act and will be liable for time in a federal prison.

Also, you don't have to pay into it. It's a voluntary program just like over 90% of federal income tax. For more information on the opt in programs the IRS wants you to believe you're required to pay read Title 26 of the United States code. Unless you are a non resident alien, working for a foreign corporation, received a petition from the secretary of the treasurey, or manufacture producst susseptible to excise tax, You aren't required to pay federal income tax.

Request your IMF file from the IRS. Most of the time you'll see yourself classified as 4035, working for a foreign corporation. You don't have to file, you don't have to pay. Any employer that witholds tax is guilty of fraud, and the IRS's notices violate section 9b of RCP US code title 18 so you can refuse them for fraud. The law scares them. Enjoy!

Re:Social Secuirty # and you

[Ghengis]

Legally, they cannot require you to give them your SSN. That number if for use by the government only, but we've let business in general have access to it by giving it when they ask. A Credit Card application, for example cannot REQUIRE you to give your social security number. If they do, it's illegal

How do we know if we were revealed????!!

[Kefaa]

Any idea how someone might tell if we were revealed to the world?

Somehow I do not think AT&T, and especially Verizon will be helpful in providing this to their customers.

Re:How do we know if we were revealed????!!

[sydney094]

I'm just pissed off that I had to learn about this here... instead of from *surprise* Verizon. I am one of those lucky few that did order a phone from them online... Yes, I know I was an idiot.

Alas...

Re:How do we know if we were revealed????!!

[actiondan]

Try doing an internet search for you social security number - that will show if it has been posted on any websites (once there has been enough time for your search engine of choice to do the necessary spidering)

Of course, the story is about details being posted to a chat room so this might not help in this case...

actually....

[neowintermute]

A few weeks ago my brother saw some statistic on television that in your entire lifetime, the chances of someone stealing your identity are like 1 in 5. While I thought this was a ridiculously high number at the time and laughed at him, maybe this story can lend some viability to it.

http://www.redpolygon.com
http://www.hyperpoem.net

Re:actually....

[haruharaharu]

I would think 1 in 5 is a bit low, actually, especially with the corporate stewardship of my identifying data.

Sue?

[cc_pirate]

What's to stop these people from suing Verizon and their distributors for their $hitty security? I mean it should be VERY easy to prove the financial damage they have been caused. We KNOW that if this had happened to a corporation, whoever had screwed up would be in jail (right Dmitry?). I personally would sue them for every dime I ever thought I would spend fixing this and add on 200% for damages. This is the only way businesses will stop treating our information so casually. We have to make them pay when they screw up and pay BIG TIME!

SINful

[hey]

The Canadian equivalent to Social Security Numbers is Social Insurance Numbers or S.I.N. The name too ironic! Of course, SINs are misused like SS#'s.

It used to be you didn't need a SIN until you got your first job (at -maybe- 16 years old) but now many parents are required to get one for their kid's Registered Education Savings Plan (RESP) - sometimes in the first year of the baby's life. Welcome to the system, Junior!

Re:Don't Give Out Your SS #

[toupsie]

You didn't have to in the past, but now it is the law.

It went into effect during the Clinton Administration. I think it was 1995 when it was passed from big business wet dream into law.

Re:Don't Give Out Your SS #

[toupsie]

I tried to post the answer but everytime I get this message:

This comment has been submitted already, 276711 hours , 19 minutes ago. No need to try again.

Must be a government conspiracy!!! You can get the answer by searching the SSA FAQ at http://www.ssa.gov/.

Don't Give Out Your SS #

[toupsie]

Straight from the SSA

Giving Your Number To Others

If a business or other enterprise asks you for your Social Security number, you can refuse to give it to them. However, that may mean doing without the purchase or service for which your number was requested. For example, utility companies and other services ask for your Social Security number, but do not need it; they can do a credit check or identify their customers by alternative means.

Giving your number is voluntary even when you are asked for the number directly. If requested, you should ask:

why your number is needed;

how your number will be used;

what happens if you refuse; and

what law requires you to give your number.

The answers to these questions can help you decide if you want to give your Social Security number. The decision is yours.

Our primary message is this--be careful with your Social Security number and your card to prevent their misuse.

If you think someone is misusing your number, ask us for the leaflet, When Someone Misuses Your Number (Publication No. 05-10064).

Originally your SS # was never supposed to be given out to anyone! But big business beat up big brother and started using it to profile each and every American. In fact, the business community forced the Government to require *all* citizens to have a SS #. So now from the second you pop out of your mother's private parts, you have to be registered with the SSA.

I personally think the ending to "Fight Club" would solve this problem once and for all.

Re:Don't Give Out Your SS #

[nido]

It's only a requirement if your parents want to deduct you off of their "income tax", or if they save money in your name.

---

Re:Don't Give Out Your SS #

[Corvidae]

Actually, no... you don't have to be registered with the SSA from birth. I was SSN-less until I got my learner's permit (at the sad, sad age of 18). It's not a requirement... after all, how is a 6 week old child going to pay the SSA? =)

Re:Don't Give Out Your SS #

[Corvidae]

Do you have a reference for that? Not intending to be argumentative, simply curious. =)

Re:Don't Give Out Your SS #

[Corvidae]

I've been getting that sometimes, too. Ah well. I'll take a look.

Thanks. ;)

Re:Don't Give Out Your SS #

[FrankHaynes]

Social Security Administration writes:

Our primary message is this--be careful with your Social Security number and your card to prevent their misuse...

...since the government was so incredibly short-sighted as to devise a system that is transparent and fraught with holes that can allow others to make your life a living Hell.
Gee, thanks for that sage advice!

Re:When will people learn?

[pne]

Who cares about SSL? SSL is important for maybe one billionth billionth of the time your data is in someone elses hands. Ok, so the data is encrypted in transfer. Who cares, when the recieving company is happily saving away your data on a NT machine running It Isnt Secure?

Or if the data is encrypted with SSL during transfer but then appended to a file that lives below the docroot and whose name can be guessed from some hidden parameters in the form? I, er, heard that this happened to a University's online bookstore (they've since fixed it); while the hole was open one could supposedly read all about other people's orders: credit card numbers, email addresses, etc.

Makes you wonder?

[gordzilla]

Just what a goldmine HailStorm is going to be for this sort of thing.

Re:brithdate?

[Ravagin]

Yech. Not at all. I was actually thinking of attempting to tamper with the delivery of the baby.

I guess that's only slightly less weird....

-j

Re:I am NOT a number. I am a FREE MAN!

[Ravagin]

You are number six?

Re:brithdate?

[Ravagin]

Wow. There's a story.

But, you know, if you had a time machine, you could keep all that from happening.

-j

Re:brithdate?

[Ravagin]

Gosh, here in Maryland, it takes the act of a surgeon to change your sex.

...oh. Legal document. 8)

-j

brithdate?

[Ravagin]

and date of birth too.

Quick! To the time machine!

("no, listen you have to hold on for at least *checks watch* two more hours. no, i can't tell you why. oh, damn. nurse!")

Or something....
-j

Re:brithdate?

[BitchAss]

Quick! To the time machine!

Geeze - not to be rude or anything but I pictured you sitting with your parents trying to stop them from gettin' it on for another couple of hours. *shudder*

Re:brithdate?

[ichimunki]

AC, I realize that it's best that they require documentation before changing a record. However, in this case they could view the entire record history and see when the change was made without supporting documentation or authorization. The fact that they require documentation to fix their own mistake of changing it in the first place is what I find amusing/found annoying.

Re:brithdate?

[ichimunki]

You laugh! But my birthdate was once changed without my permission or knowledge. I had filed a routine name change form with Social Security, and some dumb clerk introduced a typo into my record turning 11 for November into 1 for January. I found out about it a few YEARS later, while speaking to an IRS agent (who was verifying my identity and apparently the IRS gets a feed from the SSA, and when she asked for my birthdate told me she had something different).

When I called the SSA to discuss this, they tried to act like they really hadn't made a mistake, and get this: it was now illegal (and they tried to shift the blame to President Clinton for signing the law) to change that part of my record without my filing a certified copy of my birth certificate and a request form. Yes. Your government has outlawed the practice of correcting its own mistakes.

And we're worried about corporations? At least most companies don't have standing armies and navies and immense stockpiles of nuclear weapons.

Re:brithdate?

[japhmi]

At least most companies don't have standing armies and navies and immense stockpiles of nuclear weapons.

yet.

p.s - most companies?!?

Re:brithdate?

[yellowjacket03]

Did you have to whip it out for the judge? Or did he just take your word for it?

Boycott SS# forms

[JasonVergo]

I'm going to refuse to give out any personal information from now on. If they want my business, they'll have to trust me and not me trusting them. Since it seems obvious that we can't trust them.

basic math...

[nido]

...teh gov't who probably would lose half my benefits if I changed #'s.

half of almost nothing is still almost nothing. I haven't been following it all that closely, but didn't George W.'s social security task force say recently that without reforms the social security system was going to start going broke in 15 years or so? And that they'd have to cut "your benefits" to keep the system solevant? Another argument for not "investing" 15% of your yearly wages with "the government". (What's that you say? "it's only 7.5%?" Tell me all employers would keep their matching 7.5% if they didn't have to pay the social insecurity tax, i'll laugh at you).

---

or...

[nido]

you could just stop using "your" SS# entirely. Get rid of all the credit cards you gave the number to, change your driver licence number (if you have one, notice there's no 's', at least in Arizona, most other states too I believe), open new bank accounts without the number attached (US banks only need a number [TIN or SSN] for interest bearing accounts), change your employment structure so that you won't need a number (contract work, or use a payroll service like American Contracting Services), etc.

There are some good suggestions under "GENERAL ADVICE ON OPERATING WITHOUT A SSN" towards the bottom of this page..

---

Illegal immigrant paperwork? Huh?

[bopo]

The data include Social Security numbers, driverÕs license numbers, date of birth and credit card information Ñ everything a criminal would need to open an online bank account, apply for a credit card, even create the paperwork necessary to smuggle illegal immigrants.

And here I've been thinking that the major impediments to sneaking into the U.S. were fences, dehydration and big guys with shotguns. Turns out it's red tape.

Re:Illegal immigrant paperwork? Huh?

[Tuonenkielo]

Well, with a large enough bunch of correct identities, you could bring a whole shipment of people, with real papers, into harbor. No need to try to find the weak point of the border, just come straight in, let the cargo show the correct (but not theirs) ientities, and voila, one shipment in country, next one coming in soon....

Spam worse than ID theft?

[Dr_Cheeks]

"What's even worse is when companies go under. Consider this ........ some vulture comes along and buys their lists with your name and personal info and in turn sells it to several other companies just drooling over the new people to spam"

Well, that'd suck for sure, but I think that getting spam would be preferable to some b*stard getting all my personal details including my CC number, running up a huge bill, opening accounts in my name and leaving them overdrawn, and basically screwing up my credit forever.

Re:Spam worse than ID theft?

[Anixamander]

You can avoid this problem by doing what I do...vigilantly maintain maxed-out, shitty credit. That way no one can make charges to existing accounts or open new ones. Thank god I got a head start on this in college. Little did I know when I was buying rounds for my friends that i was actually safeguarding my identity.
--

Something I never knew

[Dr_Cheeks]

From the article:

"...date of birth information cannot be canceled and reissued..."

Thank God we've got MSNBC to point out stuff like this!

Re:Something I never knew

[spood]

Uh oh. Don't tell the hindus...

Re:Something I never knew

[Anixamander]

I was going to change my birth date to something else, but all the others were taken. This is worse than trying to get an AOL screen name.
--

Passing it on

[galego]

The source provided MSNBC.com with a two-hour slice of log files from the chat containing information from about 50 people.

And now folks at MSNBC are now impersonating you as well...isn't that great!

Who the hell is this 'source' person anyway!?!?!? He's doing a great job of helping the whole data security thing, aren't he?

Galego

Re:Interesting banner ad...

[The+Larch]

What an excellent idea, having all your identities conveniently managed by Windows. No more having to log out of Hotmail to check another mailbox, or forgetting to delete your signature from an anonymous posting.

It'll save time when propagating worms, too -- you just have to receive the worm once on your work email account and it can forward itself using your work identity, your home identity, any of the pseudonymous identities you use to post on the not-quite-mainstream newsgroups and discussion forums, etc. It can even mix and match the contact lists for an amusing effect!

Seriously, who would bet Windows will not leak information between your identities? Microsoft's C compilers insert arbitrary chunks of your disk into compiled binaries!

No can do, Michael

[alexburke]

And make sure to cancel your Social Security number and date of birth too.

From the linked article:

Experts say the victims could be dealing with the potential identity theft for years; unlike credit card numbers, Social Security numbers and date of birth information cannot be canceled and reissued.

So much for that idea...

--

Re:No can do, Michael

[Vegeta99]

in VERY RARE cases (witness protection) they will reissue them.

Social Secuirty # and you

[hrieke]

wow...
I think the first thing that should be done here is that the requirement of a SSN on any application for a credit card or phone number, etc should be out right banned.
Second, these phone companies should run a two week advertisement announcing the thief of this data and that all people should check with their credit card companies and credit rating companies. The hacked companies should also report this to the credit reporting companies!
I also think the companies should be libel for a million dollars of damage per incident (person).
Finally a quick google search on legal uses of social security numbers turns up quite a few things worth reading: SSN FAQ

Re:Interesting banner ad...

[zerOnIne]

for those who are interested, a while ago I also got an interesting little screen seemingly advertising MSN AntiTRUST. this was back in january while MS was still tangled in litigation, and the antitrust movie was just coming out...

maybe i just attract weid banner ads?
-----

Interesting banner ad...

[zerOnIne]

did anyone else get an ad of OfficeXP for this article? I took a screen shot of mine: "For Identities, One Password." Maybe it's just the lack of sleep but I find this very amusing :)
-----

SSN?

[stilwebm]

You have to give your social security number to get a cell phone? Is $40/month such a risk that they have to run a full credit check? I've never purchased wireless in my name, so this is news to me.

Re:SSN?

[stilwebm]

Nobody's It is is my employer's name.

Re:SSN?

[hearingaid]

They need your SSN to do a credit check?

Here in Canada, all they need is your name, address, and a number.

Any number. A MasterCard will do.

The only thing I need to give out my SIN for is when I'm employed (the employer needs it) or when I file my taxes.

Wow, Americans and bureaucracy. Wacky.

Re:SSN?

[nohonor]

If you never purchased wireless in your name. Who's identity did you steal.

"There is no honor among thieves"

Re:SSN?

[emoeric]

yeah they do a full credit check, at least with cingular. Since i'm a college kid with no credit of my own as of yet (i use mom n pop's credit card when need be), i had to dish out a $250 deposit to assure them i'd be paying for my splendid service.

|---------------|

its not just Verizon Wireless

[alanjstr]

Its also AT&T Wireless. It seems to come from haivng a credit check run when you're purchasing online. So far, one bankrupt background checker is suspected.

Okay, let's see them get around this!

[fobbman]

I'll just encrypt my social security number using the strong ROT13 encryption that Adobe uses.

Er, I may have to put more thought into this. Let me get back to you on that.

Re:Okay, let's see them get around this!

[srvivn21]

More thought? Hell no! That's a great idea. Anyone who does decrypt it can be arreseted! ;o)

Re:To protect yourself....

[dazed-n-confused]

Better link here.

Re:When will people learn?

[mrgoat]

Contrary to what some people may say about giving out false information to cell phone companies (which won't work very well...they do check your credit. Ok, ok, so you can fake that; great, one felony on your record then), the only real option is to not participate. That's it.

Use services that you can pay for in cash or check only. More importantly, use services where you have the option of interacting with a human being who can actually make decisions. This will limit you to local or regional services. So you don't have a cell phone anymore...boo hoo. Chances are, you REALLY don't NEED one anyways.

The only exception to that "cash-n-carry" rule should be for institutions that you feel are important enough to contract services from. Your local college, for example, or your local utility. Local is nice. Local means you can find a real person who can be held locally accountable for their actions, i.e., you get to see their face when you legally or physically beat the snot out of them for being morons with your info. They know this is a possibility. They don't want that, so they will be *slightly* more careful than some faceless trans-national conglomerate.

Chances are, being local only, they will require MUCH less data from you. Most locally owned places that I go to only require that I flash a valid ID and this month's utility bill to start an account with them. Much better than your ID info, SSN, DOB, Mothers Maiden, and all that other crap being entered into some hackable database somewhere.

The only exception has been local banks and credit unions, but with them my information goes onto paper and usually stays there.



mrgoat

And that's not all...

[mcrbids]

This identity leak may or may not be Verizon's fault - but their web stuff isn't the cleanest.

I wrote a program to interface with their web-cellular messaging gateway.

In the process, I found three form errors on the gateway page. Something so simple, and they'd managed to screw it up three times!

But what if it's me?

[mcrbids]

How would I find out if I was on that list? I bought a Verizon Cell phone recently!

Re:Solution is at hand

[PHoliday]

I think I'll start working on embedding readers in the seats of subway trains and then I'll develop a blackmarket surgical procedure to implant stolen ID's in other people's asses...

Identity alteration

[SillyWiz]

Amusingly, I've just changed my identity (for a perfectly legal, albeit not common, reason) and the experiences have been both entertaining and somewhat worrying.

I arrive at a bank. I hand them a passbook for an account opened in, like, 1976 by my mother. It's never been updated since so there's no signature on the account. And I succeed in changing the name AND the mailing address attached to the account in one go. Oh, to further complicate things, my current gender differs from the one attached to the accounts..

Required: 1 birth certificate in old name. Easily obtained in about 1/2 hour from the registry office. 1 statutory declaration. Mine was drawn up properly, witnessed by a second solicitor, but as a friend put it, it's just some typing with magic writing on it that everyone trusts. I have no doubt one could knock up a forgery in about ten minutes. And they were looking at a PHOTOCOPY of it. And a driving licence in my new name which has the new mailing address on it.

Now the only hard part of that to get is the latter - again, mine is legit. But fake driving licences are not hard to get hold of... the new photocards may make it marginally harder, but I doubt it would pose a serious problem to people with scanners and high-res printers.

But given what I was doing I'd have expected them to phone and check up on at least one of the documents. No - they just photocopied the things (to protect their backsides in case of problems) and got on with things.

And so this continued.. bank after bank after bank, my AA membership, my investment accounts, my inland revenue information...

In fact Barclaycard and the Halifax bank were the only hard ones. Barclaycard because they allegedly have no idea how to rename an existing account - complete crap if you ask me, afterall half their userbase is likely to change their name when they get married.. So they're creating me a new account, closing the old one and doing a balance transfer. I'm expecting this not to work, by the way - if they run a credit check for the new account they'll find there's no history of me...

Halifax managed to order me a new card. Which arrived in an envelope addressed to me in my new name, but which had my old name on the front.

So two places had problems because of incompetence. Everyone else just let me do it. I don't think a single one has done more than photocopy already second generation photocopies of documents and then start typing into databases.

Several of them have done this stuff over the phone, given cursory access checks. Like, knowing my postcode as well as the account number. {Having not moved that long ago, I read the postcode off the same bit of paper as the account number.. :-}

I'm surprised identity theft doesn't happen MORE often..

Re:Can ask or should ask?

[krlynch]

If there aren't, a company can say 'no account for you' for not wanting to provide any information they want.

And why exactly is that a problem? How does that violate your rights? Or mine? If a company won't give you service without an SSN, then go somewhere that will. Or buy one of those "prepaid" phones. Pay with cash instead of credit cards. Buy in person instead of over the phone. But don't get the government involved in telling me who I can and can't give information to. If I want to give my SSN to a company for a discount or for a higher class of service, why shouldn't I be allowed to do that. Telling companies what they can and can't ask for is ultimately a restriction of MY rights to "life, liberty, and the pursuit of happiness"; it isn't your place to decide for me what I can and can't give away.

Re:thats a lot of domains....

[tringstad]

Thats a lot of #####sucks.com's to be registered. I wonder how many it takes to rack up $4000. It has to be a few.

Nah. You could probably do that with 2 or 3 domains using Network Solutions as your registrar...

&nbsp&nbsp-Tommy

IIS or Apache?

[rmpotter]

Well, just wanted to point out that if it had been an IIS system that had been hacked, most of this thread would consist of the usual MS bashing and OSS chest beating.

In this case, according to Netcraft, it looks like the hacked servers were probably running Apache and Netscape Enterprise.

Shhhhhh! Don't tell anyone! But remember, the next time something similar happens on a Windows platform, moust of you WILL HAPPILY drag Microsoft's name through the mud.

Re:Online privacy and Microsoft Passport

[la1n]

MS Passport == "mark of the beast"???

Re:thats a lot of domains....

[Poor+Soul]

...then two months ago there were $4,000 in false charges on his Visa card. "Most of the charges were at Network Solutions," he said.

Thats a lot of #####sucks.com's to be registered. I wonder how many it takes to rack up $4000. It has to be a few.

Hmm... now we know how verizon registered all those variants of verizonsucks.com and fuckverizon.com


--Josh

In the words of Homer Simpson... "Mmmmm... beer."

its not on the license, but they still require it

[Mr+44]

Due to new (fucking lame) Federal Laws regarding "deadbeat dads" who owe child support, all state DMV's are required to collect SSNs. They are not required to put them on the license or do anything with them besides turn them over to the feds.

Check out WA State law, especially the part where the legislature says "the use of social security numbers on licenses is inappropriate, intrusive, and offensive".

(note - please don't point out that this is only for commercial licenses. Read carefully - The federal deadline has passed so its now required for all licenses).

Re:When will people learn?

[martyb]

Anything that requires entering anything more personal (and cancelable) than a credit card number is probably best not done over the web

Agreed, but what good does that do when a company chooses to move ALL its customer data gathering applications to the web? Would anyone like to comment on this scenario?

As a cost-cutting measure, it certainly seems to make sense for a company to move to a single platform for the acquisition of new customer information. Just put a web terminal in each brick-and-mortor store, right? Better still, they can also use them in call centers for handling customers who call in their order (say, in response to an advertising campaign). Heck, can even use it for the data entry of the mail-in-forms, too! They've already got the web-enabled on-line tools to do this, so leverage that investment and use that tool as our sole means of data acquisition.

The result, it seems to me, is that the user is less and less able to protect themselves from personal data being stolen. Maybe I'm being paranoid, but I'd expect that SSL and the like was being used for the Verizon (and AT&T) web applications, too, yet this theft has occurred nonetheless. Could it be that we are once again running into the dangers of monocultures (put it all on the web) and the prolifieration of diseases (hacking web sites with larger and larger stores of data)? What can the average user do to protect themselves in such situations?

Security Policy

[Octoberfest]

People always stress the technical aspects of security, but this Verizon story is a good example of what happens when you don't have a well-designed security policy. I can't stress how important policy is to the field of security in general, computer or otherwise. Experienced security professionals need to consider everything, and think about loopholes like the ones Verizon obviously missed.

Whoops! :)

Justin Cheung

Fraud Alert Consumer Statements

[TheNarrator]

These guys should really put fraud alerts on their credit report. Fraud alerts are short statements that you can ask Experian, Transunion and Equifax to put on your credit report telling anyone who would be reviewing your application for a credit approval of a credit card or some other product that you have been the victim of identity theft. They usually ask to call a certain phone number and verify information with the individuals before proceeding.

Social Security Number structure

[dfenstrate]

Yeah, you're more or less correct.

http://www.cpsr.org/cpsr/privacy/ssn/ssn.structure .html

Two Words

[smagruder]

Generated GUIDs.

Steve Magruder

Wrong about Passport

[Planesdragon]

Windows XP RC1 works just fine without passport enabled. I can check my e-mail, browse the web, use web servers, publish web pages, and even send error reports--all without sending MS a single fact about me.

Passport's just integrated, so if I *wanted* all of MS's shiney new toys (MSN Messenger, .Net, etc) I could use them. But if I don't want to, then WinXP is just like what Win2k should have been--the product of putting NT and 9x in a room with some spanish fly and waiting nine months.

I am NOT a number. I am a FREE MAN!

[tenzig_112]

I just want to say for the recod that my identity cannot be stolen.

I will not be pushed, filed, stamped, indexed, briefed, debriefed, or numbered! My life is my own!

Re:scary

[japhmi]

Isn't it time digital authograps (PGP signatures or whatever) are necessary for online activities?

Well, this article talks about how digital signatures are not really the same as written signatures (and the article was even discussed on /. Very interesting article.

It's about time.

[canning]

you might want to check your credit card bill post-haste. .

*checking statement* "What the hell is this monthly charge from Verizon? They've been doing this monthly, like clockwork! Someone has to put a stop to this.

Why it took so long ?

[C0vardeAn0nim0]

I mean, with thousands of companies acquiring our data, or "invading our privacy" as many /.ers may cry, is amazing that it took all this time for someone crack the database of any of these companies to steal the data and use it for criminal purposes.

This is what happens when you trust too much of your personal information to a 3rd party. I'm not blaming the user, of course, but the companies that convince the average internet user that is "safe" to trust on them.

It's time for the internet business in general to assume a humbler position and inform their costumers of what kind of risk is involved.

--

I.D.

[Kryptolus]

All The World Over, your identity are belong to us.

*sigh* This is getting old.

Followed your instructions in the article, but ...

[WillSeattle]

And make sure to cancel your Social Security number and date of birth too.

When I cancelled my date of birth, I was unable to access all the sites the DCMA requires age verification at.

Good thing I didn't cancel my driver's license while I was driving ....

Re:Solution is at hand

[UberLame]

because then someone will have their ass chip removed, and a new ass chip implanted that can be reprogrammed.

Can ask or should ask?

[truthsearch]

I don't think there should be any regulation on what companies can be allowed to ask, if that's what you're implying. If a person is willing to give out personal info, then so be it. But at the same time, people should be smart enough to know not to give just anyone their most personal info. If everyone said, "No, I'm not giving you my social security number; you're not the social security department of the US." then no companies would be asking for it. Companies require it because it's helpful to them (guaranteed unique ID) and people are willing to give it out. It's the general population's fault for giving out too much info and the company's fault for not being secure enough. But I'll bet neither problem is going to stop Verizon from making a lot of money selling phone service.

---

Can you imagine..

[baptiste]

Its bad enough having to get new credit cards - but I can't imagine the hassle and disruption that would be caused by changing my Social Security # both on the part of the dirtbag comapnies that want my SS# and teh gov't who probably would lose half my benefits if I changed #'s.

THink about the hell you'd go through changing SS#'s the next time someone asks for it! :) I used to be more laid back aout it - but am quickly starting to challenge companies that want my SS# - too bad - get another ID to use.

I'd have to rate changing SS3's above the nightmare of getting a new checkin gaccount or switching to a new health plan!

But beyond that - I'm a Cingular customer - so I'll have ot wait my turn to have my info sold er stolen.

Re:Can you imagine..

[archen]

Next thing you know they'll use SSN's for social security... Like I'll ever see any of that money I'm paying in for it. So I spend my working portion of my life paying in for this bar code (SSN) and at the end I get rewarded with a $5 a month check. Whee, thanks Uncle Sam.

Not living in the USA, ...

[reynaert]

... I'm afraid I'm going to have to ask some clueless questions.

* What are SSN's used for? (and for what purpose were they originally intented?)

* Why do you need to give it when buying a cell phone? Why do they need your driver's license number??? (What if you don't have one?)

When stopped being your name, address and autograph being enough?

scary

[Ubi_NL]

In Europe this pretty much doesn't give that much trouble as you will always need an authograph. Isn't it time digital authograps (PGP signatures or whatever) are necessary for online activities? Microsoft is in favour of it...

No wonder...

[RevDobbs]

A buddy of mine recently got new wireless service through Verizon, but in the last week he's looked different... about half a foot shorter, maybe 50 lbs heavier, too.

Whatever... he's spending money like water and treating everybody at happy hour, so it's all good...

God bless those Albino Ninjas...

Right to not divuldge your SS#

[ehud42]

What are the rules in America for who can ask for your SS#?

As I understand it, in Canada, only parties that are going to be involved in your taxes (employers, banks, Canadian Customs and Revenue Agency, etc) are allowed to ask you for your Social Insurance Number.

There are a lot of other groups that ask for it, because it makes for a very convenient unique identifier, however, as a Canadian, I believe I am allowed to refuse without loss of service.

I never give out my SIN unless it's actually legally required.

Assimilation

[stebalo]

First they assimilate Bell and GTE, now all the users shall also be assimilated.

Behold! Witness the founding of the Borg collective!

When will people learn?

[krugdm]

Hopefully, a story like this on a news site like MSNBC will be read by more internet newbies than if it were on CNet or something. People need to be educated that they nedd to always hold a little bit of paranoia on the internet, especially when shopping. Anything that requires entering anything more personal (and cancelable) than a credit card number is probably best not done over the web. Even if you think the company is "reputable", stuff like this happens, and probably more often than is published.

Re:Solution is at hand

[Uttles]

I wish I knew who these sense-of-humor-deprived moderaters were so I could personally open up a can of home grown whoop ass on each and every one of them.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I knew my privacy was worth the effort!

[CathodeJack]

A few months ago, the company I work for made me switch my mobile service to Verizon. I insisted on doing all business at one of their stores, paid cash for the phone and setup fees, and absolutely refused to give them my social security number. In addition to all this self inflicted inconvenience, Verizon went to great efforts to make the whole process more of a huge pain in the ass because I refused to give them my SSN. It took two weeks, three visits to their store, one letter, and a lot of grief from my boss (only some of which was directed at Verizon) before my phone was finally turned on. Moreover, getting warranty service from them without giving them my SSN was also quite annoying and tedious.

Now, after reading this article, I'm damn glad I went to all that trouble, and I'll definately do exactly the same in the future.

Never give the bastards any more information than they absolutely need. And they never need your Social Security Number. If Verizon spent as much effort protecting the personal information of their customers as they did trying to get the same information out of me, they might not have had this problem. They say they need your SSN to make sure they can trust you, but the real question any time someone wants your SSN is whether or not you can trust them.

Hey, that works!

[EvilStein]

Cuts down on the junk mail, too. I haven't seen one of those dumb "You're preapproved!" credit card offers in YEARS!

uhhh.

[EvilStein]

AT&T has prepaid wireless, too. They don't have my SSN at all.

people will lose faith.

[mandria]

Lot of people are propably going to lose their faith in ordering goods online now. If Verizon, a very big company, couldn't manage to keep the information secure, imagine what can happen with smaller stores.

To protect yourself....

[cobol4me]

...you *can* legally change your SS# *if* you can prove that your current one has been used in ID theft and exposes you to similar crimes in the future.

Link here.


this .sig really belongs to my purusa

thats a lot of domains....

[Ryan_Terry]

...then two months ago there were $4,000 in false charges on his Visa card. "Most of the charges were at Network Solutions," he said.

Thats a lot of #####sucks.com's to be registered. I wonder how many it takes to rack up $4000. It has to be a few.


DocWatson

One more reason to distrust the .NET

[cnelzie]

Of course this had nothing to do with Microsoft. Although, Microsoft is wishing to hold all of our personal data like Credit Cards and other information. I am not sure about all of you, but these recent problems with Credit Cards and other things being stolen are the reason that I have always refrained from buying things online.

Does anyone know what operating system was involved as the server that held this critical data? I would imagine it was based on some Microsoft platform due to Micrsoft's laughable security. Although it is also very possible that it was held on servers with terrible administrators.

Is it the server software or the administrators at fault? Could it also be the fault of the person(s) that chose the server platform for this e-commerce site?

--
.sig seperator
--

Curious

[Gzusfreak]

I wonder how they could steal my identity... I'm always told that I am nobody, and how/why would you steal nobody's identity?

Forget the Credit Card Statements...

[A+Commentor]

Most people will quickly notice additional charges on the credit cards... the more important thing is getting a Credit Report. Having gone though this several years ago... You need to get a credit report from each of the 3 Credit Agencies, look for both new accounts and new Inquiries into your credit report. It takes a while before a new account shows up, but as soon as credit is applied for, an inquiry is added.

Contact each company that has requested a report. Try to determine if an account was created(can be tough for some of the major companies that have alot of different types of credit accounts, to determine with line of business an account was applied for.

Get them to fix any other problems on the credit report and send you a new copy... this should all be free.

They will refuse to remove the inquiries even though they are frauduelent, but if anything is else is wrong (address, employer, etc) that was place on the report from the credit applications the thief use can be removed. Sometimes it will take several cycles to get everything fixed up, but this can work to your benefit. One of the inquiries, claimed no account was open... after getting the third report an account for that company showed up. Now with an account number it was easy to track down and contact the proper people to get it removed.

If accounts where opened and used, you will likely be required to sign Noterized letters saying you did not open or authorize these accounts.

Also be sure to add a statement to all three of the credit agencies reports. It should contain that you have been a victim of identity theft, and if they've acquired the report to grant credit, contact me a home xxx-xxx-xxxx, or work xxx-xxx-xxxx, to verify that I have request it before opening any credit. This will prevent the instant credit at some of the stores, but it is much safer.

New, From Verizon Wireless: Person Forwarding

[Unknown+Bovine+Group]

Now, from Verizon Wireless: We know you're busy. Sometimes you don't have time to enjoy the money you're making. That's why we at Verizon have come up with PERSON-FORWARDING. We forward your identity to a less busy person who can spend your money on your behalf. Just another service to make your life easier from Verizon Wireless.
</James Earl Jones voice>

Hey wait a minute. Bell Atlantic became Verizon. I used to have them. Crap.

Re:Boring life

[CmdrTaco+on]

Stolen identities doesn't happen as often as you think, you know...

Online privacy and Microsoft Passport

[agupta_25]

Such incidents only make you wonder how long it will be before we are all victims.
With the release of Windows XP, you will *REQUIRE* a passport to get any meanigful work done ... Instant Messaging, reading e-books, reading e-mail ... the list is endless. XP will keep hounding you for signing up for a passport.
Now I know that passport does not require your social security number ... as of now. But isn't it conceivable that sooner or later, Microsoft will tie up with online service providers that DO require a social security number. And then ... Whammo! you HAVE to give up another piece of critical info to store on Microsoft servers.
If Microsoft Passport ever takes off, it could be a huge target for Identity thieves and given Microsoft's track record at security one can only wonder how long it will be before *YOUR* identity is stolen.
Some privacy groups are going after XP and trying to stop this massive hole from being created. One can only pray that they succeed. Read this article.

Just the tip of the iceberg

[Mr.+Eradicator]

What's even worse is when companies go under. Consider this: You give your confidential info to a company to sign up for their service. They go bankrupt and try to salvage what they can by liquidating everything they still have ... including lists of personal info. So some vulture comes along and buys their lists with your name and personal info and in turn sells it to several other companies just drooling over the new people to spam.

That's Mr. Eradicator to you.