Cringely on Identity Theft
Boiled Frog writes "Prompted by the theft of his mail, Cringely investigates how easy it is to steal identities from government publications. In this article he explains how he got the identities of 300,000 people which he calculates to be valued at $65 billion dollars. If Cringely can do it, anyone can."
I had my identity stolen about 8 years ago. It suuuuuked!
In San Francisco, when some people move out, they throw all this crap they don't need anymore on the curb. I saw this throughout the city, time and time again, so when it came time for me to move, I did the same.
I got rid of almost everything! This included tons of old papers - possibly old pay stubs. Big NO NO! At one point, I even noticed some people looking through the big pile. "Just people who like crap", I thought.
Six months later, the Postmaster General Attorney's office in San Jose calls me saying they've arrested someone on postal fraud that had my name and info in his little black book. It was under a section that basically was ready to have a drivers license and social security card issued in my name with this guy's picture!
To make a long story short, the guy went to prison and I had to notify all agencies where I had any type of id or credit/bank card to put a watch on them for the next six months.
My lesson learned: shred everything.
However, online, this is a totally different issue and the only thing I can suggest and do about that is to check into companies and try to make sure they are responsible about how they store your credit-card information. I've personally written to all the online companies I use to ask how they protect my information. If it ever seemed like they weren't up to snuff, I explained my concerns and asked for some sort of reassurances. Although, I must admit, that's not the best thing and sometimes letters to the BBB and other groups/agencies are necessary.
There is so much personal information out there and some people are so uninformed about who not to give this information to or how to secure the information that they have been given. This problem will only get worse. I for one have no idea how to deal with it.
Not everything is analogous to cars. Car analogies rarely work.
Watch out - this could happen to you.
I mean, he's no H4Xx0R god or anything, but he seems to be fairly knowledgeable.
He tried to kill me with a forklift!
"...valued at $65 billion dollars"
Come on editors, I know it's early on the West Coast, but really.
Some bastard stole my identity and wrote that article under my name!
why you use a PO box, like I do.
Don't have to worry about such things.
Jeez, Cringely. First you ordered a book from amazon.com, one of the most consumer-hostile companies on the Internet given their "privacy policy" and dependence on trivial patents.
Then, you expect the corrupt government postal service to deliver it on time.
Here's a tip, Cringely. Go to this place called a "book store." It sells books for cash. You may have been able to "save" 50 cents on a Kelley Blue Book from spamazon.com, but how much is your privacy worth?
Pay for everything in cash. Never work for an employer that demands your Social Security number; if asked for it, make one up and use it instead. The algorithm for validating SSNs is freely available. Don't trust your money with "banks" or "credit cards." The only way to prevent identity theft is to protect your own identity as if it were a golden object -- or, as the French say, un objet d'or.
I'm not Seth Finkelstein. I still speak the truth.
I'll only go as high as $50 billion and not a penny more!
"People" using "unnecessary" quotes should be "shot".
I'm usually not paranoid, but talk of identity theft, and nearly being a victim (copied credit card when I visited Mexico), convinced me to subscribe to a credit monitoring service. They notify you right away of changes to your profile, and give you free periodic credit reports. I'm trying to start a small business, so it's more important now than ever.
True Credit turned out to be the cheapest at $11/quarter for the basic service. This is not a referral link, and I'm not affiliated with them in any way. Just sharing information.
You can't prevent crimes from happening, you can only improve the ability to catch the criminals, and reduce the damages.
Worried about ID theft? Keep a close eye on your credit card bills, credit scores, etc. Buy a paper shredder. Shred all bank statements and whatnot before you throw them out. Internet-shminternet, dumpster diving is the fastest way to someone's finances. Get the carbons at the gas station, or stores where they still use the old carbon-thinger credit card machine.
Cringely is a blowhard trying to scare people, but frankly this isn't news. Using the 'net really doesn't make this easier - it's always been easy.
I knew someone who got screwed big time by a gas station who would keep the carbons, and double bill her every time she filled up, the cash going straight into the owner's pocket. She was a dope for letting it go on so long, as she never bothered scrutinizing her Visa bills. Turned out the station was owned by a Russian mobster. This was long before the world wide weeb.
I don't need no instructions to know how to rock!!!!
Most institutions will cover your butt now if you get your ID stolen. So it isn't the money that costs you, it's the work.
You have to apply for coverage, and show evidence that your ID was indeed stolen. That can take months or years! And a lot of effort goes into all that. One of the worst parts is trying to restore your credit rating. While the whole process really shouldn't cost very much money ( $1000) it costs a quarter of your life to repair all the damage.
Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
If I were Cringely, I would have sold those names and now be the proud new owner of Microsoft. Free the source!
I mean, come on, it *is* easy to steal someone's identity, but what doesn't get enough attention is the human factor. Not enough people are willing to actually query oddities and if a document looks vaguely official, they'll accept it. After all, if you were trying to sign someone up for a credit card, would you query their ID and lose the possible commission?
From the article: "No, I mean what are you going to do about replacing my book?"
"Why would we replace your book?"
"BECAUSE YOU LOST IT????"
This is exactly why I use Fed Ex or UPS when ordering things. They can track your packages and they take responsibility when they screw up. Perhaps the Postal Service could take a lesson?
Visit Jonesblog and say hello.
think i'm making this up?
Naw, I think you saw it on the Simpsons.
I don't need no instructions to know how to rock!!!!
If you're in the UK; you can register your name / address combination with CIFAS:
http://www.cifas.org.uk
The service is operated on behalf of the UK financial institutions by Equifax; and will add a layer of authorisation to your name / address combination when arranging credit etc. It probably means that you won't be able to buy stuff on instant credit; but for the hassle that identity theft can bring I think it's worth it. Registration costs 12 quid for 12 months.
Personally I'm amazed that institutions will lend large amounts of money without a definite proof of your identity; but I guess that's consumer forces for you - Dixons want you to be able to walk out of their store with that 32" wide screen TV purchased on instant credit. For all the sales that brings; they absorb the liability.
It also helps if you keep your bank account overdrawn, all your bills behind, and just generally be a lousy target for ID Theft.
At least, that's my suggestion.
Pretend you're, oh, say, Donald Trump. Run up a bunch of bills, then go bankrupt. You'll still have the junk, and if your credit rating is -1000, then your identity is useless.
Vote Quimby!
I'm a moron. Mod me to oblivion, I guess that's how it goes. That's what I get for using a calculator too fast.
philcrissman.com.
Possibly this wouldn't be such a big problem if a more relevant credit history was available to people without having to pay, wait, and damage their credit just to get a report.
Scare-mongering anyone???
Maybe someone on slashdot knows: why doesn't my bank teller ask me for photo ID?
All they ever ask to see is the bank book. Are bank accounts not tied to actual people, but instead are transferable, simply by giving away the bank book? If not, why don't they ask for my government or bank-issue photo ID?
The above post is an editorial, the poster cannot and will not be held responsible for all or in part for its contents
the IRS. I imagine SSN is used routinely to identify for tax information, social security, insurance purposes...
Pssst, Mr. Hawking. Try that one again.
$65 billion dollars
Did you get it that time? Let's try again..watch closely now!
----> $ <----65 billion ----> dollars <----
Did that help?
Did you even read the post? He's not talking about the amount.
Next time, RTFP.
Thank God my Slashdot user ID is still safe.
Steal an identity. Use it every day. If somebody steals your stolen identity then no big loss....
In the article it is mentioned that your Social Security Number is used as a universal identifier and as "proof" of identity.
This is not a good thing.
I work in the medical records/medical billing industry and a patient's SSN is one of the vital bits of information we collect and use to help index records.
Also the patient's date of birth.
For billing purposes, we need the patient's home address.
The health insurance company also needs all this information. In fact, if we don't supply all of the patient's personal information, they often don't pay claims.
We try to protect private information. We have yearly training, and monthly fliers reminding us of the importance of protecting confidential information. We have every bit of discarded paper shredded, and we have pretty good locks on our doors, and we have a fairly paranoid firewall, but the truly determined employee could always get their hands on thousands of patient records with everything needed for identity theft.
It's probably the same way at Hospitals and Insurance companies too. Too many people have access to private information, and the social and technological controls on it are too weak.
I hope that no one who has access to my personal information decides to do a bit of creative fundraising.
I don't have any answers, but we ought to think of solutions pretty soon.
We do a few things rather differently, and I don't think this kind of mail theft would be at all likely to happen here.
First, we don't have those crazy mailboxes on posts out in front of our properties, where anyone can (a) see you have mail and (b) take it. Instead, we have a letterbox, usually in the front door, and items get posted through this and end up inside the house. The key point being that you need access into the premises to obtain delivered mail. Casual theft of mail is simply not that easy.
If you plan to be away for any length of time and you don't want mail to be delivered, you can arrange to have the post office hold all your mail, and then deliver it all on a specified date when you expect to be back. This is a chargeable service, which costs around 5 if I recall correctly, and has always worked very well for me.
Wreck your credit score every 7 years by declaring bankruptcy.
:-)
Then no one will want to steal your ID
So rise up, all ye lost ones, as one, we'll claw the clouds.
An on-topic book. More people should be concerned, especially with the SSN being used as a universal identification number.
It's the latest trend in Mathematics! In reality he's got data worth about $.35, but when you extrapolate $200,000+ per infraction, he's on a goldmine!
I propose they start teaching this in textbooks in elementary school! Then everyone will have access to this revolutionary idea!
---- Move SIG...For great justice!
My identity was stolen a while back. Fortunately all he did was use my driver license to get store credit where he purchased a power washer. This was as far as he got before being arrested. Makes me wonder why in the world he would steal my identity and not buy something better than a power washer.
My solution to discourage anyone from stealing my identity has been to default on all my student loans, consistently pay my credit cards a few months late, and write anti-government propaganda letters to the local paper (amazingly, I still have my DoD security clearance!). The scammers run screaming...
Anybody know what CD or federal agency he is referring to? I want to know if I'm at risk?
In the last couple of months there have been an increasing amount of very sophisticated email scams.
For instance, E-Gold members (and others) have been receiving emails like this
Dear e-gold user.
At 09.05.2003 our company was attacked by unknown
persons. Out administrators is working on the database restoring.
If you have an active account, please check if it is still active, your
current balance is right and all transactions can be processed.
If you find that your account is inactive, please letus know
immediately at e-mail service@e-gold.com
To check your account, please click on the link below:
https://e-gold.com/sci_asp/payments.asp
It looks official, doesn't it? And the link looks ok too. But it is an html email, and the actual link went to a page located at e-gold2.com, which looked exactly like the real e-gold site. Thus the fraudsters were able to get people's log-on details. More here.
In the UK, many people have been receiving emails that look as if they are from Barclays bank (one of the biggest in the UK). It is a similar scam to the e-gold one. More here.
I myself have received an email asking me to update my ebay account details. Only on close inspection did I realise that it was a fraud.
I find this extremely worrying. Personally I am probably like many Slashdotters - paranoid about security and difficult to catch out. However most people aren't like that, and this new type of scam email is an extremely worrying development, because it could catch a lot of people out. People really need to be informed about this type of scam, but I've yet to see much in the press about it. Any journalists reading..?
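The trick described in the comment above, where the visible link text shows one site but the underlying href points at another, can be checked mechanically in a mail filter. The following is an added example, not part of the original thread; the sample HTML, the path on e-gold2.com and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that itself looks like a URL or bare hostname.
_URLISH = re.compile(
    r"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?::\d+)?(?:[/?#]\S*)?$", re.I
)


class AnchorCollector(HTMLParser):
    """Collects (href, visible_text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # None means "not currently inside an <a>"
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL or bare host, without a leading 'www.'."""
    if "://" not in url:
        url = "//" + url          # urlsplit needs '//' to recognise a netloc
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:            # malformed netloc, e.g. broken IPv6 brackets
        return ""
    return host[4:] if host.startswith("www.") else host


def find_mismatched_links(html):
    """Return (displayed_host, actual_host, href) for each link whose visible
    text names a host other than the one the href really points to."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if urlsplit(href).scheme.lower() not in ("http", "https"):
            continue              # mailto:, relative links etc. are out of scope
        if not _URLISH.match(text):
            continue              # text like "click here" makes no host claim
        shown, actual = _host(text), _host(href)
        # Same host, or href is a subdomain of the displayed host, is fine.
        if shown and actual != shown and not actual.endswith("." + shown):
            findings.append((shown, actual, href))
    return findings


# Constructed sample modelled on the e-mail quoted above: the text shows
# e-gold.com, the href goes to e-gold2.com (path is a placeholder).
SAMPLE_EMAIL = """<html><body>
<p>Contact: <a href="mailto:service@e-gold.com">service@e-gold.com</a></p>
<p><a href="http://e-gold2.com/sci_asp/payments.asp">https://e-gold.com/sci_asp/payments.asp</a></p>
<p><a href="https://www.e-gold.com/">e-gold.com</a></p>
<p><a href="http://e-gold2.com/">click here</a></p>
</body></html>"""

if __name__ == "__main__":
    for shown, actual, href in find_mismatched_links(SAMPLE_EMAIL):
        print(f"link text shows {shown} but goes to {actual}: {href}")
```

The check only catches links whose text makes an explicit host claim; a "click here" link to a look-alike domain needs a separate allow-list or reputation check.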
My wife and I tried buying something on the web on this one particular site. It asked me to register since I was buying stuff for the first time there. Filled up everything on the "new account" page and hit "register me". The page came back in error saying the id I was trying to register was already taken so I had to try another one. Not so bad. What was bad though was THE PAGE RE-LOADED WITH ALL THE FIELDS IN IT PRE-FILLED WITH THAT ALREADY-EXISTING USER ID's DETAILS! Address, phone number, first/last names everything on there for the taking.
Scaaary. We politely backed out of the site and decided to buy elsewhere.
Recently I signed a new cellphone contract and they *would not* allow me to sign the contract without giving them my SS# (which I imagine is for a credit check). What's the legality of that? Is there any way to avoid handing over SS#'s in these situations? It's terrifying that cell-phone services have huge databases of millions of Social Security numbers.
Anyone?
------ The best brain training is now totally free : )
It's not so much incoming mail that's the problem - your identity can easily be stolen from stuff you throw out - especially if you have those large community bins and not a private wheely bin.
Pre-printed credit card application forms are the killer - not only do they give the thief a name and address; but the application has probably been pre-screened so you know that the victim is credit worthy.
Take a thrown out bank statement and a utility bill into Comet and you can walk out with a home cinema system.
SSN should never be used as a validator. They should be treated as part of a person's name, distinguishing them from other people with the same name.
If the govt announce that by 2006, they were going to publish everyone's name and SSN, and if you currently use SSN as a validator, you need to change now or face fines of $100k/day, maybe we could do something about this.
But I doubt it will happen.
Say what you will about him, but almost anything of Cringely's that I've read turns out to be insightful and informative, and this article is no exception.
nope. actually i saw it close up after my
mother died. she continued voting for 8
years. absentee.
Public records are better if you want to be a crook because the Freedom of Information Act makes them completely available.
Cringely was quite correct when he identified two parts of the problem: the ubiquity of using SSN as both an identifier and as authorization (or using credit card numbers this way).
It would really be much better if the institutions we dealt with would accept identities and authorizations that were only valid for the specific transactions we conducted with them.
But no, "people can't remember all those numbers". Well, people ought to have a private key that is really private, and public keys that anyone can use to verify that person X really authorized some transaction Y.
But rely upon government to come out with a bad solution to this problem.
The FoIA safeguards, which are important to keeping government transparent and more accountable to the people, will be abolished (as they have already been for various cases deemed to involve national security or "terrorism"), to "increase security for the citizens".
We'll be trading a great deal in terms of liberty and knowledge of whether our government is acting properly for very little in the way of security.
"Provided by the management for your protection."
... at least he's getting an investigation :)
Did you RTFP? The poster was referring to the fact that the dollar sign signifies dollars; thus it is redundant to say "$65 billion dollars". "$65 billion" or "65 billion dollars" would have been correct.
Next time, use your brain.
After I had my ID swiped by a ID-less loser, I started taking precautions:
Xerox/scan all your bank cards, credit cards, drivers license, etc front and back. Write down all the contact info and make sure you keep a copy in a safe place. NOT YOUR WALLET! If anything is lost or stolen call immediately!
Open a second bank account to use for online transactions. I transfer only the amount of money I need to cover gas, lunch, online stuff to it. I don't use an ATM card on my primary checking/savings. If someone grabs a carbon, they don't get access to anymore than the few bucks I keep as a buffer.
And as many have and will say here: Don't give out your SSN, check your credit report regularly for new lines of credit and shred early - shred often!
It would be bad, but what if...?
:)
What if, upon finding accounts in your name that weren't yours, with hefty balances, you simply took the money out and closed the accounts?
Sure, the guy'd probably come after you for "his" money when he figured it out, but you could report the identity theft and tell the government "an eye for an eye" and they'd let you keep the money, right?
Riiiiiiiight
"Sometimes the truth is stupid." - Lawrence, creator of Prime Intellect
I pay cash for most stuff.
Government of the people, by corporate executives, for corporate profits.
When I applied for my mortgage, it was the first real time I've ever wondered about my credit rating. I asked, and the bank employee said "Oh, you have nothing to worry about! You have amazing credit!"
Not really understanding how I could have amazing credit with only a single credit card with a limit of $500 to my name, I requested a credit report and when it came I was quite surprised -- listed on there were several credit cards, each with a perfect record of payment.
I wasn't the victim of identity theft...just human error. The person who actually owned those cards had the same name as me (an uncommon name) and somehow our credit reports became merged or something.
Last year my wife, a lawyer-to-be and volunteer with student legal services, took a guy's case who was charged with multiple counts of driving without insurance, without a license, speeding, you name it. This person claimed he had never gotten these charges and was at a loss to explain what was going on. After contacting an officer who had made one of the arrests to talk about it, she was told "Oh, I remember that guy. He was covered in tattoos and piercings." Only her client wasn't. Somehow this guy had gotten some form of ID that said he was the victim. If it hadn't been for that officer her client would probably have to serve jail time.
While not the final solution, I sure hope that biometric IDs arrive soon. Otherwise the system is just way too easy to exploit!
"The market alone cannot provide sufficient constraints on corporation's penchant to cause harm." -- Joel Bakan
For example my wife's step-mother KNEW all the kids personal info, SSN, etc.
Lo and behold my wife has a Sprint account to an address she has never lived at!
The low thing, Sprint claiming to send an identity theft investigation form, sends what is actually a 'transfer' of the account to US. How fcsk'd up is that!
So it's not hard, and your own family might do it to you.
JoeR
D'oh! I get it now!!! $65 Billion or 65 Billion Dollars, not $65 Billion Dollars (65 billion dollars dollars).
Ok, I am insane now.
666-607: 6th floor apartment of the beast
I can't believe that a dozen people responded to the original post and only one knew what he was even saying.
"$65 billion dollars" - think "redundancy" - expand that to words:
"sixty-five billion dollars dollars"
Along the same lines as ATM machine, PCB board, etc.
The truth about Scientology, Xenu, and you: Operation Clambake
I need some money(being unemployed), who do I sell my info to?
Just let me make sure I get that email about creating a new credit file first!
moo.
I believe I speak for everyone here when I say "YOU FAIL IT!"
I realize that this column is mostly about identity theft, but is anyone else bothered by the idea that the USPS, given specific instructions to hold your mail, can just go ahead and deliver it, and then not be responsible for the screw-up (and the resulting havoc)?
Couldn't you sue them if that happened? There are damages involved here, so I don't see why they can get away with it.
Your mileage may vary, but mine is constant.
There is certainly a degree of catch-22 involved between convenience and security. When my wallet was stolen with license and SS card (dumb to carry both but I recently needed them starting a new job) a few years back, I was glad that I was able to get a new drivers license with no identification except a birth certificate copy I was able to get with just my SS number and no identification - but the ease of doing so certainly gave me pause for thought.
In addition to the sound advice of shredding, a good idea is to lock your credit reports from being issued without your consent and opting out of pre-approved CC offers. Instructions for both at this article - http://abcnews.go.com/sections/scitech/TechTV/tec
I'm just thankful my house has a mail slot that drops into an inaccessible bin inside the home.
It Is the Nature of Information to Transgress Artificial Boundaries
What's really going to suck is when it actually happens to one of those high-profile, illuminati/politicians, there's going to be yet another increase in Orwellian-type citizen monitoring and authentication laws, most likely in the form of some Patriot II act.
What worries me is not so much the people that try to steal identities, because as most of us understand how it's perpetrated, it's easier for us to avoid and/or control the consequences, but when some crazy system gets put into place 3 years from now by the Republican cronies because of some silent passing of a Patriot Act clause. I for one don't feel like having to provide a blood sample to get into my office, or giving a sperm sample for a new home loan ala Gattaca.
Hades, PoD: Official Advocate
The newest scam are VINs, the vehicle identification number. Once you have that and the proper books, you can cut keys.
With the key, you just drive it off the shopping mall lot. And there's no sign of forced entry, so the insurance company says "you left the key in the ignition, tough for your claim." Happened to us on vacation. And 10 year old clean cars are in more demand for the body parts, it isn't just the new Hondas.
Tape over that damned number.
That's MC Hawking to you, Biotch!
Your comment cost me $LOL Dollars
666-607: 6th floor apartment of the beast
If you want to see his articles every week, linked from Slashdot, why not turn on the "I, Cringely" Slashbox via User Preferences? That way, some other article can make it to Slashdot.
That's funny, in Louisiana the Dead are all registered Democrats. Wonder what's so different about the Afterlife where you live that everyone would vote Republican. Maybe I should move to your state before I die if that means I get to hang out with a bunch of Conservatives once I kick the bucket. ;)
Sorry, just can't take an AC post seriously...
Maxim: People cannot follow directions.
Increases in truth directly with the length of time spent explaining them
It might be something about the SF Bay area. No, really -- I've lived in three different places (metro Detroit, DFW, and Cali) and the mail-mishaps-per-year number has been way higher in California, so bad that the local congressperson (Anna Eshoo?) actually got involved at one point.
D'oh! I get it now!!! $65 Billion or 65 Billion Dollars, not $65 Billion Dollars (65 billion dollars dollars).
Curse you, Vash the Stampede!
Cringely got his 300,000 IDs from a publicly available government data source. He barely did any work to get them; all it took was some ingenuity to cross-reference two separate sources.
This is why centralization of data is bad. The convenience isn't worth it when the consequences are destroyed livelihoods or, at least, seven days stolen from a person's life (175 man-hours average to resolve identity theft).
So, why are so many people begging for things like social security in the first place? Nationalized health care? Federal income tax? TIA? The perceived benefit of these things is superficial, when much deeper and more dangerous rifts are just waiting to surface.
A person's identity has many more dimensions than simply address, SSN, and mother's maiden name, but government complacency has filtered into nearly every aspect of our lives and our businesses to create a timebomb of terrible proportions.
Healthcare article at Kuro5hin
"Chringly on Ide...." /me tunes out
Wouldn't a national ID card be a remedy for this ? I've lived in the US and I was struck by how anonymous all your transactions are when you use your credit cards, go to the bank etc etc.
I now live in Sweden and you can't use a credit card without an ID, upon which your face and your handwriting is displayed. It makes it a lot harder to use someone else's credit card, for instance.
To me, a personal ID is something to protect my privacy, not invade it. And don't think that just because you don't have a national unique ID that you aren't perfectly traceable for the gov't. It's a small thing to crossreference insurance databases with credit card, INS, IRS and DMV databases. That particular thing has to be made illegal through legislation.
Oh, I can't help quoting you because everything that you said rings true
And even if you did insure it, they wouldn't necessarily do anything about it. When I shipped a laptop at the UPS Store recently, when I insured it I had to sign a disclaimer stating that the insurance would only pay off if it was lost, not if it was broken in transit. Apparently they've had a lot of people shipping pre-broken computers to claim the insurance payoffs.
Editor Emeritus and Senior Writer, TeleRead.org
to get crap like this fixed is to publish the personal information of high government officials. And their immediate families.
Publish all the information for Ashcroft, the Prez and Vice Prez, Speaker of the House, the Supreme Court justices. Hell, all of the Congressmen/women on both sides of the camps.
While we're at it, publish the info of all the high-rollers that line the pockets of said Congressmen/women.
Then, and only then, will they take notice and (hopefully) take measures to make it more difficult to steal one's identity.
Cruising the internet on my TI-99/4A @ a whopping 300 baud!
Mailboxes, Etc. was purchased by UPS so I don't think they'll have any problem doing deliveries there.
ROFLMAO... yeah, you're right. I missed that totally and completely.
:)
I guess I should have RTFAC (carefully)
"Sometimes the truth is stupid." - Lawrence, creator of Prime Intellect
The Social Security Identifier is internally coded to indicate date of issue and where it was issued.
If the fraud is so bad that you need a new SSN, you'll have a hard time getting a job. Validating the SSN is the first thing employers do, if you're a thirty year old with an SSN issued last year, you won't be hired.
Something that he doesn't mention but immediately came to mind - I live in a house and have one of those curb-side mailboxes. Anyone can swing by soon after the mailman does his delivery and go through my mail.
I found this place that sells a "locking mailbox": http://www.oregontrailbox.com/
I think I'm going to get one from them. If you come across anything better, or have experience, please reply.
grisha.org
Use cash your entire life and there's no way you're going to get a mortgage... just one of those great paradoxes of life.
Financial institutions will not lend money to you unless you show that you have a good credit history, and that means spending and paying off your debt. If you always use cash, then you will never build up the credit history you need to be able to get things like a car loan, a mortgage for your house, etc.
If you can afford all the above with cash, then kudos to you, and go for it, but if you're like every other joe out there, it's better to establish a credit history early, ie. in college, and then make sure it's clean as a whistle.
e-loan offers similar service, and will give you a credit score each month, for a cost of $30 for an entire year (that's $7.50 a quarter). For $40 a year you can get the credit report too.
This is not a referral link, and I'm not affiliated with them in any way. Just sharing information.
"If at first you don't succeed, lower your standards."
Could you email me how you stole 300,000 identities? Send it to cowboyneal, I'm using his identity today :)
---
Lousy rotten karmic retribution.
And it isn't a very good deal in some respects. For one thing, they post your credit report online for 1 month of every three for you to look at. What part of "there is no such thing as a secure website" do they not understand?
So, if you sign up for this service, you pay them to make you more vulnerable in some respects.
Oh, and as for SSN being a universal identifier. It is against Federal Law to require the SSN in anything except payroll transactions and banking transactions. When people ask for it, inform them that it is against the law to ask for it and make them give you another option.
Has he ever thought about a career in piracy? He'd make an excellent Dread Pirate Roberts.
Cheers,
Ian
Will anyone hazard a guess as to what CDROM's he is referring to? :)
Notice the Whois headline today? I wonder if you can get that on CDROM.
It's same philosophy as Car alarms. They don't prevent theft, they just encourage you to take the other guy's car because it's less trouble.
While not the final solution, I sure hope that biometric IDs arrive soon. Otherwise the system is just way too easy to exploit!
I think I'd rather someone stole my ID card than kill me for my eyeballs.
Any computer person should understand the problem here: SSN is the USERNAME, not the PASSWORD. But it is being used as a password. SSN does what it is supposed to do just fine. It is a unique name (or ID, if you wish... a string is a string is a string...). It should not be considered a password. Simple solution... SSP, Social Security Password, which the gubmint can require only to be stored as a hash or encrypted. That would raise the bar a lot. -- John.
Cringely actually sounded smart! The world is ending tonight!
Most states include Social Security numbers in their voter registration databases, nearly all of which are open to the public and many of which are searchable online.
The voter registration is just one more piece of information that can come back and haunt you- and apparently, it does.
The moral of the story is this: Before the government starts coming up with (and implementing) more brilliant ideas (like a national ID), we should be very careful to remember that it's the government's own abuse and/or carelessness that's likely to cause the biggest problems. Although shredding documents with sensitive information can be a good preventive measure, it does NOTHING to prevent the kind of abuse that Cringely brings to light.
Another potential source of information (not mentioned by Cringely) are the documents that are routinely discarded by law firms, accountants, and medical establishments.
Troll-la-la, troll-la-la
Mod it down, mod it down
It's not the real Seth Finkelstein
I've heard the rate at which people who commit identity theft get caught is around 1 in 7000.
So you have a much better than 99.9% chance to just do it to your heart's content and walk away with the money. That's pretty freakin' scary. A crime where you never have to see your victims, never have to face any consequences, and make tons of money. Can you imagine what would happen if a misguided Robin Hood decided to popularize the techniques and teach them to America's poor? Would the entire banking industry collapse at once? With a million people doing it simultaneously you would obviously overload the already overloaded investigative ability of the gov't and probably change the ratio to 1 in 100,000 getting caught.
Once I came home in the evening and got a message on the answering machine to call my card company asap because of possible fraudulent charges. I soon enough called the number they gave me and identified my card number and password. Then I told them about my message and they started looking it up on the computer. After 30 seconds the guy says that the computer is slow and other excuses. After another 30 seconds he apologizes and suggests I call back later since the computer seems down. So I put down the phone and then it suddenly hits me that I have no way to verify that the other side was the credit card company. It didn't feel right that a major financial company would have computer problems like this. So now I immediately called back the number on the back of my card and got through okay. They did verify that I had fraudulent charges and canceled my number. I asked them about the other number but they were not too concerned and guessed it might be an internal fraud line number.
In conclusion I still don't know if the original number was real or not. It could have been the card thieves trying to trick me. After getting the new card, I checked my credit report a month later to verify nothing new had been opened. The lesson I learned is to never use a number you cannot authenticate when doing sensitive stuff like this.
I think something very vital is being missed here. Your name, address, phone number, and SSN is not your identity. This is all public information. The problem is that we treat this information as if it was our identity.
Are people really suggesting that this information be "secret"? The SSN is not meant to be secret, can not really be secret, and every SSN card says explicitly that it is not meant to be secret.
Surely we are not suggesting that one's name, address, and telephone number be secret.
The problem is that this non-secret, non-unique information is used to identify people for many significant transactions. I.E. Driver's license, Mortgages, Credit Cards, etc...
The other problem is many people are opposed to instituting any kind of authoritative nation wide identification system.
Put aside your libertarian angst for a second and imagine if we did have a national DNA registry that positively and uniquely identified everyone. Sure we have all seen Gattaca and imagine ways of forging DNA derived identification, but it would be much harder.
Much harder than the current system where all the tokens we use to identify ourselves are from non-secret, non-uniquely identifying information sources.
No, this is not some off-topic rant.
Here in Canada, if you pay by credit card they have a policy of swiping your card twice. Once through the credit card machine and once through their own system. Why do they need it through their own system I have no idea.
I hate that they have a swipe copy in their system accessible by their employees. If I ever get my identity stolen I bet you it's going to be from them.
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
here's a link to that Wired article. Pretty interesting reading, I hadn't known that the Infoworld Cringely was fake.
I've tried to make it as secure as possible: ;)
- Limit giving out personal info to anyone
- Cross-shred anything with info on it
- Give out 867-5309 as my phone number
But, ever tried not to provide your social etc for:
- Doctor's office (They will want payment at time of visits). I've begged with them not to use my SS#, but it's an easy and unique identifier, they said.
- Electric company (They wanted $300 cash in lieu of a SS#)
I agree with the first poster about the mailbox, but outside of apartments or high-rises, how many lockable mailboxes have you ever seen? I'd like to, but it's probably against my HOA anyway.
We provide much of the information that could be used against us, as a convenience for ourselves.
New passports are only given out by the city-hall, and you have to turn over the old one, or show signed police-statements that you lost the previous one. (I suppose that they will corroborate with my home-address which is also known at the city hall for lost passports)
How come photo-ids aren't required in the US?
Han-Wen Nienhuys -- LilyPond
I exercise caution when I can. I'm a packrat by nature, but anything with important information about myself, or even about my employer is shredded. I have two shredders; one for speed and a nice cross-cut model. :)
Part of the problem is the government's willingness to give out the information. It's outrageous that this information would be given to political hopefuls. What is wrong with a cheap bulk mailing? What is wrong with a voluntary list, where you can sign up with your party (sans SSN) to receive flyers?
The other part of the problem is agencies, both public and private, that insist on having an SSN when they don't need it. Starting very recently, some government agencies are collecting SSNs of people who wouldn't even know better to question it, (I know about it from the "inside.") And the retention of the information is a problem too. Not so much with the SSN, but credit card numbers. I don't understand why banks still have a single account number of checking account status, making deposits and making withdrawals. Also, credit applications take the SSN at face value, even though it's easily memorized and duplicated. How come they never bother to call or investigate the applicant to verify?
About post and parcel services: The Amazon.com purchase wasn't really the focal point of the article, it was the credit report. And yes, there is a difference between regular postal parcel and UPS/FedEx. You can request that an adult signature be required. They can't leave it without a signature. Unfortunately, it could be anyone's signature.
His local post office is treating the case in an appalling manner. His mailbox is federal property. It is a pretty serious crime to remove items from it, regardless of whether the recipient is on leave. Something's wrong with that picture.
About having a PO box: This doesn't prevent gathering this information by dumpster diving, or simply getting a copy of the CD-ROM.
Fred
"A fool and his freedom are soon parted"
-RMS
I registered for a credit card from Natwest in the UK - weeks went by and I heard nothing, then one day I gets a phone call asking me to confirm the details I'd filled in on the form: name, dob, password (sound fishy yet?) - I got suspicious but the person on the other end confirmed that I'd ordered a card for my wife too so I thought only the bank would know all this and continued, laughing at my own overly-suspicious nature! Oops. A week after that the (real) natwest credit card fraud dept phoned me up to confirm my latest purchases (on a credit card I'd never even see, no matter signed for or sign the back of). Needless to say I was a bit annoyed - the thieves had stolen my credit cards on delivery (i.e. they probably worked FOR the post office) and then used all manner of other method to find out more about me so they could do more with my credit cards and related documentation. So watch out folks, there's bad 'uns about!
An employer is not required by law to obtain an employee's Social Security number. The law requires only that they ask for it. (How can they be required to obtain an employee's SSN, when in fact, there is no legal requirement that a person obtain an SSN in the first place?)
Take a look at this.
Here's a relevant excerpt (And please ignore the religious component... That's not the point.):
For those that would die defending it, Freedom
has a sweet taste that the protected will never know.
Last night when I got home from work there were two electric scooters waiting in front of my garage. They had just been delivered by FedEx. I was surprised, because I hadn't ordered any scooters lately (ever) and wasn't expecting any. I drew up a very short list called "Friends of the scooter" who might have sent them as gifts, but alas, no luck after a few quick phone calls. So my hunch was either a)credit card fraud or b)computer glitch from company I had already ordered from.
I called the scooter merchant this morning, and sure enough, someone had used my wife's AmEx card number to order the scooters and ship them to an address just a few miles away. Thankfully, as the nice owner of the scooter co. informed me, they have a policy of only shipping to the billing address and the sweaty-toothed madman didn't get his precious scooters. Ha!
So since the nice owner of the scooter co. shared the IP address of the person who made the order, and being a huge internet nerd, I have already traced the origin (via nslookup) to an AOL user who was logged in and using AOL at 11:53am on 9/7/03. I might just have the means to track this guy down. I'm turning this over to the credit card company immediately, but the "sue everybody" American in me wants to go after this bastard for mental anguish, lost time returning the scooters, making this post, etc., and emotional damage to my 3 year-old daughter who was understandably excited about the scooters (perhaps even as excited as me!).
What do you think?
Story repeated at my blog
slashsearch.org - slashdot search. powered by google.
Due to a data entry error, the payee's bank presented a check to my bank for payment, with the amount of the check miscoded as 10x the actual amount written on the check. Since the funds in my checking account were insufficient to cover the check, my bank raided my savings account for the money necessary to cover the check. I only found out about it when my checks started bouncing and I got an account statement. I eventually got the bank to fix the problem and recovered all of the money that had been mistakenly paid out.
The bank officer didn't think there was anything wrong with the bank's computer taking money from one account to cover a deficit in another account. No humans were involved. It is cheaper for the bank to run everything on automatic pilot and only involve humans when there is a complaint to investigate.
My hovercraft is full of eels
My wife was trying to get a security clearance for a job and it was taking forever. She was called down to talk to security who asked "are you aware there are warrants for your arrest on charges of drug smuggling?"
Apparently, there is a woman in my wife's home state with the same name as my wife, who somehow got a hold of my wife's SSN.
This woman not only messed up her credit, but gave this SSN when she was arrested and later skipped town.
Needless to say, it was a long time before my wife's credit was cleared up, and she must have set a world record in longest investigation for a clearance.
Meanwhile, some retard at Sun Trust bank mis-typed a SSN of some hispanic woman who bounced checks and ended up entering my SSN in the report. I discovered this while trying to get a mortgage and open an account after moving states. Of course, it doesn't matter if I'm a white male and the bounced checks were by a hispanic female, since we had the same SSN we are obviously the same person. Therefore, I couldn't even get a savings account until I cleared it up with Sun Trust, who of course refused to admit they made a mistake and gave me the run around for weeks.
All this despite the fact I cross-cut shred everything.
I rarely buy anything with checks. But when I do, I get a little bit peeved. I wish those clerks wouldn't just wave my check around for anyone to see. I wish they'd treat it like it has confidential information, because it DOES! My bank routing number, my account number, my name, address, telephone number.
You'd think someone would train these register monkeys that they're holding a sensitive document in their hand, instead of proudly displaying it for anyone who wants my personal account information.
Read more on VIN numbers and stolen cars at snopes.com:
http://www.snopes.com/crime/warnings/vin.asp
As stated in the link, I highly doubt anyone can just steal a car off the shopping mall lot. It takes too long to get a key made. You will be home by then. Also, I think covering the VIN number may be illegal in some states/countries.
~afniv
"One could be glad if the air were as pure as the beer"
Richard von Weizs
What is the post office going to do? Nothing. Hundreds of thousands of mailpieces, some containing financial and personal information, go through some of the larger metro Post Offices every day. You think your carrier is going to remember anything about that one piece of mail from you know who that should have been there last week? The postal inspectors will look into the obvious more severe cases, but they have their limitations also. FBI doesn't even look into every case either.
As far as getting reimbursed for one shipment from Amazon, read above to understand why Cringely repeats the "we'll investigate it" phrase, something I say every day.
If you think that FedEx or UPS will solve the problems, then you might be right. Of course you get what you pay for. If you pay for the same type of delivery from USPS, express mail, then you also get tracking, insurance for up to $100, service to a PO box (if needed), and all for less. If you look for minimal cost, expect minimal service.
What a weird system..
Points? Sounds kinda like a game.
Over here we have debit cards (with almost unlimited credit, which is interest free for two months). If you overshoot your credit and don't pay, you will get a textual remark that must be removed after two years. No points or anything.
They have begun keeping separate databases with late payers though. Or rather, they register people who don't have money problems, but still don't pay their bills.
How small a thought it takes to fill a whole life
"By leaving it open you lower your available credit."
This is not correct. Despite this, financial advisors repeat this like a mantra.
Those price points do indeed have some limited substance behind them. (In UPS's case, I think it's 714's.)
I bought this house and you know I'm boss
Ain't no h'aint gonna run me off
But if you want to steal 30000 people's information, nothing beats a computer. With a large enough selection, you can hit each victim for a tiny sum, and fly under the radar. Ever hear that Law Enforcement (bless their simple little hearts) won't chase down fraud unless the damages are large enough? This means that if you hit one person for $50k, you get caught. But if you hit 200 people for $250 each, you live fat and happy 'till the end of your days. Harvesting tens of thousands of records at a time makes this strategy workable, but you do need a computer to pull it off.
Just wait until a politician gets his identity stolen.
Then we'll have the opposite problem -- post a comment anywhere under someone else's nickname and go to jail!
Joe
http://www.joegrossberg.com
You can't prevent crimes from happening, you can only improve the ability to catch the criminals, and reduce the damages.
Sure you can, especially when the current security system is virtually nonexistent.
My proposal is simple:
* 2 key-pairs are issued to every individual by the DMV
* The first (public) key is freely given to everybody
* The second (private) key is stored on a chip in a credit-card sized pocket calculator like device, or smart card. ($5-$10 device which is paid by the driver upon issuance)
When you need to prove your identity, you will be challenged with a random number, which can only be encrypted with the private key and verified by the public key.
* Challenger gives you random number
* Your encrypt device encrypts number with private key
* Challenger verifies encryption with public key.
In the event a private key is compromised, the corresponding public key will be published on a public database (which keys institutions should be required to check) and a new private key will be issued.
The encryption community has come up with many solutions for this problem over the last few decades, and I know the consumer electronics and card issuance industry (in which I used to work) would love nothing more than the government to stop dragging its heels and select one of the many drafted standards.
We can solve this problem without creating another government institution or delegating it to one corporation.
Why aren't nerds pushing for an open and honest solution to this problem? Aren't solving problems like this a nerd's wetdream?
Like I said before, even a half-assed scheme would be better than our current social-security passwords.
Don't like my solution? What are your ideas?
"Communism is like having one [local] phone company " - Lenny Bruce
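The challenge-response flow proposed in the comment above, as an added example (not code from the thread or from any real ID scheme). It assumes Ed25519 signatures stand in for what the comment calls encrypting with the private key; the type and function names, the `bank.example` name and the in-memory revocation list are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// All names below are hypothetical; Ed25519 is an assumed choice of algorithm.
var (
	ErrUnknownNonce = errors.New("nonce was never issued or was already used")
	ErrRevoked      = errors.New("public key is on the revocation list")
	ErrBadSignature = errors.New("signature does not match this key and challenge")
)

// Card stands in for the smart card: the private key never leaves it.
type Card struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewCard() (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv, Pub: pub}, nil
}

// signedMessage binds the nonce to a fixed purpose string and to the
// challenger's name, so a response cannot be reused at another institution
// and the card never signs bare challenger-chosen bytes.
func signedMessage(challenger string, nonce []byte) []byte {
	return append([]byte("id-challenge-v1|"+challenger+"|"), nonce...)
}

// Respond is the only operation the card exposes.
func (c *Card) Respond(challenger string, nonce []byte) []byte {
	return ed25519.Sign(c.priv, signedMessage(challenger, nonce))
}

// Verifier is the institution asking for proof of identity.
type Verifier struct {
	Name    string
	pending map[string]bool   // nonces issued and not yet answered
	revoked map[[32]byte]bool // SHA-256 fingerprints of compromised public keys
}

func NewVerifier(name string) *Verifier {
	return &Verifier{Name: name, pending: map[string]bool{}, revoked: map[[32]byte]bool{}}
}

// Revoke models the public database of compromised keys from the comment.
func (v *Verifier) Revoke(pub ed25519.PublicKey) { v.revoked[sha256.Sum256(pub)] = true }

// Challenge returns a fresh 32-byte random nonce and remembers it.
func (v *Verifier) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.pending[string(nonce)] = true
	return nonce, nil
}

// Verify accepts a response once: the nonce is consumed even when the check
// fails, so a captured response cannot be replayed or retried.
func (v *Verifier) Verify(pub ed25519.PublicKey, nonce, sig []byte) error {
	if !v.pending[string(nonce)] {
		return ErrUnknownNonce
	}
	delete(v.pending, string(nonce))
	if v.revoked[sha256.Sum256(pub)] {
		return ErrRevoked
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, signedMessage(v.Name, nonce), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	card, err := NewCard()
	if err != nil {
		panic(err)
	}
	bank := NewVerifier("bank.example")
	nonce, _ := bank.Challenge()
	sig := card.Respond(bank.Name, nonce)
	fmt.Println("first use:", bank.Verify(card.Pub, nonce, sig))
	fmt.Println("replay:   ", bank.Verify(card.Pub, nonce, sig))
	bank.Revoke(card.Pub)
	nonce, _ = bank.Challenge()
	fmt.Println("revoked:  ", bank.Verify(card.Pub, nonce, card.Respond(bank.Name, nonce)))
}
```

Unlike an SSN, nothing the verifier sees here can be replayed later: the public key and a used signature are both worthless to someone who copies them down.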
What do identity thieves do once they have the necessary information? They go out and get an ID.
Along the same lines as ATM machine, PCB board, etc.
My personal pet peeve: CD disc. My high school had this librarian who would always call them CD discs, and that irritated the piss out of me (she probably spelled it "disk"). So I went up to her one day and told her that was redundant, since when you blowup CD, yadayadayada. She told me "Well, that's what I call it, and I'm an intellectual." Stupid bitch.
Like what I said? You might like my music
Everyday consumers should not be afraid of having their identity stolen. This is an issue that is overblown by the media and other entities that have an interest in scaring people to sell their own often-unneeded "solutions".
A good example are the credit card companies that promote their cards as being superior because they offer "online fraud protection." In most cases, this is mandated by law and not some special feature they've exclusively come up with.
The Fair Credit Billing Act of 1976 basically protects consumers from a variety of unauthorized charges. It doesn't matter if your identity was stolen, if your credit card was charged by an unauthorized party, you're usually not liable.
The real danger in identity theft is for people who actually try to use stolen credit cards and the merchants who allow them to process those transactions erroneously - they might be exposed to liability, but by Federal Law, the consumer is generally well-protected.
It should be pointed out however, that the new era of debit cards and direct-deposit transactions are not covered under the Fair Credit Billing Act. The smart consumer does NOT use a debit card; and only uses a credit card, which offers protection against fraud not found in other methods of payment.
UPS has a brilliant business model. You see, there are two distinct parties in the delivery business: the shipper, and the receiver. Knowing that the shipper is the one with the money, UPS focuses on them.
Your description reminds me a bit of tow trucks in a place where "roam towing" is enforced. An apartment complex, for instance, signs a deal with a towing company that says they can roam their lots any time and tow away any car without a valid parking sticker. This comes at the car owner's expense, of course. So you've got the backwards situation of the person who's paying for the service as the very person who doesn't want the "service" at all. So it should come to no surprise that the towing company will only take cash. It's quite a scam.
You want a sig? I can get you a sig... Hell, I can get you a sig by 3 o'clock this afternoon... with nail polish.
"Hi, ups, where's my package? You dropped it off?? With who? You did get a signature, as required, right? You don't? Gee. That's too bad. Now, about the reimbursement, could you put me through to claims?"
Yeah, it's fraud. So is charging extra for signature required items and not getting a signature.
All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
Cringely, I ownz0red j00.
Cringely violated the DMCA!!
If I did it, I'd be arrested, called a criminal, and thrown in jail.
Especially since I've had it happen.
Clear, Dark Skies
You pass over your whatever card and stick in a finger, (retinal scan and/or DNA sample depending on the degree of security desired,) the machine sends the biometric data to the center for verification and they get back an encrypted (yes, it's not perfect) pass/fail reply.
Getting a fail reply means the transaction, entry or access is denied. In some cases, this would lead to immediate arrest for attempting an unauthorized access or ingress.
That would discourage low-level identity theft as soon as the word gets out.
The higher-level stuff which is usually done in a more secure check-in environment would be better controlled and the same actions could be taken as they are now when somebody gets caught.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
The same mail theft leading to attempted identity theft thing happened to me last year. Even better, the guy's court date is coming up in LA. Anybody want to Slashmob the jerk's trial?
Short version is, my entire family goes to Morocco and Italy for a month. While we're gone, the person who was supposed to be picking up the mail, ehm, forgot, let's say. So, when the morons at our escrow company decided to send the DEED to the house in regular ol' 1st class mail, not certified, not registered, and sure as hell without calling first, some nutbar picked it up.
Thank god he was too stupid to realize he was holding a $1,000,000+ piece of paper, with loan documents that included SSNs, account numbers, dates of birth, and (don't ask) mother's maiden names.
"Life's funny sometimes." "And sometimes it isn't." --Cat's Cradle
I bet there are only a few named GreenCrackBaby.
In your freakin dreams Cringely! He's like the FOX NEWS of the Nerd community, coming up with the most ludicrous scenarios: Hide a computer in your attic to thwart P2P copyright issues; have users pay per e-mail in order to stop spam; jeeez, and now he thinks he could easily deploy identity theft techniques to make a fortune...
Doing what you claim is a lot more difficult than you want people to believe. Just knowing someone's personal information isn't often enough. You have to have access to their property, mail, telephone and other services in order to do things like acquire and activate a forged credit card. I'm not saying it's not possible, but nowhere near as 1-2-3 as Cringely claims.
Also, when you use these bogus cards (or try to impersonate someone) you leave a trail of incriminating evidence. The only way to exploit these resources is in subtle, barely-profitable ways, and even then you have to find gullible merchants who won't check out the transaction. You can't merely get cash; you have to buy stuff and the larger the transaction, the more the merchant will scrutinize the order.
And let's say you have Joe Blow's credit card now. If he's like most consumers, he's got a $3000-$4000 limit. To siphon your claim of $217k you'd need to max out more than SIXTY bogus credit cards -- all in a 4-6 week period.
The whole idea is ridiculous.
I once walked into a large superstore chain and bought a Winchester Model 70 in .270 calibre without showing ID. The $5/hr paid clerk did a whole lot -- he asked for my name and social, address, phone number. I filled out the forms. He called the FBI clearing house. I came back a week later, paid, picked up my gun. He wouldn't sell me ammo at the same time, but coming back ten minutes later was OK and he rang up a pack of 150grain shells. In all this I didn't once show my ID. The store policy clearly states that I'm supposed to, but the clerk never asked so I never volunteered it.
Sometimes it's not the policy, but the training of employees that makes an effective system completely useless.
Three months later, I get a call from ATT wireless about my enormous phone bill. I told them they must be mistaken so they tried a couple of different things to verify that I was me, then called the cell phone to do the same thing. Obviously the person on the cell phone couldn't answer the questions.
As far as I know, the only thing that happened was the cell phone account being closed. I would have gladly paid the bill if they would have just given me the cell phone number and a list of called/incoming numbers.
My plan was to find the bastard and call him by my name while beating the shit out of him until he fessed up that he wasn't me and told me I have the wrong guy.
This just in from www.steelmailbox.com
"That's where our heavy duty, vandal-resistant steel mailboxes can change your life. They are built to withstand typical vandal abuse from baseball bats, rocks, bricks, M-80's, canned goods* ...even accidental blows from snowplows."
*One vandal boasted at our Grisly Tales of Mailbox Bashing message board that he'd demolished his neighbor's mailbox with a "can on beans [sic]."
'And now for something completely serious...'
I'm ordering a combo mailbox, and package locker for my home. I get so many deliveries from not only USPS, but FedEx, et al. that my front door gets littered with packages on some days. My major concern is not ID theft, but just plain theft. I hate it when I order a six-pack of hot new bass lures, and some neighborhood snotnose snags them from my front porch.
"Oh drat these computers, they're so naughty and so complex, I could pinch them." --Marvin the Martian
really shouldn't cost very much money ( $1000) Am I the only one here that doesn't have $1000 to kick around? You people make me feel more and more poor everyday.
I named my son after myself with a different middle name. A couple of months after he was born I got a call asking to talk to him. I told the caller no. When he asked why, I said because he was too young to talk. This guy was with a collection agency trying to recover on a bad school loan.
Recently, I got notified by the Division of Child Welfare that they were going to start garnishing wages for back child support. I don't owe any child support, having just had the one wife. I called and got an answering machine that said they would try and get back to me in 2 days. I then called the newspaper. 15 minutes later the DCW called very apologetic about the mix up.
Moral: Identity is very important yet is not treated as such by either the government or private companies. This needs to be made a bigger issue. If you have problems, be sure the media knows. Write letters to the editor and to your elected officials. There is a lot of money being made by selling your personal information. It's going to take a lot of people making noise before it changes.
Want to see who is selling your personal info? Here's how: When you sign up for anything, instead of just putting your name, put the name of the place you are registering with. For example: if your name is John Doe and you are registering with SlashDot, instead of entering your name as John Doe, you would enter J SlashDot Doe. That way when you get any mail, email, phone calls etc, you will know exactly where they came from.
Your friend and well-wisher
m0smithslash
http://www.ferociousflirting.com
A tinfoil hat thought:
I believe there was an article recently here on /. about software that works with a scanner to "unshred" shredded paper. (I'm too lazy to find it right now).
If this exists, then you need to BURN your documents. Or, shred then BURN those things.
For a while, I used to rip up stuff and then recycle it, but now I have 2 fireplaces and a firepit so I BURN that stuff. (Sort of unrelated, but I heard of someone who signed up for as much junk mail as possible and heated his house by BURNING the junk mail.)
It is not cheap or free to get an MBE box, but if you are frequently away from your residence it will make your life much easier. MBE will also receive packages from both the post office and private carriers (UPS, Fedex, Airborne, DHL, etc.). MBE will not release a package that requires a signature to anyone except you (and they will get your signature to cover their butt). In Mountain View there are more private commercial mail receiving agencies (the term the post office uses) than post offices. I suspect it is the same in other towns.
Stuart Eichert
ISBN [International Standard Book Number] number
JSP [Java Server Pages] pages
all your base are belong to us
What I want out of a financial institution is the following:
- never send superchecks in the mail
- every time I call them, require me to provide my password before talking about ANYTHING
- every time they call me, authenticate who they are with a password from their side; or have me call them back at a number which is established at account signup time
- issue me a smartcard with an embedded chip that allows me to digitally sign all transactions I undertake offline
- for online transactions, allow me to use the web with strong encryption to issue a single-use disposable credit card number with a specified cap and time limit
The technology for all of these things has existed for years. If someone would step up to the plate and deliver, I'd feel much more secure.
- First they ignore you, then they laugh at you, then ???, then profit.
...too late, it already HAS BEGUN!
I fondly remember when I owned a PC computer that used the DOS operating system. Now, I run MacOS X 10.2, with a fancy GUI interface on an LCD display. I plug it into an uninterruptible UPS power source and print things on a Hewlett-Packard HP LaserJet III.
That is not correct. The law places restrictions on how government agencies can use your social security number, but private companies are generally not covered by such laws.
The Privacy Act of 1974 requires government agencies to declare why they have the authority to request it, whether it is voluntary or mandatory to disclose it, what they will do to it and what happens if you don't provide it. Also, the Act requires that those agencies that request your social security number, but do not require it, must provide a mechanism for an alternative identification number. But, and this is important, the law applies to government agencies only. Also, if the agency was using social security numbers as identifiers prior to 1975, they may continue to use them.
The business about the SSN not being some sort of universal identification number springs from the notification on the card that it is not for use for identification purposes. You'll find, though, that there is no law forbidding its use as an identification number.
And, incidentally, the Privacy Act of 1974 carries no penalties for its violation.
-h-
There are some state laws that prohibit using it for identification. Vermont springs to mind.
Also, the law you mention is not the one I was talking about. Private companies are not allowed to use it either. Having worked in payroll systems for several large corporations, where we have employees in many states, this stuff is all covered.
The flip side is that many people ignore the law anyway. And there does not seem to be much enforcement.
When the original Social Security act was written, many were concerned about creating an Ad Hoc national ID number. So, it was written into the original act that the SSN would ONLY be used for purposes related to taxation and administration of the social security system.
;)
IT IS ILLEGAL FOR ANYONE ELSE TO DEMAND YOUR SSN.
This means that anytime you are being paid, receiving money, or items that may result in tax credits, it is legal, so everything related to employment, prize winnings, interest payments, etc is fine.
However, for insurance companies, doctors' offices, Departments of Motor Vehicles, and even the police, it is illegal for them to demand it, although they can request it.
But, you must be insistent and sometimes a bit devious to effect this.
When you are signing up for any insurance or signing up with a doctor or medical office, the SSN is the first thing they demand. With the insurance company, if on paper, just enter "Issue New ID" in the SSN field. If talking to a person, they will tell you that they need the SSN to proceed. Insist that this is illegal, that they have other procedures, and ask to speak to their manager. The person will resist for some time, then come back sheepishly and tell you that they can issue another number. For doctors' offices, give them the number that the Insurance company issued, as if it was the real number.
For DMV, you usually have to check for some special exception on a form or even get a special exemption form, and you may have to forego some kind of conveniences, e.g., you may have to go to the office to renew, instead of them sending the card.
With the police it is a bit more tricky, especially when some officer in Junior Gestapo mode is demanding your info at a traffic stop. I've found that they appreciate neither being told the fact that they have no right to demand that information, nor being asked if they are going to be paying me something. The best route is to simply say "I don't remember it exactly, and I don't want to risk giving you false information", which they cannot really argue with (they don't know that it only takes you 4 seconds to permanently memorize any 47 digit sequence you encounter).
All of this is well worth avoiding all the extra links that could be made by anyone fishing in your data.
If the bank allows someone claiming to be you to empty your bank account, isn't that the bank's problem? Can't you go to the bank with a lawyer and say, "That's not my signature. *I* did not withdraw these funds. *I* cannot be held responsible." Hm?
I guess it is identity paranoia day here at /. . Anyway, this does bring up the issue of how much information needs to be out there. Personally, I think a system of identity verification could be a killer for identity thieves. I am not talking about a govmint issued ID that will freak a lot of people out here, I mean like a DNA based encrypted PIN. Or something. Just a thought.
Last year I bought a cell phone account from Cingular. A month later, a "friend" stole the cell phone and registration paperwork from my apartment, and started making calls. I called Cingular to report the phone as stolen. The following week, I called to check on the status of the account, and was told that my account was active again and charging minutes!
It seems that the thief called Cingular up, and using the information on the initial bill, impersonated me and reactivated the phone. Cingular happily reactivated the phone without any further confirmation. They stuck me with a rather large bill, and to this day the stolen phone is still in use.
If the bank allows someone claiming to be you to empty your bank account, isn't that the bank's problem? Can't you go to the bank with a lawyer and say, "That's not my signature. *I* did not withdraw these funds. *I* cannot be held responsible."
Voila!! You're now in business again....
Wish I could remember the comedy routine I heard that this was a part of...hilarious...and some of it made sense in a strange way.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
One paragraph from the article recommends thus --
Can someone explain the rationale behind this? Shredding makes sense to me, but why the warning about outgoing mail?
Is the danger that you can't trust the postal employee, or that someone can get into your mailbox before the mail can be collected?
If it's the former, and the postal employees shouldn't be trusted, then why is dropping the mail off at the post office any safer? For that matter, why trust the whole system?
If it's the latter, and the danger is that someone will get into your mailbox, does it help if your mailbox has a lock on it? In my building, the mailboxes are controlled by two keys: I've got the key for one lock, and the post office has the key for the other. Random passers-by can't just open the door & grab whatever may be in the box, which I've always assumed protects me a bit.
Is the recommendation to avoid sending mail from home boxes, even if you have a lock? If so, what's the argument for this? I'm genuinely curious...
DO NOT LEAVE IT IS NOT REAL
Did you know that the crime of identity theft is virtually unknown in Europe (at least in Germany, where I live)?
And there are some obvious reasons for this:
- Nobody in Europe has mail boxes without a lock. European mailboxes are usually flat, upright, rectangular boxes with a slit on the top of the front where the mailman drops the letters and they fall down a slide so you cannot get them out without using either very long pliers or, of course, the key to unlock the door at the back.
- No bank would give you a checking account or a credit without checking your ID card and making a photo copy of it and noting the number. (Remember that in most European countries (except e.g. the UK) every citizen is required to have a national ID card which you show whenever somebody has to be sure of your ID. These cards have all kinds of witty security features to make them really hard to counterfeit.)
- All laws and courts agree that a reasonable proof that somebody did make a business transaction is a signature on a piece of paper, or at least some computer record showing that the customer has entered a secret PIN. 'Secret' meaning, that nobody else should be able to know it. (PINs are printed out by the banks' computer systems and put in a sealed envelope without any employees being able to look at them.)
- Especially, if you told a court that a business transaction was valid because you checked the caller's identity on phone by asking for his SSN (or some local equivalent of this), his date of birth or his mother's maiden name, the judge would probably only laugh at you.
While staying for half a year in California, I was quite astonished about the lax way of checking identities common in the US.
(For example, I got liability insurance for the used car I bought by just phoning the company. The guy asked for my Visa card number, then said 'Fine. Your car insurance is valid starting now, i.e. 4:13 pm.' That was great and convenient, but after all, I still prefer the European way, where they'll first ask 'So, how do we know, that this was your credit card number, and not taken from some receipt you picked out of a trash can?'. At the very least they would want proof of your address so that they can send you a court summons in case you tried a fraud.)
Come on people, let's use the correct term: Identity Fraud. Let's not continue to conflate copying and theft. If someone pretends to be you for fraudulent purposes, they haven't stolen your identity -- you still have your identity and you're still you. If anything, they've made a "copy" of your identity, but you still have the original.
It's fraud, plain and simple, and any "Identity Theft" criminals will be charged with "fraud", not theft. Don't continue to use the scaremongering term that the media made up in order to put more fear into everyone.
I once saw this locking mailbox that had a compartment below it that you could probably get a 1'x1'x2' box into...so UPS, etc had a place to securely put the smaller shipments. It wouldn't go on a pole, but was freestanding about the height of a regular mailbox. Another option this place had was putting a larger door, like the lower one, that you could build into the wall of your garage so UPS, etc could drop boxes into your garage.
Anyone know where these can be found...I don't remember?
Sure, you tell the post office to hold your mail, and the postman not only holds your mail, he knows which days you are not there making it much easier to find all your hidden treasures.
This is not a made up incident, I know of a former police officer that did exactly that. Checked all the houses on the list of those to check while the owners are away, and robbed them. He was caught when one time the owners returned early and he was called to their house just minutes after he left, and couldn't make it (despite just answering from that neighborhood) because the back of his cop car was filled with their treasures. (this was before I was born, the guy lived in the same neighborhood as my mom)
p.s. technically it isn't robbed, but burgeler is too hard to spell.
The real factor is if you have less than 35% of your available credit currently in use. So if you have racked up a lot of debt, closing accounts will drop your score if the ratio (credit used vs. credit available) goes up a level (I think there is a 50% and 75% mark as well)
Close your old accounts only if your credit ratio will not be greatly affected, otherwise wait until you pay off enough debt to make it worthwhile.
Security is inversely proportional to the commitment of one desiring to circumvent it.
When I did my time with Canada Customs, some of the more seasoned officers used to always tell us to check people using drivers licences from West Virginia (yeah, the cigarette smuggler's state) a little more carefully. Why? Well, assuming that they didn't tighten up things since then, all they require for ID to get a drivers license there is a birth certificate and for you to pass the driver's test. We actually caught a few illegals that way. Little tip guys, if you're going to use an ID that says you're an American, don't keep a Guyanese passport in the car with your picture on it. It's not always possible to check too deeply into birth certificates. It's possible if it's fairly recent and the person was born in a hospital. Otherwise, you basically have to take the document at face value. American birth certificates aren't much as far as documents go. They're mostly printed on plain paper, with zero security features. Once you have the drivers license, you now have a piece of government issued photo id. With that to back up your fake birth certificate, you can apply to the US gov to get a Social Security Number, and Congratulations, you've not only got yourself a new Identity, but you're a freshly minted US Citizen. None of this will stand up to heavy scrutiny, because if you dig far enough, you can find out that the social ins number didn't exist until a month ago, and there's no record of James Bond Born in Tulsa, OK, on April 1, 1984. That level of scrutiny isn't routine, and isn't generally available except to law enforcement, so it's probably good enough to get yourself a few credit cards before moving on to your next life. I would hope that the state and federal governments in the USA have improved things since then -- especially with 911. I kind of doubt the US federal gov would issue a passport based on such a shaky identity, but you never know. Think about this before you blame Canada for your terrorist problems.
I'd love to stalk my wife but she's got this bleeding problem.
Here is the text:
INTRODUCTION OF THE ``SOCIAL SECURITY NUMBER PRIVACY AND IDENTITY THEFT PREVENTION ACT OF 2003'' -- (Extensions of Remarks - July 25, 2003)
[Page: E1637]
SPEECH OF
HON. E. CLAY SHAW, JR.
OF FLORIDA
IN THE HOUSE OF REPRESENTATIVES
FRIDAY, JULY 25, 2003
Mr. SHAW. Mr. Speaker, use of Social Security numbers is rampant. When Social Security numbers were created in 1936, their only purpose was to track a worker's earnings so that Social Security benefits could be calculated. But today, we literally have a culture of dependence on Social Security numbers.
Businesses and governments use the number as the primary way of identifying individuals. All of us know how difficult it is to conduct even the most mundane transactions without having to provide our Social Security number first. It's no wonder identity theft has become the fastest growing white collar crime.
Worse yet, terrorists, including those responsible for the September 11th attacks, misuse SSNs in order to assimilate into our society.
Barely a day goes by without hearing more examples of the truly devastating effects of identity theft. Just this month, at a Ways and Means Subcommittee on Social Security hearing, we learned about a widow whose husband died in the September 11th attacks on the World Trade Center--an illegal immigrant used her deceased husband's Social Security number to get a driver's license and to work. We also heard about individuals whose credit was ruined, who were arrested for crimes they did not commit, and who spent years and hundreds or even thousands of dollars out of their own pockets trying to clear their names because of identity theft often facilitated by obtaining the individual's Social Security number.
Concerns about identity theft are increasing dramatically. According to the Federal Trade Commission, identity theft is the number one consumer complaint--amounting to 43 percent of complaints received in 2002. In fact, my state, Florida, is sixth in the nation in the number of identity theft victims per 100,000 people.
Clearly, there is need for a comprehensive law to better protect the privacy of Social Security numbers and protect the American public from being victimized. Today, I re-introduce the ``Social Security Number Privacy and Identity Theft Prevention Act of 2003,'' which is similar to bipartisan legislation introduced during the last Congress. In the public and private sector, the bill would restrict the sale and public display of Social Security numbers, limit dissemination of Social Security numbers by credit reporting agencies, make it more difficult for businesses to deny services if a customer refuses to provide his or her Social Security number and establish civil and criminal penalties for violations.
Based on the thoughtful comments we have received, this new legislation reflects a small number of fair and appropriate modifications, including the following:
In response to concerns about potentially preventing necessary disclosures of the SSN and the impact on businesses, customers, and the economy, the U.S. Attorney General will be able to authorize the sale, purchase and display of SSNs only when necessary and with restrictions to assure the Social Security number would not be used to commit fraud or crime and to prevent risk of individual harm.
Based on feedback from employee benefit plan administrators, the legislation makes clear that sale and purchase of Social Security numbers does not include its submission for administering employee benefits.
In response to concerns regarding vulnerabilities in the Social Security Administration's process of issuing Social Security numbers, the bill tightens controls by requiring a photo ID; raising the standards for issuing Social Security numbers to babies; and restricting reissuance of Social Security number cards.
In response to concerns about the need for stronger, clearer penalties for SSN misuse, the legislation provides enhanced criminal penalties for repeat offenders and fo
Forwarding mail is a little harder now. Last time I moved I got a notice from the post office that the previous owner had forwarded his mail, and if I was him to call them, otherwise discard the notice.
Of course I discarded it. It is fun to contemplate calling and canceling that forwarding, then forwarding his mail to someplace else.
Unfortunately most security is breakable with very little thought, even if you solve one problem it is often at the expense of introducing or making easier a new one.
Times have changed and computers have proliferated, and I've only done some casual investigation, but I've never found any guarantee by the US government that the SSN is unique.
I delved into this a while ago for a project at work.
Due to the way they are assigned, it seems the SSAN cannot be unique in all areas.
The SSAN is assigned by state or area. The first 3 digits denote what state the number was assigned in.
For instance, an SSAN created for a New York resident gets 050-134 as the first 3. That leaves 86 million possible combinations. Fair enough, since the pop. of NY is currently ~18 million. A lot left over to prevent duplication.
New Hampshire doesn't seem to be too bad. A pop of 1.2 million, and SSAN's from 001-003. Just over 50% free combinations.
Consider though all the people who were born there, and have passed away. You may be getting a recycled SSAN.
But consider Florida. The pop. of Florida is currently ~15.2 million. Florida SSAN's range from 261-xx-xxxx to 267-xx-xxxx. Leaving a possible 7 million combinations. How can that be truly unique? (Ok...a LOT of Florida residents moved in from out of state, but still).
California is just as bad. SSAN's from 545-573 (28 million combo's), with a population of 32.5 million.
North Carolina, with a single SSAN group (232) has a population of just under 8 million. Unique? Doesn't seem to be.
Attach the person's name to the SSAN, and you get pseudo uniqueness. Joe Blow, 001-01-0001 will be the only one. But that is only uniqueness through chance, not truly unique.
Cringely admitted stealing 300,000 identities, with a worth of $65 billion, and the FBI/DoJ haven't arrested him for 'computer theft'??
If he was 'C71n9l@y', we'd have a '"Free Bob!" Defense Fund' up and running faster than you can say 'PATRIOT Act'!
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
Others have been implying you're stupid not to have called the number on your card rather than the number on your answering machine, but I agree with you.
One does need to be careful: the natural thing to do is to call the number in the message, because who wants to call the generic number on the card and get lost in call tree hell when they have what should be the direct line to the right department?
And, as you said, when you did call the credit card company, they had no idea whether the number you had from the message was one of theirs or not: after all why would the monkey on the end of the phone necessarily know all of the fraud department's numbers?
So yeah: I think it is wise to be wary about these things.
Lord Pixel - The cat who walks through walls
A little bigger on the inside than out
...is the absurdly low standards some organizations apparently have for saying that they "identified" someone.
Well, two problems with using DNA as a secret for identification purposes:
A. DNA is not unique -- consider identical twins, for example
B. DNA is not secret either; certainly no more secret than fingerprints. You leave piles of copies in the form of hair and shed skin cells wherever you go.
Wish I had some mod points for this one...oh well, I have karma to burn.
Power corrupts. PowerPoint corrupts absolutely.
My house has two doors, laundry room downstairs and living room upstairs. I never use the living room door, and seldom even open it.
About 10 years ago, I ordered a videotape that came with a free poster. About a week after it had been delivered (a very rainy week) I found it outside the living room door, where the UPS guy left it. The tape was shrinkwrapped and fine, the poster was a soggy mess.
That prompted me to put up a sign at that door to prevent future occurrences of this.
A couple years later I ordered a fairly expensive cordless phone/answering machine combo. Several days after it was due to be delivered, I still had no package. Called up to check on the status and found it had been delivered several days before. I open the living room door and lo and behold, there is my package, sitting on the landing. UPS completely ignored the hot-pink, 11"x8.5" sign tacked to the door where someone knocking at that door could not miss it. In 72-point bold type, the sign said "ALL DELIVERIES TO BASEMENT DOOR."
I called up and reported never receiving the package, and got a second phone on UPS' dime, which I later gave to someone as a gift. Thanks, UPS!
I like your solution.
I'd like it even better if it would permit me to maintain multiple identities, as well as the public/private authorization (and the little box that I keep in my position to cut down on trojans - that sure looks like a bona fide Windows password dialog box to me - guess I'll type in my passphrase!).
That way, sleazy_4of12 could buy porn, while upstanding_4of12 could pay his utility bill, etc.
There's really no need for the utility company to be able to know anything except that I want some service and that I am capable of paying for it.
Unfortunately, the powers that be would not like losing correlatable information about me that exists presently, so I doubt my multiple identities with authorization scheme would fly. But it's technically feasible.
"Provided by the management for your protection."
FBI is bound to see this and finally arrest Cringely. I hope they don't let him write his stupid column from the prison, saving $16 billion in emotional trauma to the readers :)
DO NOT PANIC
You are the first intelligent and lawful participant in this forum.
.info forums.
Social Security Number is known as an irrevocable trust fund of the United Nations. It is a three-party agreement, contractual, and is not lawful to force upon anyone. Today, all of Social Security Number requirements are fraudulent.
For more information on Social Security and how to conquer this mark of the beast, visit Familyguardian.tzo.com (aka http://chansen.tzo.com).
And last, for those of us that think we are beneficiaries of banks, hence that think we are not creditors, wipe the United States corporation's sand^H^H^H^Hlies from your eyes and take the lawful money quiz and as well visit the Gold is Money
tried to get a gov. clearance. Background check reveals I have the same one as an older lady who is currently in Fl. ::shrugs::
:-)
I just hope she doesn't try to enroll at my University.
Fuck Beta. Fuck Dice
I bet $1000 that some hater of Cringely did it, totally. Hands down!
...are available and are a standard screen in several lines of business, fraud detection, etc.
If you want to use a PO Box to hide, get one from a local non-franchised business, and inquire specifically about their disclosure policies.
He read the earlier /. article and downloaded the Whois database.
OK... so Cringely brings the point of how apparent this crime is, how easy it is, and how the government will do nothing about it - and if they do it won't work. Well how about writing how he thinks it should be solved!! You just can't rant about how something sucks and how the government will do shit all to fix it, and not post HOW you think this issue should be handled. Before that mongrel starts bashing anything I would like to see how he would deal with the current situation.
how many issues with this system?
- I just got mugged. Suddenly I can't prove I'm who I am, while some lowlife punk just proved he's me and bought a Ferrari. And I can't even drive it!
- My batteries have run out. Can you trust me to be me until I can replace them?
- "Mr Anderson, it seems you lead two lives." Sorry, no. I don't want it to be possible to easily track me, have everything I do recorded. It's already bad enough with my bank, credit card companies, credit agencies, etc, keeping tabs on me to a large degree.
I have no ideas on an alternative. I like being anonymous. Sometimes I just want to dress up in girly clothing and pretend to be someone else.
~Cederic
Today everyone puts confidential information on forms, etc. and submits them "securely". Well, SSL is a good start but the biggest cause of identity theft is the human factor. For those of you who have a Paypal account, maybe you got an email in the past couple months that said your account was being verified..blah..blah... Have any idea how many people fall for that crap? I train people for a living to teach them how to stop this type of information theft and yet my own family still calls me up to ask if it was bad for them to have entered all their personal information in a piece of email.
Kinda reminds me of when the popups started appearing that looked like Wintendoze had an error but were really adverts for some corporate sleazeball to sell his lame software...pfft.
0x09F911029D74E35BD84156C5635688C0
With Identity Theft, credit card fraud is only the beginning. See how you like it when they turn in your stolen identity when busted for traffic or other crimes, when they buy a car on your identity and wreck it, or something else.
Without even having my identity stolen, someone of the same name in the next town created enough problems for me with stupid crimes like traffic accidents and gas station holdups, which made the paper while I was making the paper for my results in international sports competitions. Made for answering some interesting questions with sponsors, but I could clear it up in minutes.
I cannot imagine trying to clear it up with a stupid cop who's just doing his job with a (stolen identity) warrant for my arrest in his computer. And I know of people who've had that problem.
Please think a little bit before you speak.
If the govt announce that by 2006, they were going to publish everyone's name and SSN, and if you currently use SSN as a validator, you need to change now or face fines of $100k/day, maybe we could do something about this.
...
You are very evil and think stealing $100,000 fiat US dollars (see goldismoney.info forums) by most-anticipated use of military force will solve problems. I suppose, as usual, you will respond to requests on how to re-inforce the collection of this fine by use of the same STANDING ARMY held over our heads that is also used to infringe upon the allegedly un-infringible 2nd Amendment to the Constitution for the united States of America? Or perhaps, that you ignore that a State cannot diminish the rights of "We, the People" because States are Public corporations that are subservient and created by mankind and thus no groups of mankind operating under a fake/artificial name (ie McDonalds, Levitz Furniture, Arco Gas) can compel contracts (steal) or diminish the unalienable rights from "We, the People"? But you forget, the standing army used to protect us only applies to "citizens of the United States" (from the Act of 1871, to create a government for Washington D.C., aka United States Corporation), thus a Security Agreement must exist by the forming of the three-party agreement (contract) of an alleged "citizen of the United States" to be Secured by the U.S. Military (just another corporation)? That explains why there aren't any "We, the People" remaining in these united States of America, and that only exists the alleged United States and the alleged non-state private corporations operating as "State of *" fictions and that the Emergency War Powers Act does not allow the existence of anything but "citizen of the United States". If you think I'm wrong, then perhaps you should read this page of cornell law of the United States corporate code and I quote the pertinent information,
(* means my emphasis, ** means my quote)
TITLE 28 > PART VI > CHAPTER 176 > SUBCHAPTER A > Sec. 3002.
Definitions...
(2) "Court" means any court created by the Congress of the United States, *excluding the United States Tax Court.
(**Congress didn't create the United States Tax Court, and as well all the courts are financed by the Federal Reserve System! Congressman McFadden discloses the Federal Reserve is a private corporation and as well discusses the fraud!)
(3) "Debt" means -
(A) an amount that is *owing *to *the United States on account of a *direct *loan, *or *loan *insured or *guaranteed, by the *United States; or
(B) an amount that is *owing *to the *United States on account of a fee, duty, *lease, *rent, *service, *sale of real or personal property, *overpayment, *fine, *assessment, *penalty, restitution, *damages, *interest, tax, bail bond forfeiture, reimbursement, recovery of a cost incurred by the United States, or *other source of indebtedness to the United States, *but *that *is *not *owing *under the *terms of a *contract *originally *entered into by only *persons *other than the United States;
(**Anything outside of the United States is not debt! The use of Federal Reserve Notes, aka fiat money, is an adhesion contract that constructively declares you received it as a loan from the United States! It is debt money! Gold and Silver are exempt of being used as debt money, as they are Lawful Money!**)
(8) "Judgment" means a judgment, order, or decree entered *in *favor *of *the *United States in a *court *arising *from a *civil or *criminal proceeding *regarding a *debt.
(13) "Security Agreement" means an agreement that creates or provides for a *lien.
(15) "United States" means -
(A) a Feder
Secured Party, Without Prejudice, UCC 1-207: Creditor
The point I'm making is that the amount of actual "identity theft" perpetrated does not warrant the amount of publicity this issue has generated.
I would suspect the figures published do not distinguish between the various types of "unauthorized use" which don't really involve what we consider "identity theft", and the issue IS OVERHYPED. If a child takes his mother's credit card and charges something, is that "Identity Theft?" How about the guy who pays for the phone sex service and then tries to charge it back when his wife finds out? I would bet that all the "fraud" figures incorporate these types of transactions and are used to inflate the impression that the credit companies are losing much more revenue to third-party criminals taking peoples' identity.
I'm sure many people can cite experiences where they have been victims of unauthorized charges, but I'd bet most of these were either accounting mistakes or members of their family or friends using their cards. In contrast to the impression Cringely's article states that there seems to be a big market for people going through peoples' trash and premeditating identity theft. I don't believe the statistics when scrutinized, would substantiate this.
To succeed at identity theft generally requires more of a skill in social engineering than a lot of hardcore personal information on the mark. I'd argue that a good SE doesn't need to go through a person's trash - he can coerce the information he wants from the mark himself. Most people are terminally stupid. Whose fault is that? How do you protect yourself against stupid people who pay $153 for a bottle of Leptoprin and are so easily manipulated?
I locked myself out of my truck a few years ago. Instead of paying to have someone jimmy it open for me and possibly damaging things, I called up the local Toyota dealership to see if they could make me a new key.
The VIN was on my proof of insurance, so I told it to them over the phone, and had someone drive me there to pick it up.
No one ever asked me for proof of ID. I had never even been to this particular Toyota dealership before! All I did was walk in and say I needed to pick up my key!
Someone said that by the time the key is made, your car probably isn't sitting there anymore at the mall. But what about your day job, where your car sits every day? A good thief could probably notice how long the same cars stay there, write down some numbers, have keys made, and the next day come back for them!
It's not rocket science after all...
I used to take a Cisco class in high school and the teacher thought DNS stood for 'distributed name server' and he STILL called them DNS servers even though it would be a redundant statement in his mind. Needless to say I knew more about routers than he did, lol. High school teachers.....
I totally agree that using a person's SSN as a global identifier is a baaaaaaad thing.
What people's complaints here amount to is that knowing the ID number for a person tells them the ID number for a person. Whether this is an SSN or anything else, the problem is still there.
Why not just require a password, too? The government (Social Security Agency? Federal Trade Commission?) would then just have to verify "Yes, that is this person's current password."
I called the scooter merchant this morning, and sure enough, someone had used my wife's AmEx card number to order the scooters and ship them to an address just a few miles away.
So since the nice owner of the scooter co. shared the IP address of the person who made the order, and being a huge internet nerd, I have already traced the origin (via nslookup) to an AOL user who was logged in and using AOL at 11:53am on 9/7/03. I might just have the means to track this guy down.
... if you are making ONLY the narrow point that published fraud figures don't usually make the best useful distinctions between 'unauthorized use' (e.g., 'borrowing' by a household member), straight ccard fraud (double charges, using info off a carbon slip, etc.), and full 'Identity Theft' (where the SSN and other core info is used to get new accounts, etc.), then we agree. It would be nicer to have better data. I can even agree that the ccard companies probably fudge the distinctions to sell more 'protection' products, which is smarmy behaviour in their interest.
We also agree that we cannot protect the stupid from themselves, and I would not want to (Go Darwin!). So that all seems a relatively minor point.
In contrast, your presentation seems to imply more than that, i.e., that Identity theft itself isn't much of a problem. If so, then we strongly disagree. Identity theft does not require only dumpster diving or social engineering. RXC's example used mail theft and pointed out egregious failures of the govt to protect our data. The rampant overuse of SSN as a UNID is a horrific security flaw in our society, promulgated by lazy IT managers, who don't want to think or resist this request.
If we are going to have master keys to our identities, then they need to be MUCH better protected from abuse than are SSNs.
Cheers.
it obviously isn't worth $65 billion.
The scenarios you describe are not made any worse with a cryptographic smart card.
- You get mugged now, mugger has your wallet with your driver's license and he can pretend to be you. And now, he doesn't even have to mug you, he can just use information from your mail or some database to buy that Ferrari and make you get stuck with the bill.
- What batteries? Batteries are unnecessary.
- The smart card would only be used when you have to identify yourself anyway, so it won't increase anybody's ability to track you. If you don't have to identify yourself, then don't. If you do have to identify yourself, they can track you anyway whether you used a credit card, SSN, driver's license, or anything else. Worse yet, it's easier for somebody to use your credit card/SSN/DL to make it appear that you've left a trail of dastardly deeds.
---------
There is inferior bacteria on the interior of your posterior.
I graduated from an international school in Iran, so my sphincter starts to quiver when someone mixes up Mideastern capitals. Otherwise, the poster is correct. For years you could (and probably still can) buy reprints of classified US documents at bookstores in Tehran.
Luke, help me take this mask off
1. If you give a fraudulent SS # to an employer, good luck trying to collect anything from SS when you need it. I am one of those people that never use my given name but a shorter version of it. You know how your alias comes up on the credit reports? Pretty cool until you start thinking about walking into SS to collect. At least all the different names have the same SS # but it still looks funny having 3-4 names that you have to justify. Bottom line, not a real smart idea to fudge your SS # or your given name.
2. My wife went thru this recently. Luckily I don't think anything came of it but it brought up another problem associated with this type of crime. It seems that completely unbeknownst to us, there was another woman running around town with my wife's name running up cards and not paying. Since the phone is listed in my wife's name, the CC company calls her and starts reading her the riot act. We backtrack and get this other lady's information, where she used to live, her last 4 digits of her SS #, etc. Luckily we found this out and have been able to head off any potential problems. You have got to shred everything that has any kind of personal info on it. Everyone we talked to recommended this. Think about all the junk CC offers you get and throw away. Imagine if someone was taking them, filling them out and submitting them? Not much of a stretch, is it?
MMORPG Fan? Prove your worth!
What a bank considers an ID confirmation is just pathetic. I mean, come on, Mother's maiden name when every other bank also uses it? 4 digit pin codes?
They belong back in the 19th century!
We need to task the NSA, or a DARPA project, or any serious professional, with coming up with a secure banking id system, one that meets serious security standards, and just get the damn problem fixed. I think that if you picked any code breaker at random and gave him the task, he'd come up with something a hell of a lot better than what we got. If you held a nice contest, it would come out really nice.
If we got some modern crypto-spooks involved, if we could get to where the KGB had to sweat even a little to crack our identity system, identity theft would be a crime very few could give a try. Just try reading a few books about what the KGB and CIA have to do to crack each other's security, and then compare that to mother's maiden name and social security number.
That is the solution.
As a minor improvement, all credit cards should be required by law to have photos on them that were supplied by the government, and verified to be the unique current registered photo for that id.
All transactions not serious crypto-verified should be illegal to report to a credit agency.
I should have prefaced my proposal by emphasizing that this idea is not a National Identification system, rather it's an authentication service to enable you to better protect your assets.
The only involvement the federal government would have would be mandating the States to implement the standard. The states would be free to purchase the devices from any manufacturer who meets the security specification.
The manufacturer will pay for all inspection costs and will accept liability if their device is cracked because of failure to meet the specification.
Verification algorithms would be written and published in most programming languages (Probably RSA).
Now to address your scenarios:
1. I just got mugged. Suddenly I can't prove I'm who I am, while some lowlife punk just proved he's me and bought a Ferrari. And I can't even drive it!
That's when you call a 1-800 number where you enter your public key and a password to revoke your public key. Oh, and I hope your mugger looks like your twin, because the Ferrari dealership will ask for your driver's license which will have your public key on it.
As long as you're revoking your public key, you might want to cancel your credit cards while you're at it.
After that, the procedure is the same as getting a replacement driver's license. You'll need a copy of birth certificate, passport, or another approved document verifying that you are who you claim to be.
If two different people attempt to claim to be the same person within a short period, then the latter person will probably be detained at the DMV or Post Office until he/she can verify their identity. Meanwhile, all public keys will be revoked until the matter is settled.
2. My batteries have run out. Can you trust me to be me until I can replace them?
No I won't trust you, because your device is solar powered like many pocket calculators.
3. "Mr Anderson, it seems you lead two lives." Sorry, no. I don't want it to be possible to easily track me, have everything I do recorded. It's already bad enough with my bank, credit card companies, credit agencies, etc, keeping tabs on me to a large degree.
Think of this as your social security number. You don't give your social security number away letting everybody track you.
Neither do you give your private key to everybody, rather you would only give it to people and organizations you trust.
Furthermore, I would add legislation that would fine any company who required your private key for doing business. The security of this system works best when it's used sparingly and above all voluntarily.
"Communism is like having one [local] phone company " - Lenny Bruce
Cringely is a blowhard trying to scare people, but frankly this isn't news. Using the 'net really doesn't make this easier - it's always been easy.
His point actually, is that with the information he got for free on CD courtesy the federal government, he could have potentially stolen something to the tune of 63 billion dollars. Sure, it's easy to steal from one person by dumpster diving or double charging, but that's chump change. When you have the identities of hundreds of thousands of people, stealing as little as $8000 from each one means you're sitting on your own private island in the Caribbean with as many bikini babes as you like, while you watch the entire American banking system collapse on TV.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
Sorry, Austin Powers is on TV, and I just can't help it...
<DrEvil>
You must pay me... Sixty five Billion Dollars! Muahahahaha!
</DrEvil>
Okay, I'm better now....
Good judgment comes from experience.
Experience comes from bad judgment.
1 key - Government Verification
1 key - Corresponding with Driver's License
(Use sparingly for occasional verification in financial affairs.)
50 additional keys - Which could be registered and published under Aliases of your choosing by a third-party registration service?
I believe this sort of system should be implemented as a core specification which the states would be required to adopt.
Manufacturers of devices would have stricter standards subjecting the manufacturers to severe penalties if they fail to meet the standards. They would also have to pay for government testing.
Like I mentioned in my other email, this would NOT be a National ID system that would be used everywhere, rather a voluntary authentication service to be used sparingly. Furthermore, it would be illegal for any company to require a public key.
I do like your idea, which I think should be handled with additional public keys.
"Communism is like having one [local] phone company " - Lenny Bruce
I don't know if anyone else is dissing him, but I certainly wouldn't be upset with anyone who did.
I haven't cared enough to document every single piece of complete misinformation I've seen from him, but there have been plenty.
The most glaring example I can think of off the top of my head:
In the following article Cringely slams Earthlink for a lot of really good reasons, but then follows it up with:
Every single assertion in this paragraph + 1 sentence is 100% factually untrue, and can easily be proven as such by anyone with a free CD from Best Buy - except for the fact that the EULA technically does give Earthlink the right to install whatever they want.
That said, Cringely does occasionally make some solid, informative (and informed) points. I give his comments about the same weight as I do any other slashdot commentary. Sometimes he's informative, interesting, and insightful. Others, he's a troll :)
This is my sig. There are many like it, but this one is mine...
Selective Service Administration
Remember, Amateurs built the ark. Professionals built the Titanic
Your scheme will only be instituted after the accountants conclude it will cost less than the amount currently being lost to identity theft.
European friends! It isn't "United States", it's THE United States
I am sorry to burst your bubble but a lot of mailboxes do not have a lock ... especially in small apartment buildings .... (like my mailbox).
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
Of course, I didn't travel all Europe before making this claim, and so, I mainly talk about my home country, Germany. And here, the bubble still holds. Pity, you didn't mention where you're living. BTW, so, you are not worried about someone stealing your mail? (I know building standards are not the same throughout Europe, but although IANAL, I'd say if you're a tenant, at least in Germany your landlord would be required to fit a lock on the mailbox, as required by postal regulation and DIN national standard.)
The DMV charges fees for most services, and I would propose that people pay a $20-30 fee to cover the costs.
That shifts it to YOUR bottom line. Would you pay $20-$30 to protect your financial assets?
All the DMV would have to do is buy the devices in bulk (which they really end up reselling), print the public key on your driver's license, and support a simple revocation database.
"Communism is like having one [local] phone company " - Lenny Bruce
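The signing device, printed public key and revocation database proposed in the comments above, sketched as an added example that is not part of the original thread: the verifier sends a fresh random challenge, the device signs it, and the verifier checks the signature against the public key and the revocation list, so the private key never has to be shown to anyone. The `Device` and `Verifier` names are hypothetical, and the RSA key is a toy built from two small known primes with no padding, which is an assumption made to keep the example standard-library only and is not secure.

```python
import hashlib
import secrets

# Toy RSA key built from two Mersenne primes so the example needs only the
# standard library. Far too small and unpadded for real use (assumption).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                 # public key, as printed on the license
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, never leaves the device


def digest(data: bytes, n: int) -> int:
    """Hash the challenge and reduce it into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


class Device:
    """Hypothetical token: holds the private key and only emits signatures."""

    def __init__(self, d: int, n: int):
        self._d, self._n = d, n

    def sign(self, challenge: bytes) -> int:
        return pow(digest(challenge, self._n), self._d, self._n)


class Verifier:
    """Hypothetical relying party with access to the revocation database."""

    def __init__(self):
        self.revoked = set()    # public keys reported lost or stolen
        self.pending = set()    # challenges issued and not yet answered

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def check(self, public_key, challenge: bytes, signature: int) -> str:
        n, e = public_key
        if challenge not in self.pending:
            return "stale challenge"        # replayed or never issued
        self.pending.discard(challenge)     # each challenge is single use
        if public_key in self.revoked:
            return "revoked"
        if pow(signature, e, n) != digest(challenge, n):
            return "bad signature"
        return "ok"
```

Adding `(N, E)` to `revoked` models the phone-in revocation step: a stolen device still produces valid signatures, but every check against that public key then returns `"revoked"`.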
I killed Tupac!
NIC Card
Your credit card information wants to be free.
Sad that the title to your post makes me immediately think of Eminem rather than whatever game show he took that from.
Your credit card information wants to be free.
Unless you live in California (and perhaps other states, I can't say for sure). Here you are legally required to list your address as:
123 This St.
PMB #666
Anytown, CA 99999
which makes it fairly obvious you've got a Private Mail Box.
IIRC, this stems from folks using PMBs for fraud (rather ironic in this context). Under the old rules, as you suggest, your mailbox could look like real brick-and-mortar, giving an air of a "legitimate business" to any shmo with $5/month. Beverly Hills was the most popular PMB address in the state for a while, and may still be, just 'cause it looks impressive, I guess.
"... insert the Windows NT Workstation 4.0 compact disc with your computer turned off." - NT installation manual