Cringely on Identity Theft
Boiled Frog writes "Prompted by the theft of his mail, Cringely investigates how easy it is to steal identities from government publications. In this article he explains how he got the identities of 300,000 people which he calculates to be valued at $65 billion dollars. If Cringely can do it, anyone can."
I had my identity stolen about 8 years ago. It suuuuuked!
In San Francisco, when some people move out, they throw all this crap they don't need anymore on the curb. I saw this throughout the city, time and time again, so when it came time for me to move, I did the same.
I got rid of almost everything! This included tons of old papers - possibly old pay stubs. Big NO NO! At one point, I even noticed some people looking through the big pile. "Just people who like crap", I thought.
Six months later, the Postmaster General Attorney's office in San Jose calls me saying they've arrested someone on postal fraud that had my name and info in his little black book. It was under a section that basically was ready to have a driver's license and social security card issued in my name with this guy's picture!
To make a long story short, the guy went to prison and I had to notify all agencies where I had any type of id or credit/bank card to put a watch on them for the next six months.
My lesson learned: shred everything.
However, online, this is a totally different issue and the only thing I can suggest and do about that is to check into companies and try to make sure they are responsible about how they store your credit-card information. I've personally written to all the online companies I use to ask how they protect my information. If it ever seemed like they weren't up to snuff, I explained my concerns and asked for some sort of reassurances. Although, I must admit, that's not the best thing and sometimes letters to the BBB and other groups/agencies are necessary.
There is so much personal information out there and some people are so uninformed about who not to give this information to or how to secure the information that they have been given. This problem will only get worse. I for one have no idea how to deal with it.
Not everything is analogous to cars. Car analogies rarely work.
Watch out - this could happen to you.
I mean, he's no H4Xx0R god or anything, but he seems to be fairly knowledgeable.
He tried to kill me with a forklift!
"...valued at $65 billion dollars"
Come on editors, I know it's early on the West Coast, but really.
Some bastard stole my identity and wrote that article under my name!
why you use a PO box, like I do.
Don't have to worry about such things.
I'll only go as high as $50 billion and not a penny more!
"People" using "unnecessary" quotes should be "shot".
I'm usually not paranoid, but talk of identity theft, and nearly being a victim (copied credit card when I visited Mexico), convinced me to subscribe to a credit monitoring service. They notify you right away of changes to your profile, and give you free periodic credit reports. I'm trying to start a small business, so it's more important now than ever.
True Credit turned out to be the cheapest at $11/quarter for the basic service. This is not a referral link, and I'm not affiliated with them in any way. Just sharing information.
You can't prevent crimes from happening, you can only improve the ability to catch the criminals, and reduce the damages.
Worried about ID theft? Keep a close eye on your credit card bills, credit scores, etc. Buy a paper shredder. Shred all bank statements and whatnot before you throw them out. Internet-shminternet, dumpster diving is the fastest way to someone's finances. Get the carbons at the gas station, or stores where they still use the old carbon-thinger credit card machine.
Cringely is a blowhard trying to scare people, but frankly this isn't news. Using the 'net really doesn't make this easier - it's always been easy.
I knew someone who got screwed big time by a gas station who would keep the carbons, and double bill her every time she filled up, the cash going straight into the owner's pocket. She was a dope for letting it go on so long, as she never bothered scrutinizing her Visa bills. Turned out the station was owned by a Russian mobster. This was long before the world wide weeb.
I don't need no instructions to know how to rock!!!!
Most institutions will cover your butt now if you get your ID stolen. So it isn't the money that costs you, it's the work.
You have to apply for coverage, and show evidence that your ID was indeed stolen. That can take months or years! And a lot of effort goes into all that. One of the worst parts is trying to restore your credit rating. While the whole process really shouldn't cost very much money ( $1000) it costs a quarter of your life to repair all the damage.
Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
If I were Cringely, I would have sold those names and now be the proud new owner of Microsoft. Free the source!
I mean, come on, it *is* easy to steal someone's identity, but what doesn't get enough attention is the human factor. Not enough people are willing to actually query oddities and if a document looks vaguely official, they'll accept it. After all, if you were trying to sign someone up for a credit card, would you query their ID and lose the possible commission?
From the article: "No, I mean what are you going to do about replacing my book?"
"Why would we replace your book?"
"BECAUSE YOU LOST IT????"
This is exactly why I use Fed Ex or UPS when ordering things. They can track your packages and they take responsibility when they screw up. Perhaps the Postal Service could take a lesson?
Visit Jonesblog and say hello.
Never work for an employer that demands your Social Security number; if asked for it, make one up and use it instead.
Yeah, cause this will never come back to bite you in the ass. I'm quite sure that when your employer finds out that you gave them a fraudulent SSN, you'll all just have a great big laugh over it, and they won't be calling the Department of Homeland Security or anything.
It hurts when I pee.
If you're in the UK, you can register your name / address combination with CIFAS:
http://www.cifas.org.uk
The service is operated on behalf of the UK financial institutions by Equifax, and will add a layer of authorisation to your name / address combination when arranging credit etc. It probably means that you won't be able to buy stuff on instant credit, but for the hassle that identity theft can bring I think it's worth it. Registration costs 12 quid for 12 months.
Personally I'm amazed that institutions will lend large amounts of money without a definite proof of your identity, but I guess that's consumer forces for you - Dixons want you to be able to walk out of their store with that 32" wide screen TV purchased on instant credit. For all the sales that brings, they absorb the liability.
Possibly this wouldn't be such a big problem if a more relevant credit history was available to people without having to pay, wait, and damage their credit just to get a report.
Maybe someone on slashdot knows: why doesn't my bank teller ask me for photo ID?
All they ever ask to see is the bank book. Are bank accounts not tied to actual people, but instead are transferable, simply by giving away the bank book? If not, why don't they ask for my government or bank-issue photo ID?
Pssst, Mr. Hawking. Try that one again.
$65 billion dollars
Did you get it that time? Let's try again... watch closely now!
----> $ <----65 billion ----> dollars <----
Did that help?
In the article it is mentioned that your Social Security Number is used as a universal identifier and as "proof" of identity.
This is not a good thing.
I work in the medical records/medical billing industry and a patient's SSN is one of the vital bits of information we collect and use to help index records.
Also the patient's date of birth.
For billing purposes, we need the patient's home address.
The health insurance company also needs all this information. In fact, if we don't supply all of the patient's personal information, they often don't pay claims.
We try to protect private information. We have yearly training, and monthly flyers reminding us of the importance of protecting confidential information. We have every bit of discarded paper shredded, and we have pretty good locks on our doors, and we have a fairly paranoid firewall, but the truly determined employee could always get their hands on thousands of patient records with everything needed for identity theft.
It's probably the same way at hospitals and insurance companies too. Too many people have access to private information, and the social and technological controls on it are too weak.
I hope that no one who has access to my personal information decides to do a bit of creative fundraising.
I don't have any answers, but we ought to think of solutions pretty soon.
Wreck your credit score every 7 years by declaring bankruptcy.
:-)
Then no one will want to steal your ID
So rise up, all ye lost ones, as one, we'll claw the clouds.
It's the latest trend in Mathematics! In reality he's got data worth about $.35, but when you extrapolate $200,000+ per infraction, he's on a goldmine!
I propose they start teaching this in textbooks in elementary school! Then everyone will have access to this revolutionary idea!
---- Move SIG...For great justice!
My solution to discourage anyone from stealing my identity has been to default on all my student loans, consistently pay my credit cards a few months late, and write anti-government propaganda letters to the local paper (amazingly, I still have my DoD security clearance!). The scammers run screaming...
In the last couple of months there have been an increasing amount of very sophisticated email scams.
For instance, E-Gold members (and others) have been receiving emails like this
Dear e-gold user.
At 09.05.2003 our company was attacked by unknown
persons. Out administrators is working on the database restoring.
If you have an active account, please check if it is still active, your
current balance is right and all transactions can be processed.
If you find that your account is inactive, please letus know
immediately at e-mail service@e-gold.com
To check your account, please click on the link below:
https://e-gold.com/sci_asp/payments.asp
It looks official, doesn't it? And the link looks ok too. But it is an html email, and the actual link went to a page located at e-gold2.com, which looked exactly like the real e-gold site. Thus the fraudsters were able to get people's log-on details. More here.
In the UK, many people have been receiving emails that look as if they are from Barclays bank (one of the biggest in the UK). It is a similar scam to the e-gold one. More here.
I myself have received an email asking me to update my eBay account details. Only on close inspection did I realise that it was a fraud.
I find this extremely worrying. Personally I am probably like many Slashdotters - paranoid about security and difficult to catch out. However most people aren't like that, and this new type of scam email is an extremely worrying development, because it could catch a lot of people out. People really need to be informed about this type of scam, but I've yet to see much in the press about it. Any journalists reading..?
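The mismatch this comment describes (link text showing one host while the real target is another) can be checked mechanically before a message is trusted. The following is an added detection example, not part of the original post; the HTML body is constructed, the function names are illustrative, and the edit-distance lookalike check goes beyond the single case in the comment.

```javascript
// Added example (not from the original post). SAMPLE_BODY is a constructed
// HTML e-mail body; only the two hostnames and the payments path come from
// the comment above. All function names are illustrative.
const SAMPLE_BODY = `
<p>To check your account, please click on the link below:</p>
<a href="https://e-gold2.com/sci_asp/payments.asp">https://e-gold.com/sci_asp/payments.asp</a>
<p>Or <a class="btn" href='http://www.e-gold2.com/login'>log in here</a>.</p>
<p>Questions? <a href="https://www.e-gold.com/contact">Contact us</a></p>
`;

// Pull {href, text} out of every anchor. A regex is enough for a mail-filter
// heuristic; it is not a general HTML parser.
function extractLinks(html) {
  const anchor =
    /<a\b[^>]*?\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>([\s\S]*?)<\/a>/gi;
  const links = [];
  for (const m of html.matchAll(anchor)) {
    const text = m[4].replace(/<[^>]*>/g, '').replace(/\s+/g, ' ').trim();
    links.push({ href: m[1] ?? m[2] ?? m[3], text });
  }
  return links;
}

// Hostname as the client's URL parser sees it, or null (mailto:, relative...).
function hostOf(url) {
  try {
    const host = new URL(url).hostname.toLowerCase().replace(/^www\./, '');
    return host || null;
  } catch {
    return null;
  }
}

// If the visible text itself looks like a URL or bare domain, return the host
// it claims to lead to; plain wording such as "Contact us" claims nothing.
function claimedHost(text) {
  if (/\s/.test(text) || !text.includes('.')) return null;
  return hostOf(/^[a-z][a-z0-9+.-]*:\/\//i.test(text) ? text : `http://${text}`);
}

// True when host is the domain itself or one of its subdomains.
function sameSite(host, domain) {
  return host === domain || host.endsWith(`.${domain}`);
}

// Levenshtein distance, used to spot near-miss hostnames.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Two checks per link:
//  1. text-href-mismatch: visible text names a host the href does not go to.
//  2. lookalike-domain: the href host is within two edits of a domain the
//     recipient actually uses (knownDomains) without belonging to it.
//     A threshold of 2 is an assumption; short domains need a stricter one.
function findSuspiciousLinks(html, knownDomains = []) {
  const findings = [];
  for (const { href, text } of extractLinks(html)) {
    const target = hostOf(href);
    if (!target) continue;
    const claimed = claimedHost(text);
    if (claimed && !sameSite(target, claimed)) {
      findings.push({ reason: 'text-href-mismatch', claimed, target, href });
      continue;
    }
    const near = knownDomains.find(
      (d) => !sameSite(target, d) && editDistance(target, d) <= 2
    );
    if (near) {
      findings.push({ reason: 'lookalike-domain', claimed: near, target, href });
    }
  }
  return findings;
}

console.log(findSuspiciousLinks(SAMPLE_BODY, ['e-gold.com']));
```

The second link in the sample has ordinary wording as its text, so only the lookalike check catches it; the third link goes to the real site and produces no finding.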
My wife and I tried buying something on the web on this one particular site. It asked me to register since I was buying stuff for the first time there. Filled up everything on the "new account" page and hit "register me". The page came back in error saying the id I was trying to register was already taken so I had to try another one. Not so bad. What was bad though was THE PAGE RE-LOADED WITH ALL THE FIELDS IN IT PRE-FILLED WITH THAT ALREADY-EXISTING USER ID's DETAILS! Address, phone number, first/last names everything on there for the taking.
Scaaary. We politely backed out of the site and decided to buy elsewhere.
I love the smell of trolls in the morning. I bet your employer will love reporting your taxable income to the IRS with a fraudulent SSN. I guess it is true that your identity will be protected if you keep all of your money in a big wad of unmarked nonsequential bills under your mattress, but banks offer other services beyond mere identity theft that you may be interested in.
Oh, you forgot one thing. Make sure you never ever give out your true name, no matter who it is. Once they have your real name they'll own you. Also, make sure to use the heavy duty aluminum foil, the regular stuff doesn't block the mind-reading rays for crap.
I read the internet for the articles.
Recently I signed a new cellphone contract and they *would not* allow me to sign the contract without giving them my SS# (which I imagine is for a credit check). What's the legality of that? Is there any way to avoid handing over SS#'s in these situations? It's terrifying that cell-phone services have huge databases of millions of Social Security numbers.
Anyone?
------ The best brain training is now totally free : )
I don't suppose you thought about the fact that the suggestion is hilariously funny?
Your employer is the one entity which is required to ask for your SSN -- it's used to pay your FICA and Medicare taxes, as well as to route your employer's contribution to your account. Those taxes? Well, if Social Security is still around when you retire, they're what sets your benefit level...
Public records are better if you want to be a crook because the Freedom of Information Act makes them completely available.
Cringely was quite correct when he identified two parts of the problem: the ubiquity of using SSN as both an identifier and as authorization (or using credit card numbers this way).
It would really be much better if the institutions we dealt with would accept identities and authorizations that were only valid for the specific transactions we conducted with them.
But no, "people can't remember all those numbers". Well, people ought to have a private key that is really private, and public keys that anyone can use to verify that person X really authorized some transaction Y.
But rely upon government to come out with a bad solution to this problem.
The FoIA safeguards, which are important to keeping government transparent and more accountable to the people, will be abolished (as they have already been for various cases deemed to involve national security or "terrorism"), to "increase security for the citizens".
We'll be trading a great deal in terms of liberty and knowledge of whether our government is acting properly for very little in the way of security.
"Provided by the management for your protection."
After I had my ID swiped by a ID-less loser, I started taking precautions:
Xerox/scan all your bank cards, credit cards, drivers license, etc front and back. Write down all the contact info and make sure you keep a copy in a safe place. NOT YOUR WALLET! If anything is lost or stolen call immediately!
Open a second bank account to use for online transactions. I transfer only the amount of money I need to cover gas, lunch, online stuff to it. I don't use an ATM card on my primary checking/savings. If someone grabs a carbon, they don't get access to anymore than the few bucks I keep as a buffer.
And as many have and will say here: Don't give out your SSN, check your credit report regularly for new lines of credit and shred early - shred often!
The truth about Scientology, Xenu, and you: Operation Clambake
I need some money(being unemployed), who do I sell my info to?
Just let me make sure I get that email about creating a new credit file first!
moo.
I realize that this column is mostly about identity theft, but is anyone else bothered by the idea that the USPS, given specific instructions to hold your mail, can just go ahead and deliver it, and then not be responsible for the screw-up (and the resulting havoc)?
Couldn't you sue them if that happened? There are damages involved here, so I don't see why they can get away with it.
Your mileage may vary, but mine is constant.
There is certainly a degree of catch-22 involved between convenience and security. When my wallet was stolen with license and SS card (dumb to carry both but I recently needed them starting a new job) a few years back, I was glad that I was able to get a new driver's license with no identification except a birth certificate copy I was able to get with just my SS number and no identification - but the ease of doing so certainly gave me pause for thought.
In addition to the sound advice of shredding, a good idea is to lock your credit reports from being issued without your consent and opting out of pre-approved CC offers. Instructions for both at this article - http://abcnews.go.com/sections/scitech/TechTV/tec
I'm just thankful my house has a mail slot that drops into an inaccessible bin inside the home.
It Is the Nature of Information to Transgress Artificial Boundaries
What's really going to suck is when it actually happens to one of those high-profile, illuminati/politicians, there's going to be yet another increase in Orwellian-type citizen monitoring and authentication laws, most likely in the form of some Patriot II act.
What worries me is not so much the people that try to steal identities, because as most of us understand how it's perpetrated, it's easier for us to avoid and/or control the consequences, but when some crazy system gets put into place 3 years from now by the Republican cronies because of some silent passing of a Patriot Act clause. I for one don't feel like having to provide a blood sample to get into my office, or giving a sperm sample for a new home loan ala Gattaca.
Hades, PoD: Official Advocate
The newest scam is VINs, the vehicle identification number. Once you have that and the proper books, you can cut keys.
With the key, you just drive it off the shopping mall lot. And there's no sign of forced entry, so the insurance company says "you left the key in the ignition, tough for your claim." Happened to us on vacation. And 10-year-old clean cars are in more demand for the body parts, it isn't just the new Hondas.
Tape over that damned number.
Social security is not a voluntary system. Your employer is required to make contributions to your account; failing to do so is a federal offense. Failing to make your own contributions is merely tax evasion. (FICA is not a contribution, it is a tax, and it is so named under the federal code.)
Not true. At least, not true in the legal sense, here in the US.
Look at a piece of currency, see where it says "This note is legal tender for all debts private and public". That means the law says this is money, and if you "tender" it to pay a "debt", it must be accepted.
That's why currency came into being - back in the olden times every bank printed their own "currency" and no one would accept it because no one knew what was legit and what wasn't. So you had the era of people carrying around little pouches of gold dust, and a shot of whiskey costing a "pinch", and of course bartenders with giant oversized ham-fists.
The feds stepped in to fix it and said "this is money, this is how you pay people, and they may not refuse it".
Of course, you can always go buy a postal money order.
I don't need no instructions to know how to rock!!!!
Something that he doesn't mention but immediately came to mind - I live in a house and have one of those curb-side mailboxes. Anyone can swing by soon after the mailman does his delivery and go through my mail.
I found this place that sells a "locking mailbox": http://www.oregontrailbox.com/
I think I'm going to get one from them. If you come across anything better, or have experience, please reply.
grisha.org
Has he ever thought about a career in piracy? He'd make an excellent Dread Pirate Roberts.
Cheers,
Ian
It's the same philosophy as car alarms. They don't prevent theft, they just encourage you to take the other guy's car because it's less trouble.
I've heard the rate at which people who commit identity theft get caught is around 1 in 7000.
So you have a much better than 99.9% chance to just do it to your heart's content and walk away with the money. That's pretty freakin' scary. A crime where you never have to see your victims, never have to face any consequences, and make tons of money. Can you imagine what would happen if a misguided Robin Hood decided to popularize the techniques and teach them to America's poor? Would the entire banking industry collapse at once? With a million people doing it simultaneously you would obviously overload the already overloaded investigative ability of the gov't and probably change the ratio to 1 in 100,000 getting caught.
Once I came home in the evening and got a message on the answering machine to call my card company asap because of possible fraudulent charges. I soon enough called the number they gave me and identified my card number and password. Then I told them about my message and they started looking it up on the computer. After 30 seconds the guy says that the computer is slow and other excuses. After another 30 seconds he apologizes and suggests I call back later since the computer seems down. So I put down the phone and then it suddenly hits me that I have no way to verify that the other side was the credit card company. It didn't feel right that a major financial company would have computer problems like this. So now I immediately called back the number on the back of my card and got through okay. They did verify that I had fraudulent charges and canceled my number. I asked them about the other number but they were not too concerned and guessed it might be an internal fraud line number.
In conclusion I still don't know if the original number was real or not. It could have been the card thieves trying to trick me. After getting the new card, I checked my credit report a month later to verify nothing new had been opened. The lesson I learned is to never use a number you cannot authenticate when doing sensitive stuff like this.
I think something very vital is being missed here. Your name, address, phone number, and SSN are not your identity. This is all public information. The problem is that we treat this information as if it was our identity.
Are people really suggesting that this information be "secret"? The SSN is not meant to be secret, can not really be secret, and every SSN card says explicitly that it is not meant to be secret.
Surely we are not suggesting that one's name, address, and telephone number be secret.
The problem is that this non-secret, non-unique information is used to identify people for many significant transactions. I.E. Driver's license, Mortgages, Credit Cards, etc...
The other problem is many people are opposed to instituting any kind of authoritative nationwide identification system.
Put aside your libertarian angst for a second and imagine if we did have a national DNA registry that positively and uniquely identified everyone. Sure we have all seen Gattaca and imagine ways of forging DNA derived identification, but it would be much harder.
Much harder than the current system where all the tokens we use to identify ourselves are from non-secret, non-uniquely identifying information sources.
Here's a link to that Wired article. Pretty interesting reading, I hadn't known that the Infoworld Cringely was fake.
I've tried to make it as secure as possible: ;)
- Limit giving out personal info to anyone
- Cross-shred anything with info on it
- Give out 867-5309 as my phone number
But, ever tried not to provide your social etc for:
- Doctor's office (They will want payment at time of visits). I've begged with them not to use my SS#, but it's an easy and unique identifier, they said.
- Electric company (They wanted $300 cash in lieu of a SS#)
I agree with the first poster about the mailbox, but outside of apartments or high-rises, how many lockable mailboxes have you ever seen? I'd like to, but it's probably against my HOA anyway.
We provide much of the information that could be used against us, as a convenience for ourselves.
New passports are only given out by the city-hall, and you have to turn over the old one, or show signed police-statements that you lost the previous one. (I suppose that they will corroborate with my home-address which is also known at the city hall for lost passports)
How come photo-ids aren't required in the US?
Han-Wen Nienhuys -- LilyPond
An employer is not required by law to obtain an employee's Social Security number. The law requires only that they ask for it. (How can they be required to obtain an employee's SSN, when in fact, there is no legal requirement that a person obtain an SSN in the first place?)
Take a look at this.
Here's a relevant excerpt (And please ignore the religious component... That's not the point.):
For those that would die defending it, Freedom
has a sweet taste that the protected will never know.
Last night when I got home from work there were two electric scooters waiting in front of my garage. They had just been delivered by FedEx. I was surprised, because I hadn't ordered any scooters lately (ever) and wasn't expecting any. I drew up a very short list called "Friends of the scooter" who might have sent them as gifts, but alas, no luck after a few quick phone calls. So my hunch was either a)credit card fraud or b)computer glitch from company I had already ordered from.
I called the scooter merchant this morning, and sure enough, someone had used my wife's AmEx card number to order the scooters and ship them to an address just a few miles away. Thankfully, as the nice owner of the scooter co. informed me, they have a policy of only shipping to the billing address and the sweaty-toothed madman didn't get his precious scooters. Ha!
So since the nice owner of the scooter co. shared the IP address of the person who made the order, and being a huge internet nerd, I have already traced the origin (via nslookup) to an AOL user who was logged in and using AOL at 11:53am on 9/7/03. I might just have the means to track this guy down. I'm turning this over to the credit card company immediately, but the "sue everybody" American in me wants to go after this bastard for mental anguish, lost time returning the scooters, making this post, etc., and emotional damage to my 3 year-old daughter who was understandably excited about the scooters (perhaps even as excited as me!).
What do you think?
Story repeated at my blog
slashsearch.org - slashdot search. powered by google.
Read more on VIN numbers and stolen cars at snopes.com:
http://www.snopes.com/crime/warnings/vin.asp
As stated in the link, I highly doubt anyone can just steal a car off the shopping mall lot. It takes too long to get a key made. You will be home by then. Also, I think covering the VIN number may be illegal in some states/countries.
~afniv
"One could be glad if the air were as clean as the beer"
Richard von Weizs
What is the post office going to do? Nothing. Hundreds of thousands of mailpieces, some containing financial and personal information, go through some of the larger metro Post Offices every day. You think your carrier is going to remember anything about that one piece of mail from you know who that should have been there last week? The postal inspectors will look into the obvious more severe cases, but they have their limitations also. FBI doesn't even look into every case either.
As far as getting reimbursed for one shipment from Amazon, read above to understand why Cringely repeats the "we'll investigate it phrase", something I say every day.
If you think that FedEx or UPS will solve the problems, then you might be right. Of course you get what you pay for. If you pay for the same type of delivery from USPS, express mail, then you also get tracking, insurance for up to $100, service to a PO box (if needed), and all for less. If you look for minimal cost, expect minimal service.
You can't prevent crimes from happening, you can only improve the ability to catch the criminals, and reduce the damages.
Sure you can, especially when the current security system is virtually nonexistent.
My proposal is simple:
* 2 key-pairs are issued to every individual by the DMV
* The first (public) key is freely given to everybody
* The second (private) key is stored on a chip in a credit-card sized pocket calculator like device, or smart card. ($5-$10 device which is paid by the driver upon issuance)
When you need to prove your identity, you will be challenged with a random number, which can only be encrypted with the private key and verified by the public key.
* Challenger gives you random number
* Your encrypt device encrypts number with private key
* Challenger verifies encryption with public key.
In the event a private key is compromised, the corresponding public key will be published on a public database (which keys institutions should be required to check) and a new private key will be issued.
The encryption community has come up with many solutions for this problem over the last few decades, and I know the consumer electronics and card issuance industry (in which I used to work) would love nothing more than the government to stop dragging its heels and select one of the many drafted standards.
We can solve this problem without creating another government institution or delegating it to one corporation.
Why aren't nerds pushing for an open and honest solution to this problem? Isn't solving problems like this a nerd's wet dream?
Like I said before, even a half-assed scheme would be better than our current social-security passwords.
Don't like my solution? What are your ideas?
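The challenge-response and revocation flow proposed in this comment, written out as an added example that is not part of the original post. It uses an Ed25519 signature as the private-key operation, and the `Registry` and `Challenger` classes, the holder name and the in-memory revocation set are assumptions made for illustration.

```javascript
// Added example (not from the original post): random challenge, response made
// with the card's private key, verification with the public key, and a
// published list of compromised keys. All names here are hypothetical.
const { generateKeyPairSync, randomBytes, sign, verify, createHash } =
  require('node:crypto');

// Compact identifier for a public key: SHA-256 over its DER encoding.
function fingerprint(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return createHash('sha256').update(der).digest('hex');
}

// Stands in for the issuing office and its public revocation database.
class Registry {
  constructor() {
    this.current = new Map(); // holderId -> current public key
    this.revoked = new Set(); // fingerprints of compromised public keys
  }
  issue(holderId) {
    const { publicKey, privateKey } = generateKeyPairSync('ed25519');
    this.current.set(holderId, publicKey);
    return privateKey; // in the proposal this stays inside the card's chip
  }
  reportCompromise(holderId) {
    const old = this.current.get(holderId);
    if (old) this.revoked.add(fingerprint(old));
    return this.issue(holderId);
  }
}

// Card side: answer a challenge using the private key.
function respond(privateKey, challenge) {
  return sign(null, challenge, privateKey);
}

// Institution side: keeps the public key it was given at enrolment.
class Challenger {
  constructor(registry) {
    this.registry = registry;
    this.onFile = new Map();  // holderId -> public key
    this.pending = new Map(); // holderId -> outstanding challenge
  }
  enroll(holderId, publicKey) {
    this.onFile.set(holderId, publicKey);
  }
  newChallenge(holderId) {
    const nonce = randomBytes(32); // unpredictable, so old answers are useless
    this.pending.set(holderId, nonce);
    return nonce;
  }
  check(holderId, signature) {
    const nonce = this.pending.get(holderId);
    this.pending.delete(holderId); // each challenge is accepted at most once
    const publicKey = this.onFile.get(holderId);
    if (!nonce || !publicKey) return 'no-challenge';
    if (this.registry.revoked.has(fingerprint(publicKey))) return 'revoked';
    return verify(null, nonce, publicKey, signature) ? 'ok' : 'bad-signature';
  }
}

// Walk through the cases the proposal has to handle.
function demo() {
  const registry = new Registry();
  const bank = new Challenger(registry);
  const cardKey = registry.issue('alice');
  bank.enroll('alice', registry.current.get('alice'));

  // 1. Genuine holder answers a fresh challenge.
  const firstAnswer = respond(cardKey, bank.newChallenge('alice'));
  const fresh = bank.check('alice', firstAnswer);

  // 2. Someone who recorded that answer replays it against a new challenge.
  bank.newChallenge('alice');
  const replay = bank.check('alice', firstAnswer);

  // 3. The card is reported stolen; the thief answers with the old key.
  const newCardKey = registry.reportCompromise('alice');
  const stolenOldKey = bank.check('alice', respond(cardKey, bank.newChallenge('alice')));

  // 4. The bank picks up the reissued public key; the new card works.
  bank.enroll('alice', registry.current.get('alice'));
  const reissued = bank.check('alice', respond(newCardKey, bank.newChallenge('alice')));

  return { fresh, replay, stolenOldKey, reissued };
}

console.log(demo());
```

Case 3 returns `revoked` only because the institution consults the revocation list on every check; the signature made with the stolen key is itself still valid, which is why the comment wants that lookup to be mandatory.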
"Communism is like having one [local] phone company " - Lenny Bruce
Over here we have debit cards (with almost unlimited credit, which is interest free for two months).
Where is "here"?
This is not correct. Despite this, financial advisors repeat this like a mantra.
It's partially correct. By leaving a bunch of available credit around (unused credit cards), you increase your accessible credit. When deciding whether to extend credit to you, creditors usually look at this number. Old credit cards that you never closed => larger amount of available credit (that you don't use) => lower amount of credit that you do use.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
The same mail theft leading to attempted identity theft thing happened to me last year. Even better, the guy's court date is coming up in LA. Anybody want to Slashmob the jerk's trial?
Short version is, my entire family goes to Morocco and Italy for a month. While we're gone, the person who was supposed to be picking up the mail, ehm, forgot, let's say. So, when the morons at our escrow company decided to send the DEED to the house in regular ol' 1st class mail, not certified, not registered, and sure as hell without calling first, some nutbar picked it up.
Thank god he was too stupid to realize he was holding a $1,000,000+ piece of paper, with loan documents that included SSNs, account numbers, dates of birth, and (don't ask) mother's maiden names.
"Life's funny sometimes." "And sometimes it isn't." --Cat's Cradle
Three months later, I get a call from ATT wireless about my enormous phone bill. I told them they must be mistaken so they tried a couple of different things to verify that I was me, then called the cell phone to do the same thing. Obviously the person on the cell phone couldn't answer the questions.
As far as I know, the only thing that happened was the cell phone account being closed. I would have gladly paid the bill if they would have just given me the cell phone number and a list of called/incoming numbers.
My plan was to find the bastard and call him by my name while beating the shit out of him until he fessed up that he wasn't me and told me I have the wrong guy.
That is not correct. The law places restrictions on how government agencies can use your social security number, but private companies are generally not covered by such laws.
The Privacy Act of 1974 requires government agencies to declare why they have the authority to request it, whether it is voluntary or mandatory to disclose it, what they will do to it and what happens if you don't provide it. Also, the Act requires that those agencies that request your social security number, but do not require it, must provide a mechanism for an alternative identification number. But, and this is important, the law applies to government agencies only. Also, if the agency was using social security numbers as identifiers prior to 1975, they may continue to use them.
The business about the SSN not being some sort of universal identification number springs from the notification on the card that it is not for use for identification purposes. You'll find, though, that there is no law forbidding its use as an identification number.
And, incidentally, the Privacy Act of 1974 carries no penalties for its violation.
-h-
When the original Social Security act was written, many were concerned about creating an Ad Hoc national ID number. So, it was written into the original act that the SSN would ONLY be used for purposes related to taxation and administration of the social security system.
;)
IT IS ILLEGAL FOR ANYONE ELSE TO DEMAND YOUR SSN.
This means that anytime you are being paid, receiving money, or items that may result in tax credits, it is legal, so everything related to employment, prize winnings, interest payments, etc is fine.
However, for insurance companies, doctors' offices, Departments of Motor Vehicles, and even the police, it is illegal for them to demand it, although they can request it.
But, you must be insistent and sometimes a bit devious to effect this.
When you are signing up for any insurance or signing up with a doctor or medical office, the SSN is the first thing they demand. With the insurance company, if on paper, just enter "Issue New ID" in the SSN field. If talking to a person, they will tell you that they need the SSN to proceed. Insist that this is illegal, that they have other procedures, and ask to speak to their manager. The person will resist for some time, then come back sheepishly and tell you that they can issue another number. For doctors' offices, give them the number that the Insurance company issued, as if it was the real number.
For DMV, you usually have to check for some special exception on a form or even get a special exemption form, and you may have to forego some kind of conveniences, e.g., you may have to go to the office to renew, instead of them sending the card.
With the police it is a bit more tricky, especially when some officer in Junior Gestapo mode is demanding your info at a traffic stop. I've found that they appreciate neither being told the fact that they have no right to demand that information, nor being asked if they are going to be paying me something. The best route is to simply say "I don't remember it exactly, and I don't want to risk giving you false information", which they cannot really argue with (they don't know that it only takes you 4 seconds to permanently memorize any 47 digit sequence you encounter).
All of this is well worth avoiding all the extra links that could be made by anyone fishing in your data.
I guess it is identity paranoia day here at /. . Anyway, this does bring up the issue of how much information needs to be out there. Personally, I think a system of identity verification could be a killer for identity thieves. I am not talking about a govmint issued ID that will freak a lot of people out here, I mean like a DNA based encrypted PIN. Or something. Just a thought.
Did you know that the crime of identity theft is virtually unknown in Europe (at least in Germany, where I live)?
And there are some obvious reasons for this:
- Nobody in Europe has mail boxes without a lock. European mailboxes are usually flat, upright, rectangular boxes with a slit on the top of the front where the mailman drops the letters and they fall down a slide so you cannot get them out without using either very long pliers or, of course, the key to unlock the door at the back.
- No bank would give you a checking account or a credit without checking your ID card and making a photocopy of it and noting the number. (Remember that in most European countries (except e.g. the UK) every citizen is required to have a national ID card which you show whenever somebody has to be sure of your ID. These cards have all kinds of witty security features to make them really hard to counterfeit.)
- All laws and courts agree that a reasonable proof that somebody did make a business transaction is a signature on a piece of paper, or at least some computer record showing that the customer has entered a secret PIN. 'Secret' meaning, that nobody else should be able to know it. (PINs are printed out by the banks' computer systems and put in a sealed envelope without any employees being able to look at them.)
- Especially, if you told a court that a business transaction was valid because you checked the caller's identity on phone by asking for his SSN (or some local equivalent of this), his date of birth or his mother's maiden name, the judge would probably only laugh at you.
While staying for half a year in California, I was quite astonished about the lax way of checking identities common in the US.
(For example, I got liability insurance for the used car I bought by just phoning the company. The guy asked for my Visa card number, then said 'Fine. Your car insurance is valid starting now, i.e. 4:13 pm.' That was great and convenient, but after all, I still prefer the European way, where they'll first ask 'So, how do we know, that this was your credit card number, and not taken from some receipt you picked out of a trash can?'. At the very least they would want proof of your address so that they can send you a court summons in case you tried a fraud.)
He read the earlier /. article and downloaded the Whois database.
Today everyone puts confidential information on forms, etc. and submits them "securely". Well, SSL is a good start but the biggest cause of identity theft is the human factor. For those of you who have a Paypal account, maybe you got an email in the past couple months that said your account was being verified..blah..blah... Have any idea how many people fall for that crap? I train people for a living to teach them how to stop this type of information theft and yet my own family still calls me up to ask if it was bad for them to have entered all their personal information in a piece of email.
Kinda reminds me of when the popups started appearing that looked like Wintendoze had an error but were really adverts for some corporate sleazeball to sell his lame software...pfft.
0x09F911029D74E35BD84156C5635688C0
it obviously isn't worth $65 billion.
What a bank considers an ID confirmation is just pathetic. I mean, come on, Mother's maiden name when every other bank also uses it? 4 digit pin codes?
They belong back in the 19th century!
We need to task the NSA, or a DARPA project, or any serious professional, with coming up with a secure banking id system, one that meets serious security standards, and just get the damn problem fixed. I think that if you picked any code breaker at random and gave him the task, he'd come up with something a hell of a lot better than what we got. If you held a nice contest, it would come out really nice.
If we got some modern crypto-spooks involved, if we could get to where the KGB had to sweat even a little to crack our identity system, identity theft would be a crime very few could give a try. Just try reading a few books about what the KGB and CIA have to do to crack each other's security, and then compare that to mother's maiden name and social security number.
That is the solution.
As a minor improvement, all credit cards should be required by law to have photos on them that were supplied by the government, and verified to be the unique current registered photo for that id.
All transactions not serious crypto-verified should be illegal to report to a credit agency.
Selective Service Administration
Remember, Amateurs built the ark. Professionals built the Titanic