Identity Theft-What Can Really be Done w/o a SSN?
TheItalianGuy asks: "Many of us that work in the financial sector are bombarded with daily security threats. One of the biggest these days is Identity Theft. My fellow comrades and I have been really grilling each other on differing scenarios on what could be done with what information. However, it all seems to come back to the Social Security Number. Financial companies have other controls in place (customer service verification checking, account passwords, etc) to ensure identification. But in order to be of any use, a bad guy would really need someone's SSN. Absent of that, other information would be useless. Right? That's what I would like to ask Slashdot folks. What could be realistically done with customer information without a SSN? Account numbers, address, maybe a phone or payment amount. Is that really dangerous to the customer if only those get compromised?"
Stalking
It seems to me that SSN would be of moot importance if you have everything else. Especially for lower age victims where "I'm sorry sir, I don't know my social security number" might be a valid answer..
Considering so many uses only request the last four digits, that makes the SSN a really insecure PIN in some cases. Insecure because it's only 4 digits, and because it never changes.
"Everything you know is wrong. (And stupid.)"
Moderation Totals: Wrong=2, Stupid=3, Total=5.
123-45-6789 Do your worst!
If you had someone's credit card, you usually don't need any other type of ID at all.
Or if you were buying something online, and you had someone's credit card info and what not, you could make purchases without the SSN.
Account numbers, address, maybe a phone or payment amount. Is that really dangerous to the customer if only those get compromised?
Why don't you post your credit card account number here and find out? Or, if you'd rather, you can email it to me privately.
Secession is the right of all sentient beings.
I think a lot has to do with knowing who to talk to; the problem of not having a SSN can also be solved via identity theft. At the school I'm getting my Master's from, you can call the financial aid office and get information on your account by using your name. I've always thought it was convenient, but I can certainly see how it's very dangerous.
I remember watching a special about identity theft, and basically the point of the special was that with just a name and address, they were able to gather basically everything about the person. So with enough dedication and the right resources, getting a SSN is possible. Which is why I have since moved to 123 fake street.
30% Troll, 50% Underrated, 10% Interesting
Score:5, Troll
While a lot of Universities are moving away from this, a lot of schools still use SSN for all kinds of identification and logins and such. Just by paying careful attention during different freshman events, like, applying for a student ID, a person can get this information rather easily.
Some companies don't check your SSN, so you (and everyone else) could use a fake SSN to register there. And if you have the social skills, you can talk a lot of companies into giving you the SSN that goes with the name. Of course I'm talking about crappy companies, but there are a lot of crappy companies that require you to give your SSN to register for their services.
If you had someone's birth certificate you could then find out their SSN. As well as apply for a passport.
Account numbers, address, maybe a phone or payment amount....
:)
Please post your info here, and I'll see what I can do
It's called an aggregation attack. If you have all the pieces but the SSN, not only is it relatively trivial to obtain access to the SSN, but it's pretty much superseded by everything else.
The truth about Scientology, Xenu, and you: Operation Clambake
Isn't the question more along the lines of "What CAN'T be done with a SSN?" Seriously - almost every financial transaction needs this number, which as far as I know wasn't ever supposed to be a national ID number. It seems like the overarching importance of a SSN is what makes identity theft so easy. There have been several times where I've not had all the security information when talking to a representative on the phone, but the fact that I knew my SSN trumped everything.
$45 per U Colocation Special
Why does every company still legally insist you provide that information? Isn't it illegal to ask if you're NOT a federal institution?
I've worked for companies who gave my SSN to my health-insurance company as my member ID. Why do they need it, and what the hell is it being used for as my member ID? Yes, with your SSN, people can do a lot of evil things. Handing it out willy-nilly (without asking you) is just as bad.
But why is it legal for an employer to just hand this out to third parties? I think the abuses of how people use SSNs stem from the fact that way too many companies ask for it, and way too many companies hand it out to their vendors without any real regulatory restraints.
IMO, it should be illegal to pass out that information without my consent. But I've seen too many examples of my employer passing it on without asking me.
Lost at C:>. Found at C.
Personally, I don't care if someone steals my stupid identity. Identity theft is only a concern if you need credit. Why do corporations use SSN's to identify people? That said, I am more afraid of the govt. stealing my identity and throwing me in jail. What a crappy system SSN's are. Hell I would post my SSN on here. Hell, make me a shirt with my SSN and address information printed on it.
Incidentally, Richard Nixon's social security number is 567-68-0515; there are many cases where a given agency doesn't actually need your number, and it's perfectly appropriate to give them his instead. Have fun.
I used to carry a bottle of whiskey for snake bite. And two snakes. -Nefarious Wheel
I hate to flip the question at hand on its head, but a friend of mine got himself into a potential landmine of a problem last week when he possibly *LOST* his SS ID card at the subway station. (We're all still praying for him to find it elsewhere, but the chances of that are pretty grim. Guess that'll teach him to start using a wallet like us normal people. But a better lesson would probably be to just not carry the damn thing around - how hard is it to memorize 9 digits anyway?) He said he didn't think a person's SSN could be changed. Any advice on what he should do or be prepared to deal with?
Stay sentient. Don't drink bad milk.
By college age you have used your social to fill out god-knows-how-many college applications, college loans, car loans, drivers license, etc. Before 18 you shouldn't be in the position to have access to something requiring a social security number unless you have access to it (IE: a bank account)
-everphilski-
I never thought I'd have an issue with identity theft, as a Vice President at a top 5 U.S. bank (in IT, of course). Two years ago, I was building a MythTV DVR PC, and wanted to get a good deal. I scoured the internet for the lowest prices on every individual component, and along the way, apparently ended up giving my Visa CheckCard number to the wrong person.
Suffice to say, they did not need my SSN, or anything beyond what would normally be used to purchase items online. I found out when my card was denied at a store - the thief had emptied my primary checking account, and because I had overdraft protection, the attached savings account in one night. Nice thing was, the bank immediately reimbursed me for the fraudulent purchases, followed up with the police, and prosecuted. (Not simply because I am an employee, mind you - but I did get something most people in my situation don't, follow-up. Typically, the bank reimburses a customer and follows up with the authorities separately - without ever contacting the customer again unless required.)
Now, I use a random card number service associated with my credit card to purchase anything on the internet. It may not be the worst form of identity theft, but it can be inconvenient, expensive, and time-consuming to recover. I had to deal with bounced checks for bills, and set the fraud alert on my credit bureaus as a result of this. It's certainly worth using a temporary card service if your bank or credit card company offers it.
Just my "It happened to me" tale, but it's one we hear over and over again these days.
"Adventure? Excitement? A Jedi craves not these things."
Start with google and Zabasearch and go from there. I would suggest running a background check on yourself..... well you get the picture.
-Palal
Having forgotten the password to my bank account's online access, I walked into my bank and asked to get a new password. Somewhat to my surprise, they didn't ask me for ID or even my account number. I would like to think it is because I am one of the few doctors in my small town, but if so, the lady at the desk wouldn't have asked my name, then how to spell it! Not only is my account visible, but so is our practice's bank accounts...I hope your bank's security is better than mine!!
Building a healthy future; Connecting communities
Recent efforts to place authentication responsibility on the financial institution will, at any end, come back to the consumer. It will be up to the consumer to provide enough secret information about themselves in order to verify their identity which in turn relies on the security of the entire channel of communication. All of this from the microphone on the computer to the guy who sweeps the floor at some phone company, to the cable guy outside your house, and to the honesty of the police tapping your lines without a warrant these days. You could fall victim to this by running any kind of 802.11x, encrypted or not. I'd like to say I am paranoid, but I've had the displeasure of being the recipient of abuse@ for a large AS with more than a quarter of a million IP's. It gets pretty ugly and honestly folks, there is no end in sight as long as we can't fix the bugs in our own machines.
You are about to give someone a piece of your mind, something which you can ill afford...
"So how exactly do I own if all i have are these few details from a romanian site?"
Many scri^W^W^Wsecurity professionals await your responses
Even if it were true that you couldn't do much without a SSN (which many before me have pointed out is not true at all), how difficult is it to get your grubby hands on an SSN anyway? Institutions have been using them as id numbers for YEARs.
I remember reading an article where a reporter gave someone who specializes in digging up info on people just HIS NAME. No SSN.
A little while later he managed to figure out the SSN. He used that to get credit reports. Once he had the credit reports, he found out every conceivable bit of personal info.
Within 3 weeks, the expert got the reporter's complete bank statements, all stock accounts, he knew every financial detail you can imagine. He even found some accounts the reporter had forgotten about. He said, "the only thing I can't get are medical records because those aren't digitally stored" -- well that's changing too of course.
How did he do it? Once he got the credit report, he would just call up a bank or brokerage house and announce in a loud, authoritative voice "I'm conducting an *official* investigation into such and such and I need this and that info" and because he knew how to do it correctly the person on the other end would blurt everything out immediately almost 100% of the time.
"Attack submarine, designed to seek and destroy enemy submarines and surface ships. Their other missions range from intelligence collection and special forces delivery to anti-ship and strike warfare. It is a multi-mission vessel, capable of deploying to forward ocean areas to search out and destroy enemy submarines and surface ships and to fire missiles in support of other forces."
Sounds pretty serious. If you have an SSN, you should definitely not let another person or country get hold of it. Frankly, I'm amazed that anyone in America can get an SSN, but that's liberty for you.
Different Year/Month/Day Born
Different town I was BORN in (yes that was one of the "secret" questions)
Different Mother's Maiden Name (actually I have several of these and rotate them or combine them...)
Different Town and ZipCode where I live
A nonexistent Favorite Pet
Same Gender though....
I did sign on to Classmates.com as one of the kids I hated.
I started getting emails from all the girls that would never go out with me in High School!
I couldn't reply though because it was the "free" version of Classmates.com, however, I took comfort knowing the guy I was impersonating could not sign up as himself as I had already taken that position!
karma's a bitch ain't it?
I like microcars
At least in Texas, the checking account-linked debit cards offer no protection, and no recompense in the case of fraud.
If I consent to be charged $3000 for a gold ring and receive yellow-painted tin instead, then, unless the merchant corrects the error:
If I have a credit card, I can initiate a chargeback.
If I have a check card, I must place a stop-payment on the check, which will not help unless I realize the mistake before my check does.
If my card is stolen, then:
credit - Visa/MC will protect me (terms vary) from charges exceeding the initial $50 or so.
check - my protection begins when 1) I report the card stolen, or 2) when the bank sees that my account is empty - which may not be for 3 days because of check "floating" time.
Why should someone presume that a hacker can intercept a credit card number but NOT the cvs number when used in a transaction?
I would say go to the post office and fill out a change of address form just before tax time. Fill it out for your target person, and drop it in the mail somewhere around Dec 31st. Have the forwarding address sent to you (or better yet a PO Box or something).
A lot of companies send W2's in the mail I would imagine...and they will have your SSN on them. So now you have bank statements, SSN, credit card stuff, just about everything in some cases.
This seems pretty easy when you think about it...which is why I always have my bills and credit card statements delivered online, preferably not to an email address directly, but so that I have to go view the bill each month with a password protected page...at least then someone has to be sniffing my network at the actual time I type the info in (and hopefully then it will be a secure page).
Fortunately, messing with someone's mail is a pretty serious federal offense, so most people will not cross this line and redirect your mail. Also, the post office eventually sends out a notice to the old address which basically confirms the change of address, so you would have to intercept that as well in order to delay the person from finding out you're stealing their mail.
This is probably all pretty far fetched, but certainly possible under the right circumstances.
I've been helping a relative with Alzheimer's, and I've been able to do pretty much anything I wanted, aside from dealing with actual money.
Telephone service is particularly easy to mess with; I just called repairs and ordered service changes and no attempt was ever made to check on me. I was able to add and delete services, change phone numbers and billing addresses, etc. I didn't even have to be at the service location to order any changes.
For utility accounts, all the info I've ever needed was on the bills. Again, I was able to change services, update billing records, etc. all without any difficulty. It's been very convenient for me to be able to set things up without having to muck around with Powers of Attorney and so on, but it gives me the shivers to realize what must be possible to one "skilled in the arts".
Once you have utility bills with your address on them you can establish a residence and a lot of stuff follows from that. For instance, I could easily get a library card and enroll my kids in school in the town where this relative lives.
With a little bit of creativity I could probably do stuff with money, too. I guess it's a good thing I'm honest, huh?
Considering that acquiring the SSNs of large groups of people is as easy as getting a desk job in certain businesses or educational institutions, I'd say getting an SSN is probably the EASY part of identity theft. How much can be done without having one would seem to be a moot point.
I suppose it all depends on what you consider to be potentially damaging information. You may not be able to run up my credit card if you possess my account number with my cellphone company but you will have access to information I consider private. Imagine, for example, an employer suspecting you of having contact with a rival company. It would be possible, with information other than your SSN, to obtain copies of your call records. I would consider this a breach of privacy and potentially damaging.
I expect (though I don't always trust) any company I give my personal information to keep that information private no matter what that company perceives the potential damage of that information to be. The bad guys are often more innovative than the good guys and who knows what they can do with any given piece of data?
You guys know this SSN thing was dictated by db schema developers. What's a good primary key...hmmmm...SSN! yeah that'll do. Hey that could also be a good default password. Yeah or login name! This is great as long as every other financial or educational institution doesn't pick up our idea.
SSN isn't the problem. Anytime you have a national universal "user id cum password" you're asking for it. Inside a state DL#s are probably somewhat a commodity in dark hat circles. Though not as useful in financial situations.
Isn't SSN and other more personal info available from credit reporting agencies with some $$ and a name for any jackass?
When you open a bank account do they check that your SSN matches your name?
I often give a fake SSN especially when I think the organization asking for it shouldn't, like when I get cell phone service for example.
Why is the ID the government uses to key their database so valuable? Because the system is BROKEN. SSN should be (and actually pretty much is) public information, just like your name. Anything requiring secure authentication should use a shared secret (such as a PIN) or some even more secure mechanism. Using a non-secret value as a shared secret is just plain brain damaged. I'm constantly amazed that this never comes up in the press coverage of 'identity theft' (which should really be called 'identity offered for the taking by idiot financial companies').
Perhaps you should pick up a copy of "The Art of Deception", or realize that all of a person's *private* should be kept *private*, not just because it can be a security risk, but because you've been trusted with information that the client wouldn't likely wear on the back of their shirt.
A little old lady had moved a year earlier, and a credit card co. sent her "checks" to use against her credit card... to the old address. So, whoever moved in there (or whoever stole the mail) was using the checks before they expired for things that were nondescript. Wrote the checks to pay some bills and buy some things, local address sure come on in no id required. Yes it is that easy and that simple. However, if you have all the pieces it gets much worse.
I'm waiting for RIDS - Retinal Identification System, gonna use my glass eye, eh Sammy?
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
Theft implies that someone takes something from you which you no longer possess. You still own your identity after "identity theft"; it's just been tarnished by some douchebag. Therefore, it is not right to call it "identity theft"; we should call it "identity infringement" (or just plain old "fraud") so as not to confuse the issues.
Just curious as to what you can do with a SSN and no other information. I suppose you can try to find the rest of the information of the person that the SSN belongs to... but isn't it weird that so much of our identity relies on a single number?
I wonder, does anyone even *need* an SSN to do much 'identity theft'? Sure, it is often demanded on forms, etc... But of those that ask for SSN, how many organizations actually verify it or use it in a manner that would implicitly verify it? I think someone's identity could be well-tarnished just with a name and address.
After all, banks in the US long ago stopped checking signatures on checks to see if they actually match... They basically will cash any check with a scribble on the signature line. I suspect the handling of SSNs might be similar in some circumstances.
Not a bad safeguard in the US, but what about foreign companies and transactions, a lot of people have dealings with companies from many countries and your US SSN just isn't a factor.
Out and out identity theft might be ruled out but someone with your personal information could still cause you serious problems.
I'm in my first semester back to college from a 14 year break. I've only showed my ID twice (when I was getting my books and when I got my school ID). Every other time, it's social security number recited to show who I am. Don't have my driver's license when I get pulled over? No problem. I have the DL number memorized, which usually surprises the officer enough to let me go (not that this happens regularly, mind you).
I don't know about anyone else, however I view information such as you've listed as being privileged. Said information may not be so described legally as being privileged or confidential, but that's just how I feel about them. SSN is the most critical of course, but you said discount it. Account numbers, mailing address, Names, birthdates, familial relations and phone numbers could all be gleaned by some amount of investigation by a person or persons so inclined at getting it; it'd be a lot of work, but it could be done. You then have a picture of "me," who I am, what I do, why I do, etc. You might be able to do something with this, like call up Dominoes and order a pizza, or get online and buy a book from Amazon. If you call the right guy at 1st National Bank of Bumfuck, you might just be able to break into my account and steal my money; how much is that guy getting paid to look out for my interests?
All this being said, if a company doesn't do what I consider adequate protection of my information, I don't want to do business with them. It's not that a malicious user couldn't get it any other way; I just don't want to make it any easier for them to get to me. Let them go hog-heaven on the blue-hairs that don't know any better.
And I haven't even talked about your real question. What could one do with a "lowly" account number? Well you tell me. Let's say that's all Joey Malicious has on me. Has he hacked in to your network? Does he have access to your applications and know how to use them? Do you KNOW he hasn't? All I know is that when I call the credit card company, they want the account number and SSN. Are they typing it in with me and can't proceed without me, or are they verifying my answers against what they see on the screen?
What if Joe Malicious works for your company? I'd say you, as a member in the financial industry, are in a much better place to answer this question. YOU need to tell ME that my fears are unfounded, that technically Jane Helper can't review my account info and do a transfer without my account number AND SSN AND mother's maiden name AND first-born son's DNA because she has to enter it into the system as well. Of course, most financial institutions don't disclose their security practices (or lack thereof) for obvious reasons. None of us outside your "closed-source" way of operating can truly trust the process. All we know is that the threat is real, and we have little control of the problem.
In Australia, the closest equivalent we have is the TFN (Tax File Number). The only people that end up with it are:
As far as I can tell, it is NOT an offence to refuse to give it to any of these groups. That includes the Tax Office themselves. There are consequences of not quoting it, however. Namely, all tax payable is taken out at the maximum tax rate. To not give it to the ATO means that your tax return can be delayed while they search for you by name and DOB.
Also, it's pretty crap as ID for banks, because all they get is a small note on the screen of your account details that says "TFN received" or similar. This makes much more sense, IMHO.
In theory there is no difference between theory and practice.
In practice, however, there is.
Any number of fast food restaurants and mall stores will be happy to take your credit card for smaller purchases, without doing any form of identification. Some don't even require you to sign anything! My local grocery store gas station is happy to do that.
I have "check ID" on the back of each of my cards. That's usually ignored, even when they look at the signature, which they rarely do. I know someone who only uses a wavy line as a signature when asked to sign an electronic pad, and that is never questioned, either. Anecdotal remarks from past Slashdot articles on the same issue indicate that even writing obviously fake names or 'do not pay' remarks are accepted.
If someone can copy your magstrip, or even just your credit card number if they know how the banks encode that stuff, they'll have a ready line of credit until the next time you check your bill. And even though you will likely get the charges dropped, (my cards promise to waive the $50 deductible, too) it will still be a hassle, screwing up your finances while you have to change automatic payments to reflect new account numbers, etc.
In my case, getting American Express to take my complaint seriously took a couple of months, even though the charges were coming from some foreign country, possibly because the repeat charges were under $20 each month. At one point I was told there was no need to change my number, it was probably a billing error, and I'd have the money refunded; the next month I was in the phone queue again, asking a "supervisor" why they didn't remove the charge and demanding an account freeze and new number. I'm guessing the credit card industry still doesn't care all that much, because they take a certain amount of fraud as granted when they charge stores who accept their cards, and also customers who carry balances. The more convenient they make it, the more they can charge stores who offer it. And the stores usually get stuck with the bill if it's fraud, anyway. So we end up paying, one way or another, for their business practices.
It amazes me that a government agency in charge of 'managing' a computer security -- sorry, Assurance -- program would use such an item for a User ID. Even more amazingly, when I started the program, that little lock in the bottom right-hand corner wasn't even there! OPM did not appreciate me addressing the irony of website's security when I started the program.
My side job requires me to do office support for small businesses and this is something that I have noticed: Verizon DSL requires NO real information from me other than "I am performing work for so-and-so. I need to reset the master password." I have done this on at least 10 occasions in the past 12 months or so. Their idea of verification is to ask: "are you authorized to make changes to this account?"
After I get the master password reset, I can:
1: Add, remove or access all sub email accounts
2: Cancel the service
3: Upgrade the service, etc.
However, Comcast, the other major provider in the area, has an incredibly anal password reset process, that involves your account numbers, SSN's, etc... It's always a bitch to do.
Now, from the perspective of a systems support guy, Verizon's procedure is AWESOME. Makes my life easier.
But you can be damn sure that when I get their FIOS service that I am going to demand some form of account lock that cannot be deactivated by anyone but myself.
Well, soon all you'll need to do is to clone someone's RFID tag and you'll be good to go. I can see many Christians turn hackers once you're required to have the mark of the beast implanted into your body.
[ brakken ]
That system just doesn't work, all the paranoia about not having a universal ID, yet you all have some sort of ID (driver's license, SSN, etc). In other countries, it's standard to have a national ID, which is similar to a passport, and required for important paperwork (at least in my country, a card ID is also available, much better for everyday use). Identity theft is unheard of, and easily proven.
I have all of the info necessary for stealing this guy's identity except his SSN. What all can I do without it?
Signed,
John Q. Criminal
So here's my short tale.
:-) [not me, but I've seen it before].
I've never had an identity theft, or any other issues, but I have a lot of financial accounts.
Every bank, every company, and every place that questions my credit tends to request my SSN. Some, if I ask "can I give you something else", respond affirmatively, but most do not. So your SSN is distributed to any company that you ask for financial consideration.
For the rich, that never changes, really, so it's rare you worry about it, unless you're stupid. If you're lower class, you'll never be a victim, if only because you'd never be approved for new credit (for most cases..)
It's the middle class that gets killed. The middle class changes accounts as it serves their benefits (ccard interest rates, cash back, etc). These incentives mean little to the wealthy as they've negotiated (close to) prime rates, but it means the world to those who pay 26% on their cards.
Basically, yes, your SS is protected, until you give it away... But the rich don't need to, the poor don't need to, and the middle class can't afford to deal with identity theft. _That's_ why it's an issue.
[Mind you if someone below middle class gets hit, it's even harder, but it's rarer for them to be targeted, cite above...]
-- (appended to the end of comments you post, 120 chars)
Ebay must be run by a con artist who wants your credit card just to verify your identity!
Don't worry- they don't want to charge anything to your account. They just want your account
numbers for their database. Sounds like pure bunko.
Should this be a red flag?
Would be to have some bank deposit slips. You already have a name and an account number. Just give a sob story about how your wallet got stolen with your license in it. All you have to be able to do is produce some form of ID that is convincing... Say, an old high school photo ID. If you have someone thorough, then they'll ask additional information. If not, then you're as good as gold as long as you don't get too greedy and try to pull out too much money. I only say this because it happened to me. I was mugged, I have an honest face, and I pulled out cash of my own account. Not too hard. Trust me.
Every piece of data is another tool to be used in social engineering attacks. The problem is that when they have enough info about you, they can often convince you (or others, such as employees at your bank or doctor's office) that it is okay to give them the SSN as well.
This is why it is important to try to teach people to treat requests for sensitive info (SSN or other) with deep suspicion. Doing this is as hard as trying to teach non-computer literate people about good browsing habits, for I think similar reasons.
The environment makes the nature of the threats complex, requiring complex behaviors to remain relatively safe. Americans are accustomed to having things explained in 7 minute segments between commercials. If you can't make it simple, many people just lose interest.
Your SSN is visible to many people who ought not really to have it; it's a time bomb. The one that bothers me is every clerk in a doctor's office, where the SSN is present on every insurance form, in most cases. (Some companies have consciously stopped using SSNs, and that's a great idea...).
SSN is, of course, the hot button piece of ID. The really dumb part is that your SSN is your password for a number of transactions. Unchangeable and nearly public, of course.
Unfortunately the other pieces of information can act as pseudo "passwords" as well. For example, if you know someone's name, account, and address, you can intercept PINs from the mailbox (though it's a felony), and have at their bank account. For most medical offices, as long as you can rattle off a name and birthdate, they'll consider you who you say you are. That's changing, at least in our organization, as we've begun encouraging people to give us a copy of their photo ID to minimize such issues.
All you need is one piece of information if you are a good con man.
In other words, the SSN may in fact be critical to most really disastrous identity thefts, but a smart thief can get the SSN based on very little prior information.
For example, you can get an official copy of a birth certificate with a wink and a smile. With that you can register for classes at the local community college. A student ID with your birth certificate is enough to get your Social Security card, even if you don't know the number. Student ID can also qualify as proof of residence in an area, which combined with the aforementioned social security card and birth certificate is enough to get a state ID or drivers license.
Badda boom, you have a complete identity, including paper trail, without anything more complicated than forging a signature
To me the question isn't how easy is it to get an SSN, but rather how easy is it to get rid of an SSN without getting clobbered by the system. After all, it can't be abused if it isn't valid.
I personally, would love nothing more than to dump my SSN. First, what am I gonna get out of it? Social security! Ha what a laugh, anybody under 50 will probably witness a UFO sighting first. Second, I consider myself an honest and transparent person, but really, it's none of the state's business where I invest my money, do my banking, and earn my income. These people are supposed to be public servants, they should be the ones inconvenienced by a lack of tracking mechanisms, not me.
Hell even the name is a lie, "social security". Well excuse me but forcing people and employers to pay into a retirement scheme is not sociable, it is a racket, and for most people that's a felony in all 50 states. It's also not "security", does anyone really believe anymore that it will provide security in your elder years? I'm serious, is there anybody??? At all???
Dear Slashdot:
You'd be surprised at what you can get with a phone number.
I speak from experience as everyone knows mine.
Sincerely,
Jenny, 867-5309
Why on earth would you need a SSN? Obviously there are some things you can do easier (or at all) with it than without but, if you really need one for your scam, then just make one (or use a duplicate or...). In most cases though, I'd be happy with their account number and password.
I had someone open up a checking account in my name back in the mid 1980's. The bank didn't even require an ID for god sake. Needless to say, my mom received a call from the bank stating that I was writing bad checks, when she asked for a physical description about me, the lady came back and said I was like 5'4". Considering I'm over 5'10" they cleared me and sent that asshole to prison.
Another stupid idea is certain states here in the US allow people to put their SSN as an ID number on their driver's license.
Dana
Life was hell, then I discovered Linux...
From my ideas page.
A private-key credit/debit card.
Prevent identity theft (if you can keep your hands on your card) by using challenge-response authentication. The POS terminal sends your card a challenge, the card encrypts the challenge and sends it back, and the POS terminal checks it using your card's public key (which it fetches from the credit card company). Bonus points: put a key pad on the card, so that your key is protected with a password, and you know your password isn't going into random hostile machines.
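The challenge-response card described in this comment, modelled as an added example (not the poster's code). It uses an Ed25519 signature where the comment says the card "encrypts" the challenge; the class names, card id, PINs and amounts are constructed assumptions.

```javascript
const crypto = require('crypto');

// Digest used only so the model card does not keep the PIN itself (not a real KDF).
const pinDigest = (pin) => crypto.createHash('sha256').update(String(pin)).digest();

// The card: the private key and the PIN check both live here and never leave.
class Card {
  constructor(cardId, pin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.cardId = cardId;
    this.publicKey = publicKey; // handed to the issuer when the card is issued
    this._privateKey = privateKey;
    this._pin = pinDigest(pin);
    this._triesLeft = 3;
  }

  // The PIN is typed on the card's own keypad; the terminal only sees a signature.
  respond(challenge, pin) {
    if (this._triesLeft === 0) throw new Error('card locked');
    if (!crypto.timingSafeEqual(pinDigest(pin), this._pin)) {
      this._triesLeft -= 1;
      throw new Error('wrong PIN');
    }
    this._triesLeft = 3;
    return crypto.sign(null, challenge, this._privateKey);
  }
}

// The card company: publishes public keys and can revoke a lost card.
class Issuer {
  constructor() { this.keys = new Map(); }
  register(cardId, publicKey) { this.keys.set(cardId, publicKey); }
  revoke(cardId) { this.keys.delete(cardId); }
  lookup(cardId) { return this.keys.get(cardId); }
}

// The POS terminal: issues single-use challenges and checks the response.
class Terminal {
  constructor(issuer) {
    this.issuer = issuer;
    this.pending = new Map(); // challenge (hex) -> card id it was issued for
  }

  // A fresh random nonce plus the transaction details, so a captured response
  // cannot be reused later or for a different amount.
  newChallenge(cardId, amountCents) {
    const nonce = crypto.randomBytes(32);
    const challenge = Buffer.concat([nonce, Buffer.from(`|${cardId}|${amountCents}`)]);
    this.pending.set(challenge.toString('hex'), cardId);
    return challenge;
  }

  verify(challenge, signature) {
    const id = challenge.toString('hex');
    const cardId = this.pending.get(id);
    if (cardId === undefined) return false; // never issued, or already used
    this.pending.delete(id);                // single use
    const publicKey = this.issuer.lookup(cardId);
    if (publicKey === undefined) return false; // unknown or revoked card
    return crypto.verify(null, challenge, publicKey, signature);
  }
}

// Constructed walk-through: genuine payment, replay, wrong PIN, copied card
// number without the key, and a revoked card.
function demoCardPayment() {
  const issuer = new Issuer();
  const card = new Card('card-0001', '4821');
  issuer.register(card.cardId, card.publicKey);
  const terminal = new Terminal(issuer);

  const c1 = terminal.newChallenge('card-0001', 1999);
  const sig1 = card.respond(c1, '4821');
  const genuine = terminal.verify(c1, sig1);
  const replayed = terminal.verify(c1, sig1);

  let wrongPinRejected = false;
  try { card.respond(terminal.newChallenge('card-0001', 500), '0000'); }
  catch (e) { wrongPinRejected = e.message === 'wrong PIN'; }

  // Someone who knows the card id but holds a different key.
  const copy = new Card('card-0001', '1111');
  const c3 = terminal.newChallenge('card-0001', 500);
  const copiedNumberOnly = terminal.verify(c3, copy.respond(c3, '1111'));

  issuer.revoke('card-0001');
  const c4 = terminal.newChallenge('card-0001', 500);
  const afterRevocation = terminal.verify(c4, card.respond(c4, '4821'));

  return { genuine, replayed, wrongPinRejected, copiedNumberOnly, afterRevocation };
}

console.log(demoCardPayment());
```

Only the first verification succeeds: knowing the card number, replaying an old response, or presenting a revoked card all fail, which is the property a static account number lacks.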
Forward me your Account numbers, address, maybe a phone or payment amount and I can show you how much damage is possible!!! :-P
----- Concentrate on promoting more than demoting.
Since Social Security numbers are non-random, could they be sourced? The first 3 digits are where you were born geographically, and if you knew the year, you could narrow it down to a few thousand possibilities, right? Then use death records or something to narrow that further?
I don't know what impact this has on the discussion, but it seemed important to consider.
IMHO SSN shouldn't be a way to securely identify people. They should be considered as an alternative name of someone. It's possible that two people live in the same city or even at the same address, with exactly the same name. But you can refer to them by SSN. That is what the SSN is for, not some 'secure pin'. If you want to identify people, ask for a passport, driver's license, or something with a picture on it.
MOD PARENT UP
True identity theft is when somebody opens new accounts using your identity, obtained using surreptitious means.
Now having said that, isn't the fault really with the credit issuers for making it too simple for credit to be obtained fraudulently? Why should it fall back on the poor, unsuspecting consumer, when the credit issuers are really to blame?
This is classic. I hate the dumb link sales crap
I regularly refuse to provide SSN when talking to credit card companies. ("Sorry, I don't give that information out over the phone.") Only a few times I've had to insist that meant not even the last four digits, and it was always like come on don't make this hard, never like what, you think your line is tapped or something?
Alternate verification procedures vary a lot depending on the service. The business account only checks contact phone number and mailing zip code. Personal accounts start with the same and usually mother's maiden name, and maybe the code on the back of the card and/or the names of other people on the account.
Once I was connected to their fraud and/or security department to perform the verification. About double the number of questions, but the last one lowered my respect for the process, it was Do you usually pay off the card or usually run a balance. Come on, I'm gonna breeze through all those questions and choke on a 50/50 question? It should have been "To the nearest $1000, what is your usual balance?" or something
One time (either the same, or something with credit limit or jewelry) they wanted to know recent purchases. And not the stuff on the most recent statement, they wanted to know yesterday's supermarket, that I went to a gas station, etc.
The only time they actually refused to do something without SSN was when I called to have my credit limit raised (earlier requested it be lowered, so it wasn't above what they were otherwise willing to give me).
Other SSN-related information:
When establishing non-financial accounts you can often insist they not use SSN.
One place really pissed me off because they already had my SSN and when I asked they change it, they kept the last four digits the same. Thanks, not like every moron company in the country thinks that's the magic number proving identity. Changing numbers is worth it. A friend broke into my school account and emailed me my SSN and my friend's. Except mine was a 999-xx-xxxx number. ha ha ha. Just because you're paranoid doesn't mean they're not out to get you. Truer words never spoken. Plus these days people are catching on that if their databases are compromised with SSN's in it they'll have a rough time of it. That goes quadruple for businesses subject to California law, where they're required to tell you when they're dumb and get burned by their dumbness. So I've seen places that previously wanted SSNs reissue ID's with completely account number schemes.
I made a mistake here and wrote "clerk Richard Nixon", yet it should be changed to read as "clerk Richard Milhouse". You know how these things go... Also I can emphasize a little thing about words of art;
Remember to not alienate from the birth-right that the people are endowed by their creator; Richard and Milhouse were created nearer to what people think as God as opposed to NIXON or RICHARD MILHOUSE NIXON or another occurrence of "Richard Milhouse Nixon" unrelated or forged on papers as to defraud a simple and often quiet peaceable man (either male or female) standing on soil or land. I take a more scientific stance on these things, but I try to work them out hand-in-hand that no ill will come to anyone. If it didn't hurt anyone's charisma, just change every appearance of the text "God" or "Almighty God" to "truth" and then that will still not change anyone's animosity towards anyone. Just recognize the living birth-right as opposed to the Freemason-issued Hospitaliar "Certificate of Birth" and you can trump anyone that coerces testimony for a SSN or related redundant enumeration to subject someone to a foreign agent and principle on the other-side of the known seas (world).
without prejudice
To elaborate (but at risk of going off-topic), the basic idea is that if someone wants to store information about you, you should have the right to make them store it on your machine. They can sign it or whatever to prevent you from tampering with it, but if they want to see it again, they should have to ask your permission. As long as it's reasonable, you can let them see it--unless you change your mind. Even including your SSN.
This is not really as radical as it might seem. Only a few years ago, pretty much all of your personal information was stored in your punkin head, so to speak. If someone wanted to know about you, they HAD to ask you. From that perspective, the essential principle of the Fifth Amendment is that you didn't have to tell them if you don't feel like it. However, these days it is increasingly less necessary to ask you anything--someone else already owns your data.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
The large penetrations of institutions you read about have ALL the information needed for a credit card scam on you packaged and available for sale online for about $100 per. That's many millions of accounts. So the threat is the underworld run botnets that force decryption of major institutions through massive denial of service attacks that defeat the encryption algorithms. The threat is actually the collapse of the currency of the state.
Let's not forget the potential of false-immigration and the legit SSNs issued thru INS. I've not only heard of but also seen in action how Mexico issues national identities, and how easy it would be for one of those (falsified or legit) to become an American citizen, and inherently get a real SSN....oh, the possibilities.
For a long time I used to look at my SS card every time I wanted to use the number. Besides, AFAIK, most banks want to see your SS card.
One thing that bothers me is that a person's credit report is tied to their SSN. So if you want to look up your credit report, apply for credit, or do anything significant financially, your SSN is required. And then there's some new provision to the Patriot Act, according to financial institutions, that they like to use as an excuse to require a person's SSN. Is this legitimate? I know that there was a law in 76 or 80 that mandated that a consumer was under no obligation to ever give out his SSN to companies, but I've also found in some circumstances, such as applying for credit, if you refuse to divulge this information, they will not accept your application. Are there really any alternatives?
And does anyone have any experience with the commercial "free credit report" companies? They obviously take people's SSNs. I've wanted to pull my credit report but have been wary of providing a SSN to some third party over the net.
Thoughts? Comments?
I'm this guy: http://marc.theaimsgroup.com/?w=2&r=1&s=derekm+hac kunix.org&q=a
And these are my vitals:
Derek P. Moore
PO Box 10051
Kansas City, MO 64171-0051
SSN 323-80-9292
Uh oh, someone is really gonna fuck me over now... I'm shakin' in muh boots.
-=/\- Jizzbug -/\=-
Well, for total identity theft you probably need the SSN. However, a lot can be done without the SSN. Given someone's name, address and birthdate you can get a forged driver's license that'll fool most clerks. If you also have their driver's license number, it'll fool most electronic checking systems as well. Know their checking account number and that gives you enough to write checks in their name. Know their credit-card number and expiration date and you've got enough to run most credit-card transactions. Just knowing the name and checking account number gives you enough to submit an electronic check against their account (you'll have to move fast to get the money out of your account and disappear before they notice the discrepancy, but if you've got that forged driver's license you can probably open a throwaway account easily enough).
Looking at it, a name and date and place of birth seems to be enough in most cases to get an official, certified birth certificate for that person sent to you. Just make sure to pay by money order, not credit card. A birth certificate's a stepping-stone to a lot of... interesting things.
In New Jersey, USA there are several laws regarding the possession of the physical documents when operating a vehicle... doesn't matter if you can hand draw a beautiful rendition of your license including the picture done in charcoal, you'll still get hit with a $180 ticket for not being able to present the actual license, registration, and insurance card on demand.
I wish there was a choice that said "Factually Wrong -1" when I mod.
1) Walk into registrar of Births/Deaths/Marriages
2) Claim to be Joe Bloggs, citing correct date and place of birth
3) Walk out with birth certificate for Joe Bloggs
4) Get driver's licence in name of Joe Bloggs
5) Get bank account in name of Joe Bloggs
6) Engage in fraud as Joe Bloggs, getting hold of $500k worth of stuff on 7-day invoices
8) Ditch all identifying material, returning to your old identity
9) Watch in the news some weeks later about some poor sucker called Joe Bloggs who is up on counts of fraud totalling $1M odd.
The real question is not how easy it is to do bad. It is very easy to do bad, such as steal a Social Security Number, impersonate someone, etc. The larger question is 'why do we do bad' given our power- and 'how do we become better'?
Seeing as microcars didn't really give a direct answer to any of the questions you asked, I'll hazard an educated guess:
Ok so whose credit do you buy your house with?
Not online.
Do you have a new car?
Not online.
How did you get your electricity turned on?
Not online.
Have you opened a bank account recently?
Not online.
Have you applied for a credit card in the last 10 years?
Not online.
How about your driver's license and auto insurance, property taxes and simple shit like getting diapers at wal-mart when you are out of cash.
Not online.
What could be realistically done with customer information without a SSN?
Duhhhhh.... you can use almost any personal info to *get* another person's SSN.... such as:
Name and address
Name and former address
Name and DOB
DOB and current or former address
etc...
There are many places (no I won't give you links) on the Internet where you give them any of the above pairs of data and for US$4 or so, you get SSN, and from there you have the keys to a whole dossier of personal information. I did it a few times for local TV stations who periodically do a "special report" on identity theft and how easy it is.
The consequence of this is that you should not give people your birthdate or address unless they keep it secure.... so yup, I get no birthday greeting from the mates at work (my dumbass employer used to put all the employee birthdays for the month in the monthly company newsletter... but I put a stop to THAT nonsense.)
If you can grab a hold of a person's email account (sniff their non-SSL web/pop/imap login and password), you have access to:
... because they all email your password to your registered email account when you claim you lost your password or account information.
- eBay login (buy stuff online)
- paypal account (get access to a credit card or bank account for paying for things)
- bank account (look at all of their recent transactions - do bill-pay)
- Amazon (order some books and gear)
- most eCommerce sites (buy more stuff)
- domain names (take their domain names and web sites and blogs)
- tax returns (get them from their Intuit login - - - get SSN here?)
- cell phone (see who they call; order yourself a phone)
Make sure your email provider offers encrypted (SSL) access to your email.
-ez
Well, one thing that comes to mind are two different major telcos I deal with. I have a great working relationship with both of the companies. (I'll give you a hint, one starts with a "V" and the other with a "Q".) I've done things with both of these companies you should never be able to get away with. I'm not doing it illegally - I could get permission from the folks who actually want the work done. However, neither of these carriers asks for enough identifying information to be useful. We have backchannel phone numbers into God-Knows-Who call centers. If we need a line to be moved, we just provide addresses and phone numbers. Once in a while we'll get hassled a bit, but it's just a matter of giving a line of BS to get past them.
In the event we need something strange done, we have reps we work with. If we asked for some info on the account, such as a SSN, I wouldn't be surprised if the reps would quietly provide it.
So, don't give your SSN to utilities folks. Your electric company doesn't need it.
----- obSig
The parent post links to irrelevant content, "Piccard Song."
In this Slashdot article, look for comments by user NRAdude. It will exhibit a good study on how to negotiate coerced testimony for a SSN. I thought it a great treatise.
Before 18 you shouldn't be in the position to have access to something requiring a social security number unless you have access to it (IE: a bank account)
Except for standardized testing (CAT, Ohio Basic, SAT, ACT, etc) college applications, school transcripts, drivers license applications...
I knew my SSN by 3rd or 4th grade. I'd already seen it 2 or 3 times on the California Achievement Test.
--
Google innovative? Phhfft! This is Zombo-com!
OOPS! I just picked up the meaning of your sentence as I was hitting submit :oops:
--
Downloading in Firefox got you down? Cheer up
Is we need to stop treating SSNs like proof of identity. Just because you know my name, doesn't prove you are me, neither should knowing my SSN. I mean what is it, after all? It's an identifier. The problem we face is that there is no guarantee of uniqueness in names. If you are John Paul Smith, I'd be willing to bet you can find another person in the same city with that precise name, never mind the whole US.
So, we need something more to allow us to uniquely identify a person for various things. It is important, for example, for a bank to be sure you are the John Paul Smith they are thinking about when considering your creditworthiness for a loan. Well, since everyone in the US has, at least in theory, a unique SSN, that solves the problem. Name + SSN = a near certainty that you are dealing with the person you think you are.
However, much as a name isn't a proof of identity, neither should an SSN be. SSNs should be something that it doesn't matter if someone knows any more than if they know your name. It should be used just to establish who you claim to be, something else then is needed to verify that, indeed, you are that person.
One can obtain the SSN with the info you have described. All it takes is a bit of social engineering.
There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
Through a series of circumstances my former gas company (Columbia Gas of Ohio) was never willing to explain, I had my account with them cancelled by someone who may not have known I existed. This happened several years ago when I was renting a house. This fellow from the other side of town changed his billing address to mine, then cancelled his account. I noticed because one month I got a bill for "Gregorio Santos" but not one to me. The next month I received no bill at all. It turned out that when Mr. Santos cancelled his service, it didn't just cancel his account, but rather service at that address.
The point I'm trying to get to is that without knowing I existed, someone else cancelled my account with my gas company. In order to find out what happened, I had to provide my name, phone number, social security number, and father's middle name. It really unnerved me that things like this can happen without the service company noticing.
Check by phone is certainly easy and convenient. However, it is the easiest way to rip someone off. Just tell Sprint or your mortgage bank what you can read off of any check and BOOM! You've just made a payment and your credit is golden. If the person that you stole the funds from doesn't realize it and notify the bank within 60 days then they ain't gonna do anything about it. The thing is that this little transaction is done via an ACH file. Which is a flat field text file with all of the information that those check by phone people ask. The ACH system is based on "trust". The bank "trusts" its customer to send it good transactions to put into the system and the receiving bank "trusts" that the transaction that it will debit from your account is good. Every facet of banking IT work is audited as many as three times a year! Layers of security and logging are dictated if the bank is going to stay in the good graces of the feds. But the ACH file is a freakin joke. It isn't secure and there is no PIN number or anything else to confirm that the transaction is authorized. Only the "trust". I have suggested to both NACHA and SWACHA the inclusion of a PIN for these transactions. I got in such a heated argument with the president of SWACHA that many thought it was going to come to blows. The argument against such a minor addition -- 4 characters to a 92 byte record is trivial. But they feel that any change would be an admission of a system weakness. Sure it would cause some change in programming code, but it would save bank customers and personnel both money and time. I've been trying to get this change for more than a year now and am still not successful. If anyone reading this thinks they have a contact that will be helpful that would be great. If anyone has a better solution to this one piece of the ID theft issue I'm open to it too.
1: False alarms will not help you. Having someone keep track of your large purchases is probably a good idea, but that's not stopping someone from buying a cell phone, gas, groceries, etc.
2: You are not responsible for purchases made with a stolen, or fake card. It is only when someone makes an account in your name that you really get in trouble.
3: Most people make the same logical mistakes that you do, and I'm not going to check someone's card when they order pizza. If I intended to stop fraud (which is a valiant pursuit), I'd get an internship with the FBI. I'm sure workers at many of the places you shop will share my view.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
This may be where the lack of statistical IP is not a good thing. On second thought I'd say storing your information in your punkin head is a better idea than on your HD. Hard drives fail, and you don't want to leave ports open to banks... or anyone else who you don't trust.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
Not only does this information jump start a police investigation, but it also tells you which database was broken into and thus which set of customers to warn about possible impending credit card fraud.
I had my identity stolen without the use of my SSN and it took me several years to clear my name. In short, a small, scrawny, red-headed meth-head tweaker got a drivers license issued by the state in my name. I was lucky enough to have a detective on the other side of the state alert me a day before a warrant was to be issued in my name.
So in a six month period this idiot was able to get my license suspended in three counties, multiple traffic violations, driving without insurance infractions, driving a stolen vehicle, and countless drug dealing and drug possession charges.
Can someone do damage without your SSN? F$CKiN A! I spent countless hours appearing in front of Judges, DA's, Court Clerks, Law Enforcement Officers, and lawyers and regardless of how much evidence I had, I was regarded with contempt and suspicion until someone could verify I wasn't lying and pardon me.
In the end they caught the son of a bitch and he did 18 months for the Identity Theft charges (He's still in pound me in the ass state prison due to all the other charges in his name and my name). The interesting point is that I had to argue in front of a judge that it would be pointless to keep a drug charge on my record that I didn't commit just so that they could track the crime back to me from his record. By the way, they dropped the drug charges because he pled guilty to ID theft (that's how I got the last stain on my record removed). Government...
The time I lost in wages (I was a contractor at the time) and the hell he put me through trying to clear my name which isn't easy when people look at their computer screens and think you're a drug dealin dope fiend is enough for me to hope he's still being anal raped by some large man named Bubba. So you ask the question can someone cause damage without your SSN? They could send you to prison if you don't find out in time and clear your name. All they need is a few corrupt government employees and your first and last name.
phase 1: voice recognition built into the IVRS or by other means ...
and
phase 2: traditional questions ... and the blah
should make things pretty strong if the voice thingy works out ...
A credit card is *not* identification. And unless the laws have changed, it is illegal for merchants to use it as such. Sure some tried, but the credit card companies put a stop to it. Maybe there's another wave of stupidity.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Of course some people may complain about "big brother" and things like that, but what should be considered is that this actually is a further step to avoid identity theft. It may also be a cost issue, but what is the price of an identity theft? (ok, if I'm using another person's ID when registering a proof of purchase that may at worst cause some irritation if the victim gets some funny commercials dropping into his mailbox, but if I'm signing for a loan at a bank it's a different issue.)
See the SSN as a convenience key for looking up more details - not a proof of identity!
---
You can have peace. Or you can have freedom. Don't ever count on having both at once.
Robert A. Heinlein
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
>It's actually never legally allowed to
>require a social security number; "they"
>can request it, but not demand it
In some countries (France, Germany...) it is never asked (even forbidden?). AFAIK, the only persons having access to my SSN in France are the ones who need it (employer, doctors...). I lived 16 months in Germany, I was never asked for mine (and I had none in this country).
And a SSN would be of little use here. We only had fraud cases with illegal immigrants without social security using the ID of a parent - at the expense of the State Social Security and insurance companies.
Not to say that identity stealing is impossible here, far from that, but not having this unique key seems to make it a bit more difficult... until now, at least.
Christophe (Don't hesitate to point out my spelling and grammar mistakes, I want to learn - Thanks).
As a UK citizen who's recently moved to America, I can assure you that it is almost impossible to get anything done without a SSN.
I finally got one last week, which hopefully means I can actually apply for things now.
To be quite honest, I think the sheer quantity of forms would put off any would-be criminal...
Kayamon
Your target sends their laptop or desktop out to a service center, such as Geek Squad. Using some social engineering you get ahold of their receipt. Call the store daily to see if "your" computer is done. As soon as it is, rush in, pay the balance, and take it home. You can steal whatever they've got stored on it.
Even worse, you might not even have to get their receipt. Call the store claiming to be the person. If they ask for a service order number or something like that, then claim you don't have your receipt with you and give them the magic phrase: "can't you just look me up?" Again, swoop in when the repair's complete, introduce yourself as Mr. Target, pay the balance, and take "your" computer home. They probably won't ask to see your receipt or service contract. If they do, then you already know what to say: "can't you just look me up?"
Sure, service centers have procedures in place to prevent this exact scenario, but people are just way too trusting.
Each and every entity above can revoke the key at any time.
Merchant can revoke a transaction or deny a consumer (due to poor credit). Consumer can revoke identity if stolen with assurance it won't be used again ever. Arbitrator can authenticate/reject for both parties.
Zero identity theft.
This would require a smartcard that generates rotating public key protected by a PIN/fingerprint (I'm not big on biometric, but consumer ease of use is the key here).
Significant technical hurdles remain with regard to "WHOM" process the public-private key verification as it takes CPU-time. Perhaps the smartcard has advanced enough to the point where it can sign the keys.
Given three sets of identity aggregate information:
and you will have an EXCELLENT chance of nailing the person down.
Then go over to any one of those paid people finder lookup and presto, SSN.
Perfect recipe for identity theft (groan).
Please see my Slashdot post in how best to solve this problem.
To make changes to an account over the phone (at a large ISP in America) we need a combination of the following:
- Account holder, Account Security Question
- Account holder, last 4 digits of payment method + Full Address
- Account holder, ANI match + Full Address
Generally speaking, ANI spoofing services can fool it, as the ANI readback is from Caller ID, not true ANI.
Now, what really can be done over the phone, after it's verified?...
- Cancel Account
- Change price plans
- Sign up Premium Services
- Bump Session
- Request information on price plan
- Request session history (date/timestamps of sign ons)
So, in summation, worst case scenario - you can get someone to be billed a little higher amount, or merely discontinue service. These things can be reversed in a matter of minutes (like reactivate an account for example). And credit can be issued in the event they got charged more.
It's a fact. An armed society is a polite society, and a society armed with attack submarines is extremely polite indeed. On balance, SSNs in America prevent more deaths than they cause, even when you include accidents and children getting ahold of the subs. Can you cite even a single reported instance of violence between individuals in America when both were armed with SSNs? I didn't think so.
They can take my attack submarine when they pry my cold dead hands from the periscope!
I'd wager to say that most identity theft takes place without a fast-attack nuclear submarine. I mean it might help and all, but maintenance is a bitch and you're probably a lot better off just using normal social engineering methods.
Why not hash the SSN with a key which could be decided by the organisation that needs proof of your ID? You could use a program, or a public terminal at their office or even a simple JavaScript online, and it would be as easy as entering two numbers and pressing OK. They can then compare the hash by submitting the key to the database of SSNs.
This comment does not represent the views or opinions of the user.
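The scheme proposed in the comment above, sketched as an added example that is not part of the original thread: the person hands over HMAC-SHA256(organisation key, SSN) instead of the SSN, and a registry holding the SSNs recomputes it. The `Registry` class, the names and the keys are hypothetical, the SSN is constructed (area number 000 is never issued), and `recover_last_four` shows the caveat that a nine-digit input stays guessable for anyone who knows the key.

```python
import hashlib
import hmac

# Constructed sample: area number 000 is never issued, so this is not a real SSN.
SAMPLE_SSN = "000-12-3456"


def normalize(ssn):
    """Strip separators and insist on exactly nine digits."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("an SSN has exactly nine digits")
    return digits


def ssn_token(ssn, org_key):
    """What the person computes and hands over instead of the SSN itself."""
    message = normalize(ssn).encode("ascii")
    return hmac.new(org_key, message, hashlib.sha256).hexdigest()


class Registry:
    """Hypothetical stand-in for the comment's 'database of SSNs'."""

    def __init__(self, records):
        # Maps normalized SSN -> holder name (constructed data only).
        self._records = {normalize(ssn): name for ssn, name in records.items()}

    def verify(self, claimed_name, token, org_key):
        """The organisation submits its key and the token it was given.

        The registry recomputes the keyed hash from its own copy of the SSN,
        so the organisation never sees or stores the SSN.
        """
        for ssn, name in self._records.items():
            if name != claimed_name:
                continue
            # Constant-time comparison avoids leaking how many characters matched.
            if hmac.compare_digest(ssn_token(ssn, org_key), token):
                return True
        return False


def recover_last_four(token, org_key, first_five):
    """Caveat: with the key and the first five digits known, only 10,000
    candidates remain, so the token protects the SSN no better than a
    four-digit PIN. Returns the last four digits, or None if nothing matches.
    """
    for n in range(10_000):
        candidate = f"{first_five}{n:04d}"
        if hmac.compare_digest(ssn_token(candidate, org_key), token):
            return candidate[-4:]
    return None


def demo():
    registry = Registry({SAMPLE_SSN: "Pat Example"})
    bank_key = b"bank-chosen-key"   # hypothetical per-organisation keys
    isp_key = b"isp-chosen-key"

    bank_token = ssn_token(SAMPLE_SSN, bank_key)
    isp_token = ssn_token(SAMPLE_SSN, isp_key)
    return {
        # The same SSN yields unrelated tokens at different organisations.
        "tokens_differ": bank_token != isp_token,
        # The registry confirms the token under the key it was made for.
        "bank_accepts": registry.verify("Pat Example", bank_token, bank_key),
        # A token leaked from the bank does not verify under the ISP's key.
        "replay_at_isp": registry.verify("Pat Example", bank_token, isp_key),
        # The organisation itself (or anyone with key and token) can still
        # work back to the SSN because the input space is so small.
        "recovered": recover_last_four(bank_token, bank_key, "00012"),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```

The per-organisation key limits replay of a leaked token elsewhere; it does not make the token safe to publish, so it needs the same handling as the SSN.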
Well, my SSN is 75020521279278 and my credit card number 24313134174 and my bank account number 224552124 and my pin is 1929, What else do you need?
"I used to have that really cool,funny sig
http://www.straightdope.com/mailbag/mcredit.html
Thanks for playing. You lose.
...Also, I didn't know Buggalo could fly.
I am in Australia and (at the time) had my own phone line with Telstra.
I wanted to change it to AAPT because AAPT were cheaper.
Due to some issue somewhere the phone number was mixed up so I ended up receiving bills for someone else's phone number. (what tipped me off was that it listed calls to 13 numbers even though at the time it was only used for internet dialup and had never had a phone plugged into it)
In this case, it's AAPT's fault for not checking that all the pieces of ID provided to them match up (phone number, address, Telstra customer number or whatever it is etc)
Dear NRA,
Because of our efforts "Every man/woman/child in arms" I am now the proud owner of SSN-761 "Springfield".
Too bad there are no SSN-racks for my pickup truck.
Do you know where I can get some discount Tomahawk cruise missiles?
Friendly Fire Forever
NoSuchGuy
P.S. Take my SSN from my cold, dead hands!
Grundgesetz * 23 May 1949 - 30 November 2007 - http://www.vorratsdatenspeicherung.de/
I went to my bank's ATM to pull out some money a few weeks after getting my ATM card. I forgot the PIN, so I walked inside, and without any proof of ID, I got my PIN changed, and in the process saw the teller's PIN to the machine that sets the PIN number for CCs, and the manager's PIN because he had to reset the teller's PIN, plus a sheet that had all the info I needed to fake being the manager to get the manager's PIN reset. This makes me afraid of what someone who is good at social engineering could do, but he would be caught on a lot of cameras if he did what I did.
You really shouldn't limit analysis of how bad an information-leak is by limiting access to other information.
If I obtain records which I can use if I get the corresponding SSN, I'm nearly in an exploit situation, all I need is the SSN.
Even worse, if I somehow wrongly obtained a SSN, I just need the data you rate not-too-threatening-without-SSN to do the exploit.
SSN isn't that hard to obtain, it passes through millions of computer-systems as a unique-id on persons, which is just its function. SSN should never be used as an identity-proof.
SLOGEN [ http://ungdomshus.nu : Sebastian cover music]
I was feeling quite pleased with myself, but wasn't expecting what happened next: the telemarketer said: O.K., but then went on to confirm a few more things! I asked why they wanted that information; he said to send out the card. I asked what about the Federal Law that required my SSN to open an account? He said, "we're a financial institution. We already have your SSN. I'll just put it on the form". And in a few days I had a new credit card with a 15 grand limit, even though I had refused to give a bank my SSN.
I do protect my SSN to the extreme. (Once a rental car place tried to refuse to rent me a car if I wouldn't put it on the form. I told them fine, just put that in writing and I'll leave and be back with my lawyer. I got the rental car without giving a SSN.) But don't kid yourself that people can't do things without it.
I'm an American. I love this country and the freedoms that we used to have.
In the US the system is set up so that ad-hoc electronic funds transfers occur by having the recipient withdraw money from the account of the sender.
In Europe, I understand that the reverse is true. If you want to make an electronic payment the payer electronically deposits money in the account of the payee. This is a much saner system.
The whole electronic check scenario is potentially much more dangerous than credit card fraud.
Does this mean that I can find all the pr0n in existence at 127.0.0.1?......
3 Minutes later.....
Look! There it all is!!!
Honesty may be the best policy, but by process of elimination, dishonesty is the second best policy.
I will admit I haven't worked there in about 5-6 yrs, but from the scripts I've heard the associates go through when I call, it doesn't sound like it's changed much.
I was quoted out of context in my autobiography...
Depends on the intention of the bad guy and how business usually is done in the companies involved along the way.
For example divert snailmail to a P.O. box, contact the bank and say you need a new credit card, the new card along with PIN code would be snailmailed to you, and upon receipt you will need to activate the new card which would close the old one (which was still valid during the wait for the new card). Cash in on the victim's account.
Now this would only be good unless the victim notices the missing mail for the time being. And if neither the post office nor the bank consultant would require some more personal information for issuing the diversion of mail and the request for a new card.
Clark Howard recommends that one never carry checks outside the home, and that they only be sent to reputable places and used only to pay bills. The reason is precisely what you are asking: identity theft.
See, if someone steals your checkbook*, he can write checks on your account and take them to various places. Faking the necessary driver's license and credit card is not difficult, so he can pass these checks easily. If he does this and checks start to bounce from your account, one of the payees can swear out a warrant for your arrest! Then, if you ever get stopped by the police for any reason, such as a minor traffic violation, you will be arrested on the spot.
All this without a SSN.
* - or has checks made using the routing and transit numbers on a check you sent him. NEVER SEND PERSONAL CHECKS TO STRANGERS!
... but for what it's worth. http://members.cox.net/yro.yro/
My grandmother was paranoid about her SSN and its privacy. She did not give it out to anyone. Most people's driver's license numbers are their SSN too, but hers was a different number by her request.
She spent about an hour at Sears one day, trying to apply for a Sears charge card. They requested her ssn, but she would not give it. After about an hour of them calling around to figure out what to do about it, she did get the charge card and did not have to give her ssn, but the drones at the counter had to scramble for an entire hour to figure out how to get her the card without her ssn.
So while this may be possible, it is not always easy.
Also remember, for things like business transactions, in most cases they can require you to do anything short of violate your civil rights. Your option of course is to just not do business with them. AFAIK, not having to give out your ssn is not a civil right, so they could make this a requirement for them to do business with you?
Also, it's possible that what you are getting (cc, or whatever) is using your ssn as a unique identifier. So if you use a popular ssn, or really anything short of your ssn, you are risking duplication in their database. It won't be so funny when you start receiving credit card bills from 10 other people that are all using Nixon's ssn for their IDs. It looks reasonably safe to make up a number starting with 000, since that region code was not used. For simplicity's sake you might just change the first three to 000. Again this could potentially produce database duplication, but the odds would be greatly reduced.
It's also possible that some automated processing may choke on a number that starts with 000, simply because according to the rules it's not supposed to exist. (that could actually be somewhat humorous, I bet you could crash numerous data processing systems with an array-out-of-bounds error when it tries to hash sort your SSN)
I work for the Department of Redundancy Department.
Has anyone else been in a similar situation and can advise on whether or not it's likely they will try and open a new credit card under my name and SSN with a new address?
It would be music to any non-profit organization's ears: an unexpected $1,000 donation. But the offer came with dirty strings attached, and the surprise donation to California-based Urban Age Institute was hardly a gift at all. Instead, it placed the organization right in the middle of an extensive -- but elegantly simple -- worldwide scam.
Within days, $10,000 worth of checks were written against the non-profit's accounts and cashed by a woman in Georgia. She in turn wired money to Nigeria. The incident left the organization's leaders wondering: Is it that easy to raid anyone's checking account? The answer, according to banking experts interviewed for this story, is yes.
Armed with just a checking account number and bank routing number, criminals can create checks at whim, experts and law enforcement authorities say.
Most consumers presume that checks must be signed by an authorized account holder. That's ordinarily true, but not in the case of so-called "demand drafts." These look just like checks, but indicate "signature not required" or a similar message in the authorized signature area. And generally, banks cash them just like valid, signed checks.
One community bank surveyed demand drafts and found 73 percent to be fraudulent.
Last year, MSNBC.com exposed a Web site named PharmacyCards.com that was creating demand draft checks and withdrawing $139 from checking accounts all over the United States. The Federal Trade Commission later sued the site and alleged it had attempted to steal $10 million with bogus demand drafts.
And on and on and on...
If the g'vt kept the data on you that google does you'd better believe you'd be calling it "doing evil"
Here's a problem for you: we export goods from Canada to the US. As of a couple of months ago, we can no longer export single shipments to individuals in the USA without having their SSN number attached to the invoice/shipping docs.
What's up with Homeland Security that they are forcing the exposed usage of SSN numbers? And all this to import a gym mat?!
My cellular provider has had a policy for a long time of having users set a password to be produced whenever speaking to a customer sales rep or a retail rep about the account. Despite this, for the longest time, they would ask "Could I have your password or SSN?"
The good news, however, is this: I used a strong password (a memorized, but random string of letters and numbers), and was able to ask a CSR to set my account so that the SSN was not acceptable ID. Thus far, they have honoured this request. Since that point, the question has always been for my password.
www.wavefront-av.com
A friend of mine works for a well known publishing company. One day she asked me for just my name and address. She plugged this into her Lexis-Nexis database and pulled up an amazing amount of information about me, my parents/family etc. She also told me the first six digits of my social-security number. Just from my name and address! She also was able to correctly identify several banks I do business with.
If you think about it, we all use the LAST four digits of our SSN repeatedly for pins, passwords, all kinds of things. At T-Mobile for example, if you email customer service (over an INSECURE form on their website) they request the last four of your SSN. (!?) Tons of other companies use this information regularly and openly.
The bottom line is that just with someone's name and address you can easily get access to not only their family members, and bank account info, you can easily get the first 5 digits of someone's SSN, which you can then, with not so secret methods, get the last four.
As a person who has worked in banks, I have seen how poor some people can be when it comes to security. They ask questions like "what was your last withdrawal/deposit", address information, etc. Sometimes you can even negotiate with them "oh I don't have this information, how about this"...sometimes it is because they have no clue about security (their fault more than the banks), sometimes they don't care, and sometimes they are so much into trying to make the customer happy (especially if the customer starts to get irritated). Yea it is scary and doesn't take much skill... you can easily (and legally) try this by calling your bank. Try and get your banking information (obviously this is not illegal) but just act dumb, and limit your information to what you got from say a dropped check, or deposit slip.
I mod down so you can mod up. Your welcome.
> ...it all seems to come back to the Social Security Number. Financial
> companies have other controls in place...to ensure identification.
Many of which are very poor controls; so poor as to be nonexistent in many organizations.
> But in order to be of any use, a bad guy would really need someone's SSN.
Yes, AND no.
> Absent of that, other information would be useless. Right?
Wrong. http://catless.ncl.ac.uk/Risks/18.04.html#subj11.1
http://catless.ncl.ac.uk/Risks/16.30.html#subj4.1
http://catless.ncl.ac.uk/Risks/14.88.html#subj3.1
http://catless.ncl.ac.uk/Risks/23.84.html#subj5
http://catless.ncl.ac.uk/Risks/10.24.html#subj5.1
> That's what I would like to ask Slashdot folks. What could be realistically
> done with customer information without a SSN?
Well, you've set up an arbitrary experiment there. It's a school experiment, a teaching tool. Good for learning, but not reflective of real-world constraints.
The question implies some constraints. Restated as a classroom question, it reads:
-----
John Doe's mother's maiden name is Mary Roe. His address is 1313 Mockingbird Lane, Anytown, IA. He works at Nationwide Insurance, and he has a checking account at Bank of America. Without using a social security number, perform the following tasks: A-Withdraw $N from John Doe's checking account. Etc.
----
The real world equivalent problem is:
John Doe's mother's maiden name is Mary Roe. His address is 1313 Mockingbird Lane, Anytown, IA. He works at Nationwide Insurance, and he has a checking account at Bank of America. Perform the following tasks: A-Acquire additional personal information about John Doe, including his SSN B-Using this data, including the SSN, withdraw $N from John Doe's checking account. Etc.
----
The school question is a useful learning tool, worth exploring; but if the student can't normally perform the tasks without an SSN, you can't feel confident or safe. The real world problem just adds one more task at the beginning; "Get SSN," which is often trivial when you have the other data.
Some examples of trivial SSN exposure, the black market in personal data, and some just interesting:
http://catless.ncl.ac.uk/Risks/6.80.html#subj1.1
http://catless.ncl.ac.uk/Risks/21.82.html#subj8.1
http://catless.ncl.ac.uk/Risks/22.94.html#subj14
http://catless.ncl.ac.uk/Risks/23.11.html#subj5.1
http://catless.ncl.ac.uk/Risks/19.19.html#subj1.1
http://catless.ncl.ac.uk/Risks/7.66.html#subj3.1
http://catless.ncl.ac.uk/Risks/21.07.html#subj6.1
> Account numbers, address, maybe a phone or payment amount. Is that really
> dangerous to the customer if only those get compromised?
"Is it really dangerous to your business network if -only- your firewall fails."
No; but how can you assume that you -know- when other security measures are compromised? Sometimes all it takes is a quick trip to the victim's mailbox.
http://catless.ncl.ac.uk/Risks/23.86.html#subj3.1
http://catless.ncl.ac.uk/Risks/20.80.html#subj6.1
Why would you assume that someone would have to work without a SSN number? They are trivial to get - you can just ask people for it in the right circumstances.
There is a movement in this country. At first, I considered it fringe, but I have found substantial truths in the claims of the fringe group. The group is the "tax patriot" or "tax protestor" group. It depends on which side of the fence you are on.
;-)
Anyway one of the key "features" of the income tax is that it is only enforceable against those that have a TIN (taxpayer id. number - for foreigners in the US) or SSN (non-foreigners). So the question is then "who needs a SSN?". Well, if you are born in a state of the United States, you most certainly do NOT. This is demonstrated by you having to APPLY for a SSN. Once that is the case then the IRS can track you. Without an SSN, you can't fill out their documents, and they cannot identify you. (Mind you, this does not stop them from collecting levies and liens on accounts that do not have a SSN associated)
How did we get SSNs? Your parents most likely applied for one for you. Why did they do that? Because they (or their parents) were convinced by a famous duck named Donald they needed to pay taxes to support WWII. (It was supposed to be a temporary 2 year tax). Well in order to get a dependent deduction on their taxes the IRS requires the SSN of the dependents claimed. So that is why you have one. That and a lot of places ask for one, without any legal basis to do so.
You can get a bank account without a SSN. I believe Wachovia has done this, and I am sure there are other banks that will do it when pushed. However these accounts come with a limitation: there is no interest paid on the account. That would/could create a taxpayer income liability, which must be reported to the IRS via a 1099-INT. Some argue that even interest is not taxable. I am not going to delve into that can of worms here, but you should be able to see now that SSNs for most people are indeed optional. (You are likely to not have one if your parents never claimed you on their taxes, which is unlikely).
WARNING: There is a lot of rhetoric in the "tax protestor" community. You must investigate what you hear. A lot is true. A lot is not. Take everything with a grain of salt before you have verified its claims. The above is what I have found to be true. But don't take my word for it!
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
1. most people don't give out their SSN online yet parts of their identity (mostly pertaining to their wallet) get stolen all the time.
2. asking us all to provide all the ways to invade someone's privacy is not going to help matters at all.
I don't mean to minimize the life experience you describe, and there is absolutely no justification for the actions of the drugged idiot who screwed up your ID, but I have to ask this:
Analytically, can you really make an equivalence between the hours of your life that were 'stolen' from you, the angst, frustration, and contempt that you felt, and having someone anally rape the perpetrator?
You are justifiably angry with the person who selfishly stole your identity so that he could live without consequences, but would it be just for him to be sexually abused while doing his prison time?
Respectfully,
Anomaly
But Herr Heisenberg, how does the electron know when I'm looking?
Here in South Africa we use an ID number which is the equivalent of a social security number. Recently quite a few cases have been reported where women wanting to get married find out that they are already married when they try to register to get a new ID document issued with their new surname.
They found that they were already registered as married to a foreigner, mostly from Nigeria. Once the Nigerian obtains the ID number of a suitable "wife" he proceeds to file a marriage certificate. He then applies for South African citizenship showing he is married to a South African woman.
It has become such a problem that the South African government has provided a feature on their website where you can check if you are married or not by providing your ID number.
When I was living in the USA I made sure to shred all credit card statements and to get a credit report every year. I think those, at least, are basic precautions anyone should take.
The *biggest* issue that I still see is companies using someone's SS as the account number on invoices. The typical scenario: 1) Poor fool receives his trash collection bill. 2) He pays it and throws the receipt in the trash can. 3) Dumpster diver finds the receipt and notices that the account # is the same length as a SS#. Presto, instant ID theft. I've personally seen the victims of this scenario. The other common ruse is good ol' fashioned phishing. You'd be surprised how many people will still give up their SS# when a free gift is waved in front of them. Again, I've seen this while monitoring network traffic.
I think you have a valid point. And I think it could easily be adapted for use by companies like Google. Instead of storing your information on their servers (search history, advertising clicks, etc) they could easily be stored in cookies on your computer. Google could check that data when you submit a search to bring you more targeted results and advertising, and use the anon summary data on their side. This would allow you to control what you want to share. You could delete the cookie, or even clean out parts of it on your own to alter its effect.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
Even without a SSN, it's very simple to obtain all the information about where you currently live, phone numbers, where you have lived in the past, who lived with you, who you are related to and where they live, certain items you might own like real estate, boats, etc. any liens against your property and so on. The SSN is typically attached to this info, but it's easy to get all this without the number.
"First, contrary to popular belief, the sig on the back of the card is not there for identification purposes,"
Yes it is. You clearly have never heard of the concept called "signature authority". It's been around ever since people started signing contracts. It's what companies use to establish who can sign checks for the company. You filled out such a card when you opened up your bank account. And yes, clerks are supposed to verify that the signature matches.
Don't be so quick to criticize others when you clearly don't know what you are talking about.
If you dispute this, please cite some authoritative sources.
The best way to predict the future is to create it. - Peter Drucker.
The US Post Office won't accept credit cards that are not signed regardless of the ID you are carrying and they have a big sign that states that in the Post Office. That is the only place that I have ever had a card turned away for not being signed.
...can be found here.
http://www.ssa.gov/history/ssn/geocard.html
The first three digit group is geographical, but only related to the area of the office where you APPLIED for the card. It has no real correlation to the location of your residence or of your birthplace.
The second two digit group is merely descended from an internal paper filing system; the system was run for decades without computers. No useful data here, not even on your race or gender (another bad internet rumor).
My father bought a small office building a year ago, and I was in charge of meeting the tech-demands.
One day, we realized that the phone bill was still being issued under the previous owner's name. So I called SBC for a change of ownership.
Change of ownership of a telephone line. Could it be done without the owner's SSN? You bet.
I simply told them that the previous owner left for Korea and it is impossible to contact him. They asked no further questions and changed the ownership to my father's name on the spot.
No talking to manager, no more questions, nothing.
Now, I WAS talking to a Korean representative, and they realize that some of the people aren't used to the American SSN culture. Not only would it be tough to explain the entire American culture over the phone, but also I didn't see anything else they could do about it at this point either (actually they were almost thankful that I called because we could've simply not paid our bills but not get flagged for it since it's not our SSN). I wouldn't be surprised if they get that kind of request ten times a day either.
In my case, I was telling the truth (the guy DID leave for Korea for good), but I could clearly see possibilities for abuses.
Try being a member of a minority community. It sometimes helps you to cut through the system.
At our company, we do pre-employment screening for Fortune 500 companies. When filling out these online employment surveys, we HAVE to get the end user's SSN. It is the ONLY identifier that is unique to that person and will follow that person throughout their entire lives. We have to collect it to tie their post-hire data to their pre-hire data.
How else can we identify people? First/Last Name? Over 20% of women between the ages of 20 and 30 will have their last name changed due to marriage. Address? People Move. e-Mail? People change emails. Phone? People change phone numbers.
I think what frustrates me about this whole SSN and identity theft issue is that people will hand over their SSN on paper "IRL" without thinking twice about its physical security after that. Loan Applications, Job Applications, Legal Forms, etc., etc. all require you to give your Social. Do people ask, "Will my SSN be protected from anyone else seeing it on this paper?" (SSL), "Will my SSN be stored in a protected file cabinet with a combination lock?" (Secure Servers, Encryption). When filling in these forms, do you look over your shoulder suspiciously to make sure nobody's trying to see your SSN as you're entering it (Sniffing/Packet Capturing)?
It's just ridiculous how people treat their information security between online and offline. As an online service provider, it drives me NUTS how there are LAWS in place making it mandatory for us to encrypt parts of a person's information and meet 'payment industry security requirements' to be able to handle this information, whereas at my local Taco Bell, job applications will sit on the manager's back desk for a week, open to ANY prying eyes who may walk by. Should we make a law for that too?
Anyways, I think the REAL question that should be asked is WHAT CAN WE USE THAT HAS THE SAME PROPERTIES AS THE SSN? I'm all for using something else, but it has to be just as unique and follow that person for their entire lives.
The Liberty that was sunk in 1967 was neither a battleship nor a submarine, it was an American spy ship (ELINT boat) that was sunk by the Israeli Air Force either as a show of independence or in a tragic mistake, depending on which covey of career liars you are willing to believe.
The Israelis ended up paying over $13 million USD in compensation to various parties in the US, so if the sinking of the Liberty was really saber-rattling on the part of Israel it was extremely poorly executed.
The day before, Israel bombed one of their own troop columns, incidentally. The Israeli Air Force of the day was more enthusiastic than skilled.
Dear Slashdot,
I can't seem to find any one else's SSN. How can I rip people off without this information?
Thanks,
TheItalianGuy
As mentioned in my other post, further down the post tree, IANAL, however, I am a financial crimes investigator at the local Sheriff's Office. I feel like there is a huge misconception about identity theft. Using someone else's credit card at a gas station without that person's permission, is not ID theft, it's fraudulent use of a credit card. Actual ID theft is almost exclusively done through the use of the victim's social security number. SSNs, contrary to their original "intent," are serial numbers for US citizens. If you do not believe this, try to go to college, get a loan, get a credit card, etc. To my knowledge, you can't steal someone's ID without having or getting their SSN. You still need a few more nuggets of information, easily found on various websites around the net, but you can actually make do without that information. You CANNOT, however, make do without an SSN. As far as I can tell, in the US, it is impossible to get credit from any company without an SSN. I think account numbers are dangerous because it's possible to derive an SSN from that. Addresses and such are also dangerous, because it makes up part of the information that is required to commit ID theft. Furthermore, account numbers can be used in all kinds of fraudulent activity. All you need is the routing number off of a check, and a check number to rack up some massive bills on someone's account. As it has been pointed out in another post, most criminals do not physically have possession of the credit card, just the number. I think it is incumbent upon any company with identifying information, to take due diligence in protecting that information, be it address, phone numbers, etc. To address the idea that financial institutions have verification processes in place, I say, we need more. I cannot place the blame on the institutions et al. because most of that information is leaked through social engineering. Believe it or not, that still exists.
From my experience, once a criminal has a victim's SSN, they go on a rampage, opening as many accounts as possible via telephone, or in a store. Most of the time, when a victim comes to me with an ID theft case, they believe there is only one account opened fraudulently. I direct the victim to check their credit report, and they find 5 or 6 fraudulent accounts, to their surprise. My advice? Protect that SSN at all costs, and check your credit report at LEAST once a year, twice a year if you can. It only costs about $10 US, so why not? Believe me when I say, $10 is worth it to detect ID theft, because once it happens, it is a BEAR to try to get it taken care of.
it's absolutely amazing how stupid people are.
upon the advice of my lawyer, i have no sig at this time
By federal law you cannot get a hunting license unless you give your SSN to the clerk, which is then checked against a list of those not paying their child support. (This is one of those complex laws that get around the federal government not being allowed to make such a law - the states have to have such a law or they don't get federal funds)
For many financial transactions you are required to give your SSN.
In theory social security is optional. However once I'm in I can't get out. My parents signed me up when I was 2 (or before, I'm not sure - today most parents sign their kids up when they are born, but the law was slightly different back then). It is a big scam that I want out of - I'd prefer to put that money in my own retirement and insurance plans.
What you really need to do, is scout around a bit. Pick someone you know is a low-profile person in the area, but makes a decent amount of money. No point in stealing from the poor, right? ;-)
Some paycheck companies still print your SSN on your paycheck, if so, complain about it to your paycheck company/employer. Some companies also mail paycheck stubs home, so be sure to check your victim's mailbox on a Thursday or Friday to get the info. Since you're there, grab his pizza coupons too - you might need them later.
If there's a monthly statement in the mailbox, you're in luck. You can find out what bank he/she goes to, have access to where that person is, how often they frequent the area, and what they like to eat, wear, do, and so forth.
Call the bank. If it's like my bank, you can verify yourself as the account holder just by answering these questions, three. What is your home address? What is your checking account number? What is the airspeed velocity of an unladen swallow? Just kidding about the last one.
Once verified, you transfer an unsaid amount to an account of your choice, then withdraw the full amount and close the account when funds are available. Usually, this is done over a 24-hour period. This also works best near the holidays as most people are spending money and wrapping gifts too quickly to balance their checkbooks.
With money in hand, SSN, address, checking account information, and a fistful of pizza coupons, you can now order a large, hand-tossed pie with sausage and peppers, go on vacation, and be referred to as Angela Veeto. Now that you were clever enough to have the bank issue you another card (which activates upon first use and discontinues the previous card at the same time), and intercepted it at the victim's house, you can finally go on a 24-hour spending spree at the nudee-bar. It's just that easy.
-- Game Developers: Stop porting badly-textured games from crappy console systems!
(Or did you specify 'no reseller rights' when you signed up for Blockbuster membership or your last subscription to TV Guide...)
Even apart from the obvious fact that it's grossly disrespectful of your customers' desire for privacy, this sounds suspiciously like an attempt to rationalize lighter (and thus presumably easier) security for data other than SSN, and that strikes me as a really bad idea.
Just because you have a firewall, that doesn't make it safe to run all the machines behind it wide open and unpatched. In exactly the same way, keeping SSNs (theoretically) well protected doesn't make it safe to leave the rest of your customer's data lying around. Users will download and run strange email attachments, or browse untrusted web sites, and they're past the firewall. By the same token, if you fail to protect "lesser" personal data, it gives an attacker more things with which to correlate SSNs he may have obtained elsewhere, but, hypothetically, without explicit mappings to names.
Privacy is a larger issue than just preventing somebody in <random_city> from being able to impersonate me, and the fact that it is difficult to attach a dollar value to it doesn't mean your customers don't care. Do the right thing, and protect it all.
This would be scary. One of my least interesting work assignments is to send the FICA payroll to the federal government for 130,000+ US employees. If our HR and payroll systems didn't store the SSN, this trivial assignment would take years.
70% of statistics are made up.
I work for a large insurance company that handles many different types of insurance. The department I work for handles the professional liability policies of medical professionals. I can't speak for the other departments, but our team does NOT deal with social security numbers whatsoever.
When customers call in with questions or changes, we just verify their name, address and phone number. With that information we are basically authorized to give whatever information is requested and make any changes we are allowed via phone. If they need any major changes, they just fax in their client number and whatever they need.
This to me is a huge surprise. I would imagine all kinds of identity theft could run rampant. But apparently it hasn't been a very big problem because the procedure hasn't changed in years.
So, without having a social security number, you can still effect many changes to someone's policy, and also retrieve quite a bit of information about them, as long as you know their name and sometimes just an approximate address.
Kinda scary.
You're nothing; like me.
All this talk of protecting our SSNs got me thinking, who do I have to give my number to when I'm asked for it? So I went to the source to try to find out, Social Security Online.
Much to my surprise, when I drilled down two pages (click "Your Social Security Number & Card", then "Protect your Number", both on the left menu), I get a page that says:
"This fact sheet is no longer available. It was removed from www.socialsecurity.gov because it has been discontinued."
http://ssa.gov/pubs/ssn_1.html
Discontinued! What the hell is that about? This is going to involve much more searching than I originally thought.
I'm sure a lot of "entrepreneurial thieves" buy whole lists of Social Security Numbers. I've had a con call up about once every year for three years, pretending to be from a collection agency "trying to clear up a matter". He tells me my wife's social security number and wants me to verify it, with an old address. I tell him, that the number is almost right, but the address is wrong. Of course, he tries a few more veiled threats and calls every time to get more info -- this just leads me to believe that he is looking for a home address so that he can open an account in her name. He probably has a SSN and a name, but the name is pretty common so he is trying to place her with a list of about 10 addresses in the state-- you get the idea.
Think about how many people have had access to your SSN -- at school, medical, financial, anywhere you got credit, utility and phone companies, even video stores... etc. So, of all those places, there is at least one or more minimum wage/disgruntled workers who have access to a gold mine in accounts (not that low pay makes it more likely -- just the relative value). I've heard so many stories of really big companies losing databases of customer data -- and those are what you've heard about. I would think, that like 90% of everyone has their SSN available to crooks by now. They are just cherry-picking and using the data at their whim. Identity theft for any of us just depends on when our Name + SSN + Residence is most easy for the crook. So, I don't think this whole issue of "what can people do without the SSN" is what you should worry about. It is; when will they get around to using yours.
My suggestion is that we make the SSN a relatively public ID -- but with a private key available only to the person and a government ID agency. The Government Identification Agency would merely verify to any vendor, service or institution, that you are who you say you are.
Anyway, this problem won't go away until a few Senators have the problem or the Financial Institutions lose too much money.
>>"ad space available -- low rates!!!"
Does anyone else think the above sounds like a recipe for disaster?
I get very annoyed and concerned that there are companies out there that collect, store, and sell my personal information to basically anybody that is willing to pay for it. Credit bureaus are a prime example of this.
I've been wondering if it would be feasible to write down all of my personal information (name, address, phone, SSN, Mother's maiden name, etc.) and copyright this information. The next step would be to send out Cease and Desist letters demanding that my copyrighted personal information be removed from their databases and demand royalty payments for the personal information that they've sold for profit.
I might even want to store my personal information on encrypted media to get coverage under the DMCA. If the RIAA and MPAA can get away with it, it seems that I should be able to do the same.
What people fail to see is that most identity theft happens with students who have loans. Have a student loan? What's your loan number? I bet that 90% of the time a student's loan number is the same as their SSN plus 1 extra digit -- typically a 0 or a 1. Guess where that loan number gets printed all the time? On the notice the school sends you about your financial aid status, the bill the school sends you for tuition, the letter thanking you for paying your bill and letting you know how much of your loan you have left. It's all over the place, and it most likely has your SSN as the account number.
... SSN+1.
But what could someone do with your student loan number? They could get a credit report listing all of your other info. How? Well the letter your school sends you probably has a verifiable address you've lived at for at least the past 6 months, it probably has your school id (network id, etc) where someone can jolly on to the school's website, type in the id and pull up your permanent address (white pages get the parents name/phone), get your birthdate, and any other info the school leaks.
So they call up the credit check company, give your name, your address, your parents address, your SSN, maybe your credit card number, your birthdate, and then they love to verify a loan for over a couple thousand dollars... like your student loan
Man, that was some tough work to get a college kid's entire credit report and start turning their life into a nightmare.....
I am assuming that to get the credit report you had to give this operation your SSN. If they're as dodgy as you suspect, that would be worrying me... FYI, http://www.annualcreditreport.com/ is the only site recommended for requesting the free government-mandated free annual credit report. And even there you should watch for pre-checked boxes requesting paid services you don't want.
Comply with Visa/MC's PCI (pdf warning):
http://usa.visa.com/download/business/accepting_visa/ops_risk_management/cisp_PCI_Data_Security_Standard.pdf?it=search
If it's information that you don't think someone who gets a backup tape should be able to read, then you better encrypt it.
At a minimum, you should look at encrypting all the account numbers, ssn's, credit card numbers, and the like. Encrypting text data -- such as names and addresses will likely impose a significant usability performance on your system.
Not quite true; a few are legally required to have it (EG: your bank, which is required to file tax forms with the IRS), but there aren't a lot. Government agencies entitled to ask are also required to provide the statute that says that they can.
In fact, on various forms, I give any of three different names (with or without my middle name, or with middle and first transposed) with my SSN.
You are in general legally allowed to use whatever name you want as an alias, save for purposes of committing criminal fraud. (EG; Johann Gambolputty de von...) I routinely give any of the 26 letters of the alphabet for my middle initial, in order to see where my junk mail comes from. A former friend of mine a few years back had secondary credit cards issued in the name of his SCA persona; he has a blast with telemarketers, since anyone asking for the persona gets to talk with someone extremely patient and polite... but utterly unfamiliar with anything that's happened since 1536. =)
But giving a false SSN (as opposed to a legal alias) is a different story, likely to be a headache for any living legitimate holder of that number (making Nixon's a good choice), and may be criminal fraud under some circumstances. If you're going to play games like that, be sure to check the law carefully first.
//Information does not want to be free; it wants to breed.
The IRS only started to ask for the SSN on tax documents in the mid 1970s. Part of this was to help with the automation of tax record keeping. They had access to the SSN earlier due to FICA information and other employer records, but at that time it was used only for payment into the social security trust fund directly, and tied more directly to the Social Security Administration.
In the mid-1970s the IRS decided to require you to demonstrate the existence of any dependants and/or spouse that you claim on the income tax return. Interestingly, about 10 million children suddenly ceased to exist as soon as this requirement was added, which encouraged Congress to expand the use of the SSN as a means to reduce fraud. Obviously the 10 million kids who disappeared never existed in the first place, and were often "made up" to help get a few more "dependents" to reduce tax liability.
I didn't apply for my SSN until I was 16 years old, and that was because I worked at a job that required a SSN for FICA payments. I didn't need it earlier. My children, on the other hand, had a social security application given to me in the hospital where they were born with a strongly worded statement that if I didn't apply while in the hospital that it would be considerably more difficult to apply afterward, and that I wouldn't be able to claim them for tax purposes until I applied for their SSN.
The number represented by the SSN is not that big of a deal to me, and is independent of the discussion regarding income taxes and social security existing at all. This is a number that is established by a government to uniquely identify all people within its borders. This unique identity can be done with letters or words even to make it less harsh, but that unique identity does have some practical value. I don't want to go to jail just because I happened to have the same name as somebody else who committed a crime, just as an example. That this number is tied to some political ideas that have sometimes negative connections leads to some general disparagement of the number in the first place. Also, being reduced to a mere number is a "de-humanizing" experience, and brings up things like soldier serial numbers and the numbers tattooed on Jews during the holocaust of Nazi Germany. Most people feel they are more than a mere number written down somewhere.
Hi There, after reading some of the replies, I'm not sure if you got your question answered. Organized crime has created a multi-billion dollar industry in theft of one's identity. Most people are consumed by the notion of credit card fraud/theft, yet according to the FTC (2004), credit card fraud represents less than 29 percent of the global problem. Keep in mind that someone can assume your identity and commit crimes in your name. They can get a job in your name, they make the money... guess who the IRS comes after for the taxes? There was a case of an Illinois man arrested for drug trafficking in California. He spent ten days in jail before they realized he'd never been to California. Try calling Citi-Bank to fix that problem. Feel free to watch the short movie at: http://www.prepaidlegal.com/idt/m_browne Hope you find value in the information provided.
I see there were some insightful comments to the original posting. But again, without a SSN one cannot get credit in anyone's name. I'm not blaming the college-age folks with no real-world experience talking about some things they only think makes sense. But to keep things on the same page, know these: Banks have many controls in place to protect themselves, customers' & customer data. Only a few of these controls are on the technical side. Frauds happen mostly in the areas of actual live paper (yes, it's not a paperless world), social engineering over the phone (sweet talking and sounding dumb over the phone, it's not a new trick). Auditors, examiners, & regulators are quite careful to know processes that take place. "Magnetic media" data protection is just one slice of the pizza. Don't go by media reports that sensationalize remote hacking attacks. Big banks are no longer targets, but their service providers are. This is because the SP's don't have the $$ that the bigger banks do. This makes them more of a target because they may also excuse not having the controls banks have in place because they are not regulated as heavily as the big banks are. Requirements are significantly less. It's those organizations that are targets because they may have the same customer data the big banks have in a less secure environment. Banks protect themselves by not releasing SSN's on customers and tracking them a different way. Hence, what would you really do if you got your hands on a payment statement? Could you make another payment for the person? See their balance?
This amuses me, considering that I work in a legal office and on our lawsuits we redact the defendant's SSN except for...you guessed it, the last 4 digits. Top flight security, that.
That seems, to me, to be a very odd choice given people born in the same area at a reasonably close time, will have those first five digits in common. (http://en.wikipedia.org/wiki/Social_Security_number_(United_States)) *shrug* Although I guess with a random enough sampling, it's about as close to random...
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
You ask what can be done with information about someone other than their SSN. First off, the SSN should only be released to the US Government. Anyone else asking for it is technically breaking the law. Let's run through a few use cases here.
1) I can call your bank, get your debit card reissued, and change the PIN number. Your checking account is now empty because I have your name, address, phone #, account #, and last three withdrawals.
I don't have an SSN.
2) I've just called the electric company and told them that you've moved. Your power is cut off and you come home to a nicely defrosted freezer. No SSN required.
3) Let's say I'm someone you know - an ex-boy or girl friend with a grudge. I can send spoofed emails to your work place, pretending to be from you, about your co-workers.
4) I can go and obtain identification that says I am you. Once I get the identification that says I am you, I can probably get your SSN from someplace like one of the credit bureaus.
Any piece of information that's leaked to me will allow me to obtain other bits that I don't already have in my possession. I don't understand why this question got asked in the first place. It's terribly basic.
2 cents,
Queen B
HDGary secures my bank
Don't let someone bring mail matter and abandon it in a box. A post office, regulated by the Domestic Mail Manual Service Regulations, can hold general delivery mail default for 30 days (strictly to the code), but when postal patrons and non-customers fall away from enforcing the code then they only hold the general delivery mail for about 10 days (as it is now). Any mail not delivered is stamped RETURN TO SENDER, NOT DELIVERABLE, or NO SUCH PERSON AT THIS or THAT ADDRESS.
General delivery has been used since the end of Lincoln's Civil War; in the "field." Technically, all mail matter dropped off in a box in the "field" is general delivery. Before general delivery, for thousands of years there was held first a general post. Also, look in the Civil Rights Act, as it plainly states that postal patrons do NOT present identification.
without prejudice
Everything /could/ be done without a ssn. A ssn is simply a "unique" number identifying who you are supposed to be. If the major Financial institutions decided to they could implement a system which assigned a different combination of public and private "keys" to provide the functionality of the ssn. And there are many other ways like the PGP key signings, which if tracked properly could allow for trusted and compromised id's.
--Tim
TKrabec Pahh
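As an added illustration (not code from any poster), here is a sketch of the idea raised in the two comments above that propose a public ID number paired with a secret key: the number stays public and a vendor is convinced only by a one-time proof that the agency checks. It assumes the earlier comment's model of a key shared by the person and the agency, implemented with HMAC-SHA256; the class, function and verifier names are hypothetical, and a public-key signature as in the PGP suggestion would let the agency hold no secret at all.

```python
import hashlib
import hmac
import json
import secrets


def make_proof(key, public_id, verifier, nonce):
    """Person's side: bind the proof to one ID, one verifier and one nonce."""
    # JSON array gives an unambiguous encoding of the three fields.
    msg = json.dumps([public_id, verifier, nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class IdentityAgency:
    """Hypothetical agency that shares one secret key with each enrolled person."""

    def __init__(self):
        self._keys = {}     # public_id -> secret key
        self._pending = {}  # nonce -> (public_id, verifier) awaiting a proof

    def enroll(self, public_id):
        key = secrets.token_bytes(32)
        self._keys[public_id] = key
        return key  # handed to the person once, never to vendors

    def new_challenge(self, public_id, verifier):
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (public_id, verifier)
        return nonce

    def verify(self, public_id, verifier, nonce, proof):
        # pop() makes every nonce single-use, so a captured proof cannot be replayed.
        if self._pending.pop(nonce, None) != (public_id, verifier):
            return False
        key = self._keys.get(public_id)
        if key is None:
            return False
        expected = make_proof(key, public_id, verifier, nonce)
        return hmac.compare_digest(expected, proof)


def demo():
    agency = IdentityAgency()
    public_id = "000-00-0000"  # constructed placeholder, not a real number
    key = agency.enroll(public_id)

    # 1. The enrolled person answers a fresh challenge for one vendor.
    n1 = agency.new_challenge(public_id, "bank.example")
    p1 = make_proof(key, public_id, "bank.example", n1)
    legitimate = agency.verify(public_id, "bank.example", n1, p1)

    # 2. The same proof presented a second time is rejected.
    replayed = agency.verify(public_id, "bank.example", n1, p1)

    # 3. Knowing the public number alone (no key) does not produce a valid proof.
    n2 = agency.new_challenge(public_id, "bank.example")
    guess = make_proof(secrets.token_bytes(32), public_id, "bank.example", n2)
    number_only = agency.verify(public_id, "bank.example", n2, guess)

    # 4. A proof made for one vendor is useless at a different vendor.
    n3 = agency.new_challenge(public_id, "bank.example")
    p3 = make_proof(key, public_id, "bank.example", n3)
    wrong_verifier = agency.verify(public_id, "lender.example", n3, p3)

    return {
        "legitimate": legitimate,
        "replayed": replayed,
        "number_only": number_only,
        "wrong_verifier": wrong_verifier,
    }


if __name__ == "__main__":
    print(demo())
```

The contrast with a static SSN or its last four digits is that nothing a clerk, a mailed statement or a leaked database sees here can be reused to pass a later check.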
I think the whole signature thing is stupid. I asked one merchant about them, and she said that she just throws them out at the end of the day.
Apologies if the merchant in question is someone you like or are close to, but: she's a moron. I handled till receipts of one kind or another in various jobs for a total of about 4 years. We were required to save the credit/debit card receipts for our own protection. It wasn't about protecting the customer at all (or at least, not so much), it was so that if the customer disputed a charge, we could immediately pull the receipt (or rather, the corporate office could) and demonstrate prima facie that a physical person wielding that card actually entered our shop and purchased goods or services for which they signed a charge slip as payment. If it were fraudulent and it slipped by us, it might still be reversed, but at least we would have performed some minimum amount of fiduciary duty rather than being a complete idiot about it.
If it had ever happened (although it didn't) that a customer disputed a charge and we couldn't do that, then it's game over, case closed, zip up your fly. Charges automatically reversed, and our merchant fees would go up if it happened often enough.
If word ever got out amongst this merchant's customers that she threw away their charge slips, a) they could start reversing charges willy-nilly on her and she'd end up broke and with no credit card capability and no recourse against either one, b) they'd likely be really pissed off that she was so cavalier with a sensitive legal document like that. That's how a lot of bad guys get your info in the first place -- dumpster-diving. If she's going to throw stuff like that away, she needs to burn it (your basic shredding isn't good enough, it's still too easy to piece that stuff together even with a crosscut shred).
-- Old Man Kensey
Arm-chair "patriots" are the fringe group that you speak-of; they don't study, don't know how to talk relative to the dispute at hand, don't use affidavits, and are not polite. In the Internal Revenue Code sworn to and from the agents of that INTERNAL REVENUE SERVICE, it is dubious as to the intent of the words "unlawful tax protester" that are privileged to an agent to distinguish and re-classify any (even non-subjective) person. It is not made clear whether a person is distinguished as an unlawful-tax protester or an unlawful tax-protester. Without even a jot of a pen, a person can be declared as such; packaged and sent to a grey hotel with bars on the windows and pay the exorbitant rent even when not given a key and compelled to sit.
Here is UNITED STATES CODE; TITLE 42 > CHAPTER 7 > SUBCHAPTER II > 408
408. Penalties
Release date: 2003-07-24
(a) In general
Whoever--
(6) willfully, knowingly, and with intent to deceive the Commissioner of Social Security as to his true identity (or the true identity of any other person) furnishes or causes to be furnished false information to the Commissioner of Social Security with respect to any information required by the Commissioner of Social Security in connection with the establishment and maintenance of the records provided for in section 405 (c)(2) of this title; or
(8) discloses, uses, or compels the disclosure of the social security number of any person in violation of the laws of the United States;
shall be guilty of a felony and upon conviction thereof shall be fined under title 18 or imprisoned for not more than five years, or both.
There is a distinction in the Internal Revenue Code between a SSN, a TIN, and an individual TIN (iTIN). The distinction is first seen in
CODE OF FEDERAL REGULATIONS, TITLE 26, SECTION 301.6019-1
Identifying numbers.
(a) In general--(1) Taxpayer identifying numbers--(i) Principal types. There are several types of taxpayer identifying numbers that include the following: social security numbers, Internal Revenue Service (IRS) individual taxpayer identification numbers, IRS adoption taxpayer identification numbers, and employer identification numbers. Social security numbers take the form 000-00-0000. IRS individual taxpayer identification numbers and IRS adoption taxpayer identification numbers also take the form 000-00-0000 but include a specific number or numbers designated by the IRS. Employer identification numbers take the form 00-0000000."
That Internal Revenue Code distinguishes and admits a SSN is the same form as a TIN and an individual TIN (hereinafter distinguished as ITIN). I have a quote from the Commissioner of Social Security, which I hope you have good faith exists, that I don't have time to search further in my records; Commissioner is approximately quoted that any a
without prejudice
You don't need to look far. Here is a resource of a particular Affidavit, for the North-Carolina American Republic, that shows the difference between the three United States and America. Enjoyable, that all the easy work has been done today; comes Now that hard work.
without prejudice
The reason people ask for the last four digits of your SSN is that with your name, address and the four digits, you can use ChoicePoint's ProId system to obtain the complete SSN, as well as your history of prior addresses. With this, it is trivial to convince your bank, etc. to open the door. The obvious question is how hard is it to get a commercial account at ChoicePoint. Check all the news stories from last January and Feb for that.
Actually, I'm certain that the truth about Dubya would have prevented him from having any political career at all.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
Bottom line is there is usually a way around having to give a SSN (In California for example you can just give the last four digits), if someone has the last four of your Credit Card number and your name they can find out all of the other information online with a little bit of effort, the more they get the easier it becomes.
I hate this other guy and want to take his money and screw him up. Gosh, there are so many ways but they all seem to need his SSN. Say, ./ folks: how can I make his life miserable and clean out his account even though I don't have that crucial bit of info?
Thanks,
some-guy-with-a-gmail-account.
... here in Nigeria. It really extends our horizons ...
Replace "personal machine" with "personal web site".
It's the classic Control vs Caching problem, the only way to control the data is to prevent, by law, caching of the data.
If anybody can keep a copy of your personal information, then nobody has control of your personal information, and that's the entire point. Only you should have control of your personal information.
I don't have an SSN (it's a voluntary system, even the SSA will freely tell you that). I have obtained a car loan, and they still found my info by using just name and address, then confirming some of my other accounts. I have a bank account, and same thing, they researched to make sure I didn't have some background of ripping off banks and writing bad checks.
The SSN is a convenient way to get everything under one unique key, but it's not the only way to find things. Name and birthdate are the other top identifiers. Address adds a lot, then you have the others like phone number, mother's maiden name, employer, etc. Any two or three of those are enough to learn most of the others. Once you have a few key items, your identity can be abused easily.
Let's go back to my car loan. They used my name and address to find my info. Asked about some accounts, if they were mine. Now at that point they were telling ME what the accounts are, and asking me to confirm them. Had I been a thief, I'd have that info to use in the future. They asked if I'd lived at a couple of former addresses on my record, again telling me, not asking me, what they were. More good info. They told me what my score was and what they could offer for terms. Note that all that happened WITHOUT SHOWING ID YET.
If I want to use your identity, I guarantee I can with just your name and address and a color printer and maybe a day's work. There are $500 printers on eBay that can make a duplicate of a state license that would fool anyone but an ID expert, right on a plastic card like our state uses. I take that and go test drive some cars, then social engineer my way into seeing the credit report. They aren't supposed to show it, but I've asked many times and nobody has refused (they want to sell a car, not piss you off). With all that extra info, I own you. If I really want to get fancy I check your trash for any mail or other interesting tidbits, but that's not really necessary.
If you start me out with even more data, the process becomes even faster. The SSN is just a frill, nice to have, but not necessary.
Hello,
If you were to somehow get someone's SSN through death record. For instance if no one filed a death record couldn't you say I need this information and give them some phony type of death record and say I need the SSN to fill in this info, and bob's your uncle you should be in like flint?
Example: give me a copy of one of your checks, and I could drain your entire checking account. That's without ANY access to your bank's computers or hacking any systems. Using a completely legal mechanism (in an illegal way). That is just one example of how vulnerable you are even without your SSN being compromised. Obviously, there's no way I will describe how to do it, but it's remarkably easy. In case you are wondering I am CEO of company in California called Truston that helps victims of ID theft and financial fraud. We're launching our web service in January 2006. http://www.trustoncorp.com/
How is it redundant? This occurs later on in the movie than the quote he originally posted.
Have you metamoderated recently?
Schools SELLING the STUDENT INFORMATION to outside sources need to learn a financial lesson of their own. Schools require a person's SSN# to be admitted...etc.
I "bought" a house in February. It was $100k. If I had put that same amount into Google stock I could have bought at least 3 houses of the same amount.
*rolls eyes* And if you'd put it on the table at Vegas, you might have easily multiplied your investment too. There was nothing certain about the Google IPO (assuming you were lucky enough to be able to get shares). It was a relatively safe risk given how long Google has been around and how good their public opinion is, but you could have just as easily lost out on it. Just look at the people who invested in Intel at the wrong time. Or worse, some of the Internet bubble start-ups...
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.