Slashdot Mirror
Identity Theft-What Can Really be Done w/o a SSN?
TheItalianGuy asks: "Many of us that work in the financial sector are bombarded with daily security threats. One of the biggest these days is Identity Theft. My fellow comrades and I have been really grilling each other on differing scenarios on what could be done with what information. However, it all seems to come back the the Social Security Number. Financial companies have other controls in place (customer service verification checking, account passwords, etc) to ensure identification. But in order to be of any use, a bad guy would really need someone's SSN. Absent of that, other information would be useless. Right? That's what I would like to ask Slashdot folks. What could be realistically done with customer information without a SSN? Account numbers, address, maybe a phone or payment amount. Is that really dangerous to the customer if only those get compromised?"
If you had someones birth certificate you could then find out their SSN. As well as apply for a passport.
It's called an aggregation attack. If you have all the pieces but the SSN, not only is it relatively trivial to obtain access to the SSN, but it's pretty much superceded by everything else.
The truth about Scientology, Xenu, and you: Operation Clambake
He needs to start by contacting the three big credit agencies and alert them to potential identity theft this will make opening a new CC or any new line of credit more difficult with only his SSN.
t mini.htm
... get on it immediately because the theives will as well.
Contact info:
# Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
# Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013
# TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
More information about what to do is at the FTC's website
http://www.ftc.gov/bcp/conline/pubs/credit/idthef
Please check out the section titled: "IDENTITY THEFT VICTIMS: IMMEDIATE STEPS". Tell him not to wait on this
We don't need no stinking sig!
I'm pretty sure the grandparent post meant that the SSN is used as a Personal Identification Number, in that services require you to give them the last four digits of your SSN in order to verify that you are who you say you are (which is what a PIN does), and for that purpose it is a poor form of personal identification. I don't think that GP meant it's a bad idea to use your SSN as a PIN number... that's pretty much a given (I hope).
(Disclaimer: I am not a security expert. I am not a financial expert. I am not any kind of expert. Don't blame me if sh?t hits your fan.)
Let's say you want to purchase something online with credit. But you don't want your credit card number floating around in various databases on the internet. And you don't like entering it multiple times into multiple websites; this increases the chances that someone will attack you successfully.
So you go to your credit card's website (which you trust). You tell them you want to make an online purchase of no more than $500 (let's say), and you want to do it this month. They give you a fake credit card number X and tie it to your real credit account.
When you go to pay for your item from company foo.com, you give them credit card number X. Now foo.com alerts your credit card company you've used X to make a purchase of (let's say) $400.
The credit card company notes this transaction, and from now on, X can only be used to make purchases from foo.com. So if Mallory was sniffing your traffic and decides to make a porn site purchase two hours later, he will be unsuccessful. Or if the folks at foo.com try to cheat you and charge you twice for your $400 purchase, they too will be unsuccessful (because that would put X over the $500 limit you set).
Also, after that one month time limit, the X itself expires so that even foo.com can't use it anymore.
You can make a separate fake credit card number for every company you intend to buy something from online. If any one of them is sniffed, the damage is minimal. I know for a fact that CitiBank offers this service -- I'm sure plenty of others do as well.
1) Walk into registrar of Births/Deaths/Marriages
2) Claims to be Joe Bloggs, citing correct date and place of birth
3) Walk out with birth certificate for Joe Bloggs
4) Get driver's licence in name of Joe Bloggs
5) Get bank account in name of Joe Bloggs
6) Engage in fraud as Joe Bloggs, getting hold of $500k worth of stuff on 7-day invoices
8) Ditch all identifying material, returning to your old identity
9) Watch in the news some weeks later about some poor sucker called Joe Bloggs who is up on counts of fraud totalling $1M odd.
Did you hear this on daytime talk radio or something? This is stupid for several reasons:
First, contrary to popular belief, the sig on the back of the card is not there for identification purposes, but rather to indicate that you accept the terms of your cardholder agreement. If you do not sign the card, you cannot legally use it. Period.
Second, if you want to protect yourself, you are much better using a credit card than a debit card. A typical credit card has a much better fraud protection policy than a debit card (might want to read the terms of service). Also, if your account is accessed illegally, with a credit card they have the credit card company's money (or actually, the store's money) while for a debit card they have drained real money from your personal checking account.
Third, the merchant is not required to obey your stupid writing on the back. In fact, if they are doing their job they would require you to sign the card for real to make sure you have agreed to the terms of service. That is why it is perfectly reasonable for a clerk to ask you to sign a card that you present to them unsigned - because your signature is not for ID purposes.
Lastly - most identity theft happens WITHOUT STEALING YOUR PHYSICAL CARD. Geez.
Your cop and lawyer friends either don't like you, or perhaps have merely assumed the identity of lawyers and cops in order to get personal information out of you. You didn't show them your card, did you?
The first three numbers refer to the area. There was a 001-01-0001, although it wasn't the "first issued". Read all about it: First SSN & Lowest Number.
Not only does this information jump start a police investigation, but it also tells you which database was broken into and thus which set of customers to warn about possible impending credit card fraud.
I had my identity stolen without the use of my SSN and it took me several years to clear my name. In short, a small, scrawy, red-headed meth-head tweaker got a drivers license issued by the state in my name. I was lucky enough to have a detective on the other side of the state alert me a day before a warrant was to be issued in my name.
So in a six month period this idiot was able to get my license suspended in three counties, multiple traffic violations, driving without insurance infractions, driving a stolen vehicle, and countless drug dealing and drug possession charges.
Can someone do damage without your SSN? F$CKiN A! I spend countless hours appearing in front of Judges, DA's, Court Clerks, Law Enforcement Officers, and lawyers and regardless of how much evidence I had, I was regarded with contempt and suspicion until someone could verify I wasn't lying and pardon me.
In the end they caught the son of a bitch and he did 18 months for the Identity Theft charges (He's still in pound me in the ass state prison due to all the other charges in his name and my name). The interesting point is that I had to argue in front of a judge that it would be pointless to keep a drug charge on my record that I didn't commit just so that they could track the crime back to me from his record. By the way, they dropped the drug charges because he pled guilty to ID theft (that's how I got the last stain on my record removed). Government...
The time I lost in wages (I was a contractor at the time) and the hell he put me through trying to clear my name which isn't easy when people look at their computer screens and think your a drug dealin dope fiend is enough for me to hope he's still being anal raped by some large man named Bubba. So you ask the question can someone cause damage without your SSN? They could send you to prison if you don't find out in time and clear your name. All they need is a few corrupt government employees and your first and last name.