Slashdot Mirror

← Back to Stories (view on slashdot.org)

Identity Theft-What Can Really be Done w/o a SSN?

Posted by Cliff on from the protecting-your-data dept.

TheItalianGuy asks: "Many of us that work in the financial sector are bombarded with daily security threats. One of the biggest these days is Identity Theft. My fellow comrades and I have been really grilling each other on differing scenarios on what could be done with what information. However, it all seems to come back the the Social Security Number. Financial companies have other controls in place (customer service verification checking, account passwords, etc) to ensure identification. But in order to be of any use, a bad guy would really need someone's SSN. Absent of that, other information would be useless. Right? That's what I would like to ask Slashdot folks. What could be realistically done with customer information without a SSN? Account numbers, address, maybe a phone or payment amount. Is that really dangerous to the customer if only those get compromised?"

6 of 533 comments (clear)

  1. Considering... by Jace+of+Fuse! · · Score: 5, Insightful

    Considering so many uses only request the last four digits, that makes the SSN a really insecure PIN in some cases. Insecure because it's only 4 digits, and because it never changes.

    --

    "Everything you know is wrong. (And stupid.)"

    Moderation Totals: Wrong=2, Stupid=3, Total=5.
    1. Re:Considering... by shanen · · Score: 4, Insightful
      Anyone who is dumb enough to use part of their SSN as a PIN deserves whatever happens. My own policy is to generate a random number each time I need a new PIN. (Four coin tosses per digit, converting from hex to decimal. Actually less, since 11 and 101 are terminators.)

      Anyway, the entire question of personal privacy is rapidly becoming moot. It's not just that our fear-mongering overlords want more power over each of us, but also that we have no barrier to protect privacy in this modern age. Do you have any idea how much of your personal data is stored out there? Of course not--but the organizations storing it (mostly companies and governments) can do whatever they want with it. My contention is that we need to extend the Bill of Rights to explicitly state that your personal information is part of your property and should be protected from search or seizure without probable cause.

      --
      Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
  2. Why is that even the question? by Pantero+Blanco · · Score: 4, Insightful

    Considering that acquiring the SSNs of large groups of people is as easy as getting a desk job in certain businesses or educational institutions, I'd say getting an SSN is probably the EASY part of identity theft. How much can be done without having one would seem to be a moot point.

  3. Re:Bank card number by PCM2 · · Score: 4, Insightful
    At least in Texas, the checking account-linked debit cards offer no protection, and no recompense in the case of fraud.
    I'm not sure what you mean by "check card" in the above, but the protections on ATM debit cards in Texas are similar, though not the same, as the protections afforded to credit cards. You are not liable above $50, provided you report the card stolen in a timely fashion.
    --
    Breakfast served all day!
  4. Re:SSN by happynut · · Score: 5, Insightful
    It's actually never legally allowed to require a social security number; "they" can request it, but not demand it, unless "they" are a government agency
    This is somewhat true, but pretty misleading. Private companies cannot require a social security number, but they can make providing it a condition of doing business with you.

    For more info, see:

    http://www.faqs.org/faqs/privacy/ssn-faq/
    http://archive.cpsr.net/cpsr/privacy/ssn/SSN-Priva te.html

  5. Re:What I feel by Eivind · · Score: 4, Insightful
    Just because you know my name, doesn't prove you are me, neither should knowing my SSN

    Bingo.

    It's two different problems really. One is: How do you get a unique handle on a person ? As you say, name won't work, there's more than one "John Smith", adding in physical adress leads to duplication, because people move, so "John Smith, Bourbon Street" can very well be the same person as "John Smith, Pennsylvania Avenue".

    Adding birthdate helps, but is still no guarantee, there could be two John Smiths both born on say 9.9.1979

    For this problem the SSN is a decent solution. If we're talking of the person with SSN XXXXXXXX it's pretty likely we're talking of the same person, assuming every person has exactly one SSN (which ain't true, but it's atleast sorta close)

    However SSN is a *lousy* way of verifying identity. Knowing it is no evidence at all that you are the person to which the number belongs.

    Over the course of a life you hand out your SSN to several dozens or even several hundred different entities, you don't want all of those to later be able to pretend to be you. (or someone breaking into the computer of one of those)