Slashdot Mirror
Identity Theft-What Can Really be Done w/o a SSN?
TheItalianGuy asks: "Many of us that work in the financial sector are bombarded with daily security threats. One of the biggest these days is Identity Theft. My fellow comrades and I have been really grilling each other on differing scenarios on what could be done with what information. However, it all seems to come back the the Social Security Number. Financial companies have other controls in place (customer service verification checking, account passwords, etc) to ensure identification. But in order to be of any use, a bad guy would really need someone's SSN. Absent of that, other information would be useless. Right? That's what I would like to ask Slashdot folks. What could be realistically done with customer information without a SSN? Account numbers, address, maybe a phone or payment amount. Is that really dangerous to the customer if only those get compromised?"
Some companies don't check your SSN, so you (and everyone else) could use a fake SSN to register there. And if you have the social skills, you can talk allot of companies to give you the SSN that goes with the name. Off course I'm talking about crappy companies, but there are allot of crappy companies that require you to give your SSN to register for their services.
Why does every company still legally insist you provide that information? Isn't it illegal to ask if you're NOT a federal institution.
I've worked for companies who game my SSN to my health-insurance company as my member ID. Why do they need it, and what the hell is it being used for as my member ID? Yes, with you SSN, people can do a lot of evil things. Handing it out willy-nilly (without asking you) is jut as bad.
But why is it legal for an employer to just hand this out to third parties? I think the abuses of how people use SSNs stems from the fact that way too many companies ask for it, and way too many companies hand it out to their vendors without any real regulatory restraints.
IMO, it should be illegal to pass out that information without my consent. But I've seen too many examples of my employer passing it on without asking me.
Lost at C:>. Found at C.
Incidentally, Richard Nixon's social security number is 567-68-0515; there are many cases where a given agency doesn't actually need your number, and it's perfectly appropriate to give them his instead. Have fun.
I used to carry a bottle of whiskey for snake bite. And two snakes. -Nefarious Wheel
I hate to flip the question at hand on its head, but a friend of mine got himself into a potential landmine of a problem last week when he possibly *LOST* his SS ID card at the subway station. (We're all still praying for him to find it elsewhere, but the chances of that are pretty grim. Guess that'll teach him to start using a wallet like us normal people. But a better lesson would probably be to just not carry the damn thing around - how hard is it to memorize 9 digits anyway?) He said he didn't think a person's SSN could be changed. Any advice on what he should do or be prepared to deal with?
Stay sentient. Don't drink bad milk.
I never thought I'd have an issue with identity theft, as a Vice President at a top 5 U.S. bank (in IT, of course). Two years ago, I was building a MythTV DVR PC, and wanted to get a good deal. I scoured the internet for the lowest prices on every individual component, and along the way, apparently ended up giving my Visa CheckCard number to the wrong person.
Suffice to say, they did not need my SSN, or anything beyond what would normally be used to purchase items online. I found out when my card was denied at a store - the theif had emptied my primary checking account, and because I had overdraft protection, the attached savings account in one night. Nice thing was, the bank immediately reimbursed me for the fraudlent purchases, followed up with the police, and prosecuted. (Not simply because I am an employee, mind you - but I did get something most people in my situation don't, follow-up. Typically, the bank reimburses a customer and follows up with the authorities separately - without ever contacting the customer again unless required.)
Now, I use a random card number service associated with my credit card to purchase anything on the internet. It may not be the worst form of identity theft, but it can be inconvient, expensive, and time-consuming to recover. I had to deal with bounced checks for bills, and set the fraud alert on my credit bureaus as a result of this. It's certainly worth using a temporary card service if your bank or credit card company offer it.
Just my "It happened to me" tale, but it's one we hear over and over again these days.
"Adventure? Excitement? A Jedi craves not these things."
I remember reading an article where a reporter gave someone who specializes in digging up info on people just HIS NAME. No SSN.
A little while later he managed to figure out the SSN. He used that to get credit reports. Once he had the credit reports, he found out every conceivable bit of personal info.
Within 3 weeks, the expert got the reporter's complete bank statements, all stock accounts, he knew every financial detail you can imagine. He even found some accounts the reporter had forgotten about. He said, "the only thing I can't get are medical records because those aren't digitally stored" -- well that's changing too of course.
How did he do it? Once he got the credit report, he would just call up a bank or brokerage house and announce in a loud, authoritative voice "I'm conduction an *offical* investigation into such and such and I need this and that info" and because he knew how to do it correctly the person on the other end would blurt everything out immediately almost 100% of the time.
I've been helping a relative with Alzheimer's, and I've been able to do pretty much anything I wanted, aside from dealing with actual money.
Telephone service is particularly easy to mess with; I just called repairs and ordered service changes and no attempt was ever made to check on me. I was able to add and delete services, change phone numbers and billing addresses, etc. I didn't even have be at the service location to order any changes.
For utility accounts, all the info I've ever needed was on the bills. Again, I was able to change services, update billing records, etc. all without any difficulty. It's been very convenient for me to be able to set things up without having to muck around with Powers of Attorney and so on, but it gives me the shivers to realize what must be possible to one "skilled in the arts".
Once you have utility bills with your address on them you can establish a residence and a lot of stuff follows from that. For instance, I could easily get a library card and enroll my kids in school in the town where this relative lives.
With a little bit of creativity I could probably do stuff with money, too. I guess it's a good thing I'm honest, huh?
I suppose it all depends on what you consider to be potentially damaging information. You may not be able to run up my credit card if you possess my account number with my cellphone company but you will have access to information I consider private. Imagine, for example, an employer suspecting you of having contact with a rival company. It would be possible, with information other than your SSN, to obtain copies of your call records. I would consider this a breach of privacy and potentially damaging.
I expect (though I don't always trust) any company I give my personal information to keep that information private no matter what that company perceives the potential damage of that information to be. The bad guys are often more inovative than the good guys and who knows what they can do with any given piece of data?
Seriously - almost every financial transaction needs this number
I don't need an SSN to withdraw money from my ATM, or make a deposit. And it should be kept that way. Anything that has a frequent transaction rate (financial transactions, university logins, bank logins, etc) should never use anything involving a SSN. By increasing the frequency of transactions involving SSN, you remove the user's will to protect this number. It begins to become more of a hassle for them to use this number, thus they'll do anything they want to make it easier for them to use the number (writing it down on notes, cards, sharing is easily to get from step A to step B). By making it rare to use the number, you also increase the user's protectiveness towards the number as well as the amount of information in exsistence using the number (transaction receipets, database entries, etc), causing eless things to become compromised. So if we apply the same ideas, any number, or piece of information that is used freequently, can be easily obtained. While information that is not frequently used, is harder to obtain, and more easier to secure since you have less of a paper-trail.
A little old lady had moved a year earlier, and a credit card co. sent her "checks" to use against her credit card... to the old address. So, whoever moved in there (or whoever stole the mail) was using the checks before they expired for things that were nondescript. Wrote the checks to pay some bills and buy some things, local address sure come on in no id required.Yes it is that easy and that simple. However, if you have all the pieces it gets much worse.
I'm waiting for RIDS - Retinal Identification System, gonna use my glass eye, eh Sammy?
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
I talked with a few lawyer and cop friends about this and put on the back of my check card (I don't use credit cards), "ASK FOR PHOTO ID" in big, red letters. My understanding is since I've notified the Credit Union of this, in writing, if anyone uses a fake card in person, or steals it and doesn't show an ID, the merchant is at fault, since they did not check the signature and ask for the ID, as stated in place of the signature. I don't worry too much about it, though. They are excellent at detecting any sign of fraud activity, and have called me several times to verify transactions outside of my normal purchase habits. I'd much rather get false alarms like that then have them ignore it.
I don't know about anyone else, however I view information such as you've listed as being privileged. Said information may not be so described legally as being privileged or confidential, but that's just how I feel about them. SSN is the most critical of course, but you said discount it. Account numbers, mailing address, Names, birthdates, familial relations and phone numbers could all be gleaned by some amount of investigation by a person or persons so inclined at getting it; it'd be a lot of work, but it could be done. You then have a picture of "me," who I am, what I do, why I do, etc. You might be able to do something with this, like call up Dominoes and order a pizza, or get online and buy a book from Amazon. If you call the right guy at 1st National Bank of Bumfuck, you might just be able to break into my account and steal my money; how much is that guy getting paid to look out for my interests?
All this being said, if a company doesn't do what I consider adequate protection of my information, I don't want to do business with them. It's not that a malicious user couldn't get it any other way; I just don't want to make it any easier for them to get to me. Let them go hog-heaven on the blue-hairs that don't know any better.
And I haven't even talked about your real question. What could one do with a "lowly" account number? Well you tell me. Let's say that's all Joey Malicious has on me. Has he hacked in to your network? Does he have access to your applications and know how to use them? Do you KNOW he hasn't? All I know is that when I call the credit card company, they want the account number and SSN. Are they typing it in with me and can't proceed without me, or are they verifying my answers against what they see on the screen?
What if Joe Malicious works for your company? I'd say you, as a member in the financial industry, are in a much better place to answer this question. YOU need to tell ME that my fears are unfounded, that technically Jane Helper can't review my account info and do a transfer without my account number AND SSN AND mothers maiden name AND first-born sons' DNA because she has to enter it into the system as well. Of course, most financial institutions don't disclose their security practices (or lack thereof) for obvious reasons. None of us outside your "closed-source" way of operating can truly trust the process. All we know is that the threat is real, and we have little control of the problem.
In Australia, the closest equivalent we have is the TFN (Tax File Number). The only people that end up with it are:
As far as I can tell, it is NOT an offence to refuse to give it to any of these groups. That includes the Tax Office themselves. There are consequences of not quoting it, however. Namely, all tax payable is taken out at the maximum tax rate. To not give it to the ATO means that your tax return can be delayed while they search for you by name and DOB.
Also, it's pretty crap as ID for banks, because all they get is a small note on the screen of your account details that says "TFN received" or similar. This makes much more sense, IMHO.
In theory there is no difference between theory and practice.
In practice, however, there is.
All you need is one piece of information if you are a good con man.
In other words, the SSN may in fact be critical to most realy disastrous identity thefts, but a smart thief can get the SSN based on very little prior information.
For example, you can get a official copy of a birth certificate with a wink and a smile. With that you can register for classes at the local community college. A student ID with your birth certificate is enough to get your Social Security card, even if you don't know the number. Student ID can also qualify as proof of residence in an area, which combined with the aforementioned social security card and birth certificate is enough to get a state ID or drivers license.
Badda boom, you have a complete identity, including paper trail, without anything more complicated than forging a signature
From my ideas page.
A private-key credit/debit card.
Prevent identity theft (if you can keep your hands on your card) by using challenge-response authentication. The POS terminal sends your card a challenge, the card encrypts the challenge and sends it back, and the POS terminal checks it using your card's public key (which it fetches from the credit card company). Bonus points: put a key pad on the card, so that your key is protected with a password, and you know your password isn't going into random hostile machines.
I've had a Sprint cell phone account with a fake SSN for two years.
One might argue that, considering most people who receive email still respond to phishing attacks (I cannot quote the number off-hand, but I know it was recently posted on a major), that any other seemingly innocuous information could be used to fashion target-specific phishing attacks. It seems probable that a regular person (my grandmother, aunt, father, etc.), already succeptible to scams, would be doubly so if transaction/account/address-specific information were included. All scams rely on the illusion of credibility and the addition of ANY specific information, regardless of source, gives credence to what should be dismissed offhand.
Since Social Security numbers are non-random, could they be sourced? The first 3 digits are where you were born geographically, and if you knew the year, you could narrow it down to a few thousand possibilities, right? then use death records or something to narrow that further?
I don't know what impact this has on the discussion, but it seemed important to consider.
As we understand it now, someone hacked into the student directory database (or a student with access sold the data) and we all started getting calls to our dorm phones. I personally recieved two calls as did at least one person per room (which is abnormal since it has only been a month and a half and none of us use these numbers) telling me something about sending me a credit card. I never stayed on the line long enough (if I wanted one I would get it myself, never succomb to the telemarketers so I hung up the first time and the second time I acted really excited about it until a point...then I asked if she liked it up the ass...she asked "did you learn that in school" with a bad accent) but apparently some people did and ended up giving away all of their info including SSN.
These people should be smart, they go to a top university, but they still gave out their info to a telemarketer and now most of them have finished talking to the authorities about it.
Bottles.
To elaborate (but at risk of going off-topic), the basic idea is that if someone wants to store information about you, you should have the right to make them store it on your machine. They can sign it or whatever to prevent you from tampering with it, but if they want to see it again, they should have to ask your permission. As long as it's reasonable, you can let them see it--unless you change your mind. Even including your SSN.
This is not really as radical as it might seem. Only a few years ago, pretty much all of your personal information was stored in your punkin head, so to speak. If someone wanted to know about you, they HAD to ask you. From that perspective, the essential principle of the Fifth Amendment is that you didn't have to tell them if you don't feel like it. However, these days it is increasingly less necessary to ask you anything--someone else already owns your data.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
Well, for total identity theft you probably need the SSN. However, a lot can be done without the SSN. Given someone's name, address and birthdate you can get a forged driver's license that'll fool most clerks. If you also have their driver's license number, it'll fool most electronic checking systems as well. Know their checking account number and that gives you enough to write checks in their name. Know their credit-card number and expiration date and you've got enough to run most credit-card transactions. Just knowing the name and checking account number gives you enough to submit an electronic check against their account (you'll have to move fast to get the money out of your account and disappear before they notice the discrepancy, but if you've got that forged driver's license you can probably open a throwaway account easily enough).
Looking at it, a name and date and place of birth seems to be enough in most cases to get an official, certified birth certificate for that person sent to you. Just make sure to pay by money order, not credit card. A birth certificate's a stepping-stone to a lot of... interesting things.
Each and every entity above can revoke the key at any time.
Merchant can revoke a transaction or deny a consumer (due to poor credit). Consumer can revoke identity if stolen with assurance it won't be used again ever. Arbitrator can authenticate/reject for both parties.
Zero identity theft.
This would require a smartcard that generates rotating public key protected by a PIN/fingerprint (I'm not big on biometric, but consumer ease of use is the key here).
Significant technical hurdles remains with regard to "WHOM" process the public-private key verification as it takes CPU-time. Perhaps the smartcard has advanced enough to the point where it can sign the keys.
Fourth: You bring up 2 points about the signature. You say, "the merchant is not required to obey your stupid writing on the back." Then, in the same paragraph (actually, the next sentence), you say, "In fact, if they are doing their job they would require you to sign the card for real to make sure you have agreed to the terms of service." Do you always go back and forth on everything like that? Yes, it is supposed to be signed, and my note requires them to check for ID, which is signed. I checked, and it counts. So, in line with your 2nd sentence, yes, they are supposed to check -- which contradicts your 1st sentence.
---
There is no flip-flopping involved. I'm going to call you Bob, and your bank CitiJoe for clarity. The merchant (as in, the person that you are paying money, which CitiJoe will transfer them money, knowing they can collect from Bob, which is you) has no obligation to follow any instruction written by Bob on the credit card. They are under no contract with you. You present your card, and since it has the visa logo on it, they understand that they can figure out that your bank is CitiJoe and that CitiJoe will pay them the money. The merchant could care less who you are, as long as someone pays for their merchandise. In this case, it is CitiJoe. In the meantime, there are contractual obligations between the merchant and Visa that requires all credit cards presented to be signed by the user of the card. By signing the card, you are agreeing to the terms of service of the card, as was mentioned in the GP. If you look at the back of the card, it says "Authorized Signature - Not valid unless signed." This means that the Credit card is not valid to be used in any facility if it is not signed. Since it is not signed, it is not valid, and cannot be used. If you write "SEE ID," then you have not signed the card, and have not agreed to the terms of the card, and cannot use the card. Is this clear? No flip-flopping involved.
In fact, merchants are not supposed to require your ID at all. Somewhere along the line, the credit card execs wanted to make credit cards "easier" than checks, and not require presenting identification because that makes it less easy than checks. However, this regulation is usually relaxed because of paranoid people like you.
bananas like monkeys.
Odd. Im an Australian citizen that lived for a short time in California. I have an American Citibank account that I opened using my passport and nuttin more. Dont have a SSN or greencard(I was working remotely... wasnt breaking any immigrantion laws).
An SSN is not a password. This focus on SSN secreacy is fucking stupid. SSN should not be used they way it is. If I become a victim, you can bet id sue the organizations that lend credit or anything in my name with a mere SSN...
;)
And of course were going the other way. Credit cards require less and less verification. I wonder whats their source of income when they loose money, that encourages them to be so lax. Its not odd that the media keeps pushing the idea that identity theft forces the victim to pay up as opposed to the company that allowed it
I'm pretty sure the grandparent post meant that the SSN is used as a Personal Identification Number, in that services require you to give them the last four digits of your SSN in order to verify that you are who you say you are (which is what a PIN does), and for that purpose it is a poor form of personal identification.
And you seriously can't consider tossing a coin 16 times to generate four random numbers anything but neurotic. It would be quicker to just look at four license plates passing by and take the first number from each one.
My grandmother was paranoid about her SSN and its privacy. She did not give it out to anyone. Most people's drivers license numbers are their ssn too, but hers was a different number by her request.
She spent about an hour at Sears one day, trying to apply for a Sears charge card. They requested her ssn, but she would not give it. After about an hour of them calling around to figure out what to do about it, she did get the charge card and did not have to give her ssn, but the drones at the counter had to scramble for an entire hour to figure out how to get her the card without her ssn.
So while this may be possible, it is not always easy.
Also remember, for things like business transactions, in most cases they can require you to do anything short of violate your civil rights. Your option of course is to just not do business with them. AFAIK, not having to give out your ssn is not a civil right, so they could make this a requirement for them to do business with you?
Also, it's possible that what you are getting (cc, or whatever) is using your ssn as a unique identifier. So if you use a popular ssn, or really anything short of your ssn, you are risking duplication in their database. It won't be so funny when you start receiving credit card bills from 10 other people that are all using Nixon's ssn for their IDs. It looks reasonably safe to make up a number starting with 000, since that region code was not used. For simplicity sake you might just change the first three to 000. Again this could potentially produce database duplication, but the odds would be greatly reduced.
It's also possible that some automated processing may choke on a number that starts with 000, simply because according to the rules it's not supposed to exist. (that could actually be somewhat humorous, I bet you could crash numerous data processing systems with an array-out-of-bounds error when it tries to hash sort your SSN)
I work for the Department of Redundancy Department.
I don't mean to minimize the life experience you describe, and there is absolutely no justification for the actions of the drugged idiot who screwed up your ID, but I have to ask this:
Analytically, can you really make an equivalence between the hours of your life that were 'stolen' from you, the angst, frustration, and contempt that you felt, and having someone anally rape the perpetrator?
You are justifiably angry with the person who selfishly stole your identity so that he could live without consequences, but would it be just for him to be sexually abused while doing his prison time?
Respectfully,
Anomaly
But Herr Heisenberg, how does the electron know when I'm looking?
I should state that all documents were shredded after collection and that no information was actualy used in any malicious manor.
... enough for me to hope he's still being anal raped by some large man named Bubba.
Dude. Regardless of him getting caught, its pretty clear that you were and are much better off, even considering what he did "to you". Even though (I'm assuming here) he didn't know you or do it intentionally to you.
Nobody deserves to be raped. To me its the most degrading thing you can do to a person. The only thing I can think of thats in the same ballpark or worse is torture over time. Rape is not a sexual thing, its a power thing. In prison, you don't have too much power over jack anymore, so establishing dominance over others that is not easily punishable is a thing to do. Rape is one best way to establish said power, and there are few consequences involved.
I've been in jail once for a nonviolent offense in which nobody was hurt, and one morning I was brushing my teeth and out of corner of my right eye I saw a large man, maybe named Bubba, that was looking out of my cell door "to see if the coast was clear". I was terrified, but I had to do something, so I asked him "What's up?" He kept looking, and I heard some people outside in the common area picking a fight or whatever. He was just trying to stay out of it, but let me tell you, I was very scared.
As I said, the whole time you were indirectly and directly involved with this guy, he was already worse off than you. There is no reason to add insult to injury. Maybe this happened to you to teach you some compassion for people. I dunno. But wishing rape on anybody, is pretty fucked up in my opinion.