Slashdot Mirror
Identity Theft-What Can Really be Done w/o a SSN?
TheItalianGuy asks: "Many of us that work in the financial sector are bombarded with daily security threats. One of the biggest these days is Identity Theft. My fellow comrades and I have been really grilling each other on differing scenarios on what could be done with what information. However, it all seems to come back the the Social Security Number. Financial companies have other controls in place (customer service verification checking, account passwords, etc) to ensure identification. But in order to be of any use, a bad guy would really need someone's SSN. Absent of that, other information would be useless. Right? That's what I would like to ask Slashdot folks. What could be realistically done with customer information without a SSN? Account numbers, address, maybe a phone or payment amount. Is that really dangerous to the customer if only those get compromised?"
Considering so many uses only request the last four digits, that makes the SSN a really insecure PIN in some cases. Insecure because it's only 4 digits, and because it never changes.
"Everything you know is wrong. (And stupid.)"
Moderation Totals: Wrong=2, Stupid=3, Total=5.
If you had someones birth certificate you could then find out their SSN. As well as apply for a passport.
It's called an aggregation attack. If you have all the pieces but the SSN, not only is it relatively trivial to obtain access to the SSN, but it's pretty much superceded by everything else.
The truth about Scientology, Xenu, and you: Operation Clambake
Incidentally, Richard Nixon's social security number is 567-68-0515; there are many cases where a given agency doesn't actually need your number, and it's perfectly appropriate to give them his instead. Have fun.
I used to carry a bottle of whiskey for snake bite. And two snakes. -Nefarious Wheel
I never thought I'd have an issue with identity theft, as a Vice President at a top 5 U.S. bank (in IT, of course). Two years ago, I was building a MythTV DVR PC, and wanted to get a good deal. I scoured the internet for the lowest prices on every individual component, and along the way, apparently ended up giving my Visa CheckCard number to the wrong person.
Suffice to say, they did not need my SSN, or anything beyond what would normally be used to purchase items online. I found out when my card was denied at a store - the theif had emptied my primary checking account, and because I had overdraft protection, the attached savings account in one night. Nice thing was, the bank immediately reimbursed me for the fraudlent purchases, followed up with the police, and prosecuted. (Not simply because I am an employee, mind you - but I did get something most people in my situation don't, follow-up. Typically, the bank reimburses a customer and follows up with the authorities separately - without ever contacting the customer again unless required.)
Now, I use a random card number service associated with my credit card to purchase anything on the internet. It may not be the worst form of identity theft, but it can be inconvient, expensive, and time-consuming to recover. I had to deal with bounced checks for bills, and set the fraud alert on my credit bureaus as a result of this. It's certainly worth using a temporary card service if your bank or credit card company offer it.
Just my "It happened to me" tale, but it's one we hear over and over again these days.
"Adventure? Excitement? A Jedi craves not these things."
"Attack submarine, designed to seek and destroy enemy submarines and surface ships. Their other missions range from intelligence collection and special forces delivery to anti-ship and strike warfare. It is a multi-mission vessel, capable of deploying to forward ocean areas to search out and destroy enemy submarines and surface ships and to fire missiles in support of other forces."
Sounds pretty serious. If you have an SSN, you should definitely not let another person or country get hold of it. Frankly, I'm amazed that anyone in America can get an SSN, but that's liberty for you.
I've been helping a relative with Alzheimer's, and I've been able to do pretty much anything I wanted, aside from dealing with actual money.
Telephone service is particularly easy to mess with; I just called repairs and ordered service changes and no attempt was ever made to check on me. I was able to add and delete services, change phone numbers and billing addresses, etc. I didn't even have be at the service location to order any changes.
For utility accounts, all the info I've ever needed was on the bills. Again, I was able to change services, update billing records, etc. all without any difficulty. It's been very convenient for me to be able to set things up without having to muck around with Powers of Attorney and so on, but it gives me the shivers to realize what must be possible to one "skilled in the arts".
Once you have utility bills with your address on them you can establish a residence and a lot of stuff follows from that. For instance, I could easily get a library card and enroll my kids in school in the town where this relative lives.
With a little bit of creativity I could probably do stuff with money, too. I guess it's a good thing I'm honest, huh?
Considering that acquiring the SSNs of large groups of people is as easy as getting a desk job in certain businesses or educational institutions, I'd say getting an SSN is probably the EASY part of identity theft. How much can be done without having one would seem to be a moot point.
Mine is 000-00-0002 (Damn Roosevelt!)
A little old lady had moved a year earlier, and a credit card co. sent her "checks" to use against her credit card... to the old address. So, whoever moved in there (or whoever stole the mail) was using the checks before they expired for things that were nondescript. Wrote the checks to pay some bills and buy some things, local address sure come on in no id required.Yes it is that easy and that simple. However, if you have all the pieces it gets much worse.
I'm waiting for RIDS - Retinal Identification System, gonna use my glass eye, eh Sammy?
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
I talked with a few lawyer and cop friends about this and put on the back of my check card (I don't use credit cards), "ASK FOR PHOTO ID" in big, red letters. My understanding is since I've notified the Credit Union of this, in writing, if anyone uses a fake card in person, or steals it and doesn't show an ID, the merchant is at fault, since they did not check the signature and ask for the ID, as stated in place of the signature. I don't worry too much about it, though. They are excellent at detecting any sign of fraud activity, and have called me several times to verify transactions outside of my normal purchase habits. I'd much rather get false alarms like that then have them ignore it.
Breakfast served all day!
All you need is one piece of information if you are a good con man.
In other words, the SSN may in fact be critical to most realy disastrous identity thefts, but a smart thief can get the SSN based on very little prior information.
For example, you can get a official copy of a birth certificate with a wink and a smile. With that you can register for classes at the local community college. A student ID with your birth certificate is enough to get your Social Security card, even if you don't know the number. Student ID can also qualify as proof of residence in an area, which combined with the aforementioned social security card and birth certificate is enough to get a state ID or drivers license.
Badda boom, you have a complete identity, including paper trail, without anything more complicated than forging a signature
Since Social Security numbers are non-random, could they be sourced? The first 3 digits are where you were born geographically, and if you knew the year, you could narrow it down to a few thousand possibilities, right? then use death records or something to narrow that further?
I don't know what impact this has on the discussion, but it seemed important to consider.
To elaborate (but at risk of going off-topic), the basic idea is that if someone wants to store information about you, you should have the right to make them store it on your machine. They can sign it or whatever to prevent you from tampering with it, but if they want to see it again, they should have to ask your permission. As long as it's reasonable, you can let them see it--unless you change your mind. Even including your SSN.
This is not really as radical as it might seem. Only a few years ago, pretty much all of your personal information was stored in your punkin head, so to speak. If someone wanted to know about you, they HAD to ask you. From that perspective, the essential principle of the Fifth Amendment is that you didn't have to tell them if you don't feel like it. However, these days it is increasingly less necessary to ask you anything--someone else already owns your data.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
Did you hear this on daytime talk radio or something? This is stupid for several reasons:
First, contrary to popular belief, the sig on the back of the card is not there for identification purposes, but rather to indicate that you accept the terms of your cardholder agreement. If you do not sign the card, you cannot legally use it. Period.
Second, if you want to protect yourself, you are much better using a credit card than a debit card. A typical credit card has a much better fraud protection policy than a debit card (might want to read the terms of service). Also, if your account is accessed illegally, with a credit card they have the credit card company's money (or actually, the store's money) while for a debit card they have drained real money from your personal checking account.
Third, the merchant is not required to obey your stupid writing on the back. In fact, if they are doing their job they would require you to sign the card for real to make sure you have agreed to the terms of service. That is why it is perfectly reasonable for a clerk to ask you to sign a card that you present to them unsigned - because your signature is not for ID purposes.
Lastly - most identity theft happens WITHOUT STEALING YOUR PHYSICAL CARD. Geez.
Your cop and lawyer friends either don't like you, or perhaps have merely assumed the identity of lawyers and cops in order to get personal information out of you. You didn't show them your card, did you?
The first three numbers refer to the area. There was a 001-01-0001, although it wasn't the "first issued". Read all about it: First SSN & Lowest Number.
Not only does this information jump start a police investigation, but it also tells you which database was broken into and thus which set of customers to warn about possible impending credit card fraud.
I had my identity stolen without the use of my SSN and it took me several years to clear my name. In short, a small, scrawy, red-headed meth-head tweaker got a drivers license issued by the state in my name. I was lucky enough to have a detective on the other side of the state alert me a day before a warrant was to be issued in my name.
So in a six month period this idiot was able to get my license suspended in three counties, multiple traffic violations, driving without insurance infractions, driving a stolen vehicle, and countless drug dealing and drug possession charges.
Can someone do damage without your SSN? F$CKiN A! I spend countless hours appearing in front of Judges, DA's, Court Clerks, Law Enforcement Officers, and lawyers and regardless of how much evidence I had, I was regarded with contempt and suspicion until someone could verify I wasn't lying and pardon me.
In the end they caught the son of a bitch and he did 18 months for the Identity Theft charges (He's still in pound me in the ass state prison due to all the other charges in his name and my name). The interesting point is that I had to argue in front of a judge that it would be pointless to keep a drug charge on my record that I didn't commit just so that they could track the crime back to me from his record. By the way, they dropped the drug charges because he pled guilty to ID theft (that's how I got the last stain on my record removed). Government...
The time I lost in wages (I was a contractor at the time) and the hell he put me through trying to clear my name which isn't easy when people look at their computer screens and think your a drug dealin dope fiend is enough for me to hope he's still being anal raped by some large man named Bubba. So you ask the question can someone cause damage without your SSN? They could send you to prison if you don't find out in time and clear your name. All they need is a few corrupt government employees and your first and last name.
Bingo.
It's two different problems really. One is: How do you get a unique handle on a person ? As you say, name won't work, there's more than one "John Smith", adding in physical adress leads to duplication, because people move, so "John Smith, Bourbon Street" can very well be the same person as "John Smith, Pennsylvania Avenue".
Adding birthdate helps, but is still no guarantee, there could be two John Smiths both born on say 9.9.1979
For this problem the SSN is a decent solution. If we're talking of the person with SSN XXXXXXXX it's pretty likely we're talking of the same person, assuming every person has exactly one SSN (which ain't true, but it's atleast sorta close)
However SSN is a *lousy* way of verifying identity. Knowing it is no evidence at all that you are the person to which the number belongs.
Over the course of a life you hand out your SSN to several dozens or even several hundred different entities, you don't want all of those to later be able to pretend to be you. (or someone breaking into the computer of one of those)
Each and every entity above can revoke the key at any time.
Merchant can revoke a transaction or deny a consumer (due to poor credit). Consumer can revoke identity if stolen with assurance it won't be used again ever. Arbitrator can authenticate/reject for both parties.
Zero identity theft.
This would require a smartcard that generates rotating public key protected by a PIN/fingerprint (I'm not big on biometric, but consumer ease of use is the key here).
Significant technical hurdles remains with regard to "WHOM" process the public-private key verification as it takes CPU-time. Perhaps the smartcard has advanced enough to the point where it can sign the keys.