What Web Surfers Can Find Out About You

cweditor writes in with an updated version of a story the likes of which you might have read before, What the Web Knows About You. But reporter Rob Mitchell found out vastly more about himself (his research subject) online than he could have even a year or two ago. The big difference is that state and local governments are putting online digitized records, often with Social Security numbers and other personal details intact. Mitchell ends by questioning how much good it does for banks or credit card companies to require 4, 5, or more independent identity "factors" before providing access to account details, when most or all of the factors they request can be found online about nearly anyone.

Furthermore

They will see that I am suave, handsome, and well-groomed. Also I have a shapely nose. Will you marry me. My address is on the webernet.

Re:Furthermore

[kbrasee]

You had me at "webernet". I would +1 Funny this if I had points.

Re:Furthermore

I modded him +1 funny but it got knocked back down again.

they found that

Anonymous coward was the first to respond here

Bad News

[El+Torico]

I googled my name and found 3 obituaries.

Re:Bad News

Ahhh!!!!!!! a ghost of /. past!!!! Stay away! Harbinger of death!

Re:Bad News

[Mr.+Sketch]

Well, if google says you're dead three times, who am I to claim otherwise?

Re:Bad News

[morgan_greywolf]

That's okay. I googled my name and found three wedding announcements! By the end of the next month, I'll be married to four different people!

Re:Bad News

[siriuskase]

What's the big deal? Just because you are now dead doesn't mean you never had a life or three.

Re:Bad News

[Jason+Levine]

I googled my name and my site came up #4 in the listing. There were a lot of other people with my name, though. Years back, I didn't see any reason not to use my real name while online. Perhaps I was naive or perhaps it was a simpler online time. Either way, circumstances have changed. I don't want to go about "killing off" my accounts on various sites (like Slashdot) and starting over, but any new sites I sign into I want connected to a username that isn't my real name. It's one reason why I decided to start my new blog under a pseudonym. (No, I'm not posting the pseudonym here. That would link my pseudonym and my real name up in Google listings.)

Re:Bad News

[MyLongNickName]

Yeah. But one of your wives is photographed here.

Re:Bad News

[fprintf]

You better watch out, when you get famous enough for a Wikipedia entry, the authors will use that as a citable source and you will *never* get your death-date correct.

Re:Bad News

[vlm]

We have the identity of the fifth cylon!

Re:Bad News

[geobeck]

Phone conversation overheard in a bank:

"Hello, Mr. Anderson? This is Washington First National Citi Wells Fargo Mutual. I'm afraid we are unable to process your loan request. Well, unfortunately it appears that you're dead. Yes, it is surprising. My sincerest condolences on your recent loss.

Well, according to your obituaries, you initially died on October 12, 1982, of trauma resulting from a car accident. Wow, that looked like a terrible accident. I hope you didn't suffer too much. Then on February 23, 1997, you were decapitated in an industrial accident... oh, I'm glad to hear you're feeling much better. Except for being dead, of course.

"Mr. Anderson, no, I'm sorry, we cannot approve a loan to a dead person. You may be feeling fine, but Google says you're dead. Well, killed by an IED in Iraq most recently. 2005? You don't remember being there? Well, that doesn't prove anything because you're dead; I wouldn't expect you to remember it.

"Mr. Anderson, please calm down. It's not healthy to get so agitated. I mean, it's definitely not healthy to be dead, but there's no need to make matters worse... Yes, as a matter of fact I did find an obit for myself. Died after a lingering coma. Fortunately, it's not a problem, because being brain dead is not an impediment to my line of work. Yes, I'm sorry, please feel free to re-apply when you're not dead. Goodbye."

Re:Bad News

[LandDolphin]

Or can't still vote!

Re:Bad News

I Googled myself and could not find anything as I am an anonymous coward!

Re:Bad News

[BrettJB]

"Results 1 - 10 of about 2,080,000 for Anonymous Coward. (0.21 seconds)"

Sorry, but I'm calling a little over 2 million data points of BS on this one...

Re:Bad News

[kklein]

I, too, used to use my real name. Then, time went on, I grew up, mellowed, and suddenly the political screeds I penned in the heady days of youth looked like, um, really bad ideas. And in one case, I was a complete sanctimonious prick and was correctly called out for it...

I've been on pseudonyms ever since. I have a lot, and they are kind of characters depending on what kind of presence I want to have on that site. Slashdot is the only place where I kinda just speak freely, although this is also a pseudonym.

Re:Bad News

It doesn't matter what Google says, he's not dead until NetCraft confirms it.

Re:Bad News

[PitaBred]

I googled my name, and I was only on one listing, and that was just a page at a company I used to work at. Very little personally identifiable. The rest are all for lots of other people sharing my name... sometimes it's good to be common ;)

Re:Bad News

I think we've all made the "mistake" of linking a pseudonym to our given name at some point. Im posting as AC because I can't figure out how to log in on this terminal, but my real name is Jason Levine

Re:Bad News

[ccady]

I got better.

Re:Bad News

[genner]

I googled my name and found 3 obituaries.

Your not dead until Netcraft confirms it.

Re:Bad News

[luaplevap]

Phone conversation overheard in a bank:

"Hello, Mr. Anderson? This is Washington First National Citi Wells Fargo Mutual. I'm afraid we are unable to process your loan request. Well, unfortunately it appears that you're dead. Yes, it is surprising. My sincerest condolences on your recent loss.

Well, according to your obituaries, you initially died on October 12, 1982, of trauma resulting from a car accident. Wow, that looked like a terrible accident. I hope you didn't suffer too much. Then on February 23, 1997, you were decapitated in an industrial accident... oh, I'm glad to hear you're feeling much better. Except for being dead, of course.

"Mr. Anderson, no, I'm sorry, we cannot approve a loan to a dead person. You may be feeling fine, but Google says you're dead. Well, killed by an IED in Iraq most recently. 2005? You don't remember being there? Well, that doesn't prove anything because you're dead; I wouldn't expect you to remember it.

"Mr. Anderson, please calm down. It's not healthy to get so agitated. I mean, it's definitely not healthy to be dead, but there's no need to make matters worse... Yes, as a matter of fact I did find an obit for myself. Died after a lingering coma. Fortunately, it's not a problem, because being brain dead is not an impediment to my line of work. Yes, I'm sorry, please feel free to re-apply when you're not dead. Goodbye."

I believe that's straight out of the movie "Hackers".

Re:Bad News

[Frosty+Piss]

Well, if google says you're dead three times, who am I to claim otherwise?

Isn't that the standard at Wikipedia?

Re:Bad News

I'll just post it to /b/ and see how long that takes. No, j/k, dude. But I think you said too much.

Re:Bad News

Not a problem. I've had a wiki entry, then it was marked for deletion. If it comes up again, I'm sure it'll be deleted again. It's the wiki way of life. Wrong info and deleted info. I stopped donating money when a page that I contributed to was deleted. Not the page done about me, I don't know the people involved. And now, just like a 2 year old, I bitch about wiki. Always doing their best to annoy.

Re:Bad News

[geobeck]

I believe that's straight out of the movie "Hackers".

I must be psychic then; I've never seen that movie.

Re:Bad News

[cleatsupkeep]

Be sure not to have all the weddings on the same day in 4 different castles to women who have different numbers of eyes.

It doesn't end well.

Re:Bad News

[davester666]

Unfortunately, posting on slashdot can be used as proof that you have no life.

Re:Bad News

[speedingant]

I'd like to see a death report from you to proof it, thanks.

Re:Bad News

[harry666t]

> had a life or three

Now that's someone who took "get a life" a little too seriously perhaps?

Re:Bad News

I took my anonymity a step further and have pseudonyms for real life, too - the name I use for work is not my real name. It seems to be the only way to have a fully private Private Life.

It's already taken for granted that actors, writers, porn stars, prostitutes, and Indian call centre staff will use a fake name for work - why not everyone else?

Hi. I'm Bob.

Re:Bad News

[GoodNicksAreTaken]

You were also turned in to a newt?

Re:Bad News

[luaplevap]

Indeed! There's a scene with almost exactly those words. Angelina Jolie and Johnny Lee Miller have just hacked the FBI file on a NY police officer.

Re:Bad News

[TaoPhoenix]

Hello.

Poignant little post, so let's take a good look at it.

I answer "Both" - you were (forgiveably) naive and it WAS a simpler online time, so that's a draw. Take my theory that it might have called for a peculiar brand of wisdom to see correctly into the future to now.

We do know that when suitably annoyed, the Great Online Collective can pivot-leverage some expert to dig up *anyone*. Some cases are a little harder than others. But the flip side of the Long Tail is that it's also too much bother to really roast anyone if they haven't totally ticked you off.

I think this is the absolute cusp of the switchover into Web 3.11 (to coin a joke) which sees the UltraSharing of Web 2.0 as a good thing gone sour. The problem is far, far tougher than most of them think. It goes to the thundering core of how our entire species survives, crashing into a technology that never existed.

It used to be that Fame = Money (barring mistakes.) Now we got Notoriety is Free. 15 million people view a YouTube video and all they get is a few ad link hit revenue? You gotta be kidding me.

The late 1990's had a weird mood because it felt like a compressed timeline. Courtesy of American business culture, if you hyperfocus on Now, you get fantastic distortions which they then use to try to sell you stuff. Problem is, Next Month rolls around.

With the fade of Web 2.0, we have to take a serious look at deciding "what do I do with myself now?"

Obama has sent clear signals that he is ratcheting down the "1984-Live" culture that Bush got America into. But even he has to compromise to survive his term.

For the next decade-ish we'll struggle to learn Anti-Troll skills, and salacious gossip will be so truly boring that it won't matter. Web 3.11 will have a Pro-Privacy bent, to the theme that people can completely remold themselves as "personal brands" like corporations do. I'd like to think I represent the barest early example.

Re:Bad News

Hehehe I found this: http://www.youtube.com/watch?v=8gYhMqO_Wck

I don't think that's me, unless someone took a video camera to the distant past.

Re:Bad News

[Ihmhi]

+1 Trance Gemini quote.

Re:Bad News

Mr. Anderson as in Fred Anderson?

http://en.wikipedia.org/wiki/Not_Dead_Fred

Re:Bad News

[syousef]

I, too, used to use my real name. Then, time went on, I grew up, mellowed, and suddenly the political screeds I penned in the heady days of youth looked like, um, really bad ideas. And in one case, I was a complete sanctimonious prick and was correctly called out for it...

I've been on pseudonyms ever since.

It appears you've given up on integrity. That's what you learn from being wrong in your youth??? And you're proud of this?

How about learning to stand by what you say, or admitting you're wrong. Much better approach than continuing to say things you can't later justify but doing it anonymously. You're a true AC.

Re:Bad News

Ride on, real name brothers. Apparently I donated $7600 to the Mitt Romney campaign.

O RLY?

Re:Bad News

[Hognoxious]

if google says you're dead three times, who am I to claim otherwise?

Google schmoogle. Did you check netcraft?

Re:Bad News

No... *I* am Jason Levine.

Re:Bad News

[Cowmonaut]

Oh just go away. It's Monty Python, not Andromeda.

Fanbois...

Re:Bad News

[jdmetz]

I know you're joking, but apparently all that is needed for the Social Security agency to declare you dead is for a coroner to mistakenly type your SS#. From there it will get to your credit reports and pretty soon all your accounts will be frozen. Here's someone who had it happen recently.

Re:Bad News

[jcrousedotcom]

Funny thing is - I used to be the IT guy at a Credit Union and I was up on loans, one of the loan officers showed me some lady's APPROVED loan request - her credit report actually showed she was dead! :)

She had great credit though. :)

Re:Bad News

AAAAAAAAAAARRRRRRRRHHH!!! Worse than goatze!! DONT click it! JUST! DON'T! DO! IT!

Re:Bad News

I googled my name and found 3 obituaries.

Jesus. Is that you?

Quit doing that. You freaking everyone out!

Re:Bad News

[Ihmhi]

http://en.wikiquote.org/wiki/Andromeda#.22Fear_and_Loathing_in_the_Milky_Way.22

Gerentex: [to Trance] Aren't you dead?
Trance: I got better.
Gerentex: Huh. Lucky you.

Is that line really from Monty Python? I can't recall it from the few movies/shows I've seen.

RE: Bad news

Last post. :-(

Re:Bad News

[naz404]

Mr. Sketch?

Re:Bad News

[naz404]

on the other hand, it can be used as proof that... um. um. I posted? @_o??

Re:Bad News

[atraintocry]

Your post prompted me to check my own googlabiltiy (or whatever you want to call it). Not that I hadn't before. But this time I only tried my name and variations on it.

There's a lot of "me"s out there. Good luck to anyone trying to find the real one with only my name to go on. Sometimes having a really common name pays off, as in my case :)

CWEditor can grab a spoon and eat my ass

Nice MASSIVE WALL of ADs, you douche.

Facebook

I have a mostly blank facebook account just because some people I know use it.
Since date of birth is so widely (mis)used as a security question, I use a false dob and people often wish me happy birthday a week or so before it actually is.

Re:Facebook

[Hashi+Lebwohl]

I have the same problem. My name is Jesus, and I registered using DOB of 25/12/01, and now absolutely everyone thinks it's my real birthday. Sheesh, as if shepherds would be out shepheding in the middle of winter. Some people....really.

Re:Facebook

[renegadesx]

Sounded like a good idea at the time right? Worked for Mithras :)

Re:Facebook

[Opportunist]

That's actually a bigger problem than you think, those so called "security questions" are a huge security risk, at best.

"Where have you been born?"
Check your CV.

"What's your mom's maiden name?"
Check your bloodline on any "find a relative" page.

"What was your first car/pet/whatever?"
Check Facebook or other social page.

"What is your favorite color?"
Check your personal homepage for background.

And so on. If you want to be save with your "security questions", treat them like another passphrase. My hometown is TdafU5s. No, I have no idea what it was called before the earthquake.

Re:Facebook

[u38cg]

Don't mung a date of birth by altering a single digit - electronic submissions will often silently accept these on the assumption that they are a typo. So for example, $EVILDOER can open a credit card account in your name, and the fact you've munged your date of birth slightly will not cause the process to fail.

ID information available to the public

[LoadWB]

I have complained about this crap for years to my credit card companies, phone companies, mortgage company, and even my college. How can they claim to protect your account information when their verification questions are all publicly available information? (In the case of the colleges, students are often asked to sign in for roll or exams using a social security number, and that sheet is either passed around or otherwise completely viewable.)

At least some allow you to select a special pass phrase. Only one of my vendors will not allow me access to the account if I do not provide the pass phrase. Every one else has a way around that.

Security. Pfah.

Re:ID information available to the public

[CannonballHead]

I'm always surprised that more "secure" websites don't let users use their own security question. It makes no sense to just always use "mother's maiden name" or "city of birth" or whatever. Why can't I use my own security question and pick something that I actually am one of the few people that know (me and maybe my wife or something)?

I'm not sure adding one more column to a database is going to produce a ton more overhead :)

Re:ID information available to the public

[siriuskase]

The secret is that they don't ever check to see if it really is your SS#. they just need a uniquie 9 digit number. Make one up.

Re:ID information available to the public

[siriuskase]

Just pretend you have two moms. Make up a nice name for your real mom's girlfriend. Maybe even a man's name. Some women have masculine names.

Re:ID information available to the public

[Captain+Splendid]

Interestingly enough, I just signed up for online banking with RBC. Not only do they let you choose the security questions, you can't access your account until you've written out three of them (and their intended responses.) I was suitably impressed.

Re:ID information available to the public

More than that, you don't have to put *anything* there. At least where I live (Washington state), there's always a little asterisk that says that you're under no obligation to enter your SSN if you don't want to.

Re:ID information available to the public

Except some universities use your SSN as your student ID. The university I attended (a very large university) used to, although someone finally woke up and decided that was a horrible idea. But even that was fairly recently... within the past 6 years.

Re:ID information available to the public

[Attila+Dimedici]

If you made up a name, how do you remember it 3 years later?

Re:ID information available to the public

[zehaeva]

why not just put in a odd answer? for city of birth put the city of your fathers/mothers birth, or the name of your first pet? and for your mothers maiden name your grandmothers maiden name or the city of your birth? or the title of your favorite book, or the name of your favorite author. so long as you know what to substitute all should be fine.

Re:ID information available to the public

[nine-times]

If you make it up, how do you know that it will be unique?

Re:ID information available to the public

No no no... not unique, uniquie. Totally different word. Duh.

Re:ID information available to the public

[Luyseyal]

Well, the name is sequential based on year so you can guess within a year or two pretty easily. It also has Unicode characters of dubious displayability. And a monkey.

-l

Re:ID information available to the public

[LaskoVortex]

If you made up a name, how do you remember it 3 years later?

The idea is to have a set of false, made up answers that you *always* use to the same old security, so you don't forget them. No one is going to find that stuff on line because it's not affiliated with you except in your imagination. If you are afraid of forgetting your passwords and to remember passwords like "d8u*mF@3KowcCR", use an encrypted password keeper.

Re:ID information available to the public

[plague3106]

They aren't unique anyway.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=300161

Re:ID information available to the public

[dkleinsc]

That's why my mother's maiden name is "f03itncvl102$#(2l$" (for purposes of site logins).

Re:ID information available to the public

[s.bots]

If you are afraid of forgetting your passwords and to remember passwords like "d8u*mF@3KowcCR", use an encrypted password keeper.

Shit, now I have to change all my passwords AGAIN, just like after someone else posted my old one, 09:F9:11:02:9D:74:E3:5B:D8:41:56:C5:63:56:88:C0

Re:ID information available to the public

[DreamsAreOkToo]

why don't you then? My security question is always "What do you listen to to calm you down?"

Nobody will ever guess my security question... Because my mother's maiden name or my pet's name isn't "Rammstein" (or whatever my answer *really* is...)

Re:ID information available to the public

[Tubal-Cain]

I like... How's the broadband up there?
Wait. Washington. Redmond Washington... Microsoft Headquarters...
Nevermind.

Re:ID information available to the public

[EGenius007]

The main problem with that plan would be when a site you are registered for is compromised in some way. If you're using the same security response and the interested parties can determine your usernames at other sites then having a site-specific password no longer offers reliable protection.

Without unique user ID + password + security responses for every web-registration you're forced to complete, an encrypted password keeper may be the only practical solution. Of course, then you run the risk of losing all your online identities due to a failed/stolen hard disk...

Re:ID information available to the public

The biggest problem isn't security questions for accounts that you open. For that, you just monitor your statements to ensure that there's nothing on there that wasn't you and it's really simple to dispute a charge.

The huge gaping security hole is people opening new accounts in your name. It's also a much harder problem to solve since you need a way to prove that you are you without any prior interaction between you and the company and, in most circumstances, without any in-person interaction.

Re:ID information available to the public

use an encrypted password keeper.

Care to share any good ones? I use Password Safe, but it's not ideal for non-login (i.e., username/password) information management.

Re:ID information available to the public

[interval1066]

Listen; I have the answer to the entire security mess. It involves another number, but its the LAST number you'll ever need. What we'll do it tattoo it on your forehead and your left palm...

Re:ID information available to the public

[0100010001010011]

You constantly use it. I have about 3-4 pseudonyms that I use everywhere. First one I flipped through the phone book and pointed to a name. That was my first name. Repeat for last. I use it everywhere.

Now I have a mysql database full of 2000 census data. I found a website that had it all in CSV, I imported it along with a variable for frequency. So I can decide if I want an obscure name and by gender. It also scrapes Yahoo for an address with someone matching my last name, twice. It then merges the address line and city. I originally used it for FreePay's "Free iPod" scam thing where I would just make someone up and create it. At the peak of the 'free*' boom I had a grease monkey script to register.

Oh those were the day....

Re:ID information available to the public

[ArcadeNut]

You can't make up the question, but you can make up the answer... nothing says you have to use REAL information in those questions....

Most of the time, its none of their business anyway...

Re:ID information available to the public

Why can't I use my own security question and pick something that I actually am one of the few people that know (me and maybe my wife or something)?

A while back, a friend of mine was running a student forum, which used ID numbers as a login, and allowed people to set their own question for password resets. He was having a serious problem with people claiming their accounts were being broken into. After a while, he noticed that only men were complaining. He ran a script to pull out the answers to the security questions, and found that 20% of the answers were "8 inches".

Re:ID information available to the public

That's the same password I have on my luggage!

Re:ID information available to the public

[Jherek+Carnelian]

The idea is to have a set of false, made up answers that you *always* use to the same old security, so you don't forget them. No one is going to find that stuff on line because it's not affiliated with you except in your imagination.

So it isn't quite publicly available, but it is available to anyone with at least administrative access to the sites you've signed up on and used the same information (and chances are that info gets stored in a cleartext file or at best a database). So if you use the same info at all websites it reduces your security to that of the least secure website you've given the info to.

Re:ID information available to the public

Sometimes there are names you never forget.

A secret, imaginary lover.

(Suddenly becomes funnier when you actually meet someone who looks and acts exactly like someone who you've imagined -- it happened to me a couple of times.)

Re:ID information available to the public

[harry666t]

This is a very good question. The immediate answer I've thought of is:

Things like this usually do have some kind of checksum as the last digit (I know PESEL numbers in Poland do). Make up one with an invalid checksum and pray they do not actually check them (although I know for sure that some of the assigned PESELs have an invalid embedded checksum).

Re:ID information available to the public

[HiThere]

Have it tattooed onto your shoulder? That should work, of course, you'd need a mirror to read it.

Re:ID information available to the public

[T+Murphy]

You can always set your own questions. Just set the answer to "Mother's maiden name?" to "Scottsville Elementary".

Re:ID information available to the public

Yeh, like 'what is the name of your 3rd mistress?'

Re:ID information available to the public

[corbettw]

Hey, that's the combination to my luggage!

Re:ID information available to the public

[Beryllium+Sphere(tm)]

078-05-1120 will not collide with a real person.

Re:ID information available to the public

It doesn't have to be. How many databases of people are using SSNs as a primary key? Most use an incremental and irrelevant number since not all customers have SSNs.

Banks deal with foreign people living in their nation all the time. Here is the US, an illegal immigrant can open up an account without a SSN.

I wouldn't be surprised if in most cases, SSNs are just there so you can verify the last 4 digits over the phone to support persons and it's something the average retard won't forget.

Re:ID information available to the public

In my country your student number can also be used as part of proving your identification for other government or commercial services

Re:ID information available to the public

[muckracer]

> If you made up a name, how do you remember it 3 years later?

Easy: Post-It on monitor... :-)

Re:ID information available to the public

[Hognoxious]

The usual problem with fictitious data: you forget.

Re:ID information available to the public

[Hognoxious]

I don't know why, and I certainly don't agree, but there are a lot of people who seem to prefer using a "natural key".

As to the foreign people, there's probably a workaround involving certain invalid numbers that the system is hardcoded to accept. You see crap like that at WTF all the time.

Re:ID information available to the public

[internerdj]

I've recently begun concidering swapping up the answers on my security questions for important websites that don't let me ask my own. Or just completely making up arbitrary but consistent answers for common questions. It doesn't protect me from credit card or loan application fraud but it does make my financial institution logins harder to guess.

Re:ID information available to the public

Social Security numbers aren't unique either.

Re:ID information available to the public

[jgtg32a]

That's my mother's maiden name you insensitive clot

Re:ID information available to the public

123456789 seems unique to me...

Multi-Factor Authentication

[rlp]

Real multi-factor authentication requires some thought and the expenditure of time and money. Is it any wonder that some banks have implemented extremely LAME (mother's maiden name, pick a picture) versions of two factor authentication. Ideally, it should be (choose at least two): something you know, something you have, and something you are (and perhaps somewhere you are). Something you know is typically an ID / password pair. Something you have can include a one time pad (Gibson's perfect paper password), an RSA dongle, a Yubikey, or even a cell phone (bank sends key as text message). Something you are is biometrics: fingerprint readers, retina readers, etc. (There's an amusing and horrible joke based in this in a "Red Dwarf" episode). Finally, you can have location based authentication: IP / Mac addresses (potentially spoofable), physically secure workstations (with optional armed guard), etc.

Re:Multi-Factor Authentication

[guruevi]

Actually banks have to keep your money safe to keep your business so they are the ones that implement the best (imho) workable authentication. All banks these days have SSL certificates (I think required by law), they have some sort of picture system where the bank shows you something to authenticate who THEY are (so MITM are more difficult as long as your or their computer isn't compromised) and then they have a username and password which the user is responsible for and a lot of banks are implementing (optional for now, required for certain transactions) an RSA-keyfob-like structure (whether it be on your cellphone or they charge you for a keyfob) where you get a one-time generated key that is valid for less than 10 minutes. Some accounts (>10.000) get that stuff for free.

Sure you can think of more safe versions of the above but in the end it has to be 1) usable by the very people we hate so much: Computer Illiterate Users 2) affordable for the common man (a free checking account with less than $100 in doesn't even cover the costs to provide online banking let alone extra's) 3) not drive customers away because of reason 1 or by being so complicated or expensive nobody wants to use it.

Re:Multi-Factor Authentication

[twiddlingbits]

Mulit-factor authentication is NOT expensive (i.e dongles or RSA keyfobs) and doesn't have to be elaborate. I built a credit report site 10 yrs ago that used MFA. We would ask you user name and then based on that we asked the name of a two creditors and an information for each that only you would know and gave your 4 pairs of choices to chose from. For example the amount of your mortgage and the bank plus say your auto loan bank and car make/model, two of those pairs were correct two were false but not obviously so. If you passed that then you had a secret 8 character password (letters, numbers, upper & lower case plus characters) we gave you when you logged in. The ONLY time your SSN was needed was the initial setup of the account. A one-time pad is just that one-time. And each end of the transaction has to have the same pad and be on the same key sequence. That's not easy to do for 1000's of user and keep in sync, a digital certificate or PKA is easier. If you wanted the most secure MFA you need to go with biometrics plus physical, such as scanning your fingerprint/retina and then a perhaps a keypad/password with a response profile (people generally enter the keys with the same frequency and timing..if that measurement is out of tolerance incorrect you may have a breach or maybe just a bad keypad day). Then you have an armed guard on the INSIDE who has a roster of names and pictures he can validate you with. No electronic substitute yet for the old Mark I Mod 0 human eyeballs and judgement. Pretty much anything else (excepting 1 time pad) can be spoofed in one way or another. Whatever MFA you determine needs to be a)easy to user (users are idiots) b) inexpensive c) as secure as possible given a and b. There is such as thing as "too secure" for usefulness.

Re:Multi-Factor Authentication

[JesseMcDonald]

Based on your description, your credit-report site used single-factor authentication. You asked for more than one data point, but all the data together amounted to just one factor, something the user knows. It's not multi-factor authentication unless you add something the use has, or is.

Plus, you were apparently handing out the user's private information before they were authenticated. Sure, it was mixed in with misleading data, but it would still dramatically narrow down the search space for anyone trying to invade the user's privacy.

Re:Multi-Factor Authentication

[techno-vampire]

And let us not forget 4) not tied to any specific computer architecture or OS. It should be usable from Windows, Linux, FreeBSD, Mac or whatever else you want to use.

Re:Multi-Factor Authentication

[bakuun]

In Sweden, all banks provide a challenge/response - based physical keyfob to their customers, for free. I still find it amazing how bad bank security is in most other countries. Many banks just have passwords... all it takes is a keylogger. Insane.

Re:Multi-Factor Authentication

[twiddlingbits]

At the time this site was built that was considered pretty good security, it passed the checks by the banks and other agencies reporting your credit info into the database the site used. Joe Public isn't going to have a RSA token or such to have a 100% seperate factor! So we used a factor only they would know which was right! Yes it was based solely on user knowledge, as I said there is a balance between usabilty, cost and level of security!

Re:Multi-Factor Authentication

[dotancohen]

Actually banks have to keep your money safe to keep your business so they are the ones that implement the best (imho) workable authentication. All banks these days have ....

And then require you to use IE. Blah.

Muah hahahaha!! Almost invisible!

[joelmax]

Muah Hahahaahaha!!! My facebook page doesn't even make it into the first couple pages of google, thanks for lots of people in much better paying positions having my name!!

Re:Muah hahahaha!! Almost invisible!

[Captain+Splendid]

Yeah. I've always kinda hated my generic, North American last name, but coupled with my biblical first name (which I do like), it makes me almost invisible online despite Facebook page, etc.

Re:Muah hahahaha!! Almost invisible!

[techprophet]

Same here. Gotta love it!

Re:Muah hahahaha!! Almost invisible!

generic, North American last name... biblical first name

Are you by any chance Jesus Jones?

Re:Muah hahahaha!! Almost invisible!

[mandark1967]

"Captain" is your biblical name?

Re:Muah hahahaha!! Almost invisible!

[pjt33]

237 instances in the Authorised Version, 94 in the New American Standard, and 22 in the New International. It's perfectly Biblical.

pipl

[Finallyjoined!!!]

Check it out, you will all be surprised what it will find:

http://www.pipl.com/

Re:pipl

[aztektum]

Sweet! I've lead such a useless existence, pipl isn't able to find anything about me!

Re:pipl

[John+Hasler]

I also seem never to have made it to the deep end of the Web.

Re:pipl

[El_Muerte_TDS]

Holy crap, they know I post on slashdot.

Re:pipl

Not surprising in the least. There are many of these services online and the free ones are little more then goggling your own name if anything.

OTOH there are pay services like lexis.com and others that i used to use in my skip tracing days. Now with nothing more then a name and a county i could usually get everything from SSN's to VIN numbers of cars you have/do own. DL number's phone number's (including potentially unlisted). Hell itll tell me if your married divorced (with links to the pdf's of the court papers if available). Employment history (with a list of associates employed at the same places around the same times as you.

About the only thing it wont tell me is your dog's name so there is no surprise to me.

I dont even have to go online to find out your address and phone numbers. If i know what kind of car you drive. Chrysler has an 800 number that you put in the first 5 digits of the last name and it will give me address and phone number on record...

Re:pipl

Au contraire, assuming you're from Elmwood:

You use(d) Debian, you post to slashdot, comp.os.linux.misc, sysadminforum, marc etc. etc. "Goodbye RedHat"??
:-)

Re:pipl

Sweet! I've lead such a useless existence, pipl isn't able to find anything about me!

Perhaps you shold just learn to spell your own name.

Re:pipl

Wow, they found people claiming to have information that they'll sell to you... Truly impressive...

Re:pipl

[Chosen+Reject]

They don't even have me on /. A bunch of results, but only one of them actually applies to me. All thanks to Dave Grohl.

Re:pipl

[Darth]

None of the items it found were me.

Re:pipl

[commodoresloat]

either it's crap, or I'm in hiding. I checked my real name and found three hits on addresses I haven't lived at for nearly a decade, listings for my parents at addresses they've never lived at, and about 40 hits to other people, and hits to two of the several hundred web pages over the years that have had my name on it. This really isn't helpful for finding me, and I'm not trying to hide - I would think it would be pretty useless against someone actually trying to hide something.

Re:pipl

It found a link to my great-grandfather's "non-famous" grave (yes, I have the same name). That's as close as it got to me. Guess I'll go home and ponder my obscurity.

- T

Stupid Slashdot.

[Creepy+Crawler]

<Page 1>
Why
Cant
You

<Page 2>
Provide
A
Link

<Page 3>
So
Everything
is

<Page 4>
on
One
Page?

how abut a link here

Re:Stupid Slashdot.

This is one of those instances where I don't mind that the article is spread out over a number of pages. This is because the content presented on each page takes a few minutes to read. This is in stark contrast to a site like tomshardware where you can read the contents of the page before the ads have finished loading.

Re:Stupid Slashdot.

God that was annoying. Are you trying to tell us something?

Re:Stupid Slashdot.

Mod Parent Down!

Re:Stupid Slashdot.

Damn you for not closing your tags! My brain doesn't know how to format your post.

Search all you want

[MarkusQ]

Mitchell ends by questioning how much good it does for banks or credit card companies to require 4, 5, or more independent identity "factors" before providing access to account details, when most or all of the factors they request can be found online about nearly anyone.

Psha. Search all you want, and you'll never discover whether "rw^j8*=1IF9d" is my mother's maiden name, my favorite desert, or where I got my first kiss. And it won't matter anyway, 'cause that's not actually one of the strings I use.

--MarkusQ

P.S. And for an added level of security, I'm not really me, nor am I the person I told the bank I was.

Re:Search all you want

[CannonballHead]

... In fact, not only is my name not actually my name nor am I even the person I actually am, I actually don't bank at the bank I have account with. It's all a ruse.

We should all just go by the name of "Linus."

Re:Search all you want

Hello, Bruce, good to you see again!

Re:Search all you want

my favorite desert

Gobi? Sahara?

Game! doesn't need your personal information

[Mad+Merlin]

I find it really irritating when a site requires you to give them (made up) personal information when it clearly doesn't need it. That's why Game! doesn't ask for any personal information whatsoever. Of course, that's probably a drop in the bucket compared to everybody pouring their life into Facebook...

Re:Game! doesn't need your personal information

[theredshoes]

I don't know, I don't think most people are on private status. And really funny pics or reading someone's status doesn't really give you much insight into a person on Facebook.

I am not happy about the mortgage information online, but if it is public domain there is not much you can do. I would rather someone know that I am taking my dog for a walk or going to the grocery store before they knew how much I paid for a house, what my address is and what my social security number is through a scannable document.

Re:Game! doesn't need your personal information

Astroturf much?

It is good SSN becomes totally public

[140Mandak262Jamuna]

Social security number has never been designed to be a fool proof identity verification authentication tool. High time the government site get hacked and all the SSNs of ALL Americans are out in the public. Then the onus will be on the banks and others to actually verify people's identity and come up with real authentication mechanisms. Right now it is a joke. Any Tom Dick or Harry can impersonate me if he knows my name and my SSN. How ridiculous is the expectation that I have to take efforts to keep my SSN secret, while the banks and credit issuers have no obligations to check if the applicant is really who he/she says who he/she is?

What? Anonymous Coward? you dare me to publish my SSN? Get lost. It does not make sense for me to do it alone. But if the entire person-SSN map of all people becomes public, it will actually help us all.

Re:It is good SSN becomes totally public

[PeanutButterBreath]

Social security number has never been designed to be a fool proof identity verification authentication tool. High time the government site get hacked and all the SSNs of ALL Americans are out in the public. Then the onus will be on the banks and others to actually verify people's identity and come up with real authentication mechanisms. Right now it is a joke. Any Tom Dick or Harry can impersonate me if he knows my name and my SSN. How ridiculous is the expectation that I have to take efforts to keep my SSN secret, while the banks and credit issuers have no obligations to check if the applicant is really who he/she says who he/she is?

I would also like to see the day that all this gets so out of hand that none of this "personal" data can be used as a legitimate means of identity verification, i.e. when identity theft is not my problem, but the problem of whatever sucker institution failed to do due diligence and was taken by some crook.

Scratch that -- that day is long past, and nothing has changed. Greasing the wheels of commerce still trumps (what should be) my right to remain blameless and unconcerned when failed morals and policies of strangers collide. For that matter, selling id protection and clean-up service is an industry unto itself, no doubt with its own lobbyists reminding our politicians that they create jobs and tax revenue (and campaign contributions).

Re:It is good SSN becomes totally public

[wtarreau]

It's amazing that you Americans have such problems with your identities. I think it is because you don't have an ID card. Here in France, there's no such problem. I can give my SSN to anyone, because it's not used as an authentication system, just identication for a few things. It's written in plain numbers on some non-confidential papers and it causes no problem.

The reason is that we all have an ID card which is delivered after several controls have been performed. So we all present our ID card to prove our identity when paying by cheque, when we want to take money out of the bank, etc...

I regularly read about Americans taking care of destroying any ID information they can have so that nobody can reuse it. This sounds so much prehistoric to us out there that almost nobody believes it ! And I think that you're now in a situation where it will be difficult to make people accept the concept of the ID card simply because they will fear that someone somewhere will then know their ID. It's a shame, really.

Now don't get me wrong. ID stealing also happens here but is very rare because they require that the imitator either has got your ID card and looks exactly like your photo, or that he owns a fake ID card, which happens but is very limited due to the various security items which are not trivial to reproduce for the average Joe around.

I really hope that in 10-20 years you'll have got out of this archaic system, it's really a shame !

Re:It is good SSN becomes totally public

[davidsyes]

It's HIGH time that existing SSNs be relegated to status of "compromised" and that they be -- where voluntarily accepted -- used as "public keys", with all official government, law enforcement, legal, financial, and educational, or security agent/law enforcement officials records assigned new, non-public overlay/reference number.

Those who feel they have not yet been compromised can choose to remain as they are. Those of us wanting a newer layer of privacy (for the categories above) should get it, and the new number made up should be in a program where those not authorized to possess, use, utter, share, swap, or otherwise exploit it would suffer draconian, painful, and unerasable pain.

Re:It is good SSN becomes totally public

Now don't get me wrong. ID stealing also happens here but is very rare because they require that the imitator either has got your ID card and looks exactly like your photo, or that he owns a fake ID card, which happens but is very limited due to the various security items which are not trivial to reproduce for the average Joe around.

I really hope that in 10-20 years you'll have got out of this archaic system, it's really a shame !

It is a shame but it doesn't sound like you are in much better shape. Thanks to our underage drinking laws, we have just about the most advanced ID-faking equipment and skilled artisans in the world (aka, teenagers). An ID card doesn't help much online or for setting up automatic payments. Most establishments with which I do business never see me nor do I see them.

There is no getting around the need for a LAP (long-ass password).

Re:It is good SSN becomes totally public

[B1ackDragon]

As another poster alluded to, we have ID cards, but they aren't mandatory, and they are given out at the state (rather than federal) level.

Seems the big problem is that credit card companies, other stores which offer cards, and banks (to a lesser extent) are so eager to give out credit they don't require we use them.

So I'm not familiar with France... do you really need your physical ID to borrow money? If so, then I would say you do indeed have a more advanced system.

Re:It is good SSN becomes totally public

And how exactly do you use your physical national ID when you do call your bank to start a new account, or when you use the internet to initiate a service? If I want right now, I can open a bank account just using the phone, calling from the State of Texas to the State of California. Can you sit at home in France and call a bank in Poland (so within the pathetic EU), and open a bank account? I don't think so. How would you use your ID in such a scenario, please? Don't be a smart ass, having a national ID requires that you personally move your body to the bank, stay in line, etc. This limits pretty much your available services to your local town, which is pretty pathetic. The great freedom we have to _initiate_ businesses anywhere in 50 states has a price to pay, and that is the impersonation.

Re:It is good SSN becomes totally public

So that all works well for in-person but what about online? I think that's where the majority of fraud at least starts (they may end up doing some of the transactions at ATM's or merchants in person).

The limited bandwidth we have for an online transaction makes impersonation much easier -- almost anyone with half a brain can do that. It takes some money and real talent (acting basically) to get a good fake ID and stand in front of someone in person and convince them of your assumed identity.

Re:It is good SSN becomes totally public

[Ihlosi]

How would you use your ID in such a scenario, please?

By using an ID verification service. Duh!

The process works like this: You fill in the form at the banks web site, they send you a letter with the instructions for the process (here in Germany, the most common one is called PostIdent), you move your behind to the nearest post office, present them with the letter from the bank and your ID, and they'll send the data to the bank.

Absofrickinlutely no need to show up at the bank in person, just at the nearest post office.

The great freedom we have to _initiate_ businesses anywhere in 50 states has a price to pay, and that is the impersonation.

As you see, we have that freedom, too, and pay with a small inconvenience for a greatly reduced risk of impersonation. Online banking is very popular here, see banks like ING-DiBa, comdirect (part of Commerzbank), etc, etc, etc. If things were as limited as you believe they are, none of these banks would exist. Sorry to bust your bubble there.

Re:It is good SSN becomes totally public

[MadMidnightBomber]

Bzzt! He's right.

A SSN is identification (user name), but gets used for authorisation (password) as well. Dumb, dumb, dumb.

Because everyone else seems to realise that e.g. my National Insurance number is printed on a card, it can't possibly be a secret and thus the tax people only use it to match it up to their database, not as a "secret" to authenticate me.

Re:It is good SSN becomes totally public

[Dan541]

Well it's the banks loss if they are so acceptable to fraud.

Re:It is good SSN becomes totally public

[houghi]

In Belgium each card has a chip that you can read.
http://eid.belgium.be/nl/Achtergrondinfo/De_eID_technisch/index.jsp for (source)code including Linux.

No need to give a social security number or anything else.

Re:It is good SSN becomes totally public

We can use our Driver's License or unique bank id cards that are issued by the bank. The reason the government doesn't just issue id cards to everybody is cost. France being a socialist country, French people have to pay way more in taxes than Americans do so the government can afford to do that for their citizens. Americans have to fend for themselves because we are mostly capatalist.

Re:It is good SSN becomes totally public

[maxume]

The magic-number-as-identity problem will not be solved by adding new magic numbers.

Re:It is good SSN becomes totally public

Two reasons why we don't have a national ID card:

First, there's this thing about states rights vs. federal government power. This also ties in with a dislike of the idea of being required to carry "papers", although it's not a direct thing it relates to freedom of travel/movement.

Second (and probably more of the reason) we have a lot of religious Christian nutjobs who have decided that any kind of required ID card is the whole "Mark of the Beast" thing from Revelations & will herald the End of the World. Seriously.

Re:It is good SSN becomes totally public

[wtarreau]

If you can't get in person to the establishment you want to get in relation with, it's very common that this establishment sends you papers by snail mail, and require a lot of information in return, as well as some original papers which can only be delivered by a local office such as the town council. I can assure you that this is really not a problem. Many people here in France, Germany and I believe most of Europe have no problem subscribing to services, ordering hardware abroad, etc...

Also interestingly, all the persons I know who have got their bank account pumped without their consent had ordered things in the US. Here in the old europe, it's far less common due to the number of verifications at every stage in the process.

In fact, the buyer is protected, and the service provider has the responsibility for ensuring he will get paid. That's the reason why most companies require a lot of information to ensure you're a real person who will pay them.

Re:It is good SSN becomes totally public

[wtarreau]

France being a socialist country, French people have to pay way more in taxes than Americans do so the government can afford to do that for their citizens.

1) France is not a socialist country, re-read your books
2) In France, you actually have to pay for an ID card, so it's not everyone who pays for everyone. And even if it was, it would not really be a problem as every individual would be supposed to have one ID card. I just looked on mine and it had cost me about $20 20 years ago. That's reasonable.

names

[xaositects]

Luckily, there are a ton of people with my name who are much more open on the web than I am. Producers, directors, artists, musicians, writers, attorneys general, you name it. 10 pages of Google still didn't come up with anything close. I guess there is a plus to having a really common name.

Re:names

[PhreakOfTime]

There is also a negative.

Im assuming you havent had the pleasure of some data entry monkey messing up your common name, with the pinhead who defaulted on all his loans and has warrants out for his arrest?

Have fun with that, its more likely to happen than you think.

Re:names

[xaositects]

Actually, before my gf and I bought our house, I had to straighten out something like that. Some dude with my name who hadn't paid his car payment or something. They were able to straighten it out using my social security number.

Among other things...

[mr_mischief]

they found that most /. posters are bored, self-important, anti-social, regular garden-grade assholes in general, or some combination thereof. Me? I'm more bored and an asshole. Others fit the criteria differently.

Interesting people with my name

[theredshoes]

Tony Blair's Ex bodyguard and some lady that owns an original Unicorn Jones art piece. I am luckily fairly invisible I guess.

Re:Interesting people with my name

My name, while actually fairly unique, belongs to a prominent lawyer, a medical researcher, a terrible photographer, and a man who has been dead for 8 years.

I don't have a Facebook, MySpace, or blog. And oddly enough, the place where I got married doesn't make their records database searchable. Cool. I'm invisible.

Re:Interesting people with my name

[PeanutButterBreath]

Tony Blair's Ex bodyguard and some lady that owns an original Unicorn Jones art piece. I am luckily fairly invisible I guess.

But a little bit less so given what you just posted. . .

Re:Interesting people with my name

I am not a terrible photographer

Re:Interesting people with my name

[theredshoes]

I doubt anyone would really cyber stalk me from here, more cyber annoy me to the point of kicking their ass so I think I am fine. The people on here would most likely send me grandma or lesbian porn spam because they think they are funny. They also might create a fake profile to befriend me or my boyfriend at the time to play email games. Another tactic a Slashdot type might take would be to break into my AIM account and write stupid crap and pretend to be me and generally embarrass the heck out of me. That is Slashdot's speed pretty much.

Nobody in their right mind would want my identity, I have shit credit after widowhood, I buy everything with cash. If someone tried to steal my credit life they would be SERIOUSLY DISAPPOINTED.

I am uncomfortable about the general public having my mortgage information though, I think that should be more personal, but it isn't.

Re:Interesting people with my name

[MRe_nl]

Vicki McPherson.

Re:Interesting people with my name

[theredshoes]

Well you are quite the detective, please don't sign me up for porn spam, thanks in advance. LOL

Re:Interesting people with my name

I'm not dead, either!

Re:Interesting people with my name

[MRe_nl]

Sorry, couldn't resist, took about two minutes, the bodyguard did it ( in the Starbucks, with the pistol ).
; )

Re:Interesting people with my name

[theredshoes]

LOL, Time to break out Clue I guess. It's fine.

Clue Online

Re:Interesting people with my name

[TaoPhoenix]

William Holley, is that you?

Inspirational

[DoofusOfDeath]

Ask not what You can learn from the Web,
but what the Web can learn from You.

Google your SSN?

[damn_registrars]

Do people regularly google their own SSNs? I have contemplated trying mine, but I'm a little apprehensive about where it might end up and what it might get electronically tied to.

Re:Google your SSN?

[vlm]

Dash format 123-45-6789 will return the math result.

Searching on a nine digit integer will generally provide a few pages where it's used as an internal ID number. For example this slashdot comment had a URL with a SID value of 1106263, now if that were a couple powers of ten larger... someday slashdot UIDs will be nine digits long, etc.

It is alot of fun to search on your phone number, see what else it's used for in other area codes.

Searching on dead peoples SS# will probably pull up a social security death index page, although I don't have a number to try.

Re:Google your SSN?

[Kyaphas]

Try 567-68-0515.

Tell the peeps in the suits and dark glasses I said "hi".

Re:Google your SSN?

Spooky, I just googled mine and some guy from italy uses it for his myspace address
His myspace address is www.myspace.com/mySSN#

Re:Google your SSN?

[n6kuy]

SSN's for dead people aren't secret.

You can look 'em up here.

Re:Google your SSN?

[skeeto]

Just don't directly follow any results. The site you go to gets to see that you did a search for a 9 digit number, what the number was, and because you connected they also have your IP address. An SSN tied to an IP address: that's only ~63 bits of info but can tell them a lot.

Re:Google your SSN?

Google a number range.

1...9

Or something similar.

Re:Google your SSN?

[Dan541]

http://www.google.com/alerts comes in handy for this sort of thing. I have it set to tell me if my phonenumber appears online.

The 'Final' Soution

[MisterMikeyG]

Human Embedded RFID Chips

Re:Bad News (for El Torico), but good for us...

"found 3 obituaries" and "a ghost"

That means, (according to this article), we can now find and share out El Torico's bank account. Its what he would have wanted.

Oblig. Terminator quote

[phreakincool]

"You're dead, honey!"

Just make an answer up

[dfm3]

I treat "verification questions" as another password. City of birth? gc5f*kmn. Mother's maiden name? r4#dcViop. And so on. Most institutions don't have a problem with it. And if they do, you can still just use a random word. "Okay, okay, my first pet's name was really Albuquerque."

Re:Just make an answer up

[The+Angry+Mick]

"Okay, okay, my first pet's name was really Albuquerque."

aofdsnpqewv daddee? ;odufbpqa9euiejrnvqe

Sorry about that. The cat . . .

Re:Just make an answer up

As an unrelated side-note, your random character strings have a very low amount of entropy. All the keys are very close to each other on a qwerty keyboard.

It's worse than that

[roc97007]

My credit union suddenly adopted an "enhanced security" system where they come up with 10 personal questions (you don't have a choice which ones) and you have to provide answers to each one.

I looked over the questions, and decided I didn't want anyone knowing that information, even my bank. Called them and asked to opt out of the program. Was told that their system administrator said it was a new federal requirement. (Is this true? I haven't seen this practice at the competing credit union that has my car loan, or at the bank that has my mortgage.) They said it was for my own protection and there was no way to opt out.

I asked if I could use an additional, randomly generated password instead. (I already used a random string for my main password.) She said no, it had to be personal information.

I said it was an invasion of privacy and asked them what happens when their system administrator scoops all this personal information for his own use? (That was probably unfair, but I was getting annoyed at that point.) I pointed out that if everyone was required to use this system (which I still hadn't verified), Sysadmin from bank A could take your answers and use them to compromise your accounts B, C and D -- For instance posing as the account owner and answering the "magic question" (which is often a personal question) to reset the account password. She said that she didn't know about that, but I had to live with it.

I'm willing to bet that the "enhanced security" answers aren't even encrypted.

So with a little experimentation, I discovered that the "enhanced security" system will take any string as an answer. So, for instance, to the question "what is your maternal grandmother's middle name" (I actually don't know the answer.) you could answer "20382-0qopw" (string was generated by pounding on my keyboard) and the answer will be accepted.

I also found out that you could put random strings (or a rude phrase) for each answer, or use the same passphrase for every answer, and the system will accept it.

This opened whole new vistas of "security".

So, for my daughter's account, which doesn't have much to lose, I set all her "enhanced security" questions to the same passphrase, (you will never guess it, don't even try) and set up different passphrases for each security question for my accounts.

One big win to making up your answers is that a bad guy can't use the information to break into accounts in other institutions. Even if it's sold to a third party or published on the internet, the information only works with that one account. Moreover, there's no way someone can research my family history and come up with "asawi0egh" for my mother's maiden name. (Again, generated by slapping the keyboard a few times.)

In other words, don't buy into it. Treat it as just another password that you make up yourself.

How does one keep track of all these passwords? Find a secure password keeper application and use it religiously. Sourceforge is a good place to look. Some even work on PDAs.

Re:It's worse than that

Yes, they are required to do this. Or more accurately, they're required to use two-factor authentication, and they're claiming that using "something you know" and "something else you know" qualifies as two factors.

Re:It's worse than that

[Eberlin]

So, for my daughter's account, which doesn't have much to lose, I set all her "enhanced security" questions to the same passphrase, (you will never guess it, don't even try)

1234 what do I win?

Re:It's worse than that

[amirulbahr]

One big win to making up your answers is that a bad guy can't use the information to break into accounts in other institutions. Even if it's sold to a third party or published on the internet, the information only works with that one account. Moreover, there's no way someone can research my family history and come up with "asawi0egh" for my mother's maiden name. (Again, generated by slapping the keyboard a few times.)

We must be related.

Re:It's worse than that

[BenihanaX]

How does one keep track of all these passwords? Find a secure password keeper application and use it religiously. Sourceforge is a good place to look. Some even work on PDAs.

Just don't forget to backup your password file. I learned that the hard way (who would have thought a 2 year old drive can fail catastrophically after having 20 year old computers work just fine).

Re:It's worse than that

[mgblst]

So with a little experimentation, I discovered that the "enhanced security" system will take any string as an answer.

Really? So you discovered that the program doesn't actually know this personal information about you? And it can't actually tell the difference between a normal grandmas name, and a random string? So you figured out that the system wasn't actually AI alive? Congratulations.

Re:It's worse than that

[roc97007]

Exactly. There's a copy in my pda, a copy on my home computer, and a copy on my work computer. Should be sufficient.

Re:It's worse than that

(you will never guess it, don't even try)

I bet it is 12345 :)

Re:It's worse than that

[roc97007]

Oh, don't be like that.

Let me give you an example. When I got my American Express corporate card, part of the activation process was to create a PIN. The process is done through a voice menu system. The message suggests that you use your mothers birthdate (month and day).

My intention was to make the PIN a random four digit string. Turns out the system would not accept a four digit string that was not a valid month and day. They actually had software in place to make sure you didn't pick the 32nd of Grune.

So, yeah, I am surprised that this system would accept a grandmother's middle name that included numbers and punctuation characters. Or a "first pet's name" of "Your mother was a hamster and your father smelt of elderberries". ("By the time I had finished calling him in to dinner, he starved to death." But I digress.) Or that it didn't bother to check that my daughter's high school, hospital where she was born, and maternal grandmother were all coincidentally named "none of your damned business, monkey boy". [1]

I half expected to see the message "That name is not valid. Your grandmother's middle name must match an entry in 'The perfect book of baby names'. Available on Amazon." Or, more likely, get an email from the bank something to the effect "Our IT department does not appreciate your thoughts on their personal habits. You will have to re-enter your personal information to access your account."

[1] None of those are the real passphrase, of course.

Re:It's worse than that

[emddudley]

Well you seem to have figured out the secure way to answer the security questions: use a psuedo-identity.

Make up a fake persona and use that as the basis for all of the answers. Even if someone discovers your mother's maiden name, they won't know about the mother that's all in your head.

Re:It's worse than that

[roc97007]

Agreed, but for it to be effective, you have to make up a different fake persona for each account. You certainly wouldn't want to use the same fake persona for multiple accounts. That would only mean that the police wouldn't know whom to notify when "Norm D. Plume" got completely cleaned out.

Re:It's worse than that

[dwpro]

I gotta tell ya, it isn't as easy to validate data as you might think. There are some strange names out there, and the minute you make it too stringent someone will roll along with a name like "Ã¥esop D'Jord the 2nd" and you'll get a support call.

Inventor

[venuspcs]

Apparently I was at one time an inventor for IBM and co-invented the "Scannerless message concentrator and communications multiplexer"....what ever the hell that is!

I'm the only one with my name

[abbyful]

I haven't came across anybody else with my name. Only 3 people in my state have my last name, and that's my parents and me. I don't know how many in the entire USA have my last name, but it can't be more than 20.

Which one?

[macraig]

Ummm, I'm confused... do I Google my birth name or one of my too-numerous-to-mention split cyber-personalities?

Re:Which one?

[Cro+Magnon]

Well, when I google my main cyber-persona, I get a lot of info on prehistoric cavemen. I can't imagine how that happens.

Re:Which one?

[macraig]

When I Google mine (not the "me" I use here), I get a bunch of Star Trek pseudo-history and references to Spock's home planet. That, and vacation package offers and passport services. Nifty!

Very strange...

[lazlo]

I find it quite odd that this article was written by Bob Mitchell. Usually when someone writes about how they've discovered that google knows everything about them, the byline is something like Corvus McLazerpants. Although I don't personally know of this guy, I'm guessing that he must be popular enough that the other few thousand Bob Mitchells of the world providing chaff for him have an insufficient pagerank to be effective.

Times Changes

[olddotter]

I used to think that people who were afraid to give out their SSN probably also slept with tinfoil hats on. Now I only give it to companies that have to report something to the IRS. If someone isn't reporting income to the IRS, they don't need a SSN.

Re:Times Changes

[KPexEA]

We have a small mail-order business in Canada selling die-cast model cars and if a US customer orders over $200 worth of model cars, we need to supply Fedex their SSN so they can pass that along to Homeland Security so the shipment can clear US customs. We do get a fair number of customers who refuse, but there is nothing we can do about it, most of our long-term customers don't have a problem with it.

Re:Times Changes

[HiThere]

Have the customer break it up into two $100 orders?

Privacy is Dead

See also: Privacy is Dead

If you want real privacy

[extrasolar]

I don't usually have these problems. Just use someone else's identity, bank account, gmail etc, and you're set.

Giving false answers is the key

[marcus]

To making online security questions real gates. The only places that have my real info are the places that really need it. Even then the answers that I give to the security screen questions are certainly not true.

What is the name of my first pet?
Last three places I worked?
Childhood friend?
Favorite sports team?
Favorite president?
etc.

Anybody that knows the real me and knows the true answers to these questions will not be able to log on to my bank accounts using those "right" answers.

I construct passwords and these answers based on the site name itself and something else that is easy to remember. Using shapes is pretty simple. Things like: my yahoo email password makes a "Y" shape on the keyboard.

FOSS (of sorts) Anonymizer Service

[religious+freak]

I recall reading the last few of Arthur C. Clarke's books; he mentioned, a few times, a social movement geared toward intentionally providing misleading and incorrect information about people on the web to provide for a more anonymous society... or at least one where you couldn't find everything out about someone with just a click of a mouse.

I'm actually quite surprised something like that has not actually come into being, because I believe the odds of stopping your info from going online is pretty close to zero. But if you have a bunch of other misleading stuff, at least only you and your friends know what's true and what's not.

It's an interesting concept.

How did they get that info?

[JayAitch]

I googled to find my name on a site called reunion.com along with the last 3 cities I lived in, my brother, father, mother, and live-in ex-girlfriend all associated with my name. Kinda scary when I generally hold tight on my personal information whenever possible.

Re:How did they get that info?

[retchdog]

Credit bureaus have long tentacles...

What's interesting to me, is that the three of them have slight discrepancies between them, which means that they actually "compete" in some way.

well howdy!

[zogger]

Ezekiel Running Bear, is that you?

Re:well howdy!

[Captain+Splendid]

Nice!

Won't work

[Jeremy+Visser]

Not if you're signed in to your Google Account, not if you're not signed into your Google Account either! (Whoda thunk it?)

Google will still have the data in their logs, even if the sites you visit don't have it.

Even if you're not signed in, the search will still be tied to your IP address for 18 months, or whatever Google's "anonymisation" policy is.

You could use Scroogle, which claims to store no cookies, and re-route your request through a random IP address out of their pool, but who's to say they'll not keep logs as well?

Only way to be sure is to not even look.

Oh God

[Jorophose]

Could you imagine the horror of four mothers in law?

Re:Oh God

[maxume]

1 or 4, either way, you only need to rent a single backhoe.

I know what you mean...

I stopped using my real name after some gay guy started stalking me in an online game. I've been pseudonymous ever since in games, chat and whatnot, except with a handful of people I trust.

You can always make a new pseudonym. You can't start a new life.

Re:We might...

[TaoPhoenix]

Unless you're REALLY good at this game, "Widowhood" is female. (The male is Widowerhood). So, my condolences. Care for a date?

Re:Bad News (for El Torico), but good for us...

[Bastard+of+Subhumani]

And his pr0n stash. To spare his mother from finding it and being embarassed, obviously.

You are all noobs.

[professorguy]

Hey, pipl found some of my blog posts from 1985! That means I've been posting on the internet for 25 years. All the rest of you are noobs!

Re:You are all noobs.

[John+Hasler]

> All the rest of you are noobs!

Some of us actually have been active on the Net for 25 years. There were no "blogs" in 1985 but there was Usenet. I doubt that anyone at Pipl has ever heard of it, though.

Re:You are all noobs.

[professorguy]

Here's one of those times text just doesn't convey enough. The word "actually" above sounds like you don't believe I have been on the net 25 years. To be clear: I have.

Yes, my so-called "blog" is just a series of Usenet submissions. Apparently my earlier ones from 1984 either didn't make the cut or were lost through technical mistakes.

I'll admit that I used to love alt.*. How long ago? Back before censorship destroyed it. Back before email addresses had @ signs. Hell, back before spam if you can imagine such a thing.

Those were the days. Now you kids get off my lawn!

tried my SSN

[ghostlibrary]

I looked up my SSN. Google told me it equaled -1958, and also said look up "More about calculator." Either the web knows I'm in the sciences, or I need to remove the dashes when googling it.

SSN 'safety' is insane, but it's not about the ID

[arete]

Here in the US, we have government issued IDs. And they're required for plenty of things, especially in person. We don't have the Post Office as part of the system you're referring to, but that's not the biggest problem.

The problem is that there's no possible way to even reasonably verify whether a moron is who they think they are online without having already laid some groundwork. (Like mailing something to prove address) Anything they can know, someone else can know. And as a parent mentioned, the skip-tracing people have AT LEAST as much information as a major credit card you just applied for - available for a couple $.

And the credit reporting agencies and credit companies here want you to be able to get drunk and call up and apply for a credit card and get instant gratification for it with no verification whatsoever...

They ought to have to at least mail you something at the address on your credit report and call you at the phone number on your credit report. If the credit reporting agency wants to do that and setup a secret PIN with you, you could share that secret with a credit card company...

They DO mail your PINs out, so you can't take too much direct cash from a fraudulent app - you can only buy an infinite quantity of goods. So that proves they know how to keep it safe - they just don't value ensuring that you're the right person to give credit to... because the incentives aren't in place.

Re:SSN 'safety' is insane, but it's not about the

[wtarreau]

OK, so you're precisely demonstrating that the laws protect the service providers and not the individuals.

If an online bank does not even require you to send officially stamped papers to prove your ID, then there's a real problem. Here it would not happen because such a bank would not be paid and would have no resort. That's why they're asking for a lot of papers.

It seems some poeple fear that it would slow the process down, but in fact it would not. How many times a week do you open a bank account ? This is typically the thing which can suffer several days latency for paper verification.