What Web Surfers Can Find Out About You
cweditor writes in with an updated version of a story the likes of which you might have read before, What the Web Knows About You. But reporter Rob Mitchell found out vastly more about himself (his research subject) online than he could have even a year or two ago. The big difference is that state and local governments are putting online digitized records, often with Social Security numbers and other personal details intact. Mitchell ends by questioning how much good it does for banks or credit card companies to require 4, 5, or more independent identity "factors" before providing access to account details, when most or all of the factors they request can be found online about nearly anyone.
I'm always surprised that more "secure" websites don't let users use their own security question. It makes no sense to just always use "mother's maiden name" or "city of birth" or whatever. Why can't I use my own security question and pick something that I actually am one of the few people that know (me and maybe my wife or something)?
I'm not sure adding one more column to a database is going to produce a ton more overhead :)
If you made up a name, how do you remember it 3 years later?
The truth is that all men having power ought to be mistrusted. James Madison
What? Anonymous Coward? You dare me to publish my SSN? Get lost. It does not make sense for me to do it alone. But if the entire person-SSN map of all people becomes public, it will actually help us all.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Ask not what You can learn from the Web,
but what the Web can learn from You.
Actually banks have to keep your money safe to keep your business so they are the ones that implement the best (imho) workable authentication. All banks these days have SSL certificates (I think required by law), they have some sort of picture system where the bank shows you something to authenticate who THEY are (so MITM are more difficult as long as your or their computer isn't compromised) and then they have a username and password which the user is responsible for and a lot of banks are implementing (optional for now, required for certain transactions) an RSA-keyfob-like structure (whether it be on your cellphone or they charge you for a keyfob) where you get a one-time generated key that is valid for less than 10 minutes. Some accounts (>10.000) get that stuff for free.
Sure you can think of more safe versions of the above but in the end it has to be 1) usable by the very people we hate so much: Computer Illiterate Users 2) affordable for the common man (a free checking account with less than $100 in doesn't even cover the costs to provide online banking let alone extras) 3) not drive customers away because of reason 1 or by being so complicated or expensive nobody wants to use it.
Custom electronics and digital signage for your business: www.evcircuits.com
If you made up a name, how do you remember it 3 years later?
The idea is to have a set of false, made up answers that you *always* use to the same old security, so you don't forget them. No one is going to find that stuff online because it's not affiliated with you except in your imagination. If you are afraid of forgetting your passwords and to remember passwords like "d8u*mF@3KowcCR", use an encrypted password keeper.
Just callin' it like I see it.
That's why my mother's maiden name is "f03itncvl102$#(2l$" (for purposes of site logins).
I am officially gone from
The biggest problem isn't security questions for accounts that you open. For that, you just monitor your statements to ensure that there's nothing on there that wasn't you and it's really simple to dispute a charge.
The huge gaping security hole is people opening new accounts in your name. It's also a much harder problem to solve since you need a way to prove that you are you without any prior interaction between you and the company and, in most circumstances, without any in-person interaction.
I used to think that people who were afraid to give out their SSN probably also slept with tinfoil hats on. Now I only give it to companies that have to report something to the IRS. If someone isn't reporting income to the IRS, they don't need a SSN.
Think Deeply.