What Web Surfers Can Find Out About You

cweditor writes in with an updated version of a story the likes of which you might have read before, What the Web Knows About You. But reporter Rob Mitchell found out vastly more about himself (his research subject) online than he could have even a year or two ago. The big difference is that state and local governments are putting online digitized records, often with Social Security numbers and other personal details intact. Mitchell ends by questioning how much good it does for banks or credit card companies to require 4, 5, or more independent identity "factors" before providing access to account details, when most or all of the factors they request can be found online about nearly anyone.

Bad News

[El+Torico]

I googled my name and found 3 obituaries.

Re:Bad News

[Mr.+Sketch]

Well, if google says you're dead three times, who am I to claim otherwise?

Re:Bad News

[morgan_greywolf]

That's okay. I googled my name and found three wedding announcements! By the end of the next month, I'll be married to four different people!

Re:Bad News

[siriuskase]

What's the big deal? Just because you are now dead doesn't mean you never had a life or three.

Re:Bad News

[Jason+Levine]

I googled my name and my site came up #4 in the listing. There were a lot of other people with my name, though. Years back, I didn't see any reason not to use my real name while online. Perhaps I was naive or perhaps it was a simpler online time. Either way, circumstances have changed. I don't want to go about "killing off" my accounts on various sites (like Slashdot) and starting over, but any new sites I sign into I want connected to a username that isn't my real name. It's one reason why I decided to start my new blog under a pseudonym. (No, I'm not posting the pseudonym here. That would link my pseudonym and my real name up in Google listings.)

Re:Bad News

[geobeck]

Phone conversation overheard in a bank:

"Hello, Mr. Anderson? This is Washington First National Citi Wells Fargo Mutual. I'm afraid we are unable to process your loan request. Well, unfortunately it appears that you're dead. Yes, it is surprising. My sincerest condolences on your recent loss.

Well, according to your obituaries, you initially died on October 12, 1982, of trauma resulting from a car accident. Wow, that looked like a terrible accident. I hope you didn't suffer too much. Then on February 23, 1997, you were decapitated in an industrial accident... oh, I'm glad to hear you're feeling much better. Except for being dead, of course.

"Mr. Anderson, no, I'm sorry, we cannot approve a loan to a dead person. You may be feeling fine, but Google says you're dead. Well, killed by an IED in Iraq most recently. 2005? You don't remember being there? Well, that doesn't prove anything because you're dead; I wouldn't expect you to remember it.

"Mr. Anderson, please calm down. It's not healthy to get so agitated. I mean, it's definitely not healthy to be dead, but there's no need to make matters worse... Yes, as a matter of fact I did find an obit for myself. Died after a lingering coma. Fortunately, it's not a problem, because being brain dead is not an impediment to my line of work. Yes, I'm sorry, please feel free to re-apply when you're not dead. Goodbye."

Re:Bad News

[LandDolphin]

Or can't still vote!

Re:Bad News

[kklein]

I, too, used to use my real name. Then, time went on, I grew up, mellowed, and suddenly the political screeds I penned in the heady days of youth looked like, um, really bad ideas. And in one case, I was a complete sanctimonious prick and was correctly called out for it...

I've been on pseudonyms ever since. I have a lot, and they are kind of characters depending on what kind of presence I want to have on that site. Slashdot is the only place where I kinda just speak freely, although this is also a pseudonym.

Re:Bad News

I think we've all made the "mistake" of linking a pseudonym to our given name at some point. Im posting as AC because I can't figure out how to log in on this terminal, but my real name is Jason Levine

Re:Bad News

[ccady]

I got better.

Re:Bad News

[Frosty+Piss]

Well, if google says you're dead three times, who am I to claim otherwise?

Isn't that the standard at Wikipedia?

Re:Bad News

I took my anonymity a step further and have pseudonyms for real life, too - the name I use for work is not my real name. It seems to be the only way to have a fully private Private Life.

It's already taken for granted that actors, writers, porn stars, prostitutes, and Indian call centre staff will use a fake name for work - why not everyone else?

Hi. I'm Bob.

Re:Bad News

[Hognoxious]

if google says you're dead three times, who am I to claim otherwise?

Google schmoogle. Did you check netcraft?

Re:Bad News

[jdmetz]

I know you're joking, but apparently all that is needed for the Social Security agency to declare you dead is for a coroner to mistakenly type your SS#. From there it will get to your credit reports and pretty soon all your accounts will be frozen. Here's someone who had it happen recently.

ID information available to the public

[LoadWB]

I have complained about this crap for years to my credit card companies, phone companies, mortgage company, and even my college. How can they claim to protect your account information when their verification questions are all publicly available information? (In the case of the colleges, students are often asked to sign in for roll or exams using a social security number, and that sheet is either passed around or otherwise completely viewable.)

At least some allow you to select a special pass phrase. Only one of my vendors will not allow me access to the account if I do not provide the pass phrase. Every one else has a way around that.

Security. Pfah.

Re:ID information available to the public

[CannonballHead]

I'm always surprised that more "secure" websites don't let users use their own security question. It makes no sense to just always use "mother's maiden name" or "city of birth" or whatever. Why can't I use my own security question and pick something that I actually am one of the few people that know (me and maybe my wife or something)?

I'm not sure adding one more column to a database is going to produce a ton more overhead :)

Re:ID information available to the public

[siriuskase]

The secret is that they don't ever check to see if it really is your SS#. they just need a uniquie 9 digit number. Make one up.

Re:ID information available to the public

[siriuskase]

Just pretend you have two moms. Make up a nice name for your real mom's girlfriend. Maybe even a man's name. Some women have masculine names.

Re:ID information available to the public

[Attila+Dimedici]

If you made up a name, how do you remember it 3 years later?

Re:ID information available to the public

[zehaeva]

why not just put in a odd answer? for city of birth put the city of your fathers/mothers birth, or the name of your first pet? and for your mothers maiden name your grandmothers maiden name or the city of your birth? or the title of your favorite book, or the name of your favorite author. so long as you know what to substitute all should be fine.

Re:ID information available to the public

[LaskoVortex]

If you made up a name, how do you remember it 3 years later?

The idea is to have a set of false, made up answers that you *always* use to the same old security, so you don't forget them. No one is going to find that stuff on line because it's not affiliated with you except in your imagination. If you are afraid of forgetting your passwords and to remember passwords like "d8u*mF@3KowcCR", use an encrypted password keeper.

Re:ID information available to the public

[dkleinsc]

That's why my mother's maiden name is "f03itncvl102$#(2l$" (for purposes of site logins).

Re:ID information available to the public

[s.bots]

If you are afraid of forgetting your passwords and to remember passwords like "d8u*mF@3KowcCR", use an encrypted password keeper.

Shit, now I have to change all my passwords AGAIN, just like after someone else posted my old one, 09:F9:11:02:9D:74:E3:5B:D8:41:56:C5:63:56:88:C0

Re:ID information available to the public

The biggest problem isn't security questions for accounts that you open. For that, you just monitor your statements to ensure that there's nothing on there that wasn't you and it's really simple to dispute a charge.

The huge gaping security hole is people opening new accounts in your name. It's also a much harder problem to solve since you need a way to prove that you are you without any prior interaction between you and the company and, in most circumstances, without any in-person interaction.

Multi-Factor Authentication

[rlp]

Real multi-factor authentication requires some thought and the expenditure of time and money. Is it any wonder that some banks have implemented extremely LAME (mother's maiden name, pick a picture) versions of two factor authentication. Ideally, it should be (choose at least two): something you know, something you have, and something you are (and perhaps somewhere you are). Something you know is typically an ID / password pair. Something you have can include a one time pad (Gibson's perfect paper password), an RSA dongle, a Yubikey, or even a cell phone (bank sends key as text message). Something you are is biometrics: fingerprint readers, retina readers, etc. (There's an amusing and horrible joke based in this in a "Red Dwarf" episode). Finally, you can have location based authentication: IP / Mac addresses (potentially spoofable), physically secure workstations (with optional armed guard), etc.

Re:Multi-Factor Authentication

[guruevi]

Actually banks have to keep your money safe to keep your business so they are the ones that implement the best (imho) workable authentication. All banks these days have SSL certificates (I think required by law), they have some sort of picture system where the bank shows you something to authenticate who THEY are (so MITM are more difficult as long as your or their computer isn't compromised) and then they have a username and password which the user is responsible for and a lot of banks are implementing (optional for now, required for certain transactions) an RSA-keyfob-like structure (whether it be on your cellphone or they charge you for a keyfob) where you get a one-time generated key that is valid for less than 10 minutes. Some accounts (>10.000) get that stuff for free.

Sure you can think of more safe versions of the above but in the end it has to be 1) usable by the very people we hate so much: Computer Illiterate Users 2) affordable for the common man (a free checking account with less than $100 in doesn't even cover the costs to provide online banking let alone extra's) 3) not drive customers away because of reason 1 or by being so complicated or expensive nobody wants to use it.

Re:Multi-Factor Authentication

[twiddlingbits]

Mulit-factor authentication is NOT expensive (i.e dongles or RSA keyfobs) and doesn't have to be elaborate. I built a credit report site 10 yrs ago that used MFA. We would ask you user name and then based on that we asked the name of a two creditors and an information for each that only you would know and gave your 4 pairs of choices to chose from. For example the amount of your mortgage and the bank plus say your auto loan bank and car make/model, two of those pairs were correct two were false but not obviously so. If you passed that then you had a secret 8 character password (letters, numbers, upper & lower case plus characters) we gave you when you logged in. The ONLY time your SSN was needed was the initial setup of the account. A one-time pad is just that one-time. And each end of the transaction has to have the same pad and be on the same key sequence. That's not easy to do for 1000's of user and keep in sync, a digital certificate or PKA is easier. If you wanted the most secure MFA you need to go with biometrics plus physical, such as scanning your fingerprint/retina and then a perhaps a keypad/password with a response profile (people generally enter the keys with the same frequency and timing..if that measurement is out of tolerance incorrect you may have a breach or maybe just a bad keypad day). Then you have an armed guard on the INSIDE who has a roster of names and pictures he can validate you with. No electronic substitute yet for the old Mark I Mod 0 human eyeballs and judgement. Pretty much anything else (excepting 1 time pad) can be spoofed in one way or another. Whatever MFA you determine needs to be a)easy to user (users are idiots) b) inexpensive c) as secure as possible given a and b. There is such as thing as "too secure" for usefulness.

Re:Multi-Factor Authentication

[bakuun]

In Sweden, all banks provide a challenge/response - based physical keyfob to their customers, for free. I still find it amazing how bad bank security is in most other countries. Many banks just have passwords... all it takes is a keylogger. Insane.

pipl

[Finallyjoined!!!]

Check it out, you will all be surprised what it will find:

http://www.pipl.com/

Re:pipl

Not surprising in the least. There are many of these services online and the free ones are little more then goggling your own name if anything.

OTOH there are pay services like lexis.com and others that i used to use in my skip tracing days. Now with nothing more then a name and a county i could usually get everything from SSN's to VIN numbers of cars you have/do own. DL number's phone number's (including potentially unlisted). Hell itll tell me if your married divorced (with links to the pdf's of the court papers if available). Employment history (with a list of associates employed at the same places around the same times as you.

About the only thing it wont tell me is your dog's name so there is no surprise to me.

I dont even have to go online to find out your address and phone numbers. If i know what kind of car you drive. Chrysler has an 800 number that you put in the first 5 digits of the last name and it will give me address and phone number on record...

Stupid Slashdot.

[Creepy+Crawler]

<Page 1>
Why
Cant
You

<Page 2>
Provide
A
Link

<Page 3>
So
Everything
is

<Page 4>
on
One
Page?

how abut a link here

Search all you want

[MarkusQ]

Mitchell ends by questioning how much good it does for banks or credit card companies to require 4, 5, or more independent identity "factors" before providing access to account details, when most or all of the factors they request can be found online about nearly anyone.

Psha. Search all you want, and you'll never discover whether "rw^j8*=1IF9d" is my mother's maiden name, my favorite desert, or where I got my first kiss. And it won't matter anyway, 'cause that's not actually one of the strings I use.

--MarkusQ

P.S. And for an added level of security, I'm not really me, nor am I the person I told the bank I was.

It is good SSN becomes totally public

[140Mandak262Jamuna]

Social security number has never been designed to be a fool proof identity verification authentication tool. High time the government site get hacked and all the SSNs of ALL Americans are out in the public. Then the onus will be on the banks and others to actually verify people's identity and come up with real authentication mechanisms. Right now it is a joke. Any Tom Dick or Harry can impersonate me if he knows my name and my SSN. How ridiculous is the expectation that I have to take efforts to keep my SSN secret, while the banks and credit issuers have no obligations to check if the applicant is really who he/she says who he/she is?

What? Anonymous Coward? you dare me to publish my SSN? Get lost. It does not make sense for me to do it alone. But if the entire person-SSN map of all people becomes public, it will actually help us all.

Re:It is good SSN becomes totally public

[wtarreau]

It's amazing that you Americans have such problems with your identities. I think it is because you don't have an ID card. Here in France, there's no such problem. I can give my SSN to anyone, because it's not used as an authentication system, just identication for a few things. It's written in plain numbers on some non-confidential papers and it causes no problem.

The reason is that we all have an ID card which is delivered after several controls have been performed. So we all present our ID card to prove our identity when paying by cheque, when we want to take money out of the bank, etc...

I regularly read about Americans taking care of destroying any ID information they can have so that nobody can reuse it. This sounds so much prehistoric to us out there that almost nobody believes it ! And I think that you're now in a situation where it will be difficult to make people accept the concept of the ID card simply because they will fear that someone somewhere will then know their ID. It's a shame, really.

Now don't get me wrong. ID stealing also happens here but is very rare because they require that the imitator either has got your ID card and looks exactly like your photo, or that he owns a fake ID card, which happens but is very limited due to the various security items which are not trivial to reproduce for the average Joe around.

I really hope that in 10-20 years you'll have got out of this archaic system, it's really a shame !

Re:It is good SSN becomes totally public

Now don't get me wrong. ID stealing also happens here but is very rare because they require that the imitator either has got your ID card and looks exactly like your photo, or that he owns a fake ID card, which happens but is very limited due to the various security items which are not trivial to reproduce for the average Joe around.

I really hope that in 10-20 years you'll have got out of this archaic system, it's really a shame !

It is a shame but it doesn't sound like you are in much better shape. Thanks to our underage drinking laws, we have just about the most advanced ID-faking equipment and skilled artisans in the world (aka, teenagers). An ID card doesn't help much online or for setting up automatic payments. Most establishments with which I do business never see me nor do I see them.

There is no getting around the need for a LAP (long-ass password).

Re:It is good SSN becomes totally public

[Ihlosi]

How would you use your ID in such a scenario, please?

By using an ID verification service. Duh!

The process works like this: You fill in the form at the banks web site, they send you a letter with the instructions for the process (here in Germany, the most common one is called PostIdent), you move your behind to the nearest post office, present them with the letter from the bank and your ID, and they'll send the data to the bank.

Absofrickinlutely no need to show up at the bank in person, just at the nearest post office.

The great freedom we have to _initiate_ businesses anywhere in 50 states has a price to pay, and that is the impersonation.

As you see, we have that freedom, too, and pay with a small inconvenience for a greatly reduced risk of impersonation. Online banking is very popular here, see banks like ING-DiBa, comdirect (part of Commerzbank), etc, etc, etc. If things were as limited as you believe they are, none of these banks would exist. Sorry to bust your bubble there.

Re:It is good SSN becomes totally public

[maxume]

The magic-number-as-identity problem will not be solved by adding new magic numbers.

Inspirational

[DoofusOfDeath]

Ask not what You can learn from the Web,
but what the Web can learn from You.

Google your SSN?

[damn_registrars]

Do people regularly google their own SSNs? I have contemplated trying mine, but I'm a little apprehensive about where it might end up and what it might get electronically tied to.

Just make an answer up

[dfm3]

I treat "verification questions" as another password. City of birth? gc5f*kmn. Mother's maiden name? r4#dcViop. And so on. Most institutions don't have a problem with it. And if they do, you can still just use a random word. "Okay, okay, my first pet's name was really Albuquerque."

Re:Facebook

[Hashi+Lebwohl]

I have the same problem. My name is Jesus, and I registered using DOB of 25/12/01, and now absolutely everyone thinks it's my real birthday. Sheesh, as if shepherds would be out shepheding in the middle of winter. Some people....really.

It's worse than that

[roc97007]

My credit union suddenly adopted an "enhanced security" system where they come up with 10 personal questions (you don't have a choice which ones) and you have to provide answers to each one.

I looked over the questions, and decided I didn't want anyone knowing that information, even my bank. Called them and asked to opt out of the program. Was told that their system administrator said it was a new federal requirement. (Is this true? I haven't seen this practice at the competing credit union that has my car loan, or at the bank that has my mortgage.) They said it was for my own protection and there was no way to opt out.

I asked if I could use an additional, randomly generated password instead. (I already used a random string for my main password.) She said no, it had to be personal information.

I said it was an invasion of privacy and asked them what happens when their system administrator scoops all this personal information for his own use? (That was probably unfair, but I was getting annoyed at that point.) I pointed out that if everyone was required to use this system (which I still hadn't verified), Sysadmin from bank A could take your answers and use them to compromise your accounts B, C and D -- For instance posing as the account owner and answering the "magic question" (which is often a personal question) to reset the account password. She said that she didn't know about that, but I had to live with it.

I'm willing to bet that the "enhanced security" answers aren't even encrypted.

So with a little experimentation, I discovered that the "enhanced security" system will take any string as an answer. So, for instance, to the question "what is your maternal grandmother's middle name" (I actually don't know the answer.) you could answer "20382-0qopw" (string was generated by pounding on my keyboard) and the answer will be accepted.

I also found out that you could put random strings (or a rude phrase) for each answer, or use the same passphrase for every answer, and the system will accept it.

This opened whole new vistas of "security".

So, for my daughter's account, which doesn't have much to lose, I set all her "enhanced security" questions to the same passphrase, (you will never guess it, don't even try) and set up different passphrases for each security question for my accounts.

One big win to making up your answers is that a bad guy can't use the information to break into accounts in other institutions. Even if it's sold to a third party or published on the internet, the information only works with that one account. Moreover, there's no way someone can research my family history and come up with "asawi0egh" for my mother's maiden name. (Again, generated by slapping the keyboard a few times.)

In other words, don't buy into it. Treat it as just another password that you make up yourself.

How does one keep track of all these passwords? Find a secure password keeper application and use it religiously. Sourceforge is a good place to look. Some even work on PDAs.

Re:It's worse than that

[roc97007]

Oh, don't be like that.

Let me give you an example. When I got my American Express corporate card, part of the activation process was to create a PIN. The process is done through a voice menu system. The message suggests that you use your mothers birthdate (month and day).

My intention was to make the PIN a random four digit string. Turns out the system would not accept a four digit string that was not a valid month and day. They actually had software in place to make sure you didn't pick the 32nd of Grune.

So, yeah, I am surprised that this system would accept a grandmother's middle name that included numbers and punctuation characters. Or a "first pet's name" of "Your mother was a hamster and your father smelt of elderberries". ("By the time I had finished calling him in to dinner, he starved to death." But I digress.) Or that it didn't bother to check that my daughter's high school, hospital where she was born, and maternal grandmother were all coincidentally named "none of your damned business, monkey boy". [1]

I half expected to see the message "That name is not valid. Your grandmother's middle name must match an entry in 'The perfect book of baby names'. Available on Amazon." Or, more likely, get an email from the bank something to the effect "Our IT department does not appreciate your thoughts on their personal habits. You will have to re-enter your personal information to access your account."

[1] None of those are the real passphrase, of course.

Re:It's worse than that

[emddudley]

Well you seem to have figured out the secure way to answer the security questions: use a psuedo-identity.

Make up a fake persona and use that as the basis for all of the answers. Even if someone discovers your mother's maiden name, they won't know about the mother that's all in your head.

Re:It's worse than that

[roc97007]

Agreed, but for it to be effective, you have to make up a different fake persona for each account. You certainly wouldn't want to use the same fake persona for multiple accounts. That would only mean that the police wouldn't know whom to notify when "Norm D. Plume" got completely cleaned out.

Times Changes

[olddotter]

I used to think that people who were afraid to give out their SSN probably also slept with tinfoil hats on. Now I only give it to companies that have to report something to the IRS. If someone isn't reporting income to the IRS, they don't need a SSN.

Re:Times Changes

[KPexEA]

We have a small mail-order business in Canada selling die-cast model cars and if a US customer orders over $200 worth of model cars, we need to supply Fedex their SSN so they can pass that along to Homeland Security so the shipment can clear US customs. We do get a fair number of customers who refuse, but there is nothing we can do about it, most of our long-term customers don't have a problem with it.

If you want real privacy

[extrasolar]

I don't usually have these problems. Just use someone else's identity, bank account, gmail etc, and you're set.

FOSS (of sorts) Anonymizer Service

[religious+freak]

I recall reading the last few of Arthur C. Clarke's books; he mentioned, a few times, a social movement geared toward intentionally providing misleading and incorrect information about people on the web to provide for a more anonymous society... or at least one where you couldn't find everything out about someone with just a click of a mouse.

I'm actually quite surprised something like that has not actually come into being, because I believe the odds of stopping your info from going online is pretty close to zero. But if you have a bunch of other misleading stuff, at least only you and your friends know what's true and what's not.

It's an interesting concept.

well howdy!

[zogger]

Ezekiel Running Bear, is that you?