Slashdot Mirror

← Back to Stories (view on slashdot.org)

What Web Surfers Can Find Out About You

Posted by kdawson on from the private-first-class dept.

cweditor writes in with an updated version of a story the likes of which you might have read before, What the Web Knows About You. But reporter Rob Mitchell found out vastly more about himself (his research subject) online than he could have even a year or two ago. The big difference is that state and local governments are putting online digitized records, often with Social Security numbers and other personal details intact. Mitchell ends by questioning how much good it does for banks or credit card companies to require 4, 5, or more independent identity "factors" before providing access to account details, when most or all of the factors they request can be found online about nearly anyone.

20 of 234 comments (clear)

  1. Bad News by El+Torico · · Score: 5, Funny

    I googled my name and found 3 obituaries.

    --
    In the land of the blind, the one-eyed man is usually crucified.
    1. Re:Bad News by Mr.+Sketch · · Score: 4, Funny

      Well, if google says you're dead three times, who am I to claim otherwise?

      --
      Things you think are in the Constitution, but are not.
    2. Re:Bad News by Jason+Levine · · Score: 4, Interesting

      I googled my name and my site came up #4 in the listing. There were a lot of other people with my name, though. Years back, I didn't see any reason not to use my real name while online. Perhaps I was naive or perhaps it was a simpler online time. Either way, circumstances have changed. I don't want to go about "killing off" my accounts on various sites (like Slashdot) and starting over, but any new sites I sign into I want connected to a username that isn't my real name. It's one reason why I decided to start my new blog under a pseudonym. (No, I'm not posting the pseudonym here. That would link my pseudonym and my real name up in Google listings.)

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    3. Re:Bad News by geobeck · · Score: 5, Funny

      Phone conversation overheard in a bank:

      "Hello, Mr. Anderson? This is Washington First National Citi Wells Fargo Mutual. I'm afraid we are unable to process your loan request. Well, unfortunately it appears that you're dead. Yes, it is surprising. My sincerest condolences on your recent loss.

      Well, according to your obituaries, you initially died on October 12, 1982, of trauma resulting from a car accident. Wow, that looked like a terrible accident. I hope you didn't suffer too much. Then on February 23, 1997, you were decapitated in an industrial accident... oh, I'm glad to hear you're feeling much better. Except for being dead, of course.

      "Mr. Anderson, no, I'm sorry, we cannot approve a loan to a dead person. You may be feeling fine, but Google says you're dead. Well, killed by an IED in Iraq most recently. 2005? You don't remember being there? Well, that doesn't prove anything because you're dead; I wouldn't expect you to remember it.

      "Mr. Anderson, please calm down. It's not healthy to get so agitated. I mean, it's definitely not healthy to be dead, but there's no need to make matters worse... Yes, as a matter of fact I did find an obit for myself. Died after a lingering coma. Fortunately, it's not a problem, because being brain dead is not an impediment to my line of work. Yes, I'm sorry, please feel free to re-apply when you're not dead. Goodbye."

      --
      Find environmentally and socially responsible products on http://buy-right.net
    4. Re:Bad News by LandDolphin · · Score: 4, Funny

      Or can't still vote!

      --
      Spelling and Grammar errors have been added to this post for your enjoyment
    5. Re:Bad News by kklein · · Score: 4, Interesting

      I, too, used to use my real name. Then, time went on, I grew up, mellowed, and suddenly the political screeds I penned in the heady days of youth looked like, um, really bad ideas. And in one case, I was a complete sanctimonious prick and was correctly called out for it...

      I've been on pseudonyms ever since. I have a lot, and they are kind of characters depending on what kind of presence I want to have on that site. Slashdot is the only place where I kinda just speak freely, although this is also a pseudonym.

    6. Re:Bad News by Anonymous Coward · · Score: 5, Funny

      I think we've all made the "mistake" of linking a pseudonym to our given name at some point. Im posting as AC because I can't figure out how to log in on this terminal, but my real name is Jason Levine

    7. Re:Bad News by ccady · · Score: 5, Funny

      I got better.

      --
      J'aime mieux les méchants que les imbéciles, parce qu'ils se reposent. -- Alexandre Dumas
  2. ID information available to the public by LoadWB · · Score: 5, Interesting

    I have complained about this crap for years to my credit card companies, phone companies, mortgage company, and even my college. How can they claim to protect your account information when their verification questions are all publicly available information? (In the case of the colleges, students are often asked to sign in for roll or exams using a social security number, and that sheet is either passed around or otherwise completely viewable.)

    At least some allow you to select a special pass phrase. Only one of my vendors will not allow me access to the account if I do not provide the pass phrase. Every one else has a way around that.

    Security. Pfah.

    1. Re:ID information available to the public by CannonballHead · · Score: 5, Insightful

      I'm always surprised that more "secure" websites don't let users use their own security question. It makes no sense to just always use "mother's maiden name" or "city of birth" or whatever. Why can't I use my own security question and pick something that I actually am one of the few people that know (me and maybe my wife or something)?

      I'm not sure adding one more column to a database is going to produce a ton more overhead :)

    2. Re:ID information available to the public by siriuskase · · Score: 5, Interesting

      The secret is that they don't ever check to see if it really is your SS#. they just need a uniquie 9 digit number. Make one up.

      --
      If you must moderate, please moderate as irrelevent, not something bad, because I'm sure someone will find this interest
    3. Re:ID information available to the public by LaskoVortex · · Score: 5, Insightful

      If you made up a name, how do you remember it 3 years later?

      The idea is to have a set of false, made up answers that you *always* use to the same old security, so you don't forget them. No one is going to find that stuff on line because it's not affiliated with you except in your imagination. If you are afraid of forgetting your passwords and to remember passwords like "d8u*mF@3KowcCR", use an encrypted password keeper.

      --
      Just callin' it like I see it.
    4. Re:ID information available to the public by s.bots · · Score: 4, Funny

      If you are afraid of forgetting your passwords and to remember passwords like "d8u*mF@3KowcCR", use an encrypted password keeper.

      Shit, now I have to change all my passwords AGAIN, just like after someone else posted my old one, 09:F9:11:02:9D:74:E3:5B:D8:41:56:C5:63:56:88:C0

  3. Multi-Factor Authentication by rlp · · Score: 4, Interesting

    Real multi-factor authentication requires some thought and the expenditure of time and money. Is it any wonder that some banks have implemented extremely LAME (mother's maiden name, pick a picture) versions of two factor authentication. Ideally, it should be (choose at least two): something you know, something you have, and something you are (and perhaps somewhere you are). Something you know is typically an ID / password pair. Something you have can include a one time pad (Gibson's perfect paper password), an RSA dongle, a Yubikey, or even a cell phone (bank sends key as text message). Something you are is biometrics: fingerprint readers, retina readers, etc. (There's an amusing and horrible joke based in this in a "Red Dwarf" episode). Finally, you can have location based authentication: IP / Mac addresses (potentially spoofable), physically secure workstations (with optional armed guard), etc.

    --
    [Insert pithy quote here]
  4. pipl by Finallyjoined!!! · · Score: 5, Interesting

    Check it out, you will all be surprised what it will find:

    http://www.pipl.com/

    --
    If I had an Ass, I'd call it Fanny Bottom, then I could slap my Ass; Fanny Bottom, on the Arse.
  5. Stupid Slashdot. by Creepy+Crawler · · Score: 5, Informative

    <Page 1>
    Why
    Cant
    You

    <Page 2>
    Provide
    A
    Link

    <Page 3>
    So
    Everything
    is

    <Page 4>
    on
    One
    Page?

    how abut a link here

    --
  6. Search all you want by MarkusQ · · Score: 5, Funny

    Mitchell ends by questioning how much good it does for banks or credit card companies to require 4, 5, or more independent identity "factors" before providing access to account details, when most or all of the factors they request can be found online about nearly anyone.

    Psha. Search all you want, and you'll never discover whether "rw^j8*=1IF9d" is my mother's maiden name, my favorite desert, or where I got my first kiss. And it won't matter anyway, 'cause that's not actually one of the strings I use.

    --MarkusQ

    P.S. And for an added level of security, I'm not really me, nor am I the person I told the bank I was.

  7. Re:It is good SSN becomes totally public by wtarreau · · Score: 4, Interesting

    It's amazing that you Americans have such problems with your identities. I think it is because you don't have an ID card. Here in France, there's no such problem. I can give my SSN to anyone, because it's not used as an authentication system, just identication for a few things. It's written in plain numbers on some non-confidential papers and it causes no problem.

    The reason is that we all have an ID card which is delivered after several controls have been performed. So we all present our ID card to prove our identity when paying by cheque, when we want to take money out of the bank, etc...

    I regularly read about Americans taking care of destroying any ID information they can have so that nobody can reuse it. This sounds so much prehistoric to us out there that almost nobody believes it ! And I think that you're now in a situation where it will be difficult to make people accept the concept of the ID card simply because they will fear that someone somewhere will then know their ID. It's a shame, really.

    Now don't get me wrong. ID stealing also happens here but is very rare because they require that the imitator either has got your ID card and looks exactly like your photo, or that he owns a fake ID card, which happens but is very limited due to the various security items which are not trivial to reproduce for the average Joe around.

    I really hope that in 10-20 years you'll have got out of this archaic system, it's really a shame !

  8. It's worse than that by roc97007 · · Score: 4, Interesting

    My credit union suddenly adopted an "enhanced security" system where they come up with 10 personal questions (you don't have a choice which ones) and you have to provide answers to each one.

    I looked over the questions, and decided I didn't want anyone knowing that information, even my bank. Called them and asked to opt out of the program. Was told that their system administrator said it was a new federal requirement. (Is this true? I haven't seen this practice at the competing credit union that has my car loan, or at the bank that has my mortgage.) They said it was for my own protection and there was no way to opt out.

    I asked if I could use an additional, randomly generated password instead. (I already used a random string for my main password.) She said no, it had to be personal information.

    I said it was an invasion of privacy and asked them what happens when their system administrator scoops all this personal information for his own use? (That was probably unfair, but I was getting annoyed at that point.) I pointed out that if everyone was required to use this system (which I still hadn't verified), Sysadmin from bank A could take your answers and use them to compromise your accounts B, C and D -- For instance posing as the account owner and answering the "magic question" (which is often a personal question) to reset the account password. She said that she didn't know about that, but I had to live with it.

    I'm willing to bet that the "enhanced security" answers aren't even encrypted.

    So with a little experimentation, I discovered that the "enhanced security" system will take any string as an answer. So, for instance, to the question "what is your maternal grandmother's middle name" (I actually don't know the answer.) you could answer "20382-0qopw" (string was generated by pounding on my keyboard) and the answer will be accepted.

    I also found out that you could put random strings (or a rude phrase) for each answer, or use the same passphrase for every answer, and the system will accept it.

    This opened whole new vistas of "security".

    So, for my daughter's account, which doesn't have much to lose, I set all her "enhanced security" questions to the same passphrase, (you will never guess it, don't even try) and set up different passphrases for each security question for my accounts.

    One big win to making up your answers is that a bad guy can't use the information to break into accounts in other institutions. Even if it's sold to a third party or published on the internet, the information only works with that one account. Moreover, there's no way someone can research my family history and come up with "asawi0egh" for my mother's maiden name. (Again, generated by slapping the keyboard a few times.)

    In other words, don't buy into it. Treat it as just another password that you make up yourself.

    How does one keep track of all these passwords? Find a secure password keeper application and use it religiously. Sourceforge is a good place to look. Some even work on PDAs.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  9. Times Changes by olddotter · · Score: 4, Insightful

    I used to think that people who were afraid to give out their SSN probably also slept with tinfoil hats on. Now I only give it to companies that have to report something to the IRS. If someone isn't reporting income to the IRS, they don't need a SSN.

    --
    Think Deeply. ...