Forgot your password?
typodupeerror
Privacy Security

Identity Theft-What Can Really be Done w/o a SSN? 533

Posted by Cliff
from the protecting-your-data dept.
TheItalianGuy asks: "Many of us that work in the financial sector are bombarded with daily security threats. One of the biggest these days is Identity Theft. My fellow comrades and I have been really grilling each other on differing scenarios on what could be done with what information. However, it all seems to come back the the Social Security Number. Financial companies have other controls in place (customer service verification checking, account passwords, etc) to ensure identification. But in order to be of any use, a bad guy would really need someone's SSN. Absent of that, other information would be useless. Right? That's what I would like to ask Slashdot folks. What could be realistically done with customer information without a SSN? Account numbers, address, maybe a phone or payment amount. Is that really dangerous to the customer if only those get compromised?"
This discussion has been archived. No new comments can be posted.

Identity Theft-What Can Really be Done w/o a SSN?

Comments Filter:
  • Tons (Score:2, Funny)

    by Anonymous Coward
    Stalking
  • Social engineering (Score:2, Insightful)

    by DerekJ212 (867265)
    It seems to me that SSN would be of moot importance if you have everything else. Especially for lower age victims where "Im sorry sir, i dont know my social security number" might be a valid answer..
    • Not Valid. (Score:3, Insightful)

      by everphilski (877346)
      By college age you have used your social to fill out god-knows-how-many college applications, college loans, car loans, drivers license, etc. Before 18 you shouldn't be in the position to have access to something requiring a social security number unless you have access to it (IE: a bank account)

      -everphilski-
      • Re:Not Valid. (Score:3, Interesting)

        by dnoyeb (547705)
        An SSN is not a password. This focus on SSN secreacy is fucking stupid. SSN should not be used they way it is. If I become a victim, you can bet id sue the organizations that lend credit or anything in my name with a mere SSN...

        And of course were going the other way. Credit cards require less and less verification. I wonder whats their source of income when they loose money, that encourages them to be so lax. Its not odd that the media keeps pushing the idea that identity theft forces the victim to pa
      • Re:Not Valid. (Score:5, Interesting)

        by Anonymous Coward on Wednesday November 02, 2005 @11:51AM (#13932519)
        As part of my studies on "How easy is it to steal you"... I walked the UT Quad in Austin on the first day of school with some fake credit card apps... I had 100 apps in the first hour all with SSN, mothers maiden name, birthdays, the whole shebang. we found out that all you have to do is offer a t-shirt and some candy and these kids will give you anything you ask for. We tried asking for absurd stuff like bank account numbers,"This card can also act as a debit card if we have your bank information...", paypal info, "We can tie your new credit card into your paypal account too... all we need is your username and password."... we got everything we needed to totally rob someone... Here is the best part... you know all the disclaimer text on the CC apps... we worded ours to say EXACTLY what we were doing... Not a single person read the information... had they they would have seen that...
        "I certify that the information above is correct and that this application is not a real credit card application. I hear by grant the final holder of this document all rights to this information to use as needed to assume my identity. All information requested on this document can be used to assume my identity. Never give our your personal information out to anyone who does not have direct cause to have this information known."
        its insane what you can get people to give you...
    • by ToezEre (927760)
      One might argue that, considering most people who receive email still respond to phishing attacks (I cannot quote the number off-hand, but I know it was recently posted on a major), that any other seemingly innocuous information could be used to fashion target-specific phishing attacks. It seems probable that a regular person (my grandmother, aunt, father, etc.), already succeptible to scams, would be doubly so if transaction/account/address-specific information were included. All scams rely on the illusi
  • Considering... (Score:5, Insightful)

    by Jace of Fuse! (72042) on Wednesday November 02, 2005 @12:38AM (#13929779) Homepage
    Considering so many uses only request the last four digits, that makes the SSN a really insecure PIN in some cases. Insecure because it's only 4 digits, and because it never changes.
    • Re:Considering... (Score:4, Insightful)

      by shanen (462549) on Wednesday November 02, 2005 @12:59AM (#13929887) Homepage Journal
      Anyone who is dumb enough to use part of their SSN as a PIN deserves whatever happens. My own policy is to generate a random number each time I need a new PIN. (Four coin tosses per digit, converting from hex to decimal. Actually less, since 11 and 101 are terminators.)

      Anyway, the entire question of personal privacy is rapidly becoming moot. It's not just that our fear-mongering overlords want more power over each of us, but also that we have no barrier to protect privacy in this modern age. Do you have any idea how much of your personal data is stored out there? Of course not--but the organizations storing it (mostly companies and governments) can do whatever they want with it. My contention is that we need to extend the Bill of Rights to explicitly state that your personal information is part of your property and should be protected from search or seizure without probable cause.

      • Re:Considering... (Score:2, Insightful)

        by Jace of Fuse! (72042)
        Anyone who is dumb enough to use part of their SSN as a PIN deserves whatever happens.

        I agree. However, that hasn't stopped many services from requiring the last 4 digits of a SSN# for identity verification.

        It's idiotic.
      • Re:Considering... (Score:5, Informative)

        by l3prador (700532) <wkankla@gmaTOKYOil.com minus city> on Wednesday November 02, 2005 @01:37AM (#13930034) Homepage
        I'm pretty sure the grandparent post meant that the SSN is used as a Personal Identification Number, in that services require you to give them the last four digits of your SSN in order to verify that you are who you say you are (which is what a PIN does), and for that purpose it is a poor form of personal identification. I don't think that GP meant it's a bad idea to use your SSN as a PIN number... that's pretty much a given (I hope).
  • credit card info? (Score:2, Insightful)

    by Exocrist (770370)
    If you had someone's credit card, you usually dont need any other type of ID at all.

    Or if you were buying something online, and you had someone's credit card info and what not, you could make purchases without the SSN.
    • I use my wife's CC card (which has her picture on it!) to pick up her perscriptions all the time. These include Vicodin and some other hot street pills...
    • Re:credit card info? (Score:4, Interesting)

      by TheWanderingHermit (513872) on Wednesday November 02, 2005 @01:10AM (#13929935)
      I talked with a few lawyer and cop friends about this and put on the back of my check card (I don't use credit cards), "ASK FOR PHOTO ID" in big, red letters. My understanding is since I've notified the Credit Union of this, in writing, if anyone uses a fake card in person, or steals it and doesn't show an ID, the merchant is at fault, since they did not check the signature and ask for the ID, as stated in place of the signature. I don't worry too much about it, though. They are excellent at detecting any sign of fraud activity, and have called me several times to verify transactions outside of my normal purchase habits. I'd much rather get false alarms like that then have them ignore it.
      • Re:credit card info? (Score:4, Informative)

        by davevr (29843) on Wednesday November 02, 2005 @02:20AM (#13930182) Homepage
        Did you hear this on daytime talk radio or something? This is stupid for several reasons:

        First, contrary to popular belief, the sig on the back of the card is not there for identification purposes, but rather to indicate that you accept the terms of your cardholder agreement. If you do not sign the card, you cannot legally use it. Period.

        Second, if you want to protect yourself, you are much better using a credit card than a debit card. A typical credit card has a much better fraud protection policy than a debit card (might want to read the terms of service). Also, if your account is accessed illegally, with a credit card they have the credit card company's money (or actually, the store's money) while for a debit card they have drained real money from your personal checking account.

        Third, the merchant is not required to obey your stupid writing on the back. In fact, if they are doing their job they would require you to sign the card for real to make sure you have agreed to the terms of service. That is why it is perfectly reasonable for a clerk to ask you to sign a card that you present to them unsigned - because your signature is not for ID purposes.

        Lastly - most identity theft happens WITHOUT STEALING YOUR PHYSICAL CARD. Geez.

        Your cop and lawyer friends either don't like you, or perhaps have merely assumed the identity of lawyers and cops in order to get personal information out of you. You didn't show them your card, did you?
        • First: You seem to miss the part that I notified the Credit Union about it. Without going into details, they supported me.

          Second: The one time I had to deal with fraud, it was useful in pinpointing that all the fraudulent purchases were online.

          Third: As for terms, I go through a credit union, which is great on service and protection, and they have great terms for protecting members, so maybe credit cards help for many, but it doesn't make much of a difference in this case.

          Fourth: You bring up 2 points abou
          • Re:credit card info? (Score:3, Interesting)

            by FryGuy1013 (664126)
            Fourth: You bring up 2 points about the signature. You say, "the merchant is not required to obey your stupid writing on the back." Then, in the same paragraph (actually, the next sentence), you say, "In fact, if they are doing their job they would require you to sign the card for real to make sure you have agreed to the terms of service." Do you always go back and forth on everything like that? Yes, it is supposed to be signed, and my note requires them to check for ID, which is signed. I checked, and it c
        • http://www.straightdope.com/mailbag/mcredit.html [straightdope.com]

          Thanks for playing. You lose.
  • I think a lot has to do with knowing who to talk to; the problem of not having a SSN can also be solved via identity theft. At the school I'm getting my Master's from, you can call the financial aid office and get information on your account by using your name. I've always thought it was convenient, but I can certainly see how it's very dangerous.
  • by pvt_medic (715692) on Wednesday November 02, 2005 @12:42AM (#13929803)
    I remember watching a specail about identity theft, and basically the point of the special was that with just a name and address, they were able to gather basically everything about the person. So with enough dedication and the right resources, getting a SSN is possible. Which is why i have since moved to 123 fake street.
    • "123 fake street"

      Hey, I used to live there!
    • Of course just stealing a peek in someone's wallet or digging the info from their trash is pretty damn easy and wouldn't be likely to be detected if you were careful. Why steal someones cash or credit card, which they'll likely detect, when you can pick their pocket/purse or grab their wallet from their desk, pilfer it for information (digital cam would make it quick), and drop it back undetected.
    • To me the question isn't how easy is it to get an SSN, but rather how easy is it go get rid of an SSN wiout getting clobbered by the system. After all, if can't be abused if it isn't valid.

      I personally, would love nothing more than to dump my SSN. First, what am I gonna get out of it? social security! Ha what a laugh, anybody under 50 will probably witness a UFO sighting first. Second, I consider myself a honest and transparent person, but really, it's none of the states business where I invest my mon
  • Birth Certificate (Score:5, Informative)

    by JeanBaptiste (537955) on Wednesday November 02, 2005 @12:42AM (#13929807)
    If you had someones birth certificate you could then find out their SSN. As well as apply for a passport.

  • Aggregation Attack (Score:5, Informative)

    by camusflage (65105) on Wednesday November 02, 2005 @12:42AM (#13929809)
    It's called an aggregation attack. If you have all the pieces but the SSN, not only is it relatively trivial to obtain access to the SSN, but it's pretty much superceded by everything else.
  • Isn't the question more along the lines of "What CAN'T be done with a SSN?" Seriously - almost every financial transaction needs this number, which as far as I know wasn't ever supposed to be a national ID number. It seems like the overarching importance of a SSN is what makes identity theft so easy. There have been several times where I've not had all the security information when talking to a representative on the phone, but the fact that I knew my SSN trumped everything.
    • by axonal (732578)
      Seriously - almost every financial transaction needs this number

      I don't need an SSN to withdraw money from my ATM, or make a deposit. And it should be kept that way. Anything that has a frequent transaction rate (financial transactions, university logins, bank logins, etc) should never use anything involving a SSN. By increasing the frequency of transactions involving SSN, you remove the user's will to protect this number. It begins to become more of a hassle for them to use this number, thus they'
  • A corrolary .... (Score:3, Interesting)

    by gstoddart (321705) on Wednesday November 02, 2005 @12:44AM (#13929816) Homepage
    Why does every company still legally insist you provide that information? Isn't it illegal to ask if you're NOT a federal institution.

    I've worked for companies who game my SSN to my health-insurance company as my member ID. Why do they need it, and what the hell is it being used for as my member ID? Yes, with you SSN, people can do a lot of evil things. Handing it out willy-nilly (without asking you) is jut as bad.

    But why is it legal for an employer to just hand this out to third parties? I think the abuses of how people use SSNs stems from the fact that way too many companies ask for it, and way too many companies hand it out to their vendors without any real regulatory restraints.

    IMO, it should be illegal to pass out that information without my consent. But I've seen too many examples of my employer passing it on without asking me.

    • Nah. Long term, I think that SSNs should be considered public information. Somebody finding out your SSN should be about as harmful as somebody finding out your hair color.

      What should be illegal is using a person's SSN as an authentication mechanism. If it's considered public knowledge, then companies wouldn't be running around going, "Well, if you're really Bob Smith of Trenton, NJ then what... is.... yoursocialsecuritynumber????"
  • SSN (Score:5, Interesting)

    by PresidentEnder (849024) <wyvernender.gmail@com> on Wednesday November 02, 2005 @12:45AM (#13929822) Journal
    It's actually never legally allowed to require a social security number; "they" can request it, but not demand it, unless "they" are a government agency (and at least in MT, the DMV doesn't make you give them one for a driver's license). Most things are therefore doable without; in fact, on various forms, I give any of three different names (with or without my middle name, or with middle and first transposed) with my SSN. Nobody ever gets mad at me for it, even though my social security card only lists the "right" one.

    Incidentally, Richard Nixon's social security number is 567-68-0515; there are many cases where a given agency doesn't actually need your number, and it's perfectly appropriate to give them his instead. Have fun.

    • Re:SSN (Score:5, Insightful)

      by happynut (123278) on Wednesday November 02, 2005 @02:17AM (#13930172)
      It's actually never legally allowed to require a social security number; "they" can request it, but not demand it, unless "they" are a government agency
      This is somewhat true, but pretty misleading. Private companies cannot require a social security number, but they can make providing it a condition of doing business with you.

      For more info, see:

      http://www.faqs.org/faqs/privacy/ssn-faq/ [faqs.org]
      http://archive.cpsr.net/cpsr/privacy/ssn/SSN-Priva te.html [cpsr.net]

    • Re:SSN (Score:5, Interesting)

      by limekiller4 (451497) on Wednesday November 02, 2005 @04:55AM (#13930562) Homepage
      It drives me nuts when people spout off about something they know precisely nothing about because they overheard it in a conversation. Or, more likely, on Slashdot.

      I run a business myself. I don't collect SSNs but I could. Someone could tell me they wouldn't provide it and then I could tell them that I wouldn't do business with them.

      And it's 100% legal.

      Hell, I could demand their blood type under the same logic and result.

      Sure, it would be suicide for me as a business but for a bank? They don't need you, you need them.

      PLEASE. For the love of fuck, STOP MISINFORMING PEOPLE JUST SO YOU CAN HEAR YOURSELF TYPE.
    • by v1 (525388)
      My grandmother was paranoid about her SSN and its privacy. She did not give it out to anyone. Most people's drivers license numbers are their ssn too, but hers was a different number by her request.

      She spent about an hour at Sears one day, trying to apply for a Sears charge card. They requested her ssn, but she would not give it. After about an hour of them calling around to figure out what to do about it, she did get the charge card and did not have to give her ssn, but the drones at the counter had to
  • by tloh (451585) on Wednesday November 02, 2005 @12:46AM (#13929826)
    I hate to flip the question at hand on its head, but a friend of mine got himself into a potential landmine of a problem last week when he possibly *LOST* his SS ID card at the subway station. (We're all still praying for him to find it elsewhere, but the chances of that are pretty grim. Guess that'll teach him to start using a wallet like us normal people. But a better lesson would probably be to just not carry the damn thing around - how hard is it to memorize 9 digits anyway?) He said he didn't think a person's SSN could be changed. Any advice on what he should do or be prepared to deal with?
    • But a better lesson would probably be to just not carry the damn thing around - how hard is it to memorize 9 digits anyway?

      How many times does he actually have to recite his SSN? In the rare instance that he needs it (employer, government) can't he say "I'll get back to you, I don't have it on me"?

      My SIN (aka Canadian SSN) card lives at home in a drawer. Apart from tax time once a year, I haven't had to give the number out since I started my last job several years ago.

    • He needs to start by contacting the three big credit agencies and alert them to potential identity theft this will make opening a new CC or any new line of credit more difficult with only his SSN.

      Contact info:
      # Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
      # Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013
      # TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

      More info
    • When I ordered a new card the letter included with it specifically states not to carry it around in a wallet....it's not like you need to show it to someone every day so why take it with you everywhere
  • Let me tell you... (Score:5, Interesting)

    by soren42 (700305) * <`j' `at' `son-kay.com'> on Wednesday November 02, 2005 @12:47AM (#13929832) Homepage Journal
    I never thought I'd have an issue with identity theft, as a Vice President at a top 5 U.S. bank (in IT, of course). Two years ago, I was building a MythTV DVR PC, and wanted to get a good deal. I scoured the internet for the lowest prices on every individual component, and along the way, apparently ended up giving my Visa CheckCard number to the wrong person.

    Suffice to say, they did not need my SSN, or anything beyond what would normally be used to purchase items online. I found out when my card was denied at a store - the theif had emptied my primary checking account, and because I had overdraft protection, the attached savings account in one night. Nice thing was, the bank immediately reimbursed me for the fraudlent purchases, followed up with the police, and prosecuted. (Not simply because I am an employee, mind you - but I did get something most people in my situation don't, follow-up. Typically, the bank reimburses a customer and follows up with the authorities separately - without ever contacting the customer again unless required.)

    Now, I use a random card number service associated with my credit card to purchase anything on the internet. It may not be the worst form of identity theft, but it can be inconvient, expensive, and time-consuming to recover. I had to deal with bounced checks for bills, and set the fraud alert on my credit bureaus as a result of this. It's certainly worth using a temporary card service if your bank or credit card company offer it.

    Just my "It happened to me" tale, but it's one we hear over and over again these days.
    • What's a "random card number service"? Sounds like something a lot of us could use, but I've never heard of it. If the banks where I have credit cards (Wells Fargo and Bank of Montreal) have it, I'm not aware ofit.

      • Lots of credit cards offer disposable CC numbers. They work once for one purchase. Discover, Citicard, and American Express come to mind. Discover even has a craptacular app which fills out online forms for you.
      • by ericbg05 (808406) on Wednesday November 02, 2005 @01:51AM (#13930092)
        What's a "random card number service"?

        (Disclaimer: I am not a security expert. I am not a financial expert. I am not any kind of expert. Don't blame me if sh?t hits your fan.)

        Let's say you want to purchase something online with credit. But you don't want your credit card number floating around in various databases on the internet. And you don't like entering it multiple times into multiple websites; this increases the chances that someone will attack you successfully.

        So you go to your credit card's website (which you trust). You tell them you want to make an online purchase of no more than $500 (let's say), and you want to do it this month. They give you a fake credit card number X and tie it to your real credit account.

        When you go to pay for your item from company foo.com, you give them credit card number X. Now foo.com alerts your credit card company you've used X to make a purchase of (let's say) $400.

        The credit card company notes this transaction, and from now on, X can only be used to make purchases from foo.com. So if Mallory was sniffing your traffic and decides to make a porn site purchase two hours later, he will be unsuccessful. Or if the folks at foo.com try to cheat you and charge you twice for your $400 purchase, they too will be unsuccessful (because that would put X over the $500 limit you set).

        Also, after that one month time limit, the X itself expires so that even foo.com can't use it anymore.

        You can make a separate fake credit card number for every company you intend to buy something from online. If any one of them is sniffed, the damage is minimal. I know for a fact that CitiBank offers this service -- I'm sure plenty of others do as well.

        • by David Jao (2759) * <djao@dominia.org> on Wednesday November 02, 2005 @03:36AM (#13930395) Homepage
          There's another major advantage of one-time-use credit card numbers, one that often goes unappreciated by the customer using the number -- namely, if a one-time-use credit card number is compromised, you know exactly which retailer was responsible for the breach, because each retailer will have a different credit card number of yours on file.

          Not only does this information jump start a police investigation, but it also tells you which database was broken into and thus which set of customers to warn about possible impending credit card fraud.

    • apparently ended up giving my Visa CheckCard number to the wrong person.

      Wait, you're a VP at a bank, and you used a check card online? Not to question your intelligence, but that's not a very bright thing to do.

  • ask slashdot... (Score:2, Insightful)

    by know1 (854868)
    "So how exactly do I own if all i have are these few details from a romanian site?"

    Many scri^W^W^Wsecurity professionals await your responses
  • by katana (122232) on Wednesday November 02, 2005 @12:52AM (#13929859) Homepage
    "Attack submarine, designed to seek and destroy enemy submarines and surface ships. Their other missions range from intelligence collection and special forces delivery to anti-ship and strike warfare. It is a multi-mission vessel, capable of deploying to forward ocean areas to search out and destroy enemy submarines and surface ships and to fire missiles in support of other forces."

    Sounds pretty serious. If you have an SSN, you should definitely not let another person or country get hold of it. Frankly, I'm amazed that anyone in America can get an SSN, but that's liberty for you.
  • by microcars (708223) on Wednesday November 02, 2005 @12:53AM (#13929862) Homepage
    after years of signing up with different on-line thingies that insist on making me use a "secret" question and answer and won't let me leave it blank I now have a separate ID for on-line anonymous usage.

    Different Year/Month/Day Born
    Different town I was BORN in (yes that was one of the "secret" questions)
    Different Mother's Maiden Name (actually I have several of these and rotate them or combine them...)
    Different Town and ZipCode where I live
    A non-existant Favorite Pet
    Same Gender though....

    I did sign on to Classmates.com as one of the kids I hated.
    I started getting emails from all the girls that would never go out with me in High School!

    I couldn't reply though because it was the "free" version of Classmates.com, however, I took comfort knowing the guy I was impersonating could not sign up as himself as I had already taken that position!

    karma's a bitch ain't it?

    • Ohh damn, you lucky bastard! If I were you, I would be sending this e-mail to all of these chicks.

      "Remember the time you sucked my dick in back of the art building? Well everytime I think of that day, it makes me want to ram-rod. That's right! I want to joust you like a loose mule in heat. Common, let me slap dat ASS!!!

      PS. You have the face of a horse. At least it's good for a nice deep throat"

      Okay now. You have your marching orders soldier. You may CUT-N-PASTE at will!

  • I would say go to the post office and fill out a change of address form just before tax time. Fill it out for your target person, and drop it in the mail somewhere around Dec 31st. Have the forwarding address sent to you (or better yet a PO Box or something.

    A lot of companies send W2's in the mail I would imagine...and they will have your SSN on them. So now you have bak statements, SSN, credit card stuff, just about everything in some cases.

    This seems pretty easy when you think about it...which is why I
  • by Crash Gordon (233006) on Wednesday November 02, 2005 @12:55AM (#13929871)
    I've been helping a relative with Alzheimer's, and I've been able to do pretty much anything I wanted, aside from dealing with actual money.

    Telephone service is particularly easy to mess with; I just called repairs and ordered service changes and no attempt was ever made to check on me. I was able to add and delete services, change phone numbers and billing addresses, etc. I didn't even have be at the service location to order any changes.

    For utility accounts, all the info I've ever needed was on the bills. Again, I was able to change services, update billing records, etc. all without any difficulty. It's been very convenient for me to be able to set things up without having to muck around with Powers of Attorney and so on, but it gives me the shivers to realize what must be possible to one "skilled in the arts".

    Once you have utility bills with your address on them you can establish a residence and a lot of stuff follows from that. For instance, I could easily get a library card and enroll my kids in school in the town where this relative lives.

    With a little bit of creativity I could probably do stuff with money, too. I guess it's a good thing I'm honest, huh?
    • One elderly woman compatriot plus a smooth talking scam artist can social engineer their way past any telephone droid known to man. I know, as a former telephone droid (somebody fell for this hook line and sucker at my place of employment, and I swear if I heard the script today I would fall for it, too). Here's how it works: you get a list of easily publicly available information like, say, names and addresses from a source of your choice -- maybe buy a direct mail list, maybe use a public directory, wha
  • by Pantero Blanco (792776) on Wednesday November 02, 2005 @12:59AM (#13929884)
    Considering that acquiring the SSNs of large groups of people is as easy as getting a desk job in certain businesses or educational institutions, I'd say getting an SSN is probably the EASY part of identity theft. How much can be done without having one would seem to be a moot point.
  • Define Dangerous (Score:3, Interesting)

    by fortunate_monk (921451) on Wednesday November 02, 2005 @01:04AM (#13929905)
    I suppose it all depends on what you consider to be potentially damaging information. You may not be able to run up my credit card if you possess my account number with my cellphone company but you will have access to information I consider private. Imagine, for example, an employer suspecting you of having contact with a rival company. It would be possible, with information other than your SSN, to obtain copies of your call records. I would consider this a breach of privacy and potentially damaging.
    I expect (though I don't always trust) any company I give my personal information to keep that information private no matter what that company perceives the potential damage of that information to be. The bad guys are often more inovative than the good guys and who knows what they can do with any given piece of data?
  • Missing the point (Score:2, Insightful)

    by caller9 (764851)
    You guys know this SSN thing was dictated by db schema developers. What's a good primary key...hmmmm...SSN! yeah that'll do. Hey that could also be a good default password. Yeah or login name! This is great as long as every other financial or educational institution doesn't pick up our idea.

    SSN isn't the problem. Anytime you have a national universal "user id come password" you're asking for it. Inside a state DL#s are probably somewhat a commodity in dark hat circles. Though not as usefull in financial sit
  • When you open a bank account do they check that your SSN matches your name?

    I often give a fake SSN especially when I think the organization asking for it shouldn't, like when I get cell phone service for example.
  • by Sfing_ter (99478) on Wednesday November 02, 2005 @01:07AM (#13929915) Homepage Journal
    A little old lady had moved a year earlier, and a credit card co. sent her "checks" to use against her credit card... to the old address. So, whoever moved in there (or whoever stole the mail) was using the checks before they expired for things that were nondescript. Wrote the checks to pay some bills and buy some things, local address sure come on in no id required.Yes it is that easy and that simple. However, if you have all the pieces it gets much worse.

    I'm waiting for RIDS - Retinal Identification System, gonna use my glass eye, eh Sammy?
  • Just curious as to what you can do with a SSN and no other information. I suppose you can try to find the rest of the information of the person that the SSN belongs to... but isn't it weird that so much of our identity relies on a single number?
  • It's the concept... (Score:4, Interesting)

    by mrBoB (63135) on Wednesday November 02, 2005 @01:11AM (#13929937)
    I don't know about anyone else, however I view information such as you've listed as being privileged. Said information may not be so described legally as being privileged or confidential, but that's just how I feel about them. SSN is the most critical of course, but you said discount it. Account numbers, mailing address, Names, birthdates, familial relations and phone numbers could all be gleaned by some amount of investigation by a person or persons so inclined at getting it; it'd be a lot of work, but it could be done. You then have a picture of "me," who I am, what I do, why I do, etc. You might be able to do something with this, like call up Dominoes and order a pizza, or get online and buy a book from Amazon. If you call the right guy at 1st National Bank of Bumfuck, you might just be able to break into my account and steal my money; how much is that guy getting paid to look out for my interests?

          All this being said, if a company doesn't do what I consider adequate protection of my information, I don't want to do business with them. It's not that a malicious user couldn't get it any other way; I just don't want to make it any easier for them to get to me. Let them go hog-heaven on the blue-hairs that don't know any better.

          And I haven't even talked about your real question. What could one do with a "lowly" account number? Well you tell me. Let's say that's all Joey Malicious has on me. Has he hacked in to your network? Does he have access to your applications and know how to use them? Do you KNOW he hasn't? All I know is that when I call the credit card company, they want the account number and SSN. Are they typing it in with me and can't proceed without me, or are they verifying my answers against what they see on the screen?

          What if Joe Malicious works for your company? I'd say you, as a member in the financial industry, are in a much better place to answer this question. YOU need to tell ME that my fears are unfounded, that technically Jane Helper can't review my account info and do a transfer without my account number AND SSN AND mothers maiden name AND first-born sons' DNA because she has to enter it into the system as well. Of course, most financial institutions don't disclose their security practices (or lack thereof) for obvious reasons. None of us outside your "closed-source" way of operating can truly trust the process. All we know is that the threat is real, and we have little control of the problem.
    • What I feel (Score:3, Insightful)

      by Sycraft-fu (314770)
      Is we need to stop treating SSNs like proof of identity. Just because you know my name, doesn't prove you are me, neither should knowing my SSN. I mean what is it, after all? It's an identifier. The problem we face is that there is no gaurentee of uniqueness in names. If you are John Paul Smith, I'd be willing to bet you can find another person in the same city with that precise name, never mind the whole US.

      So, we need something more to allow us to uniquely identify a person for various things. It is impor
      • Re:What I feel (Score:5, Insightful)

        by Eivind (15695) <eivindorama@gmail.com> on Wednesday November 02, 2005 @04:38AM (#13930525) Homepage
        Just because you know my name, doesn't prove you are me, neither should knowing my SSN

        Bingo.

        It's two different problems really. One is: How do you get a unique handle on a person ? As you say, name won't work, there's more than one "John Smith", adding in physical adress leads to duplication, because people move, so "John Smith, Bourbon Street" can very well be the same person as "John Smith, Pennsylvania Avenue".

        Adding birthdate helps, but is still no guarantee, there could be two John Smiths both born on say 9.9.1979

        For this problem the SSN is a decent solution. If we're talking of the person with SSN XXXXXXXX it's pretty likely we're talking of the same person, assuming every person has exactly one SSN (which ain't true, but it's atleast sorta close)

        However SSN is a *lousy* way of verifying identity. Knowing it is no evidence at all that you are the person to which the number belongs.

        Over the course of a life you hand out your SSN to several dozens or even several hundred different entities, you don't want all of those to later be able to pretend to be you. (or someone breaking into the computer of one of those)

  • by aaza (635147) on Wednesday November 02, 2005 @01:12AM (#13929944)
    ...but I feel like giving a different perspective.

    In Australia, the closest equivalent we have is the TFN (Tax File Number). The only people that end up with it are:

    • The Australian Tax Office
    • Your current employer(s)
    • Any bank (credit union, building society etc) that pays interest
    • Possibly private health insurance (due to tax breaks for those that have it) - note: private health is voluntary here

    As far as I can tell, it is NOT an offence to refuse to give it to any of these groups. That includes the Tax Office themselves. There are consequences of not quoting it, however. Namely, all tax payable is taken out at the maximum tax rate. To not give it to the ATO means that your tax return can be delayed while they search for you by name and DOB.

    Also, it's pretty crap as ID for banks, because all they get is a small note on the screen of your account details that says "TFN received" or similar. This makes much more sense, IMHO.

  • Every piece of data is another tool to be used in social engineering attacks. The problem is that when they have enough info about you, they can often convince you (or others, such as employees at your bank or doctor's office) that it is okay to give them the SSN as well.

    This is why it is important to try to teach people to treat requests for sensitive info (SSN or other) with deep suspicion. Doing this is as hard as trying to teach non-computer literate people about good browsing habits, for I think s
  • SSN is, of course, the hot button piece of ID. The really dumb part is that your SSN is your password for a number of transactions. Unchangeable and nearly public, of course.

    Unfortunately the other pieces of information can act as pseudo "passwords" as well. For example, if you know someone's name, account, and address, you can intercept PINs from the mailbox (though it's a felony), and have at their bank account. For most medical offices, as long as you can rattle off a name and birthdate, they'll c
  • A good con (Score:5, Interesting)

    by erikharrison (633719) on Wednesday November 02, 2005 @01:34AM (#13930019)
    All you need is one piece of information if you are a good con man.

    In other words, the SSN may in fact be critical to most realy disastrous identity thefts, but a smart thief can get the SSN based on very little prior information.

    For example, you can get a official copy of a birth certificate with a wink and a smile. With that you can register for classes at the local community college. A student ID with your birth certificate is enough to get your Social Security card, even if you don't know the number. Student ID can also qualify as proof of residence in an area, which combined with the aforementioned social security card and birth certificate is enough to get a state ID or drivers license.

    Badda boom, you have a complete identity, including paper trail, without anything more complicated than forging a signature
  • by kabloom (755503) on Wednesday November 02, 2005 @01:41AM (#13930051) Homepage
    From my ideas [iit.edu] page.

    A private-key credit/debit card.

    Prevent identity theft (if you can keep your hands on your card) by using challenge-response authentication. The POS terminal sends your card a challenge, the card encrypts the challenge and sends it back, and the POS terminal checks it using your card's public key (which it fetches from the credit card company). Bonus points: put a key pad on the card, so that your key is protected with a password, and you know your password isn't going into random hostile machines.
  • Non-Randomness (Score:5, Interesting)

    by ZachPruckowski (918562) <zachary.pruckowski@gmail.com> on Wednesday November 02, 2005 @01:45AM (#13930068)
    Since Social Security numbers are non-random, could they be sourced? The first 3 digits are where you were born geographically, and if you knew the year, you could narrow it down to a few thousand possibilities, right? then use death records or something to narrow that further?

    I don't know what impact this has on the discussion, but it seemed important to consider.
  • First, credit card fraud or theft is not the same thing as identity theft, (even though the credit card banks have tried to spin it that way.)

    True identity theft is when somebody opens new accounts using your identity, obtained using surreptitious means.

    Now having said that, isn't the fault really with the credit issuers for making it too simple for credit to be obtained fraudulently? Why should it fall back on the poor, unsuspecting consumer, when the credit issuers are really to blame?

  • One thing that bothers me is that a person's credit report is tied to their SSN. So if you want to look up your credit report, apply for credit, or do anything signficant financially, your SSN is required. And then there's some new provision to the Patriot Act, according to financial institutions, that they like to use as an excuse to require a person's SSN. Is this legitimate? I know that there was a law in 76 or 80 that mandated that a consumer was under no obligation to ever give out his SSN to compa
  • What can be done? (Score:3, Interesting)

    by Todd Knarr (15451) on Wednesday November 02, 2005 @02:04AM (#13930131) Homepage

    Well, for total identity theft you probably need the SSN. However, a lot can be done without the SSN. Given someone's name, address and birthdate you can get a forged driver's license that'll fool most clerks. If you also have their driver's license number, it'll fool most electronic checking systems as well. Know their checking account number and that gives you enough to write checks in their name. Know their credit-card number and expiration date and you've got enough to run most credit-card transactions. Just knowing the name and checking account number gives you enough to submit an electronic check against their account (you'll have to move fast to get the money out of your account and disappear before they notice the discrepancy, but if you've got that forged driver's license you can probably open a throwaway account easily enough).

    Looking at it, a name and date and place of birth seems to be enough in most cases to get an official, certified birth certificate for that person sent to you. Just make sure to pay by money order, not credit card. A birth certificate's a stepping-stone to a lot of... interesting things.

  • How To Steal ID (Score:3, Informative)

    by Grail (18233) on Wednesday November 02, 2005 @02:05AM (#13930136) Journal
    1) Walk into registrar of Births/Deaths/Marriages
    2) Claims to be Joe Bloggs, citing correct date and place of birth
    3) Walk out with birth certificate for Joe Bloggs
    4) Get driver's licence in name of Joe Bloggs
    5) Get bank account in name of Joe Bloggs
    6) Engage in fraud as Joe Bloggs, getting hold of $500k worth of stuff on 7-day invoices
    8) Ditch all identifying material, returning to your old identity
    9) Watch in the news some weeks later about some poor sucker called Joe Bloggs who is up on counts of fraud totalling $1M odd.
  • Getting acct info (Score:3, Informative)

    by vinn (4370) on Wednesday November 02, 2005 @02:35AM (#13930225) Homepage Journal
    Well, one thing that comes to mind are two different major telco's I deal with. I have a great working relationship with both of the companies. (I'll give you a hint, one starts with a "V" and the other with a "Q".) I've done things with both of these companies you should never be able to get away with. I'm not doing it illegally - I could get permission from the folks who actually want the work done. However, neither of these carriers asks for enough identifying information to be useful. We have backchannel phone numbers into God-Knows-Who call centers. If we need a line to be moved, we just provide addresses and phone numbers. Once in a while we'll get hassled a bit, but it's just a matter of giving a line of BS to get past them.

    In the event we need something strange done, we have reps we work with. If we asked for some info on the account, such as a SSN, I wouldn't be surprised if the reps would quietly provide it.

    So, don't give your SSN to utilities folks. Your electric company doesn't need it.
  • by shoma-san (739914) on Wednesday November 02, 2005 @03:36AM (#13930398)
    I had my identity stolen without the use of my SSN and it took me several years to clear my name. In short, a small, scrawy, red-headed meth-head tweaker got a drivers license issued by the state in my name. I was lucky enough to have a detective on the other side of the state alert me a day before a warrant was to be issued in my name.

    So in a six month period this idiot was able to get my license suspended in three counties, multiple traffic violations, driving without insurance infractions, driving a stolen vehicle, and countless drug dealing and drug possession charges.

    Can someone do damage without your SSN? F$CKiN A! I spend countless hours appearing in front of Judges, DA's, Court Clerks, Law Enforcement Officers, and lawyers and regardless of how much evidence I had, I was regarded with contempt and suspicion until someone could verify I wasn't lying and pardon me.

    In the end they caught the son of a bitch and he did 18 months for the Identity Theft charges (He's still in pound me in the ass state prison due to all the other charges in his name and my name). The interesting point is that I had to argue in front of a judge that it would be pointless to keep a drug charge on my record that I didn't commit just so that they could track the crime back to me from his record. By the way, they dropped the drug charges because he pled guilty to ID theft (that's how I got the last stain on my record removed). Government...

    The time I lost in wages (I was a contractor at the time) and the hell he put me through trying to clear my name which isn't easy when people look at their computer screens and think your a drug dealin dope fiend is enough for me to hope he's still being anal raped by some large man named Bubba. So you ask the question can someone cause damage without your SSN? They could send you to prison if you don't find out in time and clear your name. All they need is a few corrupt government employees and your first and last name.
    • by anomaly (15035)
      I don't mean to minimize the life experience you describe, and there is absolutely no justification for the actions of the drugged idiot who screwed up your ID, but I have to ask this:

      Analytically, can you really make an equivalence between the hours of your life that were 'stolen' from you, the angst, frustration, and contempt that you felt, and having someone anally rape the perpetrator?

      You are justifiably angry with the person who selfishly stole your identity so that he could live without consequences,
    • ... enough for me to hope he's still being anal raped by some large man named Bubba.

      Dude. Regardless of him getting caught, its pretty clear that you were and are much better off, even considering what he did "to you". Even though (I'm assuming here) he didn't know you or do it intentionally to you.

      Nobody deserves to be raped. To me its the most degrading thing you can do to a person. The only thing I can think of thats in the same ballpark or worse is torture over time. Rape is not a sexual thing, its
  • by Dark Coder (66759) on Wednesday November 02, 2005 @04:41AM (#13930537)
    The best conceptual system to replace SSN is the three-public key system.

    1. Initiator (consumer) public key
    2. Receiver (merchant) public key
    3. Arbitrator (government) public key

    Each and every entity above can revoke the key at any time.

    Merchant can revoke a transaction or deny a consumer (due to poor credit). Consumer can revoke identity if stolen with assurance it won't be used again ever. Arbitrator can authenticate/reject for both parties.

    Zero identity theft.

    This would require a smartcard that generates rotating public key protected by a PIN/fingerprint (I'm not big on biometric, but consumer ease of use is the key here).

    Significant technical hurdles remains with regard to "WHOM" process the public-private key verification as it takes CPU-time. Perhaps the smartcard has advanced enough to the point where it can sign the keys.

"The eleventh commandment was `Thou Shalt Compute' or `Thou Shalt Not Compute' -- I forget which." -- Epigrams in Programming, ACM SIGPLAN Sept. 1982

Working...