Identity Theft-What Can Really be Done w/o a SSN? 533
TheItalianGuy asks: "Many of us that work in the financial sector are bombarded with daily security threats. One of the biggest these days is Identity Theft. My fellow comrades and I have been really grilling each other on differing scenarios on what could be done with what information. However, it all seems to come back the the Social Security Number. Financial companies have other controls in place (customer service verification checking, account passwords, etc) to ensure identification. But in order to be of any use, a bad guy would really need someone's SSN. Absent of that, other information would be useless. Right? That's what I would like to ask Slashdot folks. What could be realistically done with customer information without a SSN? Account numbers, address, maybe a phone or payment amount. Is that really dangerous to the customer if only those get compromised?"
Birth Certificate (Score:5, Informative)
Aggregation Attack (Score:5, Informative)
Re:a more pressing question..... (Score:3, Informative)
Contact info:
# Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
# Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013
# TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
More information about what to do is at the FTC's website
http://www.ftc.gov/bcp/conline/pubs/credit/idthef
Please check out the section titled: "IDENTITY THEFT VICTIMS: IMMEDIATE STEPS". Tell him not to wait on this
Re:Aggregation Attack (Score:3, Informative)
Why are you charging $17 for this [microsoft.com] link?
Re:Considering... (Score:5, Informative)
Re:I would love to help with this experiment (Score:2, Informative)
Huh? You don't think the credit card company is going to issue /mass/ chargebacks /after/ reconciliation to a single merchant account and not go after them tooth and nail for obtaining financial advantage by deception?
Re:Let me tell you... (Score:5, Informative)
(Disclaimer: I am not a security expert. I am not a financial expert. I am not any kind of expert. Don't blame me if sh?t hits your fan.)
Let's say you want to purchase something online with credit. But you don't want your credit card number floating around in various databases on the internet. And you don't like entering it multiple times into multiple websites; this increases the chances that someone will attack you successfully.
So you go to your credit card's website (which you trust). You tell them you want to make an online purchase of no more than $500 (let's say), and you want to do it this month. They give you a fake credit card number X and tie it to your real credit account.
When you go to pay for your item from company foo.com, you give them credit card number X. Now foo.com alerts your credit card company you've used X to make a purchase of (let's say) $400.
The credit card company notes this transaction, and from now on, X can only be used to make purchases from foo.com. So if Mallory was sniffing your traffic and decides to make a porn site purchase two hours later, he will be unsuccessful. Or if the folks at foo.com try to cheat you and charge you twice for your $400 purchase, they too will be unsuccessful (because that would put X over the $500 limit you set).
Also, after that one month time limit, the X itself expires so that even foo.com can't use it anymore.
You can make a separate fake credit card number for every company you intend to buy something from online. If any one of them is sniffed, the damage is minimal. I know for a fact that CitiBank offers this service -- I'm sure plenty of others do as well.
How To Steal ID (Score:3, Informative)
2) Claims to be Joe Bloggs, citing correct date and place of birth
3) Walk out with birth certificate for Joe Bloggs
4) Get driver's licence in name of Joe Bloggs
5) Get bank account in name of Joe Bloggs
6) Engage in fraud as Joe Bloggs, getting hold of $500k worth of stuff on 7-day invoices
8) Ditch all identifying material, returning to your old identity
9) Watch in the news some weeks later about some poor sucker called Joe Bloggs who is up on counts of fraud totalling $1M odd.
Re:credit card info? (Score:4, Informative)
First, contrary to popular belief, the sig on the back of the card is not there for identification purposes, but rather to indicate that you accept the terms of your cardholder agreement. If you do not sign the card, you cannot legally use it. Period.
Second, if you want to protect yourself, you are much better using a credit card than a debit card. A typical credit card has a much better fraud protection policy than a debit card (might want to read the terms of service). Also, if your account is accessed illegally, with a credit card they have the credit card company's money (or actually, the store's money) while for a debit card they have drained real money from your personal checking account.
Third, the merchant is not required to obey your stupid writing on the back. In fact, if they are doing their job they would require you to sign the card for real to make sure you have agreed to the terms of service. That is why it is perfectly reasonable for a clerk to ask you to sign a card that you present to them unsigned - because your signature is not for ID purposes.
Lastly - most identity theft happens WITHOUT STEALING YOUR PHYSICAL CARD. Geez.
Your cop and lawyer friends either don't like you, or perhaps have merely assumed the identity of lawyers and cops in order to get personal information out of you. You didn't show them your card, did you?
Re:Mine is... (Score:5, Informative)
Re:credit card info? (Score:2, Informative)
Getting acct info (Score:3, Informative)
In the event we need something strange done, we have reps we work with. If we asked for some info on the account, such as a SSN, I wouldn't be surprised if the reps would quietly provide it.
So, don't give your SSN to utilities folks. Your electric company doesn't need it.
Re:Let me tell you... (Score:2, Informative)
Re:Missing the point (Score:2, Informative)
Somebody who works for the SSA also once told me that the SSA wants to take legal ownership of all SSNs so that IIRC it would be a crime for a non-governmental entity to require the number for any reason or something along those lines.
(For those who don't know or are dense: SSA == Social Security Administration, SSN == Social Security Number)
random card number services (Score:5, Informative)
Not only does this information jump start a police investigation, but it also tells you which database was broken into and thus which set of customers to warn about possible impending credit card fraud.
Having Your Identity Stolen Sucks (Score:5, Informative)
So in a six month period this idiot was able to get my license suspended in three counties, multiple traffic violations, driving without insurance infractions, driving a stolen vehicle, and countless drug dealing and drug possession charges.
Can someone do damage without your SSN? F$CKiN A! I spend countless hours appearing in front of Judges, DA's, Court Clerks, Law Enforcement Officers, and lawyers and regardless of how much evidence I had, I was regarded with contempt and suspicion until someone could verify I wasn't lying and pardon me.
In the end they caught the son of a bitch and he did 18 months for the Identity Theft charges (He's still in pound me in the ass state prison due to all the other charges in his name and my name). The interesting point is that I had to argue in front of a judge that it would be pointless to keep a drug charge on my record that I didn't commit just so that they could track the crime back to me from his record. By the way, they dropped the drug charges because he pled guilty to ID theft (that's how I got the last stain on my record removed). Government...
The time I lost in wages (I was a contractor at the time) and the hell he put me through trying to clear my name which isn't easy when people look at their computer screens and think your a drug dealin dope fiend is enough for me to hope he's still being anal raped by some large man named Bubba. So you ask the question can someone cause damage without your SSN? They could send you to prison if you don't find out in time and clear your name. All they need is a few corrupt government employees and your first and last name.
The Straight Dope Disagrees with you (Score:3, Informative)
Thanks for playing. You lose.
Re:Just having their bills is enough (Score:3, Informative)
Next time/place you call up you can use the bit of information you gleaned as sort of a privilege escalation attack. i.e. Ethel has her account number written on the paper in front of her but... birthday? Jimmy was born on January 18th, 1974 -- it was the happiest day of her life, save marrying Harold on the 13th of November. But birthday. When was it? I should know my own birthday, but we never really had a party. I lived for the children. Oh, I'm getting old. Just another shriveled old prune who can't remember her own birthday? *sniff* Dearie, you won't tell anyone about this? I wouldn't want Jimmy to worry about me. I'm sure it will come back to me, let me call you back when it does... oh, you can look it up for me? You're so sweet.
Re:Non-Randomness (Score:1, Informative)
The 2nd set of numbers are sequential with a twist. (Odds, then evens, and something to do with 10.) In general, this is *when* you applied for the card.
The last set of numbers is sequential, unless you got your card when the numbers were assigned to a local area.
Re:Birth Certificate (Score:4, Informative)
Heh
B
Re:The Straight Dope Disagrees with you (Score:2, Informative)
Here, read it from the horse's mouth.
http://www.usa.visa.com/business/accepting_visa/o
About three paragraphs from the bottom, it says:
Now, I'm not going to claim that ALL stores WILL do this. Just that VISA is not obligated to honor a request for payment made with a card that is not signed, and the merchant might not be willing to take the risk.
Re:credit card info? (Score:3, Informative)
From http://usa.visa.com/download/business/accepting_v
That doesn't say you must seize the card if it's presented unsigned or signed "ask for id", but it does say to not accept it. Further, it even says merchants are disallowed from asking for ID...huh. I guess I'll sign my damned card now.
Re:SSN (Score:2, Informative)
Re:Not Valid. (Score:2, Informative)
In addition to the late fees and interest charged to the customer as the previous poster mentioned, the CC companies aren't held liable for any of the fraudulent purchases made with a card. It's an absolute racket. When a fraudulent transaction is disputed, the CC company just pulls the money back out of the merchant's account, and usually charges an additional $10-25 chargeback fee just to add insult to injury. So the CC companies have no incentive to limit fraud since it doesn't hurt them.
Of course, I'm speaking from the position of a merchant so I'm biased that way.
Re:Not Valid. (Score:3, Informative)
Get a Citibank Dividend Platinum Select, pay off the balance every month, and after a few months (depending on the credit limit and the charges run through them), receive a $50 rebate check that can be then used to buy other stuff on the same card (true, it's to the 1% rebate tune of a whopping $0.50, or $2.50 at 5% if in a grocery store or gas station, but it's still better than nothing).