Identity Theft-What Can Really be Done w/o a SSN?

TheItalianGuy asks: "Many of us that work in the financial sector are bombarded with daily security threats. One of the biggest these days is Identity Theft. My fellow comrades and I have been really grilling each other on differing scenarios on what could be done with what information. However, it all seems to come back the the Social Security Number. Financial companies have other controls in place (customer service verification checking, account passwords, etc) to ensure identification. But in order to be of any use, a bad guy would really need someone's SSN. Absent of that, other information would be useless. Right? That's what I would like to ask Slashdot folks. What could be realistically done with customer information without a SSN? Account numbers, address, maybe a phone or payment amount. Is that really dangerous to the customer if only those get compromised?"

Birth Certificate

[JeanBaptiste]

If you had someones birth certificate you could then find out their SSN. As well as apply for a passport.

Aggregation Attack

[camusflage]

It's called an aggregation attack. If you have all the pieces but the SSN, not only is it relatively trivial to obtain access to the SSN, but it's pretty much superceded by everything else.

Re:a more pressing question.....

[Unleashd]

He needs to start by contacting the three big credit agencies and alert them to potential identity theft this will make opening a new CC or any new line of credit more difficult with only his SSN.

Contact info:
# Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
# Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013
# TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

More information about what to do is at the FTC's website
http://www.ftc.gov/bcp/conline/pubs/credit/idtheft mini.htm [ftc.gov]

Please check out the section titled: "IDENTITY THEFT VICTIMS: IMMEDIATE STEPS". Tell him not to wait on this ... get on it immediately because the theives will as well.

Re:Aggregation Attack

[TrappedByMyself]

Want to save thousands of dollars on MSDN? [macrocosmictech.com]

Why are you charging $17 for this [microsoft.com] link?

Re:Considering...

[l3prador]

I'm pretty sure the grandparent post meant that the SSN is used as a Personal Identification Number, in that services require you to give them the last four digits of your SSN in order to verify that you are who you say you are (which is what a PIN does), and for that purpose it is a poor form of personal identification. I don't think that GP meant it's a bad idea to use your SSN as a PIN number... that's pretty much a given (I hope).

Re:I would love to help with this experiment

[Achromatic1978]

The credit card companies will give you your money back, but they still loose money that way and the theif gets away with thousands if not millions of dollars.

Huh? You don't think the credit card company is going to issue /mass/ chargebacks /after/ reconciliation to a single merchant account and not go after them tooth and nail for obtaining financial advantage by deception?

Re:Let me tell you...

[ericbg05]

What's a "random card number service"?

(Disclaimer: I am not a security expert. I am not a financial expert. I am not any kind of expert. Don't blame me if sh?t hits your fan.)

Let's say you want to purchase something online with credit. But you don't want your credit card number floating around in various databases on the internet. And you don't like entering it multiple times into multiple websites; this increases the chances that someone will attack you successfully.

So you go to your credit card's website (which you trust). You tell them you want to make an online purchase of no more than $500 (let's say), and you want to do it this month. They give you a fake credit card number X and tie it to your real credit account.

When you go to pay for your item from company foo.com, you give them credit card number X. Now foo.com alerts your credit card company you've used X to make a purchase of (let's say) $400.

The credit card company notes this transaction, and from now on, X can only be used to make purchases from foo.com. So if Mallory was sniffing your traffic and decides to make a porn site purchase two hours later, he will be unsuccessful. Or if the folks at foo.com try to cheat you and charge you twice for your $400 purchase, they too will be unsuccessful (because that would put X over the $500 limit you set).

Also, after that one month time limit, the X itself expires so that even foo.com can't use it anymore.

You can make a separate fake credit card number for every company you intend to buy something from online. If any one of them is sniffed, the damage is minimal. I know for a fact that CitiBank offers this service -- I'm sure plenty of others do as well.

How To Steal ID

[Grail]

1) Walk into registrar of Births/Deaths/Marriages
2) Claims to be Joe Bloggs, citing correct date and place of birth
3) Walk out with birth certificate for Joe Bloggs
4) Get driver's licence in name of Joe Bloggs
5) Get bank account in name of Joe Bloggs
6) Engage in fraud as Joe Bloggs, getting hold of $500k worth of stuff on 7-day invoices
8) Ditch all identifying material, returning to your old identity
9) Watch in the news some weeks later about some poor sucker called Joe Bloggs who is up on counts of fraud totalling $1M odd.

Re:credit card info?

[davevr]

Did you hear this on daytime talk radio or something? This is stupid for several reasons:

First, contrary to popular belief, the sig on the back of the card is not there for identification purposes, but rather to indicate that you accept the terms of your cardholder agreement. If you do not sign the card, you cannot legally use it. Period.

Second, if you want to protect yourself, you are much better using a credit card than a debit card. A typical credit card has a much better fraud protection policy than a debit card (might want to read the terms of service). Also, if your account is accessed illegally, with a credit card they have the credit card company's money (or actually, the store's money) while for a debit card they have drained real money from your personal checking account.

Third, the merchant is not required to obey your stupid writing on the back. In fact, if they are doing their job they would require you to sign the card for real to make sure you have agreed to the terms of service. That is why it is perfectly reasonable for a clerk to ask you to sign a card that you present to them unsigned - because your signature is not for ID purposes.

Lastly - most identity theft happens WITHOUT STEALING YOUR PHYSICAL CARD. Geez.

Your cop and lawyer friends either don't like you, or perhaps have merely assumed the identity of lawyers and cops in order to get personal information out of you. You didn't show them your card, did you?

Re:Mine is...

[Ksisanth]

The first three numbers refer to the area. There was a 001-01-0001, although it wasn't the "first issued". Read all about it: First SSN & Lowest Number [ssa.gov].

Re:credit card info?

[uspsguy]

If you try to use such a card at my company (just a little one - the Post Office) you will be refused because it is not considered a valid card. That policy is posted at most of our counters.

Getting acct info

[vinn]

Well, one thing that comes to mind are two different major telco's I deal with. I have a great working relationship with both of the companies. (I'll give you a hint, one starts with a "V" and the other with a "Q".) I've done things with both of these companies you should never be able to get away with. I'm not doing it illegally - I could get permission from the folks who actually want the work done. However, neither of these carriers asks for enough identifying information to be useful. We have backchannel phone numbers into God-Knows-Who call centers. If we need a line to be moved, we just provide addresses and phone numbers. Once in a while we'll get hassled a bit, but it's just a matter of giving a line of BS to get past them.

In the event we need something strange done, we have reps we work with. If we asked for some info on the account, such as a SSN, I wouldn't be surprised if the reps would quietly provide it.

So, don't give your SSN to utilities folks. Your electric company doesn't need it.

Re:Let me tell you...

[Anonymous Coward]

If the debit card you use has a Visa or MasterCard logo, it means your bank must give you all of the fraud protections you would get with any Visa or MasterCard credit card. There are some banks running TV ads about how you should use their card because they don't hold you liable for fraud and how quickly they reimburse you. However, by law they cannot hold you liable for more than $50 in fraudulent purchases anyway, and the Visa/MasterCard association rules probably dictate how quickly they must remove the charges from your account, so the protections should be about the same with any bank issuing a Visa/MasterCard debit card. If it is just the bank's debit card (without a credit card logo), the policies may differ somewhat, but the legal liability limit is probably the same.

Re:Missing the point

[Jack Schitt]

I read about this a while back. The SSA does not recycle old (i.e. DEAD) SSNs. The SSA is actually in the process of updating the system IIRC for a 14 digit system versus the out dated 9 digit system which only allows for 999,999,999 numbers. The SSA also refuses to assign any number that contains 666 as well as a few others so the actual number of possible SSNs is less than 999,999,999. Additionally, in certain circumstances, people can request that their number be changed. If this is done, the SSA's record for the new number points to the old number/record. Therefore certain people may have more than one SSN, but must use the newer SSN for taxation purposes.

Somebody who works for the SSA also once told me that the SSA wants to take legal ownership of all SSNs so that IIRC it would be a crime for a non-governmental entity to require the number for any reason or something along those lines.

(For those who don't know or are dense: SSA == Social Security Administration, SSN == Social Security Number)

random card number services

[David Jao]

There's another major advantage of one-time-use credit card numbers, one that often goes unappreciated by the customer using the number -- namely, if a one-time-use credit card number is compromised, you know exactly which retailer was responsible for the breach, because each retailer will have a different credit card number of yours on file.

Not only does this information jump start a police investigation, but it also tells you which database was broken into and thus which set of customers to warn about possible impending credit card fraud.

Having Your Identity Stolen Sucks

[shoma-san]

I had my identity stolen without the use of my SSN and it took me several years to clear my name. In short, a small, scrawy, red-headed meth-head tweaker got a drivers license issued by the state in my name. I was lucky enough to have a detective on the other side of the state alert me a day before a warrant was to be issued in my name.

So in a six month period this idiot was able to get my license suspended in three counties, multiple traffic violations, driving without insurance infractions, driving a stolen vehicle, and countless drug dealing and drug possession charges.

Can someone do damage without your SSN? F$CKiN A! I spend countless hours appearing in front of Judges, DA's, Court Clerks, Law Enforcement Officers, and lawyers and regardless of how much evidence I had, I was regarded with contempt and suspicion until someone could verify I wasn't lying and pardon me.

In the end they caught the son of a bitch and he did 18 months for the Identity Theft charges (He's still in pound me in the ass state prison due to all the other charges in his name and my name). The interesting point is that I had to argue in front of a judge that it would be pointless to keep a drug charge on my record that I didn't commit just so that they could track the crime back to me from his record. By the way, they dropped the drug charges because he pled guilty to ID theft (that's how I got the last stain on my record removed). Government...

The time I lost in wages (I was a contractor at the time) and the hell he put me through trying to clear my name which isn't easy when people look at their computer screens and think your a drug dealin dope fiend is enough for me to hope he's still being anal raped by some large man named Bubba. So you ask the question can someone cause damage without your SSN? They could send you to prison if you don't find out in time and clear your name. All they need is a few corrupt government employees and your first and last name.

The Straight Dope Disagrees with you

[still_sick]

http://www.straightdope.com/mailbag/mcredit.html [straightdope.com]

Thanks for playing. You lose.

Re:Just having their bills is enough

[patio11]

One elderly woman compatriot plus a smooth talking scam artist can social engineer their way past any telephone droid known to man. I know, as a former telephone droid (somebody fell for this hook line and sucker at my place of employment, and I swear if I heard the script today I would fall for it, too). Here's how it works: you get a list of easily publicly available information like, say, names and addresses from a source of your choice -- maybe buy a direct mail list, maybe use a public directory, whatever. Then, you search the list for Ethel, Gertrude, etc -- names which indicate women of a certain age. Then, you have your old woman compatriot call $TARGET (you can just cold call people randomly or make an educated guess -- if she's in a certain neighborhood in Chicago, she probably has an account with LaSalle Bank, etc). She acts very polite but just a little bit on the senile side. "Hello, this is Ethel Victim and I just had a question about my account. Oh, the number? Lets see... it had a two in it, I think. Or was that my insurance. Insurance, such a nasty business, you pay them every month and never see a dime while you're still alive! Haha, I guess I shouldn't be too sad about not having collected then. What were we talking about again, Dearie? Account number? Oh, let me get my boy Jimmie, he knows a lot about banks. He went to school, you know. Thirty-seventh in his class. Jimmy, come over here and talk to Susan from the bank for a minute" *swap to scammer* "Oh, hello. Listen, I'm really sorry but Mom is moving to a home this week and we're trying to get all her affairs straightened out. I put all the documents in my safe deposit box but forgot to get statements stopped to this address. Social security number? Oh, shoot, her card is in the box, too, and thats the other side of town. Listen, we're sort of busy today... I don't suppose I could ask you to look up her account number for me? Thanks Susan, you're a lifesaver. Yeah, Ethel Victim. V-I-C-T-I-M. 101 Oak Place. Want our phone number? OK, I'll get a pencil. Got it, thanks Susan. You have a nice day, too. Oh, I'll tell mom you said that, she'll be so pleased."

Next time/place you call up you can use the bit of information you gleaned as sort of a privilege escalation attack. i.e. Ethel has her account number written on the paper in front of her but... birthday? Jimmy was born on January 18th, 1974 -- it was the happiest day of her life, save marrying Harold on the 13th of November. But birthday. When was it? I should know my own birthday, but we never really had a party. I lived for the children. Oh, I'm getting old. Just another shriveled old prune who can't remember her own birthday? *sniff* Dearie, you won't tell anyone about this? I wouldn't want Jimmy to worry about me. I'm sure it will come back to me, let me call you back when it does... oh, you can look it up for me? You're so sweet.

Re:Non-Randomness

[Anonymous Coward]

My understanding is the 1st 3 are the geographic area from whence applied for the card.
The 2nd set of numbers are sequential with a twist. (Odds, then evens, and something to do with 10.) In general, this is *when* you applied for the card.
The last set of numbers is sequential, unless you got your card when the numbers were assigned to a local area.

Re:Birth Certificate

[beacher]

It's not even that hard - apparently all you had to do was buy a wallet from Woolworth [ssa.gov]. Interesting read - In a nutshell, a wallet manufacturer used a sample SSN in each wallet. Company Vice President and Treasurer Douglas Patterson thought it would be a clever idea to use the actual SSN of his secretary, Mrs. Hilda Schrader Whitcher. Over 5700 people adopted the SSN in 1943.

Heh
B

Re:The Straight Dope Disagrees with you

[hymie!]

And of course, the Straight Dope is never wrong.

Here, read it from the horse's mouth.

http://www.usa.visa.com/business/accepting_visa/op s_risk_management/card_present.html [visa.com]

About three paragraphs from the bottom, it says:

  If the card has a "See ID" in place of a signature...
http://www.usa.visa.com/img/other/card_see_id.gif [visa.com]
      1. Request a signature. Ask the cardholder to sign the card and provide current government identification, such as a driver's license or passport (if local law permits).
      2. Check the signature. Be sure that the signature on the card matches the one on the transaction receipt and the additional identification.

Now, I'm not going to claim that ALL stores WILL do this. Just that VISA is not obligated to honor a request for payment made with a card that is not signed, and the merchant might not be willing to take the risk.

Re:credit card info?

[thc69]

Well, I'll be a monkey's bare-assed uncle. You, sir, are almost entirely correct.

From http://usa.visa.com/download/business/accepting_vi sa/ops_risk_management/rules_for_visa_merchants.pd f?it=search [visa.com] :

Unsigned Cards
While checking card security features, you should also make sure that the card is signed. An unsigned card is considered invalid and should not be accepted. If a customer gives you an unsigned card, the following steps must be taken:
  Check the cardholders ID. Ask the cardholder for some form of official government identification, such as a drivers license or passport. Where permissible by law, the ID serial number and expiration date should be written on the sales receipt before you complete the transaction.
  Ask the customer to sign the card. The card should be signed within your full view, and the signature checked against the customers signature on the ID. A refusal to sign means the card is still invalid and cannot be accepted. Ask the customer for another signed Visa card.
  Compare the signature on the card to the signature on the ID. If the cardholder refuses to sign the card, and you accept it, you may end up with financial liability for the transaction should the cardholder later dispute the charge.

See ID Some customers write See ID or Ask for ID in the signature panel, thinking that this is a deterrent against fraud or forgery; that is, if their signature is not on the card, a fraudster will not be able to forge it. In reality, criminals dont take the time to practice signatures: they use cards as quickly as possible after a theft and prior to the accounts being blocked. They are actually counting on you not to look at the back of the card and compare signaturesthey may even have access to counterfeit identification with a signature in their own handwriting. See ID or Ask for ID is not a valid substitute for a signature. The customer must sign the card in your presence, as stated above.

Requesting Cardholder ID
When should you ask a cardholder for an official government ID? In most cases, merchants may not ask for an ID as part of their regular card acceptance procedures, either when a valid card is first presented or to complete a sale. Laws in several states also make it illegal for merchants to write a cardholder's personal information, such as an address or phone number, on a sales receipt.

You may ask for an official government ID or other personal information whenever you are suspicious about a card or a transaction. If the cardholder refuses the request or you are still suspicious, make a Code 10 call.

That doesn't say you must seize the card if it's presented unsigned or signed "ask for id", but it does say to not accept it. Further, it even says merchants are disallowed from asking for ID...huh. I guess I'll sign my damned card now.

Re:SSN

[cenobyte40k]

Sorry man, you are completely wrong here. SS law is specific in the fact that no one is allowed to use your SS# for anything other than as an ID number to the SS admin. As a result when you ask for the SS number for your W4 form you are within your legal rights. (In fact you are required by law to see proof of such when the form is filled out) If you ask for it or use it for any other reason you are running the risk of being called to task for it. I have found that it is almost impossible to get any agency to go after someone for this crime unless the SS# was used to cause harm(ID theft for example). However if you refuse employment or a bank refuses an account they are running the risk of finding themselves sued over it. (Note that in some case banks have a right to the number because they need to report information to the SS admin) So please for the love of.... Oh never mind just ready the last line of your post.

Re:Not Valid.

[chrissam]

Credit cards require less and less verification. I wonder whats their source of income when they lose money, that encourages them to be so lax.

In addition to the late fees and interest charged to the customer as the previous poster mentioned, the CC companies aren't held liable for any of the fraudulent purchases made with a card. It's an absolute racket. When a fraudulent transaction is disputed, the CC company just pulls the money back out of the merchant's account, and usually charges an additional $10-25 chargeback fee just to add insult to injury. So the CC companies have no incentive to limit fraud since it doesn't hurt them.

Of course, I'm speaking from the position of a merchant so I'm biased that way.

Re:Not Valid.

[Money for Nothin']

I do the exact same thing.

Get a Citibank Dividend Platinum Select, pay off the balance every month, and after a few months (depending on the credit limit and the charges run through them), receive a $50 rebate check that can be then used to buy other stuff on the same card (true, it's to the 1% rebate tune of a whopping $0.50, or $2.50 at 5% if in a grocery store or gas station, but it's still better than nothing). :-)