Privacy Security

Identity Theft-What Can Really be Done w/o a SSN? 533

TheItalianGuy asks: "Many of us that work in the financial sector are bombarded with daily security threats. One of the biggest these days is Identity Theft. My fellow comrades and I have been really grilling each other on differing scenarios on what could be done with what information. However, it all seems to come back to the Social Security Number. Financial companies have other controls in place (customer service verification checking, account passwords, etc) to ensure identification. But in order to be of any use, a bad guy would really need someone's SSN. Absent of that, other information would be useless. Right? That's what I would like to ask Slashdot folks. What could be realistically done with customer information without a SSN? Account numbers, address, maybe a phone or payment amount. Is that really dangerous to the customer if only those get compromised?"
This discussion has been archived. No new comments can be posted.

  • Social engineering (Score:2, Insightful)

    by DerekJ212 ( 867265 ) on Wednesday November 02, 2005 @12:36AM (#13929774)
    It seems to me that SSN would be of moot importance if you have everything else. Especially for lower age victims where "I'm sorry sir, I don't know my social security number" might be a valid answer.
  • Considering... (Score:5, Insightful)

    by Jace of Fuse! ( 72042 ) on Wednesday November 02, 2005 @12:38AM (#13929779) Homepage
    Considering so many uses only request the last four digits, that makes the SSN a really insecure PIN in some cases. Insecure because it's only 4 digits, and because it never changes.
  • credit card info? (Score:2, Insightful)

    by Exocrist ( 770370 ) on Wednesday November 02, 2005 @12:38AM (#13929786) Homepage Journal
    If you had someone's credit card, you usually don't need any other type of ID at all.

    Or if you were buying something online, and you had someone's credit card info and what not, you could make purchases without the SSN.
  • by arootbeer ( 808234 ) on Wednesday November 02, 2005 @12:42AM (#13929800)
    I think a lot has to do with knowing who to talk to; the problem of not having a SSN can also be solved via identity theft. At the school I'm getting my Master's from, you can call the financial aid office and get information on your account by using your name. I've always thought it was convenient, but I can certainly see how it's very dangerous.
  • by pvt_medic ( 715692 ) on Wednesday November 02, 2005 @12:42AM (#13929803)
    I remember watching a special about identity theft, and basically the point of the special was that with just a name and address, they were able to gather basically everything about the person. So with enough dedication and the right resources, getting a SSN is possible. Which is why I have since moved to 123 fake street.
  • Not Valid. (Score:3, Insightful)

    by everphilski ( 877346 ) on Wednesday November 02, 2005 @12:46AM (#13929829) Journal
    By college age you have used your social to fill out god-knows-how-many college applications, college loans, car loans, driver's license, etc. Before 18 you shouldn't be in the position to have access to something requiring a social security number unless you have access to it (IE: a bank account).

    -everphilski-
  • ask slashdot... (Score:2, Insightful)

    by know1 ( 854868 ) on Wednesday November 02, 2005 @12:51AM (#13929850)
    "So how exactly do I own if all I have are these few details from a Romanian site?"

    Many scri^W^W^Wsecurity professionals await your responses
  • by Pantero Blanco ( 792776 ) on Wednesday November 02, 2005 @12:59AM (#13929884)
    Considering that acquiring the SSNs of large groups of people is as easy as getting a desk job in certain businesses or educational institutions, I'd say getting an SSN is probably the EASY part of identity theft. How much can be done without having one would seem to be a moot point.
  • Re:Considering... (Score:4, Insightful)

    by shanen ( 462549 ) on Wednesday November 02, 2005 @12:59AM (#13929887) Homepage Journal
    Anyone who is dumb enough to use part of their SSN as a PIN deserves whatever happens. My own policy is to generate a random number each time I need a new PIN. (Four coin tosses per digit, converting from hex to decimal. Actually less, since 11 and 101 are terminators.)

    Anyway, the entire question of personal privacy is rapidly becoming moot. It's not just that our fear-mongering overlords want more power over each of us, but also that we have no barrier to protect privacy in this modern age. Do you have any idea how much of your personal data is stored out there? Of course not--but the organizations storing it (mostly companies and governments) can do whatever they want with it. My contention is that we need to extend the Bill of Rights to explicitly state that your personal information is part of your property and should be protected from search or seizure without probable cause.

  • Re:Considering... (Score:2, Insightful)

    by Jace of Fuse! ( 72042 ) on Wednesday November 02, 2005 @01:03AM (#13929900) Homepage
    Anyone who is dumb enough to use part of their SSN as a PIN deserves whatever happens.

    I agree. However, that hasn't stopped many services from requiring the last 4 digits of a SSN# for identity verification.

    It's idiotic.
  • Missing the point (Score:2, Insightful)

    by caller9 ( 764851 ) on Wednesday November 02, 2005 @01:05AM (#13929908)
    You guys know this SSN thing was dictated by db schema developers. What's a good primary key...hmmmm...SSN! yeah that'll do. Hey that could also be a good default password. Yeah or login name! This is great as long as every other financial or educational institution doesn't pick up our idea.

    SSN isn't the problem. Anytime you have a national universal "user id cum password" you're asking for it. Inside a state DL#s are probably somewhat a commodity in dark hat circles. Though not as useful in financial situations.

    Isn't SSN and other more personal info available from credit reporting agencies with some $$ and a name for any jackass?
  • by Anonymous Coward on Wednesday November 02, 2005 @01:05AM (#13929910)
    Why is the ID the government uses to key their database so valuable? Because the system is BROKEN. SSN should be (and actually pretty much is) public information, just like your name. Anything requiring secure authentication should use a shared secret (such as a PIN) or some even more secure mechanism. Using a non-secret value as a shared secret is just plain brain damaged. I'm constantly amazed that this never comes up in the press coverage of 'identity theft' (which should really be called 'identity offered for the taking by idiot financial companies').

  • by An Onerous Coward ( 222037 ) on Wednesday November 02, 2005 @01:16AM (#13929956) Homepage
    Nah. Long term, I think that SSNs should be considered public information. Somebody finding out your SSN should be about as harmful as somebody finding out your hair color.

    What should be illegal is using a person's SSN as an authentication mechanism. If it's considered public knowledge, then companies wouldn't be running around going, "Well, if you're really Bob Smith of Trenton, NJ then what... is.... yoursocialsecuritynumber????"
  • by PCM2 ( 4486 ) on Wednesday November 02, 2005 @01:28AM (#13930000) Homepage
    At least in Texas, the checking account-linked debit cards offer no protection, and no recompense in the case of fraud.
    I'm not sure what you mean by "check card" in the above, but the protections on ATM debit cards [state.tx.us] in Texas are similar, though not the same, as the protections afforded to credit cards. You are not liable above $50, provided you report the card stolen in a timely fashion.
  • by flaflashr ( 682722 ) on Wednesday November 02, 2005 @01:49AM (#13930087)
    First, credit card fraud or theft is not the same thing as identity theft, (even though the credit card banks have tried to spin it that way.)

    True identity theft is when somebody opens new accounts using your identity, obtained using surreptitious means.

    Now having said that, isn't the fault really with the credit issuers for making it too simple for credit to be obtained fraudulently? Why should it fall back on the poor, unsuspecting consumer, when the credit issuers are really to blame?

  • Re:SSN (Score:5, Insightful)

    by happynut ( 123278 ) on Wednesday November 02, 2005 @02:17AM (#13930172)
    It's actually never legally allowed to require a social security number; "they" can request it, but not demand it, unless "they" are a government agency
    This is somewhat true, but pretty misleading. Private companies cannot require a social security number, but they can make providing it a condition of doing business with you.

    For more info, see:

    http://www.faqs.org/faqs/privacy/ssn-faq/ [faqs.org]
    http://archive.cpsr.net/cpsr/privacy/ssn/SSN-Private.html [cpsr.net]

  • by TheWanderingHermit ( 513872 ) on Wednesday November 02, 2005 @02:38AM (#13930242)
    First: You seem to miss the part that I notified the Credit Union about it. Without going into details, they supported me.

    Second: The one time I had to deal with fraud, it was useful in pinpointing that all the fraudulent purchases were online.

    Third: As for terms, I go through a credit union, which is great on service and protection, and they have great terms for protecting members, so maybe credit cards help for many, but it doesn't make much of a difference in this case.

    Fourth: You bring up 2 points about the signature. You say, the merchant is not required to obey your stupid writing on the back. Then, in the same paragraph (actually, the next sentence), you say, In fact, if they are doing their job they would require you to sign the card for real to make sure you have agreed to the terms of service. Do you always go back and forth on everything like that? Yes, it is supposed to be signed, and my note requires them to check for ID, which is signed. I checked, and it counts. So, in line with your 2nd sentence, yes, they are supposed to check -- which contradicts your 1st sentence.

    Fifth: Yes, most theft happens without stealing my card. So I guess I should just give up and not do anything and not care if it is physically stolen, right?

    Sixth: The lawyer friends are my clients, and are thrilled with the service I provide them because it has helped one start a business, another add scads of new customers, and others increase their profit margin and add enough new clients that some have had to hire more people. Some are family friends. As for cops, one, in particular, was talking to me and his cousin, and showed us his card and the note he put on it, as well as giving us a good background explanation, specifically for his cousin.

    So you may think it is stupid, but you couldn't provide a reason that stands up to examination for that.

    But that's okay -- I wasn't telling you that you had to do it. If you think it's stupid, don't do it. But don't give us a bunch of shallow and invalid reasons why it is stupid when the reasons are less supported than the suggestion.
  • What I feel (Score:3, Insightful)

    by Sycraft-fu ( 314770 ) on Wednesday November 02, 2005 @02:47AM (#13930271)
    Is we need to stop treating SSNs like proof of identity. Just because you know my name, doesn't prove you are me, neither should knowing my SSN. I mean what is it, after all? It's an identifier. The problem we face is that there is no guarantee of uniqueness in names. If you are John Paul Smith, I'd be willing to bet you can find another person in the same city with that precise name, never mind the whole US.

    So, we need something more to allow us to uniquely identify a person for various things. It is important, for example, for a bank to be sure you are the John Paul Smith they are thinking about when considering your creditworthiness for a loan. Well, since everyone in the US has, at least in theory, a unique SSN, that solves the problem. Name + SSN = a near certainty that you are dealing with the person you think you are.

    However, much as a name isn't a proof of identity, neither should an SSN be. SSNs should be something that it doesn't matter if someone knows any more than if they know your name. It should be used just to establish who you claim to be, something else then is needed to verify that, indeed, you are that person.
  • by Mad Alchemist ( 706211 ) on Wednesday November 02, 2005 @03:19AM (#13930353)

    How? The SSN is nowhere on the birth certificate. If your statement was true an identity thief could walk into the county registrar's office and get the SSNs of everyone born in the county.

    Also, a passport application requires [state.gov] proof of US citizenship (for which a birth certificate will work) AND proof of identity (which includes a government-issued photo ID). If you have someone else's birth certificate, the info on that won't match the photo on the ID with your picture on it. (I'm assuming here that they do some checking to make sure the ID is real.)

  • Re:What I feel (Score:5, Insightful)

    by Eivind ( 15695 ) <eivindorama@gmail.com> on Wednesday November 02, 2005 @04:38AM (#13930525) Homepage
    Just because you know my name, doesn't prove you are me, neither should knowing my SSN

    Bingo.

    It's two different problems really. One is: How do you get a unique handle on a person? As you say, name won't work, there's more than one "John Smith", adding in physical address leads to duplication, because people move, so "John Smith, Bourbon Street" can very well be the same person as "John Smith, Pennsylvania Avenue".

    Adding birthdate helps, but is still no guarantee, there could be two John Smiths both born on say 9.9.1979.

    For this problem the SSN is a decent solution. If we're talking of the person with SSN XXXXXXXX it's pretty likely we're talking of the same person, assuming every person has exactly one SSN (which ain't true, but it's at least sorta close).

    However SSN is a *lousy* way of verifying identity. Knowing it is no evidence at all that you are the person to which the number belongs.

    Over the course of a life you hand out your SSN to several dozens or even several hundred different entities, you don't want all of those to later be able to pretend to be you. (or someone breaking into the computer of one of those)
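
The identifier-versus-proof split argued in the comments above, as an added example that is not part of the original thread. The class and function names, the three-attempt lockout and the PBKDF2 parameters are assumptions made for this sketch, and the SSN-shaped value is a constructed placeholder.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 3  # assumed lockout threshold for this sketch


class CustomerDirectory:
    """Keeps the lookup key (identifier) apart from the proof of identity (secret)."""

    def __init__(self):
        self._records = {}

    @staticmethod
    def _derive(secret: str, salt: bytes) -> bytes:
        # Slow salted hash, so a copied table does not hand over the secrets.
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def enroll(self, identifier: str, name: str, secret: str) -> None:
        salt = secrets.token_bytes(16)
        self._records[identifier] = {
            "name": name, "salt": salt,
            "verifier": self._derive(secret, salt), "failures": 0,
        }

    def identify(self, identifier: str):
        """Answers 'which record?' only. Returns the name or None; grants nothing."""
        rec = self._records.get(identifier)
        return rec["name"] if rec else None

    def legacy_verify(self, identifier: str, claimed_name: str) -> bool:
        """The practice the comments criticise: knowing the identifier is the proof."""
        return self.identify(identifier) == claimed_name

    def authenticate(self, identifier: str, presented_secret: str) -> bool:
        """Answers 'is this really them?' with a secret the identifier never reveals."""
        rec = self._records.get(identifier)
        if rec is None or rec["failures"] >= MAX_FAILURES:
            return False  # unknown record, or locked after repeated wrong guesses
        candidate = self._derive(presented_secret, rec["salt"])
        if hmac.compare_digest(candidate, rec["verifier"]):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        return False


def demo():
    directory = CustomerDirectory()
    # Constructed sample values; "000-00-0000" is a placeholder, not a real SSN.
    directory.enroll("000-00-0000", "John Smith", "correct horse battery")
    return {
        "legacy_accepts_leaked_id": directory.legacy_verify("000-00-0000", "John Smith"),
        "strong_rejects_id_as_secret": directory.authenticate("000-00-0000", "000-00-0000"),
        "strong_accepts_owner": directory.authenticate("000-00-0000", "correct horse battery"),
    }


if __name__ == "__main__":
    print(demo())
```

The lockout counter matters for the short, never-changing secrets discussed earlier in the thread: without it, a four-digit value can simply be tried exhaustively.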

  • by Havok219 ( 927869 ) on Wednesday November 02, 2005 @11:31AM (#13932329)
    IANAL, however, I am a financial crimes investigator for the local Sheriff's Office. Identity theft, at its root, is not using someone else's credit card against their will, that is "fraudulent use of a credit card." Identity theft in the Florida statutes, is called "fraudulent use of personal identification." It more or less means name, date of birth, ssn, and any other biographical/biometrical information that can be used to determine your identity from another person.
    That being said, I think the original post is aimed at actual fraudulent use of personal ID, or as it is listed on my case files "FUPID" The original poster is correct in asserting that without the SSN, your identity most likely will not be stolen. It is very difficult to open any type of credit account without the SSN, because that is how the credit reporting companies list you. Contrary to its original "intent" the SSN has become a serial number for US citizens. If you don't believe me, try to enroll in college, or get a credit card, or loan, or anything else.
    Since this thread is about credit cards, I will touch on that. The parent is correct, in that most credit card fraud happens without the suspect in actual physical possession of the card. 90% of the cases that I work involve a victim that still has possession of the card. They have been victimized by either someone digging through the trash to get their statements, or using their card at an unsecure (pr0n) site, or by some other type of mishandling of the card. Once in awhile, I will get a case where the victim did not use the card in an insecure manner, and I have no clue how the suspect got the information. Furthermore, contrary to our popular belief here at Slashdot, solving a fraudulent use of credit card case is extremely difficult, and proving it in court is that much more difficult. Believe me when I say, the criminals of this world have found a niche here, and they know it, that is why this crime is so rampant. If you don't think this crime is rampant, wake up, and get out of your dream world.
    While the parent is correct in his assertion that your signature on the card is only an agreement to the usage of the card, I would argue that writing "see ID" on the back is an added security feature, and can't hurt. There are cases here where someone has taken a card, and used it all over God's creation. While we would love to blame the merchants for not taking the proper security measures, that doesn't get the victim his/her money back. So, in order to try to avert that problem in my personal life, the back of my credit card reads, "see ID."
    My thoughts on actual identity theft will appear in another, more appropriate thread.
  • Re:Not Valid. (Score:3, Insightful)

    by trentblase ( 717954 ) on Wednesday November 02, 2005 @11:49AM (#13932494)
    If you are paying for cable/internet/games/eating out with a credit card then you can't afford them; stop buying them.

    That's pure bullshit. I pay for EVERYTHING I can with my credit card. Including my $2 fast food purchase. Why? I have enough cash to pay my balance in full at the end of every month. On top of that, I get at least 1% cash back. That's an instant 1% discount on everything I buy. Some places I get up to 5% back. Since I've never missed a payment, my credit is awesome, and I've run enough money through those cards to have earned an awesome rebate each year. Why give people your hard earned cash up front when you can get a free 30-day float on the money?

  • by jgc7 ( 910200 ) on Wednesday November 02, 2005 @12:19PM (#13932813) Homepage
    To elaborate (but at risk of going off-topic), the basic idea is that if someone wants to store information about you, you should have the right to make them store it on your machine. They can sign it or whatever to prevent you from tampering with it, but if they want to see it again, they should have to ask your permission. As long as it's reasonable, you can let them see it--unless you change your mind. Even including your SSN.

    This would be scary. One of my least interesting work assignments is to send the FICA payroll to the federal government for 130,000+ US employees. If our HR and payroll systems didn't store the SSN, this trivial assignment would take years.

  • by Maltheus ( 248271 ) on Wednesday November 02, 2005 @03:51PM (#13934791)
    Yeah, and I've read at least one case where the judge used the Bubba phrase while sentencing someone. I remember thinking that that person should have been able to get off if the judge was knowingly sentencing someone to get raped up the ass. Surely rape falls under the "cruel and unusual" prohibitions in the 8th amendment.

    It amazes me how so many people in this country smile with glee as they talk about some prisoner getting raped up the ass. People don't even speak of getting sent to prison anymore, they just talk about the butt buddies that person is going to have. Rape has become synonymous with prison, in our society, and in my mind this invalidates the entire legal system.
