Identity Theft-What Can Really be Done w/o a SSN? 533
TheItalianGuy asks: "Many of us that work in the financial sector are bombarded with daily security threats. One of the biggest these days is Identity Theft. My fellow comrades and I have been really grilling each other on differing scenarios on what could be done with what information. However, it all seems to come back the the Social Security Number. Financial companies have other controls in place (customer service verification checking, account passwords, etc) to ensure identification. But in order to be of any use, a bad guy would really need someone's SSN. Absent of that, other information would be useless. Right? That's what I would like to ask Slashdot folks. What could be realistically done with customer information without a SSN? Account numbers, address, maybe a phone or payment amount. Is that really dangerous to the customer if only those get compromised?"
Social engineering (Score:2, Insightful)
Considering... (Score:5, Insightful)
credit card info? (Score:2, Insightful)
Or if you were buying something online, and you had someone's credit card info and what not, you could make purchases without the SSN.
Depends on the institution (Score:2, Insightful)
How hard is it to get the SSN (Score:3, Insightful)
Not Valid. (Score:3, Insightful)
-everphilski-
ask slashdot... (Score:2, Insightful)
Many scri^W^W^Wsecurity professionals await your responses
Why is that even the question? (Score:5, Insightful)
Re:Considering... (Score:4, Insightful)
Anyway, the entire question of personal privacy is rapidly becoming moot. It's not just that our fear-mongering overlords want more power over each of us, but also that we have no barrier to protect privacy in this modern age. Do you have any idea how much of your personal data is stored out there? Of course not--but the organizations storing it (mostly companies and governments) can do whatever they want with it. My contention is that we need to extend the Bill of Rights to explicitly state that your personal information is part of your property and should be protected from search or seizure without probable cause.
Re:Considering... (Score:2, Insightful)
I agree. However, that hasn't stopped many services from requiring the last 4 digits of a SSN# for identity verification.
It's idiotic.
Missing the point (Score:2, Insightful)
SSN isn't the problem. Anytime you have a national universal "user id come password" you're asking for it. Inside a state DL#s are probably somewhat a commodity in dark hat circles. Though not as usefull in financial situations.
Isn't SSN and other more personal info available from credit reporting agencies with some $$ and a name for any jackass?
Stupid, stupid, stupid...system (Score:1, Insightful)
so valuable ? Because the system is BROKEN. SSN should
be (and actually pretty much is) public information,
just like your name. Anything requiring secure authentication
should use a shared secret (such as a PIN) or some even
more secure mechanism. Using a non-secret value as a
shared secret is just plan brain damaged. I'm constantly
amazed that this never comes up in the press coverage
of 'identity theft' (which should really be called
'identity offered for the taking by idiot financial companies').
Re:A corrolary .... (Score:3, Insightful)
What should be illegal is using a person's SSN as an authentication mechanism. If it's considered public knowledge, then companies wouldn't be running around going, "Well, if you're really Bob Smith of Trenton, NJ then what... is.... yoursocialsecuritynumber????"
Re:Bank card number (Score:5, Insightful)
Are the financial institutions really at fault? (Score:2, Insightful)
True identity theft is when somebody opens new accounts using your identity, obtained using surreptitious means.
Now having said that, isn't the fault really with the credit issuers for making it too simple for credit to be obtained fraudulently? Why should it fall back on the poor, unsuspecting consumer, when the credit issuers are really to blame?
Re:SSN (Score:5, Insightful)
For more info, see:
http://www.faqs.org/faqs/privacy/ssn-faq/ [faqs.org]a te.html [cpsr.net]
http://archive.cpsr.net/cpsr/privacy/ssn/SSN-Priv
Re:credit card info? (Score:3, Insightful)
Second: The one time I had to deal with fraud, it was useful in pinpointing that all the fraudulent purchases were online.
Third: As for terms, I go through a credit union, which is great on service and protection, and they have great terms for protecting members, so maybe credit cards help for many, but it doesn't make much of a difference in this case.
Fourth: You bring up 2 points about the signature. You say, the merchant is not required to obey your stupid writing on the back. Then, in the same paragraph (actually, the next sentence), you say, In fact, if they are doing their job they would require you to sign the card for real to make sure you have agreed to the terms of service. Do you always go back and forth on everything like that? Yes, it is supposed to be signed, and my note requires them to check for ID, which is signed. I checked, and it counts. So, in line with your 2nd sentence, yes, they are supposed to check -- which contradicts your 1st sentence.
Fifth: Yes, most theft happens without stealing my card. So I guess I should just give up and not do anything and not care if it is physically stolen, right?
Sixth: The lawyer friends are my clients, and are thrilled with the service I provide them because it has helped one start a business, another add scads of new customers, and others increase their profit margin and add enough new clients that some have had to hire more people. Some are family friends. As for cops, one, in particular, was talking to me and his cousin, and showed us his card and the note he put on it, as well as giving us a good background explanation, specifically for his cousin.
So you may think it is stupid, but you couldn't provide a reason that stands up to examination for that.
But that's okay -- I wasn't telling you that you had to do it. If you think it's stupid, don't do it. But don't give us a bunch of shallow and invalid reasons why it is stupid when the reasons are less supported than the suggestion.
What I feel (Score:3, Insightful)
So, we need something more to allow us to uniquely identify a person for various things. It is important, for example, for a bank to be sure you are the John Paul Smith they are thinking about when considering your creditworthniess for a loan. Well, since everyone in the US has, at least in theory, a unique SSN, that solves the problem. Name + SSN = a near certianty that you are dealing with the person you think you are.
However, much as a name isn't a proof of identity, neither should an SSN be. SSNs should be something that it doesn't matter if someone knows any more than if they know your name. It should be used just to establish who you claim to be, something else then is needed to verify that, indeed, you are that person.
Re:Birth Certificate (Score:2, Insightful)
How? The SSN is nowhere on the birth certificate. If your statement was true an identity thief could walk into the county registrar's office and get the SSNs of everyone born in the county.
Also, a passport application requires [state.gov] proof of US citizenship (for which a birth certificate will work) AND proof of identity (which includes a government-issued photo ID). If you have someone else's birth certificate, the info on that won't match the photo on the ID with your picture on it. (I'm assuming here that they do some checking to make sure the ID is real.)
Re:What I feel (Score:5, Insightful)
Bingo.
It's two different problems really. One is: How do you get a unique handle on a person ? As you say, name won't work, there's more than one "John Smith", adding in physical adress leads to duplication, because people move, so "John Smith, Bourbon Street" can very well be the same person as "John Smith, Pennsylvania Avenue".
Adding birthdate helps, but is still no guarantee, there could be two John Smiths both born on say 9.9.1979
For this problem the SSN is a decent solution. If we're talking of the person with SSN XXXXXXXX it's pretty likely we're talking of the same person, assuming every person has exactly one SSN (which ain't true, but it's atleast sorta close)
However SSN is a *lousy* way of verifying identity. Knowing it is no evidence at all that you are the person to which the number belongs.
Over the course of a life you hand out your SSN to several dozens or even several hundred different entities, you don't want all of those to later be able to pretend to be you. (or someone breaking into the computer of one of those)
Re:credit card info? (Score:2, Insightful)
That being said, I think the original post is aimed at actual fraudulent use of personal ID, or as it is listed on my case files "FUPID" The original poster is correct in asserting that without the SSN, your identity most likely will not be stolen. It is very difficult to open any type of credit account without the SSN, because that is how the credit reporting companies list you. Contrary to its original "intent" the SSN has become a serial number for US citizens. If you don't believe me, try to enroll in college, or get a credit card, or loan, or anything else.
Since this thread is about credit cards, I will touch on that. The parent is correct, in that most credit card fraud happens without the suspect in actual physical possession of the card. 90% of the cases that I work involve a victim that still has possession of the card. They have been victimized by either someone digging through the trash to get their statements, or using their card at an unsecure (pr0n) site, or by some other type of mishandling of the card. Once in awhile, I will get a case where the victim did not use the card in an insecure manner, and I have no clue how the suspect got the information. Furthermore, contrary to our popular belief here at Slashdot, solving a fraudulent use of credit card case is extremely difficult, and proving it in court is that much more difficult. Believe me when I say, the criminals of this world have found a niche here, and they know it, that is why this crime is so rampant. If you don't think this crime is rampant, wake up, and get out of your dream world.
While the parent is correct in his assertion that your signature on the card is only an agreement to the usage of the card, I would argue that writing "see ID" on the back is an added security feature, and can't hurt. There are cases here where someone has taken a card, and used it all over God's creation. While we would love to blame the merchants for not taking the proper security measures, that doesn't get the victim his/her money back. So, in order to try to avert that problem in my personal life, the back of my credit card reads, "see ID."
I will post my thoughts on actual identity theft will appear in another more appropriate thread.
Re:Not Valid. (Score:3, Insightful)
That's pure bullshit. I pay for EVERYTHING I can with my credit card. Including my $2 fast food purchase. Why? I have enough cash to pay my balance in full at the end of every month. On top of that, I get at least %1 cash back. That's an instant %1 discount on everything I buy. Some places I get up to %5 back. Since I've never missed a payment, my credit is awesome, and I've run enough money through those cards to have earned an awesome rebate each year. Why give people your hard earned cash up front when you can get a free 30-day float on the money?
Re:Considering how much data is out there? (Score:2, Insightful)
This would be scary. One of my least interesting work assignments is to send the FICA payroll to the federal govenment for 130,000+ US employees. If our HR and payroll systems didn't store the SSN, this trivial assignment would take years.
Re:Having Your Identity Stolen Sucks (Score:2, Insightful)
It amazes me how some many people in this country smile with glee as they talk about some prisoner getting raped up the ass. People don't even speak of getting sent to prison anymore, they just talk about the butt buddies that person is going to have. Rape has become synonomous with prison, in our society, and in my mind this invalidates the entire legal system.