Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Identity Theft-What Can Really be Done w/o a SSN?

Cliff posted more than 8 years ago | from the protecting-your-data dept.

Privacy 533

TheItalianGuy asks: "Many of us that work in the financial sector are bombarded with daily security threats. One of the biggest these days is Identity Theft. My fellow comrades and I have been really grilling each other on differing scenarios on what could be done with what information. However, it all seems to come back the the Social Security Number. Financial companies have other controls in place (customer service verification checking, account passwords, etc) to ensure identification. But in order to be of any use, a bad guy would really need someone's SSN. Absent of that, other information would be useless. Right? That's what I would like to ask Slashdot folks. What could be realistically done with customer information without a SSN? Account numbers, address, maybe a phone or payment amount. Is that really dangerous to the customer if only those get compromised?"

cancel ×

533 comments

Preventing Identity Theft (-1, Offtopic)

Elite Xizer (915457) | more than 8 years ago | (#13929766)

This website [ytmnd.com] is all you need to prevent identity theft.

Tons (2, Funny)

Anonymous Coward | more than 8 years ago | (#13929767)

Stalking

Hey People (-1, Troll)

Anonymous Coward | more than 8 years ago | (#13929828)

You know what I'd like to know? What can be done at Slashdot with an editor that actually edits and knows how to pick a fucking story? What's with all the lame garbage at this web blog recently? Is Ciffy too busy getting blowjobs from Zonk, and both too busy getting fucked up the ass by Taco? Seems so, because certainly NO ONE is "editing".

Social engineering (3, Insightful)

DerekJ212 (867265) | more than 8 years ago | (#13929774)

It seems to me that SSN would be of moot importance if you have everything else. Especially for lower age victims where "Im sorry sir, i dont know my social security number" might be a valid answer..

Not Valid. (2, Insightful)

everphilski (877346) | more than 8 years ago | (#13929829)

By college age you have used your social to fill out god-knows-how-many college applications, college loans, car loans, drivers license, etc. Before 18 you shouldn't be in the position to have access to something requiring a social security number unless you have access to it (IE: a bank account)

-everphilski-

Considering... (5, Insightful)

Jace of Fuse! (72042) | more than 8 years ago | (#13929779)

Considering so many uses only request the last four digits, that makes the SSN a really insecure PIN in some cases. Insecure because it's only 4 digits, and because it never changes.

Re:Considering... (4, Insightful)

shanen (462549) | more than 8 years ago | (#13929887)

Anyone who is dumb enough to use part of their SSN as a PIN deserves whatever happens. My own policy is to generate a random number each time I need a new PIN. (Four coin tosses per digit, converting from hex to decimal. Actually less, since 11 and 101 are terminators.)

Anyway, the entire question of personal privacy is rapidly becoming moot. It's not just that our fear-mongering overlords want more power over each of us, but also that we have no barrier to protect privacy in this modern age. Do you have any idea how much of your personal data is stored out there? Of course not--but the organizations storing it (mostly companies and governments) can do whatever they want with it. My contention is that we need to extend the Bill of Rights to explicitly state that your personal information is part of your property and should be protected from search or seizure without probable cause.

Re:Considering... (2, Insightful)

Jace of Fuse! (72042) | more than 8 years ago | (#13929900)

Anyone who is dumb enough to use part of their SSN as a PIN deserves whatever happens.

I agree. However, that hasn't stopped many services from requiring the last 4 digits of a SSN# for identity verification.

It's idiotic.

Re:Considering... (0, Redundant)

unixbugs (654234) | more than 8 years ago | (#13929901)

Mod it up. People need to read this.

...we need to extend the Bill of Rights to explicitly state that your personal information is part of your property and should be protected from search or seizure without probable cause.

Mine is... (0)

LTC_Kilgore (889217) | more than 8 years ago | (#13929785)

123-45-6789 Do your worst!

Re:Mine is... (1)

bi_boy (630968) | more than 8 years ago | (#13929806)

Thats what some idiot would have on his luggage!

Re:Mine is... (0, Redundant)

Agret (752467) | more than 8 years ago | (#13929856)

President Skroob: What's the combination?
Colonel Sandurz: One, two, three, four, five.
President Skroob: One, two, three, four, five?
Colonel Sandurz: Yes.
President Skroob: That's amazing. I got the same combination on my luggage.
[Dark Helmet and Sandurz look at each other]

Re:Mine is... (4, Funny)

prockcore (543967) | more than 8 years ago | (#13929889)

Mine is 000-00-0002 (Damn Roosevelt!)

Re:Mine is... (1)

Unleashd (664454) | more than 8 years ago | (#13929931)

You almost had me there ... until I looked at your /. number ...

Re:Mine is... (1)

RLiegh (247921) | more than 8 years ago | (#13929965)

What about it? Typing takes time once you reach a certain age!

credit card info? (3, Insightful)

Exocrist (770370) | more than 8 years ago | (#13929786)

If you had someone's credit card, you usually dont need any other type of ID at all.

Or if you were buying something online, and you had someone's credit card info and what not, you could make purchases without the SSN.

Re:credit card info? (1)

kcbernfeld (880170) | more than 8 years ago | (#13929818)

If you have a credit card, you still need some sort of matching signature, although I'm sure that doesn't really matter anymore. But isn't the center of the Visa Check Card the lack of need for ID?

Re:credit card info? (1)

AuMatar (183847) | more than 8 years ago | (#13929847)

No you don't. Ever used a credit card by phone, internet, ATM, etc. Ever sign it? Nope. Ever leave your cc after signing for a restaurant bill? Nope.

Beyond that- do you ever see anyone flip over a card and check if yours is signed, much less if the signatures match? The first happens once every 20 or so purchases, the last almost never.

Re:credit card info? (1)

brainboyz (114458) | more than 8 years ago | (#13929880)

Whats worse, if it's not signed they'll ask you to sign it right in front of them.

parent is correct (1)

artifex2004 (766107) | more than 8 years ago | (#13929946)

Any number of fast food restaurants and mall stores will be happy to take your credit card for smaller purchases, without doing any form of identification. Some don't even require you to sign anything! My local grocery store gas station is happy to do that.

I have "check ID" on the back of each of my cards. That's usually ignored, even when they look at the signature, which they rarely do. I know someone who only uses a wavy line as a signature when asked to sign an electronic pad, and that is never questioned, either. Anecdotal remarks from past Slashdot articles on the same issue indicate that even writing obviously fake names or 'do not pay' remarks are accepted.

If someone can copy your magstrip, or even just your credit card number if they know how the banks encode that stuff, they'll have a ready line of credit until the next time you check your bill. And even though you will likely get the charges dropped, (my cards promise to wave the $50 deductible, too) it will still be a hassle, screwing up your finances while you have to change automatic payments to reflect new account numbers, etc.

In my case, getting American Express to take my complaint seriously took a couple of months, even though the charges were coming from some foreign country, possibly because the repeat charges were under $20 each month. At one point I was told there was no need to change my number, it was probably a billing error, and I'd have the money refunded; the next month I was in the phone queue again, asking a "supervisor" why they didn't remove the charge and demanding an account freeze and new number. I'm guessing the credit card industry still doesn't care all that much, because they take a certain amount of fraud as granted when they charge stores who accept their cards, and also customers who carry balances. the more convenient they make it, the more they can charge stores who offer it. And the stores usually get stuck with the bill if it's fraud, anyway. So we end up paying, one way or another, for their business practices.

Re:parent is correct (1)

Lehk228 (705449) | more than 8 years ago | (#13929978)

well i guess amex just sucks balls then, i called visa when some drawing software company sold me a $20 download (not a problem) then called my dorm and told me the software i bought was shit (a problem) tried to get me to 'upgrade' to the $100 version (a problem) then wouldn't cancel the order (a problem) they took care of me even though i'm just a lowly college student with an $800 credit limit

Re:credit card info? (1)

Exocrist (770370) | more than 8 years ago | (#13929878)

http://www.zug.com/pranks/credit/ [zug.com] Check that out for signature matching.

Re:credit card info? (1)

kcbernfeld (880170) | more than 8 years ago | (#13929913)

I've seen that before, and I remembered it about 30 seconds after I posted. But thanks for reminding me.

Re:credit card info? (1)

6*7 (193752) | more than 8 years ago | (#13929939)

Why not simply use a (personal(ized)) stamp like they do in Japan (atleast when I last was there 10 years ago). That has to be fool prove.

Re:credit card info? (1)

Anonymous Luddite (808273) | more than 8 years ago | (#13929968)

>> you still need some sort of matching signature

Not on this planet. Have you ever _used_ a credit card? The clerks don't look, don't care. You could write "Osama bin stolen" on the slip and they'd never notice..

Re:credit card info? (1)

Saeed al-Sahaf (665390) | more than 8 years ago | (#13929843)

I use my wife's CC card (which has her picture on it!) to pick up her perscriptions all the time. These include Vicodin and some other hot street pills...

Re:credit card info? (4, Interesting)

TheWanderingHermit (513872) | more than 8 years ago | (#13929935)

I talked with a few lawyer and cop friends about this and put on the back of my check card (I don't use credit cards), "ASK FOR PHOTO ID" in big, red letters. My understanding is since I've notified the Credit Union of this, in writing, if anyone uses a fake card in person, or steals it and doesn't show an ID, the merchant is at fault, since they did not check the signature and ask for the ID, as stated in place of the signature. I don't worry too much about it, though. They are excellent at detecting any sign of fraud activity, and have called me several times to verify transactions outside of my normal purchase habits. I'd much rather get false alarms like that then have them ignore it.

I would love to help with this experiment (1)

jdavidb (449077) | more than 8 years ago | (#13929792)

Account numbers, address, maybe a phone or payment amount. Is that really dangerous to the customer if only those get compromised?

Why don't you post your credit card account number here and find out? Or, if you'd rather, you can email it to me privately.

Re:I would love to help with this experiment (1)

josepha48 (13953) | more than 8 years ago | (#13929821)

I'd rather them post it like a dumb***. Yes SSN is the key to stealing someone's id, but you can charge up a lot with the credit card number. There is a scam out now, where someone is charging 24.99 to credit cards. Yes, it seems like a small amount and many people wont even notice it ( the dumb people who don't review their bill ). Myltiply that number by 10000, and you start to make some doh! The credit card companies will give you your money back, but they still loose money that way and the theif gets away with thousands if not millions of dollars.

Oh, he should post his bank account numbers also.

Comrades in the Financial Industry? (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#13929794)

In the new Facist America, your industry doesn't pay you - you pay your industry.

Depends on the institution (2, Insightful)

arootbeer (808234) | more than 8 years ago | (#13929800)

I think a lot has to do with knowing who to talk to; the problem of not having a SSN can also be solved via identity theft. At the school I'm getting my Master's from, you can call the financial aid office and get information on your account by using your name. I've always thought it was convenient, but I can certainly see how it's very dangerous.

Re:Depends on the institution (1)

kabloom (755503) | more than 8 years ago | (#13929963)

I once called my ISP (a small regional DSL provider) to get my current at-the-moment IP address when I accidentally disabled my DDNS updater.

Same deal. Makes your computer vulnerable for hacks.

How hard is it to get the SSN (2, Insightful)

pvt_medic (715692) | more than 8 years ago | (#13929803)

I remember watching a specail about identity theft, and basically the point of the special was that with just a name and address, they were able to gather basically everything about the person. So with enough dedication and the right resources, getting a SSN is possible. Which is why i have since moved to 123 fake street.

Re:How hard is it to get the SSN (1)

eMartin (210973) | more than 8 years ago | (#13929929)

"123 fake street"

Hey, I used to live there!

Re:How hard is it to get the SSN (1)

MikeFM (12491) | more than 8 years ago | (#13929971)

Of course just stealing a peek in someone's wallet or digging the info from their trash is pretty damn easy and wouldn't be likely to be detected if you were careful. Why steal someones cash or credit card, which they'll likely detect, when you can pick their pocket/purse or grab their wallet from their desk, pilfer it for information (digital cam would make it quick), and drop it back undetected.

SSN and Universities. (1)

LewsTherinKinslayer (817418) | more than 8 years ago | (#13929804)

While a lot of Universities are moving away from this, a lot of schools still use SSN for all kinds of identification and logins and such. Just by paying careful attention during different freshman events, like, applying for a student ID, a person can get these information rather easily.

Re:SSN and Universities. (0)

Anonymous Coward | more than 8 years ago | (#13929853)

because students have soooo much money. ;)

Fake SSN (0, Interesting)

Anonymous Coward | more than 8 years ago | (#13929805)

Some companies don't check your SSN, so you (and everyone else) could use a fake SSN to register there. And if you have the social skills, you can talk allot of companies to give you the SSN that goes with the name. Off course I'm talking about crappy companies, but there are allot of crappy companies that require you to give your SSN to register for their services.

Birth Certificate (5, Informative)

JeanBaptiste (537955) | more than 8 years ago | (#13929807)

If you had someones birth certificate you could then find out their SSN. As well as apply for a passport.

I'll get back to you (0)

Anonymous Coward | more than 8 years ago | (#13929808)

Account numbers, address, maybe a phone or payment amount....

Please post your info here, and I'll see what I can do :)

Aggregation Attack (4, Informative)

camusflage (65105) | more than 8 years ago | (#13929809)

It's called an aggregation attack. If you have all the pieces but the SSN, not only is it relatively trivial to obtain access to the SSN, but it's pretty much superceded by everything else.

Re:Aggregation Attack (3, Informative)

TrappedByMyself (861094) | more than 8 years ago | (#13929990)

Want to save thousands of dollars on MSDN? [macrocosmictech.com]

Why are you charging $17 for this [microsoft.com] link?

SSN is the problem (1, Troll)

nemesisj (305482) | more than 8 years ago | (#13929810)

Isn't the question more along the lines of "What CAN'T be done with a SSN?" Seriously - almost every financial transaction needs this number, which as far as I know wasn't ever supposed to be a national ID number. It seems like the overarching importance of a SSN is what makes identity theft so easy. There have been several times where I've not had all the security information when talking to a representative on the phone, but the fact that I knew my SSN trumped everything.

Re:SSN is the problem (0)

Anonymous Coward | more than 8 years ago | (#13929830)

But there is where you are wrong. You only need to give them your SSN if it's an intrest bearing accnt.

Re:SSN is the problem (0)

Anonymous Coward | more than 8 years ago | (#13929896)

Actually no. My school (Cal state school) used our social security numbers as our sole identification number. It was printed on every student ID. As far as I know, there wasnt a way to opt out. Teachers would use our SSN to post grades and such.

Re:SSN is the problem (3, Interesting)

axonal (732578) | more than 8 years ago | (#13929912)

Seriously - almost every financial transaction needs this number

I don't need an SSN to withdraw money from my ATM, or make a deposit. And it should be kept that way. Anything that has a frequent transaction rate (financial transactions, university logins, bank logins, etc) should never use anything involving a SSN. By increasing the frequency of transactions involving SSN, you remove the user's will to protect this number. It begins to become more of a hassle for them to use this number, thus they'll do anything they want to make it easier for them to use the number (writing it down on notes, cards, sharing is easily to get from step A to step B). By making it rare to use the number, you also increase the user's protectiveness towards the number as well as the amount of information in exsistence using the number (transaction receipets, database entries, etc), causing eless things to become compromised. So if we apply the same ideas, any number, or piece of information that is used freequently, can be easily obtained. While information that is not frequently used, is harder to obtain, and more easier to secure since you have less of a paper-trail.

A corrolary .... (2, Interesting)

gstoddart (321705) | more than 8 years ago | (#13929816)

Why does every company still legally insist you provide that information? Isn't it illegal to ask if you're NOT a federal institution.

I've worked for companies who game my SSN to my health-insurance company as my member ID. Why do they need it, and what the hell is it being used for as my member ID? Yes, with you SSN, people can do a lot of evil things. Handing it out willy-nilly (without asking you) is jut as bad.

But why is it legal for an employer to just hand this out to third parties? I think the abuses of how people use SSNs stems from the fact that way too many companies ask for it, and way too many companies hand it out to their vendors without any real regulatory restraints.

IMO, it should be illegal to pass out that information without my consent. But I've seen too many examples of my employer passing it on without asking me.

Re:A corrolary .... (2, Insightful)

An Onerous Coward (222037) | more than 8 years ago | (#13929956)

Nah. Long term, I think that SSNs should be considered public information. Somebody finding out your SSN should be about as harmful as somebody finding out your hair color.

What should be illegal is using a person's SSN as an authentication mechanism. If it's considered public knowledge, then companies wouldn't be running around going, "Well, if you're really Bob Smith of Trenton, NJ then what... is.... yoursocialsecuritynumber????"

Identity theft (0)

Anonymous Coward | more than 8 years ago | (#13929820)

Personally, I dont care if someone steals my stupid identity. Identity theft is only a concern if you need credit. Why do corpoations use SSN's to identify people? That said, I am more afraid of the govt. stealing my identity and throwing me in jail. What a crappy system SSN's are. Hell I would post my SSN on here. Hell, make me a shirt with my SSN and address information printed on it.

SSN (5, Interesting)

PresidentEnder (849024) | more than 8 years ago | (#13929822)

It's actually never legally allowed to require a social security number; "they" can request it, but not demand it, unless "they" are a government agency (and at least in MT, the DMV doesn't make you give them one for a driver's license). Most things are therefore doable without; in fact, on various forms, I give any of three different names (with or without my middle name, or with middle and first transposed) with my SSN. Nobody ever gets mad at me for it, even though my social security card only lists the "right" one.

Incidentally, Richard Nixon's social security number is 567-68-0515; there are many cases where a given agency doesn't actually need your number, and it's perfectly appropriate to give them his instead. Have fun.

a more pressing question..... (3, Interesting)

tloh (451585) | more than 8 years ago | (#13929826)

I hate to flip the question at hand on its head, but a friend of mine got himself into a potential landmine of a problem last week when he possibly *LOST* his SS ID card at the subway station. (We're all still praying for him to find it elsewhere, but the chances of that are pretty grim. Guess that'll teach him to start using a wallet like us normal people. But a better lesson would probably be to just not carry the damn thing around - how hard is it to memorize 9 digits anyway?) He said he didn't think a person's SSN could be changed. Any advice on what he should do or be prepared to deal with?

Re:a more pressing question..... (1)

mopslik (688435) | more than 8 years ago | (#13929858)

But a better lesson would probably be to just not carry the damn thing around - how hard is it to memorize 9 digits anyway?

How many times does he actually have to recite his SSN? In the rare instance that he needs it (employer, government) can't he say "I'll get back to you, I don't have it on me"?

My SIN (aka Canadian SSN) card lives at home in a drawer. Apart from tax time once a year, I haven't had to give the number out since I started my last job several years ago.

Re:a more pressing question..... (1)

Traegorn (856071) | more than 8 years ago | (#13929869)

You can most definitely request a new Social Security number.

Re:a more pressing question..... (0)

Anonymous Coward | more than 8 years ago | (#13929945)

I have the string 666 in the middle of my SSN and I got a letter when I was about 17 years old asking if I wanted a new number that did not contain the three sixes. I said no, but at least they asked.

Re:a more pressing question..... (1)

tlayne (20529) | more than 8 years ago | (#13929964)

Any advice on what he should do

How about apply for a replacement card? It's really not that big of a deal. You go to the local Social Security Administration, fill out the application for a replacement card, and in a few weeks you have it. Why would you want to change your SSN anyway? Afraid you'll draw too much if they see all that money you made when you were young?

Re:a more pressing question..... (3, Informative)

Unleashd (664454) | more than 8 years ago | (#13929976)

He needs to start by contacting the three big credit agencies and alert them to potential identity theft this will make opening a new CC or any new line of credit more difficult with only his SSN.

Contact info:
# Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
# Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013
# TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

More information about what to do is at the FTC's website
http://www.ftc.gov/bcp/conline/pubs/credit/idtheft mini.htm [ftc.gov]

Please check out the section titled: "IDENTITY THEFT VICTIMS: IMMEDIATE STEPS". Tell him not to wait on this ... get on it immediately because the theives will as well.

Let me tell you... (5, Interesting)

soren42 (700305) | more than 8 years ago | (#13929832)

I never thought I'd have an issue with identity theft, as a Vice President at a top 5 U.S. bank (in IT, of course). Two years ago, I was building a MythTV DVR PC, and wanted to get a good deal. I scoured the internet for the lowest prices on every individual component, and along the way, apparently ended up giving my Visa CheckCard number to the wrong person.

Suffice to say, they did not need my SSN, or anything beyond what would normally be used to purchase items online. I found out when my card was denied at a store - the theif had emptied my primary checking account, and because I had overdraft protection, the attached savings account in one night. Nice thing was, the bank immediately reimbursed me for the fraudlent purchases, followed up with the police, and prosecuted. (Not simply because I am an employee, mind you - but I did get something most people in my situation don't, follow-up. Typically, the bank reimburses a customer and follows up with the authorities separately - without ever contacting the customer again unless required.)

Now, I use a random card number service associated with my credit card to purchase anything on the internet. It may not be the worst form of identity theft, but it can be inconvient, expensive, and time-consuming to recover. I had to deal with bounced checks for bills, and set the fraud alert on my credit bureaus as a result of this. It's certainly worth using a temporary card service if your bank or credit card company offer it.

Just my "It happened to me" tale, but it's one we hear over and over again these days.

Re:Let me tell you... (0)

Anonymous Coward | more than 8 years ago | (#13929911)

> I never thought I'd have an issue with identity theft, as a Vice President at a top 5 U.S. bank (in IT, of course).

Which is why most banks outsource offshore. Bet your company still does it anyway.

Re:Let me tell you... (1)

belmolis (702863) | more than 8 years ago | (#13929942)

What's a "random card number service"? Sounds like something a lot of us could use, but I've never heard of it. If the banks where I have credit cards (Wells Fargo and Bank of Montreal) have it, I'm not aware ofit.

You really want to find out? (1)

Palal (836081) | more than 8 years ago | (#13929833)

Start with google and Zabasearch and go from there. I would suggest running a background check on yourself..... well you get the picture.

Control my bank account (1)

martalli (818692) | more than 8 years ago | (#13929839)

Having forgotten the password to my bank account's online access, I walked into my bank and asked to get a new password. Somewhat to my surprise, they didn't ask me for ID or even my account number. I would like to think it is because I am one of the few doctors in my small town, but if so, the lady at the desk wouldn't have asked my name, then how to spell it! Not only is my account visible, but so is our practice's bank accounts...I hope your bank's security is better than mine!!

Re:Control my bank account (0)

Anonymous Coward | more than 8 years ago | (#13929932)

About a year ago, I entered a Bank of America location in Fort Worth, TX to set up a new checking account. It was a slow day, so I was escourted into the Vice President's office (apparently the functional branch managers are Pee Wee Vee Pees). When he left the room to get some administrative bullshit, he left his computer logged in.

I hopped on, and wrote word doc equivalent to "wow. you actually left your computer unsecured with a customer in the room."

When he returned, he chuckled a bit, and wanted to continue setting up my account. He was totally unphased.

If you want to respond to this, please contact Kennith Lewis.

Placing responisibilty appropriatly. (1)

unixbugs (654234) | more than 8 years ago | (#13929844)

The burden of proof falls between the consumer and the financial instituion, which is little more than literally something like IOS with its holes or the older kernels, or even Windows machines in the less responsible circuits. I can speak from experience when I say that the proliferation of spyware and the ease of setting up a dot-com over the net with stolen credit card numbers makes it all too easy to maintain and even automate systems of identity theft. It is not an individual 'someone is stalking me' type thing, there is no specific target; but thanks to operating systems like Windows it is all too easy to gain access to more than just your name, address, and ssn. This is just the little finger of organized crime and is such because it is considered petty and easily obtainable. The real money is in hiding it all.

Recent efforts to place authentication responsibility on the financial institution will, at any end, come back to the consumer. It will be up to the consumer to provide enough secret information about themselves in order to verify their identity which in turn relys on the security of the entire channel of communication. All of this from the microphone on the computer to the guy who sweeps the floor at some phone company, to the cable guy outside your house, and to the honesty of the police tapping your lines without a warrant these day. You could fall victim to this by running any kind of 802.11x, encrypted or not. Id like to say I am paranoid, but Ive had the displeasure of being the recipient of abuse@ for a large AS with more than a quarter of a million IP's. It gets pretty ugle and honestly folks, there is no end is sight as long as we cant fix the bugs in our own machines.

ask slashdot... (3, Insightful)

know1 (854868) | more than 8 years ago | (#13929850)

"So how exactly do I own if all i have are these few details from a romanian site?"

Many scri^W^W^Wsecurity professionals await your responses

SSN's are easy (1)

dr. graefy (802665) | more than 8 years ago | (#13929855)

Even if it were true that you couldn't do much without a SSN (which many before me have pointed out is not true at all), how difficult is it to get your grubby hands on an SSN anyway? Institutions have been using them as id numbers for YEARs.

SSN number not necessary (1, Interesting)

Anonymous Coward | more than 8 years ago | (#13929857)

I remember reading an article where a reporter gave someone who specializes in digging up info on people just HIS NAME. No SSN.

A little while later he managed to figure out the SSN. He used that to get credit reports. Once he had the credit reports, he found out every conceivable bit of personal info.

Within 3 weeks, the expert got the reporter's complete bank statements, all stock accounts, he knew every financial detail you can imagine. He even found some accounts the reporter had forgotten about. He said, "the only thing I can't get are medical records because those aren't digitally stored" -- well that's changing too of course.

How did he do it? Once he got the credit report, he would just call up a bank or brokerage house and announce in a loud, authoritative voice "I'm conduction an *offical* investigation into such and such and I need this and that info" and because he knew how to do it correctly the person on the other end would blurt everything out immediately almost 100% of the time.

What the Navy says about SSNs (5, Funny)

katana (122232) | more than 8 years ago | (#13929859)

"Attack submarine, designed to seek and destroy enemy submarines and surface ships. Their other missions range from intelligence collection and special forces delivery to anti-ship and strike warfare. It is a multi-mission vessel, capable of deploying to forward ocean areas to search out and destroy enemy submarines and surface ships and to fire missiles in support of other forces."

Sounds pretty serious. If you have an SSN, you should definitely not let another person or country get hold of it. Frankly, I'm amazed that anyone in America can get an SSN, but that's liberty for you.

I'm already using a Fake ID with no SS number (3, Funny)

microcars (708223) | more than 8 years ago | (#13929862)

after years of signing up with different on-line thingies that insist on making me use a "secret" question and answer and won't let me leave it blank I now have a separate ID for on-line anonymous usage.

Different Year/Month/Day Born
Different town I was BORN in (yes that was one of the "secret" questions)
Different Mother's Maiden Name (actually I have several of these and rotate them or combine them...)
Different Town and ZipCode where I live
A non-existant Favorite Pet
Same Gender though....

I did sign on to Classmates.com as one of the kids I hated.
I started getting emails from all the girls that would never go out with me in High School!

I couldn't reply though because it was the "free" version of Classmates.com, however, I took comfort knowing the guy I was impersonating could not sign up as himself as I had already taken that position!

karma's a bitch ain't it?

Re:I'm already using a Fake ID with no SS number (1)

unixbugs (654234) | more than 8 years ago | (#13929953)

Ok so who's credit do you buy your house with? Do you have a new car? How did you get your electricity turned on? Have you opened a bank account recently? Have you applied for a credit card in the last 10 years? How about your driver's license and auto insurance, propert taxes and simple shit like getting diapers at wal-mart when you are out of cash. What are you going to do with bogus info to further yourself? This is the topic of the article. This post is fucking retarded. Im going to post "HOW CAN I HACK HOTMAIL" next and see what kind of responses I get.

Re:I'm already using a Fake ID with no SS number (0)

Anonymous Coward | more than 8 years ago | (#13929955)

So that was YOU!

Hey you're just jealous cause all the girls WANT ME!

Bank card number (0)

Anonymous Coward | more than 8 years ago | (#13929864)

At least in Texas, the checking account-linked debit cards offer no protection, and no recompense in the case of fraud.

If I consent to be charged $3000 for a gold ring and recieve yellow-painted tin instead, then, unless the merchant corrects the error:

If I have a credit card, I can initiate a chargeback.
If I have a check card, I must place a stop-payment on the check, which will not help unless I realize the mistake before my check does.

If my card is stolen, then:

credit - Visa/MC will protect me (terms vary) from charges exceeding the initial $50. or so.

check - my protection begins when 1) I report the card stolen, or 2) when the bank sees that my account is empty - which may not be for 3 days because of check "floating" time.

Why should someone presume that a hacker can intercept a credit card number but NOT the cvs number when used in a transaction?

Re:Bank card number (4, Insightful)

PCM2 (4486) | more than 8 years ago | (#13930000)

At least in Texas, the checking account-linked debit cards offer no protection, and no recompense in the case of fraud.
I'm not sure what you mean by "check card" in the above, but the protections on ATM debit cards [state.tx.us] in Texas are similar, though not the same, as the protections afforded to credit cards. You are not liable above $50, provided you report the card stolen in a timely fashion.

Easy way to get the SSN? (1)

jmcmunn (307798) | more than 8 years ago | (#13929868)


I would say go to the post office and fill out a change of address form just before tax time. Fill it out for your target person, and drop it in the mail somewhere around Dec 31st. Have the forwarding address sent to you (or better yet a PO Box or something.

A lot of companies send W2's in the mail I would imagine...and they will have your SSN on them. So now you have bak statements, SSN, credit card stuff, just about everything in some cases.

This seems pretty easy when you think about it...which is why I always have my bills and credit card statements delievered online, preferably not to an email address directly, but so that I have to go view the bill each month with a password protected page...at least then someone has to be sniffing my network at the actual time I type the info in (and hopefully then it will be a secure page).

Fortunately, messing with someones mail is a pretty serious federal offense, so most people will not cross this line and redirect your mail. Also, the post office eventually sends out a notice to the old address which basically confirms the change of address, so you would have to intercept that as well in order to delay the person from finding out you're stealing their mail.

This is probably all pretty far fetched, but certainly possible under the right circumstances.

Just having their bills is enough (5, Interesting)

Crash Gordon (233006) | more than 8 years ago | (#13929871)

I've been helping a relative with Alzheimer's, and I've been able to do pretty much anything I wanted, aside from dealing with actual money.

Telephone service is particularly easy to mess with; I just called repairs and ordered service changes and no attempt was ever made to check on me. I was able to add and delete services, change phone numbers and billing addresses, etc. I didn't even have be at the service location to order any changes.

For utility accounts, all the info I've ever needed was on the bills. Again, I was able to change services, update billing records, etc. all without any difficulty. It's been very convenient for me to be able to set things up without having to muck around with Powers of Attorney and so on, but it gives me the shivers to realize what must be possible to one "skilled in the arts".

Once you have utility bills with your address on them you can establish a residence and a lot of stuff follows from that. For instance, I could easily get a library card and enroll my kids in school in the town where this relative lives.

With a little bit of creativity I could probably do stuff with money, too. I guess it's a good thing I'm honest, huh?

Why is that even the question? (4, Insightful)

Pantero Blanco (792776) | more than 8 years ago | (#13929884)

Considering that acquiring the SSNs of large groups of people is as easy as getting a desk job in certain businesses or educational institutions, I'd say getting an SSN is probably the EASY part of identity theft. How much can be done without having one would seem to be a moot point.

Define Dangerous (3, Interesting)

fortunate_monk (921451) | more than 8 years ago | (#13929905)

I suppose it all depends on what you consider to be potentially damaging information. You may not be able to run up my credit card if you possess my account number with my cellphone company but you will have access to information I consider private. Imagine, for example, an employer suspecting you of having contact with a rival company. It would be possible, with information other than your SSN, to obtain copies of your call records. I would consider this a breach of privacy and potentially damaging.
I expect (though I don't always trust) any company I give my personal information to keep that information private no matter what that company perceives the potential damage of that information to be. The bad guys are often more inovative than the good guys and who knows what they can do with any given piece of data?

Missing the point (2, Insightful)

caller9 (764851) | more than 8 years ago | (#13929908)

You guys know this SSN thing was dictated by db schema developers. What's a good primary key...hmmmm...SSN! yeah that'll do. Hey that could also be a good default password. Yeah or login name! This is great as long as every other financial or educational institution doesn't pick up our idea.

SSN isn't the problem. Anytime you have a national universal "user id come password" you're asking for it. Inside a state DL#s are probably somewhat a commodity in dark hat circles. Though not as usefull in financial situations.

Isn't SSN and other more personal info available from credit reporting agencies with some $$ and a name for any jackass?

Re:Missing the point (1)

phasm42 (588479) | more than 8 years ago | (#13930003)

I think SSNs are recycled, so they wouldn't make a very good primary key...

Who checks your SSN anyway? (1)

max born (739948) | more than 8 years ago | (#13929909)

When you open a bank account do they check that your SSN matches your name?

I often give a fake SSN especially when I think the organization asking for it shouldn't, like when I get cell phone service for example.

Re:Who checks your SSN anyway? (1)

jshaped (899227) | more than 8 years ago | (#13929933)

Have you ever really tried to get cell phone service?
Don't they use your SSN to check your credit rating?
I doubt a fake SSN will get you very far...

Stupid, stupid, stupid...system (1, Insightful)

Anonymous Coward | more than 8 years ago | (#13929910)

Why is the ID the government uses to key their database
so valuable ? Because the system is BROKEN. SSN should
be (and actually pretty much is) public information,
just like your name. Anything requiring secure authentication
should use a shared secret (such as a PIN) or some even
more secure mechanism. Using a non-secret value as a
shared secret is just plan brain damaged. I'm constantly
amazed that this never comes up in the press coverage
of 'identity theft' (which should really be called
'identity offered for the taking by idiot financial companies').

Ask Mitnik (0)

Anonymous Coward | more than 8 years ago | (#13929914)

Perhaps you should pick up a copy of "The Art of Deception", or realize that all of a persons *private* should be kept *private*, not just because it can be a security risk, but because you've been trusted with information that the client wouldn't likely wear on the back of their shirt.

while at the bank today.. (5, Interesting)

Sfing_ter (99478) | more than 8 years ago | (#13929915)

A little old lady had moved a year earlier, and a credit card co. sent her "checks" to use against her credit card... to the old address. So, whoever moved in there (or whoever stole the mail) was using the checks before they expired for things that were nondescript. Wrote the checks to pay some bills and buy some things, local address sure come on in no id required.Yes it is that easy and that simple. However, if you have all the pieces it gets much worse.

I'm waiting for RIDS - Retinal Identification System, gonna use my glass eye, eh Sammy?

Identity Infringement != Theft (0)

Anonymous Coward | more than 8 years ago | (#13929916)

Theft implies that someone takes something from you which you no longer possess. You still own your identity after "identity theft"; it's just been tarnished by some douchebag. Therefore, it is not right to call it "identity theft"; we should call it "identity infringement" (or just plain old "fraud") so as not to confuse the issues.

What exactly could you do WITH a SSN (1)

jnguy (683993) | more than 8 years ago | (#13929917)

Just curious as to what you can do with a SSN and no other information. I suppose you can try to find the rest of the information of the person that the SSN belongs to... but isn't it weird that so much of our identity relies on a single number?

Who even needs a SSN? (1)

woolio (927141) | more than 8 years ago | (#13929922)

I wonder, does anyone even *need* an SSN to do much 'identity theft'? Sure, it is often demanded on forms, etc... But of those that ask for SSN, how many organizations actually verify it or use it in a matter that would implicitly verify it? I think someone's identity could be well-tarnished just with a name and address.

After all, banks in the US long ago stopped checking signatures on checks to see if they actually match... They basically will cash any check with a scribble on the signature line. I suspect the handling of SSNs might be similar in some circumstances.

Internationalist (1)

Schwarzgerat (915840) | more than 8 years ago | (#13929923)

Not a bad safeguard in the US, but what about foreign companies and transactions, alot of people have dealings with companies from many countries and your US SSN just isn't a factor.

Out and out identity theft might be ruled out but someone with your personal information could still cause you serious problems.

ID's? No problem (1)

zephris (925151) | more than 8 years ago | (#13929936)

I'm in my first semester back to college from a 14 year break. I've only showed my ID twice (when I was getting my books and when I got my school ID). Every other time, it's social security number recited to show who I am. Don't have my driver's lisence when I get pulled over? No problem. I have the DL number memorized, which usually surprises the officer enough to let me go (not that this happens regularly, mind you).

Re:ID's? No problem (0)

Anonymous Coward | more than 8 years ago | (#13930008)

I didn't even need to show ID to get my school ID, all I had to give was my ID number.

It's the concept... (3, Interesting)

mrBoB (63135) | more than 8 years ago | (#13929937)

I don't know about anyone else, however I view information such as you've listed as being privileged. Said information may not be so described legally as being privileged or confidential, but that's just how I feel about them. SSN is the most critical of course, but you said discount it. Account numbers, mailing address, Names, birthdates, familial relations and phone numbers could all be gleaned by some amount of investigation by a person or persons so inclined at getting it; it'd be a lot of work, but it could be done. You then have a picture of "me," who I am, what I do, why I do, etc. You might be able to do something with this, like call up Dominoes and order a pizza, or get online and buy a book from Amazon. If you call the right guy at 1st National Bank of Bumfuck, you might just be able to break into my account and steal my money; how much is that guy getting paid to look out for my interests?

      All this being said, if a company doesn't do what I consider adequate protection of my information, I don't want to do business with them. It's not that a malicious user couldn't get it any other way; I just don't want to make it any easier for them to get to me. Let them go hog-heaven on the blue-hairs that don't know any better.

      And I haven't even talked about your real question. What could one do with a "lowly" account number? Well you tell me. Let's say that's all Joey Malicious has on me. Has he hacked in to your network? Does he have access to your applications and know how to use them? Do you KNOW he hasn't? All I know is that when I call the credit card company, they want the account number and SSN. Are they typing it in with me and can't proceed without me, or are they verifying my answers against what they see on the screen?

      What if Joe Malicious works for your company? I'd say you, as a member in the financial industry, are in a much better place to answer this question. YOU need to tell ME that my fears are unfounded, that technically Jane Helper can't review my account info and do a transfer without my account number AND SSN AND mothers maiden name AND first-born sons' DNA because she has to enter it into the system as well. Of course, most financial institutions don't disclose their security practices (or lack thereof) for obvious reasons. None of us outside your "closed-source" way of operating can truly trust the process. All we know is that the threat is real, and we have little control of the problem.

I realise that this if for the Americans... (2, Interesting)

aaza (635147) | more than 8 years ago | (#13929944)

...but I feel like giving a different perspective.

In Australia, the closest equivalent we have is the TFN (Tax File Number). The only people that end up with it are:

  • The Australian Tax Office
  • Your current employer(s)
  • Any bank (credit union, building society etc) that pays interest
  • Possibly private health insurance (due to tax breaks for those that have it) - note: private health is voluntary here

As far as I can tell, it is NOT an offence to refuse to give it to any of these groups. That includes the Tax Office themselves. There are consequences of not quoting it, however. Namely, all tax payable is taken out at the maximum tax rate. To not give it to the ATO means that your tax return can be delayed while they search for you by name and DOB.

Also, it's pretty crap as ID for banks, because all they get is a small note on the screen of your account details that says "TFN received" or similar. This makes much more sense, IMHO.

SSN is convenient, even for security folks (0)

Anonymous Coward | more than 8 years ago | (#13929947)

I'm in a computer security (technically 'Information Assurance') program sponsored by the National Science Foundation but 'managed' by the Office of Personnel Management (OPM). OPM requires that we register on their site to post resumes, search for jobs, etc. If you look at the login page [opm.gov] , can you guess what they chose to use for the User ID?

It amazes me that a government agency in charge of 'managing' a computer security -- sorry, Assurance -- program would use such an item for a User ID. Even more amazingly, when I started the program, that little lock in the bottom right-hand corner wasn't even there! OPM did not appreciate me addressing the irony of websites security when I started the program.

Verizon DSL Password Resets (0)

Anonymous Coward | more than 8 years ago | (#13929951)

My side job requires me to do office support for small businesses and this is something that I have noticed: Verizon DSL requires NO real information from me other than "I am performing work for so-and-so. I need to reset the master password." I have done this on at least 10 occasions in the past 12 months or so. Their idea of verification is to ask: "are you authorized to make changes to this account?"

After I get the master password reset, I can:

1: Add, remove or access all sub email accounts
2: Cancel the service
3: Upgrade the service, etc.

However, Comcast, the other major provider in the area, has an incredibly anal password reset process, that involves your account numbers, SSN's, etc... It's always a bitch to do.

Now, from the persepective of a systems support guy, Verizon's proceedure is AWESOME. Makes my life easier.

But you can be damn sure that when I get their FIOS service that I am going to demand some form of account lock that cannot be deactivated by anyone but myself.

RFID (1)

brakken (607726) | more than 8 years ago | (#13929959)

Well, soon all you'll need to do is to clone someone's RFID tag and you'll be good to go. I can see many Christians turn hackers once you're required to have the mark of the best implanted into your body.

SSN is fucked up (0)

Anonymous Coward | more than 8 years ago | (#13929962)

That system just doesn't work, all the paranoia about not having a universal ID, yet you all have some sort of ID (driver's license, SSN, etc). In other countries, it's standard to have a national ID, which is similar to a passport, and required for important paperwork (at least in my country, a card ID is also available, much better for everyday use). Identity theft is unheard of, and easily proven.

Dear Slashdot (1)

csamuel (607788) | more than 8 years ago | (#13929967)

I have all of the info necessary for stealing this guy's identity except his SSN. What all can do without it?

Signed,
John Q. Criminal

SSN Issues (1)

Fubar420 (701126) | more than 8 years ago | (#13929972)

So here's my short tale.

I've never had an identity theft, or any other issues, but I have a lot of financial accounts.

Every bank, every company, and every place that questions my credit tends to request my SSN. Some, if I ask "can i give you something else", respond affirmatively, but most do not. So your SSN is distributed to any company that you ask for financial consideration.

For the rich, that never changes, really, so its rare you worry about it, unless your stupid. If your lower class, you'll never be a victim, if only because you'd never be approved for new credit (for most cases..)

It's the middle class that gets killed. The middle class changes accounts as it serves their benefits (ccard interest rates, cash back, etc). These incentives mean little to the wealthy as they've negotiated (close to) prime rates, but it means the world to those who pay 26% on their cards :-) [not me, but I've seen it before].

Basically, yes, your SS is protected, untill you give it away... But the rich dont need to, the poor dont need to, and the middle class cant afford to deal with identity theft. _That's_ why its an issue.

[Mind you if someone below middle class gets hit, its even harder, but its rarer for them to be targeted, cite above...]

Why does ebay verify identity by credit card? (0)

Anonymous Coward | more than 8 years ago | (#13929975)

Ebay must be run by a con artist who wants your credit card just to verify your identity!

Don't worry- they don't want to charge anything to your account. They just want your account
numbers for their database. Sounds like pure bunko.

Should this be a red flag?

The easiest way to get money... (0)

Anonymous Coward | more than 8 years ago | (#13929991)

Would be to have some bank deposit slips. You already have a name and an account number. Just give a sob story about how your wallet got stollen with your license in it. All you have to be able to do is produce some form of ID that is convincing... Say, an old high school photo ID. If you have someone thorough, then they'll ask additional information. If not, then you're as good as gold as long as you don't get too greedy and try to pull out too much money. I only say this because it happened to me. I was mugged, I have an honest face, and I pulled out cash of my own account. Not too hard. Trust me.

Every piece of data... (1)

Create an Account (841457) | more than 8 years ago | (#13930006)

Every piece of data is another tool to be used in social engineering attacks. The problem is that when they have enough info about you, they can often convince you (or others, such as employees at your bank or doctor's office) that it is okay to give them the SSN as well.

This is why it is important to try to teach people to treat requests for sensitive info (SSN or other) with deep suspicion. Doing this is as hard as trying to teach non-computer literate people about good browsing habits, for I think similar reasons.

The environment makes the nature of the threats complex, requiring complex behaviors to remain relatively safe. Americans are accustomed to having things explained in 7 minute segments between commercials. If you can't make it simple, many people just lose interest.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...