posted
I'm sure everyone is aware of "identity theft", where an attacker can use your name, birthdate, and social security number to obtain credit cards, and even send it to a different address than your residence.
quote:It doesn't take much personal information to apply for a credit card in someone else's name. It doesn't take much to submit fraudulent bank transactions in someone else's name. It's surprisingly easy to get an identification card in someone else's name. Our current culture, where identity is verified simply and sloppily, makes it easier for a criminal to impersonate his victim.
Proposed fixes tend to concentrate on the first issue -- making personal data harder to steal -- whereas the real problem is the second. If we're ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions.
Fraudulent transactions have nothing to do with the legitimate account holders. Criminals impersonate legitimate users to financial institutions. That means that any solution can't involve the account holders. That leaves only one reasonable answer: financial institutions need to be liable for fraudulent transactions. They need to be liable for sending erroneous information to credit bureaus based on fraudulent transactions.
And everyone knows that SSN's are used everywhere. The Government Accountablility Office gave a report last year on Social Security Numbers and how they are used in the government and the private sector. Here is the conculsion:
quote:SSNs are still widely used and publicly available, although they have become less so in the last year. Given the significance of the SSN in committing fraud or stealing a person’s identity, it is imperative that steps be taken to protect this number. This is especially true as information technology makes it easier to access individuals’ personal information. The increased availability and aggregation of personal information in public and private sector databases and via the Internet has provided new opportunities for individuals to engage in fraudulent activities. Without proper regulations or safeguards in place, SSNs will remain vulnerable to misuse, thus adding to the growing number of identity theft victims.
Basically the SSN is easy to obtain and it is easy to obtain credit with it. It is like Russian Roulette with people's credit.
Following is a description of some of the things you have to do if your identity is stolen (told by a victim):
quote:5) Be prepared to spend at least ½-1 hour per day (or more) each and every day until the mess is cleared up
6) Be disciplined. You need to work on this each and every day....
10) Be organized. Keep a separate file for each creditor. Keep a running diary of each and every contact, letter, response, phone call. Keep a calendar of reminders and follow up tasks, like when you are supposed to receive xyz document or when to follow up after someone has agreed to take something off your report, finally.
11) I cannot stress this enough. When calling each creditor: Write down the number you called, the exact name, extension number, employee number and department of each and every person you talk to, even if they just want to transfer you to another department. Take down the time and date you called and brief synopsis of the conversation. Trust me this comes in handy later when you are able to say, "Sandy Smithers from the Credit department verified that she received the fax yesterday at 3PM and was going to doodledingle the snozit so I can get this removed from my credit report."
...
15) Be persistent. Follow through, follow through, and follow through. I can't say that enough. When the collection agency says they need you to fill out their form and send it back, call and make sure they have received it. If they need to send the form to you first in the mail, cajole them in to faxing it to you. If they won't fax it to you, call after 5 business days if you haven't received it. I had to call one collection agency every day for a month before they would send me their "fraud packet" which they insisted I needed before they could proceed. What did the fraud packet consist of!? A letter with some boxes to check off stating that they needed the very documents I was telling them I already had.
16) Be completely relentless and follow through some more. When the collection agency, creditor or credit reporting agency has agreed to remove the offending bit of data from your record get it in writing and get it faxed to you immediately. If they are not going to fax it, follow through if it doesn't come in the mail within a 5 business days. Then get a fresh copy of your report (all three of them) to verify that it has actually been removed. If it has not been removed, send your written proof to each agency. Follow up again with a copy of your report, ad nauseam.
17) Never, ever, under any circumstances throw away your file(s). I had a collection agency sell the account to another collection agency 4 years after it had been verified as fraud and supposedly cleared. Had I not had all of the correspondence from the last company, I would have had to go around and around with them again.
In other words, you lose all your free time. I figure the only reason this insane system continues is because identity theft doesn't happen to enough people.
Here are some stats on data loss (which probably isn't the biggest source of identity theft, workers on the inside of a company and viruses are probably the biggest source of identity theft).
One day I read this, which humorously suggest we publish all SSN's:
quote:After I got my letter from the Veterans' Administration last week, I started to wonder if anyone in the US' personal information has NOT yet been compromised. By the time you add up a million here and 900,000 there and 4 million over there, you've covered most of the credit-holding and wage-earning population of the US. I'm sure my math is suspect, but I estimate that there are about 156 Americans whose personal information has not yet been compromised. So, the obvious response is to simply put a bullet through the problem. Using a credit card number or a SSN# as a password (because, really, that's all it is - so what if it's longer than 8 characters) is fundamentally doomed to failure. Perhaps the right thing to do would be to publish EVERYONE's SSN# and credit card #s on January 1st next year. That'd give the banks and credit card companies a few months to field some kind of alternative like 2-factor authentication, web-based permit/deny per transaction, or "ship only to" address locking. Clearly, the problem is going to get worse - LOTS worse - before it gets better. So, like pulling off a band-aid: it's best done with one quick painful jerk.
I got thinking about this, and well, it was suppose to be a humorous comment. But I forgot that over time and came up with a scheme.
The root problem is that financial institutions authenticate a person (over phone or internet) by asking them for answers to questions that THOUSANDS of people know. The solution is to publish the answers to those questions so that EVERYBODY knows them: a public social security number database.
The database would have to be opt-in of course. In other words, people would have to volunteer the information. Naturally they would issue a fraud report the the credit institutions and sign up for daily credit monitoring before participating. Naturally this is risky and will cost time and money up front, but the goal would be to stop the problem of identity theft now rather than later.
A centralized database is too risky. What if someone submits a SSN of someone else? Or what if the credit institutions decide to sue the site owner?
Here is the crux of my scheme. Include SSN's in email signatures, blogs, webpages, forum signatures, etc. In other words, people who want to participate just include their SSN in part of their signatures or whatnot and the internet becomes the database. It isn't in one place. All of a sudden the internet is flooded with SSN's and there is no way to remove them and Google is the database search engine. There is nothing anyone can do but adapt to the SSN now being devalued.
The centralized site would have a petition that listed names who commit to publish their SSN on the prescribed date, and it would contain warnings and list resources to help protect people who participate.
I see 2 responses to this. On one side is: "the participants are crazy and deserve what they get". On the other side is: "the participants are taking a needed risk to fix a problem that wont be fixed otherwise."
For this to motivate the companies to do something, this would have to draw enough national attention and support and the number of participants would have to be great enough and have enough clout that the majority opinion is the latter opinion, that this is a good thing.
What do you think? Would you willingly publish your SSN?
Posts: 1209 | Registered: Dec 2003
| IP: Logged |
posted
Until you need to buy a house. And besides, that still doesn't solve the base problem, which is that basically everyone is using our username as the password. Anyone in a networked computer enviroment knows that you need a unique login. SSN is the unique identifer used nationally. But it is also the password! That is insane.
Posts: 1209 | Registered: Dec 2003
| IP: Logged |
posted
I like that analogy--our username is being used as our password. GOOD point.
And my mother's maiden name isn't that hard to get. My grandmother's (maternal) is a little harder. But not hard enough.
Posts: 2880 | Registered: Jun 2004
| IP: Logged |
posted
Authentication is obviously the issue here. I've called my bank and reset my password with information any determined person can get. Since I've thought of this idea and of publishing my SSN ( ) I keep wondering what banks and credit card companies should do to authenticate that I'm really me.
If it involves debt in my name, an actual meeting is the minimum! I think credit cards should be as hard to get as bank loans. It means you have to have ID. It means having someone witness you signing the contract. You might need a co-signer. Etc.
But even ID isn't secure because you can get forged ID with the same information that is used to get credit cards. So there really needs to be a more secure authentication scheme. There are lots of people working on that problem. And I believe more secure authentication can be created if the people with the resources have the correct motivation. And destroying their current method for authentication is probably the only motivation that will work.
It would be nice if the companies were so inundated with false credit card applications that it would be suicide for them to give the credit without improving their authentication. That is the goal. Put the financial risk on them.
posted
I am often amused at the old magic beliefs. Your name, your true name, held power. Who ever knew your name had control over your life, your future and your fortune.
Evil wizards would destroy good people just by using the power of their true name. Demons and monsters could be shackled by the threat of telling others thier true names. Read the Wizard of Earthsea if you doubt.
Today it is the same, though your true name just so happens to be your social security number.
Posts: 11895 | Registered: Apr 2002
| IP: Logged |
posted
We ought to be utilizing our current level of technology to bridge the gap.
For example: Thumbprint scanners are now very inexpensive. Thumbprint identification/authorization for credit/debit card transactions would bring a previously unheard-of level of security. You would still be vulnerable to someone who was dedicated enough to find out where you live, obtain a thumbprint, reconstruct a fascimile and use it that way (or, in the case of using a home-based thumbprint scanner for online credit transactions, someone who intercepts and interprets fingerprint data), but I don't think you'd be any more prone than you are with a regular login/password system.
The problem as I see it is people, both merchants and consumers, have prioritized convenience over security. The recent advent of wireless credit cards swiped in front of a sensor like a building key card have significantly increased the potential for ID/credit theft (as proved within days of the new "foolproof" system being launched). Cashiers still rarely verify credit card signatures against receipt signatures. My business and personal debit cards both have "SEE ID" written on them in big, bold, sharpie letters - and I get ID'd maybe one in five times, and that's an improvement. Online credit card transactions typically process almost instantly, meaning there isn't a human being manually checking over every order (which, admittedly, may not be feasible with all businesses) to ensure nothing appears terribly suspicious. Many online merchants don't even understand how to take the necessary precautions to protect themselves and their customers, and even fewer consumers really understand why they're at risk.
Edit for missing words, because I suck.
Posts: 4313 | Registered: Sep 2004
| IP: Logged |
Printer-friendly view of this topic
![[Smile]](smile.gif)
So, the obvious response is to simply put a bullet through the problem. Using a credit card number or a SSN# as a password (because, really, that's all it is - so what if it's longer than 8 characters) is fundamentally doomed to failure. Perhaps the right thing to do would be to publish EVERYONE's SSN# and credit card #s on January 1st next year. That'd give the banks and credit card companies a few months to field some kind of alternative like 2-factor authentication, web-based permit/deny per transaction, or "ship only to" address locking. Clearly, the problem is going to get worse - LOTS worse - before it gets better. So, like pulling off a band-aid: it's best done with one quick painful jerk.
![[Angst]](graemlins/angst.gif)
) I keep wondering what banks and credit card companies should do to authenticate that I'm really me.
