LifeLock CEO’s Identity Stolen 13 Times (wired.com)
207 points by edw519 on May 18, 2010 | hide | past | favorite | 91 comments


I wrote an application for a banking client a few years ago that required a valid SSN. In addition to using the information available on ssa.gov to check the validity of a number, I built a simple filter to exclude valid, but otherwise fraudulent numbers. While none of the steps I took are a bulletproof measure against identity theft, they do lighten the load a bit.

I cross-referenced the SSN death index to ensure dead people had not risen from the grave to apply for credit. I also excluded the popular "fake" SSNs used in advertising (http://en.wikipedia.org/wiki/Social_Security_number#SSNs_inv...), and I most definitely added Todd Davis's number to the list. This last step seemed like a no-brainer given all of the publicity at the time.

While I can understand a small boutique store not going to those lengths to prevent a fraudulent account, I am a little surprised that AT&T and Verizon were among the casualties.


A lot of identity theft occurs when people just make up an SSN and use it to gain employment or credit. If they are lucky, the credit file doesn't exist yet and no one is the wiser.

The "theft" part occurs when someone who is assigned that SSN starts using it and finds out that they have $300,000 in bad loans on their credit file. This is usually a kid who is applying for student loans or their first car loan. Then they must spend time/money cleaning up their credit file.

http://news.debix.com/index.php/2008/11/teenager-tarnished-b...

Disclosure: I'm a former employee and current investor in Debix.


Years ago when I first set up my bank account with a big bank (I believe I was 13?), they transposed two of the numbers in my SSN. Ten years later, this mistake was finally caught when somebody attempted to set up an account using their correct SSN, which conveniently was my mistaken SSN.

And that's when I realized how easy it is to steal a person's identity.


According to the SSNVS service information, you are supposed to only use this information for correctly completing IRS W-2.

Verifying the SSN using that service for banking (as I'm reading it) is a clear violation of the system.

Reference (http://www.ssa.gov/employer/ssnvshandbk/ssnvs_bso.htm)

If you were using a different service I'd be interested, as we are always looking for new ways to do validation of accounts.


We weren't able to use the online verification service, which is the reason I wrote the program I described. It didn't validate a "good" SSN, but rather filtered out bad ones.

http://www.ssa.gov/ and http://www.socialsecurity.gov both have a lot of useful information about structure and allocation of SSNs if you are looking to do something similar.
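An added example (not the commenter's program) of the kind of "filter out bad ones" check described in this thread: it rejects structurally unassignable numbers, the advertising-invalidated numbers from the Wikipedia section linked above, and numbers found in a death index. The published-number list and the death index are constructed placeholders, and the SSA's exclusions (area 000, 666, 900-999; group 00; serial 0000) are assumed to be the only structural rules applied.

```python
import re
from typing import Optional, Tuple, Dict

# Area numbers the SSA has never assigned (000, 666, 900-999). The 2011 move to
# randomized assignment kept these exclusions, so the rule is still usable today.
INVALID_AREAS = {0, 666} | set(range(900, 1000))

# Numbers invalidated by advertising: the Woolworth wallet-insert number and a
# 1940 advertisement. Both are public history, not anyone's current SSN.
ADVERTISING_SSNS = {"078-05-1120", "219-09-9999"}

# Placeholder for numbers the operator has seen published somewhere (the thread's
# "add the CEO's number" step). Constructed value, not a real person's SSN.
PUBLISHED_SSNS = {"123-45-6789"}

# Constructed stand-in for a Death Master File lookup: SSN -> year of death.
DEATH_INDEX: Dict[str, int] = {"234-56-7890": 1998}


def normalize(raw: str) -> Optional[str]:
    """Strip separators and return AAA-GG-SSSS form, or None if not 9 digits."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) != 9:
        return None
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def structural_reason(ssn: str) -> Optional[str]:
    """Return why a normalized SSN can never have been issued, or None."""
    area, group, serial = (int(part) for part in ssn.split("-"))
    if area in INVALID_AREAS:
        return "area never assigned"
    if group == 0:
        return "group 00 never assigned"
    if serial == 0:
        return "serial 0000 never assigned"
    return None


def screen_ssn(raw: str, death_index: Dict[str, int] = DEATH_INDEX) -> Tuple[bool, str]:
    """Reject known-bad numbers. A True result means 'not obviously bad', not
    'belongs to this applicant'; that still needs an authoritative check."""
    ssn = normalize(raw)
    if ssn is None:
        return False, "malformed"
    reason = structural_reason(ssn)
    if reason:
        return False, reason
    if ssn in ADVERTISING_SSNS:
        return False, "invalidated by advertising"
    if ssn in PUBLISHED_SSNS:
        return False, "publicly known number"
    if ssn in death_index:
        return False, f"listed in death index ({death_index[ssn]})"
    return True, "passed filters"


if __name__ == "__main__":
    for sample in ["078-05-1120", "666-12-3456", "234-56-7890", "345678901"]:
        print(sample, screen_ssn(sample))
```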


That was my argument against printing it on my military id. Ignored, of course.


Apparently AT&T and Verizon wanted Todd Davis's business ;-)


It's interesting you could do all this with a SSN. The program I mean. If you can do this easily, then why can dead people still vote... I am being serious.


Voter rolls do not contain your SSN (since volunteers man the registry at polling stations it is considered bad form to put something like this on a list that may just walk out the door at the end of election day.) Voter rolls contain name and address at time of registration or last update to registration. These registries are occasionally purged of dead people when possible, but the risk (a few "dead" people voting) is considered slight compared to the cost of keeping the registry up to date or of disenfranchising someone by mistakenly deciding that they were dead.


> These registries are occasionally purged of dead people when possible, but the risk (a few "dead" people voting) is considered slight compared to the cost of keeping the registry up to date or of disenfranchising someone by mistakenly deciding that they were dead.


The entire identify-theft problem can be solved by a very simple mechanism. If I apply for a loan for a car, the dealer takes my info and tries to run my credit online. Immediately I get an automated phone call that says "Dealer ABC is trying to sign you up for service: AUTOLOAN. To allow this service, enter your 4 digit pin." If I do not have my cellphone, I can directly call a 1-800 number, enter my SSN + PIN and confirm the sign up. I do NOT have to provide any vendor with my PIN.

Who manages/offers this service? Experian/TransUnion etc. could do this for a very small fee. Sure, there would be the issue of lost PINs, unavailability of Internet access, not having your cell on you etc. but I think it could work very well. Right now, it is possible for someone to find out my SSN# from a piece of paper from a trashcan and immediately buy a phone in my name. At least I can change my PIN if someone finds out.


Heh.

There was such a product provided by Debix (http://debix.com). It relied upon a law called the Fair Credit Reporting Act which allowed consumers to place a fraud alert on their credit file, which the creditor was supposed to call. Debix placed the fraud alert on behalf of consumers, but directed the creditor to call Debix which delivered the credit request using exactly such an authentication mechanism that you describe. This was 2003.

Lifelock used the same mechanism (though without the phone authentication, IIRC). Experian sued Lifelock saying that the FCRA did not allow for companies to set fraud alerts on behalf of consumers, only consumers were allowed to set them. In May of last year, a judge agreed with Experian, and Lifelock later settled and stopped using fraud alerts. http://www.finextra.com/news/fullstory.aspx?newsitemid=20078

Unfortunately, this ruling also meant that Debix could no longer set fraud alerts, so they had to cancel this product.

The truth is such a product creates friction in the instant credit market, which is a huge source of income for credit bureaus. So they have very little incentive to slow that process down and would rather just catch any exceptions using monitoring.

The credit bureaus are an industry crying out for disruption. These guys are dinosaurs and are living it large because there is no real alternative. Unfortunately, they also seem to have plenty of political capital to prevent any real legislative reform in this area.

Disclosure: I used to work for Debix and have ownership in the company.


Would you recommend Debix's OnCall service? How does it work?


Read my comment below. A similar service already exists with all the credit bureaus. It's called a "credit freeze".

How it works is when you're about to apply for credit somewhere, you ask them "what bureau are you checking?" Then you go online to that bureau and temporarily "thaw" your credit just for that inquiry. And there's a nominal charge for this service.


I have this on my account, and you don't need to go online to "thaw" it. The bureau calls you and asks "did you just apply for an auto loan at a Hyundai dealership in Florida?" and you reply "no, no I didn't", they say "okay, have a nice day", and that's that.

At least that's what happened when somebody tried to use my identity to buy a Hyundai in Florida.


What you described was not the 'thaw' scenario, but rather, what credit freeze is supposed to do, by design.

The 'thaw' scenario would kick in if you were to legitimately apply yourself for an auto loan at a Hyundai dealership in Florida, and have that loan not be rejected.


When I've applied for credit, I got the same phone call but said "yes, that's me", and everything went through.


This proposal allows a seller to avoid being a victim of buyer identity theft, but it provides nothing for a consumer who must prove that he did not sign for an auto loan.


Surely in that case the solution is simple: if he didn't sign for an auto loan, then his signature will not be on file with the auto loan company, and the burden of proof should fall on them to demonstrate that he is who he says he is (by checking suitable ID during the loan application, if necessary).


the real issue here is everyone assuming social security numbers are meant to be 'secret'. It is a terrible way to authenticate someone. There have been recent studies to show how non-random someone's number actually is.

Someone recently suggested the 'nuclear' option of making everyone's social security number public and forcing all institutions to figure out a better model. This may be too extreme but something like that may be necessary


I agree that SSNs are used in a contradictory manner. They are both a universal identifier -- something you have to give to open a bank account, etc., and something that many places use to track your information, and a universal authenticator, wherein only YOU are supposed to know your SSN.

It's like requiring everyone's username to double as their password. It is a seriously broken system, something else has to be figured out.


> It's like requiring everyone's username to double as their password.

Reminds me of the old joke:

Store Cashier: If you'll just give me your SSN, I'll sign you up for our rewards program.

Customer: Can you keep a secret?

Store Cashier: Of course!

Customer: So can I.


I once worked somewhere where to reset your network password you needed to provide the last 4. As in anyone could use anyone's account without even guessing the password.

To make matters worse, I had my username wrong, and so they helpfully told me "my" SSN, which was someone else's.

We live in a world where I have an 8 digit alphanumeric password protecting my weather preferences, but nothing protecting my credit.


and while we're on the topic of how broken SSNs are...

why is it that the most important piece of identification you receive in your life, that you also need to keep forever, is printed on a crappy piece of paper???


I was really astonished by this when I moved to the US from Canada. Canada gives you a plastic card while after 7 years, my SSN card has pretty much turned into a disintegrating pile of paper dust.


I just get annoyed whenever I'm asked for my social security number for something stupid. They always ask me for it at blood drives, and if I ask why they need it, they get really mad and have never given me a decent answer. If I refuse they assign me a different tracking number but treat me like dirt the whole time.


At least it's not legally required. Every company needs to have an alternative from my understanding. Not sure where this is stated, but at least every company, aside from financial institutions, has allowed me to not use an SSN. It just usually takes a conversation with a couple supervisors and a callback.


The annoying thing is precisely the conversation that is required to convince the person on the other side of the phone call that they do not, in fact, require your SSN.


I'm starting to feel that way about my phone number

buys some socks from the gap

cashier: may I have your number?

me: why on earth do you need that? People actually answer you when you ask them that?


This always irks me, particularly because I feel uncomfortable questioning protocol. Sometimes I refuse. Sometimes I pay by credit card and they say they need it for confirmation.


In most cases the phone number is the best way to geocode a buyer's location. There is a lot of business location analysis going on in the world and geocoding a buyer is a huge part of that.

I usually always give out my phone number (I am a geographer, like I was excited when the census came.) and I have never had calls from the GAP or other stores soliciting anything.

Take off the tinfoil hats and help us geographers!


I had this happen when trying to buy some printer paper. I asked "Why do you need that?" and they said it was so that I could return items without a receipt.

Who, precisely, is going to return printer paper?


They probably have other items at the store that people do return. It's not worth having a different procedure per item.

And besides, maybe you got the wrong size for your printer?


Tell the cashier you don't have a phone. Worst case, you're actually talking on a cellphone at the time and they give you a dirty look.


"I don't have one." is my standard answer when a cashier asks for my email address.


Why not just answer "No"?

As a German citizen, I find this whole matter very weird. I don't understand the need for the social security number system you have over there.


People just kind of latched onto it because it's a number (supposedly) unique to each individual that most people have memorized.

Names don't work because there are many people with the same name, and besides, they are alphabetic. Phone numbers occasionally transfer to others, as do physical addresses, etc. A Social Security number is always unique to its possessor (theoretically) and, for most adults, is available immediately in memory.

As such, it's become a popular "customer ID", as it were, in a lot of systems. If you assign each individual their own ID, they will forget it and mix it up with other IDs from other places, so an SSN is easy for everyone involved.

The problem is that people assume that an SSN is exclusive knowledge and use it as an authenticator -- when something is a universal identifier that you must write on many documents and give to many people (usually along with all other personal stats like address, phone, names, etc.), it just isn't reasonable at all to think that that can function secretly.

When asked for an SSN, a lot of people don't refuse because they imagine the fight would be fruitless and they'd be denied access to the thing they were trying to get. Some people don't understand much about SSNs or how easy it is to steal identities with them, so they don't mind giving it out. There are certain places where an SSN is legally required (for instance, opening a bank account) and sometimes it's hard to know if you're obligated to give the info or not.

Perhaps it wouldn't be so bad if the SSN were used merely as a user ID and there was an authenticator required in each case, but as it is now, in most cases, you can walk in with an SSN and a few widely published data like name and address, and obtain all kinds of loans and accounts from all kinds of places in the name of the SSN's registered owner, because people assume that only the real owner is able to know the SSN. It's this assumption that is responsible for our difficulties.


Make up a number. Works for me.


One of the biggest users of social security numbers for identification is the US military. When my dad was in the army, my mom and I both had his SSN memorized because we had to use it so often on paperwork.


In fact, the US military uses the SSN for the serial number, as in "name, rank, and serial number", the (only) information you are supposed to report to your captors if taken prisoner.

I've always worried that enemy forces would capture our troops, steal their identities, and then ruin their credit.


LOL, I am going to remember that one.

Anyway, I have access to the SSN of just about everyone in the army over the last five years. They do give the special forces people substitute SSN numbers but other than that it's fairly easy information to get access to if you are doing any sort of analysis of army trends.


Hell, they might as well. Our college used them as ID numbers for the first year I was there. We wrote it on all our tests. Forget about it, that stuff isn't secure.


My brother had his identity stolen while he was in school. The perpetrator turned out to be a person who worked in the registrar's office!

When I started grad school they used SSN as the ID number too. I went to the registrar and asked them to change mine. They said they couldn't do it because, as a TA, I was considered an employee and they "had to" use my SSN. You can imagine I wasn't happy.


I was working for the graduate dean's office at my university, and was helping set up a big presentation for new teaching assistants. One of the talks being given was the importance of security and privacy, with a lot of focus on keeping your SSN secure.

As the talk began, the presenter passed around a sheet and asked everyone to sign in - with their name, school, and social security number.

It made it halfway around the big conference hall, and halfway through the talk, before someone finally raised their hand and asked about the incongruity of being at a talk about the importance of keeping SSNs secret, while being asked to sign in with them.


Georgia Tech started off doing this and switched over to a fake 9 digit number while I was there (2001?ish). Since I still remember/recognize it, I use it as my SSN more or less everywhere except for work/W2.


Wow, how long ago was this? Totally a FERPA violation these days. Hell, even the randomly generated student IDs may be private soon. We're already implementing PINs that will need to be entered before staff can talk to students about billing and aid.


My school still does. I believe you can get it changed, but it's a PITA


Unfortunately these "credit monitoring services" are basically useless. The only real solution is to "freeze your credit" which makes credit inaccessible to anyone unless you provide an unlock code (which temporarily "thaws" your credit). The cost ranges from $3-$10 per person per bureau to freeze a credit report which is considerably cheaper than the $10/month lifelock service. More information on how to do this here:

http://clarkhoward.com/topics/credit_freeze_states.html


Isn't that kind of extortion? "We've collected all of this data about you, and we'll give it to anyone unless you pay us some protection money."


absolutely. i've had "build a better credit bureau" on my ideas list for a couple years now. it's a multi-billion dollar industry that could be waaaay more consumer-friendly.


It is consumer friendly.

Credit bureaus are designed to protect lenders, not lendees.


lenders are customers, not consumers. but lendees are customers in the same way facebook's users are customers.

experian and transunion build a business off the backs of consumer data. consumers are reliant on their records, but generally have to pay to get access to them, even to correct a report.

like i said - it's a big, staid, slow-changing opaque industry. looking at it through the right lens makes for a big opportunity.


>lenders are customers, not consumers.

I think you need to re-read that, then explain the difference.

A "consumer" is not a class of person, it is the act of being a customer.


Thanks for the headsup, no idea how I managed to miss this technique. It's hilarious that this is what it takes to not be screwed by the current credit system.


Does anyone (trustworthy) offer a decent centralized interface for managing these credit freezes? I'd happily pay a little extra for such a service.


Thank you, I just did this. Cost me $30, but I believe worth it.


> It’s not fair to [AT&T] because they’re losing a pretty substantial amount of money.

AT&T isn't even bothering to check photo ID. Being defrauded is a risk they have eagerly assumed. Presumably they make more money this way, despite fraud.


Exactly. I put a majority of the blame on these companies that for some reason can't be bothered to check an ID.

On the back of my debit and credit card I sign it with "Check ID" since the cashier is supposed to at minimum verify the signature. I've had cards stolen multiple times and have had them used before I could cancel them. So much for verifying the signature.


The way I've heard it, your signature on the card is actually your acceptance of the contract with the issuing bank, so they are Not Okay with "check id" there instead. The merchant is just expected to verify that the card has been signed, not try to match signatures (doing that correctly requires very rare expertise).


Obviously I don't expect them to do a point by point comparison of the signature, but they are supposed to at least make sure it's there. Writing 'Check ID' should get them to check my ID every time, but so few even look at the card.

This is a funny prank where a guy went out trying to get people to actually look at the back of the card :)

http://www.zug.com/pranks/credit_card/index2.html


Shocking! Next we'll probably find out that the guy from Video Professor doesn't actually have a doctorate..


Well you gotta admit, you can't accuse this guy of lying, or not putting his money where his mouth is.


Your American "identity" is a very cheap business expense if you know you have an "offshore" ID, accounts, and private Island. Cash out, burn house and move out.


There's something that I don't understand about these identity theft cases. If I didn't really sign any document, why should I be held responsible just because someone else used something public (non-private) about me?

P.S. To be more clear: the company giving the loan should prove that I signed the documents, not I that I didn't sign them. The presumption of innocence if you will.


Legally, you aren't. The issue is the time and expense in proving that you didn't sign anything.


This is why I think companies that incorrectly send you to collections or give credit to someone using your identity should not only be on the hook for the money they lost but also liable to the person they are forcing to clear their name.

Years ago I rented at a crappy apartment complex. When I left, their check-out basically meant you always owed them ~$200. I paid and moved out of state. 6 months later I get a collections call saying I didn't pay the bill. I told them I paid it, she said it wasn't and said it was going on my report unless I paid that day. Luckily I paid by check and my bank (like all banks I guess now) keeps canceled checks online for pretty much ever. So now I had to go back 6 months and find this check, then call the apartment, then the collections agency, etc... A HUGE hassle and time waster for me all because the apartment complex employed incompetent people.

The kicker was that the girl trying to collect from me said "people make mistakes and you can't blame them." Um, when I make a mistake and forget to pay a bill you guys jump all over me. You make a mistake and it's still my problem to solve.


It's a weird situation. You're not legally liable for the debt incurred by the thief even if you don't bother to prove anything (although they will still hassle you by phone), but your credit is destroyed.


This is why the Wired article seems a little exaggerated to me.

1) He will never be responsible for any of these claims from merchants ("seller beware")

2) Any major transaction would not go through since they'd pull a credit report and see his profile is frozen (I believe LifeLock just freezes credit for you on your behalf)

Given the above, it seems like this is a trade-off between the time spent getting this stuff off your credit report (I think you would just file an error with the bureau, but perhaps it's more involved), vs. the benefit gained by the marketing tactic.


I knew I'd seen this ad somewhere before: http://37signals.com/svn/posts/353-fly-on-the-wall-lifelock-...


I think you're probably just being snarky, but it is a pretty great marketing concept.

After all, it's not always the case that product->quality == marketing->quality.


Actually, I remember reading it and having the exact same reaction the 37 signals guys did in their thread -- so I certainly wasn't immune to the marketing ploy myself.


If it has only been 13 times, he's lucky. Don't go challenging criminals to screw you over and giving them a crucial piece of information.

Got what he deserved, especially considering he was fined for deceptive advertising because of crappy security.


i guess this could serve as a kind of honeypot so the company can observe the attacks on this guy and then improve the service. but according to the FTC in this article their service doesn't work so apparently it was nothing more than a marketing stunt.


I LOL'd at the article.

I've never liked those commercials... now I have a concrete reason to dislike the company.

Bring on the ID thefts! He's quite literally asking for it.


> lucky

Or Lifelock is pretty good.


Good job he's got a $1 million compensation fund to cover him.


Read the fine print. This covers LifeLock's costs in trying to restore your credit, not any losses you sustain due to having your identity stolen.

http://www.lifelock.com/our-guarantee

Money quote: "Under the Terms and Conditions, NO money passes directly to our LifeLock members."

http://www.lifelock.com/about-us/about-lifelock/terms-and-co...

"LifeLock will retain and pay for those third party professional services that are reasonably necessary in LifeLock's judgment to assist you in restoring losses or recovering your lost out-of-pocket expenses caused by such fraud. "

Disclosure: I worked for and have ownership in a competitor to Lifelock.


"Policy change!"


Davis -- the human identity-theft honeypot.

We need more of him.


Maybe he could have used a fake SSN that says "fraud going on" loud and clear. Are honeypot SSNs possible?


It's really funny that a SSN is enough in the USA to get somebody else in so much trouble.

Doesn't work in the other countries, as long as you don't send in copies of your passport or identity card to claim a fake lottery win ;).


What I find so surprising is the low dollar amounts that were racked up.

Sub 10k in fraudulent charges on an SSN that is published? Like this?

According to Wikipedia, Identity theft doesn't result in the high dollar figures I was expecting http://en.wikipedia.org/wiki/Identity_theft#Spread_and_impac...


This goes to show how crafty identity thieves really are -- and how stupid it is to let them get any bit of private data. If they can steal his identity, why not yours? He has staked his reputation on LifeLock's services, and lost. Maybe this will knock some sense into the share-all generation.


Exactly why people have a right to be up in arms about Facebook changing privacy policies without allowing users to opt-in voluntarily.

Identity theft is a serious issue, most young techies haven't been a victim simply because time and risk haven't converged. It can impact your life for years, making it extremely difficult to get a mortgage, car loan, or even land a job in some cases.


Yup. I myself am a "young techy". I started out not caring about the little bits of data I let out. But now I'm really clamping down; identity theft is too real to take a risk.


From the article, the identity thieves don't sound that crafty at all. They basically just filled out an application and were approved at instant loan shops, phone companies, etc., etc. It goes to show how silly it is to have so much resting on our SS#.


Similar thing happened to Jeremy Clarkson when he put his full bank account details in his newspaper column, thinking that no one could actually withdraw money from his account - he was wrong, someone used his details to sign up for charity direct debits.


While there are obviously some issues with LifeLock, I really appreciate the confidence he has in his product.

I wish there was a way for all CEOs to do something similar. Too bad it's kind of difficult for, say, a social web service.


Why don't you just implement ID cards like in Europe and skip this social security nonsense? An ID card has your face and height on it, making it more difficult for someone to pass as you.


Seems like http://www.lifelock.com is getting a little slow.

Everyone is seeing if his ss# is still there?


Oh...so much for that security.

