I wrote an application for a banking client a few years ago that required a valid SSN. In addition to using the information available on ssa.gov to check the validity of a number, I built a simple filter to exclude valid, but otherwise fraudulent numbers. While none of the steps I took are a bulletproof measure against identity theft, they do lighten the load a bit.
I cross-referenced the SSN death index to ensure dead people had not risen from the grave to apply for credit. I also excluded the popular "fake" SSNs used in advertising (http://en.wikipedia.org/wiki/Social_Security_number#SSNs_inv...), and I most definitely added Todd Davis's number to the list. This last step seemed like a no-brainer given all of the publicity at the time.
While I can understand a small boutique store not going to those lengths to prevent a fraudulent account, I am a little surprised that AT&T and Verizon were among the casualties.
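The kind of screening filter bullseye describes above, sketched as an added example (not the poster's code and not part of the original thread): the structural rules for numbers that were never issued, a deny-list of numbers known from advertising, and lookups against caller-supplied lists. The `deceased` and `publicized` sets and every sample value passed to them are constructed placeholders.

```python
import re
from enum import Enum


class Verdict(Enum):
    OK = "passes screening"
    MALFORMED = "not shaped like an SSN"
    NEVER_ISSUED = "structurally invalid, never issued"
    ADVERTISING = "well-known number from advertising or samples"
    PUBLICIZED = "on the locally maintained publicized-number list"
    DECEASED = "present in the death-index extract"


_SSN = re.compile(r"([0-9]{3})-?([0-9]{2})-?([0-9]{4})")

# Publicly documented invalid numbers: the Woolworth wallet sample card,
# the specimen number from an SSA pamphlet, and the 987-65-4320..4329
# block reserved for use in advertising.
ADVERTISING = frozenset({"078051120", "219099999"}
                        | {f"98765432{d}" for d in range(10)})


def normalize(raw):
    """Return the SSN as nine ASCII digits, or None if it is malformed."""
    m = _SSN.fullmatch(raw.strip())
    return "".join(m.groups()) if m else None


def screen(raw, deceased=frozenset(), publicized=frozenset()):
    """Screen one applicant-supplied SSN.

    deceased / publicized are sets of normalized nine-digit strings that
    the caller loads from its own sources (assumed here; e.g. a death-index
    extract and a hand-maintained list of numbers seen in the press).
    """
    ssn = normalize(raw)
    if ssn is None:
        return Verdict.MALFORMED
    # Check the deny-list first so the reason reported is the specific one.
    if ssn in ADVERTISING:
        return Verdict.ADVERTISING
    area, group, serial = int(ssn[:3]), int(ssn[3:5]), int(ssn[5:])
    # Area 000, 666 and 900-999, group 00 and serial 0000 are never assigned.
    if area in (0, 666) or area >= 900 or group == 0 or serial == 0:
        return Verdict.NEVER_ISSUED
    if ssn in publicized:
        return Verdict.PUBLICIZED
    if ssn in deceased:
        return Verdict.DECEASED
    # OK only means "not obviously bogus"; it does not show that the number
    # belongs to the applicant, which is the gap the thread is discussing.
    return Verdict.OK


if __name__ == "__main__":
    for sample in ("078-05-1120", "666-12-3456", "123-45-6789"):  # constructed
        print(sample, "->", screen(sample).value)
```

A number that passes this filter can still be someone else's, or a transposition of the applicant's own, so the result is a pre-filter and not an identity check.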
A lot of identity theft occurs when people just make up an SSN and use it to gain employment or credit. If they are lucky, the credit file doesn't exist yet and no one is the wiser.
The "theft" part occurs when someone who is assigned that SSN starts using it and finds out that they have $300,000 in bad loans on their credit file. This is usually a kid who is applying for student loans or their first car loan. Then they must spend time/money cleaning up their credit file.
Years ago when I first set up my bank account with a big bank (I believe I was 13?), they transposed two of the numbers in my SSN. Ten years later, this mistake was finally caught when somebody attempted to set up an account using their correct SSN, which conveniently was my mistaken SSN.
And that's when I realized how easy it is to steal a person's identity.
It's interesting you could do all this with an SSN. The program I mean. If you can do this easily, then why can dead people still vote... I am being serious.
The entire identity-theft problem can be solved by a very simple mechanism. If I apply for a loan for a car, the dealer takes my info and tries to run my credit online. Immediately I get an automated phone call that says "Dealer ABC is trying to sign you up for service: AUTOLOAN. To allow this service, enter your 4 digit pin." If I do not have my cellphone, I can directly call a 1-800 number, enter my SSN + PIN and confirm the sign up. I do NOT have to provide any vendor with my PIN.
Who manages/offers this service? Experian/TransUnion etc. could do this for a very small fee. Sure, there would be the issue of lost PINs, unavailability of Internet access, not having your cell on you etc. but I think it could work very well. Right now, it is possible for someone to find out my SSN# from a piece of paper from a trashcan and immediately buy a phone in my name. At least I can change my pin if someone finds out.
There was such a product provided by Debix (http://debix.com). It relied upon a law called the Fair Credit Reporting Act which allowed consumers to place a fraud alert on their credit file, which the creditor was supposed to call. Debix placed the fraud alert on behalf of consumers, but directed the creditor to call Debix which delivered the credit request using exactly such an authentication mechanism that you describe. This was 2003.
Lifelock used the same mechanism (though without the phone authentication, IIRC). Experian sued Lifelock saying that the FCRA did not allow for companies to set fraud alerts on behalf of consumers, only consumers were allowed to set them. In May of last year, a judge agreed with Experian, and Lifelock later settled and stopped using fraud alerts. http://www.finextra.com/news/fullstory.aspx?newsitemid=20078
Unfortunately, this ruling also meant that Debix could no longer set fraud alerts, so they had to cancel this product.
The truth is such a product creates friction in the instant credit market, which is a huge source of income for credit bureaus. So they have very little incentive to slow that process down and would rather just catch any exceptions using monitoring.
The credit bureaus are an industry crying out for disruption. These guys are dinosaurs and are living it large because there is no real alternative. Unfortunately, they also seem to have plenty of political capital to prevent any real legislative reform in this area.
Disclosure: I used to work for Debix and have ownership in the company.
Read my comment below. A similar service already exists with all the credit bureaus. It's called a "credit freeze".
How it works is when you're about to apply for credit somewhere, you ask them "what bureau are you checking?" Then you go online to that bureau and temporarily "thaw" your credit just for that inquiry. And there's a nominal charge for this service.
This proposal allows a seller to avoid being a victim of buyer identity theft, but it provides nothing for a consumer who must prove that he did not sign for an auto loan.
The real issue here is everyone assuming social security numbers are meant to be 'secret'. It is a terrible way to authenticate someone. There have been recent studies to show how non-random someone's number actually is.
Someone recently suggested the 'nuclear' option of making everyone's social security number public and forcing all institutions to figure out a better model. This may be too extreme but something like that may be necessary.
I agree that SSNs are used in a contradictory manner. They are both a universal identifier -- something you have to give to open a bank account, etc., and something that many places use to track your information, and a universal authenticator, wherein only YOU are supposed to know your SSN.
It's like requiring everyone's username to double as their password. It is a seriously broken system, something else has to be figured out.
I just get annoyed whenever I'm asked for my social security number for something stupid. They always ask me for it at blood drives, and if I ask why they need it, they get really mad and have never given me a decent answer. If I refuse they assign me a different tracking number but treat me like dirt the whole time.
One of the biggest users of social security numbers for identification is the US military. When my dad was in the army, my mom and I both had his SSN memorized because we had to use it so often on paperwork.
Hell, they might as well. Our college used them as ID numbers for the first year I was there. We wrote it on all our tests. Forget about it, that stuff isn't secure.
Unfortunately these "credit monitoring services" are basically useless. The only real solution is to "freeze your credit" which makes credit inaccessible to anyone unless you provide an unlock code (which temporarily "thaws" your credit). The cost ranges from $3-$10 per person per bureau to freeze a credit report which is considerably cheaper than the $10/month lifelock service. More information on how to do this here:
Thanks for the heads-up, no idea how I managed to miss this technique. It's hilarious that this is what it takes to not be screwed by the current credit system.
> It’s not fair to [AT&T] because they’re losing a pretty substantial amount of money.
AT&T isn't even bothering to check photo ID. Being defrauded is a risk they have eagerly assumed. Presumably they make more money this way, despite fraud.
Exactly. I put a majority of the blame on these companies that for some reason can't be bothered to check an ID.
On the back of my debit and credit card I sign it with "Check ID" since the cashier is supposed to at minimum verify the signature. I've had cards stolen multiple times and have had them used before I could cancel them. So much for verifying the signature.
There's something that I don't understand about these identity theft cases. If I didn't really sign any document, why should I be held responsible just because someone else used something public (non-private) about me?
P.S. To be more clear: the company giving the loan should prove that I signed the documents, not I that I didn't sign them. The presumption of innocence if you will.
This is why the Wired article seems a little exaggerated to me.
1) He will never be responsible for any of these claims from merchants ("seller beware")
2) Any major transaction would not go through since they'd pull a credit report and see his profile is frozen (I believe LifeLock just freezes credit for you on your behalf)
Given the above, it seems like this is a trade-off between the time spent getting this stuff off your credit report (I think you would just file an error with the bureau, but perhaps it's more involved), vs. the benefit gained by the marketing tactic.
I guess this could serve as a kind of honeypot so the company can observe the attacks on this guy and then improve the service. But according to the FTC in this article their service doesn't work, so apparently it was nothing more than a marketing stunt.
This goes to show how crafty identity thieves really are -- and how stupid it is to let them get any bit of private data. If they can steal his identity, why not yours? He has staked his reputation on LifeLock's services, and lost. Maybe this will knock some sense into the share-all generation.
Exactly why people have a right to be up in arms about Facebook changing privacy policies without allowing users to opt-in voluntarily.
Identity theft is a serious issue, most young techies haven't been a victim simply because time and risk haven't converged. It can impact your life for years, making it extremely difficult to get a mortgage, car loan, or even land a job in some cases.
From the article, the identity thieves don't sound that crafty at all. They basically just filled out an application and were approved at instant loan shops, phone companies, etc., etc. It goes to show how silly it is to have so much resting on our SS#.
Similar thing happened to Jeremy Clarkson when he put his full bank account details in his newspaper column, thinking that no one could actually withdraw money from his account - he was wrong, someone used his details to sign up for charity direct debits.
Why don't you just implement ID cards like in Europe and skip this social security nonsense? An ID card has your face and height on it, making it more difficult for someone to pass as you.
[+] [-] bullseye|16 years ago|reply
[+] [-] recampbell|16 years ago|reply
http://news.debix.com/index.php/2008/11/teenager-tarnished-b...
Disclosure: I'm a former employee and current investor in Debix.
[+] [-] harshpotatoes|16 years ago|reply
[+] [-] mey|16 years ago|reply
Verifying the SSN using that service for banking (as I'm reading it) is a clear violation of the system.
Reference (http://www.ssa.gov/employer/ssnvshandbk/ssnvs_bso.htm)
If you were using a different service I'd be interested, as we are always looking for new ways to do validation of accounts.
[+] [-] mikeryan|16 years ago|reply
[+] [-] spoiledtechie|16 years ago|reply
[+] [-] chime|16 years ago|reply
[+] [-] recampbell|16 years ago|reply
[+] [-] keltex|16 years ago|reply
[+] [-] ShabbyDoo|16 years ago|reply
[+] [-] sriramk|16 years ago|reply
[+] [-] cookiecaper|16 years ago|reply
[+] [-] TallGuyShort|16 years ago|reply
[+] [-] smallblacksun|16 years ago|reply
[+] [-] orblivion|16 years ago|reply
[+] [-] keltex|16 years ago|reply
http://clarkhoward.com/topics/credit_freeze_states.html
[+] [-] natrius|16 years ago|reply
[+] [-] cullenking|16 years ago|reply
[+] [-] russell_h|16 years ago|reply
[+] [-] nym|16 years ago|reply
[+] [-] prodigal_erik|16 years ago|reply
[+] [-] matwood|16 years ago|reply
[+] [-] ajg1977|16 years ago|reply
[+] [-] orblivion|16 years ago|reply
[+] [-] ciupicri|16 years ago|reply
[+] [-] smallblacksun|16 years ago|reply
[+] [-] johnnyb4|16 years ago|reply
[+] [-] jsdalton|16 years ago|reply
[+] [-] ajg1977|16 years ago|reply
After all, it's not always the case that product->quality == marketing->quality.
[+] [-] pwhelan|16 years ago|reply
Got what he deserved, especially considering he was fined for deceptive advertising because of crappy security.
[+] [-] jotto|16 years ago|reply
[+] [-] Groxx|16 years ago|reply
I've never liked those commercials... now I have a concrete reason to dislike the company.
Bring on the ID thefts! He's quite literally asking for it.
[+] [-] orblivion|16 years ago|reply
Or Lifelock is pretty good.
[+] [-] smiler|16 years ago|reply
[+] [-] recampbell|16 years ago|reply
http://www.lifelock.com/our-guarantee
Money quote: "Under the Terms and Conditions, NO money passes directly to our LifeLock members."
http://www.lifelock.com/about-us/about-lifelock/terms-and-co...
"LifeLock will retain and pay for those third party professional services that are reasonably necessary in LifeLock's judgment to assist you in restoring losses or recovering your lost out-of-pocket expenses caused by such fraud. "
Disclosure: I worked for and have ownership in a competitor to Lifelock.
[+] [-] DanielBMarkham|16 years ago|reply
We need more of him.
[+] [-] Tichy|16 years ago|reply
[+] [-] todd_davis|16 years ago|reply
[deleted]
[+] [-] kwyjibo|16 years ago|reply
Doesn't work in the other countries, as long as you don't send in copies of your passport or identity card to claim a fake lottery win ;).
[+] [-] pedalpete|16 years ago|reply
Sub 10k in fraudulent charges on an SSN that is published? Like this?
According to Wikipedia, identity theft doesn't result in the high dollar figures I was expecting: http://en.wikipedia.org/wiki/Identity_theft#Spread_and_impac...
[+] [-] lukeqsee|16 years ago|reply
[+] [-] pxlpshr|16 years ago|reply
[+] [-] nostromo|16 years ago|reply
[+] [-] robinduckett|16 years ago|reply
[+] [-] rmorrison|16 years ago|reply
I wish there was a way for all CEOs to do something similar. Too bad it's kind of difficult for, say, a social web service.
[+] [-] maxklein|16 years ago|reply
[+] [-] unknown|16 years ago|reply
[deleted]
[+] [-] melling|16 years ago|reply
Everyone is seeing if his ss# is still there?
[+] [-] RabidChihuahua|16 years ago|reply