"What's your social?" How many times have you heard that question, from credit card companies, doctors' offices, and just about every other type of organization? Perhaps you were confident that all these organizations are keeping your "social" completely confidential. I'm not so confident about that, and here's evidence that they're not:
Security experts held a contest this month to show just how quick and effective Google hacking can be. During a technology security-industry meeting in Seattle, contestants using only Google for less than an hour turned up sensitive information -- potentially useful for financial fraud -- on about 25 million people. They dug up various combinations of people's names, dates of birth, Social Security numbers, and credit-card information, including some card numbers apparently left exposed by the U.S. Department of Justice.
"Identity Theft Made Easier: Hackers Use Simple Tricks With Google, Yahoo Searches To Tap Personal Information," by Kevin J. Delaney, Staff Reporter of The Wall Street Journal, 29 March 2005
This just adds to all the recent cases where organizations have lost massive sets of identity information on millions of people because they didn't keep even rudimentary security over them.
What can you do?
Well, you can complain every time an organization asks for your social security number. Many times they can just as easily look up your account by your name; they're just being lazy. Many organizations that claim they have to ask for your "social" for security purposes can actually ask for something else, including a password that you can set. That's what "mother's maiden name" actually means: a secret the customer supplies, not a government identifier. And you can ask whoever you talk to to register a complaint, from a customer, that their organization is using social security numbers as identifiers at all.
The big problem is of course not that people can use Google or Yahoo! to find identity information. The big problem is that so many organizations collect too much such information and then don't bother to secure it.
I think it would be most useful if some organization were to set up a reputation system whose business was to discover which entities had the most such information visible on the Internet and findable via Google or Yahoo! Such an organization could report first to the affected entities, with a time limit before it made the information public. I don't know how potential liability would be handled in such a case, but once over that little hurdle, such an organization would be doing a great public service and could probably make a bundle advising organizations on what not to publish.
And of course the biggest identity leaks don't come through web search engines anyway. They come through companies mailing unencrypted tapes or keeping backup data on disks that are then stolen. Individuals can't do much about that directly.
"I'm very pessimistic about individual consumers' ability to do much of anything," says Ivan Orton, a senior deputy prosecuting attorney in the fraud division of King County, Wash., and a member of the winning Google-hacking team.
Maybe individually, but collectively customers can vote with their feet. And they can vote with their votes for representatives who will impose liability on companies that are lax with identity information.
-jsq
PS: Thanks to Eileen Gunn for finding this one.
Yup. It's helped when I've refused to give my SSN, stating that by law I don't have to give it to them unless they're actually paying me money. This has worked before when they were desperate for my business (as in credit card companies).
What bugs me is that so many people are using the last four of the "Sosh," thinking that they're being more secure that way, that now even those four digits are widely used as authentication, and are therefore just as dangerous when exposed. Even if we manage to move these organizations off the Social, half of them will try to move to the driver's license number, and then we'll be back where we started.
Posted by: wpn | May 18, 2006 at 11:39 AM
AustinEnergy already asks for driver's license number before telling you anything about your own electric bill.
Very annoying.
Except of course, sometimes they forget and don't ask for any security information, which illustrates that it's probably not very effective.
My speculation is that they're trying to avoid somebody turning off somebody else's electricity, which is laudable, but it's not clear to me that this is a good way to do it.
-jsq
Posted by: jsqrisk | May 18, 2006 at 12:34 PM