Posts

Private Identifiers Not Private

Today’s commerce occurs very much online, with products and services ranging from A to Z. Hence, these many online merchants have hundreds of millions of people around the globe registered with them for convenient purchases.

1PTo verify authentication as the true user of these services, the registrant must supply personal data. If cyber criminals get ahold of this data, much of it can be changed by the user after the breach, such as user name, password and even the address they’ve been using.

However, the Social Security Number and date of birth cannot be changed. When cyber crooks get personal data off of these online retailers and service providers, it invades the customer’s privacy.

Online enterprises must take full responsibility for stolen data. It’s a real serious issue when permanent (“static”) data like DOB and SSN is breached, as opposed to temporary data like a password or answer to a security question.

Of course, the registrants to these sites do bear some culpability when they post their personal data in the public domain. But business sites make posting personal data a requirement to use their site. Unique data like the SSN should not be a requirement.

The online commerce world should know that such a requirement destroys confidence in current and potential customers, and that their competitors who abandon this practice will have the upper hand in gaining and retaining business.

More and more users are realizing that the security systems of online enterprises are weak, putting users at risk for identity theft—a risk that they’re catching onto.

NSS Labs, Inc., a world leader in information security research and advisement, has the following recommendations:

  • Online businesses should limit requiring data that can be shared among other enterprises.
  • Online enterprises should be designed with the anticipation of possible data breaches; this way they’ll minimize risk and be more prepared to mitigate problems.
  • Third-party data breaches should be analyzed by online companies to protect users if data seeps out.
  • “At risk” users should be able to be re-authenticated.
  • Governments need to reassess the idea of using static data like DOB and SSN.
  • Online enterprises must embrace the possibility that legislation will eventually make it illegal to require SSNs from users.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures

Social Security Number: All-Purpose Identifier

Your Social Security number was never meant to serve the various functions it is used for today. Over the past 70 years, the Social Security number has become our de facto national ID. The numbers were originally issued in the 1930s, to track income for Social Security benefits. But “functionality creep,” which occurs when an item, process, or procedure ends up serving a purpose it was never intended to perform, soon took effect.

Banks, motor vehicle registries, doctors’ offices, insurance companies, and even utilities often require a Social Security number to do business. Why do they need it? Sometimes it’s because your Social Security number is attached to government records like taxes or criminal records, but most often it’s because the number is attached to your credit file.

The IRS adopted our Social Security numbers as identifiers for our tax files about 50 years or so ago. Around the same time, banks began using Social Security numbers to report interest payments, and so on.

All the while, Social Security numbers were required for all workers, so their Social Security benefits could be paid. Most people were assigned a number when they applied, sometime around the age of 16. This was until the 1980s, when the IRS began issuing Social Security numbers to track children and babies who were claimed as dependents. By the late ‘90s, it was standard for most hospitals to provide Social Security number application to new moms.

A federal law enacted in 1996 determined that Social Security numbers should be used for “any applicant for a professional license, driver’s license, occupational license, recreational license or marriage license.” The number can be used and recorded by creditors, the Department of Motor Vehicles, whenever a cash transaction exceeds $10,000, and in military matters.

All this leads up to the unfortunate realization that your Social Security number is out there in hundreds, or even thousands of places. It is most definitely not private, nor can it be adequately protected. It’s just like a credit card number. You give it out, you hope the person or company is responsible with it, you hope it’s not breached, but all you can do is monitor your identity’s health and, if your identity is ever stolen, take the appropriate steps in response.

Be sure you have active, comprehensive protection for all of your devices.  McAfee All Access is the only product that lets individuals and families protect a wide variety of Internet-enabled devices, including PCs, Macs, smartphones, tablets, and netbooks, for one low price.

Robert Siciliano is an Online Security Evangelist for McAfee.   See him discuss the use of Social Security numbers as national identification on Fox News. (Disclosures)