Schneier on Security
A blog covering security and security technology.
March 27, 2007
How to Recover from Identity Theft
A 24-point checklist (U.S.-specific).
Posted on March 27, 2007 at 1:07 PM
I'd like to see some offerings to help with the criminal and medical uses of stolen IDs.
For instance how can you know that someone has bought a house and built a meth lab using your name? Or worse, shown a cop a license with your data after committing a crime?
How do you know when someone uses your ID to obtain medical services in another state? How can you tell if your medical files are then corrupted in one particular hospital system?
I'm finding it interesting that the fundamental rules of protecting oneself from identity theft--like not giving out one's SSN or birth date unnecessarily--are apparently completely disregarded by government hiring agencies.
I recently moved to Arlington, VA and am job hunting. I'd like to work for the NSF, and of course the other job opportunities here are often government or government related.
Apparently, these types of jobs (and I know for sure NSF and the TSA) REQUIRE that I give up my SSN and birthdate on an ONLINE submission form just to apply for a job.
From the NSF FAQ page:
"Q. I'm uncomfortable using my Social Security Number. Is there any way I can fill out an application without it?
A. No. Your Social Security Number (SSN) is one of the few reliable means government agencies have of distinguishing one applicant from another. We request your SSN under the authority of Executive Order 9397 in order to keep your records straight; other people may have the same name. As allowed by law or Presidential directive, we use your SSN to seek information about you from employers, schools, banks, and others who know you. Your SSN may also be used in studies and computer matching with other Government files, for example, files on unpaid student loans. If you do not give us your SSN or any other information we requested, we cannot process your application, which is the first step in getting a job. Also, incomplete addresses and ZIP codes will slow processing. In addition, eRecruit is a secure, encrypted website and your Social Security Number cannot be accessed by anyone who is not directly involved in the hiring process.
Q. Why am I required to provide my date of birth?
A. We ask for your date of birth (DOB) in order to verify your password if you lose or forget it. The only way we can reset your password is to first verify that you are who you say you are, by matching not only your social security number but also your date of birth. If we do not verify that you are who you say you are, there is a risk that someone else could pose as you and change your information or access your personal data. The selecting official will never see your date of birth; only the HR Specialist could access that information after the position has closed. By requiring both the SSN and DOB we ensure the highest level of security for your information, which is why the system will not allow you to proceed without inputting your date of birth."
So which is it? Who is responsible for the safety of my identity and data, me or the government? Me, or my economic circumstances? I personally don't believe that any agency that has people apply online, and online ONLY, can guarantee my data privacy--it just doesn't make sense, or take into account the nature of the internet and the various parameters of online access and vulnerability. But then again, I have read too much Schneier and had my own real world experiences with "the sure thing of online security".
I actually applied for a low level TSA job at a recent job fair, a job far below my training, just to try to get a job, and the TSA called me and asked me for my SSN. They wouldn't give me a callback number to verify their identity, just told me to go to the web and put my SSN in there. That was for a $12-an-hour job. Can you imagine how many poor people are giving out their SSNs to *hopefully* get a job or interview?
I find myself in the gray zone of security tradeoffs--I need an income, so maybe I'll have to compromise my own standards of security and give up my identifying data in a public arena like the internet, just to hopefully be considered for a cubie job. Reminds me of an Orwell novel. :)
Tamara, jobless in the nation's capital
@ How do you know when someone uses your ID to obtain medical services in another state?
With my health insurance I also have to show a simple insurance card (easy to copy that one) and a retired military ID (not so easy, with the scanning bar code data on the back that contains my records). Yes, it can also be forged, but unlikely.
The checklist is very helpful and should be part of every organization's security awareness program (teach your employees personal security, and your organization benefits). However, the points of the checklist bring out the main problem of the whole identity theft thing. The victim has to prove victimization--over and over and over with every creditor and company that accepts the stolen identity for as long as that stolen identity information continues to be used. This is so wrong.
Half the problem is damn "pre-approved" half filled in credit card applications that turn up in your mailbox half the time. And you can get a credit card without going face to face with anyone - i.e. photocopies of IDs faxed, etc. - these merchants are to blame for these frauds.
The problem of social security numbers is much like the problem of copy protection and DRM, which I believe Bruce and most of his readers agree is simply impossible and mostly pointless to even try.
The government needs to ensure that social security numbers can no longer be used for authentication purposes. It can't be outlawed, it would simply be too burdensome and difficult to enforce.
I believe the answer is to publish a list of every single person with a social security number along with their SSN. Give a year or two advance warning so people can prepare, then put it out there. Once the list is public knowledge then we can give up the pretense of trying to keep the thing secret, and everyone will be forced to find some other, reasonable way of authenticating people. It will probably be a painful transition but the current situation is already painful, and the sooner we start getting rid of it the better off we'll be.
And I say shoot jerks like you.
Unless you are total idiot, these stops are too basic.
Bruce .. Please ... F*****ing Please read the crap before posting .. if we (at least I) sometime believe in your judgment in posting, honor it by not constantly posting useless drivel.
"Unless you are total idiot, these stops are too basic." (sic)
Would sooth_sayer like to give us an example of more advanced fraud recovery please? Some indication of sooth_sayer's experience in this field would also be welcome.
I would also ask sooth_sayer to have some kind of respect when commenting on someone else's website. Criticism can be done constructively; otherwise it is usually ignored as drivel itself, sir.
With sooth_sayer's comment, we can see that he has a peanut-sized brain. There is no information that is too basic when you are targeting a large audience. There are thousands of people that don't know the first step in recovering from a fraud. If the post doesn't fit your needs then move on and leave your uncivilized comments to yourself.
NightVision: I agree with your sentiment, but your first sentence was an ad hominem attack on s_s, therefore also an uncivilised comment.
I think you're all being very civilized. I should know - I invented civilization myself. I was the first caveman to insult my enemy instead of clubbing him on the head.
I was also the first guy to impersonate a total stranger and give him a bad reputation. I did it just for kicks. If only I'd known it could be so profitable...
Yes .. I agree I screwed up by mistyping "stops" for "steps".
But the point is .. that THIS blog is presumably serious and the article in question was written for the "masses", so the two don't fit.
Some of you are so smart that you can sense the size of the brain behind a written word, but can't comprehend the written words. This is truly an amazing facility.
Ironically, the lowest paying place I've applied for a job at (Dollar Tree) has the best privacy on a job app I've ever seen.
No copying of ID, No DOB, only last 4 of your SSN, and you provide your full SSN and ID only upon hiring.
With this place, if you don't get hired, you haven't given ID thieves anything to work with. :p
Identity theft comes in many forms. I seem to be prone to what I think of as "address theft." It's not me they're looking for, but it's had an unpleasant impact on my life.
What I find interesting is how often I get calls from debt collection agencies looking for James or Jason mylastname. In the case of Jason, after constantly getting my answering machine filled up with skip tracer messages, I actually called them back after a while, and said "there is no Jason here, and never has been, so please stop calling me." That lasted about six months, then they were back calling me. Once, I even got someone from a collection agency knocking on the door, looking for one of these guys. That time, I called the cops and asked what to do. What you've been doing, they said. Just tell them you don't know these people and go away. These guys even have the wrong gender.
My theory is that since I only use my first initial in the phone listings, someone has borrowed *part* of my identity out of the phone book.
Of course, I have no idea where these listings come from, anyway. A few years back, I went through a spate of lots of dunning letters addressed to a rental tenant of mine (different name, who lives at a property I own in a different city), and still have no idea why they were coming to MY address. (She claimed not to know, either.) Lately, that has shifted to dunning letters to a *male* first name and the tenant's last name, still at my address. There is also someone wanted not just by bill collectors, but by the police all over the state, who uses my address. (His last name is the same as the couple from whom I bought my house, 20 years ago, so my theory is he's some relation. For all I know, he's also James/Jason.)
I doubt they have advice for people suffering from "address theft."
Bruce has railed against better identity authentication as a way of preventing identity theft, preferring instead that identity theft prevention should rely on "authenticating the transactions" like the credit card companies do to deal with fraud. Bruce points out that the credit card companies can spot potential fraud by the patterns of credit card transactions, and will call you to verify a transaction if it looks suspicious. Maybe sometimes. But check out the series on identity theft that MSNBC is running (www.msnbc.msn.com/id/3032600/). Although they have focused so far on credit card fraud, the show illustrates that stolen credit card numbers are used for purchases within minutes of being posted to chatrooms that traffic in stolen card numbers. So where is the authentication of those transactions? It doesn't exist. Bruce, you should reconsider. There is something fundamentally wrong with a system that accepts knowledge of a SSN as "proof" of one's identity. If you claim an identity, there needs to be a better way to prove that you are who you claim to be.