
Social Security, Social Anxiety

Having your private information leaked is bad enough, but having it put on BitTorrent is really the final insult.

It happened before with MySpace photos. By most accounts, the private images made available earlier this year via peer-to-peer networks consisted largely of poorly snapped photos of people you didn’t know getting drunk at parties you weren’t at.

Then there was the incident with Harvard, which placed private information, including Social Security numbers (SSNs) from 6,600 of the world’s brightest college applicants, in a place vulnerable to hackers. All that info somehow got seeded into BitTorrent too.

When pro hackers steal your data, you can usually comfort yourself a little with the notion that your info is in the hands of professionals. Sure, they’re professional crooks, but you can at least tell yourself that they probably have millions of people’s info, it’s shared only among customers who are willing to pay, and even though they’re targeting your finances, at least it’s a known target you can monitor.

This BitTorrent business, on the other hand, introduces a stronger unknown element: Now your information is roaming free on the Net, vulnerable not only to pro hackers who are after your money but also to amateur pranksters who’ll do who knows what with it, and everyone in between. It’s like being spied on by a handful of peeping toms versus waking up naked on the pitcher’s mound in a crowded baseball stadium, jumbotron and all.

The Harvard information is going to be lingering out there for a long, long time, and unless any of those applicants want to go through the painful process of getting a new SSN, the fact will remain that someone out there has something on them that he or she shouldn’t have.

Even getting a clean SSN is barely worth it, because chances are, it’ll just get leaked again somehow. All it takes is one slip by a clueless and underpaid clerk working in some administrative office, and another scrap of your data is blowing in the wind. Anyone out there who wants a nice list of Social Security Numbers and matching names need not look far.

Then and Now

When SSNs were first issued in 1936, they were basically nothing more than promises of meal tickets for American citizens when they got too old to work anymore. In return, those who signed up would have to let the government track their lifetime income and shave off a little for those already on the dole.

Now, your Social Security number has become perhaps the most important piece of personal information you have. You need one in order to make a legitimate living.

Using a nine-digit number to prove one’s identity may have made sense several decades ago. From a modern perspective, though, it’s a completely reckless system. Computer and network access are no longer limited to trained corporate and government personnel, and even sensitive data goes flying around in messy splashes every now and then.

SSNs have spread far from their original purpose of tracking income. It’s not just about getting a job. You hand it to a stranger every time you get an apartment, apply to a school, or even get a gym membership. Maybe they’ll be careful with it, maybe not.

If not, an identity thief doesn’t need much more than a scrap of paper your landlord forgot to shred in order to open a line of credit in your name. He or she can borrow a few thousand dollars and disappear. Even if you take advantage of the fact that you can get two free credit checks per year, you may not know about a fraud incident for six months — enough time for it to begin causing problems with your credit rating. If you don’t, you may not know about it until your first call from a collections agent. There are plenty more elaborate scams — it’s all up to the thief’s imagination.

The credit rating is the real worry. A loss of a few thousand bucks can be recouped, but damaging someone’s credit report can seriously affect his or her life and future.

Weak Remedies

Matching someone’s name to a nine-digit number — a nugget of information people are expected to hand over to strangers from time to time — has somehow become widely accepted as solid proof of identity. We’ve been forced to have a Social Security number in order to have any measure of social mobility, yet the tools we have to protect it are weak compared to the power the number holds. There are plenty of things wrong with how the system usually works; here are just four:

  • Two free credit checks per year. A lot can happen to a credit rating in six months. Want to know more often than that? You’ll have to pay to check your own information.
  • Opt-out subscriptions. Even if you think it’s ridiculous to have to pay to keep an eye on your own information, you may be tricked into doing it.

    Obtaining your semi-annual free report often means agreeing to a trial subscription for constant access — which soon turns into a paid subscription. It’s pretty easy to miss the fine print telling you you’re about to get hooked into a membership as you plug in all your personal information, especially when the URL you’re visiting is FreeCreditReport.com. Once you’re a “member,” you’ll have to click around quite a while before you find any cancellation options. Try calling the toll-free number, and you’ll get pitched to at least three times before they finally, mercifully let you cancel the subscription before having to pay.

  • The old “one year of free credit monitoring” mea culpa. This is the fruitcake of the identity theft world — a standard gift that everyone tosses around but nobody finds very useful. Once any company or government agency screws up big and makes news by exposing thousands of people to identity theft, they give everyone involved a year of free credit checks along with maybe a written letter of apology.

    However, most of the victims of any personal info leak will have the same names and Social Security numbers for the rest of their lives. A year from now, that information will be just as leaked as it was yesterday. They should be given free credit checks for life (though I wonder whether any kind of policy requiring that would make organizations less eager to admit a data leak).

  • The need for LifeLock. LifeLock has been criticized for several things — among them charging people for something they could do themselves for free. It keeps your name on constant alert with all the major credit bureaus and continuously renews those alerts the moment they expire. Whenever anyone tries to use your SSN for a credit inquiry — or even to open up a new home utility service — you get a call.

    I don’t see anything shady about that specifically. Yes, you can do that yourself, but you can also change the oil in your own car. Most people just prefer to take it to a shop. But why should you have to hire an outside service or make a new round of phone calls every three months just to remind the bureaus to take good care? As gatekeeper of your financial good name, and by basing many of their credit decisions on a fallible ID number you’re more or less required to have, these credit bureaus have injected themselves into your life in a very intimate way. Why should you have to keep them in a constant state of red alert just to find out when someone’s trying to futz with your credit?

Perhaps no system can be perfect, but the system as it exists now calls for something better — phone verification on all new lines of credit, perhaps, or a PIN kept only by credit bureaus and individuals but not by employers or any other third party.

Most solutions would no doubt be expensive to implement, but I wonder how much money creditors and credit bureaus might save by not having to chase after so many claims of identity fraud. Basically, we need a system wherein handing a job application to the shift manager at Burger King does not mean you’re basically handing over the keys to your personal kingdom.

Click here to e-mail Paul Hartsock.
