Identity Theft Search Engine Not Such A Wise Idea
from the look,-there's-me dept
With all of the data breaches that have been in the news lately, it’s understandable that many people would like to know if their personal information was part of the lost data (hint: it probably was). To meet this need, a new site is offering a way for users to search a database of social security numbers and credit cards that have been exposed. This seems problematic for several reasons. As some are pointing out, it seems dangerous to get internet users into the habit of submitting their personal data on the internet to anyone but the most trusted sites. Even if this particular site is completely legitimate, its mere existence will probably spawn shadier imitators. Furthermore, because the site also offers anti-identity theft solutions, that require the user to enter in more personal information, its own database is likely to be a juicy target for attackers. And then there’s the problem of what the user is to do once they see their social security number in the database. Obviously the site would like people to sign up for its own service, but barring that, there’s no obvious next step after someone discovers that at some point their personal data may have been disclosed. While monitoring may be an important tool in combating identity theft, throwing a service out there as a come on for a specific identity theft solution, does not seem like a particularly good idea.
Comments on “Identity Theft Search Engine Not Such A Wise Idea”
The heart is in the right place...
but I don’t think this is a good idea. Its a known fact that in this day and age a database with online access is an attacker’s all you can eat buffet. Not only that but people that dataphish will clamor to create a look-a-like site to take advantage of people. When verification and authentication are getting more difficult to secure and guarantee putting another target (espcially one this juicy) out is bad news. I don’t even want to think of the plight of a customer whose info could be stolen and used by multiple thieves.
wow...
if i was still is mischievous youngster, i’d be drooling over the very mention of this idea.
What if...
Is it just me or does anyone else see the scammers rigging up a system to continuously query random social security numbers until it gets a hit. This would give them confirmation of a valid ID.
Granted, it’s confirmation of one that’s been leaked and could be under watch, but criminals don’t always think that far ahead. Additionally, since most companies are just getting a slap on the wrist, it’s not like there’s any serious monitoring going on …. and I should know. My company has been dragged through the mud often enough to point this out to me.
In the end, I like the idea that consumers would have one place to go to see if their information has been exposed. However, I think perhaps something in your credit report with the big 3 might be more appropriate.
Since US citizens are now entitled to free annual reports, perhaps adding a mandatory section of “Your information was leaked by:” with a listing of company AND leak date might be better with required reporting of leaks to the credit bureaus.
Heck – step up punishment of the leakers. Require them to pay for quarterly reports to be sent to every POTENTIAL victim, not just the actual victims for a reasonable length of time, but no less than 2 years.
I (obviously) haven’t taken the time to think that out, but maybe it’s a starting point. Who knows. All I do know is that many systems are broken here and “something needs to be done for the children….” 🙂 (sorry – couldn’t resist the last line)
Personal Identifying Information
I definitely agree with punishing the leakers. A good start would be to require them to pay a penalty, say $100,000, to each person whose personal info was leaked, each time!! Nothing is going to fix this problem until the laws regulating this kind of activity have some teeth. As it stands right now, a company faces no penalties for carelessness. It is cheaper for them to do nothing and let your info be harvested.
Personal Identifying Information again
Sorry, I forgot the new mandatory tag line at the end!!
I definitely agree with punishing the leakers. A good start would be to require them to pay a penalty, say $100,000, to each person whose personal info was leaked, each time!! Nothing is going to fix this problem until the laws regulating this kind of activity have some teeth. As it stands right now, a company faces no penalties for carelessness. It is cheaper for them to do nothing and let your info be harvested.
“Something needs to be done for the children….”
Re: Personal Identifying Information again
“Something needs to be done for the children….”
and the poor widow woman;
and the abused spouse;
and the out-of-work laboror;
and the handicap;
and the minority;
and on and on and on.
Re: Re: Personal Identifying Information again
The working American is the new minority that you and your kind keep wanting to milk and bilk.
Giving Out Your SSN......
to anyone other than the IRS, your doctor or Social Security should result in destruction of your PC/Mac and a ban from using any technology for 5 years. This includes telephones.
hmmm......
Would it bit easier to just require a business not to store all of our personal information in one database and heavy encrypt it always? Those that don’t conform get the heaver fines etc.
ouch
Dang… Their hearts seem to be in the right place. It’s just a bad idea. 😛
SSN not ID
I have heard of someone who, when asked for his SSN for ID purposes, makes up a number, of the right length, and uses that instead. This number is always the same when dealing with each company, but it is not his SSN. Since an SSN is not supposed to be used for ID, no-one can complain, and he is safe from identity thieves who want to use his details elsewhere.
Brain Dead implementation?
It is hard to know if the implementation is as cryptographically naive as the writeup suggests.
A proper implementation would store a hash in the data base, not the raw data. To query, the hash would be computed locally and the clear text would never leave the user’s computer. More importantly, the clear text would not be stored on the central computer.
To receive VC money, someone has to have thought of this … I hope. Even if the user is entering into a web form, local JavaScript can map the SSN entered into a hash for DB query.
Identity search engine
I could not bring myself to enter my personal information on the site for those very reasons. There should be other qualifiers used to cross reference the information they have on file, if they indeed have it, such as an address used with a date of birth or other qualifiying criteria.