Comments
All these days breaches are
All these days breaches are so great, I'll never need to pay for identity monitoring services again! I'll have 3 free ones at any time from a constant stream of leaks. Keep it up!
/s
2 breach notifications in the past 3 months
The first, from a community college in Michigan where I took 3 or 4 classes. In 1984-1986. Astounding that they still had my info stored.
They offered free enrollment in a monitoring service for 2 years, the more recent vendor was offering the same monitoring service.
yeah
Yeah, it's great until you have your identity stolen. Had a friend whose SSN was taken, and that person took over all their bank accounts and credit cards. Took months for it to sort out, and even now he still has issues with some systems because they still have not received notice that his SSN was changed (apparently this is very hard to do).
It's also not so great because it's happening more and more. This costs companies (and you, as a passed-on cost) a ton of money to investigate. It's no longer as simple as "just reload the server from a backup"; now lawyers and infosec people get involved.
The lawyers are the ones who are winning here. They get to bill so many hours now doing this stuff, as their biggest concern is dealing with a company's insurance carrier. Cuz God forbid that your identity is stolen and you might track it back to a specific leak and sue. Which is nearly impossible to do since this happens so much lately, but the breath of a lawsuit will make lawyers perk up like a dog when you open a can of dog food.
I can't say too much, but I deal with these issues almost daily now. Had two customers last week inform us of breaches, and another one yesterday. All I do now is assist and look into findings (as to why it happened).
The good news is that if this continues, I'll be employed forever (with my InfoSec training).
Another scam that can be done with a
Another scam that can be done with a stolen SSN: e-filing a tax return in your name for a big refund that gets sent to the thief. If you learn about your SSN being stolen, contact the IRS stat to put a fraud alert on your account. This happened at a company I worked for, and I shared this tip with my coworkers. One didn't follow my advice, and got hit.
Data breeches
The DB must have fallen out of their pocket.
Once more into the breech
Fixed, thanks.
As long as we are correcting things.....
Henry V says "unto" the breach
The financial industry’s big
The financial industry’s big mistake was to ever treat SSNs, driver’s license numbers, etc. as secrets. They’re mostly over it now, but for a long time they believed that you knowing my social security number was evidence that you were me.
If everyone involved from the beginning had been clear that these numbers and other identifying information were not in principle or in practice secret, and should play no role in authentication, we would have designed all sorts of systems and procedures very differently, to the extent that data breaches would be much less of a big deal, because merely possessing information about me wouldn’t be much help in impersonating me.
Its not ID
It's not that these are being used as ID. It's that these are being stored somewhere, period.
I can't say many details, but a recent client of mine had their entire Microsoft SQL database files sucked off their database server. This included names, addresses, SSNs, and everything in between.
Now that data lives on the dark web and is being sold for large amounts of money. If you knew whose information belonged to what people, you'd be saddened that this has happened, as... I can just say this... these people cannot help themselves most of the time, nor have the capacity to even know their identity was stolen. (That's the real crime here, really.)
If there was a good reason to have a nationalized ID, identity theft would be greatly reduced, as it's easy to change that number (like you can on your driver's license). SSN... that's a whole different headache to change.
I think we may be talking past each other
I, too, have some information security experience.
My point is that my name and address are not secret. Neither is my birthday. There should be nothing that a fraudster can do with that information that could hurt me in any way. Knowing my name and address and birthday should never be enough to open a bank account in my name, nor to take out credit in my name, nor to file a fraudulent tax return with a big refund, in my name, nor to convince my bank that you're me.
The same ought to be true for social security numbers and driver's license numbers. If we had made it clear from the beginning that those pieces of information were not secret, and that nobody should rely on them for authentication, then having databases full of them be stolen would not be a problem. Heck, publish it all in the phone book for all anyone would care.
"Not for identification"
The social security card that I got way back in the 1970s had that printed on it. Is this no longer the case?
“Not for identification”
“Not for identification” refers to the physical card, meaning that presenting the card shouldn’t be taken as evidence that the bearer is the person named on the card.
As kind of a geeky tangent: people, even bank and many infosec people, are really sloppy in their use of the terms “identify” and “identification”.
My tattered business card that someone picked up from the sidewalk is perfectly good identification: it has my name, address, email and phone. It uniquely identifies me, since nobody else has those same attributes. It identifies me. What it doesn't do is say anything at all about who the person holding the card is. Of course, pointing at me and saying "that guy there in the blue shirt" identifies me too (see: deictic reference).
What people often mean by "identify" or "present identification" is actually "authenticate your claim of identity," i.e. present evidence that you are the person you claim to be. That's where tamper-resistant documents with photos or other biometrics, like driver's licenses or passports, come in.
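The identify/authenticate split this comment and the "talking past each other" reply describe, as an added Python example that is not part of the thread: the record store holds only public identifiers plus a public verification key, so a full copy of it lets an attacker find a record but not pass as its owner. The record, SSN and the hash-based Lamport one-time signature (chosen because it needs nothing outside the standard library) are constructed assumptions for illustration.

```python
import hashlib
import secrets

# Added example, not from the thread. A Lamport one-time signature (hash-based,
# stdlib only) stands in for whatever real credential a bank would issue; the
# point is structural: identifiers select a record, a private key authenticates.

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(msg: bytes):
    d = _h(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]

def keygen():
    """Private key: 256 pairs of random secrets. Public key: their hashes.
    One-time scheme: each private key must sign exactly one message."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk

def sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        _h(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))

def identify(records, ssn):
    """Identification: a public identifier selects a record, nothing more."""
    return records.get(ssn)

def authenticate(records, ssn, challenge: bytes, response) -> bool:
    """Authentication: the responder must hold the record's private key."""
    rec = identify(records, ssn)
    return rec is not None and verify(rec["pk"], challenge, response)

def demo():
    # Constructed sample record; every field stored here is assumed public.
    sk, pk = keygen()                      # sk lives only on the customer's device
    records = {"123-45-6789": {"name": "A. Example", "dob": "1970-01-01", "pk": pk}}
    leaked = dict(records)                 # a breach: attacker holds all stored data
    challenge = secrets.token_bytes(32)    # fresh per login, so replay is useless
    legit = authenticate(records, "123-45-6789", challenge, sign(sk, challenge))
    # Attacker knows name, DOB, SSN and pk but has no sk; best effort is guessing.
    forged = [secrets.token_bytes(32) for _ in range(256)]
    attacker = authenticate(leaked, "123-45-6789", challenge, forged)
    return legit, attacker
```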