Here's a lengthy article on the difficulty associated with trying to keep your SSN to yourself. I've sadly found that trying to prevent companies from 'requiring' it just takes too damn long - despite the fact that I know they legally can't 'demand' it.
And on the same note, here's a looksie at what can happen when your SSN and other financial info just gets CONFUSED with someone else's. There are also some more spooky statistics on what can happen when you become the victim of identity theft.
I had a run-in with this recently where a bill collector kept leaving automated messages on my home phone. I knew there was no way I had outstanding bills (I have excellent credit). Well, unless, of course, someone had hijacked my identity and opened a few accounts without me knowing. I finally called the company back, and the first thing they wanted was my SSN. I refused - no way I'm handing out my SSN to a 'company' that hits me with an automated message telling the to call and make sure that my credit rating isn't negatively impacted (it could have just been the phone-equivalent of a phishing scam).
2 or 3 hops later (from one operator to another - since I wouldn't give out my SSN) and I finally got someone who was smart enough to ask me what phone number had been called. They then asked if I was so and so - a name I recognized from having googled my phone number a few years ago - prior to google updating their records. I told them I was not the so and so in question and the company apologized profusely for treating me like a deadbeat... but like so many other things, this whole 'interaction' left me with a small taste of what it must be like to try and sort out your life after becoming a victim of identity theft.
Not too long ago, I got a few calls where my Credit Card company called in to verify "suspicious recent activity" on my card. The thing is, the message left on the machine sounded ... well, fishy. It gave a number to call, and when I called, the first prompt simply said, "Please enter your credit card number now."
*click*
I couldn't even find that number of the back of the credit or on a statement, so how was I to know that was legit?
It turns out, it was indeed a "real" check, and I'm all for that. Heck, question every darn purchase if it protects my identity. I'm thrilled when the cashiers at the store ask to see my license. Please, ANYTHING to help protect me.
But, these efforts need to be tempered with a modicum of intelligence and forethought. You know, this identity stuff is really not that tough and yet many companies just haven't seemed to figure that out yet.
Posted by: Brian | December 06, 2007 at 06:02 PM
Yeah, as geeks we have a sort of sixth-sense for things that might be construed as potential phishing or probing attacks. I guess that's both because we have to code defensively in our applications and such (to ensure that our apps stay above reproach), and because (as geeks) we're constantly getting called on by family members, neighbors, and what-not to fix their machines after they've been spoofed, phished, or whatnot.
What's spooky is that a lot of brick-and-mortar organizations just don't seem to even realize that they need to think this way. And spookiest of all is the fact that the entities that seem to have the hardest time with it frequently seem to be the very folks closest to our financial data.
My experience with Dell a while ago FLOORED me. They sent me this cryptic, one-off, email that said there was a 'problem with my order - would I please call some 800 number for my protection'? Yeah right. If i was a phisher, I'd figure that you could spam that message out to everyone, and 6% of people getting it would have an order with Dell. So imagine how cynical i was when i called and they wanted my SSN before they would even provide ANY information about what was going on. Needless to say I didn't give them that info. What KILLS me though, is that after making a few calls and getting PISSY with the operators in order to have them put me on with their managers, I was able to find out (eventually) that this was Dell's PREMIUM customer support just watching out for me to make sure that I hadn't been the victim of Identity Theft. It was like something out of a security best-practices HORROR novel.
Posted by: Michael K. Campbell | December 06, 2007 at 06:12 PM
Brian wrote:
"I'm thrilled when the cashiers at the store ask to see my license."
The funny thing is VISA and Mastercard discourage this practice. In fact, if your refuse to show your ID the merchant must accept your card anyway. From the Rules for VISA Merchants:
"Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures."
They claim its because a crook will probably have fake ID in your name with a signature in their handwriting anyway. It gets more amusing when they also say if a merchant is presented a card without a signature they should ask for government issued ID and have the customer sign the card before accepting it. Gee, what happened to that crook with fake ID all of a sudden. I guess he's using it to get on a plane with a bomb while you're signing your card.
As a merchant I get even more pissed off when VISA & Mastercard oppose the National Retail Federation push to have your card number only stored by the banks.
http://www.nrf.com/modules.php?name=News&op=viewlive&sp_id=380
The long and short of it is the credit card industry doesn't really care about identity theft - they care about profits. Requiring ID to use your card means less people using their card and less profits. Centralizing storage of credit card info at the banks means a bunch of money investing in changing systems and moving all the risk to the bank - not a profitable idea. Better to continue to force the risk on the merchant like they always do.
Posted by: Ralph Day | December 30, 2007 at 09:15 AM