ID "theft" -- so what?

Jörn Schmidt joern2473 at yahoo.com
Wed Jul 13 09:04:37 EDT 2005 

--- John Denker <jsd at av8n.com> wrote:

[...]
> It's only a problem if somebody uses that _identifying_
> information to spoof the _authorization_ for some
> transaction. [...]
> 
> Identifying information cannot be kept secret.  There's
> no point in trying to keep it secret.  Getting a new
> SSN because the old one is no longer secret is like
> bleeding with leeches to cure scurvy ... it's completely
> the wrong approach.  The only thing that makes any sense
> is to make sure that all relevant systems recognize the
> difference between identification and authorization.

See, that's precisely where the problems lies: I could not agree more
with you but the fact that you are completely, 100% right doesn't help
me one bit if T-Mobile's computer system requires that I give them my
SSN (which, by the way, may no longer be the case). 

And there's no point in arguing with the store manager because he
likely doesn't have the power to do anything about it anyway and
probably just doesn't care.

The fact of the matter is that you're making entirely too much sense.
;)

SSNs were never intended to be used for authorization. That's why it
explicitly said "For Social Security Purposes. Not for Identification"
on the bottom of old social security cards. 

These days, federal law says quite the opposite. USC 405 [C] and
subsequent sections state that it's okay for any state or government
agency to require an individual to provider their SSN  "[...] for the
purpose of establishing the identification of individuals affected by
such law [...]". In the Greate State of California, you can, for
instance, not even get a driver's license without telling the DMV your
SSN. Since I don't see a connection between said (semi-)randomly
assigned number and my ability to operate a motor vehicle, I'd have to
wager a guess and say that the CA DMV does indeed use social security
numbers for identification purposes. Fortunately, they don't just go
ahead and use your SSN as your driver's license number, too (IL, I
believe, used to do that). 

And the fact that many private businesses and schools still use SSNs as
unique identifiers and often display them quite prominently for the
world to see (eg. to people working in call centers half-way around the
world) makes matters even worse. 

Because you will often find that people treat you like you're going out
of your way to be a PITA if you refuse to give them your SSN. And
that's all fine and well as long as we're talking about the likes of
T-Mobile. Just use a different carrier, right? Well, they all (used to)
require that you give them your SNN. And so do most telcos, utility
companies, landlords, banks, public schools, community colleges, DMVs,
credit card companies, car dealerships (financing, etc.), cable
companies and pretty much any government agency (state and federal)
that issues any kind of license.

The answer to this dilemma? I'm afraid this time it really is
legislation. Frankly, I'm not even sure if that would work but, at this
time, it's our best shot. Congress won't do anything about this unless
a few representatives have their identities stolen and experience
first-hand what a PITA it is to have to deal with the fallout.

   -Jörn

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list