The Persistence of SSNs, and The Persistence of Thieves
Pete Lindstrom, who knows a good phrase when he reads one, puts forward the claim that the theft of veterans SSNs doesn’t put them at increased risk of fraud. His basic argument is that there’s a lot of people out there with access to lots of SSNs, and monetizing an SSN takes effort.
He’s right. Monetizing an SSN does take effort. But the SSNs don’t really expire. If the people who stole them know what they have, they have years in which to exploit the data. The best way to do that is to wait a year or two for the news to disappear, the credit monitoring to go away, and the pickings to get easy.
If this were credit cards, we could just re-issue them. The lack of compartmentalization around SSNs which makes them convenient identifiers, also means they’re hard to change.
I don’t know why Pete thinks that entrepreneurial criminals won’t rise to the challenge of monetizing a large fraction of a motherlode of ore. There are criminal syndicates who do this already. They’ll scale. If they don’t, other syndicates will show up who will scale.
I look forward to hearing from Pete or Mike Rothman, who wrote “there is no way the bad guys can get to all 26 million records.” [link to http://securityincite.com/blog/mike-rothman/the-daily-incite-june-1-2006 no longer works] Next you’ll be telling me that bad guys couldn’t exploit hundreds of thousands of pwned home computers, the management tools are too hard to create.
[Fixed headline. Thanks Pete.]
There is always the hope, Adam, that some set of reforms will be introduced to minimize the fraud that can be perpetrated with an SSN + other data. On the other hand, a longer delay means that discerning ne’er-do-wells can gather data and run some numbers to select optimal victims.
Still, I think there’s a bigger question: what does fraud that hits the data files of 10% of all Americans look like? At what point do the firms, industries and institutions that are the popular channels for fraud either fix themselves or collapse? Does a world with ubiquitous fraud simply punish those who haven’t adopted the latest soon-to-be subverted identity widget?
Warning — “top of my head” type remarks follow. :^)
Fraud is already ubiquitous. Fraud-by-impersonation is just a late arrival at the party. Traditional, tried and true methods like fake invoices and self-help five-finger employee discounts affect every business that sells or buys anything, and the losses get baked into prices.
As long as ID theft keeps a low profile in the aggregate, firms do not need to fix themselves, because they won’t collapse. The problem with SSNs and the like is more that they can be used as part of a pernicious system of intelligence-gathering that can inflict vastly more damage (at least on those unlucky enough to have a suspicious glance cast their way).