Identity Theft Search Engine Not Such A Wise Idea

from the look,-there's-me dept

With all of the data breaches that have been in the news lately, it’s understandable that many people would like to know if their personal information was part of the lost data (hint: it probably was). To meet this need, a new site is offering a way for users to search a database of social security numbers and credit cards that have been exposed. This seems problematic for several reasons. As some are pointing out, it seems dangerous to get internet users into the habit of submitting their personal data on the internet to anyone but the most trusted sites. Even if this particular site is completely legitimate, its mere existence will probably spawn shadier imitators. Furthermore, because the site also offers anti-identity theft solutions, that require the user to enter in more personal information, its own database is likely to be a juicy target for attackers. And then there’s the problem of what the user is to do once they see their social security number in the database. Obviously the site would like people to sign up for its own service, but barring that, there’s no obvious next step after someone discovers that at some point their personal data may have been disclosed. While monitoring may be an important tool in combating identity theft, throwing a service out there as a come on for a specific identity theft solution, does not seem like a particularly good idea.


Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Identity Theft Search Engine Not Such A Wise Idea”

Subscribe: RSS Leave a comment
13 Comments
Sanguine Dream says:

The heart is in the right place...

but I don’t think this is a good idea. Its a known fact that in this day and age a database with online access is an attacker’s all you can eat buffet. Not only that but people that dataphish will clamor to create a look-a-like site to take advantage of people. When verification and authentication are getting more difficult to secure and guarantee putting another target (espcially one this juicy) out is bad news. I don’t even want to think of the plight of a customer whose info could be stolen and used by multiple thieves.

CP Employee says:

What if...

Is it just me or does anyone else see the scammers rigging up a system to continuously query random social security numbers until it gets a hit. This would give them confirmation of a valid ID.

Granted, it’s confirmation of one that’s been leaked and could be under watch, but criminals don’t always think that far ahead. Additionally, since most companies are just getting a slap on the wrist, it’s not like there’s any serious monitoring going on …. and I should know. My company has been dragged through the mud often enough to point this out to me.

In the end, I like the idea that consumers would have one place to go to see if their information has been exposed. However, I think perhaps something in your credit report with the big 3 might be more appropriate.

Since US citizens are now entitled to free annual reports, perhaps adding a mandatory section of “Your information was leaked by:” with a listing of company AND leak date might be better with required reporting of leaks to the credit bureaus.

Heck – step up punishment of the leakers. Require them to pay for quarterly reports to be sent to every POTENTIAL victim, not just the actual victims for a reasonable length of time, but no less than 2 years.

I (obviously) haven’t taken the time to think that out, but maybe it’s a starting point. Who knows. All I do know is that many systems are broken here and “something needs to be done for the children….” 🙂 (sorry – couldn’t resist the last line)

SPR (profile) says:

Personal Identifying Information

I definitely agree with punishing the leakers. A good start would be to require them to pay a penalty, say $100,000, to each person whose personal info was leaked, each time!! Nothing is going to fix this problem until the laws regulating this kind of activity have some teeth. As it stands right now, a company faces no penalties for carelessness. It is cheaper for them to do nothing and let your info be harvested.

SPR (profile) says:

Personal Identifying Information again

Sorry, I forgot the new mandatory tag line at the end!!

I definitely agree with punishing the leakers. A good start would be to require them to pay a penalty, say $100,000, to each person whose personal info was leaked, each time!! Nothing is going to fix this problem until the laws regulating this kind of activity have some teeth. As it stands right now, a company faces no penalties for carelessness. It is cheaper for them to do nothing and let your info be harvested.

“Something needs to be done for the children….”

|333173|3|_||3 says:

SSN not ID

I have heard of someone who, when asked for his SSN for ID purposes, makes up a number, of the right length, and uses that instead. This number is always the same when dealing with each company, but it is not his SSN. Since an SSN is not supposed to be used for ID, no-one can complain, and he is safe from identity thieves who want to use his details elsewhere.

Dennis Reinhardt (user link) says:

Brain Dead implementation?

It is hard to know if the implementation is as cryptographically naive as the writeup suggests.

A proper implementation would store a hash in the data base, not the raw data. To query, the hash would be computed locally and the clear text would never leave the user’s computer. More importantly, the clear text would not be stored on the central computer.

To receive VC money, someone has to have thought of this … I hope. Even if the user is entering into a web form, local JavaScript can map the SSN entered into a hash for DB query.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...