Date: Mon, 04 Oct 93 14:45:10 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@PICA.ARMY.MIL Subject: Computer Privacy Digest V3#052 Computer Privacy Digest Mon, 04 Oct 93 Volume 3 : Issue: 052 Today's Topics: Moderator: Dennis G. Rears Re: SSN privacy Surveillance Re: SSN privacy Re: GOPHER link to _Directory of Scholarly Electronic Conferences_ re: Lexis Re: SSN privacy Re: Lexis The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.133]. ---------------------------------------------------------------------- Date: Thu, 30 Sep 93 18:08:13 EDT From: Dave Niebuhr Subject: Re: SSN privacy >In Computer Privacy Digest V3 #051 Vincent Broerman <0005461808@mcimail.com> >writes: > > >I do not quite understand. Most of it is probably due to my ignorance >regarding hacking and hacking procedures. However, why is SSN privacy such a >big deal. Quite simply, how easy is it for a hacker to "break" into the >social security database and "steal" all of my money/records? > >Can someone enlighten me? It's not so much the breaking into the Social Security database as it is for a person who obtains a SSN belonging to another to be able to then start applying for credit cards, loans, driver's liscenses, etc. and then racking up big bills on those (first three) and the real owner finding out that his/her credit history is full of black marks. Some of the things that can go on a credit history are: Past due payments; court judgements; credit accounts of any type; bankruptcies; tax liens, etc. You name it and it can probably be found on your credit record and all it takes to screw it up royally is for someone to get hold of your number *or* make one up that matches yours and then there will be hell to pay if yoy want a loan of some type. Read the SSN-FAQ that is posted once or twice a month in the alt.privacy newsgroup. It contains a wealth of information. Dave Dave Niebuhr Internet: dwn@dwn.ccd.bnl.gov (preferred) niebuhr@bnl.gov / Bitnet: niebuhr@bnl Senior Technical Specialist, Scientific Computing Facility Brookhaven National Laboratory Upton, NY 11973 (516)-282-3093 ------------------------------ Newsgroups: comp.society.privacy From: Julia Lommatzsch Subject: Surveillance Keywords: Phone, Advertising Organization: Bowling Green State University B.G., Oh. Date: Fri, 1 Oct 1993 17:42:26 GMT Caller ID certainly has heightened awareness of privacy issues. I've been reading THE ONE TO ONE FUTURE, and the authors have some really eye-opening points: "Make Money Protecting Privacy, Not Threatening It". The book describes an example of this concept. Harry H. Hart III runs a company, FreeFone. An extensive questionnaire is completed by participants, and then the information is SOLD to companies who want to advertise. These companies receive all kinds of demographic and psychographic profiles, but no NAMES! Here's how it all comes together. When participants make PHONE calls, they can opt to hear a :05 message; if they listen, FreeFone CREDITS their phone bills by a nickel for each message. Now, if I listen to Hallmark's ad, and I CHOOSE to respond, ONLY then does the company learn my identity. Protecting privacy or surveillance? You tell me. ------------------------------ Date: Fri, 1 Oct 93 13:45 EDT From: John R Levine Subject: Re: SSN privacy Newsgroups: comp.society.privacy Organization: I.E.C.C. >why is SSN privacy such a big deal. Quite simply, how easy is it for a >hacker to "break" into the social security database and "steal" all of my >money/records? There's two questions here. As far as how hard it is to get somone's SSA records, it's trivial. You fill out a card with someone's name and SSN and your address, and send it to the SSA. They send a copy of the SSA records to you. Yes, it's illegal, but the chances of getting caught are low, and the damage to the victim is probably low unless the crook is planning to impersonate the victim and collect retirement benefits, a fairly cumbersome fraud. But that's not the main problem, the bigger issue is that far too many financial records are keyed by SSN, such as credit bureaus, bank accounts, medical insurance and other records, and so forth. Worse, most bureaucracies assume that anyone who presents your SSN must be you. A typical scenario is that a bad guy uses your name and SSN to get credit cards in your name sent to him, he charges thousands of dollars of merchandise on them, and disappears. Happens all the time. Without the SSN this is a lot harder, since in practice, no bank will issue a credit card without an SSN. Regards, John Levine, johnl@iecc.com, {spdcc|ima|world}!iecc!johnl ------------------------------ From: jared@eniac.seas.upenn.edu Newsgroups: comp.society.privacy Subject: Re: GOPHER link to _Directory of Scholarly Electronic Conferences_ Date: 1 Oct 93 21:47:06 GMT Diane Kovacs (DKOVACS@kentvm.kent.edu) wrote: : Please feel free to add Gopher to the list of ways one can retrieve : The _Directory of Scholarly Electronic Conferences_ : Type=1 : Name=Directory of Scholarly Electronic Conferences : Path=1/Computing/Internet Information/Directory of Scholarly Electronic : Conferences : Host=gopher.usask.ca : Port=70 : -- : Earl Fogel : Computing Services phone: (306) 966-4861 : University of Saskatchewan email: earl.fogel@usask.ca ------------------------------ Date: Fri, 1 Oct 93 21:15 EDT From: "James A. Muysenberg" Subject: re: Lexis From what I've read in the past year, all the information Lotus was putting onto CD-ROM was already available through other sources. And just recently I discovered CompuServe also provides this information. FYI. James Muysenberg at dockmaster.ncsc.mil (or whatever appears in the "from" line) ------------------------------ Date: Fri, 1 Oct 93 18:29:10 PDT From: Kelly Bert Manning Subject: Re: SSN privacy In a previous article, 0005461808@mcimail.com (Vincent Broerman) says: >I do not quite understand. Most of it is probably due to my ignorance >regarding hacking and hacking procedures. However, why is SSN privacy such a >big deal. Quite simply, how easy is it for a hacker to "break" into the >social security database and "steal" all of my money/records? > >Can someone enlighten me? > They don't break into a social security DB. In places like Virginia they used to be able to get people's SSNs by looking at lists of registered voters. This was overturned recently in a court case that featured a lot of evidence of how widespread access to SSNs allows fraud artists to impersonate people with good credit ratings, even from another state. In Canada credit bureaus such as Equifax Canada try to use SIN as a unique identifier. The fallacy here is that the fact that someone can recite a name and SSN/SIN does not prove that they are that person. It may simply show that they have previously accessed the same record at the same credit bureau to find out which string of digits the credit bureau is using as a token verification of identity. "Privacy Journal" is a good source of case stories about the types of fraud that can be perpetrated once a scam artist knows which string of digits to reel off for which name. One story reported in the last few years described a woman who had tried to claim benefits after loosing her job, only to discover that someone had already opened a claim and exhaused her benefits. Apparently there is no check to see if a claimant is still contributing. More commonly the fraud artists in another state and city will apply for driver's licences, open checking accounts, take out loans, and charge items, claiming to have just moved. Credit bureaus apparently automatically change the address in their records if the same name and SSN comes in more than once with a new address. Often the first that the person who is being impersonated knows about it is when the police arrest them on a charge of passing bad checks, or when they apply for a loan and are turned down becuase the credit check shows them as having several overdue loans already, as well as an address in another state. "Privacy Journal" stories include ones about people who have been arrested repeatedly, sometimes for extended periods, because someone who discovered their SSN opens checking accounts in their name and uses rubber checks to purchase items. The use of SSN as a supposedly unique identifer of people is essentially worthless. There is never any authentication done to confirm that someone who recites one and the corresponding name is actually the person the SSN was issued to. On the other hand it gives a warm feeling of security to businesses while they are being defrauded and makes life hell for the people who are being impersonated. ------------------------------ From: Scott Coleman Newsgroups: comp.society.privacy Subject: Re: Lexis Date: 3 Oct 93 16:24:32 GMT Organization: University of Illinois at Urbana JTUCKER@vax2.cstp.umkc.edu writes: >I just received a disturbing item in the mail. The following postcard is >from Lexis who is owned by Mead Data Central: >LEXIS FINDER Library --- Coming soon to LEXIS >The FINDER library -- a nationwide "white pages" directory of 111 million >individuals' addresses, phone numbers and more -- is coming soon to your >LEXIS terminal. [...] >Didn't Lotus try this one? So did Compu$teal - and the latter with greater success. Just GO PHONEFILE sometime and you'll be gated to a system which sounds exactly like what you're describing. -- Scott Coleman, President ASRE (American Society of Reverse Engineers) tmkk@uiuc.edu Q: What's the difference between Jurassic Park and IBM? A: One is a complex and expensive theme park, filled with dinosaurs and unreliable equipment -- and the other is a Steven Spielberg movie... Q: What's the similarity? A: They both have clones. ------------------------------ End of Computer Privacy Digest V3 #052 ******************************