Date:       Mon, 04 Oct 93 14:45:10 EST
Errors-To:  Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From:       Computer Privacy Digest Moderator  <comp-privacy@PICA.ARMY.MIL>
To:         Comp-privacy@PICA.ARMY.MIL
Subject:    Computer Privacy Digest V3#052

Computer Privacy Digest Mon, 04 Oct 93              Volume 3 : Issue: 052

Today's Topics:				Moderator: Dennis G. Rears

                            Re: SSN privacy
                              Surveillance
                            Re: SSN privacy
   Re: GOPHER link to _Directory of Scholarly Electronic Conferences_
                                re: Lexis
                            Re: SSN privacy
                               Re: Lexis

   The Computer Privacy Digest is a forum for discussion on the
  effect of technology on privacy.  The digest is moderated and
  gatewayed into the USENET newsgroup comp.society.privacy
  (Moderated).  Submissions should be sent to
  comp-privacy@pica.army.mil and administrative requests to
  comp-privacy-request@pica.army.mil.
   Back issues are available via anonymous ftp on ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

Date: Thu, 30 Sep 93 18:08:13 EDT
From: Dave Niebuhr <dwn@dwn.ccd.bnl.gov>
Subject: Re: SSN privacy

>In Computer Privacy Digest V3 #051 Vincent Broerman <0005461808@mcimail.com>
>writes:
>
>
>I do not quite understand.  Most of it is probably due to my ignorance 
>regarding hacking and hacking procedures.  However, why is SSN privacy such a 
>big deal.  Quite simply, how easy is it for a hacker to "break" into the 
>social security database and "steal" all of my money/records?
>
>Can someone enlighten me?

It's not so much the breaking into the Social Security database as it is
for a person who obtains a SSN belonging to another to be able to then
start applying for credit cards, loans, driver's licenses, etc. and then
racking up big bills on those (first three) and the real owner finding out
that his/her credit history is full of black marks.

Some of the things that can go on a credit history are:
  Past due payments; court judgements; credit accounts of any type;
  bankruptcies; tax liens, etc.

You name it and it can probably be found on your credit record and all it
takes to screw it up royally is for someone to get hold of your number *or*
make one up that matches yours and then there will be hell to pay if you
want a loan of some type.

Read the SSN-FAQ that is posted once or twice a month in the alt.privacy
newsgroup.  It contains a wealth of information.

Dave

Dave Niebuhr      Internet: dwn@dwn.ccd.bnl.gov (preferred)
                            niebuhr@bnl.gov / Bitnet: niebuhr@bnl
Senior Technical Specialist, Scientific Computing Facility
Brookhaven National Laboratory Upton, NY 11973  (516)-282-3093

------------------------------

Newsgroups: comp.society.privacy
From: Julia Lommatzsch <jlommat@andy.bgsu.edu>
Subject: Surveillance
Keywords: Phone, Advertising
Organization: Bowling Green State University B.G., Oh.
Date: Fri, 1 Oct 1993 17:42:26 GMT


Caller ID certainly has heightened awareness of privacy issues.  I've been
reading THE ONE TO ONE FUTURE, and the authors have some really
eye-opening points:  "Make Money Protecting Privacy, Not Threatening It".
The book describes an example of this concept.  

Harry H. Hart III runs a company, FreeFone.  An extensive
questionnaire is completed by participants, and then the information is
SOLD to companies who want to advertise.  These companies receive all
kinds of demographic and psychographic profiles, but no NAMES!

Here's how it all comes together.  When participants make PHONE calls,
they can opt to hear a :05 message; if they listen, FreeFone CREDITS their
phone bills by a nickel for each message.  Now, if I listen to Hallmark's
ad, and I CHOOSE to respond, ONLY then does the company learn my identity.

Protecting privacy or surveillance?  You tell me.  

------------------------------

Date: Fri, 1 Oct 93 13:45 EDT
From: John R Levine <johnl@iecc.com>
Subject: Re: SSN privacy
Newsgroups: comp.society.privacy
Organization: I.E.C.C.

>why is SSN privacy such a  big deal.  Quite simply, how easy is it for a
>hacker to "break" into the social security database and "steal" all of my
>money/records?

There's two questions here.  As far as how hard it is to get someone's SSA
records, it's trivial.  You fill out a card with someone's name and SSN
and your address, and send it to the SSA.  They send a copy of the SSA
records to you.  Yes, it's illegal, but the chances of getting caught are
low, and the damage to the victim is probably low unless the crook is
planning to impersonate the victim and collect retirement benefits, a
fairly cumbersome fraud.

But that's not the main problem, the bigger issue is that far too many
financial records are keyed by SSN, such as credit bureaus, bank accounts,
medical insurance and other records, and so forth.  Worse, most
bureaucracies assume that anyone who presents your SSN must be you.  A
typical scenario is that a bad guy uses your name and SSN to get credit
cards in your name sent to him, he charges thousands of dollars of
merchandise on them, and disappears.  Happens all the time.  Without the
SSN this is a lot harder, since in practice, no bank will issue a credit
card without an SSN.

Regards,
John Levine, johnl@iecc.com, {spdcc|ima|world}!iecc!johnl

------------------------------

From: jared@eniac.seas.upenn.edu
Newsgroups: comp.society.privacy
Subject: Re: GOPHER link to _Directory of Scholarly Electronic Conferences_
Date: 1 Oct 93 21:47:06 GMT


Diane Kovacs (DKOVACS@kentvm.kent.edu) wrote:



: Please feel free to add Gopher to the list of ways one can retrieve
: The _Directory of Scholarly Electronic Conferences_

: Type=1
: Name=Directory of Scholarly Electronic Conferences
: Path=1/Computing/Internet Information/Directory of Scholarly Electronic
: Conferences
: Host=gopher.usask.ca
: Port=70

: --
: Earl Fogel
: Computing Services              phone: (306) 966-4861
: University of Saskatchewan      email: earl.fogel@usask.ca

------------------------------

Date:  Fri, 1 Oct 93 21:15 EDT
From:  "James A. Muysenberg" <Muysenberg@dockmaster.ncsc.mil>
Subject:  re: Lexis


          From what I've read in the past year, all the information
Lotus was putting onto CD-ROM was already available through other
sources. And just recently I discovered CompuServe also provides this
information. FYI.

James
Muysenberg at dockmaster.ncsc.mil (or whatever appears in the "from"
line)

------------------------------

Date: Fri, 1 Oct 93 18:29:10 PDT
From: Kelly Bert Manning <ua602@freenet.victoria.bc.ca>
Subject: Re: SSN privacy


In a previous article, 0005461808@mcimail.com (Vincent Broerman) says:
>I do not quite understand.  Most of it is probably due to my ignorance 
>regarding hacking and hacking procedures.  However, why is SSN privacy such a 
>big deal.  Quite simply, how easy is it for a hacker to "break" into the 
>social security database and "steal" all of my money/records?
>
>Can someone enlighten me?
>
They don't break into a social security DB. In places like Virginia they
used to be able to get people's SSNs by looking at lists of registered voters.
This was overturned recently in a court case that featured a lot of 
evidence of how widespread access to SSNs allows fraud artists to
impersonate people with good credit ratings, even from another state.

In Canada credit bureaus such as Equifax Canada try to use SIN as a unique
identifier. The fallacy here is that the fact that someone can recite a name
and SSN/SIN does not prove that they are that person. It may simply show that
they have previously accessed the same record at the same credit bureau 
to find out which string of digits the credit bureau is using as a token
verification of identity.

"Privacy Journal" is a good source of case stories about the types of
fraud that can be perpetrated once a scam artist knows which string of
digits to reel off for which name. One story reported in the last few
years described a woman who had tried to claim benefits after losing
her job, only to discover that someone had already opened a claim and
exhausted her benefits. Apparently there is no check to see if a claimant
is still contributing. More commonly the fraud artists in another state
and city will apply for driver's licences, open checking accounts, take
out loans, and charge items, claiming to have just moved. Credit bureaus
apparently automatically change the address in their records if
the same name and SSN comes in more than once with a new address.
 
Often the first that the person who is being impersonated knows about it
is when the police arrest them on a charge of passing bad checks, or when
they apply for a loan and are turned down because the credit check shows
them as having several overdue loans already, as well as an address in
another state. "Privacy Journal" stories include ones about people who 
have been arrested repeatedly, sometimes for extended periods, because 
someone who discovered their SSN opens checking accounts in their name
and uses rubber checks to purchase items.

The use of SSN as a supposedly unique identifier of people is essentially
worthless. There is never any authentication done to confirm that someone
who recites one and the corresponding name is actually the person the SSN
was issued to. On the other hand it gives a warm feeling of security to
businesses while they are being defrauded and makes life hell for the people
who are being impersonated.

------------------------------

From: Scott Coleman <genghis@ilces.ag.uiuc.edu>
Newsgroups: comp.society.privacy
Subject: Re: Lexis
Date: 3 Oct 93 16:24:32 GMT
Organization: University of Illinois at Urbana

JTUCKER@vax2.cstp.umkc.edu writes:


>I just received a disturbing item in the mail.  The following postcard is 
>from Lexis who is owned by Mead Data Central:

>LEXIS FINDER Library  ---  Coming soon to LEXIS

>The FINDER library -- a nationwide "white pages" directory of 111 million 
>individuals' addresses, phone numbers and more -- is coming soon to your 
>LEXIS terminal.

[...]

>Didn't Lotus try this one?

So did Compu$teal - and the latter with greater success. Just GO
PHONEFILE sometime and you'll be gated to a system which sounds exactly
like what you're describing.


-- 
Scott Coleman, President ASRE (American Society of Reverse Engineers)
tmkk@uiuc.edu
Q: What's the difference between Jurassic Park and IBM?
A: One is a complex and expensive theme park, filled with dinosaurs and
   unreliable equipment -- and the other is a Steven Spielberg movie...
Q: What's the similarity?
A: They both have clones.

------------------------------


End of Computer Privacy Digest V3 #052
******************************