Think Your Social Security Number Is Secure? Think Again

It should come as little surprise that Social Security numbers are posted on the Internet. But, says Betty Ostergren, a former insurance claims supervisor in suburban Richmond, Va., who has spent years trolling for them, “people are always astounded” to learn that theirs is one of them.

Mrs. Ostergren, 57, has made a name for herself as a gadfly as she took on a lonely and sometimes frustrating mission to draw attention to the problem. With addresses, dates of birth and maiden names often associated with Social Security numbers, she said, they are a gift to data thieves.

But in the last few weeks, Mrs. Ostergren’s Web site, The Virginia Watchdog — with the help of lobbying from an unexpected ally, America’s farm bureaus — is having an effect.

One by one, states and counties have started removing images of documents that contain Social Security numbers, or they are blocking out the numbers. Four states, including New York, have removed links to images of public documents containing Social Security numbers.

Snohomish County, Wash., for example, said Wednesday that 61 types of documents, including tax liens and marriage certificates, would be blocked. (The documents are supposed to remain public at courthouses or state offices.)

Last week, the Texas attorney general, Greg Abbott, issued a legal opinion that county clerks would be committing a crime by revealing Social Security numbers on the Internet.

“I am almost in a celebratory mode,” said David Bloys, a retired private investigator in Shallowater, Tex., who also highlights the public records issue on his Web site, NewsforPublicOfficials.com.

For people wondering if they should be worried about the security of their own numbers, there is a new tool to help them.

TrustedID, a company that sells services to consumers to give them more control over who sees their credit reports, has compiled a database of compromised numbers that could already be traded or sold on the Internet.

It has created an online search tool, StolenIDSearch.com, where people can check at no cost to see if their number is one that is in a too-public domain.

TrustedID said that about 220,000 people have tested their numbers in the three weeks since the site has been open to the public.

The Social Security number remains the personal identifier not only for government documents, but for credit applications and medical records, as well as video and cellphone stores.

“In the commercial world it is ubiquitous when credit is offered,” said Chris Jay Hoofnagle, a privacy advocate and senior fellow of the Berkeley Center for Law and Technology at the University of California, Berkeley. “It all flows from the credit system and it flows very far.”

Even though Americans are told to protect their Social Security number to prevent identity theft, that is a tall order. The Social Security Administration says its card “was never intended and does not serve as a personal identification document.”

But that has not been true about the number almost from outset. The Social Security numbers that were first handed out in November 1936 as a means for the federal government to track payments to the retirement system was soon used for other purposes. It helps tracks payroll, loan payments, financial transactions and income taxes.

It is necessary for anyone seeking public assistance, like food stamps, or registering for the draft. Congress decreed it be recorded on records including professional licenses, marriages licenses and divorce decrees to better track scofflaws of child support orders.

The Social Security number took on a second role. It allowed collectors of data to link pieces of information together, like a driver’s license record, credit report data, and the information on the warranty card for a toaster. That is a useful tool for marketers and just as useful for criminals.

It was only in 2004 that Congress prohibited states from using the Social Security number on drivers’ licenses. Yet the databases with those numbers still exist and are still sold. Until 2001, states could sell lists with those numbers, which means that most anyone 22 years or older probably will have their name, address, phone number and Social Security number in private databases.

The nine-digit string took on a third role — as a password that was supposed to protect all that private information from snoops and criminals. But its ubiquity defeats that purpose, Mr. Hoofnagle said. “It will pass when the business community no longer needs a Social Security number,” he said.

The Social Security Administration’s Office of Inspector General said that 16 percent of the 99,000 fraud cases it investigated in the 12-month period that ended Sept. 30 involved the misuse of Social Security numbers. One involved an identify theft ring in central Florida. Twelve people were convicted, sentenced to prison and ordered to repay more than $2 million.

About 16,000 incidents are not a lot considering that 240 million numbers are currently in use, and certainly credit card number theft and fraud is much more pervasive.

But credit card numbers rarely are exposed on documents in public view. And if a credit card is stolen or misused, obtaining a new one is a fairly simple process. A new Social Security number is rarely granted. (Indeed, one is limited to three replacements of the green paper Social Security card in a year and 10 over a lifetime.)

Social Security numbers are routinely traded and sold by thieves over the Internet like credit card numbers, says Panos Anastassiadis, chief executive of Cyveillance, an Arlington, Va., company that monitors online fraud attempts for major financial institutions. His company has found caches of them in Web chat rooms where they are offered as samples by criminals selling even larger lists.

They are sometimes obtained by “key logging” software surreptitiously installed on home computers to record what is typed. Some come from so-called phishing attacks in which people are misled into entering the data on fake Web sites of banks or utilities.

The numbers are also out in the open. “People think it is the banks, but banks are very secure,” Mr. Anastassiadis said. “The problem is every dentist’s office has Social Security numbers. Every doctor’s office has them. How secure are these?”

It has been Mrs. Ostergren’s near-obsession to answer that question.

Few things delight her more than finding a number belonging to a celebrity because it draws attention to her cause.

“Oh, my Lord!” she exclaimed recently as she stumbled upon the Social Security number of a member of the boldfaced set as she demonstrated how New York state Web sites display documents containing names, addresses and Social Security numbers. “Let me download this one. This is Donald Trump’s number. I can’t wait to tell him.”

Mrs. Ostergren never got through to Mr. Trump to confirm whether the nine-digit identifier was indeed his, but she has found and tried to notified others, including Kelly Ripa, the actress and talk-show host; Jeb Bush, the former governor of Florida; Porter Goss, the former C.I.A. director; and scores of state legislators, and posted the link to them on her site. (New York later removed links to public documents.)

She has found Social Security numbers on tax liens on the official site of Maricopa County in Arizona. In Florida, as in many states, they appear on a document people sign when they buy furniture or other merchandise on credit.

Mrs. Ostergren wants the documents taken off the Web, and she applies pressure by using the people whose numbers she finds. “I’ve been calling people and telling them that they are exposed,” Mrs. Ostergren said. “It is not very hard to find the numbers,” she said. “They are exposed everywhere.”

Her Web site may be cluttered with so many typefaces that it resembles a ransom note, but she seems to be having an impact. In the last month she found a pressure point: farmers.

Their numbers show up on Uniform Commercial Code filings when they buy machinery or supplies on credit. She showed state farm bureau leaders their numbers; they contacted their state legislators. She has also found common cause with other gadflies like Mr. Bloys.

She has had her share of setbacks as well. Several state legislators tried to ban her from posting information about their personal data that appear in public records. She wins no fans among legitimate companies who sell databases. Removing the data from the Internet slows down their ability to collect public information, but does not stop it.

“There are a lot of people in the data brokerage business who don’t like what I do,” she said.

Corra has for quite sometime maintained that Social Security theft or even “borrowing” is a large and growing problem in the U.S. As this terrific article reports, your Social Security Number is bouncing all over the place. On a relatively benign level they are being sold on the black market and used by Illegal, sorry, undocumented workers to show that they are legitimate and entitled to employment. On a more malicious level, if someone obtains your name, social security number and date of birth they are off and running with identity theft.

As a background checking service, Corra will often find a candidate’s social security number is being used by at least one other person. Frequently, when we run a Social Security Trace, several names will be listed with the legitimate owner. Sometimes the social security number will be totally bogus, but that is a different matter.

With the Federal Government beginning to crackdown on companies who knowingly hire undocumented workers, the last thing your business needs is to be the poster child where the authorities use you to make an example. Considering the cost of a Social Security Trace, any Human Resources Department that doesn’t conduct these searches as part of their preemployment screening process is just being foolish. This and a criminal background check are the two most important searches you can run.

So pay heed to Corra’s excellent advice and check them out before you hire.

We found this alarming article on Information Week.

Hackers Will Join Forces With The Mob In 2007, Security Firm Warns

Cybercriminals are expected to become much more organized and connected in the new year, driving zero-day attacks and upping the ante for online crime, according to a new report.

By Sharon Gaudin

The mob is expected to band together more closely with hackers in 2007 to form a more organized cybercrime community, according to a new report.The beefed-up online crime cooperative will buy, sell, and trade ready-made cyberattack toolkits and exploits using zero-day vulnerabilities, predict analysts at Websense, a Web security company. They also expect Web 2.0 security issues to escalate in the coming year.

“Organized criminals are realizing that the Internet has been a largely untapped resource in terms of generating real profit, until now,” said Dan Hubbard, VP of security research at Websense, in a written statement. “With financial gain on the table, attack methods are improving, and the number of people involved is escalating. Tools and exploits to steal personal, business, and financial information are the hottest commodities for cyber criminals.”

In 2006, cybercrime and the evolution of new cybercriminals were on the rise. Websense predicts that this trend will only increase in the new year, as hackers and organized crime increasingly work together, become more organized, and target their attacks. Because of this, the market for zero-day attack code will become more competitive, and it will drive the number of zero-day attacks and heighten attacks on both clients and servers.

Web 2.0 sites such as MySpace and Wikipedia, which make up an estimated 80% of the top 20 most visited Web sites, are a growing phenomenon and increasingly attractive to cybercriminals. Websense analysts report that Web 2.0 sites, which include social networking sites, are particularly vulnerable to attack because of the constantly changing nature of their content, which is difficult to monitor and secure.

The large population of users and the ability to link users through profiles and networks will lead to more security issues within these communities, the security company reported in its written statement. Social networks aren’t the only targets. According to Websense, business networks are just as vulnerable.

In the face of this most important threat to your business network, Corra realizes you must take whatever measures necessary to secure your company’s Internet operations, databases and proprietary information. But are you also securing your business form within?

While many companies put up surveillance cameras and monitor employee activity on their computers, there are still some who overlook the most obvious and cost effective measure against employee theft of intellectual property. That is the preemployment screening check. The background check.

For just a few bucks you can review a candidate’s past history to best determine if you really want that person as an additional to your work force. In terms of concerns over theft of intellectual property, etc., it is usually best to not just run the criminal background check, but also the credit check and MVR Report. These three searches will often show a behavior pattern that will reveal if someone is either prone to theft of susceptible to outside influences that would either bribe or coerce him into committing crimes against your company.

Running background checks on your job candidates and in some cases your present employees is simply too important to ignore. So remember to take Corra’s advice and check them out before you hire.