Identity Theft Search Engine Not Such A Wise Idea
from the look,-there's-me dept
With all of the data breaches that have been in the news lately, it's understandable that many people would like to know if their personal information was part of the lost data (hint: it probably was). To meet this need, a new site is offering a way for users to search a database of social security numbers and credit cards that have been exposed. This seems problematic for several reasons. As some are pointing out, it seems dangerous to get internet users into the habit of submitting their personal data on the internet to anyone but the most trusted sites. Even if this particular site is completely legitimate, its mere existence will probably spawn shadier imitators. Furthermore, because the site also offers anti-identity theft solutions, that require the user to enter in more personal information, its own database is likely to be a juicy target for attackers. And then there's the problem of what the user is to do once they see their social security number in the database. Obviously the site would like people to sign up for its own service, but barring that, there's no obvious next step after someone discovers that at some point their personal data may have been disclosed. While monitoring may be an important tool in combating identity theft, throwing a service out there as a come on for a specific identity theft solution, does not seem like a particularly good idea.Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
The heart is in the right place...
[ link to this | view in chronology ]
wow...
[ link to this | view in chronology ]
What if...
Granted, it's confirmation of one that's been leaked and could be under watch, but criminals don't always think that far ahead. Additionally, since most companies are just getting a slap on the wrist, it's not like there's any serious monitoring going on .... and I should know. My company has been dragged through the mud often enough to point this out to me.
In the end, I like the idea that consumers would have one place to go to see if their information has been exposed. However, I think perhaps something in your credit report with the big 3 might be more appropriate.
Since US citizens are now entitled to free annual reports, perhaps adding a mandatory section of "Your information was leaked by:" with a listing of company AND leak date might be better with required reporting of leaks to the credit bureaus.
Heck - step up punishment of the leakers. Require them to pay for quarterly reports to be sent to every POTENTIAL victim, not just the actual victims for a reasonable length of time, but no less than 2 years.
I (obviously) haven't taken the time to think that out, but maybe it's a starting point. Who knows. All I do know is that many systems are broken here and "something needs to be done for the children...." :-) (sorry - couldn't resist the last line)
[ link to this | view in chronology ]
Personal Identifying Information
[ link to this | view in chronology ]
Personal Identifying Information again
I definitely agree with punishing the leakers. A good start would be to require them to pay a penalty, say $100,000, to each person whose personal info was leaked, each time!! Nothing is going to fix this problem until the laws regulating this kind of activity have some teeth. As it stands right now, a company faces no penalties for carelessness. It is cheaper for them to do nothing and let your info be harvested.
"Something needs to be done for the children...."
[ link to this | view in chronology ]
Re: Personal Identifying Information again
and the poor widow woman;
and the abused spouse;
and the out-of-work laboror;
and the handicap;
and the minority;
and on and on and on.
[ link to this | view in chronology ]
Re: Re: Personal Identifying Information again
[ link to this | view in chronology ]
Giving Out Your SSN......
[ link to this | view in chronology ]
hmmm......
[ link to this | view in chronology ]
ouch
[ link to this | view in chronology ]
SSN not ID
[ link to this | view in chronology ]
Brain Dead implementation?
A proper implementation would store a hash in the data base, not the raw data. To query, the hash would be computed locally and the clear text would never leave the user's computer. More importantly, the clear text would not be stored on the central computer.
To receive VC money, someone has to have thought of this ... I hope. Even if the user is entering into a web form, local JavaScript can map the SSN entered into a hash for DB query.
[ link to this | view in chronology ]
Identity search engine
[ link to this | view in chronology ]