Identity Theft Search Engine Not Such A Wise Idea

from the look,-there's-me dept

With all of the data breaches that have been in the news lately, it's understandable that many people would like to know if their personal information was part of the lost data (hint: it probably was). To meet this need, a new site is offering a way for users to search a database of social security numbers and credit cards that have been exposed. This seems problematic for several reasons. As some are pointing out, it seems dangerous to get internet users into the habit of submitting their personal data on the internet to anyone but the most trusted sites. Even if this particular site is completely legitimate, its mere existence will probably spawn shadier imitators. Furthermore, because the site also offers anti-identity theft solutions, that require the user to enter in more personal information, its own database is likely to be a juicy target for attackers. And then there's the problem of what the user is to do once they see their social security number in the database. Obviously the site would like people to sign up for its own service, but barring that, there's no obvious next step after someone discovers that at some point their personal data may have been disclosed. While monitoring may be an important tool in combating identity theft, throwing a service out there as a come on for a specific identity theft solution, does not seem like a particularly good idea.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Sanguine Dream, 23 Jan 2007 @ 11:40am

    The heart is in the right place...

    but I don't think this is a good idea. Its a known fact that in this day and age a database with online access is an attacker's all you can eat buffet. Not only that but people that dataphish will clamor to create a look-a-like site to take advantage of people. When verification and authentication are getting more difficult to secure and guarantee putting another target (espcially one this juicy) out is bad news. I don't even want to think of the plight of a customer whose info could be stolen and used by multiple thieves.

    link to this | view in thread ]

  2. identicon
    PhysicsGuy, 23 Jan 2007 @ 11:52am

    wow...

    if i was still is mischievous youngster, i'd be drooling over the very mention of this idea.

    link to this | view in thread ]

  3. identicon
    CP Employee, 23 Jan 2007 @ 12:02pm

    What if...

    Is it just me or does anyone else see the scammers rigging up a system to continuously query random social security numbers until it gets a hit. This would give them confirmation of a valid ID.

    Granted, it's confirmation of one that's been leaked and could be under watch, but criminals don't always think that far ahead. Additionally, since most companies are just getting a slap on the wrist, it's not like there's any serious monitoring going on .... and I should know. My company has been dragged through the mud often enough to point this out to me.

    In the end, I like the idea that consumers would have one place to go to see if their information has been exposed. However, I think perhaps something in your credit report with the big 3 might be more appropriate.

    Since US citizens are now entitled to free annual reports, perhaps adding a mandatory section of "Your information was leaked by:" with a listing of company AND leak date might be better with required reporting of leaks to the credit bureaus.

    Heck - step up punishment of the leakers. Require them to pay for quarterly reports to be sent to every POTENTIAL victim, not just the actual victims for a reasonable length of time, but no less than 2 years.

    I (obviously) haven't taken the time to think that out, but maybe it's a starting point. Who knows. All I do know is that many systems are broken here and "something needs to be done for the children...." :-) (sorry - couldn't resist the last line)

    link to this | view in thread ]

  4. identicon
    SPR, 23 Jan 2007 @ 12:22pm

    Personal Identifying Information

    I definitely agree with punishing the leakers. A good start would be to require them to pay a penalty, say $100,000, to each person whose personal info was leaked, each time!! Nothing is going to fix this problem until the laws regulating this kind of activity have some teeth. As it stands right now, a company faces no penalties for carelessness. It is cheaper for them to do nothing and let your info be harvested.

    link to this | view in thread ]

  5. identicon
    SPR, 23 Jan 2007 @ 12:31pm

    Personal Identifying Information again

    Sorry, I forgot the new mandatory tag line at the end!!

    I definitely agree with punishing the leakers. A good start would be to require them to pay a penalty, say $100,000, to each person whose personal info was leaked, each time!! Nothing is going to fix this problem until the laws regulating this kind of activity have some teeth. As it stands right now, a company faces no penalties for carelessness. It is cheaper for them to do nothing and let your info be harvested.

    "Something needs to be done for the children...."

    link to this | view in thread ]

  6. identicon
    Ajax 4Hire, 23 Jan 2007 @ 1:42pm

    Re: Personal Identifying Information again

    "Something needs to be done for the children...."
    and the poor widow woman;
    and the abused spouse;
    and the out-of-work laboror;
    and the handicap;
    and the minority;
    and on and on and on.

    link to this | view in thread ]

  7. identicon
    SPR, 23 Jan 2007 @ 2:25pm

    Re: Re: Personal Identifying Information again

    The working American is the new minority that you and your kind keep wanting to milk and bilk.

    link to this | view in thread ]

  8. identicon
    Dam, 23 Jan 2007 @ 5:32pm

    Giving Out Your SSN......

    to anyone other than the IRS, your doctor or Social Security should result in destruction of your PC/Mac and a ban from using any technology for 5 years. This includes telephones.

    link to this | view in thread ]

  9. identicon
    weebit, 23 Jan 2007 @ 6:47pm

    hmmm......

    Would it bit easier to just require a business not to store all of our personal information in one database and heavy encrypt it always? Those that don't conform get the heaver fines etc.

    link to this | view in thread ]

  10. identicon
    Buzz, 23 Jan 2007 @ 6:48pm

    ouch

    Dang... Their hearts seem to be in the right place. It's just a bad idea. :P

    link to this | view in thread ]

  11. identicon
    |333173|3|_||3, 23 Jan 2007 @ 9:44pm

    SSN not ID

    I have heard of someone who, when asked for his SSN for ID purposes, makes up a number, of the right length, and uses that instead. This number is always the same when dealing with each company, but it is not his SSN. Since an SSN is not supposed to be used for ID, no-one can complain, and he is safe from identity thieves who want to use his details elsewhere.

    link to this | view in thread ]

  12. identicon
    Dennis Reinhardt, 28 Jan 2007 @ 12:29pm

    Brain Dead implementation?

    It is hard to know if the implementation is as cryptographically naive as the writeup suggests.

    A proper implementation would store a hash in the data base, not the raw data. To query, the hash would be computed locally and the clear text would never leave the user's computer. More importantly, the clear text would not be stored on the central computer.

    To receive VC money, someone has to have thought of this ... I hope. Even if the user is entering into a web form, local JavaScript can map the SSN entered into a hash for DB query.

    link to this | view in thread ]

  13. identicon
    Karen, 29 Jan 2007 @ 3:16pm

    Identity search engine

    I could not bring myself to enter my personal information on the site for those very reasons. There should be other qualifiers used to cross reference the information they have on file, if they indeed have it, such as an address used with a date of birth or other qualifiying criteria.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.