Banks Move From SSNs to Personal Details
Dan Solove of Concurring Opinions has interesting thoughts on the movement of banks and other entities that want to verify your identity away from social security numbers (as reported here). That’s a good reform, except their new strategy is nearly as bad: relying on your knowledge of random scraps of personal data they have extracted from public records.
Dan points out that all that data is just as available to fraudsters as was the SSN. He’s right. I would add another independent problem: if the public records are inaccurate (as is so often the case), you may find yourself giving the “wrong” answer about your own personal details. This happened to me once recently. I had the surreal experience of needing to insist to a skeptical customer service rep on the other end of the phone line that I am indeed me and that I knew my own past home addresses better than she did. Turns out there was a typo, of course.
Worse still from the point of view of banks and other institutions who adopt this strategy, quality control is essentially impossible. The error must have been made by some faceless data entry clerk at some other entity with whom I interacted in the past, and the bad info gradually migrated its way into my Choicepoint profile or some similar aggregated dossier.
Filed under: Intermediaries, Privacy, Security
A question I have is why, suddenly, I’m asked to provide this additional 3-digit “security code” whenever I buy something online with a credit card.
The security code appears on my card and not, presumably, on the magnetic strip. I suppose the “genius” of it is that someone who simply swipes my credit card number won’t have the security code unless that person also has access to my card. Fine.
But if I’m the only one holding my credit card, the only way any fraudster will get access to the number is if, at some point, I make a transaction, and some record of the number falls into the wrong hands. And if I’m now required to regurgitate the security code as well to complete a transaction, what’s to keep the fraudster from intercepting my security code as easily as he did the original credit card number?
My guess is that, since I did a lot of online transactions before this new security-code standard was adopted by retailers, the bad guys have had a lot more opportunities to intercept just my credit card number, and only a few opportunities to get my card number and my super-secret special code. So the requirement of entering a security code has some marginal value.
But as time passes, and my super-secret special code passes over the Internet to more and more retailers, the likelihood that it will be intercepted will increase as well.
What then? Am I given another code, once this interceptible data reaches a critical mass? Is there some important factlet that I’ve missed here, or are our credit card numbers going to get longer and longer and longer, for our greater protection (and increased annoyance)?
Ugh. And not remotely on point, so sorry.
I have a data parity problem with my name. I have had to fight with varous financial institutions about what, exactly, my middle name is. When I married, I took my husband’s last name and moved my maiden name to the middle position. The Social Security Office in its infinite wisdom refused to drop my middle name, and so I am “Suzanne M** D** Meehle” in their system despite the fact that legally my name is “Suzanne D** Meehle.” You would not believe the confusion that has caused, or the number of institutions that, having been given my legal name on every scrap of paper I have filled out for them, insist that I do not know my own middle name.