I don’t get it – why are we asking people to put their credit card numbers and social security number into StolenIDSearch.com?
(It’s a site which claims it will search the Internet and files containing lists of exploited accounts/numbers).
Practically everyone in the industry has been persuading wider society not to put this kind of information into unusual sites. All of that education goes out the window as suddenly the tune is changed.
The design is fancy, it’s “brought to you by TrustID” (whoever they are) and has a “VeriSign Secured” logo on the front page. But that means nothing – even the VeriSign Secured graphic could be fake.
Before anyone asks, this company is genuine with what it is claiming to do. It will search their records and it will help (read: charge) you to sort things out if the worst is discovered.
But asking users to enter their credit card number and SSN as the very first interaction with the site begins to break down the message we’ve been continually reinforcing with the wider public: only give your social security number or credit card number to sites you know (like an online retailer or bank, etc).
Where are they looking?
According to the FAQ:
“The information that powers StolenID Search is found online, by looking in places where fraudsters typically trade or store this kind of information. All information behind StolenID search is publicly available, but not in places where search engines such as Yahoo and Google would look. TrustedID abides by all state and federal laws in the collection and provision of this compromised information.”
Now, I can understand why they are not simply releasing the lists publicly for people to check against – the volume of potentially still-valid numbers in those lists would ultimately empower the fraudsters more than it empowers the users.
However, seeing as it’s easy to work out which bank a card originates from via the first few digits of the account number, why not simply hand over these lists to the financial institutions (and the United States Treasury Department/Social Security Administration in the case of the SSNs) to let them sort it out? I bet Mastercard, Visa, AmEx and Co would not only be very happy to take such a list off their hands, but reward them for it too.
Another benefit of the direct approach would be all those poor people who don’t know about the site or don’t use the Internet – they would benefit from the detection of their card number too.
I’m all for using the affordances of the Internet to create new business opportunities. But sometimes there isn’t really a business to be had – and this seems like one of them.
If my credit card number is discovered in one of those lists I need to call my bank, not pay some company called ‘TrustID’ $10 to sort it out. And those lists would be better handed over directly to the financial authorities in the first place anyway.
Clearly the ‘Intel Insider’ powering this operation is the way in which they are able to mine the data from the underground regions of the Internet – but that sounds like an (admittedly less lucrative) consultancy role for the credit card firms, not an end-user service.
How do I find out if my ID has been stolen? I do not understand how or where this can be done.
I was about to use the StolenIDSearch engine, but after reading your article, it just does not make sense to do so.
I will keep my own eye on personal accounts and work with my own bank regarding security of my credit card and other banking information.
Thanks!
Ron
Thomas – unless you begin to see signs of actual ID theft – like credit reports stating you have bad credit, etc – then there is no sure-fire way of knowing whether your ID has been stolen.
If people steal your ID they’re going to keep it to themselves until they intend to ‘use it’ – which is why it is dubious that StolenIDSearch are able to claim they can search these lists. They might have found _some_ of them, but clearly only a very few.
I could work at a cell phone shop, discreetly copying everyone’s Social Security Number from their contract application forms, and sharing that list privately with my organized crime buddies in Russia… Your ID has been stolen but how would a search engine like StolenIDSearch ever know?
Ron – I think this is the best course of action to take. That and be mindful as to who you give your ID, esp Social Security Number (if you’re in America), to.
I declined to give my SSN when I was setting up an account (non-financial) somewhere. They wanted to have it as the answer to a secret question, should I forget my password. I didn’t feel that disclosing my SSN (along with my address) was worth the risk so I declined.
I first learned of this stolenidsearch.com website from a TV show (tech trend or something?) aired this past weekend on NBC. I went to the site and was tempted to give it a try to find out, but stopped for the same reason you mentioned in your article. Now I know the reason they were mentioned in the TV show is merely another paid advertisement in the guise of bringing end users the latest techno trend.