Friday, February 23, 2007

Personal Information: Beware the search session

The New York Times has an article on a new service, StolenIDSearch.com, sponsored by TrustedID. You can search for your social security or credit card numbers to see if they're already floating about the Internet:

TrustedID, a company that sells services to consumers to give them more control over who sees their credit reports, has compiled a database of compromised numbers that could already be traded or sold on the Internet.

It has created an online search tool, StolenIDSearch.com, where people can check at no cost to see if their number is one that is in a too-public domain.

TrustedID said that about 220,000 people have tested their numbers in the three weeks since the site has been open to the public.

The Social Security number remains the personal identifier not only for government documents, but for credit applications and medical records, as well as video and cellphone stores.

I went there and typed in my SSN -- according to them, it hasn't been hacked. I was going to type in my credit card number for a similar check, when I stopped and thought, "they have a search session ID on me -- and if I type that number in now, they'll have associated that CC number with that SSN. This is Not A Good Thing."

A problem with the modern world is that databases are everywhere, forever, and creating an a-->b-->c-->d linkage when you've got highly distinct key values (like these ID numbers) is just way too easy. Even with the best will in the world toward TrustedID, I don't think I'll hand them that particular linkage on a whim and implicit trust of the NYTimes.

This same fact is, of course, at least half the reason the modern world works so well -- but it's important that we're all aware that the downside has teeth, too.
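The linkage described above, as an added example that is not part of the original post: a constructed search log keyed by session ID, clustered so that identifiers sharing a session, and sessions sharing an identifier, collapse into one profile. It goes one step past the SSN-plus-card case to show the a-->b-->c chain. The log format, the session names, the "phone" field and all values are assumptions for illustration and say nothing about how StolenIDSearch.com actually stores queries.

```python
from collections import defaultdict

# Constructed sample log: (session_id, identifier_type, value). All values are fake.
SEARCH_LOG = [
    ("sess-1", "ssn", "000-00-0001"),
    ("sess-1", "cc", "4000-0000-0000-0001"),   # same session as the SSN above
    ("sess-2", "cc", "4000-0000-0000-0001"),   # later visit, same card...
    ("sess-2", "phone", "555-0100"),           # ...now tied to a phone number
    ("sess-3", "ssn", "000-00-0002"),          # SSN checked alone
    ("sess-4", "cc", "4000-0000-0000-0002"),   # card checked in a separate session
]

def link_profiles(log):
    """Cluster identifiers that are connected through shared sessions (union-find)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    first_in_session = {}
    for session_id, id_type, value in log:
        key = (id_type, value)
        anchor = first_in_session.setdefault(session_id, key)
        parent[find(key)] = find(anchor)    # union with the session's first identifier

    clusters = defaultdict(set)
    for key in list(parent):
        clusters[find(key)].add(key)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0])

def linked(log):
    """Only the clusters that tie two or more distinct identifiers together."""
    return [c for c in link_profiles(log) if len(c) > 1]

if __name__ == "__main__":
    for profile in link_profiles(SEARCH_LOG):
        print(" <-> ".join(f"{t}:{v}" for t, v in profile))
```

The SSN and card entered in separate sessions (sess-3, sess-4) stay unlinked in this log; the pair entered together pulls in the phone number from a later session through the shared card.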

As an aside -- this demonstrates the continuing value of journalistic trust. If I'd read that article on RandomInternetNewsSite, I wouldn't have clicked through and entered my SSN at all. I assume the Times has checked these guys out, and that they're fairly legit.

Of course, I assumed that the Times had checked out Dick Cheney and WMDs in Iraq, too :-(
