Eh, this is messy in the sense if you have an older car that you tend to fix yourself it can be useful for them to have your information.
For example I replaced some kind of ignition pack on my car that had a multi year warranty. I had moved since I bought it an long lost the receipt. It started to go out, and I went to the store, gave them my name, and they were able to swap the unit out then and there.
An alternative is to not actually give them your social security number, but a different number that's not likely to collide with an existing customer's. It's not like they run it past a government database to verify.
What damage could an individual suffer because the data a dealer of auto parts holds about them got in the wrong hands?
And is this just a theoretical danger "Someone could use the pieces of data to impersonate you and then run some kind of social engineering attack against you for which the involved companies will reject to compensate you" or did something like this ever happen to someone here among us and resulted in real financial loss?
UPDATE:
So far all answers are of the form "With the SSN, theoretically, someone could impersonate you".
That is what I meant with my "is this just a theoretical danger" question.
But what concrete harm could someone do with your SSN?
Did anybody here on HN ever had something happen to them because someone got hold of their SSN?
> Very few companies have any way to differentiate between "person who has a SSN" vs "someone else who knows that SSN"
Why is USA like this? The SSN thing has felt ridiculous ever since I moved here. “This is your SSN! It is super top secret important information, do not share with anyone ever” … “Oh also please give this number in plaintext to every company under the sun”
What do other countries generally do? I know many have national IDs, but if the USA had a national ID #, wouldn't that just put us in the same bucket as SSN? X.509 certs with public private keys may offer a solution, but I don't think there are many large countries that have adopted anything like that on a nationwide scale?
X.509 certs still have an authority issue with managing their life cycle, something I personally beleive a competent goverment could figure out, though, but I know there are security experts who are skeptical.
Biometrics offer another possible solution, but privacy advocates have been pretty, leery, perhaps for good reason, of mass biometric collection. What countries have successfully adopted a nationwide biometric identification system?
Other soltions?
I certainly agree SSNs as identification is a.complete.joke, but I am not sure the identification problem is completely a solved solution, either.
Oh SSN as identification makes complete sense. But it can’t also be a password, that’s where these things go wrong.
Growing up in Europe you never hear about identity theft as a thing that exists. I think it’s because you have to present official photo ID when signing any serious contracts.
And the liability for checking your identity falls on companies instead of individuals. This makes them care enough that the problem simply goes away.
PS: SSNs get recycled so they’re not only bad as passwords, they also aren’t very good at identification
> Growing up in Europe you never hear about identity theft as a thing that exists.
> And the liability for checking your identity falls on companies instead of individuals. This makes them care enough that the problem simply goes away.
What nonsense, to claim identity theft is a thing that doesn't happen in Europe! People pretend to be other people to access things they shouldn't almost everywhere. It's not a problem that gets solved at a continent level either - the EU alone has 27 separate States with their own legal systems and rules.
I'm not saying it doesn't happen. I'm saying it's not a big part of public consciousness. You don't have movies that use identity theft as a plot point similar to how "teacher becomes meth dealer to pay for health care" wouldn't make sense as a TV show set in Europe.
Forging a government issued identity card or passport to fit your description and biometrics is a very different beast than skimming someone's SSN. You'd only go to that much trouble for some very serious payout potential.
It is almost like SSN should not be used for Identification, it was never designed for that, and officially The SSN card is not an identification document (ID) ... [1]
>>>Very few companies have any way to differentiate between "person who has a SSN" vs "someone else who knows that SSN".
that seems like a them problem, not a me problem. If they accept that as an ID, and then are defrauded for money why can than them make that my problem?
When I worked at a restruant years ago, the owner got in trouble with wages so he started having to pay everyone with a check. This included the mostly illegal immigrant staffed kitchen. This presented a problem as you need their SSN's to have them legally work there to legally report their income.
But the guys in the kitchen didn't flinch. They just went over to the run down part of town, and the next day all came back with fresh new SSNs. These guys had no idea what an SSN was, just that they needed one and that you can pay a guy to give you one. The owner doesn't care because it's not on him to police the legitimacy of the provided ssns.
So you end up with a bunch of people whose IDs were stolen having to wrangle with the IRS to not get taxed on the pay for a line cook or dishwasher. Totally idiotic and outdated system.
With the exception of current and ex. employees (for which Autozone needs the SSN to withhold tax for the IRS) why would Autozone have the SSN of any customer?
I don't believe I've ever bought any car parts or supplies from Autozone, but I do buy from Advance Auto (they have retail stores near me) and I have never given Advance Auto my SSN to make a purchase (and if the clerk were to have asked, I'd refuse in any case).
Or, does Autozone have an Autozone co-branded credit card with a bank, and these 187k are those who have the Autozone credit card? That would be the only reason I can think of why Autozone would have customer SSN's. The SSN's of those customers that applied for the co-branded credit card.
It isn't clear from the article that this leak isn't just current and past employees. They certainly have that many current and somewhat recent past employees. They may also have SSNs for folks who have commercial accounts. Commercial charge accounts often come with better pricing that a normal retail sale.
I doupt they had been collecting retail customers SSNs on a large scale.
It did leak SSNs for sure. I assume it leaked info about purchases, which would could give you car make/model/year. It could have leaked things like credit card info also.
Consider those questions many services use to verify identity...things like cars you used to own, past addresses, banking relationships, etc. The leak could have exposed some of that directly or indirectly (like cc# include BIN, which gives a name of a bank you're associated with).
Most of this information (with the possible exception of the SSNs) is readily available from data brokers. How do you think those auto warranty scam companies know exactly when your (legitimate) auto warranty expires? They bought the information from a data broker or sometimes directly from your state's MVD.
Maybe not 'financial loss' but my encounter with identity theft cost me around 350 hours of labor to resolve. And I know I wrote 'resolve' but quite frankly there is no end point. Checking the mailbox continues to be a stressful part of the day because it can come back anytime.
Generating paper trails, arguing with call center people, waiting in line at the courthouse, etc. And that's just what I tracked for myself, not other related people like clerks and bankers that needed to research my case.
While I was swimming in that circle I heard about people who suddenly found warrants out for their arrest and shit, too. Don't let other people do fraud with your name, fraud is a crime and the man wants to nail someone for that crime.
Also protip: If you aren't with a 'dedicated internet bank', then change banks to somewhere local after you move. I thought I was sitting pretty with PNC's special out of market HYSA rates until they decided they needed me in their branch which was not very convenient since the nearest branch is about 400 miles away. This turned out not to be a very good security boundary because they also told my thief to come to the branch, and he did and got everything squared away for himself. Still resulted in PTO usage for no good reason on my end.
This isn't the first time they were hacked, and it won't be the last. There are no repercussions here aside from some process shit around notifying folks (that companies get better at doing the more times they are breached...!).
We need laws with teeth similar to HIPAA for personal data usage.
These stories makes me wonder why no standard for keeping customer data has been developed. I mean a company needs my data when I buy something from them and then again when they have to pay taxex. Do they need to have my full info with name, email and phone number? I could send them the same info again if I want to buy something again .. they could keep some hash or unique id used to check that it's really me.
At this point, we should just make the name -> SSN mapping public information by some deadline. They’ve proven to be an uncontrollable secret time and again. The answer is to make SSNs completely worthless to fraudsters.
They're already public, including the name map. Nothing difficult needs to happen other than to convince the general public -- and institutional support staff -- that SSNs are not private information which can be used to securely verify a person's identity.
I think you're pushing upon an idea that's philosophically more significant than "how do we fix/replace SSNs". We really need to start talking about how to verify who a human actually is. I don't see a future where we just have to remember some shitty, leakable password when more and more things are entering some sort of password-based trust system.
I have no ideas for implementation, I just think we're having the wrong conversation.
You might sometimes see people say that a SSN is both a username and a password. What they mean is that it’s used both for unique identification as well as authentication; imagine if your email address was also necessarily the password for your email. There’s nothing wrong with having the identifier. What’s wrong is treating the identifier as though only the person it identifies knows it, which is patently false because that would make it useless as an identifier.
As for what I’d do instead: create an application that is fully managed by the IRS and let me login with some combination of a client certificate, password, U2F device, TOTP, et. al. Have the IRS securely implement something like OAuth (I hear “securely” doesn’t quite fit with “OAuth” but they could implement something custom-built if they want to) so I can get the IRS to tell whoever I need them to tell that I am me.
Ideally, replace IRS with a purposeful identification organization for these purposes and let the IRS use what this new organization gives them.
Its beyond disgusting the banks and corporations and government have gaslit people into believing identity theft and the fraud derived therin is in any sense "YOUR problem, not OUR problem". I would never lift a finger and sue the fuck out of them in parallel both in the court of public opinion and the Court of real opinion (the Courts).
42 comments
[ 3.2 ms ] story [ 103 ms ] threadFor example I replaced some kind of ignition pack on my car that had a multi year warranty. I had moved since I bought it an long lost the receipt. It started to go out, and I went to the store, gave them my name, and they were able to swap the unit out then and there.
What damage could an individual suffer because the data a dealer of auto parts holds about them got in the wrong hands?
And is this just a theoretical danger "Someone could use the pieces of data to impersonate you and then run some kind of social engineering attack against you for which the involved companies will reject to compensate you" or did something like this ever happen to someone here among us and resulted in real financial loss?
UPDATE:
So far all answers are of the form "With the SSN, theoretically, someone could impersonate you".
That is what I meant with my "is this just a theoretical danger" question.
But what concrete harm could someone do with your SSN?
Did anybody here on HN ever had something happen to them because someone got hold of their SSN?
Very few companies have any way to differentiate between "person who has a SSN" vs "someone else who knows that SSN".
> some kind of social engineering attack
It's not really even social engineering at that point. It would take a lot of work to convince a company that person was not who they claimed to be.
Why is USA like this? The SSN thing has felt ridiculous ever since I moved here. “This is your SSN! It is super top secret important information, do not share with anyone ever” … “Oh also please give this number in plaintext to every company under the sun”
X.509 certs still have an authority issue with managing their life cycle, something I personally beleive a competent goverment could figure out, though, but I know there are security experts who are skeptical.
Biometrics offer another possible solution, but privacy advocates have been pretty, leery, perhaps for good reason, of mass biometric collection. What countries have successfully adopted a nationwide biometric identification system?
Other soltions?
I certainly agree SSNs as identification is a.complete.joke, but I am not sure the identification problem is completely a solved solution, either.
Growing up in Europe you never hear about identity theft as a thing that exists. I think it’s because you have to present official photo ID when signing any serious contracts.
And the liability for checking your identity falls on companies instead of individuals. This makes them care enough that the problem simply goes away.
PS: SSNs get recycled so they’re not only bad as passwords, they also aren’t very good at identification
> And the liability for checking your identity falls on companies instead of individuals. This makes them care enough that the problem simply goes away.
What nonsense, to claim identity theft is a thing that doesn't happen in Europe! People pretend to be other people to access things they shouldn't almost everywhere. It's not a problem that gets solved at a continent level either - the EU alone has 27 separate States with their own legal systems and rules.
Forging a government issued identity card or passport to fit your description and biometrics is a very different beast than skimming someone's SSN. You'd only go to that much trouble for some very serious payout potential.
According to this official EU website, identity theft is certainly a thing in Europe. https://www.enisa.europa.eu/publications/enisa-threat-landsc...
>>>Very few companies have any way to differentiate between "person who has a SSN" vs "someone else who knows that SSN".
that seems like a them problem, not a me problem. If they accept that as an ID, and then are defrauded for money why can than them make that my problem?
[1]https://secure.ssa.gov/poms.nsf/lnx/0110201065
They will have lots of help making it your problem, from collections agents and courts and eventually the police.
> SSN should not be used for Identification
I agree that it shouldn't, but it is.
But the guys in the kitchen didn't flinch. They just went over to the run down part of town, and the next day all came back with fresh new SSNs. These guys had no idea what an SSN was, just that they needed one and that you can pay a guy to give you one. The owner doesn't care because it's not on him to police the legitimacy of the provided ssns.
So you end up with a bunch of people whose IDs were stolen having to wrangle with the IRS to not get taxed on the pay for a line cook or dishwasher. Totally idiotic and outdated system.
I think there is an employer obligation: https://www.uscis.gov/i-9-central/form-i-9-resources/handboo...
> AutoZone revealed that cybercriminals have stolen information, including social security numbers
So it’s more than just information about purchases.
With the exception of current and ex. employees (for which Autozone needs the SSN to withhold tax for the IRS) why would Autozone have the SSN of any customer?
I don't believe I've ever bought any car parts or supplies from Autozone, but I do buy from Advance Auto (they have retail stores near me) and I have never given Advance Auto my SSN to make a purchase (and if the clerk were to have asked, I'd refuse in any case).
Or, does Autozone have an Autozone co-branded credit card with a bank, and these 187k are those who have the Autozone credit card? That would be the only reason I can think of why Autozone would have customer SSN's. The SSN's of those customers that applied for the co-branded credit card.
I doupt they had been collecting retail customers SSNs on a large scale.
Consider those questions many services use to verify identity...things like cars you used to own, past addresses, banking relationships, etc. The leak could have exposed some of that directly or indirectly (like cc# include BIN, which gives a name of a bank you're associated with).
https://www.vice.com/en/article/43kxzq/dmvs-selling-data-pri...
Separately, I think the general public now has really high "cyber incident fatigue". It happens so often that nobody cares anymore.
Generating paper trails, arguing with call center people, waiting in line at the courthouse, etc. And that's just what I tracked for myself, not other related people like clerks and bankers that needed to research my case.
While I was swimming in that circle I heard about people who suddenly found warrants out for their arrest and shit, too. Don't let other people do fraud with your name, fraud is a crime and the man wants to nail someone for that crime.
Also protip: If you aren't with a 'dedicated internet bank', then change banks to somewhere local after you move. I thought I was sitting pretty with PNC's special out of market HYSA rates until they decided they needed me in their branch which was not very convenient since the nearest branch is about 400 miles away. This turned out not to be a very good security boundary because they also told my thief to come to the branch, and he did and got everything squared away for himself. Still resulted in PTO usage for no good reason on my end.
We need laws with teeth similar to HIPAA for personal data usage.
Why is this so hard?
What would you do instead of SSN? Or how would you change the process of providing a number for income tax purposes?
I have no ideas for implementation, I just think we're having the wrong conversation.
As for what I’d do instead: create an application that is fully managed by the IRS and let me login with some combination of a client certificate, password, U2F device, TOTP, et. al. Have the IRS securely implement something like OAuth (I hear “securely” doesn’t quite fit with “OAuth” but they could implement something custom-built if they want to) so I can get the IRS to tell whoever I need them to tell that I am me.
Ideally, replace IRS with a purposeful identification organization for these purposes and let the IRS use what this new organization gives them.
We could easily avoid this mess of PII honeypots by repealing the federal income tax. The country was not founded with a claim on your labor.