The Persistence of SSNs, and The Persistence of Thieves
Pete Lindstrom, who knows a good phrase when he reads one, puts forward the claim that the theft of veterans SSNs doesn’t put them at increased risk of fraud. His basic argument is that there’s a lot of people out there with access to lots of SSNs, and monetizing an SSN takes effort.
He’s right. Monetizing an SSN does take effort. But the SSNs don’t really expire. If the people who stole them know what they have, they have years in which to exploit the data. The best way to do that is to wait a year or two for the news to disappear, the credit monitoring to go away, and the pickings to get easy.
If this were credit cards, we could just re-issue them. The lack of compartmentalization around SSNs which makes them convenient identifiers, also means they’re hard to change.
I don’t know why Pete thinks that entrepreneurial criminals won’t rise to the challenge of monetizing a large fraction of a motherlode of ore. There are criminal syndicates who do this already. They’ll scale. If they don’t, other syndicates will show up who will scale.
I look forward to hearing from Pete or Mike Rothman, who wrote “there is no way the bad guys can get to all 26 million records.” Next you’ll be telling me that bad guys couldn’t exploit hundreds of thousands of pwned home computers, the management tools are too hard to create.
[Fixed headline. Thanks Pete.]