[2974] in WWW Security List Archive
Re: Can you say "fraud"? (fwd)
daemon@ATHENA.MIT.EDU (David W. Morris)
Wed Sep 18 07:58:15 1996
Date: Tue, 17 Sep 1996 14:15:38 -0700 (PDT)
From: "David W. Morris" <dwm@shell.portal.com>
To: "Kenneth E. Rowe" <kerowe@ncsa.uiuc.edu>
cc: Mary Irene Wise <auntyem@umich.edu>, www-security@ns2.rutgers.edu
In-Reply-To: <9609170959.ZM531@aslan.ncsa.uiuc.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
On Tue, 17 Sep 1996, Kenneth E. Rowe wrote:
> I would assume this is a scam. If the company is legitimate, then it would
> be like other credit bureau companies ... you would be able to review
> information for accuracy, but couldn't request your name be removed.
I would not make that assumption ... quite the opposite ... I've never
heard of a scam with that much infrastructure associated with it.
Setting up 800#s for example just to collect SSANs is hard to imagine.
Further more, I believe the company involved is a well known data
provider.
But scam or not, the notion of an easily available database of the
information described is a real privacy concern. A few years ago,
Lotus was planning to offer a CDROM with abunch of data. Something,
perhaps the public outcry, got them to back down.
I imagine they feel a need to match the caller they have identified
in their records using the SSAN as a key but that really concerns me.
As I understand the legal restrictions, they don't have the right
to acquire individual SSANs because the folks who generally get away
with requesting your SSAN do so in the context of a credit application
or other financial document which isn't supposed to be shared w/o
permission.
Dave Morris
