Security's Everyman

Tuesday, January 23, 2007

Did they really think this through?

Martin writes about a new service being offered that allows you to search for your SS# or CC# to see if it has been stolen or compromised. When I saw this I had to drop what I was doing and post about it. Not because it's BIG news, but because I want as many people as possible to know about this so they can warn their friends. Not because I think the guys who are running it are trying to scam anyone, but because it does two things. First, as Martin said, it's another database that has the potential to be breached. Second, it encourages people to give out information that they don't need to be giving out.

The site is

As I said, I'm sure they have good intentions, but I'm not liking the way they are going about it. The site has a Verisign SSL Cert, is a service of TrustedID and is endorsed by the Identity Theft Resource Center. All of these are great organizations that work to keep us secure, but I still don't like it.


Anonymous said...

My first reaction was similar; why encourage this kind of thing? Personally, I'm wondering how many people will be willing to give such info to a Web site run by a company that they almost certainly have never heard of. Some will, of course, and perhaps some is too many. But I'm doubtful this will become popular. More on my own blog here:

cdman83 said...

Hello. As you can read on my blog, I'm very surprised that they didn't mention the fact that they only store a hash of the information. I see two cases: (a) they do, but the marketing suit who wrote the FAQ didn't know this or had no idea about the security implications of this method, or (b) they don't, in which case panic, since the people protecting your information are dumb!

As you can read in my blog posting, hashing isn't a 100% (or even 50%) solution, but if they had mentioned it, I would know that they did at least some thinking before putting this live.

Scott Mitic said...

Hello. In the past few days, we’ve seen thousands of people make comments about our StolenID Search service. We appreciate everyone who sees value in the service as well as those who have questions.

We feel that it makes good sense to help address all those questions in one common forum. Please visit our TrustedID blog (link below), as a venue to find answers to your questions/concerns related to our new service.

Scott Mitic
CEO, TrustedID

