100% Followup

My post about the VA Fiasco of losing 26 million personal records (including mine) has struck a chord with some. I thought I would take the time to clarify some things:

1. Emergent Chaos posted a specific response in The Persistence of SSNs, and The Persistence of Theives [sic], reproduced here (in italics) with my commentary (preceded by ‘PL’):

Pete Lindstrom, who knows a good phrase when he reads one, puts forward the claim that the theft of veterans’ SSNs doesn’t put them at increased risk of fraud.

PL: This is inaccurate. I have stated twice (in the post and in a follow-on comment) that I believe the risk is likely increased. Chris Walsh at Emergent Chaos was the one who brought up the notion that it may have actually decreased (in the comments section), and I find that idea compelling though I am not sold on it.

His basic argument is that there’s a lot of people out there with access to lots of SSNs, and monetizing an SSN takes effort.

PL: Close enough.

He’s right. Monetizing an SSN does take effort. But the SSNs don’t really expire. If the people who stole them know what they have, they have years in which to exploit the data. The best way to do that is to wait a year or two for the news to disappear, the credit monitoring to go away, and the pickings to get easy.

PL: EC is right, SSNs don’t expire. That is why hundreds of thousands of people with access to SSNs will always have the opportunity to commit identity fraud in today’s environment and one or a handful more don’t make much of a difference, and why we need a better authentication scheme that refutes the current notion that SSNs are secret. 

If this were credit cards, we could just re-issue them. The lack of compartmentalization around SSNs, which makes them convenient identifiers, also means they’re hard to change.

PL: They should be hard to change, that is what gives the SSN value. There is no reason to change an SSN as identifier; there is every reason to change the way SSNs are used as authenticators. 

I don’t know why Pete thinks that entrepreneurial criminals won’t rise to the challenge of monetizing a large fraction of a motherlode of ore. There are criminal syndicates who do this already. They’ll scale. If they don’t, other syndicates will show up who will scale.

PL: I don’t know who would pay money for this stuff (at least for identity fraud purposes) given the ubiquitous availability of enough SSNs to go around. Any thief knows they are better off with a clear knowledge of their victim, and it isn’t clear they have that with this information. The risk of identity fraud is real, that is why we need to eliminate use of SSN as authenticator (have I mentioned that before? ;-) ). 

I look forward to hearing from Pete or Mike Rothman, who wrote "there is no way the bad guys can get to all 26 million records." Next you’ll be telling me that bad guys couldn’t exploit hundreds of thousands of pwned home computers, the management tools are too hard to create.

PL: Scaling with computers for trivial reasons is not hard. Scaling with humans can be difficult and/or unnecessary.

2. Michael Farnum writes in the comments:

I think it is more than obvious that the actual percentage chance that I, as a veteran, will get hit with ID theft because of this is low. That has never been the issue. The issue is that there are 26 million veterans who now have their ID floating around somewhere, and it was a preventable event. The sheer stupidity and cluelessness of the VA to not have something in place to prevent this type of problem is the real issue. If someone is creating FUD around this, then shame on them. But don’t discount that this is a real problem that needs to be fixed. By saying that the percentage chance is low is (to some people) tantamount to saying this theft is no big deal and we shouldn’t worry about it.

The VA is making changes, and that is good. But don’t you think your comments could cause some people to relax and reduce the pressure on elected officials and the VA to make something happen to fix this? This DOES NOT need to disappear, which is what I am afraid will happen if people start producing arguments such as yours.

I am well aware that in today’s society we may need to make a bigger issue of something simply to elicit what we would consider a reasonable response. To be honest, I struggle with it – do the ends justify the means or not? Currently, I am an advocate of providing clear evidence for each person to decide for themselves without (potentially) being fooled by us.

I agree that the VA needs some better practices, but make no mistake – this stuff is HARD. It constantly surprises me that people think a wave of the magic wand would solve the problem. It isn’t true.

We have made our own bed here by allowing inappropriate use of the SSN (as authenticator) because everyone thinks it is a secret. This issue could easily disappear (wrt identity fraud at least) if there were no way for the SSN to be used inappropriately to begin with. It is a much easier solution, actually, than somehow attempting to police all access to, and use of, SSNs by all.

3. Mike Rothman at Security Incite has a trackback that appears incorrectly linked. Since he agrees with me, I thought I would provide the correct link here ;-) .

4. I am a veteran. It is my record, too.

1 comment for “100% Followup”

  1. June 4, 2006 at 1:24 pm

    I really don’t want to get into a tit for tat here, but I have to say that I never said fixing the issue was going to be easy (if that comment was directed at me). I am a security practitioner, so I am well aware of the difficulties of securing a network and stopping stupid people from doing stupid things, magic wand or not.

    However, none of that has any bearing on the original point. We do NOT need to downplay this issue, and stating that this is not posing much of a danger to vets may have that exact effect. The point that SSNs are easily accessible is not news to security professionals. So by pointing that out to a reading audience of (I suspect) security professionals, you are not giving us anything earth-shattering. It is not that the SSNs are out there. The issue is that IT HAPPENED. If that data can get out, so can some stuff that is really dangerous (in fact, the VA has admitted that other data besides SSNs, etc. was on the laptop). The pressure on the VA needs to be kept high.

    I sincerely thank you for your service from a brother-in-arms.
