My post about the VA Fiasco of losing 26 million personal records (including mine) has struck a chord with some. I thought I would take the time to clarify some things:
1. Emergent Chaos posted a specific response in The Persistence of SSNs, and The Persistence of Theives [sic], reproduced here (in italics) with my commentary (preceded by ‘PL’):
Pete Lindstrom, who knows a good phrase when he reads one, puts forward the claim that the theft of veterans SSNs doesn’t put them at increased risk of fraud.
PL: This is inaccurate. I have stated twice (in the post and in a follow-on comment) that I believe the risk is likely increased. Chris Walsh at Emergent Chaos was the one who brought up the notion that it may have actually decreased (in the comments section), and I find that idea compelling though I am not sold on it.
His basic argument is that there’s a lot of people out there with access to lots of SSNs, and monetizing an SSN takes effort.
PL: Close enough.
He’s right. Monetizing an SSN does take effort. But the SSNs don’t really expire. If the people who stole them know what they have, they have years in which to exploit the data. The best way to do that is to wait a year or two for the news to disappear, the credit monitoring to go away, and the pickings to get easy.
PL: EC is right, SSNs don’t expire. That is why hundreds of thousands of people with access to SSNs will always have the opportunity to commit identity fraud in today’s environment and one or a handful more don’t make much of a difference, and why we need a better authentication scheme that refutes the current notion that SSNs are secret.
If this were credit cards, we could just re-issue them. The lack of compartmentalization around SSNs which makes them convenient identifiers, also means they’re hard to change.
PL: They should be hard to change, that is what gives the SSN value. There is no reason to change an SSN as identifier; there is every reason to change the way SSNs are used as authenticators.
I don’t know why Pete thinks that entrepreneurial criminals won’t rise to the challenge of monetizing a large fraction of a motherlode of ore. There are criminal syndicates who do this already. They’ll scale. If they don’t, other syndicates will show up who will scale.
PL: I don’t know who would pay money for this stuff (at least for identity fraud purposes) given the ubiquitous availability of enough SSNs to go around. Any thief knows they are better off with a clear knowledge of their victim, and it isn’t clear they have that with this information. The risk of identity fraud is real, that is why we need to eliminate use of SSN as authenticator (have I mentioned that before? ).
I look forward to hearing from Pete or Mike Rothman, who wrote "there is no way the bad guys can get to all 26 million records." Next you’ll be telling me that bad guys couldn’t exploit hundreds of thousands of pwned home computers, the management tools are too hard to create.
PL: scaling with computers for trivial reasons is not hard. Scaling with humans can be difficult and/or unnecessary.
2. Michael Farnum writes in the comments:
I think it is more than obvious that the actual percentage chance that I, as a veteran, will get hit with ID theft because of this is low. That has never been the issue. The issue is that there are 26 million veterans who now have their ID floating around somewhere, and it was a preventable event. The sheer stupidity and cluelessness of the VA to not have something in place to prevent this type of problem is the real issue. If someone is creating FUD around this, then shame on them. But don’t discount that this is a real problem that needs to be fixed. By saying that the percentage chance is low is (to some people) tantamount to saying this theft is no big deal and we shouldn’t worry about it.
The VA is making changes, and that is good. But don’t you think your comments could cause some people to relax and reduce the pressure on elected officials and the VA to make something happen to fix this? This DOES NOT need to disappear, whcih is what I am afraid will happen if people start producing arguments such as yours.
I am well aware that in today’s society we may need to make a bigger issue of something simply to elicit what we would consider a reasonable response. To be honest, I struggle with it – do the ends justify the means or not? Currently, I am an advocate of providing clear evidence for each person to decide for themselves without (potentially) being fooled by us.
I agree that the VA needs some better practices, but make no mistake – this stuff is HARD. It constantly surprises me that people think a wave of the magic wand would solve the problem. It isn’t true.
We have made our own bed here by allowing inappropriate use of the SSN (as authenticator) because everyone thinks it is a secret. This issue could easily disappear (wrt identity fraud at least) if there were no way for the SSN to be used inappropriately to begin with. It is a much easier solution, actually, than somehow attempting to police all access to- and use of- SSNs by all.
3. Mike Rothman at Security Incite has a trackback that appears incorrectly linked. Since he agrees with me, I thought I would provide the correct link here .
4. I am a veteran. It is my record, too.
I really don’t want to get into a tit for tat here, but I have to say that I never said fixing the issue was going to be easy (if that comment was directed at me). I am a security practitioner, so I am well aware of the difficulties of securing a network and stopping stupid people from doing stupid things, magic wand or not.
However, none of that has any bearing on the original point. We do NOT need to down play this issue, and stating that this is not posing much of a danger to vet’s may have that exact effect. The point that SSN’s are easily accessible is not news to security professionals. So by pointing that out to a reading audience of (I suspect) security professionals, you are not giving us anything earth-shattering. It is not that the SSN’s are out there. The issue is that IT HAPPENED. If that data can get out, so can some stuff that is really dangerous (in fact, the VA has admitted that other data besides SSN’s, etc was on the laptop). The pressure on the VA needs to be kept high.
I sincerely thank you for your service from a brother-in-arms.