funsec mailing list archives

Re: Re[4]: The end of Phishing in sight?


From: "Dr. Neal Krawetz" <hf () hackerfactor com>
Date: Wed, 19 Oct 2005 11:33:57 -0600 (MDT)

On Tue Oct 18 21:00:41 2005, Aditya Deshmukh wrote:

DFC> Why is ID theft a non-issue in Europe?

There are many many differences in the way social security works - my
social security number/card won't get you anywhere. You can't do
anything with any of my bank account numbers, 

This I find really disturbing - anyone with an account number can do a 
lot of things without the signature of the account holder. And there are 
thousands of ways to get the account number.

The social security number is only required by businesses when the 
transaction amount is over $5000.

Has anyone tried to give false numbers where it is not legally required?
Does this work over there in the US?

I use an EIN instead of my SSN.
(EIN = employment identification number.)
Anyone with an SSN can get an EIN in about 10 minutes from the SSA.
Here's how the process works:
  - Download the EIN form.
    http://www.irs.gov/businesses/small/article/0,,id=98350,00.html
  - Fill it out.
  - Call the 1-800 number.
  - Read to the operator what you entered into each box.
  - They will tell you your new EIN and send you a confirmation letter later.

You are supposed to have a business reason for getting an EIN.
(And I do have one.)  But truthfully, anyone asking can get one.
If you need to give a company name and don't have one handy, give
"Your name, sole proprietor".  Many times, they don't ask.
(Or pay $5/yr for a registered trade name...)

The neat thing about an EIN (or so I'm told -- I have not yet been in
a position to actually test all of these):

  - It looks like an SSN.  (Usually written with different hyphen positions,
    but it just looks like an SSN.)

  - It can be used to open new bank accounts.
    BUT: most still want an SSN to verify the person opening the account.
    The EIN becomes the registered account identity.  (This is how you open
    a corporate bank account.)  BUT: The SSN does not need to be related
    to the EIN!

  - An EIN cannot be used to open a new credit card or establish a line of
    credit.  I'm told that "credit ratings" are not associated with EINs.
    Using an EIN to purchase a car won't work -- so cashing out for carders
    becomes difficult.  (For anyone with a corporate credit card, I'm sure
    you remember giving them your SSN to link to the card...  That's because
    an EIN won't work.)

  - It can be used almost anywhere an SSN can be used.
    Tax records, 1099, etc. are fine -- just specify the EIN.
    (Good for business partners that are explicitly not trustworthy.)

  - The IRS keeps a link from SSN to EIN, but not from EIN to SSN.
    This means, stealing an EIN only compromises the EIN and not the
    entire SSN.  They can compromise my EIN number, but not steal my
    identity.
    (Then again, if you're a big company like IBM, then having your EIN
    stolen can be VERY bad...)

  - Resolving a stolen EIN is much easier than resolving a stolen SSN.
    (One phone call, and no credit bureaus.)

If I'm wrong about any of this, I'm sure someone will tell me. :-)

Do any European countries (or anywhere else besides the USA) have a
concept similar to an EIN?

                                        -Neal
--
Neal Krawetz, Ph.D.
Hacker Factor Solutions
http://www.hackerfactor.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

