3

Various financial institutions, government agencies, etc., use public records information to confirm people's identities, as touched upon in "UPS my choice -- How can I access my public records?" The information often includes relatives, past addresses, banks that have serviced your loans, cars you've owned, etc.

By definition, if the information is obtained from publicly-available records, anyone should be able to look up this information. I understand that it prevents random strangers from casually guessing my information and cracking my account, but I see ads all the time for $40 instant public records background checks.

If someone wants to break into my financial accounts or download my tax returns and steal my identity, what's to stop them from just searching public records themselves or buying a report? Maybe decades ago it was more difficult to search public records because you had to physically travel around and/or make a lot of phone calls. But in an age when almost everything is instantly searchable, how and why are public records considered "secure enough" to confirm anyone's identity?

rob
  • I would disagree that public records are "secure enough" to confirm anyone's identity. They are used primarily as you have concluded which is to simply add one more layer of protection. Several sets of public records, however, would have to be accessed. But really, anyone with insider information gathered from social media or direct contact could spoof an identity verified via the UPS Security Quiz. The risk, however, is primarily to the first package that goes astray. – Val May 27 '15 at 20:09
  • 4
    Because there isn't any other easy way. Passwords, certificates, OTP tokens, etc can be lost/forgotten. Once that happens there isn't anything else you can use to remotely verify the identity of the person. –  May 27 '15 at 20:11
  • 2
    It's an interesting debate space you're opening up, Rob. However it would be easier to discuss the pros and cons of public records *objectively* if you could give a specific context of application: who needs to authenticate you, and who needs or want to impersonate you? – Steve Dodier-Lazaro May 28 '15 at 00:03
  • I think they are still safe, because you can't just change these things with a few clicks but rather have to go physically to a location to do that, and at least in Brazil, anyway, much less information is public (I think in reality it is almost nothing). But no, it's not hard to find this kind of info and spoof your identity if there is no more authentication... Interesting sites you could see are http://www.spokeo.com/ and http://lifehacker.com/329033/how-to-track-down-anyone-online – Freedo May 28 '15 at 01:11
  • 1
    @Val a few cases in which I've had to verify my identity via information obtained from public records were to create a user account, view my credit or loan history, or apply for credit. In these cases the public records-based questions were not an additional layer of authentication; they were basically the only layer of authentication. I agree with you that information obtained from public records should *not* be considered secure enough, but it seems to me that many institutions do consider it secure enough. – rob May 28 '15 at 04:50
  • @SteveDL I'm not sure I follow why it's necessary to reduce the scope; but for the sake of argument, let's go with the most likely scenario and say a bank needs to authenticate me for the purpose of granting access to the funds in my account or to issue a credit line, and an identity thief wants to impersonate me. – rob May 28 '15 at 04:58
  • 1
    @rob, I was responding specifically to the UPS scenario. I went through a similar "security quiz" (those are air-quotes) when I signed up with the Social Security office. If a person knew my address he could have seen the answer to one of the questions from Google Maps. In regards to UPS, at least UPS had an option which was unmentioned in the question which was the sending of a token via SMS text. The problem with "what you have" type authentication questions is that they are too easily turned into "what you know" questions. (Quick! Somebody kick the soap box away.) – Val May 28 '15 at 14:01

1 Answer

3

You ask how and why information about you is "secure enough" to serve as an authenticator. The answer is, it's not.

Identifiers must be unique, and there must not ever be a need to change an identifier.

Authenticators need not be unique and must be changeable if the authenticator is compromised. Further, authenticators must not be researchable.

So, example: the SSN is a dandy identifier; it's (supposed to be) unique and seldom if ever changed. It's a terrible authenticator. Literally thousands of people have legitimate access to your SSN and mine: bank, employer, stockbroker, IRS, and others.

Similarly, you cannot (legitimately) change your birth date, mother's maiden name, bank that services your loan of 2005, your first car, and all those other things that people sometimes try to use as authenticators. And they're all researchable.

That, relying on researchable authenticators, is how the IRS managed to give 100,000 tax returns to scammers earlier this year.

Bob Brown