Dark Reading is part of the Informa Tech Division of Informa PLC


9/11/2007
05:38 PM

Do Not Ask Your Customers for Their Social Security Numbers

Do you want to make potential and existing customers feel secure? If so, one item that you need to avoid is asking them for their Social Security numbers. A poll by Consumer Reports National Research found that close to nine of every ten Americans want state and federal lawmakers to pass laws restricting the use of Social Security numbers. So if you want consumers coming back and ordering products from your Web site, you can ask them for many things, just not their Social Security numbers.

Consumers are leery of handing over their Social Security numbers because they may fall victim to identity theft. Unfortunately, that crime has become more common recently: Consumer Reports estimated that there were 10 million cases of identity theft in the US last year. This phenomenon stands in juxtaposition to the growth of ecommerce. Once someone logs onto a small or medium business Web site, the company needs to verify the person's identity somehow.

Historically, Social Security numbers have served as a common way to identify individuals. The use of this form of identification is quite common among financial institutions and retailers, who asked three out of four consumers for their numbers during the last year. About one of every two consumers reported having their health care provider request that information. In other cases, employers or potential employers (44%); insurance companies (36%); government agencies other than the IRS or a state tax body (32%); college or other school (28%); service provider such as cable TV or cell phone carrier (26%); utilities (17%); and merchant or retailer (16%) requested individuals' Social Security numbers.

Once these companies collect the ID, they are often careless with it. Consumers reported that their numbers were displayed on the Internet, in public records, on identification cards, and in the mail. Such misuses underscore the need for a new way of identifying individuals online. Rather than a Social Security number, vendors need to develop a universal identification system, such as the Liberty Alliance's federated movement, one that all companies can access. Until that time arrives, small and medium businesses may want to rely on other identification mechanisms, such as using telephone numbers or street addresses when trying to verify their customers' identity. Though these options are more difficult to implement and more prone to mistakes, they will make the consumer feel more comfortable and therefore more likely to spend time and money at your Web site.

How does your company verify the identity of potential customers? How vulnerable do you think your system is? What do you view as the silver bullet for verifying online identities?
