Working on computer security can lead one to become very risk averse.
When is it safe to give out a social security number?That question was impressed on this blogger recently on an excursion for a new wireless service provider. Walking into a store at a mall in Chicago area, everything started out on a good note: new phone, better conditions and finally good-bye to Verizon incompetence. One catch: applying for this service required completing an applicaiton that involved providing SSN. Nothing unusual about this–in the US service providers are dependent on the monthly subscription fees. Customers pay only a small fraction of the cost of the actual device, which is why that fancy unit can retail for $50. Few subscribers notice that the offer comes with strings attached, typically in the form of a 1-2 year commitment to that provider. The massive profit margins on wireless service easily offset the subsidies for the device. (This is also the reason that phones in the US are “locked”; they can only be used with one provider’s network. Europe places much greater emphasis on customer choice and preventing lock-in opportunities; phones are typically unlocked and IIRC there is a requirement that providers unlock phones if the customer chooses to. Bad news for providers and good news for hand-set manufacturers: consumers walk into a store asking for the latest Nokia model and they do not have to worry about which provider it can work with. US mobile phone service is still archaic by comparison.)
For this business model to work, the providers must be able to count on the customer making good on their payments for the 2 years they are locked in. And what better way to gauge that probability than a credit check? This is where the SSN comes in: major credit bureaus will not do a credit check without SSN, for good reason.
That brings us back to the scenario in that Chicago mall: consumer is supposed to recite his/her SSN to the salesperson, who is typing that information into a computer. This is an improvement over filling out a form, where the data also exists in paper copy but still there are too many attack vectors to list: do you trust that person? What about fellow employees watching over her shoulder, as the SSN sits on the screen while we work through the application? (and customer for that matter because the layout of that particular store featured “islands” in the middle of the store where the terminals were located.) Even if the employees are diligient, is that computer infected with spyware? It is a general purpose PC and it has Internet connectivity for sure, because the application data is shipped to Verizon. Were they keeping up with the patches? Did one of the employees use this PC for surfing the web, clicking “yes” to everything along the way?
In the end, this blogger decided against signing up for the service. The staff were very courteous and tried their best: the representative helping us asked if we would be more comfortable if I got to type in the SSN directly in to the application. No dice. (Buying the phone only without a subscription was not an option, because of the economics of subsidized units alluded to earlier.) Greatest irony: after I walked out to browse a completely unrelated store, she tracked me down in another part of the mall, and said that her managed decided it was OK for me to sign up without providing an SSN! Why? Probably because they had decided looking at me (and my significant other, she was present the entire time) that we were a good credit risk. It could have been the way we were dressed or more likely the fact that we were even worried about identity theft enough to pause over providing our SSN suggested we had something to lose. Either way, being concerned enough about providing SSN removed any doubts that a credit check would be necessary. That’s one bit of unintended social engineering to keep in mind for future use.
cemp
Random Oracle 