How Little Bits of Data Threaten Your Identity
CREDIT: Robert Buchanan Taylor/Shutterstock.com
Social Security numbers. Credit card numbers. Bank account numbers. Birth dates. Email passwords. Driver's license numbers. Passport numbers.
Known collectively as personally identifiable information, or PII, these bits of data are what thieves look to steal when they want to take over someone’s identity or get access to bank accounts.
However, these pieces of information are just the tip of the PII iceberg. Anything that identifies you is considered personal information and can put you at risk of identity theft.
"Most people are good at safeguarding Social Security or driver's license numbers," said Adam Levin, chairman of Scottsdale, Ariz.'s, IDentity Theft 911 and Credit.com. "But you should also keep track of your voter's registration card, military ID card and even your library card."
The reason is simple. All of these items lead to even more data about you, data that might be easier to find than you realize.
Silence in the stacks
For example, say I lose my library card. Scanning my card at the self-checkout kiosk reveals my name.
My library's default password system involves a phone number, which isn't too difficult to find for most people. And because it's such an easy password to remember, most people won’t change it.
So anyone who finds my card will have easy access to any information about me stored in the library's system, including the types of books I check out.
That, in turn, could unwittingly reveal a whole lot more about me, my interests and my habits — all useful information for an identity thief or a burglar.
Can I have your insurance card, please?
Even numbers that were created especially to do a better job of hiding your identity may not do as good a job protecting you as you might think, said Philip Becnel, president of the Private Investigators Association of Virginia and managing director at Dinolt, Becnel & Wells Investigative Group in Washington, D.C.
Say your name is something common, like John Smith. You will rely on a non-biometric identifier — anything that helps distinguish you from everyone else with that name and isn't your face, your fingerprint or your iris — to identify yourself.
"An insurance record number, for example, is considered a non-biometric identifier because it is unique to a single person," Becnel said.
"To obtain your information, someone only needs to call the doctor's office using a pretext. The fact that they already have your insurance record number identifies you as the patient whose records are wanted, and it makes the call sound legitimate."
The old college try
Similarly, while many colleges have moved away from using Social Security numbers as student numbers, the new student number is still personally identifiable information and should be safeguarded as such.
"Someone with your student ID number might be able to pose as you and obtain some of this personal information maintained by your school," Becnel said.
"It is fairly common practice now for places that maintain personal identification information to ask you security questions to help ensure that you are who you say you are, so a student ID number alone shouldn’t be the key to the kingdom.
"However, these security questions are fairly easily defeated," Becnel said. "The fact is that knowing any non-biometric identifier about you makes it easier for thieves to assume your identity and steal your information."
Essentially, Becnel added, any non-biometric identifier is by definition personally identification information.
"Imagine if you wanted to steal James Smith's identity, but you didn’t know anything else about him," Becnel said.
"Just knowing where he went to school, the name of the street where he grew up, his mother’s maiden name and, maybe, his astrological sign would tell you quite a lot about him that you didn’t know, particularly if you cross-referenced that information with information sources that are already public."
Watch what you tweet
That non-biometric identifier can also include the information you put on social media. These days, personally identifiable information can include social-media user IDs, especially now that the Securities and Exchange Commission considers social-media services such as Twitter legitimate outlets of financial disclosure.
That means if you're authorized to speak for a publicly traded company, identities such as your Facebook or Google ID, or your Twitter handle, are now auditable entities under the purview of the Sarbanes-Oxley Act.
The bottom line is that if anything can find its way back to identifying you, it is personally identifiable information and should be protected.