Marc Orchant at The Tablet PC Weblog passes along some good tips for preventing identity theft.
Among them:
2. Do not sign the back of your credit cards. Instead, put “PHOTO ID REQUIRED”..
This highlights a problem in general with using the signature as a means of authentication. It relies on the cashier to actually look at the card and, more often than not, they don't. In fact, many drugstores and grocery stores now have machines where you swipe the card yourself - it is never even in the possession of the cashier.
Case in point: When I got a new American Express card, I forgot to sign it initially. I noticed this after the first purchase, where the cashier did not check. As an experiment, I still haven't signed it and have used it extensively over the past three months.
On a related note:
These days, your Social Security Number (SSN) is basically the key to your identity. This is especially true because a lot of your other information is readily available these days (see The Curse of the Secret Question or ask Paris Hilton). Thus, it follows that you should be especially careful about who you give your Social Security Number (SSN) to (in legal terms, this would trigger strict scrutiny). Don't carry your Social Security card in your wallet or, if possible, other cards that contain your SSN (for example, Oxford Healthcare uses the SSN and prints it on the card).
Another problem is that many colleges and other organizations like to use your SSN as identification numbers because it is guaranteed to be unique.
I'm actually fighting a (losing) battle with Fordham right now to change my student id number. It is not printed on my ID card, but it is printed on almost all correspondence with teh school (including documents that also have my name). It is also used on the exams to facilitate 'anonymous grading'.
Privacy Rights Clearinghouse specifically addresses the question of whether a school can use the SSN.
Publicly-funded schools and those that receive federal funding must comply with the Family Educational Rights and Privacy Act in order to retain their funding (FERPA, also known as the "Buckley Amendment," enacted in 1974, 20 USC 1232g). One of FERPA's provisions requires written consent for the release of educational records or personally identifiable information, with some exceptions. The courts have stated that Social Security numbers fall within this provision.
FERPA applies to state colleges, universities and technical schools that receive federal funding. An argument can be made that if such a school displays students' SSNs on identification cards or distributes class rosters or grades listings containing SSNs, it would be a release of personally identifiable information, violating FERPA. However, many schools and universities have not interpreted the law this way and continue to use SSNs as a student identifier. To succeed in obtaining an alternate number to the SSN, you will probably need to be persistent and cite the law. Social Security numbers may be obtained by colleges and universities for students who have university jobs and/or receive federal financial aid. In Krebs v. Rutgers, the court ruled that SSNs are "educational records" under FERPA (Krebs v. Rutgers, 797 F. Supp. 1246 (D.N.J. 1992)).
They also add that, “![Wilted Flower [W]](/emoticons/emotion-52.gif)
hen the school is a private institution, your only recourse is to work with the administration to change the policy or at least to let you use an alternate identification number as your student ID.”
I've not had much luck in talking to the administration. Recently, it looks like someone tried to open an account in my name (or at least initiate an authorized credit check). Luckily, I already placed a credit fraud alert in my report.
What liability, if any, will they have if I am victim of identify theft? I can't imagine it would be too hard to show that they were negligent with the number, especially after I notify them of an attempted identity theft incident.
More to come...
Update: This post wasn't intended as criticism for tip #2 as much as a discussion of how the the signature fails as an authentication measure (at least as at the point of sale). It was originally a side comment on my previous post and, as I kept writing, I decided to move it to a separate post. Unfortunately, it lost some all-important context in the process. I updated the post to reflect what I really meant to say.