Path: utzoo!mnetor!tmsoft!torsqnt!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!wuarchive!cs.utexas.edu!rutgers!ucsd!casbah.acns.nwu.edu!nucsrl!telecom-request
From: !carroll@ssc-vax.uucp (Jeff Carroll)
Newsgroups: comp.dcom.telecom
Subject: Re: 800 Numbers, Voice Mail, and Privacy
Message-ID:
Date: 16 Feb 91 09:10:19 GMT
Sender: news@casbah.acns.nwu.edu
Reply-To: Jeff Carroll
Organization: Boeing Co.
Lines: 40
Approved: Telecom@eecs.nwu.edu
X-Submissions-To: telecom@eecs.nwu.edu
X-Administrivia-To: telecom-request@eecs.nwu.edu
X-Telecom-Digest: Volume 11, Issue 119, Message 4 of 11

In article <74661@bu.edu.bu.edu> rv01%harvey@gte.com (Robert Virzi) writes:

>David Gast writes:

>> If you call 1-800-544-7544, you can get complete information about the
>> fund holdings in Fidelity Funds of anyone whose social security number ...

> I tried this and it is not exactly true. In addition to someone's
> social security number, you also need to know their account number. I
> don't know how Fidelity assigns account numbers, but I would imagine
> that this scheme offers significantly more protection than the
> four-digit PINs used by banks.

I doubt it. In order to get a person's four digit PIN, one must do one
of three things: a) crack the bank's computer, b) steal the person's
bank card, read the strip, and crack whatever (if any) encryption is
used, or c) steal the piece of mail which notifies the subscriber of
his PIN, which is only possible in systems which preassign PINs.
Otherwise the cracker is facing the expectation of making 5000
inquiries to the bank with the wrong PIN (assuming an unenlightened
search strategy).

There are many more possible ways to get the whole nine-digit SSN of
any person one is likely to be interested in; though in principle the
SSN is supposed to be confidential, most people succumb at one time or
another to pressure to disclose it, to their employers (who can be
pretty free with tossing it around, within their rights) if to no one
else.

> Is this a change in the security of the system, or just poor reporting
> on the part of the WSJ?

Might just be an operator who only knows how to search the database by
the account number key.

Jeff Carroll
carroll@ssc-vax.boeing.com