Found my SSN in a cookie?!?!?!

[AmigaMan]

If a site you trust like a bank or credit card company, were putting your SSN in a cookie in plain text, what would you do? Other than suing the company (which wouldn't make sense unless you've lost some money), what else would you do?

I was perusing the cookies I get from a site I trust and found my SSN in there. As a fellow software developer, I'm pissed at the lax security this place has. I'm not sure what I'm going to do about it though...

 

[RedArmy]

I thought you meant you found it in a fortune cookie or some other edible food that tastes good.

 

[Cuda1447]

Originally posted by: RedArmy
I thought you meant you found it in a fortune cookie or some other edible food that tastes good.

same here...

 

[MercenaryForHire]

Originally posted by: RedArmy
I thought you meant you found it in a fortune cookie or some other edible food that tastes good.

 

[So]

Originally posted by: Cuda1447

Originally posted by: RedArmy
I thought you meant you found it in a fortune cookie or some other edible food that tastes good.

same here...

Yeah, lol.

 

[zerocool1]

contact them....

 

[thelanx]

What site is this?

 

[mugs]

Originally posted by: RedArmy
I thought you meant you found it in a fortune cookie or some other edible food that tastes good.

I thought the same...

Does the cookie also store your name, address, etc? Because your SSN is pretty useless without any other information.

150-89-3058 <-- look, I just posted someone's SSN on the internet! Oh no!

It's not like any other domain can access that cookie, and on your bank's site everything should be happening over SSL anyway...

I agree it's not a good practice, but in terms of risk it is very low. Contact your bank and ask them to stop doing it.

They probably use your SSN as your customer number. Ask for a different customer number.

 

[tfinch2]

Originally posted by: RedArmy
I thought you meant you found it in a fortune cookie or some other edible food that tastes good.

 

[txrandom]

Just delete cookies on your computer or any other computer you use, and you don't need to worry? Right?

 

[AmigaMan]

whoops! So it's a WEBSITE cookie, not a fortune cookie, or Tollhouse cookie or anything like that.

I don't know, maybe I'm just mad because of the laziness of the developers. Why can't you come up with some other unique ID that can't be useful to anyone else? And what about cross-site scripting? If someone can carefully craft a link on a site to steal cookies, that sounds like a pretty big deal to me.

 

[mugs]

Originally posted by: AmigaMan
whoops! So it's a WEBSITE cookie, not a fortune cookie, or Tollhouse cookie or anything like that.

I don't know, maybe I'm just mad because of the laziness of the developers. Why can't you come up with some other unique ID that can't be useful to anyone else? And what about cross-site scripting? If someone can carefully craft a link on a site to steal cookies, that sounds like a pretty big deal to me.

If poor programming surprises you, you should check out http://www.thedailywtf.com

My bank used to use your SSN as your login name for their website. They changed that. Now you can change your login name to any string of numbers that is exactly 9 characters long. I wonder what most people pick for that number...

 

[kingtas]

The military prints your SSN on every freakin thing. it is almost impossible to protect it.

 

[mitaiwan82]

 

[Cal166]

Universities/Colleges used to use your SSN for everything as well.

 

[acemcmac]

Originally posted by: Cal166
Universities/Colleges used to use your SSN for everything as well.

My school had a policy that you could put your student ID anywhere they asked for your SSN. The campus cops didn't like that when I went to get my parking pass, called dispatch and had my SSN read to them over unencrypted airwaves. I would have grabbed the man by the shirt and pulled him across the counter to scream at him if he was anyone other than a .45 cal carrying cop. Some cops are FVCKED UP :| :| :| :| :|

 

[randay]

send the cookie to me. I'll protect you!

 

[acemcmac]

I'll flush my cookies when I get home. Good idea

 

[imported_LoKe]

Your SIN/SSN # hasn't been private for a long time. Don't worry about it too much.

 

[daniel1113]

Your SSN isn't private information. It's pretty much on par with your name in terms of value.

 

[aircooled]

Your name and date of birth is worth more than your SSN.

 

[nsx98]

me love cookies...

 

[mugs]

Originally posted by: aircooled
Your name and date of birth is worth more than your SSN.

Mother's maiden name trumps all.

 

[Zedtom]

Originally posted by: mugs

Originally posted by: aircooled
Your name and date of birth is worth more than your SSN.

Mother's maiden name trumps all.

These are all readily available with a genealogical search.
Try googling you name, or your father's, etc.

I had a distant relative send me a huge family history with names, birthdates, parents, and cousins. I was at first surprised, then concerned with all of the information that is in public records.

 

[imported_LoKe]

Originally posted by: Zedtom

Originally posted by: mugs

Originally posted by: aircooled
Your name and date of birth is worth more than your SSN.

Mother's maiden name trumps all.

These are all readily available with a genealogical search.
Try googling you name, or your father's, etc.

I had a distant relative send me a huge family history with names, birthdates, parents, and cousins. I was at first surprised, then concerned with all of the information that is in public records.

I'm not worried. Stealing my identity would be a big step down.