Wanna hear the worst idea in the world?
OK – so maybe this isn’t the *worst* idea in the world – but it’s pretty bad. Let me explain.
Over the weekend, I was listening to a radio program that mentioned a new site called StolenIDSearch.com. This site is apparently legit and has even received a write-up in CNET and a video news report from San Jose’s NBC affiliate. The site’s purported function is to provide a service that allows consumers to find out if their personally identifiable information has been compromised.
Here’s where, in my opinion, it gets bad… The site’s homepage requests that users enter their SSN or credit card number so that it can run the check to see if it has been compromised. Hint: it is smart enough not to take 123456789, so I had to format a plausible SSN by reviewing how valid SSNs are structured. So, after entering a well-structured SSN, the search engine reported that I was in luck and that the number appears not to be compromised. It then offers a service which will monitor up to 3 SSNs and/or credit card numbers. The only fields in the input form are for the numbers and an email address. Such input forms reek of phishing scams and, in my opinion, should not be trusted. In the CNET article, the company’s chief executive downplays the danger of entering this information for the search, stating, “Just the number has no value unless it comes with your name, billing address, expiration data and security code.” However, since an email address is also entered as part of signing up for the service, discovering additional information about the person who submitted the data could be a trivial task.
The video news report states that the service finds results unavailable through Google and Yahoo! That assertion may or may not be true – but I have to question if it is worth the risk. For me the answer is, “no.” There are other ways to achieve results similar to what StolenID Search claims. I would do the following:
• Sign up for a credit monitoring service (or just pull your credit report quarterly)
• Google it yourself. Don’t just rely on the standard Google query – use the deeper search methods typically referred to as Google hacking (for more info, check here, here, and here)
• If you bank online, check your account daily
StolenID Search may indeed offer a service that some see as valuable. But, from a security perspective, I think it is a bit scary. Security professionals have been educating users about the dangers associated with blindly entering SSNs or credit card numbers into websites – yet here is a supposedly legitimate site, offering a supposedly legitimate security-related service, which comes right out and asks users for this information.



