Security Flaws in Common Finances
Security Flaws in Credit Reporting
Security Flaws in Police Reporting

Security Flaws and Finance Dealing with flawed security takes time, money, and energy. It is a waste of precious life. Many problems that result from criminal abuse of the most easily obtained, personal financial information can be so difficult to resolve that an individual could easily waste days on the phone only to end with no obtainable resolution. And there are too many ways a criminal could easily disrupt his or her victims. In this article, I hope to alert every reader about these ways and how wrong the institutions with which we deal are, as they could certainly do better to prevent these harms to our fellow community members. 

Did you know anyone could take money from your bank account as long as they have your routing number and checking account number? This might sound like obvious or even useless information to you until you understand what this simple fact leaves open to the possibilities against you. There are hundreds of people everyday looking at their bank statements, either on paper or through the internet, getting news that will ruin their day, week, or month. "Who authorized $129 to be taken out of my account," they yell. It might be as little as $9 that was taken out of someone's bank account. [top]

The sad fact that needs to be changed is that anyone with that routing number and account number that is clearly printed and visible can steal money from your bank account. These crooks also know that, if they take only a certain amount from your account, that you will give up fighting for those two things of yours that you hold dear. One thing is justice and the other thing is getting your money back. The banks will insist that they can do nothing to stop it and that you must change your account, supposedly according to the rules of NACHA (National Automated Clearing House Association). You should be surprised that NACHA neither creates laws nor enforces them. You should be thinking at this point, "Wait a minute! In the year 2006, with all the awareness of identity theft and all the enhanced identity protections, banks have not made it difficult to steal money, are disproportionately concerned about 'keeping commerce moving', and reference a non-legal institution as their rule source?"

At this point, make a little mental note that I am still only discussing one security-flawed activity out of the many banking activities that exist and that I have not mentioned the many other activities in which we engage, for many, on a daily basis, such as medical or legal information transactions. Also, before I discuss a solution to the money withdraw security flaw, I need to clarify how dangerous the current lack of security is. [top]

"Even in 2006, stealing from a bank is as easy as ever, easier than stealing from one's wallet. Isn't this the opposite of what should be?"

When I mentioned that anyone could withdraw money from another person's account as long as they had the routing and account numbers, we should have thought for a second what "anyone" meant. Think of those groups of individuals who see your checks. "Anyone" would mean anyone in your residence and several people at each and every place of business. It gets worse. "Anyone" who sees your checks can copy and sell the information on those checks, removing the motivation to protect your check information, since it would be difficult for the police to find the person who distributed your check information. To make it easier, criminals do not need check numbers - I already said criminals only need the routing and account numbers. Conclusion: Even in 2006, stealing from a bank is as easy as ever, easier than stealing from one's wallet. Isn't this the opposite of what should be?

I have an idea that would make using checks much safer. The idea is to make it a standard that banking customers would have an option to use what could be called "Safe Checking". Safe Checking would require the use of check numbers and a passcode that would be unique per check number. Every business receiving a check from such an account would know that both the check number and the unique passcode would be required in order to complete the transaction. [top]

How would a business know that it would be dealing with a 'Safe Check'? A national banking standard would require an identifier associated with the account number - appending the account with 'SC', for example - that would indicate that the customer's account was a 'Safe Checking' account. Both the bank and the customer should have the privilege of creating the passcodes for the checks, as long as either party had met passcode requirements such as minimum word length and sufficient variety in the characters. The business receiving the check should be able to verify the legitimacy of each check with the bank (not necessarily that the funds are available, which is a separate issue) immediately. No 'Safe Check' would be usable without the verification of the check information and the passcode and, because the passcode and check number combination would be unique, no checking account information would be reusable and there would be no fear if someone were to sell check information to any criminal.

This idea, in itself, would not prevent the criminal practice of taking money out of any account early or taking more than requested by the customer (or 'victim'). I also have an idea for that. There are variations to the following, all of which would work well. [top]

Briefly, this method would require a third party database. The customer would only need an online ID and one password that could be changed at any time at the convenience of the customer (you). Similarly, the business would have one ID and password per customer service representative. The third party would act as a witness to the fact that both the customer service representative and the customer had agreed to these aspects of any particular transaction: business name, business address, item purchased, the date range within which the money may be withdrawn, and, of course, the amount to be withdrawn. When the third party responds that it received the purchase information and the authorizations from both the buyer and the seller, the third party then serves as a witness to the transaction between business and purchaser by sending an authorization to both parties. As of today, the customer has practically no control of any of these aspects. In fact, the bottom line value of the authorization number is that it could easily be meaningless, since only one party provided that number. The authorization is only meaningful if the business chooses to be open and honest. Still, the bottom line is that you have no control over the honesty of your transaction. My idea would finally share the control equally with the person owning the money - that would be you - instead of solely the party that would be taking your money.

The third party's log of the purchase should be easily accessible to members of the justice system upon permission from either you or the business, if one were to file a complaint against the other. By having a third party playing the role of objective log keeper, few would be foolish (or stupid) enough to try to get away with not following the stipulations to which both parties had agreed. If someone would try to rob you, then that third party log would prove that both the buyer and the seller had clearly agreed on all of the recorded criteria of that transaction. [top]

Security and Credit Reports. Currently, it is too easy to invade someone's personal information through a credit report. One only needs to know someone's name, address, possibly birth date, and social security information in order to violate your personal data. With the acquiring of someone's credit report, a criminal could use the information on the credit report to convince another institution to expose even more personal information about you.

There are too many individuals who have your social security number. These persons are often your coworkers, your local police, businesses with which you have conducted business, businesses at which you have applied for work, and past relatives and associates who have become a part of your life through a past or present marriage or through business partnerships. While some responsible businesses give the customer the impression that the credit reporting companies totally respect your privacy, the fact is that the credit reporting company is in the business of proving to their paying customers that their credit reports provide the most complete and invasive information that they think is legally permissible. [top]

With credit reporting, there is an intrinsic conflict of interest among the aspects of protecting our community's citizens and the fact that the reporting company's survival is totally dependent on being as invasive as possible. Ideally, the existance of any institution should not depend on how well it can violate anyone's privacy. Just as companies make it a practice to limit how much information they can give to someone asking for reference information, there need to be better limitations and controls regarding who gets what information. Again, just as I proposed the control method for both the buyer and seller over their financial transactions, I also propose a method for the owner of one's personal information to be able to work with the central depository of personal information, which is the credit reporting company. The pendulum of privacy control has swung totally outside of the realm of the owner of one's personal information. It is long overdue to put the control back into the owner's hands, as was intended by the signers of the U.S. Constitution.

Before you might accept my proposition, you might need to answer this question for yourself: Why shouldn't someone be able to select which information would be distributed? There is no law - within the Constitution, nature, or common sense - that states that every employment application must be a wide open door to any and all information about someone in any community. In case you haven't noticed, that is exactly the way it is as I write this article. In order to get a job, you do not need to take a lie detector test; yet, you are required to sign off every part of your personal life into their hands, whether you get the job or not. This is as ridiculous as unlawful searches and seizures and it needs to stop. [top]

Here is what I propose: Let the person who owns the information control which information may be distributed, who may see that information, and when that information can be seen. Since I believe citizens under our Constitution should always be respected as the owners their personal information, everyone should be able to tell the credit reporting company how to distribute the information they possess by using either a paper form, the phone, or a web form. I hope you are not saying at this point, "Well, how is someone supposed to get hired if the company can't see everything?" Firstly, I never said that my method meant that a company could not see everything. I said that the owner of the information should be able to control how information may be distributed. The potential employer would be able to know that some items were disallowed and could still either ask the applicant about this information or simply not hire the applicant. At least, the applicant had the rightful control of whether the potential employer, someone the applicant might have had to work under for a long time, could see certain personal information.

Using ID and password control, the citizen could assign an ID and password to the potential employer, terminate the active status of that ID, and set how many times selected information could be accessed using that ID. With such control, potential employers or loan officers would appropriately be at the mercy of the applicant. The applicant would have to "release" his information. Remember above, where I mentioned that a transaction (or authorization) number actually meant nothing regarding security of what happened during that transaction? Similarly, signing a release often means nothing, whether it be medical, business, or credit reporting. With my proposed method, nothing gets released without your approval. The exception would occur when an employee of the credit reporting company had personal ties with someone requesting personal information. The next step would be database-based encryption, which Smart Community is prepared to offer. I will save this for another article.

[top] Security and Police Press Reports. Another breach of security exists where you would least think. It is an old practice for police and the courts to blab every interaction they have with the public. If someone gets a ticket, it's in the news. If someone gets arrested, it's in the news. If someone complains about someone by filing a complaint, it's in the news.

The little excuse that the judicial system has no respect for your privacy because the "tax-paying citizens have a right to know what's being done with their tax money" means nothing. Remember, we all pay taxes to have our privacy protected, not vice versa.

Keep in mind the little fact that everyone is innocent until proven guilty in a court of law. Also keep in mind that the government is supposed to be protecting every citizen's privacy. You can get arrested for being a 'peeping Tom'. Yet it is OK to have your picture displayed around the world because you had a complaint filed against you. The little excuse that the judicial system has no respect for your privacy because the "tax-paying citizens have a right to know what's being done with their tax money" means nothing. Remember, we all pay taxes to have our privacy protected, not vice versa. How many thousands of citizens have had their livelihoods destroyed, their lifelong reputations destroyed, and their families shamed simply because someone was accused of something? If someone were given a ticket for D.W.I because they were affected by an unexpected, allergic reaction to a food or medicine, that someone could lose their job, their family, and their home simply because their privacy was not secured as we expected of any official institution of the U.S. government. If you want to destroy someone in the U.S., simply file a complaint against them and then withdraw it later! [top]

If you now understand how incredible this conflicting behavior of our government is, you still might find it amazing how we all just watch the news without noticing the huge flaw in the security of our personal lives. If someone were accused of something, that person should not have to account to the entire community. Each of us has the accuser, the court, and the U.S. Constitution for that process. You see, thousands of years ago, it was already figured out that, when the accusation of someone becomes public, there is no hope for justice, especially when the accused was innocent. Have we gone mad? I have to say that the publication of accusations is the worst flaw in our current government, a flagrant opposition to Bill of Rights IV, V, VI, VIII, and IX. How much clearer can the law be, where Amendment V, which relates to those accused or held, states,

"... nor be deprived of life, liberty, or property, without due process of law...."

Obviously, when a sworn officer of the law (including everyone in every court and police department) knowingly distributes potentially damaging information to the public, the officer has broken one of the most basically important laws of the land, as that officer of the judicial system knowingly removed the citizen in question from being able to benefit from the Bill of Rights and the U.S. Constitution. Where is one's life, liberty, and property when the benefits of one's entire community have been removed from, not only the accused, the accused's family and friends as well? [top]

The Declaration of Independence and the U.S. Constitution are the most community-oriented documents I know. The intentions and laws of these documents, respectively, were meant to give everyone the broadest chance to succeed in life without unfairly hindering one's neighbor to also have the broadest chance to succeed in life, according to each community member's definition of success, "... in order to form a more perfect union...." The designers and signers of the U.S. Constitution understood that, when all community members can be given the greatest security in their life, liberty, and property, the community, as a whole, will become more perfect. A secure community means a stronger community.jgf 

[top] ...

Criticing government security flaws is not unfamiliar to the author. John Freeman was contracted by the Social Security Administration a couple weeks after 9/11/01 to analyze all of the physical security processes of the entire agency, to include the five headquarters buildings and 1400+ satellite offices.

You might say, "I have community tools such as email and shared schedules. What's the difference?" I'd be happy to answer. Whether you're an Administrative Assistant, CEO, or President of the United States, you belong to at least several communities. While this fact is not new, having a web site that focuses on organizing the entire community concept is.

"Community is the world's largest untapped gold mine. Smart Community is your pick and shovel. Start digging." - John Freeman

People are excellent resources for each other. The world will never be organized enough to make use of all the ways people can help each other. Nevertheless, this site makes precisely that the goal.