What Can Thieves Find Using Your Zip Code?

Feb. 23, 2011— -- I knew very little about her personal life until an online search helped me discover much more about her in less than an hour.

In the late 90s, Jenna graduated from High School in Massachusetts and eight years later she earned a Bachelor of Science degree in legal studies from a leading Catholic University, which came with at least two honors. The 29-year-old lives in the Harlem section of Manhattan.

For eight years, she worked at a bankruptcy law office with branches in seven locations. I assume she's a thrill seeker because nearly four years ago Jenna, whose e-mail address I found while digging around, also took a skydiving class. The names of her siblings and her parents were all at my fingertips.

Of all the things I learned about Jenna I only knew two before I started this Internet search -- her name and ZIP code.

"The information is pretty basic but it's crazy that it came up for free," wrote Jenna. Other than a misplaced letter attached to a sibling's name, all of the information, including her mother's name, was accurate.

It's this information that consumers against the disclosure of ZIP codes attached to full names are attempting to keep merchants from easily piecing together. Earlier this month, the California Supreme Court ruled that requesting postal codes during most credit card transactions violated the Song-Beverly Credit Card Act, a 1971 California law that prohibits businesses from requesting that cardholders provide "personal identification information."

Disclosing ZIP codes allows "people [to] track their purchases. It creates a profile and that information can be shared with other companies and that's dangerous to have that information in one area," says lawyer Gene J. Stonebarger, whose lawsuit triggered the ruling.

The ruling in the Jessica Pineda vs. Williams-Sonoma case has paved the way for numerous lawsuits against major retailers like Wal-Mart, Tiffany & Co., Crate & Barrel, Bed Bath & Beyond, Target Corp., and Macy's Inc. as many consumers question what information retails do have access to.

"Williams-Sonoma preys on its credit card customers who are accustomed to providing their ZIP codes for legitimate verification purposes at gas stations during 'pay at pump' transactions and mistakenly assume that Williams-Sonoma is requesting their ZIP codes to process their credit cards. But, in reality Williams Sonoma's sole purpose for requesting their zip codes is to covertly obtain its customers' home addresses for its own business purposes, including to build a marketing database," Stonebarger wrote in a petition.

Consumers may provide their ZIP codes at the register "because they believe it's required for the transaction," he says. "They're not using it for credit card transactions. The retailer takes that info and uses reverse databases to obtain the individual addresses for things such as marketing or to track spending habits."

A common name doesn't make you less hard to find. "There may be 100 people that share a same name but often there's only one person with that e-mail address or phone number," says Stonebarger.

There's much more data about you to be mined. People increasingly post their personal bits for the world to see on social media sites. The blathering on Twitter, the resume on LinkedIn and the biography on Facebook has made most people easier to find than Carmen San Diego.

But, the most dangerous piece of information you can give out is your birthdate, according to John Sileo, the author of Stolen Lives: Identity Theft Prevention Made Simple.

A birthdate, along with a name and hometown can be used in a formula to recreate your Social Security information, says Sileo. "And, those are three defaults on Facebook."

When searching for details about Jenna, her previous employer, location, college, and a few photos were easily accessible on the Web. When we tried to search for Nicole, another test subject, her Facebook profile was hidden from search results but her resume was available online. Using her resume, in less than five minutes, her childhood address and brother and father's name were revealed.

What did Nicole think about all the information online?

"It's scary! What makes it worse is that I thought I was doing a pretty good job of keeping my online profile clean and by clean, I mean I have so many other projects that I do, I don't want a someone to Google me and know all of my business. I figured knowing my address and number wasn't a big deal compared to you friending me on FB," Nicole said.

But, "you should be worried if someone that is a thief gathers more of your information," says Sileo. "With every piece [of information] you give out in addition, you're upping the chances that it can be used against you."

While Nicole has been successful at keeping certain information hidden on the Web, some important items slipped under her radar. "I like to keep social and work life separate. I think that is my goal so yes I'm upset that you found so much info but to me it wasn't as big of a deal as you finding my Google Picasa pictures or Facebook page... sounds silly but that's what I was concerned with," Nicole said.

"Now I realize that the info that I don't think is a big deal (parents name and number) really is in regards to someone doing significant damage to my credit."

"When people reveal too much personal information, the result is often hacked web sites and other security breaches," wrote Karl Altmann, CEO of Microdasy, an internet solutions company . "With social media use on the rise, we're seeing an uptick in ID Theft and financial fraud."

With identity theives in mind -- more than 11 million Americans were the targets of ID crooks last year according to the Federal Trade Commission -- here are some online tips:

DOLook at the type of machine utilized for credit card transactions to make sure it's similar to others being used in the store. Beware of one-off handheld devices.

Know the reputation of the website and store where you're submitting personal data.

Consider an alias for some interactions. "You need to think in advance as if my worst enemy, greatest competitor and person I respect least in this life is going to have access to this information. If there's no reason to give certain information, I keep that to myself," says John Sileo, author of Think like a Spy.

DON'TDon't give your e-mail address at the register. "Why would someone ask for your e-mail unless they're adding you to a marketing list? Thank you very much I get my spam from the supermarket and it comes in a can," Foley says.

Don't give your phone number at the register. A phone number can be plugged into Google and they can start sending you mailings, Sileo says.

Don't provide your zip code at the register. "You go to a gas pump, the way it verifies your identity if by asking what's your zip code. If you're talking about a merchant or clerk, that's not a part of the credit card processing methodology," says Foley.

Don't give a full address on every Web site you visit or give your birthdate on an open social forum.