Scott Mitic, CEO of the company behind StolenID Search, Wednesday acknowledged some of the concerns, but he maintained that consumer response so far has been substantial. StolenID Search was launched last week by TrustedID, a venture-funded provider of identity-theft protection services based in Redwood City, Calif. The service allows users to check a database containing over 2.3 million compromised records to find out whether their personal information has been stolen or otherwise exposed. Users simply enter their Social Security numbers or credit card details into a search field on the StolenID Web site. If a match is found in the StolenID database, the person is informed of that fact and directed to additional resources for protecting himself from ID theft and fraud. If no match is found, the user is offered the option of subscribing to a fee-based alerting service offered by TrustedID.
So far, more than 100,000 people -- including many from Europe -- have already used the site to see if their personal data has been compromised, said Mitic, CEO of TrustedID. At the same time, a substantial number of online users -- especially bloggers -- have weighed in with reservations about the "potential risks and liabilities" associated with the service, Mitic said.
Posters on several blogs appear to be especially concerned about the wisdom of typing Social Security and credit card numbers into a search field on an unfamiliar Web site. There are also concerns about what TrustedID might be doing with the data that consumers enter on its Web site and what measures the company has in place for protecting the information in its database of compromised numbers.
"My first reaction to the site was: Are you kidding me?" said one reader on the blog downloadsquad.com. "We are told over and over again to be very careful about entering personal info on the web. Now, here is a site that says it will search for stolen ID's, all you have to do is enter your ID," the reader said.
Another reader on the blog consumerist.com called the service a "fundamentally flawed idea used to gather SSNs [Social Security numbers] from users of the site for God-knows-what."
Tom Mahoney, founder of Merchant911.org, an online forum used by merchants to share fraud prevention information, said he had "mixed feelings about the service, as do a lot of others."
"I have no reason to think the company is anything but honest," Mahoney said. And it most probably is taking the precautions needed to protect its database, he said. "But asking someone to enter their Social Security and credit card numbers on a virtually unknown site is going to be a real tough sell," he said.
He also expressed concern that people might mistakenly conclude they are safe if their names do not appear on TrustedID's site. "The 2.3 million records they have is only a drop in the bucket," compared with the tens of millions of records that have been exposed over the past few years. "I guess StolenID Search is probably a start, but they need to amass a lot more records and be a lot plainer about warning visitors that not being in the database doesn't relate to their numbers being safe."
Mitic acknowledged that the company has seen thousands of comments from people since the service was launched. Most of the negative responses are the result of a "combination of a lack of information and irrational fear in the blog echo chamber," he said.
Contrary to what users might assume, TrustedID saves none of the personal information that goes into the search box at the StolenID site, he said. The company is retaining the first six digits of the credit card numbers being inputted on its site to know which bank issued the card, he said. But the last eight digits, which contain consumer-specific data, are purged immediately after each search. The company also stores the first three digits of the Social Security numbers being entered to know which state the card was issued in but nothing else.
"It's almost a curiosity issue for us" to identify the banks and the states that consumers appear to be most concerned about from an identity-theft perspective, he said. All of the data in the StolenID databases has been culled by crawling the Web, chat rooms and Usenet groups, he said.
"After only a week, I can confidently say that this service is tapping into a need on the part of ordinary Americans to know if their personal data is safe," Mitic said.