I'm not a programming expert, nor a process expert, but the way I see it...
... there has got to be a multi-stage process for authentication that does NOT use any CC or SSN. Of course, the responsibility lies with the account owner for maintaining passwords/authentication information.
If you lose the information, no way to recover it.
I say this because it seems (again, I'm not an expert) that these thieves use social engineering mostly in the "data recovery" stage of the process.
The only way to tighten that from my perspective is to put maximum responsibility on the account owner to keep their logins, passwords (again, for multi-stage authentication), and such on hand. Don't have a need to recover your info, and others can't use the recovery process to get to your account.
I guess it wouldn't be a perfect scenario but... this, or lose @N.
I am sorry to hear there are companies allowing these practices, though... sad.
... there has got to be a multi-stage process for authentication that does NOT use any CC or SSN. Of course, the responsibility lies with the account owner for maintaining passwords/authentication information.
If you lose the information, no way to recover it.
I say this because it seems (again, I'm not an expert) that these thieves use social engineering mostly in the "data recovery" stage of the process.
The only way to tighten that from my perspective is to put maximum responsibility on the account owner to keep their logins, passwords (again, for multi-stage authentication), and such on hand. Don't have a need to recover your info, and others can't use the recovery process to get to your account.
I guess it wouldn't be a perfect scenario but... this, or lose @N.
I am sorry to hear there are companies allowing these practices, though... sad.