Should security depend upon keeping SSN and birthdates a secret?

For a long time now, I’ve thought that the entire system of securing access to credit, financial and private medical records, etc by a “secret” number that never changes is pants on head retarded.

Dozens of institutions know millions of social security numbers. In some cases, everyone’s. Simply knowing this arbitrary sequence that never changes shouldn’t provide access to anything. A real security system, one that would block most fraud, would require the use of the other 2 legs of 3 factor security - something you have and something you are.

“Something you have” - there should be electronic ID cards, available from financial institutions and governments, that just go all the way and use a one time pad for security. The current system - of printing a simple fixed number on a plastic card that is easily counterfeited - is another pants on head insecure system. Instead, there should be a one time pad on the card, with the RNG seeded using a radioactive isotope and the device programmer isolated physically inside a Faraday cage - and the twins to the card each user has should be in actual vaults, guarded by Federal security forces, with FPGAs used in the network facing interface so that no programmable computers are even available to be hacked. (TLDR, you can implement an entire access system for checking one time pad data, from the TCP/IP stack on down, using combinatorial logic instead of a processor with memory and registers. Such a system cannot be “hacked” as it is not programmable and its behavior will never change (assuming you use one-time-write FPGAs that are burned using fuses))

“Something you are” - biometric ID doesn’t work for isolated terminals because it’s possible to spoof the ID data itself, making it “something you know”. However, it does work if the system that collects the data is secured, and so you are certain the sensors are collecting the ID data from a physical person and not a data file. So in government offices you’d be able to have your biometric data scanned (fingerprints, retina, iris probably) the first time you get an ID card with a one time pad on it. Whenever you lose the card and need a new one, you’d go back to the office and have your biometrics rechecked to make sure it’s still you. This would make it virtually impossible to get false identification since after the government has your biometrics, they will get a match if you try to get a new identity, and make it near impossible to steal someone else’s identity. Criminals would be forced to steal a person’s physical card, and rubber hose or skim the PIN for it, and their fraud spree ends the moment the user reports the card stolen.

SS# were never supposed to be used as an ID.

But they are, so you have the system we have today - with all of its insecurity.

The system you propose has other problems - if you rely on a biometric database to prove who you are, then anyone who has access to (or hacks into) the database can create forged IDs that are indistinguishable from the real thing. That may be a problem that is worse than the one we have now.

Something always confuses me here. Are there not passwords etc? Is the SSN by itself used to both identify and provide access?

Here in Singapore, we have a government issued ID card, and corresponding ID number (called the National Registration Identity Card number), and every citizen in Singapore has one. It’s commonly given in forms and such, and you use it to access online government services, but only as an identifier - you also have to key in a password. It was a big deal when the government service got hacked and passwords leaked, but the NRIC itself wasn’t a big deal.

Is there no password attached? Really?

Long opinion made short: You’re absolutely right about this.

One thought I’ve had is that accounts of various sorts should have several different “account numbers” attached to them. One would be the “main account” number, by which the account is identified in computer systems. But knowing just this would not necessarily allow much, if any, access to the account.

Then there would be other account numbers – several of them – that would gain different kinds of access to the account. One could be only for depositing money into the account. One could be just for in-person withdrawals. One could be only for in-person debit/credit card transactions. Another could be only for on-line account status viewing. Another for on-line debit/credit transactions. In effect, each separate number would be like a special-purpose password (and they could be actual passwords rather than numbers just as well) that would gain only a specific kind of access to the account.

This way at least, anyone who learned one of my numbers could, at worst, only do limited damage.

There would still need to be good security and encryption at the database server, where all the numbers/passwords are stored. If someone hacked that, they could still get full access to accounts.

A further argument for having several separate numbers/passwords for different kinds of access is that different kinds of access have different security requirements and different practical possibilities.

For example, for in-person transactions, “something you have” or “something you are” (biometrics) would be workable.

But for on-line or telephone transactions, it almost certainly can only be “something you know”. It’s hard to see how “something you have” works for that. Perhaps “something you are” could be workable for on-line transactions as more end-user devices (like iPhones) have things like fingerprint readers.
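The purpose-bound account numbers proposed in this post, as an added example written for this page (not code from the poster or any bank): the main number only identifies the account, each access code is bound to one action, and the codes are stored salted and hashed so a dump of the table does not directly yield usable codes. Account numbers, scopes and amounts are constructed sample data.

```python
import hashlib
import hmac
import secrets

# main_number -> {"balance": int, "creds": {salt_hex: (code_hash_hex, scope)}}
ACCOUNTS = {}

def _hash(code: str, salt: bytes) -> str:
    # Salted, iterated hash so stored credentials are not directly reusable.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 20_000).hex()

def open_account(main_number: str, balance: int = 0) -> dict:
    """Create an account; the main number identifies it but grants nothing."""
    ACCOUNTS[main_number] = {"balance": balance, "creds": {}}
    return ACCOUNTS[main_number]

def issue_code(main_number: str, scope: str) -> str:
    """Mint a fresh code bound to exactly one purpose ('deposit', 'withdraw', 'view')."""
    code = secrets.token_urlsafe(12)
    salt = secrets.token_bytes(16)
    ACCOUNTS[main_number]["creds"][salt.hex()] = (_hash(code, salt), scope)
    return code

def _scope_of(main_number: str, code: str):
    # Return the scope the presented code is bound to, or None if unknown.
    for salt_hex, (digest, scope) in ACCOUNTS[main_number]["creds"].items():
        if hmac.compare_digest(_hash(code, bytes.fromhex(salt_hex)), digest):
            return scope
    return None

def balance(main_number: str) -> int:
    return ACCOUNTS[main_number]["balance"]

def transact(main_number: str, code: str, action: str, amount: int = 0) -> bool:
    """Apply an action only if the presented code carries that exact scope."""
    acct = ACCOUNTS.get(main_number)
    if acct is None or _scope_of(main_number, code) != action:
        return False  # unknown account, unknown code, or code bound to another purpose
    if action == "deposit":
        acct["balance"] += amount
    elif action == "withdraw":
        if amount > acct["balance"]:
            return False
        acct["balance"] -= amount
    elif action != "view":
        return False
    return True
```

Someone who learns only the deposit code (say, from a deposit slip) can add money but cannot withdraw or view; someone who learns only the main number can do nothing at all.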

Oh, but having a password or carrying around a dongle would literally send 25% of Americans into “it’s the Mark of the Beast just as Revelations predicted and it’s time to take up arms against the New World Order” mode. We can’t even deal with the concept of universal health care, and you think “encrypted government data on every person in the United States” is going to fly?

But I totally agree: our system is fundamentally stupid.

Which should be defeated resignation or eager anticipation, since they claim to have foreknowledge of the outcome when the real Mark of the Beast appears. It’s all right there in the book!

Nope, no password.

Although there is no password attached, that is not the problem with SSNs in the U.S. (no public government website, as far as I know, requires an SSN as a logon ID – instead, you are usually asked to create a unique ID number and password).

Instead, the problem with your SSN becoming public in the US is that it can be used by others to establish credit cards under your identity. Here, the three vital pieces of information you need to fill out a credit card application are your name, birthday, and SSN. This is the main worry when it comes to leaked SSN numbers, not that someone can use it to log onto your government website accounts (which, as I said above, rarely, if ever, use your SSN as a login ID).

Nice idea in theory, but then the problem people currently have with remembering ids/passwords to everything they have access to becomes even worse. We need to improve security without increasing inconvenience for legitimate users or they will just circumvent it (e.g. by using simple variants of the same password for everything).

Not just credit cards.

The person who stole my identity seems to specialize in payday loans.

Segnoid: your above scheme has problems. More different numbers have the following problems:

  1. The numbers don’t change. This means if a hacker does find out your number, he can still commit lots of fraud.

  2. You now have to remember more numbers. It’s hard enough to just remember your social and driver’s license number. I often have to check my card for the second one.

  3. It’s all still “something you know”. You can install malware on the computers that you type those numbers into and steal the information. Or shoulder surf with cameras. Or obtain the numbers from a database. Or phish them from somebody. However the bad guys get the number, once they also know it, they can fraud all they want.

My proposals - “something you have” - essentially a card like I described; it would be nearly impossible, using any known or theoretical method, to copy the physical card. Bad guys would be forced to steal the card, since copying is impossible. The “twin” to the card (the one the bank or government keeps) would similarly be not copyable. So as long as you “have” this card, you can ID yourself, and if bad guys steal the card, you no longer have it and can report the theft. A number that you know does not have this kind of protection.

“Something you are” is to secure access to obtaining these physical cards, since obviously when you start running a system like this, no one has a card like this already to prove who they are.
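The card-and-twin idea from this post and the earlier one, next to the static-number model that critique 1 above attacks, as an added example written for this page (not the poster's design or any real card system). It models the card as a counter-based keyed-hash token rather than a true one-time pad: the card and the bank's twin share a secret the user never sees, every authentication emits a fresh code, and a code that was skimmed or phished is dead once used. The lookahead window of 5 is an assumption to tolerate codes generated but never submitted; secrets and SSN values are constructed.

```python
import hashlib
import hmac
import secrets

CODE_HEX_LEN = 12  # 48-bit code; assumption chosen for readability

def _code(secret: bytes, counter: int) -> str:
    # Keyed hash over the counter; the secret never leaves card or vault.
    msg = counter.to_bytes(8, "big")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:CODE_HEX_LEN]

class Card:
    """The thing the user carries: secret plus a counter that only moves forward."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0
    def next_code(self) -> str:
        code = _code(self.secret, self.counter)
        self.counter += 1
        return code

class BankTwin:
    """The twin in the vault: same secret, tracks the next acceptable counter."""
    LOOKAHEAD = 5
    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0
    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.LOOKAHEAD):
            if hmac.compare_digest(_code(self.secret, c), code):
                self.counter = c + 1  # burn this counter and any skipped ones
                return True
        return False  # unknown, replayed, or stale code

def issue_pair():
    secret = secrets.token_bytes(32)
    return Card(secret), BankTwin(secret)

def verify_static(stored_ssn: str, presented: str) -> bool:
    """The model the thread criticises: anyone who learns the number passes, forever."""
    return hmac.compare_digest(stored_ssn, presented)
```

Physical theft of the card is the only way to keep producing valid codes, which is exactly the point made above: the holder notices the card is gone and reports it, whereas a leaked static number is never "gone".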

I recognize and agree with all the above critiques of my suggestions. I meant my suggestion to be a security measure in addition to all the other security measures. Specifically: There should be a separate log-in name / secret number / password for each distinct kind of access to an account; but these should still have all the other normal security measures on them.

Thus, one name/number/pswd to make a deposit (so that anyone who steals your deposit slip info won’t be able to do anything else with that info); another name/number/pswd to make a withdrawal; separate access codes for various in-person transactions vs. the similar on-line or phone transactions. And I understand that this causes password proliferation, but each concerned account holder can make his own choices about using the same or different passwords, or writing them down under your keyboard.

Most of all, we need better security – any security, dammit! – on our sacred not-so-secret SSN numbers. Or better still, y’know, not use them as ID numbers at all, as Og originally intended.