Aren't we a little past secret Social Security numbers?

Okay, I’m old enough to remember when your Social Security number was so low-security that you could have it engraved on a keychain tag by a mail order outfit; so routinely handled that a dumb 14yo could screw up his account by filing more than one name. (Don’t ask.)

And I guess it made a sensible number to use as the National ID we’re not allowed to even talk about.

But once it plus a name was enough to access all kinds of confidential sources, and just that number was a mostly-finished key to a life’s records… wasn’t it jig time to start implementing something better? Instead of, twenty or thirty years on, making that number a Big See-kret being our bulwark against ID theft and records compromise?

Even credit card numbers, by themselves, aren’t half as useful or potential threats any more.

The more you think about how utterly passive the US gummint has been about this, the higher the Whiskey Tango Foxtrot meter goes.

OK, how many databases are using the SSN as the primary key, such that everyone in the database has one SSN and every SSN in the database is associated with one person? Guess, and then multiply it by a thousand, and you might come close. It’s too convenient not to, and even with the level of security we should handle them with, they’re still usually given when asked for.

At this point, you’re not dealing with the Government and its actions. You’re dealing with legacy systems and entrenched behaviors, and those are forever.

It is a whole lot of companies. I used to work as a Systems Analyst for a major benefits outsourcing company that controlled the benefits administration for literally tens of millions of people in the U.S., some of whom I knew personally outside of work. We even did our own benefits administration for our parent company so coworkers there could look up all kinds of personal things about anyone that also worked there. That made things interesting and usually not in a good way.

The primary key on most of our databases was the SSN (and probably still is for all I know). The information contained in benefits databases is astounding. You not only get names, addresses, dependents, salary and benefit selection but also some really personal stuff. The company in question was good in general about HIPAA, privacy training and restricting access to people that needed to know it but I was one of those people and so were all my teammates.

We could see anything we wanted at any time because we needed open access to do our jobs. However, that also meant that any one of us could have pulled off a mega personal privacy heist with just a few keystrokes and a flash drive and there would not have been any way for anyone to detect it. I laugh when I see people going through elaborate measures to pull off much lower level data breaches than we could have done any time we felt like it on our lunch break (or anytime for that matter). All you need to do is get certain types of jobs in the right place. I obviously never did because I have ethics and I am not a criminal but all it takes is one person that works for those types of companies to have different motives. The scary thing is that there really isn’t a way to stop inside jobs completely without crippling the work that needs to be done.

People often argue that personal information floating around in databases all over the place isn’t a problem if only the ‘right’ people have access to it. They wouldn’t say that if they knew how many people that entails and not all of them are ‘right’ by any measure. Even when talking about law enforcement data alone, that still allows access to people that barely finished high school and may be well on their way to doing time of their own. The same is true with medical offices. You may trust your doctor but I have yet to see a medical office in which I would trust the people behind the receptionist desk with any personal information yet they usually have access to it if they really want it.

Okay, so it’s a primary key, and a good one. Why should anyone knowing my SSN be any further into my financial and other records than knowing any other arbitrary index number? Who thought it would be a good idea to use a number many people practically painted on their doorstep as something a lot like a security PIN…and more to the point, why is this still a huge security issue after a couple of decades?

If you are a clever identity thief, a SSN is a great starting point to establish a new identity of your own precisely because such systems are largely automated and impersonal. Combine that with other personal information and the chances of success are very good. It takes many steps but they usually start with a SSN, date of birth and name that is plausible for the person claiming it. Once they use those to establish real credentials, they can do anything from obtaining lines of credit in your name, getting a passport to wiping out your bank or retirement accounts. That isn’t paranoid talk. It really does happen every day and is quite lucrative for the people that are skilled at it.

The people that steal information in bulk and the ones that exploit it for profit are usually separate. One person or group steals the info for hundreds of thousands or millions of people and then they sell it immediately to people that are good at identifying really profitable targets within that data.

Identity theft is not new at all. People have been stealing identities from gravestones for someone of the same sex and age as them since records were kept. The big difference now is that you don’t need to trudge into a cemetery to find an alter-ego. Large databases already contain all of the information you need if you can gain access to even one of them. Ubiquitous credit and debit card scanners also make it easy for someone to install a reader at some place like a gas station or convenience store that will happily give you your money or goods but also records your card number and PIN for a very large involuntary tip later.

Except the one thing your Social Security Number is not, never was, and never can be, is a secret. It is not secret. It is recorded in thousands and thousands of databases. It’s printed on hundreds of sheets of tax records. It’s everywhere.

Your SSN should be treated as a publicly known piece of information, no more secret than your mailing address, or name, or phone number. It’s LESS secret than your phone number, since tomorrow after 20 minutes of shopping you can get a brand new phone with an arbitrary phone number. Your social security number is equivalent to your name, the only difference is that it’s a unique identifier, since there are hundreds of thousands of Mike Smiths in the United States.

That is all true if you are thinking completely logically but we are dealing with the real world here. Those thousands of databases that contain your own SSN were often designed so that it is treated as a secure identifier when combined with just one other piece of identification like your mother’s maiden name that is just as easy to obtain for anyone that wants to claim it as their own.

It is worse than that though, the security systems are interlinked so that, if you can beat just a few of them, you can eventually beat all of them. This isn’t theoretical, it happens all the time because the technique works. Have you ever really looked at the set of documents required to get another, more official document? It is often not much more than an SSN, name, date of birth and utility bills for the past few months. Even if a birth certificate is required, those are easily forged because they are just a piece of paper. The first three can be easily stolen through data alone and the utility bills just require a simple lie to your power company (has anyone ever asked you for id when you moved and wanted to switch a utility bill?).

From there, anyone can build up the documents to get a driver’s license and even a passport in someone else’s name (the latter is considered the ultimate proof of id and anyone can do anything with it under your name if they get that). This isn’t something that is easily fixed because it is theoretically flawed. You have to let people prove who they are rather easily because some people don’t have or lose the proof but that leaves the door wide open for potential identity thefts.

Right. Get that. It was a kind of ill-considered choice made in the days when accessing a database meant sitting down at a terminal (which might well have been a teleprinter) in a semi-secure building.

But it’s been decades now that this not-secret number has been the PIN for access to all kinds of records and information. Why is a big SSN breach in JULY 2015, I SAID BACK-TO-THE-FUTURE 2015, GAHDAMMIT still a huge security issue? It’s like reading a headline 2,000,000 KILLED BY FLIPPING CORVAIRS or ANOTHER 100,000 INCINERATED IN PINTOS on HuffPost.

AB: You’re a bright guy & some flavor of IT guy. What is your broad-brush idea of what we ought to migrate towards, and what is the first concrete step we ought to take in that long journey?

A social security number is not a good primary key in a database. Bad idea!

A social security number can be wrong. After a significant chunk of data entry has taken place it turns out that the SS# for a specific individual was misunderstood or, under rare circumstances, changed.

The primary key used in a database should always be utterly meaningless, a serial number generated by the database environment itself, hence never under any circumstances being “wrong” and never, ever, needing to be changed.
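The surrogate-key design argued for in the post above, as an added example that is not part of the original thread: a Python `sqlite3` sketch in which the table and column names (`person`, `enrollment`, `person_id`) and all SSN values are constructed for illustration. A mistyped SSN is corrected with a one-row update while every dependent record stays linked through the meaningless key.

```python
import sqlite3

# Hypothetical schema (not from the thread): person_id is a meaningless,
# database-generated key; the SSN is just a correctable attribute.
SCHEMA = """
CREATE TABLE person (
    person_id INTEGER PRIMARY KEY AUTOINCREMENT,
    full_name TEXT NOT NULL,
    ssn       TEXT UNIQUE            -- may be NULL, mistyped, or later changed
);
CREATE TABLE enrollment (
    enrollment_id INTEGER PRIMARY KEY AUTOINCREMENT,
    person_id     INTEGER NOT NULL REFERENCES person(person_id),
    plan          TEXT NOT NULL
);
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")   # enforce the person_id reference
    db.executescript(SCHEMA)
    return db

def add_person(db, name, ssn):
    cur = db.execute("INSERT INTO person (full_name, ssn) VALUES (?, ?)", (name, ssn))
    return cur.lastrowid                     # the surrogate key chosen by the database

def correct_ssn(db, person_id, new_ssn):
    """Fix a wrong SSN: one row changes, no foreign key is rewritten."""
    cur = db.execute("UPDATE person SET ssn = ? WHERE person_id = ?", (new_ssn, person_id))
    return cur.rowcount

def plans_for(db, person_id):
    rows = db.execute("SELECT plan FROM enrollment WHERE person_id = ? ORDER BY plan", (person_id,))
    return [r[0] for r in rows]

def demo():
    db = build_db()
    # Constructed sample data; SSNs with area number 000 are never issued.
    pid = add_person(db, "Mike Smith", "000-12-3456")   # digits transposed at data entry
    for plan in ("dental", "medical"):
        db.execute("INSERT INTO enrollment (person_id, plan) VALUES (?, ?)", (pid, plan))
    changed = correct_ssn(db, pid, "000-21-3456")
    ssn = db.execute("SELECT ssn FROM person WHERE person_id = ?", (pid,)).fetchone()[0]
    return changed, ssn, plans_for(db, pid)

if __name__ == "__main__":
    print(demo())
```

With the SSN as primary key instead, the same correction would have to be cascaded into every table that references it.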

I posted a whole thread on this. You didn’t post in it. I posited that security should never have depended upon knowing some arbitrary secret number that others can find out and steal. And, for that matter, the secret number approach, if it were followed, should have been done such that everyone doesn’t know what it is.

Over my life, thousands of people have had access to my SSN. At some points back in school, that thing was on a printout handed out to the whole class. Practically every school or institution I ever attended, they used that number for everything. Last 4 was how you found out your grades in the classes that didn’t just post them by name.

That’s all true. As far as it goes, which IMO isn’t very far.

Assume we have records about person X in database A maintained by organization M and also about person X in database B maintained by organization N.

We (M, N, or some 3rd party) have a legit business goal to link the two sets of X’s records together and use data from each. We have the expressed permission of X to do this.

If each database has issued X its own arbitrary and real-world meaningless primary key as you suggest, then how do we do the linkage accurately and reliably, even assuming all the data in both databases is 100% complete and 100% accurate?

Now let’s assume instead both databases contain some percent of errors, some percent of once accurate but now obsolete data, and some percentage of deliberately false data inserted by bad actors.

Now how do we do the linkage with high reliability?

SSN is no panacea, but the idea of a single logical identifier which is universally recognized to correspond to a single real-world entity is a good thing. SSN has universal recognition (within the USA), but not true absolutely 100% guaranteed one-to-one correspondence with a single real world entity. More like just 99.999%.

LSLGuy, you’re correct - the solution needs to be making the SSN no longer also the means of proving your identity or as a “security” measure. So many people have access to it that it’s trivial to find out others’ SSNs, by the millions, and you can impersonate someone pretty easily knowing little more than SSN, name, and birthdate. Didn’t some of the big thefts give hackers access to millions of SSNs? I would assume that you could purchase SSNs from those hackers on some black market somewhere - wired.com has articles on it, quoting how a credit card or SSN is often worth just a few bucks.

We shouldn’t even waste time trying to keep the SSN a secret.

Well that’s the big problem–the majority of the time there is no expressed permission.

The problem is not one of government, but of private enterprise. Using an SSN as an identifier by the credit bureaus is what has made identity fraud (using SSN) possible. OTOH, even if they opened credit files based on SSN (to tell one Joe Smith from a million others), then converted that to a meaningless number (call it M#) and dropped the SSN from their files completely, that M# would have to be disclosed on credit apps and would end up being used for the same nefarious ends.

It’s not that. Something has to exist to allow individual people to be tracked for the purpose of credit, etc. There needs to be something where almost everyone has just 1 number, so all records can be kept with that as a key. Otherwise, someone could declare bankruptcy and then use a different SSN from then on, and thus steal from the banks. Switching it from the SSN to another number doesn’t solve anything.

The fundamental problem is that banks, etc just take your word for it. “I know a few pieces of information about a person that thousands of people have access to. Trust me, it’s me, loan me some money”

As a point of interest, Australia gets on well enough without a SSN.

We do now have a Tax File Number (introduced in ??? the '70’s ???) but that is used only for tax, it’s not technically compulsory, it’s illegal to use it for anything else, so only a handful of people will handle it, and it’s kind of illegal to have it as a visible field in a database – it’s not visible to users on our payroll system, but it is stored and does come out in the reports to the tax office.

Also, you now have to prove your identity with a collection of photo id to open a bank account (exceptions for school children)

We haven’t had any problem with bankruptcy identification, no specific problems with identity theft or lack of identification – it also seems to work ok without any problems.

Well, thanks for the pitch, but… I dunno. :)

Not because I don’t have ideas, but because the solution is strongly resisted but implemented anyway, and thus badly.

In the US, we have established need for a national ID. (See: all arguments above and a zillion more that are based on the right person proving who they are using a reliable credential that was designed in the internet age… or at least after the primary information recording tool ceased to be a quill pen.) But even using the term brings down howls and cries and objections because we’re such a free and independent people and gummint is so evil and Hitler, ya know.

So we’ve created a de-facto universal ID from bits and scraps and patchwork, and it kinda-sorta works for The Man about as well as a real NID, but it doesn’t have the real security and protection that a defined tool would have, but since it’s “most definitely not a National ID” everyone is happy in their illusion of anonymity and freedom.

So I won’t suggest that a genuine NID is the only real starting point for personal and information security in the global internet era. Which means I dunno.

Not really relevant, but it has long been my dream that someone, doesn’t have to be the Government but could be, would offer everyone, from saints to convicted murderers, a chip with a unique code. If you like you can pick the code, perhaps your name with an extra assigned middle name to make it unique. You can obtain as many of these chips as you like, each with a unique code. The key step is when you get these chips you have to do it in person and the dispensary goes to great lengths, DNA, iris scans, fingerprints, footprints, facial recognition, whatever is required, to make absolutely certain that there is a one to one match between the chip and the person. Again, each person can have as many unique chips as she likes. Then it is up to the person to maintain control of each chip. If one is lost, report that loss or suffer the consequences. Make it a major felony to use someone else’s chip. No one will be required to have a chip.

Next, make a reader that can’t be spoofed. Make them easily available to anyone who wants one. I know that is in principle impossible, but again make it a major felony to possess a spoofed reader.