Should we stop using social security numbers for everything?

I am studying network security, and I think one of the greatest flaws in our economy is that so many transactions require a SSN. A simple nine-digit number is now the ultimate prize for criminals. I know it is supposed to “tie everything together.” Not everything needs to be tied together. In fact, tying everything together is a security disaster. My car dealer doesn’t need to access my medical records, so why use the same ID number for both of them? The college I went to used their own ID numbering system. Why can’t everywhere do that?

It has gotten better. When I was in college about 20 years ago, our Social Security numbers were also our student ID and professors posted our grades on bulletin boards all around the university with our SSN as the identifier. Anyone that wanted to could photocopy them for each class and work out the associations in the comfort of their own home, which wasn’t that hard to do because they were used for everything and printed right on our student ID.

At my last job at a benefits administration company, I had access to not only tens of millions of people’s SSNs but also names, addresses, family structure, income and everything else someone would need to pull off a very large-scale identity theft scandal across many famous companies. I obviously never abused that access but I could have easily and so could my coworkers that had the same level of access. I could have caused a national shitstorm with a single flash drive if I was so inclined.

Companies are tightening up security around Personally Identifiable Information a great deal but someone like me, a Systems Analyst, always has to have access to large sets of such data to do their job. All it takes is one person like me, or someone who steals my access, to compromise huge amounts of data.

I don’t think you can replace the SSN with yet another unique text identifier because it is simply replicating the same problem and becomes unwieldy when you require a different one for every account. Cyber-security has never been a targeted interest of mine but lots of smart people are already working on it. There is no one solution that fits every need but biometric or token authentication combined with improved procedures and smart algorithms that identify suspicious patterns of activity are some of the most promising trends being implemented today.

Yes. Yes, we should.

When I lived in Massachusetts years ago, the SSN was also your driver’s license number. Now I’m in New Jersey, and they use a different, unique number for your DL. I assume Mass. has probably changed its system by now, too.

The concept of a unique identifier, by itself, is not an issue. If you think it is, then what you are really saying is that security by obscurity is a real thing - all that the unique identifier does is to make cross referencing easier. Not possible, easier, because if you have a name and some other common info then you could probably cross reference anyway.

The problem is using this unique identifier as something for which it was not intended - a password. You should not be able to gain access to any other information just by knowing the unique identifier.

Countries all over the world have assigned unique identification numbers, and they are useful. They can also be abused by using them for things other than as a unique identifier.

Yes. It’s very reasonable to have a unique identifier for each person in the country, and re-use that identifier.

What is totally fucking insane is when you call someone on the phone, and give them your name, and they ask you for your last 4 digits of your SSN to prove that you’re you.

Seriously? A person’s SSN is public knowledge. It is not secret, any more than a phone number is secret, or a name is secret.

I’ll 3rd the above two comments. I’m a bit of a zealot about this, but your SSN should be absolutely no different from your name – it’s something you tell people so they can identify you. It’s NOT an authenticator, and all of the problems surrounding SSN leaks stem from the fact that banks (mostly it’s the banks, I feel) have built a system that treats your identifier as your authenticator, and will give credit to anyone claiming to be you without actually verifying it.

I may have mentioned this here, but in the military we used to use SSN as our employee identifier (makes sense, everyone had one anyway and it’s just a unique number). But after the banks fucked up and ruined the SSN, the DoD implemented its own unique numbering system. But since too many people who know dick-all about security started using this new number as an authenticator, now we’re in the same boat – DoD IDs are to be kept secret and we’re worried about leaks, even though it’s printed on all of our ID cards (as it should be). Gah!

eta: Your college may have used its own identifier because not everyone (foreign students on visas, say) will have an SSN. Anyone tied into our government will have a tax ID number of some sort, though.

When I worked at my campus bookstore in the 90s, they wanted you to write your student ID (SSN) on your check when you bought your text books. :eek: :smack:

My S.S. card, issued back in 1946, clearly states on the card face that the card is:

"Not to be used for identification."

That obviously didn’t last too long.

How about a more simple solution? Just don’t let everyone have access to everything with a simple number.

If you need to buy a car and the dealer needs to verify you exist, give the social, but they can only use it to access government records proving your credit history or something.

If someone wants to access medical records and has your SSN, require at least a picture ID from the DMV. Same with credit cards. They shouldn’t be given out if someone simply mails a form in with the correct info; you should be required to physically go to a bank or somewhere and apply in person.

I think the problem isn’t that people know your SSN, it’s that too many doors are open because of it. I don’t have one master key for the house, the car, the safe deposit box, or my luggage. Why should the SSN give you access to all that?

What about using fingerprints? With advances in technology you can easily press your fingerprint against your device. That’s a little harder to steal than a SS number.

sharpens pruners, giggling maniacally

Mine says the same, from 1966.

Biometrics aren’t where they need to be, and every time they fix one problem, people find a way around it. For instance, a fingerprint is just a form of pattern recognition, so early versions could be easily defeated by using an image. Fine, so they add a way to check for heat and/or a pulse. There are methods of defeating that as well. And what happens if a fingerprint is compromised, maybe a cut? What happens when one needs to validate one’s identity remotely? How can you be sure that the reading source is valid?

It seems to me that the best solution is something akin to how the military uses CACs, though it seems even the smartcard technology could be significantly improved. Two-factor authentication, something with a PKI infrastructure and a private PIN, ought to be the direction that we take identity verification. I also think that with the ubiquity of smart phones, those can be the primary platform. The phone itself serves as a form of a token. And for those that don’t want one or can’t afford one, a government-issued smart card type of token could be used for transactions with the government, a bank, or whatever. Hell, I already use two-factor authentication for my email, facebook, gaming accounts (where implemented) and work accounts and mobile email.

But ultimately, yes, using SSN as a form of a unique identifier is as good as any other key, but it should never be used to validate one’s identity. Sometimes they’ll even do other things like validate part of payment information, address, or whatever. It’s all information that could be obtained from a stolen wallet; it’s not remotely secure, and our technology and infrastructure is advanced enough that there shouldn’t be an excuse anymore.
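The distinction drawn in this post and the earlier replies (the number is a record key, not a password; knowing it should open nothing; a CAC-style token with a PIN is the better direction) as a runnable Go example. This is added illustration, not code from any poster or from the DoD CAC system. It assumes an Ed25519 key pair standing in for the card's certificate, a SHA-256 comparison inside the token standing in for the card's hardware PIN check, and a constructed directory entry under the never-issued-style number 000-00-0001 with a made-up name.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Identifier is a public record key such as an SSN or a DoD ID number. It is
// stored and compared in the clear because it is not meant to prove anything.
type Identifier string

// Person is what a relying party keeps: public data plus the public half of the
// holder's token key. Nothing in this record is secret.
type Person struct {
	Name      string
	PublicKey ed25519.PublicKey
}

// Token stands in for a CAC, smartcard or phone keystore: it holds the private
// key and signs only after the holder's PIN checks out, so the server never sees
// the PIN and never holds the private key (a real card checks the PIN in hardware).
type Token struct {
	priv    ed25519.PrivateKey
	pinHash [32]byte
}

// NewToken generates a key pair; the private key never leaves the token.
func NewToken(pin string) (*Token, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, pub, nil
}

// Sign unlocks the key with the PIN (something you know) and signs the server's
// challenge with the private key (something you have).
func (t *Token) Sign(pin string, challenge []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], t.pinHash[:]) != 1 {
		return nil, errors.New("token: wrong PIN")
	}
	return ed25519.Sign(t.priv, challenge), nil
}

// Directory is the relying party's database, keyed by the public identifier.
type Directory map[Identifier]Person

// WeakAuthenticate is the pattern the thread complains about: the caller "proves"
// identity by reciting the last four digits of the record key, so the identifier
// doubles as the password and anyone who has seen the number passes.
func (d Directory) WeakAuthenticate(id Identifier, last4 string) (Person, bool) {
	p, ok := d[id]
	if !ok || len(id) < 4 || string(id[len(id)-4:]) != last4 {
		return Person{}, false
	}
	return p, true
}

// NewChallenge returns a fresh random nonce. Signing it proves possession of the
// private key now; a signature captured earlier does not verify on a new nonce.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Authenticate looks the record up by identifier (identification), then verifies
// the signature against the enrolled public key (authentication). A leaked
// directory leaks no authenticator: it holds only public keys.
func (d Directory) Authenticate(id Identifier, challenge, sig []byte) (Person, bool) {
	p, ok := d[id]
	if !ok || !ed25519.Verify(p.PublicKey, challenge, sig) {
		return Person{}, false
	}
	return p, true
}

func main() {
	// Constructed sample: a never-issued-style number and a made-up name.
	const id Identifier = "000-00-0001"
	token, pub, err := NewToken("1234")
	if err != nil {
		panic(err)
	}
	dir := Directory{id: {Name: "Pat Example", PublicKey: pub}}
	_, ok := dir.WeakAuthenticate(id, "0001") // anyone with a copy of the form passes
	fmt.Println("last four digits accepted as proof:", ok)
	ch, _ := NewChallenge()
	sig, _ := token.Sign("1234", ch)
	_, ok = dir.Authenticate(id, ch, sig) // the number only selects the record
	fmt.Println("token signature plus PIN accepted:", ok)
}
```

The weak path and the strong path both start with the same lookup by identifier; the difference is what comes after it. In the strong path a copy of the directory, or of every form the person ever filled in, yields nothing a bank would accept, because the only secrets (the PIN and the private key) live in the token.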

Another problem is that SSNs aren’t even very good for unique ID numbers – 9 digits is not nearly enough space for a mid-8-digit population. A properly designed system ought to have some built-in checksum redundancy so that a mistyped string is almost certain to be recognized as an error, and enough redundancy beyond that so that a checksum-valid value would have a low probability of collision with a number actually in use.
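What the check-digit and sparseness argument in this post looks like in code, as an added Go example that is not from the poster. It uses the Damm algorithm (my choice; the post names no scheme), which with a single appended digit rejects every single-digit substitution and every swap of two adjacent digits, and it draws new identifiers from crypto/rand rather than issuing them in sequence. The 12-digit length and the 330 million figure used for the occupancy numbers are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
	"math/big"
)

// damm is the quasigroup table of the Damm check-digit algorithm. One check digit
// from it catches every single-digit error and every adjacent transposition.
var damm = [10][10]int{
	{0, 3, 1, 7, 5, 9, 8, 6, 4, 2},
	{7, 0, 9, 2, 1, 5, 4, 8, 6, 3},
	{4, 2, 0, 6, 8, 7, 1, 3, 5, 9},
	{1, 7, 5, 0, 9, 8, 3, 4, 2, 6},
	{6, 1, 2, 3, 0, 4, 5, 9, 7, 8},
	{3, 6, 7, 4, 2, 0, 9, 5, 8, 1},
	{5, 8, 6, 9, 7, 2, 0, 1, 3, 4},
	{8, 9, 4, 5, 3, 6, 2, 0, 1, 7},
	{9, 4, 3, 8, 6, 1, 7, 2, 0, 5},
	{2, 5, 8, 1, 4, 3, 6, 7, 9, 0},
}

// run folds the digits through the table and returns the interim value.
func run(digits string) (int, error) {
	interim := 0
	for _, c := range digits {
		if c < '0' || c > '9' {
			return 0, errors.New("identifier must contain only decimal digits")
		}
		interim = damm[interim][c-'0']
	}
	return interim, nil
}

// CheckDigit returns the digit to append to a payload; callers must check err.
func CheckDigit(payload string) (byte, error) {
	interim, err := run(payload)
	return byte('0' + interim), err
}

// Validate reports whether id (payload plus check digit) is well formed: a
// correct code folds to interim 0 because the table's diagonal is all zeros.
func Validate(id string) bool {
	interim, err := run(id)
	return len(id) >= 2 && err == nil && interim == 0
}

// RejectsCommonTypos brute-forces every single-digit substitution and every
// adjacent transposition of a valid id and reports whether Validate catches all.
func RejectsCommonTypos(id string) bool {
	if !Validate(id) {
		return false
	}
	b := []byte(id)
	for i := range b {
		for d := byte('0'); d <= '9'; d++ { // substitute one digit
			m := append([]byte{}, b...)
			m[i] = d
			if d != b[i] && Validate(string(m)) {
				return false
			}
		}
		if i+1 < len(b) && b[i] != b[i+1] { // swap two neighbours
			m := append([]byte{}, b...)
			m[i], m[i+1] = m[i+1], m[i]
			if Validate(string(m)) {
				return false
			}
		}
	}
	return true
}

// IssueIdentifier draws a uniformly random payload of totalDigits-1 digits from
// crypto/rand (not guessable, not sequential) and appends the check digit.
func IssueIdentifier(totalDigits int) (string, error) {
	if totalDigits < 2 {
		return "", errors.New("need at least one payload digit plus the check digit")
	}
	payload := make([]byte, totalDigits-1)
	for i := range payload {
		n, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		payload[i] = byte('0' + n.Int64())
	}
	check, err := CheckDigit(string(payload))
	if err != nil {
		return "", err
	}
	return string(payload) + string(check), nil
}

// Occupancy is the share of check-valid codes of the given length that a
// population consumes; above 1 there are not enough numbers, and near 1 a
// check-valid typo almost surely lands on somebody else's record.
func Occupancy(population int, totalDigits int) float64 {
	return float64(population) / math.Pow(10, float64(totalDigits-1))
}

func main() {
	id, _ := IssueIdentifier(12)
	fmt.Println("issued:", id, "valid:", Validate(id), "typo-proof:", RejectsCommonTypos(id))
	fmt.Printf("9-digit codes used by 330M people: %.1f; 12-digit: %.4f\n", Occupancy(330_000_000, 9), Occupancy(330_000_000, 12))
}
```

With nine digits and one of them a check digit there are only 10^8 valid codes, fewer than the people who need one, so the scheme cannot both check for typos and cover the population; at twelve digits about a third of one percent of valid codes are in use, so a well-formed but mistyped number is very unlikely to match a real record.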

The big issue is that for some things, there is a real need for a really high-level identifier. Not so much for actual face-to-face identification, but as a sort of database record identifier.

For example, an issue we see here at work is duplicate patients: there are a surprising number of people with the same name and birthday out there in the same cities. So if you have two John Paul Smiths with birthdays of 4/27/1965 in your system, and one comes in, how do you tell them apart? You can’t start asking if they’re the guy who had the medicinal enema on 3/25; you’d violate privacy regulations. And if it’s an automated feed that matches records behind the scenes with no manual interactions, it would probably kick that back as an exception.

Insurance companies have the same issue: how do they know which John Paul Smith the bill is for? And how do they communicate that with other companies or government agencies?

Having a national-level ID number is one of the only really conclusive ways to do that, and right now, the SSN is kind of the only real way to do it, although with security scares, companies are moving toward less accurate search results, due to not wanting to retain SSN information in their systems.