The nation’s Social Security numbering system has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual’s date and location of birth.
The findings, published Monday in The Proceedings of the National Academy of Sciences, are further evidence that privacy safeguards created in the era before powerful computers and ubiquitous networks are increasingly failing, setting up an “architecture of vulnerability” around personal digital information, the researchers said.
“My hope is that publishing these results may open a window of opportunity, so to say, to finally take action,” Mr. Acquisti said. “That S.S.N.’s are bad passwords has been the secret that everybody knows, yet one that so far we have not been able to truly address.”
So reports John Markoff in “Social Security Numbering System Vulnerable to Fraud.”
We’ve all known for a long time that the SSN makes a godawful authenticator. And now Alessandro Acquisti and Ralph Gross have put a final nail in the coffin for anyone using the SSN as an authenticator. I would really hate to be on the witness stand defending a decision to let anyone authenticate to my business with “the last four” because “everyone else is doing it.” Now is the time to go to management and talk to them about improving things.
My favorite response is from the Social Security Administration, “There is an Elephant in the Room; & Everyone’s Social Security Numbers are Written on Its Hide:”
For decades, we have cautioned the private sector, including educational, financial and health care institutions, against using the SSN as a personal identifier.
Ahh, decades of advice. How’s that working out for you guys? I’m sure if you tell everyone just once more, they’ll listen. For the rest of you: not getting going on a fix now will turn out to be career limiting.