Comments on: Social Security Numbers are Worthless as Authenticators

By: ID Thief

ID Thief — Sun, 26 Jul 2009 01:56:50 +0000

Consider someone pretending to be you – like an Identity Thief. He/she knows your SSN, Name, Address, Birthdate, and gets your Resume online (all quite simple to obtain). Now consider this ID Thief applying for Jobs and going to interviews as you, using your information and applying for these jobs in your name, pretending to be you. The company just wants the SSN in their hiring system (your SSN provided by the ID Thief) to run a background check and “verify” the information provided by the ID Thief. The SSN check and background check comes back clean because you are a great person and the employment history and other information from your resume matches the company background check. Now, the company offers the ID Thief a job and hires the ID Thief now using your name and identity, starts working, earns money in your name. Now consider after a month this person murders someone in the company or steals something big and simply leaves town to another state and starts all over again. I would say you are screwed and the SSN failed to provide any authentication at all. And we wonder why ID Theft is a serious problem in America. Wake up people… Call and scream at your elected officials Now to prevent employers from using your SSN for autheticataion. And good luck with cleaning up the mess left behind by the ID Thief…

By: ID Thief

ID Thief — Sun, 26 Jul 2009 01:55:07 +0000

By: David Brodbeck

David Brodbeck — Tue, 07 Jul 2009 18:14:33 +0000

The problem, of course, is that a unique identifier is a useful thing to have for tracking things like credit reports; but for political reasons any kind of national ID number is a non-starter. So we’re stuck with using the SSN as a sort of defacto national ID number.

By: Adam

Adam — Tue, 07 Jul 2009 11:18:40 +0000

Student, mckt,
SSNs lack a check digit, and are too short. If you really want an identifier, you want at least 3, preferably 4 digits for issuing government, then at least 10 digits to encode ten billion people (so China and India are covered for a few generations.
So a “perfect identifier” is probably 15 digits, not 9.
(This of course assumes that such a thing exists or is desirable, which it doesn’t and isn’t.)

By: Bob Blakley

Bob Blakley — Tue, 07 Jul 2009 11:13:21 +0000

I’m surprised at the publicity this has gotten; anyone who didn’t move a lot and had siblings already knew that SSNs had these issues. Back before the IRS tightened the child deduction rules to essentially require parents to get SSNs for children before their second birthdays, it was pretty common for a family to apply for SSNs for their kids in a batch when the oldest turned 15 or so and applied for a first job.
This resulted in a set of nearly identical SSNs – same first 5 digits with the last 4 increasing in an obvious pattern. If you were paying even a little bit of attention it was pretty clear how the system worked.
I suppose someone who wants 15 minutes of fame could write the next paper on the not-very-sophisticated algorithms many states used (maybe some still use them; I haven’t checked recently) to derive drivers’ license numbers from SSNs.

By: Adam

Adam — Tue, 07 Jul 2009 11:07:27 +0000

Nicko,
Lots of people are “protecting” the SSN by showing only the last 4 digits. I’ve gotten tax documents from states redacted like this. If an attacker can guess the first 5 44% of the time with my birthday (on the form) and my place of birth (also easily found), then that security measure is pretty poor.

By: mckt

mckt — Tue, 07 Jul 2009 09:53:19 +0000

SSN is not even good for identification:
1. Duplicate SSNs can be, and have been issued
2. SSNs can be changed
3. Not everybody has an SSN (non-citizens and non-taxpayers aren’t required to do so)

By: Gunnar

Gunnar — Tue, 07 Jul 2009 08:40:27 +0000

authentication: something you have (written on your hide)

By: Student

Student — Tue, 07 Jul 2009 07:42:14 +0000

SSN are perfect for Identification. They are a global identifier attached to a person.
The problem is that people use them for Authentication and, even worse Authorization. Given an SSN you need to verify that the person matches the SSN and that he allowed to do what he wants to do. It seems that this is the problem, not the usage of the SSN as an Identifier.
Keeping Identity, Authentication and Authorization apart is too hard for most designers of computer system, which is exactly why security professionals should scream bloody murder everytime something like SSN are used for anything beyond Identification.

By: Chris

Chris — Mon, 06 Jul 2009 23:35:44 +0000

I guess I’m glad I was born in the NYC metro area. Take that, Delaware!
I guess what we really need is a proper government issued universal identifier, eh? (ducks)