Comments on: Might as well give it up: 457-55-5462

Might as well give it up: 457-55-5462

educatedslacker — Mon, 06 Jul 2009 17:59:37 -0800

Researchers have found that it is possible to guess many -- if not all -- of the nine digits in an individual's Social Security number using publicly available information, a finding they say compromises the security of one of the most widely used consumer identifiers in the United States.

Many numbers could be guessed at by simply knowing a person's birth data, the researchers from Carnegie Mellon University said.

Manuscript (PDF)

Study FAQs

By: allen.spaulding

allen.spaulding — Mon, 06 Jul 2009 18:02:09 -0800

I had no idea the CEO of lifelock was a MeFite! Nice touch.

By: nonspecialist

nonspecialist — Mon, 06 Jul 2009 18:11:58 -0800

Of course, using your SSN as a key identifier for all sorts of completely unrelated things, from student IDs to video store memberships, makes it pretty secure in the first place. What gets me is not that SSNs are easy to obtain for an individual -- but that knowledge of one, or even part of one, is frequently considered sufficient to authenticate you as that individual.

By: blucevalo

blucevalo — Mon, 06 Jul 2009 18:15:03 -0800

Yay!

By: rokusan

rokusan — Mon, 06 Jul 2009 18:18:58 -0800

I have often wondered how guessable these were when noticing two very similar ones for same-aged people born in the same town. What's the good reason these are issued at birth now, anyway? What value do they have before you're working age?

By: floam

floam — Mon, 06 Jul 2009 18:19:41 -0800

Looks like you were born in Texas a long while back?

By: floam

floam — Mon, 06 Jul 2009 18:21:33 -0800

Actually I'm not sure it was a long while back. But definitely well before 1988 and you're probably about 30? How close did I get?

By: Knappster

Knappster — Mon, 06 Jul 2009 18:21:52 -0800

What's the good reason these are issued at birth now, anyway? What value do they have before you're working age? Why Should I Get A Number For My Baby?

By: pineapple

pineapple — Mon, 06 Jul 2009 18:38:17 -0800

Yep, it was probably in the late 70's. I'd guess, 1978 or 1979.

By: Xurando

Xurando — Mon, 06 Jul 2009 18:41:29 -0800

I'm not sure I'd trust any organization that calls itself PNAS.

By: inigo2

inigo2 — Mon, 06 Jul 2009 18:45:53 -0800

Of course, using your SSN as a key identifier for all sorts of completely unrelated things, from student IDs Is it ironic then that CMU used to do exactly that? Or just unfortunate?

By: Knappster

Knappster — Mon, 06 Jul 2009 18:55:15 -0800

This guy was ahead of you in line.

By: crapmatic

crapmatic — Mon, 06 Jul 2009 18:55:29 -0800

What gets me is not that SSNs are easy to obtain for an individual -- but that knowledge of one, or even part of one, is frequently considered sufficient to authenticate you as that individual. Yeah, funny about that, I called my brokerage today and they only needed my SSN and my birthdate to authenticate me. Man, it must be really tough for identity thieves to find discarded mortgage applications, official documents, and so forth that have both of those things printed on them.

By: smackfu

smackfu — Mon, 06 Jul 2009 19:18:14 -0800

They were able to identify all nine digits for 8.5 percent of people born after 1988 in fewer than 1,000 attempts. For people born recently in smaller states, researchers sometimes needed just 10 or fewer attempts to predict all nine digits. Isn't this kind of a joke though? It sounds like they are just guessing the last four digits, after knowing the first five by combining the state of birth and date of birth. And they aren't doing a very good job of it, which means they are random. That second sentence I quoted is the worst kind of lying with statistics: it basically says sometimes they got lucky and guessed right straight off, as if that means anything. It seems like they are getting headlines based on predicting the middle two digits of an SSN, which were never intended to be secret in the first place: "The middle two digits are the group number. They have no special geographic or data significance but merely serve to break the number into conveniently sized blocks for orderly issuance."

By: America

America — Mon, 06 Jul 2009 19:19:28 -0800

*looks around the room, sees no one is looking at him, and leaves*

By: DevilsAdvocate

DevilsAdvocate — Mon, 06 Jul 2009 19:21:49 -0800

In other news, it's not really that hard to find out someone's mother's maiden name from public records.

By: dunkadunc

dunkadunc — Mon, 06 Jul 2009 19:22:33 -0800

My old, old copy of How to get Anything on Anybody had a chart mapping regions of the US with certain SSN ranges. And only a couple years ago, I saw a list of SSNs on a professor's door next to grades. Talk of a security breach.

By: smackfu

smackfu — Mon, 06 Jul 2009 19:24:10 -0800

In other, other news, if you really want an SSN, just drive around in early January and steal people's mail. The letters you want say "Important Tax Return Document Enclosed".

By: meinvt

meinvt — Mon, 06 Jul 2009 19:36:09 -0800

Is it ironic then that CMU used to do exactly that? Or just unfortunate? I'm also proud to recall that professors usually used the last four digits when publicly posting grades.

By: Joey Michaels

Joey Michaels — Mon, 06 Jul 2009 19:36:52 -0800

If an infinite number of monkeys were placed in a room with an infinite number of adding machines, they would eventually guess every social security number.

By: scalefree

scalefree — Mon, 06 Jul 2009 19:51:07 -0800

I've known this for going on 20 years now. I can't believe Black Hat is letting this be presented there. What's next, punching a paperclip through the mouthpiece of a payphone to make free calls?

By: allen.spaulding

allen.spaulding — Mon, 06 Jul 2009 20:10:44 -0800

I also remember things about CMU that may or may not be SSN related.

By: scalefree

scalefree — Mon, 06 Jul 2009 20:24:08 -0800

Yeah I remember a large university where the CS department used student SSNs as the authenticator for creating Unix accounts and also used them as anonymous identifiers for posting grades on professors' doors. Bad combination.

By: koeselitz

koeselitz — Mon, 06 Jul 2009 20:28:19 -0800

allen.spaulding: I had no idea the CEO of lifelock was a MeFite! Nice touch. Heh, yeah. In fact, this post does seem... well, sort of like a backhanded form of spam promoting LifeLock or some other credit-protection company. Anyhow, this seems like as good a time as any to point it out: credit-protection programs don't work--they do nothing but place fraud alerts on your credit, and fraud alerts unfortunately do not prevent identity theft. In fact, a little over a month ago, Experian, one of the three major credit-reporting agencies, convinced a judge in California to issue a summary judgement declaring LifeLock's services illegal. This comes two years after the founder of LifeLock resigned in disgrace after the bankruptcies of his former companies were revealed. If you want to save the money that LifeLock charges, you can just issue fraud alerts yourself; it's free, and, well, it's not illegal. And the only have to be renewed every nine months, so it's hardly an inconvenience.

By: Kadin2048

Kadin2048 — Mon, 06 Jul 2009 20:31:30 -0800

inigo2: "Is it ironic then that CMU used to do exactly that? Or just unfortunate?" There's no good reason why the SSN can't be used as a person-specific unique identifier. You should be able to use it for keeping college records, video rentals, drivers licenses, etc., separate. It is a really good, guaranteed-unique identifier. The problem only occurs when some idiots start using it as an authentication mechanism. That is, just because you know what your SSN is, they assume that you must be that person. And that's a really terrible assumption. All SSN-related problems flow from insitutions — particularly financial institutions — using knowledge of the SSN for authentication, rather than purely for identification and keeping accounts straight. If they'd never made the jump from identification to proof-that-you're-you, we'd never be in the mess. But people did, and more unfortunately, rather than going "hey, that's a really stupid way to do business, cut that shit out right now!" we instead kowtowed and started pretending that the SSN was something to be kept secret. Ironically, with the advent of computers that can process and store a lot more information, the SSN is no longer really as useful as a unique identifier as it used to be. When you were storing data on punch cards, having a guaranteed-unique identifier that didn't need to be coordinated, and was also very compact (9 digits!) was pretty nice. Today, you could just pull a GUID out of your backside when you create the new record, and never worry about a collision if it's done right (and like using an SSN, no need for coordination to keep things straight, like you'd need if you arbitrarily assigned sequential ID numbers). So as much as I really hate that we've moved towards using the SSN for authentication instead of records identification, the trend seems to be more in favor of that than against. There are easy non-SSN ways of creating unique IDs today, and a lot of policy has been implemented that essentially made SSNs sensitive/controlled information, even though they never started out that way. All in all, a crappy, out-of-control system and evidence of how something that seems harmless at first glance can really be misused and get out of hand.

By: netbros

netbros — Mon, 06 Jul 2009 20:46:47 -0800

"The serial numbers — the last four digits — can often be guessed using formulas and patterns, he said. It turns out that the Social Security Administration doesn't utilize true randomization to create serial numbers. For example, a graph plotting the numbers issued to Oregon residents in 1996, shown below, shows bands that cluster around certain numbers. In fact, there are five discernable lines. A truly random issue would show dots scattered throughout the chart." "The SSA believes that scheme is so complex that it's sufficiently random," he said. "We show it is way less random than apparently they believe." As a result, instead of a the four digits yielding a 1 in 10,000 chance in guessing SSNs, he said he can improve the odds to at least 1 in 1,000, and in some cases, far less than that." Serial numbers can't have been too random over the years. In 1968 when my brother and I got our SSNs on the same day, our numbers were consecutive. One could perhaps surmise that the next person who walked into the office that day got the number after mine. Not so random.

By: Astro Zombie

Astro Zombie — Mon, 06 Jul 2009 20:54:04 -0800

My brother's number is the one after mine as well! Come to think of it, I also know his mother's maiden name. Oh, man, the next six months are going to suck for Greg.

By: togdon

togdon — Mon, 06 Jul 2009 20:55:47 -0800

My twins have sequential numbers, which I found amusing. The weird thing is that the one born second has the lower number...

By: educatedslacker

educatedslacker — Mon, 06 Jul 2009 20:56:25 -0800

I assure you all I have nothing whatsoever to do with any company like lifelock. I just remember that damn number from all the radio commercials I heard. It makes me laugh because of the number of times that the guy's been hacked. I'd never give out my real SSN... that's fucking stupid. Like lifelock.

By: pineapple

pineapple — Mon, 06 Jul 2009 21:02:28 -0800

Freaky deaky... I just saw my first l!f3l0ck commercial on TV. Way to conjure junk adverts, MeFi.

By: hillabeans

hillabeans — Mon, 06 Jul 2009 21:41:48 -0800

Fuck.

By: julie_of_the_jungle

julie_of_the_jungle — Mon, 06 Jul 2009 22:03:37 -0800

All 4 of my siblings and I were all born in the same (smallish) hospital in a 12 year span and only two of us have the same 3 first numbers.. .hrmm... However, one of my siblings, two years and one week older, has the number after mine. *strolls off to steal full SSNs of siblings and neighbors*

By: shadow vector

shadow vector — Mon, 06 Jul 2009 22:32:52 -0800

My undergrad college's default email addresses and computer logins for all students and faculty were your 3 letter initials followed by the last 4 of your SSN. E.g., abc1234. You were allowed to change/proxy the default name, but lots of people did not. Seeing as this was also during the "Fw: Fw: Fw: Re: Fw: Re: Neiman Marcus Cookie Outrage!!!1!" era, anybody who still hung onto emails going back that far could put together hundreds, maybe thousands of full SSNs with this info.

By: wv kay in ga

wv kay in ga — Mon, 06 Jul 2009 22:46:18 -0800

Good luck using my SSN. I'm broke. Have at it.

By: Malor

Malor — Mon, 06 Jul 2009 22:56:57 -0800

All in all, a crappy, out-of-control system and evidence of how something that seems harmless at first glance can really be misused and get out of hand. This was exactly the sort of criticism that was leveled at the idea of Social Security numbers, that they would become a national ID card, and destroy privacy. But the objections were sneered at, we started the program anyway, and here we are, sixty years later, with a national ID that really fouls us up, AND a program that's been looted into bankruptcy. That's an awfully expensive lesson to learn absolutely nothing from.

By: twoleftfeet

twoleftfeet — Mon, 06 Jul 2009 23:48:45 -0800

I'm one of the few people who can get a new Social Security Number automatically, due to "religious beliefs", because my SSN contains a 666. I've been waiting for a reason to use this.

By: Kellydamnit

Kellydamnit — Tue, 07 Jul 2009 00:10:49 -0800

I think this may only be accurate for people after a certain year- the IRS didn't require it to claim your kids on taxes until 1987, and numbers being automatically issued when births were registered didn't hit for a couple years after that. My sister, three years younger than me, is one digit off from my number. My mom got our cards at the same time- to do her taxes in 1987.

By: koeselitz

koeselitz — Tue, 07 Jul 2009 01:43:52 -0800

Kadin2048: The problem only occurs when some idiots start using it as an authentication mechanism. That is, just because you know what your SSN is, they assume that you must be that person. And that's a really terrible assumption…Today, you could just pull a GUID out of your backside when you create the new record, and never worry about a collision if it's done right (and like using an SSN, no need for coordination to keep things straight, like you'd need if you arbitrarily assigned sequential ID numbers). I agree completely, but…well, I've also always wondered: how would it be possible to use anything else? Aside from some crazy Star Trek-inspired DNA scan, what sequence of digits or characters or otherwise encoded objects could possibly be unique and at the same time secure enough to last more than a generation and usable enough to apply system-wide? The primary applications where people choose to authenticate using SSN are usually applications where there really is no alternative. I'll take an example that, because of a job I used to have, I'm a little familiar with. Say that I'm John Smith, and I'm a licensed contractor or plumber, and I call a bank that I haven't done business with before and ask them for a loan. They're quite happy to give me the loan—I give them my social security number, I give them my birthdate, my address, and my phone number. Furthermore, they get my contractor's license number, and verify that. Maybe if they get freaky about security I give them my wife's maiden name or a reference. Once they've gotten all this, they rest assured that I really am John Smith, that I really do live at the address I gave them, that my credit score is the one showing on John Smith's entry, that I'm the same one who has a contractor's license, et cetera. The trouble is, if I can get a SSN and a date of birth for John Smith, the rest of this information is public and available within a matter of seconds to anyone who wants it. Addresses, phone numbers, family members' names and details, various commercial license numbers, maiden names, etc…all of these things are easy to obtain. So the question is: in order to accurately verify John Smith's identity, what should the bank ask for? I can't think of any piece of information whatsoever that could really verify that somebody is who they say they are. (The only available piece of info for this purpose that I can think of would maybe be driver's license number, but I'm sure that would turn out to be publicly available, too.) Maybe you could require people to appear in person for true verification, but that would (a) cost money and (b) not really guarantee anything, as we all know—IDs can be faked, makeup can be worn, et cetera. Moving up to the human level (from the stark, empty, lifeless machine level on which problems like this actually matter) I don't think it'll ever be possible to identify someone based on information they give you. Ultimately, all of these questions are as futile as the old stand-by “who won the AL pennant last year?” cliché that soldiers are supposed to have used to identify spys in the fifties; shades of Gattaca appear before my eyes as I remark that we're only getting more and more technologically advanced in the private information about people which we can store; we're not getting better at knowing people themselves. As the weird mutant creature inside a guy's belly pointed out to Arnold Schwartzenegger in Paul Verhoeven's awesome movie Total Recall—and by the way he was echoing Aristotle when he said this—you aren't what you remember; you are what you do. Or—to take a somewhat different example—as St. Thomas Aquinas pointed out in his commentary on Boethius' De Trinitate, even aside from the religious question, human beings need faith merely to survive in the societies they inhabit; without some form of it—faith in each other, primarily—society becomes something totally different, something which is certainly not conducive to human survival. I don't think this is a problem technology can solve.

By: flyinghamster

flyinghamster — Tue, 07 Jul 2009 03:08:58 -0800

ive known this for years. thank you 2600. also, spot the grammar errors in the faq for bonus points

By: fraula

fraula — Tue, 07 Jul 2009 03:19:05 -0800

Perhaps something like a passport or a national ID card. I have a hard time understanding arguments against these considering how you have to have a less secure version in the form of an SSN (and/or driver's license) in order to do much of anything. Less secure in that it's not photo ID, not to mention all the fancy-schmancy stuff used on passports nowadays. Could also just get rid of credit reports. They don't have them here in France. To get a mortgage, for instance (something I did last year), you provide proof of employment (or self-employment), proof of income, photo ID, and documentation of any other loans you have. This is because banks refuse to knowingly indebt someone beyond 1/3 of their income for a mortgage. Conversely, if you withhold documentation of other loans in order to get around that 33% limit, you're held responsible. (I don't know how exactly and don't have time to look it up, but recall hearing about a few rare cases. In general people agree with the 33% limit and so very few try to get around it.) For "consumption loans" (these can be lines of credit from a bank, store credit cards, and other credit cards), it's simpler: you declare your income and how much you spend on other loans, and provide photo ID. Again, if you knowingly withhold information and end up with too much debt, you're held responsible for it. (I looked up my SSN range on that Social Security death index search and whoa, the person right after me is in there.)

By: forforf

forforf — Tue, 07 Jul 2009 03:33:22 -0800

koselitz, Couldn't using references solve this? For example, requiring the applicant to disclose a relationship with another financial institution (or other trusted institution)? One can then verify that the applicant has at least maintained that identity successfully for some period of time, and you'd have a better basis for trusting that the applicant is, in fact, the applicant.

By: octothorpe

octothorpe — Tue, 07 Jul 2009 04:33:31 -0800

My undergrad university (the one across the street from CMU) used to mail me letters with my full SS# printed on the mailing label on the front of the envelope. Most, if not all, schools have stopped using SS#s as student numbers by now.

By: languagehat

languagehat — Tue, 07 Jul 2009 05:09:04 -0800

> My brother's number is the one after mine as well! What about Astro Zombie 2 and 3?

By: etaoin

etaoin — Tue, 07 Jul 2009 05:41:25 -0800

I seem to recall being told as a kid that it was illegal to use a Social Security number for any purpose other than taxes and Social Security claims. That obviously has not been true for many years. As far as getting a Social Security number for kids--mine came from China at age 3. I had to get a number for her before the end of the year so that I could claim her on my tax return. But using it on tax returns immediately exposes it through tax-submission services, government offices, etc. The clerk who handled payroll records at my former employer kept everyone's weekly timecards in a folder at her desk. Name/department/Social Security number, written in full, on tabbed folders, for everyone to see. That went on for years.

By: a robot made out of meat

a robot made out of meat — Tue, 07 Jul 2009 06:01:19 -0800

Aside from references, if you put an alert on your report they have to call the phone number that is attached to the report. So, in addition to whipping up the information you had to secure a phone number in my name which delivers its statement to my address, and have neither myself nor the lender notice that I have two active phones at the same address, and have the lender call the newer one. That or steal my cell phone. Either way it takes longer and / or requires intercepting multiple pieces of mail or stealing a possession that I'm sure to miss. This is how it should work by default.

By: mary8nne

mary8nne — Tue, 07 Jul 2009 06:01:39 -0800

in order to accurately verify John Smith's identity, what should the bank ask for? well in the Australia and the UK for pretty much anything you need to provide photo identification (License or Passport) AND a few proof of addresses (letter from council, bank, utilities with your name and address on it). You generally can't do anything without both those. that seems to work.

By: educatedslacker

educatedslacker — Tue, 07 Jul 2009 06:42:51 -0800

What about Astro Zombie 2 and 3? Now I'm just waiting for someone to spend $5 for a Greg Zombie sockpuppet.

By: Kadin2048

Kadin2048 — Tue, 07 Jul 2009 07:27:27 -0800

koeselitz: "I agree completely, but...well, I've also always wondered: how would it be possible to use anything else? Aside from some crazy Star Trek-inspired DNA scan, what sequence of digits or characters or otherwise encoded objects could possibly be unique and at the same time secure enough to last more than a generation and usable enough to apply system-wide? ... I can't think of any piece of information whatsoever that could really verify that somebody is who they say they are. (The only available piece of info for this purpose that I can think of would maybe be driver's license number, but I'm sure that would turn out to be publicly available, too.) Maybe you could require people to appear in person for true verification, but that would (a) cost money and (b) not really guarantee anything, as we all know—IDs can be faked, makeup can be worn, et cetera." You bring up a number of interesting points. The SSN serves well as a unique identifier — a string that's guaranteed to be specific to a particular person and won't repeat, so you can safely use it as a primary key in your database or other system. The problem is using it as a "shared secret," something that only Joe Blow's bank and Joe Blow will know. The problem is, if you use it as a unique identifier, it's not a secret, so the first use case — which I think is what SSNs were actually designed for — undermines its usefulness in the second. The inherent problem isn't authenticating yourself as someone using information. You're correct that there are some problems with that — how can you ever be 100% sure someone you're talking to is who they say they are? (I call this the "T-1000 problem") — but they're a lot more academic than the hugely flawed way that a lot of banks use SSNs. You're totally right that there's a sort of philosophical/ontological problem, when you start really getting into authentication and being absolutely certain of the person you're talking to, especially if you start allowing for edge cases like "what if they have an identical twin who knows everything about them?" or "what if their mind and all their memories got transferred to a different body?" You end up in weird places pretty fast. But that doesn't mean you can't come up with a practical authentication strategy, one that covers most cases that you run into in the world we live in now, that's a hell of a lot better than using SSNs as a secret. Solution 1: Authenticate in person. I think this option gets written off too quickly in many discussions. There's no really good reason why people need to be able to apply for a loan or a credit card without any sort of physical interaction, and allowing them to do so lowers the barrier to fraud tremendously, regardless of anything else you do. So my Gordian Knot solution is just don't allow it. If you need to prove your identity to someone, go there in person and show traditional physical ID documents (which can be forged, but that's a much higher bar than just repeating a SSN over the phone). For long-distance transactions where that's not practical, use trusted third parties of some sort: a bank in California could have an agreement with a bank in Connecticut to do its authentications, and vice versa. Alternately you could make use of the notary system that's already around (although I don't know if the notary system is rigorous enough to be used for financial transactions, it might need higher standards than currently exist in some places). The authentication/identity problem is one that's been dealt with since the dawn of long-distance commerce; we could do worse than to fall back on some of the traditional solutions. Low-tech solutions should always be preferred to "black box" ones that a typical user won't understand and must blindly trust. Solution 2: If we must have an electronic way of doing it, set up a system for online (that is, real-time) verification run by a government agency. Such a system should be opt-in, but the value of the SSN as an authentication mechanism should be completely destroyed — either by mandating that anyone using knowledge of an SSN as an authentication mechanism is wholly liable for fraud resulting from it, or by publishing a master list of names and SSNs thus destroying any hint of secrecy, or both — so that the current practice is ended. The way the system would work is that users would need to contact the SSA (or whoever is going to run this thing; for the moment lets pretend we're in a world where the government is not completely incompetent when it comes to administering large-scale IT projects) and set up a password or PIN. This PIN, unlike their actual SSN, is truly secret and they would be cautioned against giving it out to anyone they don't absolutely trust. To authenticate their identity to a bank, they would give their SSN and PIN, and the bank would perform some sort of hash and run a query to the system, which would give a yes/no response. You could build in checks that would prohibit multiple queries to the same SSN within a set period (to prevent offline cracking), salt to prevent precomputation, etc. It's all pretty well-known stuff. The advantage of this system over the current "give us your SSN to reset your password" system is that it separates the unique identifier from the shared secret, and also lets users change the secret at will. If Joe User accidentally gives out his secret via insecure email, or to a lender he later decides was a bit shady, he can call up the administering authority and change his secret right then. All queries using the old secret will immediately fail. (In thinking about this, you might need to have two passwords; one that gets given out to banks and can be changed online at will, another that's used to change passwords and is never given out — this could be much more complicated and arbitrarily assigned. If a user forgot that one they'd need to go to a SSA office and authenticate in person.) On the whole I am biased heavily towards Solution 1 rather than 2; I think #2 probably risks creating more problems than it solves, just like assigning everyone SSNs created a lot of problems that I doubt were anticipated. (Although I agree with Malor to a certain extent: the SSN has become what its worst detractors always said it would be, a de facto national ID number, when this was promised would never happen.) I think it would be pretty daft to try and solve a problem created by an overreaching government bureaucracy with more government bureaucracy, but in a perfect world it would be an option so I leave it out there. Anyway, if you put me in charge of the whole mess tomorrow, what I'd do is announce that in 12 months, every SSN ever issued would be published alongside the name of the person it was issued to, and just nuke the whole thing from orbit. Let the banks work out a better authentication strategy, and if we can't apply for loans online anymore, than we can't apply for loans online. It's a small price to pay to get rid of the rampant fraud which currently exists, and in many ways ends up being a sort of "lottery tax" — some unlucky person ends up paying huge amounts of time and money so that the rest of us can have the questionable convenience of applying for a new Discover card online. That needs to stop, now.

By: krinklyfig

krinklyfig — Tue, 07 Jul 2009 07:31:11 -0800

"I've known this for going on 20 years now. I can't believe Black Hat is letting this be presented there. What's next, punching a paperclip through the mouthpiece of a payphone to make free calls?" They still make payphones?

By: krinklyfig

krinklyfig — Tue, 07 Jul 2009 07:33:59 -0800

"I seem to recall being told as a kid that it was illegal to use a Social Security number for any purpose other than taxes and Social Security claims. That obviously has not been true for many years." It is, but it's never enforced. UNM used to use the complete SS # as the student ID, which was printed on your ID card and all your paperwork. It was nearly impossible not to have to give it out multiple times a day to several random student employees and admins. They did change to a non-SS-related student ID number some years ago, however, back in the late '90s, IIRC.

By: munyeca

munyeca — Tue, 07 Jul 2009 07:40:53 -0800

In related news, Cornell University managed to lose a computer containing the SSN's of 45,000 students, faculty, and staff last month. I guess I should really give up, now.

By: ALongDecember

ALongDecember — Tue, 07 Jul 2009 08:18:52 -0800

Is it ironic then that CMU used to do exactly that? Or just unfortunate? CMU used to use SSN as an alternate ID form until about 2004 if I can remember. This 2001 article shows it was becoming an issue. The worst thing was having to give your SSN to the local pizza delivery in order to use your dining plan. Luckily they changed to an alternate ID number for everyone.

By: Nelson

Nelson — Tue, 07 Jul 2009 08:24:24 -0800

Social Security Numbers are not secrets. Like credit card numbers and bank accounts, they are data that we freely share with people all the time. Systems that assume they are secrets are broken. OTOH, this quote from the SSA spokesman is all kinds of ignorant: "there is no fool proof method for predicting a person's Social Security Number". Well, maybe not, but now there's more evidence that it's pretty easy to guess someone's SSN. My fucking videogame account has two factor authentication, it astounds me that banks don't offer this protection to US customers. I finally managed to get a token generator for my primary bank account but it took a special request. Needed: a single login system for the Internet. Oh, it's all designed and ready to go! Are there any OpenID providers specializing in really secure authentication?

By: krinklyfig

krinklyfig — Tue, 07 Jul 2009 08:25:20 -0800

"There's no really good reason why people need to be able to apply for a loan or a credit card without any sort of physical interaction" Well, I don't know. All my credit cards are with banks which are not located in this state. I had to prove identity by faxing over documents. This happens when you get a loan at a local broker, who usually has to send info to the originator, which is not usually done in person. Authentication based on a few strings of "secret" data is not a very good method, but in-person authentication is easily faked with the right documents. The way this is done in the crypto world is typically trust-based with public-private keys or certs, like PGP or similar. A secret is still involved, but a public key is available. Public key signatures might be a good place to start.

By: Fezboy!

Fezboy! — Tue, 07 Jul 2009 08:29:31 -0800

I think solution #2 could be improved upon slightly by requiring those who make queries to the SSA register as well. Thus the query is a hash comprised of

query-maker's PID
The target's PID
The target's SSN

and the query-maker's tax ID/SSN/Agency identifying number. The query merely returns a boolean. This requires the putative cracker to obtain four times as many data points *and* the hashing algorithm before appropriating an identity. Also, the scope of the identity theft is limited to those authorized query makers who the cracker has compromised. One could start blocking requests from a tax ID/SSN/etc after N consecutive failed requests or other such safeguards to protect against a compromised query-maker's PID. Like any other centralized authentication system it has its weaknesses but the utility of such a system to distance-mediated commerce outweighs the danger posed IMO. One need not make it impossible to crack, merely unprofitable to the majority of hackers with contingencies rolled in for cases where the system is compromised. Letting both sides of the transaction manage their PIDs and separating authentication from identity should facilitate better security. Getting the PID to the SSA *should* be handled in person and require physical identification but this likely means that users are less likely to change their PID frequently. Then again, after working for a bit in a capacity administering user accounts, I don't harbor any illusions as to the average user picking a strong PID or changing it in any manner that might be called regularity. Still, this is better than assuming an SSN provides meaningful authentication.

By: delmoi

delmoi — Tue, 07 Jul 2009 11:13:20 -0800

Well, if it had any security, then it would be possible to compromise it, but social security numbers were never intended to be a personal identifier. In fact, I believe it's possible to change it. It's been used as a personal identifier because various companies want ways to keep track of us, but that's not necessarily a good reason for there to be one.

By: delmoi

delmoi — Tue, 07 Jul 2009 11:24:19 -0800

Today, you could just pull a GUID out of your backside when you create the new record They could always have used serial numbers. The problem isn't "what to use as a primary key" it's "what to use as a primary key that will match some other database at some other company." And while it would be convenient¹ for companies to be able to do that, that dosn't mean it's a good idea to let them. Why should companies be able to cross check their records on us in the first place? _{1: I actually overheard some old COBOL programmer complaining about how some other agency wasn't using SSNs and saying "why wold you do that"}

By: $5

$5 — Tue, 07 Jul 2009 11:46:15 -0800

It could be worse. Once upon a time, there was a mid-sized Company. Like most most mid-sized companies, the Company decided to treat Social Security numbers as secret information, and so generated a new, unique number to keep track of everyone; that number could be relied upon to uniquely identify a particular person, even if there were two people at the Company with the same name, or if someone got married and changed their name (and Company e-mail address), etc. This number was printed on all Company photo ID cards, and was visible in the online directory. Eventually, it became the number that the payroll department asked for when you wanted to set up direct deposit, the one you gave to human resources if you needed to sign up for health insurance or change it (for instance, if you wanted to add your new baby to your plan), and the one you needed in order to get a parking sticker for your car, or to be seen at the Company walk-in clinic. Of course, you could do a lot of these things over the phone, just by giving out your ID number. And that's where the trouble begins. The internal Company ID number started being used, by itself, as an authentication factor. The problem was that it was still easily accessible to anyone who could use the Internet to get to the online Company directory. Eventually, someone realized that you might be able to get health-related information from the clinic just by calling in and giving the Company ID number, and issued a hurried order to put a stop to this. The solution was to stuff the cat back into the bag—a decree came down from the administration that none of the Company's electronic directories (backend included) would answer queries for the ID number. The Company's carpooling coordination site used the ID number as a unique identifier. So did the online reimbursement form for Company-related expenses incurred by employees. So did the Take-Your-Children-to-Work signup sheet. And so on. Eventually, a compromise was made: the public directory would no longer show the number, but the backend servers would still answer queries for it. This left the Company with two parallel sets of unique identifiers for everybody, both of which weren't actually secret, but were treated as such anyway. This problem is never going to go away until people and systems stop using non-secret information as authentication factors.

By: Eideteker

Eideteker — Tue, 07 Jul 2009 12:46:59 -0800

This is why I always make one up on the spot. If I'm going to need to remember it for authentication purposes later, I'll write it down (or more recently, covertly key it into the cell phone in my pocket). I also always use "ZANGIEF" as my mother's maiden name. No one's called me on it yet.

By: Kadin2048

Kadin2048 — Tue, 07 Jul 2009 13:12:00 -0800

delmoi: "They could always have used serial numbers. The problem isn't "what to use as a primary key" it's "what to use as a primary key that will match some other database at some other company."" Well, if you just use a serial number, you run into problems fairly quickly that require a lot of infrastructure to solve. Let's say you have two people who can add records to the system, and you want them to be able to add them offline (in the case of say, two registration desks located in two parts of campus on Day One at some big university) — you need some way to make sure the serial numbers they give out don't conflict. You could do this by assigning each desk a block of serial numbers, or telling one to use even numbers and another to use odd ones, etc., but this requires a lot of coordination. SSNs are convenient in that they don't require any logic to assign, there's no coordination necessary (the coordination has already been done), they're guaranteed to be unique, and most people already know what theirs is, so you don't have to worry about people forgetting their arbitrarily assigned serial number the next day. That old COBOL programmer was right in a sense; if you're allowed to, there's no reason not to use SSNs — they work really well as a per-person records identification number. If you can take advantage of pre-existing infrastructure like that, it's silly not to. The reason I suggested GUIDs as a replacement is because they still allow independent generation and are guaranteed unique (assuming you use the right kind of GUID), and don't require any sort of central coordination. Each registration kiosk can be completely independent, work totally offline, and still generate IDs without problems. (You don't have to use real GUIDs to get this, of course; you could just create an arbitrary serial number of the form [year][registration kiosk number][incremental serial] and get the same benefits; it's just slight wheel-reinvention.) You still don't get all the benefits of using SSNs when you generate GUID or GUID-like serial numbers though; it's an extra number for users to have to remember or carry around on a printed object (like an ID card). If SSNs weren't abused as an authentication factor, there wouldn't be any problem using them universally for simple organization; all the issues stem from treating them like a secret.

By: inigo2

inigo2 — Tue, 07 Jul 2009 15:30:26 -0800

CMU used to use SSN as an alternate ID form until about 2004 if I can remember. This 2001 article shows it was becoming an issue. While it was still used extensively, I think they pulled it off the student ID cards before that, at least; I want to say...maybe 98 or 99?

By: pineapple

pineapple — Tue, 07 Jul 2009 16:07:13 -0800

Eideteker said: "I also always use "ZANGIEF" as my mother's maiden name. No one's called me on it yet." Uncle Eideteker? Is that you? I need bone marrow.