| Tuesday May 31st 2016

Why REALLY needs your SSN?


The issue is that our SSN was neither designed to be a private number nor something for other organizations to use to identify someone. It’s unfortunate that it’s now used for exactly that, and that with it alone you can take over almost anyone’s accounts. Bruce Schneier discusses using the SSN as an ID in his book “Beyond Fear”. I don’t have it on me right now, but the real point was that the SSN was never designed to be used as a form of authentication. Today it is used as a form of authentication (proving you are who you say you are), yet knowing a single 9-digit number that never changes is hardly proof of your identity. As has been made obvious, somebody merely needs your name and SSN to claim to be you. And since the SSN isn’t designed to be changed (and is often used as a unique identifier in places where changing it would be difficult or impossible), it is extremely difficult to recover once it has been misappropriated. It’s being used to serve the same purpose as a password, and yet it is neither secret nor changeable.

A truly good authenticator needs to give away no more information than it is given. For example, a challenge-response mechanism never divulges the secret, but it does confirm that you know it (though it requires that the other party know it too). There also needs to be some way to verify the validity of an authenticator. It’s easy to create a counterfeit driver’s license (ask anybody under the legal drinking age) and it’s trivial to create a counterfeit SSN card. There needs to be a way for anybody to verify that your authenticator is real and has been properly assigned to you.

The worst part, though, is using the SSN as an identifier instead of a student number, health plan number, or other such identifier. Identification is one job; authentication is another. By combining the two, the authentication is lost and only the identification remains. As others have said, when everybody uses the SSN for identification (and authentication), the only thing you need to get hold of to take over a person’s life is their SSN.
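To make the two points above concrete (a challenge-response authenticator never divulges the secret, and an identifier should be a separate thing from an authenticator), here is an added example written for this post, not code from the original. It models a static-secret check the way the SSN is used today beside an HMAC challenge-response, with an opaque account id as the identifier and a per-account secret that can be rotated; the account record, the "ssn" placeholder and the secret are constructed demo values.

```python
import hashlib, hmac, secrets

# Constructed demo record: an opaque account id (identification) maps to a
# per-account secret (authentication) that can be rotated. The "ssn" value is
# a placeholder used only to model the static-secret scheme.
ACCOUNTS = {"acct-1001": {"ssn": "000-00-0000", "pending": set(),
                          "secret": b"constructed-demo-secret-for-acct-1001"}}

def static_check(account_id, presented_ssn):
    """SSN model: a fixed, lifelong value is sent and compared; once seen, it can be presented again."""
    acct = ACCOUNTS.get(account_id)
    return acct is not None and presented_ssn == acct["ssn"]

def issue_challenge(account_id):
    """Server side: mint a fresh, single-use nonce for this login attempt."""
    nonce = secrets.token_bytes(16)
    ACCOUNTS[account_id]["pending"].add(nonce)
    return nonce

def client_respond(secret, nonce):
    """Client side: send an HMAC over the nonce; the secret itself never leaves."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()

def verify_response(account_id, nonce, response):
    """Server side: accept only a correct answer to an issued, unconsumed challenge."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or nonce not in acct["pending"]:
        return False
    acct["pending"].discard(nonce)  # single use: a captured response is useless afterwards
    expected = hmac.new(acct["secret"], nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def rotate_secret(account_id):
    """Recovery after compromise: a new secret invalidates the old one."""
    ACCOUNTS[account_id]["secret"] = secrets.token_bytes(32)

def demo():
    """Replay a captured login under both models and return the outcomes."""
    acct, seen_ssn = "acct-1001", ACCOUNTS["acct-1001"]["ssn"]
    nonce = issue_challenge(acct)
    seen_resp = client_respond(ACCOUNTS[acct]["secret"], nonce)
    out = {"ssn_first": static_check(acct, seen_ssn),
           "ssn_replay": static_check(acct, seen_ssn),
           "cr_first": verify_response(acct, nonce, seen_resp),
           "cr_replay": verify_response(acct, nonce, seen_resp)}
    old = ACCOUNTS[acct]["secret"]
    rotate_secret(acct)
    nonce2 = issue_challenge(acct)
    out["cr_old_after_rotation"] = verify_response(acct, nonce2, client_respond(old, nonce2))
    return out
```

Running `demo()` shows the static value succeeding on every presentation, while the challenge-response answer works exactly once and the old secret stops working after rotation, which is the recovery step an SSN cannot offer.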

Below is a great article from Time Magazine about a Verizon customer who wants to open an account without giving the telco their personal information.


