I read a piece in Ars Technica today that would ordinarily make me want to cry, scream, and then run off into the woods. This piece was entitled "New algorithm guesses SSNs using date and place of birth". Well crap in my cereal... that's no good.
The more I thought about this very interesting algorithm that can guess your SSN using information gleaned from your Facebook profile, the more the problem seemed to widen. Following the rabbit down the hole, I realized something when I hit the dead end.
Over the years we've all been racking our brains trying to figure out how to protect our SSNs (encrypt, tunnel, and so on), but to what avail? Even if you somehow manage to get through life without someone snatching your SSN along with your full medical history from a doctor's office dumpster, or lifting the same information from the website of one of the "big three" credit reporting agencies (you know why I say that...)... so what? Someone can now come along and guess your SSN from the information you're publicly handing to the bad guys for... free.
My favorite paragraph is this one because it puts things into perspective for the reader...
"That may still seem moderately secure if it weren't for some realities of the modern online world. The authors point out that many credit card verification services, recognizing the challenges of data entry from illegible forms, may allow up to two digits of the SSN to be wrong, provided the date and place of birth are accurate. They often allow several failed verification attempts per IP address before blacklisting it. Given these numbers, the authors estimate that even a moderate-sized botnet of 10,000 machines could successfully obtain identity verifications for younger residents of West Virginia at a rate of 47 a minute."

Even a moderately large botnet (and there are many, many more out there larger than 10,000 machines, kids) would be able to pick apart a moderately large state in a few days. That should worry the wrinkles right onto your forehead. But wait - there's more...
Writing a "bot" that would go and scrape profile data (place of birth and date of birth) from online profiles isn't rocket science as a colleague of mine (who wishes to remain anonymous, ahem) pointed out. Then feeding that bot's data through this SSN generator could put together a nice package which would effectively be able to open credit accounts all over the damn place with little noise or red flags being set off (more on that another time).
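As an added illustration of the mechanics in that quoted paragraph and in the scraped-profile pipeline above (this is my own toy model, not code from this post, from Ars Technica, or from the paper they cover): it assumes the guessing step has already narrowed a target's SSN to a known five-digit prefix (a constructed stand-in; the page does not say how far the real algorithm narrows it), that the verifier accepts up to two wrong digits, and that it blacklists a source IP after three failures ("several" in the quote). The attacker is also assumed to know the tolerance, which it could learn by observation. It shows three things: a two-digit tolerance cuts the remaining search from 10,000 guesses to 100; per-IP blacklisting merely costs the attacker bots rather than stopping it; and the same endpoint with a lockout keyed on the subject being verified (the date and place of birth) instead of the client IP stops the attack after three tries no matter how big the botnet is.

```python
from itertools import product

# Toy model, constructed for this post. It isolates the two properties the quoted
# paragraph calls out: a verifier that tolerates up to two wrong SSN digits, and a
# failure counter keyed on the client IP address rather than on the person being
# looked up. The true SSN, prefix and limits below are all made up.

SSN_LEN = 9


def hamming(a: str, b: str) -> int:
    """Number of positions in which two equal-length digit strings differ."""
    assert len(a) == len(b) == SSN_LEN
    return sum(x != y for x, y in zip(a, b))


class VerificationService:
    """Verifier for one subject (one date/place of birth) whose true SSN is fixed."""

    def __init__(self, true_ssn, max_wrong_digits=2, per_ip_limit=3, per_subject_limit=None):
        self.true_ssn = true_ssn
        self.max_wrong_digits = max_wrong_digits    # "up to two digits of the SSN to be wrong"
        self.per_ip_limit = per_ip_limit            # "several failed attempts per IP"; 3 is an assumption
        self.per_subject_limit = per_subject_limit  # hardened variant: lock the subject, not the IP
        self.ip_failures = {}
        self.blacklisted_ips = set()
        self.subject_failures = 0

    def verify(self, client_ip: str, ssn_guess: str) -> str:
        """Returns "match", "mismatch" or "blocked"; the caller cannot tell why it was blocked."""
        if client_ip in self.blacklisted_ips:
            return "blocked"
        if self.per_subject_limit is not None and self.subject_failures >= self.per_subject_limit:
            return "blocked"
        if hamming(ssn_guess, self.true_ssn) <= self.max_wrong_digits:
            return "match"
        self.subject_failures += 1
        self.ip_failures[client_ip] = self.ip_failures.get(client_ip, 0) + 1
        if self.ip_failures[client_ip] >= self.per_ip_limit:
            self.blacklisted_ips.add(client_ip)
        return "mismatch"


def cover_guesses(known_prefix: str, tolerance: int):
    """Yield guesses that reach every completion of the unknown digits within `tolerance` mismatches.

    Only the first (unknown - tolerance) digits are enumerated; the rest are padded with
    zeros, because the verifier accepts them being wrong. With 4 unknown digits and a
    tolerance of 2 that is 100 guesses instead of 10,000.
    """
    unknown = SSN_LEN - len(known_prefix)
    enumerated = max(unknown - tolerance, 0)
    padding = "0" * (unknown - enumerated)
    for digits in product("0123456789", repeat=enumerated):
        yield known_prefix + "".join(digits) + padding


def botnet_attack(service: VerificationService, known_prefix: str, bot_count: int):
    """Spread the guesses over many source IPs, rotating to the next bot whenever one is blocked.

    Returns (accepted_guess_or_None, number_of_requests_sent).
    """
    bots = [f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}" for i in range(bot_count)]
    bot = 0
    requests = 0
    for guess in cover_guesses(known_prefix, service.max_wrong_digits):
        while True:
            if bot == len(bots):
                return None, requests        # every bot burned: give up on this subject
            requests += 1
            status = service.verify(bots[bot], guess)
            if status == "match":
                return guess, requests
            if status == "blocked":
                bot += 1                     # fresh IP, resend the same guess
                continue
            break                            # plain mismatch: next guess


if __name__ == "__main__":
    TRUE_SSN = "123456789"   # constructed; the first five digits are assumed already narrowed down
    PREFIX = TRUE_SSN[:5]
    print("per-IP limit, 2-digit tolerance:", botnet_attack(VerificationService(TRUE_SSN), PREFIX, 10_000))
    print("per-IP limit, exact match only: ",
          botnet_attack(VerificationService(TRUE_SSN, max_wrong_digits=0), PREFIX, 10_000))
    print("per-subject lockout:            ",
          botnet_attack(VerificationService(TRUE_SSN, per_subject_limit=3), PREFIX, 10_000))
```

The first run succeeds in 90 requests and burns 22 bots; with exact matching it still succeeds, but in about 9,000 requests and 2,263 bots; with the lockout keyed on the subject it fails after three real guesses, and rotating through 10,000 IPs buys nothing. If you operate a verification endpoint, that is the check to make: count failures per person looked up, not per source address, and do not accept a fuzzy SSN when the fields it is being matched against are ones anyone can read off a public profile.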
Why am I so calm then? Because this has nothing to do with safeguarding data. Our government in its wisdom (or lack thereof) has chosen to use our SSN as the key to everything financial about us... in fact as far as the US Government is concerned our SSN defines us. If you happen to get your SSN jacked - well then my friend you're out of luck unless you can prove that you are you... and that is seriously problematic for me.
OK, so now we have the background, the problem and I'll crown it with a suggestion for fixing this idiotic self-created mess. First, as painful as it may be, it's time to do away with the SSN as the key to an identity. Second, perhaps our all-knowing new president could sign an executive order or what-not declaring that collection of the "new national identifier" be disallowed and other forms of identification (such as a patient ID??) be used in its stead. I realize this is (a) extremely difficult, costly, and time-consuming and (b) probably not going to happen - but it's worth screaming from the steps of the Lincoln Memorial if someone listens.
This has to stop. Otherwise we may as well go back to putting our SSNs on our drivers' licenses and checks, because identity theft will simply be another rite of passage, like the first apartment, first car, and first credit-card fraud.