Tuesday, July 7, 2009

[RANT] Forget SSNs

Something stranger than usual happened today.
I read a piece in Ars Technica today that would ordinarily make me want to cry, scream, and then run off into the woods. The piece was entitled "New algorithm guesses SSNs using date and place of birth". Well, crap in my cereal... that's no good.

The more I thought about this very interesting algorithm, which can guess your SSN using information gleaned from your Facebook profile, the more the problem seemed to widen. Following the rabbit down the hole, I realized something when I hit the dead end.

Over the years we've all been racking our brains trying to figure out how to protect our SSNs - encrypt, tunnel, and so on - but to what avail? What's the point? Even if you somehow manage to get through life without someone snatching your SSN along with your full medical history from a doctor's office dumpster, or the same information from the website of one of the "big three" credit reporting agencies (you know why I say that...), someone can now come along and guess your SSN from the information you're publicly providing to the bad guys for... free.

My favorite paragraph is this one, because it puts things into perspective for the reader:
"That may still seem moderately secure if it weren't for some realities of the modern online world. The authors point out that many credit card verification services, recognizing the challenges of data entry from illegible forms, may allow up to two digits of the SSN to be wrong, provided the date and place of birth are accurate. They often allow several failed verification attempts per IP address before blacklisting it. Given these numbers, the authors estimate that even a moderate-sized botnet of 10,000 machines could successfully obtain identity verifications for younger residents of West Virginia at a rate of 47 a minute."
Even a moderately large botnet (and there are many, many more out there larger than 10,000 machines, kids) would be able to pick apart a moderately large state in a few days - that should worry the wrinkles right onto your forehead. But wait - there's more...

Writing a "bot" that would go and scrape profile data (place of birth and date of birth) from online profiles isn't rocket science, as a colleague of mine (who wishes to remain anonymous, ahem) pointed out. Feeding that bot's data through this SSN generator could put together a nice package that would effectively be able to open credit accounts all over the damn place with little noise or red flags being set off (more on that another time).
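To make the quoted verification weakness concrete, here is an added example (mine, not code from the Ars Technica piece or from the paper it reports on) that models two verifiers: a lenient one that accepts an SSN with up to two wrong digits once the date and place of birth match and only counts failures per IP, and a hardened one that requires an exact match and counts failures against the subject being verified. The verifier classes, attempt limits, and the sample record are assumptions made for this example, and it also computes how many distinct 9-digit strings a two-digit tolerance accepts for a single true SSN (a Hamming-ball count), which the article does not spell out.

```python
"""Constructed model of the SSN verification weakness described above.

Nothing here comes from the article or the paper; the verifier classes,
attempt limits and sample identity are assumptions for illustration only.
"""
from math import comb

SSN_LEN = 9
DIGITS = 10


def hamming(a: str, b: str) -> int:
    """Number of digit positions in which two equal-length strings differ."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return sum(x != y for x, y in zip(a, b))


def accepted_per_subject(tolerance: int) -> int:
    """Count the distinct 9-digit strings a verifier accepts for ONE true SSN
    when it tolerates up to `tolerance` wrong digits (size of a Hamming ball).
    tolerance=0 gives 1; tolerance=2 gives 1 + 9*9 + 36*81 = 2998."""
    return sum(comb(SSN_LEN, k) * (DIGITS - 1) ** k for k in range(tolerance + 1))


class LenientVerifier:
    """Assumed model of the practice the article describes: correct DOB/place
    plus an SSN within `tolerance` digits passes; failures are counted per IP."""

    def __init__(self, records, tolerance=2, max_failures_per_ip=5):
        self.records = records           # subject -> true SSN (constructed data)
        self.tolerance = tolerance
        self.max_failures = max_failures_per_ip
        self.failures = {}               # ip -> failed attempts so far

    def verify(self, subject, ssn, ip):
        if self.failures.get(ip, 0) >= self.max_failures:
            return False                 # only this IP is blacklisted
        true_ssn = self.records.get(subject)
        ok = true_ssn is not None and hamming(ssn, true_ssn) <= self.tolerance
        if not ok:
            self.failures[ip] = self.failures.get(ip, 0) + 1
        return ok


class StrictVerifier:
    """Hardened form: exact SSN match only, and failures are counted against
    the subject being verified, so spreading attempts over IPs gains nothing."""

    def __init__(self, records, max_failures_per_subject=3):
        self.records = records
        self.max_failures = max_failures_per_subject
        self.failures = {}               # subject -> failed attempts so far

    def verify(self, subject, ssn, ip):
        if self.failures.get(subject, 0) >= self.max_failures:
            return False                 # subject locked regardless of source IP
        ok = self.records.get(subject) == ssn
        if not ok:
            self.failures[subject] = self.failures.get(subject, 0) + 1
        return ok


# Constructed sample record: (date of birth, place of birth) -> SSN. Not real.
SUBJECT = ("1990-01-01", "WV")
RECORDS = {SUBJECT: "123456789"}


def demo():
    """Return (lenient accepts near miss, strict accepts near miss,
    strict accepts exact SSN after per-subject lockout)."""
    lenient = LenientVerifier(RECORDS)
    strict = StrictVerifier(RECORDS)
    near_miss = "123456700"              # last two digits wrong
    lenient_near = lenient.verify(SUBJECT, near_miss, ip="10.0.0.1")
    strict_near = strict.verify(SUBJECT, near_miss, ip="10.0.0.1")
    # Further failures from different IPs still count against the subject.
    for i in range(3):
        strict.verify(SUBJECT, "000000000", ip=f"10.0.0.{i}")
    # Once locked, even the exact SSN from a fresh IP is refused.
    strict_locked = strict.verify(SUBJECT, "123456789", ip="10.0.0.99")
    return lenient_near, strict_near, strict_locked


if __name__ == "__main__":
    print("strings accepted per true SSN at tolerance 2:", accepted_per_subject(2))
    print("lenient near miss, strict near miss, strict after lockout:", demo())
```

The point of the count is that a two-digit tolerance turns one correct value into roughly three thousand accepted ones, and the point of keying the lockout on the subject rather than the source IP is that a distributed set of clients no longer each get their own fresh allowance of attempts.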

Why am I so calm, then? Because this has nothing to do with safeguarding data. Our government, in its wisdom (or lack thereof), has chosen to use our SSN as the key to everything financial about us... in fact, as far as the US Government is concerned, our SSN defines us. If you happen to get your SSN jacked - well then, my friend, you're out of luck unless you can prove that you are you... and that is seriously problematic for me.

OK, so now we have the background and the problem, and I'll crown it with a suggestion for fixing this idiotic self-created mess. First, as painful as it may be, it's time to do away with the SSN as the key to an identity. Second, perhaps our all-knowing new president could sign an executive order or what-not declaring that collection of the "new national identifier" be disallowed and that other forms of identification (such as a patient ID??) be used in its stead. I realize this is (a) extremely difficult, costly, and time-consuming and (b) probably not going to happen - but it's worth screaming from the steps of the Lincoln Memorial if someone listens.

This has to stop. Otherwise we may as well go back to putting our SSNs on our driver's licenses and checks, because identity theft will simply be another rite of passage, like the first apartment, first car, and first credit-card fraud.


mckt said...

You know, this is one of those sad, but all-too-common cases where we get to say "I told you so".

We've been saying for a long time that SSNs aren't identifiers, that they make poor passwords (because they can't be easily changed), that they aren't even always unique.

Now the poor practices that the credit and other industries have been using are demonstrably flawed, and it's going to cost them a lot of time and money to fix this. I hope they learn from it.

Unfortunately, until a few large-scale ID fraud operations get uncovered, they still don't have the incentive to change. A law may do that, so I think you're on the right track.

Dave Hull said...

Great news! The gubment's gonna start randomizing the way it issues SSNs next year.

For the 300 million or so people who already have SSNs, too bad.

Unknown said...

*tinfoil-hat* Ever since I was little I saw the SSN for what it was... an easy way for the MIBs to correlate and keep tabs on us. */tinfoil-hat*

I hate the fact that a single 9-digit number can somehow make a computer believe I am me, and whenever possible I use alternate forms of ID. The SSN is only valid to me as an account number for my social security benefits, nothing more. I already have to remember or have on hand 50+ account numbers and UNs. What's one or two more....

Rafal Los said...

@Richard - You're not paranoid if they really ARE out to get you - remember that.

@Dave Yea... too bad for the rest of us - much like every government decision... ever.

Stephan Wehner said...

You write "Our government [...] has chosen to use our SSN as the key to everything financial about us."

Is it not the banks and financial institutions that made the choice?!


Rafal Los said...

@Stephan - Possibly... but consider: your social security number (SSN) is the key to your government benefits, and that ties to your entire financial life - just look at your pay stub.