wiredmikey quotes a report from Security Week: U.S. officials are studying ways to end the use of social security numbers for identification following a series of data breaches compromising the data for millions of Americans, Rob Joyce, the White House cybersecurity coordinator, said Tuesday. Joyce told a forum at the Washington Post that officials were studying ways to use "modern cryptographic identifiers" to replace social security numbers. "I feel very strongly that the social security number has outlived its usefulness," Joyce said. "It's a flawed system." For years, social security numbers have been used by Americans to open bank accounts or establish their identity when applying for credit. But stolen social security numbers can be used by criminals to open bogus accounts or for other types of identity theft. Joyce said the administration has asked officials from several agencies to come up with ideas for "a better system" which may involve cryptography. This may involve "a public and private key" including "something that could be revoked if it has been compromised," Joyce added.
Step one and two. (Score:4, Interesting)
Doesn't solve the problem though. You still have high-value information linked to the TID, which ultimately is the root of the problem.
Ultimately you need the TID to be unique to each taxpayer, and a subset/hash of the TID plus additional information to be linked for other (financial) purposes. The IRS should be the only ones able to re-associate you to a unique qualifier.
But, until you eliminate the profit motive for credit bureaus everything will end up being re-assembled. Back to square one.
Virtual SSN - White House Petition? (Score:3)
Virtual Social Security Numbers
Single use numbers that are aliases for your real number.
To protect consumers from fraud and theft many banks now offer Virtual Credit Card Numbers. They are aliases, pseudonyms, for a real credit card number. They “lock” to the first merchant to use them. If a merchant’s database is compromised and a virtual credit card number is exposed, it is unusable. All charges not or
and to effectively voluntarily change your SSN (Score:2)
To avoid disruption of existing users of the real social security number the real number would remain valid for all users prior to the use of the first virtual number. After the use of the first virtual number existing users of the real number are “grandfathered” but any new organization using it will be disallowed. A consumer may have the option to disallow all use of the real number, requiring
Am I the only one whose immediate reaction to that is "Well, no shit, Sherlock"?
Unlink SSN from healthcare
If an SSN is not linked to healthcare, what is its use really??
Uh, Social Security (AKA OASDI). Duh.
National ID? (Score:2)
Sounds like another attempt at a national ID. I am sure it will go as well as all the past efforts.
We already have a national ID - it's called Social Security - so what's the objection to another one?
The cool thing is (Score:2, Funny)
You'll be able to conveniently use your social security number to get your new id number.
Actually, it was just a silly joke.
:-)
My SS Card (Score:1)
Clearly says "not to be used for identification purposes" on it. I guess it's an oldie.
String (Score:2)
So, like, you'd go to the SSA website, and they'd give you a string of digits. And you take this string and give it to banks or whatever, and they type it into the SSA website and that brings up who that is associated with. And the owner can revoke their string at any time and replace it with a new one. Better yet, make them all one-time-use, it's not like I REALLY need to use my SSN very often.
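The revocable lookup string described in the comment above, combined with the lock-to-first-merchant behaviour from the virtual-number comment earlier in the thread, sketched as an added example that is not part of any poster's comment. `AliasRegistry`, its methods and the holder and relying-party names are hypothetical, and the relying party's identity is assumed to be authenticated before `resolve` is called.

```python
import hashlib
import secrets


class AliasRegistry:
    """Issuer-side table of revocable aliases (hypothetical design)."""

    def __init__(self):
        self._aliases = {}  # sha256(alias) -> record; raw aliases are never stored

    @staticmethod
    def _key(alias):
        return hashlib.sha256(alias.encode()).hexdigest()

    def issue(self, holder, single_use=False):
        alias = secrets.token_urlsafe(16)  # 128 random bits, not derived from the holder
        self._aliases[self._key(alias)] = {
            "holder": holder, "bound_to": None,
            "single_use": single_use, "used": False, "revoked": False,
        }
        return alias

    def revoke(self, alias):
        rec = self._aliases.get(self._key(alias))
        if rec is None:
            return False
        rec["revoked"] = True
        return True

    def resolve(self, alias, relying_party):
        """Return the holder, or None if the alias is unknown, revoked,
        already spent, or presented by a party other than the first one."""
        rec = self._aliases.get(self._key(alias))
        if rec is None or rec["revoked"]:
            return None
        if rec["single_use"] and rec["used"]:
            return None
        if rec["bound_to"] is None:
            rec["bound_to"] = relying_party      # lock to the first party that uses it
        elif rec["bound_to"] != relying_party:
            return None                          # a leaked alias is useless elsewhere
        rec["used"] = True
        return rec["holder"]


def demo():
    reg = AliasRegistry()
    a = reg.issue("holder-0001")                 # constructed holder id
    out = [reg.resolve(a, "bank-a"), reg.resolve(a, "bank-a"), reg.resolve(a, "lender-b")]
    reg.revoke(a)
    out.append(reg.resolve(a, "bank-a"))
    once = reg.issue("holder-0001", single_use=True)
    return out + [reg.resolve(once, "bank-a"), reg.resolve(once, "bank-a")]
```

Because the registry keys on a hash of the alias, a copy of the issuer's table does not reveal usable aliases, and a breach at one relying party exposes only a value that is bound to that party and can be revoked.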
Ooooh, I know! (Score:3, Funny)
Blockchain. All the cool kids are doing it! Say it with me... Blockchain!
NoSql.Blockchain.node.js is so last year, keep up!
About friggin' time! (Score:2)
About friggin' time! I've been doing my best to avoid giving out my SSN where it's not required by law since the '80s.
One big hole that has been going on for decades is Medicare:
* Once you're old enough to be on it, you can't get regular health insurance to pay for the portion of your medical work (often all or the bulk of the cost) that Medicare pays for. Regular health plans turn into cover-the-difference supplements. You must sign up for Medicare or pay the charges yourself. (And if you don't
Reporting credit issues to any of the 3? That's libel (deliberate, you should know better) without that proof.
Nice idea.
But truth is an absolute defence against claims of defamation (libel or slander). Seems to me you have a case if, and only if, the information reported is wrong (and the burden of proof for that would be on you).
I like it: A raft of libel suits could make the cost of doing business as a credit reporting agency high enough that it might finish off the business model. (And the time to hit
Time to implement? (Score:2)
Practically half of us are already hacked NOW.
When would something be implemented even if a standard were already agreed upon and mandated? I get the feeling this will be treated like Android security where if you don't invest in X flagship, which is optional and expensive, you're just not covered. 140 million is nearly half of all US citizens. I'm pretty sure we can't just reprint all our forms, reprogram all our websites, rework all our databases and change the mentality towards accepting the new name and
Many organizations have already addressed this problem by not using the SSN as an authenticator, but instead using only the last four digits of the SSN as the authenticator.
They also use these same four digits as a stand-in for the full SSN in a lower-security context, thereby killing two birds with one stone.
It's brilliant.
ID without Auth is still insecure (Score:1)
Changing the ID doesn't help. The problem is we are not authenticating. We need authentication, then the ID does not matter. Sovrin.org as a start?
Lemme see... (Score:2)
Banks and businesses require customers to hand over their SSN, despite it being tagged "Not for use as identification", and then subsequently lose them in breaches. Government says let's replace SSN with something else - let's call it SSN2. What do you think will happen next?
Lose Them In Breaches 2, Electric Boogaloo
This. Don't use it as a method of verification and don't require it for verification. It's a stinkin' ID number, NOT a password, for Pete's sake!
The idea of having a person ID number is not wrong; the problem is how it's being used. You don't cut everyone's dick off just because some people are forced to hump their pets.
Guessing works (Score:2)
Since the SSN only has 10 digits and there are 300 million citizens it means (ignoring any restrictions on numbers) that one-third of the possible values [and possibly effectively many more] are used up. All you need do if you need an SSN and expect it will not be checked by the Social Security Admin is... guess. And someone will get tagged with that data. With a high probability. That's not good.
Get people to show different IDs (Score:2)
The start to request banks, building societies show the same person exists. Driver licence? Education institution?
Got a mortgage? Credit card? Utility bill? Who is renting a home?
The best way to work out who is illegal, using fake ID or just traded a social security number is to request layers of other photo ID.
City, state, federal and private sector documents have to start to match going back years.
Does the life story go back to a lot of other valid US id? Doe
Start by breaking systems that shouldn't use it (Score:2)
A simple solution for now would be just to add 4 or 5 digits to the new SSNs that are issued. That would break so many systems that others would have to address the real problem.
Decades ago AT&T had a payroll system that couldn't cope with two employees having the same SSN. It turns out that the SSA has stated that the numbers aren't unique, only unique combined with a last name. If Mary marries Mr Smith and there is a Mary Smith with her SSN, they will reissue her a new SSN. There are millions of
User name equivalent (Score:2)
One's Birthday (Score:2)
Works for the Medical field.
About damned time... (Score:2)
The card I received from them decades ago says it's not to be used for identification. Right there plain as day. But... some time between when I got my card and my daughters got theirs, the SS cards stopped saying that. How long before this new ID will get commandeered for use by businesses and we start the whole game over again?
Maybe I'm wrong... (Score:2)