Slashdot Mirror


UT Austin Hit By Massive Security Breach

mrpuffypants writes "Reported in the Austin American-Statesman: The University of Texas' security was compromised over the weekend, leaking out nearly 60,000 records on students, staff, and faculty. Official word from the school can be found here. Most troubling of all is that, like most schools, UT still uses SSNs for student ID numbers, and that was part of the information taken from them in the attack."

120 of 508 comments

  1. All they got... by FirstManOnMoon · · Score: 5, Funny

    "Those SSNs that matched selected individuals in a UT database were captured, together with e-mail address, title, department name, department address, department phone number, and names/dates of employee training programs attended. It is important to note that no student grade or academic records, or personal health or insurance information was disclosed."

    Phew, I feel so much better now!

    1. Re:All they got... by stoolpigeon · · Score: 4, Insightful

      They'll get the rest later using the SSN. That and a name are often all you need. Who cares about grades- when they know who you are and have your social you are screwed.

      --
      It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
  2. I wish I had known... by Patrick13 · · Score: 2, Funny

    I wish I had known about it, I would have asked them to change my transcripts to give me a better GPA. :P

    --
    ::.. check out some Cell Phone Reviews
  3. Action by StingRayGun · · Score: 5, Interesting

    What legal action may the students and faculty take? In Washington it is illegal to use a student's SSN to identify students. There was groaning at every campus in Washington for weeks. I bet they're as glad as me that Washington was so on top of this.

    1. Re:Action by Gossy · · Score: 3, Insightful

      Why is it such a hassle for Unis to generate their own unique IDs for students?

      As I understand, the SSN isn't even a *good* unique identifier - for one thing it has no built-in checksum, and it's possible that your number isn't unique (could be wrong on the latter, but it's not really my point..)

      Just issuing consecutive numbers to students who enrol is just one extremely simple way to replace using SSNs.

      My bank issues me a number that identifies my account, my mobile phone company gives me a number to identify my phone, why is it so hard for unis to issue numbers to identify students?

      Why were the unis in Washington so unhappy with the change? Sure, a few thousand people need to be given numbers and that can take a while to physically issue - but if the law allowed, perhaps a phased implementation of the scheme, so new people are given one of the new numbers?

    2. Re:Action by Orne · · Score: 2, Informative

      Maybe the ACLU could give them some pointers about what to do...

    3. Re:Action by number6x · · Score: 2, Informative

      Social security numbers are not guaranteed to be unique! In the early days it was allowed for an individual to share their number with a non-working spouse. The spouse receives reduced benefits after the primary has died.

      I've contracted at several major health insurance companies. That's where I first encountered records of two individuals with the same number. This is no longer allowed.

      I believe the numbers could be re-used after death, but I haven't seen this myself. Maybe someone out there in /.-land has better info on that.

    4. Re:Action by cdrudge · · Score: 2, Informative

      Is it illegal to use the number for identification, or is it illegal to require the number for identification? I know that at the college I attended, they would use your SSN if you provided it, but they would assign another SID if you asked them to, without penalty. On financial aid information, though, your SSN is required.

    5. Re:Action by sjlutz · · Score: 3, Informative

      Actually, it is illegal for anyone to ask for your social security number except for:
      1) The purposes of reporting individual tax information (such as wages and salaries).
      2) The payment and qualification for social security benefits.
      A lot of people do not believe the above, because they have gotten used to it and have accepted that people will use their SSN as a unique identification number. It's great for database developers to just use your social security number as your customer ID. Because we know that SSNs are unique. Example: if you go to a hospital, what do you think your ID is? Now, you have the absolute, 100% right to refuse to give ANYONE your social security number (aside from the above reasons). In the above example, the hospitals will probably insist. But they most definitely treat non-Americans (either visiting the US or here on a visa). These people do not have SSNs. The SSNs have become a de facto national ID card only because people have let it become so. That being said, your social security number is NOT a national ID card system, although it is being used like one whether we like it or not.

    6. Re:Action by Tokerat · · Score: 2, Insightful


      In Massachusetts, it is also illegal to use a student's social security number as identification.
      So instead, they label it a "Student ID Number" and remove the dashes before they print it on the card. Somehow, that makes it legal.

      And in this same world, I can go to jail for backing up my DVDs. Excuse me while I puke all over my keyboard.

      --
      CAn'T CompreHend SARcaSm?
    7. Re:Action by mr.+methane · · Score: 2, Informative

      There are some "validations" in the SSN. One of them makes it easy to spot a "number picked at random", and the other, which you do need a lookup table for, tells you when the number was issued and in what area of the country it was issued.

      Anyone born in the last 15 years has often had an SSN assigned shortly after birth. Previously, it was typically issued when you opened your first bank account, or when you took your first job.

      So that, combined with a person's age (or reasonable approximation) has a strong correlation for checking validity.

      If you see a 45-year-old male with a Brooklyn accent showing up with an SSN that was issued five years ago in Oregon, it would raise an eyebrow or two.

      Back to this break-in... It's time to treat data repositories like banks: regulate them, and refer anyone who even tries to break into one to www.bop.gov for a nice long visit.
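The "validations" mr. methane refers to, written out as an added example (this is not code from the thread or from any poster). It implements the SSA assignment scheme that was in force when this thread was written, before June 2011: a nine-digit area-group-serial number in which area 000, 666 and 900-999, group 00 and serial 0000 were never issued, and in which groups within an area were issued in a fixed order (odd 01-09, then even 10-98, then even 02-08, then odd 11-99). The "lookup table" is SSA's high-group list, which records the highest group issued so far for each area; the two entries used here are constructed for the example, not real. The area-to-state mapping is not included. Since 2011 SSA has assigned numbers randomly, so these checks say nothing about numbers issued after that date.

```python
"""Structural plausibility checks for a US SSN under the pre-June-2011
area-group-serial assignment scheme.  Added example; not code from the
original thread.  The high-group table below is constructed, not SSA data."""
import re

# Accepts 123-45-6789 or 123456789 (dashes optional, as printed on ID cards).
SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")

# Order in which group numbers were issued within an area (pre-2011 scheme):
# odd 01-09, even 10-98, even 02-08, odd 11-99.  Each of 01..99 appears once.
_GROUP_ORDER = (
    list(range(1, 10, 2))
    + list(range(10, 99, 2))
    + list(range(2, 9, 2))
    + list(range(11, 100, 2))
)
GROUP_RANK = {g: i for i, g in enumerate(_GROUP_ORDER)}

def parse_ssn(text):
    """Return (area, group, serial) as ints, or None if the shape is wrong."""
    m = SSN_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())

def is_structurally_valid(text):
    """Cheap check that spots a number 'picked at random': rejects the
    area, group and serial values SSA never issued under the old scheme."""
    parts = parse_ssn(text)
    if parts is None:
        return False
    area, group, serial = parts
    if area == 0 or area == 666 or area >= 900:
        return False
    if group == 0:
        return False
    if serial == 0:
        return False
    return True

# Constructed stand-in for SSA's high-group table: area -> highest group
# issued at the time the table was captured.  Values are made up.
SAMPLE_HIGH_GROUP = {123: 50, 456: 7}

def was_issued(text, high_group=SAMPLE_HIGH_GROUP):
    """True if the number is structurally valid and its group had already
    been issued for its area; False if not; None if the area is not in the
    table (so nothing can be said)."""
    if not is_structurally_valid(text):
        return False
    area, group, _serial = parse_ssn(text)
    if area not in high_group:
        return None
    # A group is issued only if it comes no later than the area's high group
    # in the fixed issuance order.
    return GROUP_RANK[group] <= GROUP_RANK[high_group[area]]

if __name__ == "__main__":
    for s in ("123-03-0001", "123-02-0001", "666-12-3456", "789-01-0001"):
        print(s, is_structurally_valid(s), was_issued(s))
```

Note that `was_issued` returns a three-valued answer on purpose: "not in the table" is different from "not issued", and conflating them is how a plausibility filter turns into a false rejection. The age correlation the comment mentions would be a further check layered on top of the area/group lookup, and is not attempted here.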

    8. Re:Action by Third+Normal+Form · · Score: 2, Insightful

      >My bank issues me a number that identifies my account, my mobile phone company gives me a number to identify my phone, why is it so hard for unis to issue numbers to identify students?

      Mostly because there wasn't enough of a vocal demand that the schools spend the time and money to do that.

      The student information systems that a lot of schools use are written by a small group of companies, and it takes a lot of time and effort to recode those (old, legacy-based) systems to use something else as a key. My school just got an upgrade within the last few weeks that just now allows something other than the social security number for the ID.

      Thankfully, most states here in the U.S. are writing laws prohibiting the use of the SSN. I think this should have been done years ago, but it wasn't because there weren't enough people demanding it.

  4. Slightly OT - choice of credentials by 1984 · · Score: 5, Interesting

    OK, so I can see how a university might come to use SSNs as an identifier. They're unique and everyone already has one. Easy.

    But why are SSNs so sensitive? It's like a credit card number -- it's printed some places, gets bandied about in others. Not exactly confidential, and no intuitive or documented boundaries on who should be trusted with it. So it's a scary number that can be used for bad things, but you'll have to give it out in many circumstances where you aren't fully aware of how it'll be used. Makes it tricky to know who has it, or to make an informed decision about where you use it.

    Again, it's easy to see how the practice of using it as a credential has continued (and got worse), but when did it start?

    1. Re:Slightly OT - choice of credentials by sweetooth · · Score: 3, Informative

      Google can answer most of your questions with nifty links like this, or this.

      Who would have thunk it?

    2. Re:Slightly OT - choice of credentials by parc · · Score: 4, Informative

      There's a problem with your statement "They're unique and everyone already has one." First, not everyone has one. You were not legally required to have an SSN until 20 or so years ago. Of course, without one you can't get social security benefits.

      A bigger problem is that everyone assumes SSNs are unique. They aren't. At best they can only uniquely identify 1 billion people. "Easy," you say, "There aren't 1 billion people in the United States." There were 281 million in 2000. The birth rate is 14.5 per 1000, and the death rate is 8.7 per 1000. While the birth rate is declining, the life expectancy of a person is lengthening. Additionally, it cannot be expected that the birth rate will continue to decline to 0. This means that, while it won't happen any time soon, eventually there will be more than 1 billion people in the US.
      The next problem is that when you die, your SSN is NOT REUSED until your estate is closed, at a minimum. My mother's estate was not closed for nearly two YEARS after her death, and hers was a simple estate. Some accounting setups could cause your SSN to be used for many years after your death.

    3. Re:Slightly OT - choice of credentials by Greyfox · · Score: 4, Insightful
      Because every company on the planet uses the number to identify you. When you apply for a loan, a driver's license, a credit card or insurance, the Social Security number is all they need. Given yours, I can request a car or home loan in your name, get a nice fat check and skip out of town or out of the country. And you might not ever know about it until the credit collectors catch up with you, you're denied credit or you don't get a job when they run a credit check on you. Assuming they even tell you your credit history is why they didn't hire you. Many employers ignore the laws stating that they have to tell you if that's why they don't hire you.

      If someone is using a driver's license acquired in your name with your social security number, they could very well build up a criminal record in your name in some other state. A routine traffic stop could then lead to you getting arrested.

      With that in mind, if someone asks you what yours is, the first thing that comes out of your mouth should not be that number. It should be "I don't think you need to know that information." Note that in the historical past (I don't know if this is still true) if you knew someone's name and birth date, you could use an Internet information service to find out their social security number and criminal history.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    4. Re:Slightly OT - choice of credentials by Politburo · · Score: 2, Informative

      According to the gov't SSNs are never reused currently. Here is the link. This link may timeout.. but it is in the frequently asked questions at ssa.gov.

  5. Are the stolen records ever used? by Sgs-Cruz · · Score: 4, Interesting

    I've seen a whole bunch of 'stolen credit card #' type stories on Slashdot lately... the thing is, we never hear about any repercussions of these thefts. Do the thieves ever use the stolen records in large quantities? Follow-up is good :). Any info people have, post it here (I'm thinking of, in response to the Amazon CC# thefts from a few weeks ago, etc.)

    --

    Karma: pi (Mostly due to circular reasoning in posts).

    1. Re:Are the stolen records ever used? by HotNeedleOfInquiry · · Score: 3, Informative
      Yeah, they get used, mostly in foreign countries. As a merchant who got stiffed for $1700 on one of those uses, I'm not inclined to discuss how it was done on Slashdot.

      No offense.

      --
      "Eve of Destruction", it's not just for old hippies anymore...
  6. One Copy? by robi2106 · · Score: 2, Interesting

    A smart cracker would already have lined up the buyer(s) for the information (probably spam companies) before doing the crack. At least one copy of the data would have been made at the time of the crack to ensure that it doesn't get captured and lost.

    But nothing says that these cracker(s) are smart. Possibly just lucky.

    robi

  7. Who needs to hack, just work for a university by efflux · · Score: 5, Interesting

    My school still uses SSNs as student IDs. I've found that as a student employee I run into thousands of IDs a day. I know it's the same way for a lot of student employees on campus. When will schools learn the benefits of an autogenerated key?

    --
    Do I contradict myself? Very well, then I contradict myself, I am large, I contain multitudes. -- Walt Whitman
    1. Re:Who needs to hack, just work for a university by mrtroy · · Score: 2, Funny

      Our university goes by random numbers; unfortunately they use the year you are supposed to graduate! So my student ID 2003###### looks out of place in all the first-year classes I am in. Hopefully the young females don't notice....:P

      But I would prefer that to having my identity stolen and have horrible credit, depending on the girls.

      --
      [I can picture a world without war, without hate. I can picture us attacking that world, because they'd never expect it]
  8. from what Ive seen by odyrithm · · Score: 3, Interesting

    In schools, it's very easy to retrieve information. I went round no less than 10 junior schools in my area to get information on the new students that are about to enter the new year in the secondary school where I work as the information manager.. NOT ONE of the schools asked me for ID; they showed me to a machine and logged me in and let me walk out of the door with the information on floppy...

    It's very scary.. but what can you do..

    --
    moo
  9. Penalties by Skyshadow · · Score: 5, Interesting
    Am I the only one who thinks that there should be penalties for the hack-ee when private information is stolen?

    Not to adopt a blame-the-victim mindset, but I mean really, why is this stuff on an internet-connected machine to begin with? I work in health care, and with HIPAA coming into effect, we've been moving a substantial part of our network off the internet -- if there's no physical connection, we can't get hacked.

    This stuff needs to be taken seriously, and not just in punishing the offenders. Look at it this way: If your bank got robbed tomorrow and all the items in your safe deposit box were made off with, would you blame the bank if you found out that the vault was left open and the deposit boxes were made of cardboard? I sure would.

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
    1. Re:Penalties by Conare · · Score: 3, Informative

      "I work in health care, and with HIPAA coming into effect, we've been moving a substantial part of our network off the internet -- if there's no physical connection, we can't get hacked. " Oh really? Something like 60% of breaches are internal. What are you going to do now? Put everyone on their own separate network? We are going to see a lot of medical data stolen since Bush took the teeth out of the HIPAA requirements.

      --
      Stop Continental Drift! Reunite Gondwanaland!
    2. Re:Penalties by GuyMannDude · · Score: 2, Insightful

      Am I the only one who thinks that there should be penalties for the hack-ee when private information is stolen?

      I would imagine that under such a system, no organization would ever admit to being cracked since they would be financially liable. And having some third-party prove that the organization was cracked without access to the computer records would be quite a feat.

      GMD

    3. Re:Penalties by BrianH · · Score: 2, Informative

      Won't work. Most colleges today have web based facilities that allow students to review and update their registration info. Heck, the college I work for allows web users to do everything from change their name, to register for classes and financial aid, to connect to our alumni association and donate money. When you have that kind of functionality online, you are forced to have realtime (or near-realtime) communications between the backend administrative systems and the frontend web systems. With comprehensive web-based applications like this, you can make them hack-resistant, but never hack-proof.

      --

      There is nothing so pathetic as seeing a beautiful young theory roughed up by a tough gang of facts.
    4. Re:Penalties by Minna+Kirai · · Score: 2, Insightful
      there should be penalties for the hack-ee

      There is already a penalty of sorts- any corporation victimized in this way will get a big overtime bill from their IT department as it patches the holes and audits the damage. They also claim to lose revenue for the period the systems were offline.

      Look at the huge dollar amounts of "damage" that companies quote when they suffer a "hacker attack". Those are big losses- it must be some kind of punishment.

      Now, one might say that amount of punishment isn't a sufficient deterrent against poor security, because corporations so far haven't invested enough in prevention.

      Are there approaches the government could take to increase the magnitude of that punishment? Yes, two ways:
      • Declare that knowingly running an insecure server is a public safety violation. Fine administrators who do this. (This requires more effort from police and lawyers. Maybe someday it will happen)
      • Spend less government effort pursuing "hackers", and reduce the legal repercussions once they're caught. This would permit freelance hackers to mete out more punishment towards insecure corporations by attacking them more often. (This reduces the current government expenditures on enforcement and prosecution. But, it'll never happen)

    5. Re:Penalties by RobertNotBob · · Score: 2, Funny
      but we're doing good stuff .....Patient data terminals on our new network are located in physically secured rooms (locked) in buildings with human security

      $$$$$

      ...require a SecurID to log into...

      $$$$$

      ...all data traffic is VPNed

      $$$$$

      The physical machine cases are locked and alarmed and the BIOS will commit hara-kiri if they're improperly opened

      $$$$$

      ...a week of training ...

      $$$$$

      Wow. What healthcare system do you work for? Are they hiring???

      --
      ___ I don't respond to Anonymous Cowards, and I Never Mod them UP.
  10. Clarification? by binaryDigit · · Score: 4, Insightful

    The UT link appears to be /.ed, but when I read it before it sounded like a simple brute-force SSN lookup. The attacker simply generated random SSNs and sent them against a page that returned information based on SSN. The attacker then simply harvested "positive" hits. The problem was that this interface was exposed to the public and that it had no means of throttling/preventing multiple requests/failed requests.

    On another note, UT is phasing out the SSN in many aspects of students' lives. My wife's UT ID does not contain her SSN; it has a student # now. Though I assume that there are still many points of interface with the UT system that expect to see an SSN.

    1. Re:Clarification? by nfsilkey · · Score: 2, Informative

      Externally, the SSN is still used at UTexas. Students and staff/faculty find their SSN dabbed all over financial, registration, grading, housing, and employment information. Internally, the SSN is the identification method that makes the world go round in many MANY aspects on campus.

      Such a transition will be entirely difficult and time-consuming. The university is interested in making the transition, but the issues which arise from a multitude of departmental management techniques are wide-ranging and difficult to tackle. The recent changes to the UT EID system (a unified login scheme to manage campus life and services) are just the beginning of a long uphill IT battle that is being tackled (...we hope ;).

  11. Changing GPA by robi2106 · · Score: 2, Insightful

    Reading the article (as I am sure everyone already has) would tell you that the information was not tied in to any student grades. Two different systems / databases.

    This does mean a spammer has a few thousand live accounts of young (read: target audience) college students (read: active email users).

    That is bad in more ways than one.

    robi

  12. Yikes... by TopShelf · · Score: 2, Interesting

    It's amazing how much information you can get kicked back by simply trolling SSN's. This reminds me of the scandal last year with Yale's admissions information, which a Princeton administrator obtained by simply entering SSN's and birthdates on their web site. A brute-force attack like this one, simply adding birthdate to the mix, could have successful results in other places, I'm sure.

    --
    Stop by my site where I write about ERP systems & more
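The attack binaryDigit describes above in "Clarification?" (a public page that answers with a record for any SSN it recognises, fed guessed numbers with no throttling) and the brute-force variant TopShelf raises, simulated as an added example. This is not UT's code; the directory, the session table and the lockout threshold are constructed for the example. A sequential walk of one area-group stands in for the random guessing described, so the result is reproducible. The unthrottled lookup gives up every record in the range; the throttled one cuts a client off after a fixed number of misses; and the session-keyed variant stops accepting the SSN as a client-supplied key at all, which is the real fix, since an SSN identifies the subject but says nothing about who is asking.

```python
"""Simulation of an SSN-enumeration attack against an unauthenticated lookup
page, with two mitigations.  Added example, not code from the original thread;
all data below is constructed."""

# Constructed directory: SSN -> record.  Not real people or numbers.
DIRECTORY = {
    "123-45-0005": {"name": "A. Student", "dept": "CS"},
    "123-45-4000": {"name": "B. Staff", "dept": "Registrar"},
    "123-45-9000": {"name": "C. Faculty", "dept": "Physics"},
}

def lookup_unthrottled(ssn):
    """The vulnerable pattern: the SSN alone selects the record.  No session,
    no per-client accounting, so every guess is free."""
    return DIRECTORY.get(ssn)

class ThrottledLookup:
    """Same data, but each client is refused after `max_failures` misses.
    The threshold and the notion of 'client' are assumptions for the example;
    a real deployment keys this on source address, session or both."""

    def __init__(self, max_failures=20):
        self.max_failures = max_failures
        self.failures = {}

    def lookup(self, client, ssn):
        if self.failures.get(client, 0) >= self.max_failures:
            return "locked"
        rec = DIRECTORY.get(ssn)
        if rec is None:
            self.failures[client] = self.failures.get(client, 0) + 1
        return rec

# Hardened design: the record is chosen by the authenticated session, and the
# client never supplies the key.  Session table is constructed.
SESSIONS = {"sess-abc": "123-45-4000"}

def lookup_by_session(session_token):
    """Returns only the record belonging to the session's subject; a guessed
    SSN has no input here, so there is nothing to enumerate."""
    key = SESSIONS.get(session_token)
    return DIRECTORY.get(key) if key else None

def enumerate_serials(area_group, lookup):
    """Attacker: walk every serial 0001-9999 under one area-group and harvest
    the hits.  Stops as soon as the server starts refusing."""
    hits = []
    for serial in range(1, 10000):
        ssn = f"{area_group}-{serial:04d}"
        rec = lookup(ssn)
        if rec == "locked":
            break
        if rec is not None:
            hits.append((ssn, rec))
    return hits

def demo():
    """Returns (hits against the open page, hits against the throttled one)."""
    open_hits = enumerate_serials("123-45", lookup_unthrottled)
    throttled = ThrottledLookup(max_failures=20)
    limited_hits = enumerate_serials(
        "123-45", lambda s: throttled.lookup("attacker", s))
    return len(open_hits), len(limited_hits)

if __name__ == "__main__":
    print(demo())  # (3, 1): the lockout trips after the first record
```

Throttling only raises the attacker's cost; a distributed attacker who rotates source addresses gets a fresh failure budget each time, and adding a second required field such as the birthdate TopShelf mentions multiplies the search space without changing the shape of the problem. The session-keyed lookup is the one of the three that removes the enumeration surface rather than slowing it down.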
  13. Colleges and Universities need to fix systems! by revcorrupt · · Score: 3, Interesting

    This is NOT the first time, and I do not believe that it will be the last. I work at and attend a medium-sized college and I happen to know from other employees that our systems have been compromised on several occasions, and in fact they are still being compromised. I do not believe that any critical information has been stolen, but the security of the critical systems at our nation's colleges and universities needs to improve. Our college refuses to publicly admit that they have had a serious breach or deny any knowledge of current security problems. It's quite frustrating to be a computer security enthusiast and attend a college that refuses to admit they have a serious problem.

  14. At least the University is acting responsibly... by Dman33 · · Score: 4, Interesting

    "There are six to 12 ways we could have reduced the risk to the database," Updegrove said. "The sad thing is, we didn't do any of them."

    It is good to see the University being so frank and honest about this matter. I am sure some heads are gonna roll, but at least the people affected will be provided with information and know how it happened.

    Speaking of how it happened... the article does not go into technical details, but I am curious how this database was accessible to the world and was spitting out data to qualifying queries of SSNs without any security context... I am sure someone here on /. has an opinion as to how this happened?

  15. The bigger breach . . . by GMontag · · Score: 2, Funny

    This johnny-come-lately "UT" is ripping off the initials and the colors of the original UT (est. 1794 thank you very much)!!

    We demand that our child State of Texas cease and desist in the molestation of our look and feel.

    Sincerely,
    Volunteer Graduate of 1994

    PS, The UTK English Department is the Home of the Vowels ;-)

  16. Hey, here's an idea by buffer-overflowed · · Score: 3, Interesting

    SSN's are valuable because you can use them for identity theft. You can use them for identity theft because they're a national ID card. Something "they" (the mythical them) say they are not.

    Apart from that, all of the credit reporting, etc. goes through shadow companies that you can do nothing to if they screw you over (i.e. issue a credit card to a you that's not you).

    We need to make using an SSN for identification purposes entirely illegal, credit card companies and banks be damned. Or say it is a National ID and come up with a better way of securing identities.

    --
    The key to the enjoyment of pop music is to replace any instance of "love" with "C.H.U.D."
  17. at least some are getting smarter by squarefish · · Score: 5, Interesting

    Northwestern recently sent this out to all students:

    Dear Students:

    The following three bulleted topics are of student interest:

    * Social Security Number is removed from WildCARD ID
    With complaints about identity theft nearly doubled last year as the fast-growing crime topped the government's list of consumer frauds for the third consecutive year, WildCARD offices on the Evanston and Chicago campuses have started issuing new WildCARD identifications without social security numbers.

    The re-designed WildCARDS are being issued at no charge to faculty, staff and students who wish to exchange their existing card for one minus a social security number printed on the front. Those without a card to exchange because it was lost or stolen will be charged a $15 replacement fee.

    "The new purple WildCARD looks the same as the old one, but as opposed to printing the person's social security number that used to be their Northwestern "id" number, we have implemented a shortened "emplid" number which the University is issuing that has no association whatsoever with one's social security number," said Arthur Monge, manager of WildCARD and Vending.

    "We are not mandating that WildCARD holders be issued a new card, but the option is available for anyone who feels concerned about having the social security number visible on their existing card. It is a matter of personal choice to replace their existing card for one with an "emplid" number, at no charge, unless they have lost their card or it has been stolen." Since switching to a new WildCARD is optional, it can be done at one's leisure. Existing WildCARDS will continue to work, so if someone doesn't feel the need to have one without a social security number immediately, they can continue using their existing card until it expires.

    Northwestern University's multi-purpose, one-card program, WildCARD, was developed nine years ago to provide better identification for members of the University community and to simplify use of existing services, control access, reduce handling of cash, and enhance security. Students, faculty, staff, spouses and domestic partners of active, full-time faculty or staff, authorized contractors working within the University community, Research Park tenants, and individuals affiliated with a University department are all eligible for a WildCARD. For more information, call Art Monge (847) 467-3135 or check the WildCARD Web site at:
    http://www.univsvcs.northwestern.edu/WildCard/index.html

    * New vending machine refund bank locations
    If you didn't already know it, there are vending machine refund banks located throughout both campuses. A complete list can be found on the WildCARD & Vending web site at:
    http://www.univsvcs.northwestern.edu/WildCard/vending.html#refundloc

    New locations include the Family Institute at 618 Library Pl (front desk), Lake Shore Center at 850 N. Lake Shore Drive (front desk) and at Wieboldt Hall, 339 E. Chicago (Administrative office, 2nd fl). One is also planned for Galter Library in the near future.

    Each vending machine should have a sticker on it that indicates the nearest refund bank. If one is missing, please inform the Evanston Wildcard Office at 7-6843.

    * Other tidbits of information:
    --The Abbott Hall ATM now sells stamps
    --A Pepsi vending machine promotion is taking place now. Pepsi is giving away 80 Willie the Wildcat bobble head dolls. Look for a sticker on your next Pepsi purchase.

    --
    Creationists are a lot like zombies. Slow, but powerful and numerous. And they all want to eat our brains.
  18. SSN as ID number by TPIRman · · Score: 3, Insightful

    While my university doesn't use the SSN for our student ID number, it still asks students to put it on countless forms and enter it into countless databases. It's always made me uneasy, and I hadn't even thought of the potential for a computer break-in. Rather, I was unsettled that any student worker who checked out a book for me at the library could see my SSN on his screen after scanning my ID card.

    But nothing wakes up a university -- especially a state school -- like the threat of litigation. If the cracker followed up and committed full-scale identity theft, the students would have grounds for a lawsuit against the school. Consider the recent New Hampshire lawsuit that dealt with SSNs and other personal information. With the potential for bloodthirsty lawyers, universities might finally get serious about protecting their students' information.

  19. Bush's daughter by wayward_son · · Score: 3, Interesting

    Doesn't one of Bush's daughters go to UT?

    Could this possibly be related?

  20. What's the big panic about SSNs? by Gordonjcp · · Score: 3, Informative

    Seriously. In the UK the closest equivalent is a National Insurance number, which you give out to quite a few people. Banks often want this (because it's unique to you, which makes record-keeping easier). Your employer will want it, so their accountants can calculate your tax. Your doctor will probably want it, again, because it's a unique identifier.

    Why are Americans so paranoid about who knows their SSN?

    1. Re:What's the big panic about SSNs? by Anonymous Coward · · Score: 3, Funny


      Why are Americans so paranoid about who knows their SSN?

      Because it's a lawless and uncivilized colony filled with criminals who will steal your identity to get a free meal at Ponderosa without a twinge of guilt.

    2. Re:What's the big panic about SSNs? by jaymz666 · · Score: 2, Insightful

      Because EVERYTHING is tied to it. Should someone get a hold of your SSN they can get a credit card in your name, or whatever.

    3. Re:What's the big panic about SSNs? by Fulcrum+of+Evil · · Score: 3, Insightful

      Why are Americans so paranoid about who knows their SSN?

      Because I can use your SSN to apply for a credit card in your name and then, when the bill comes due, it falls on your head (until you explain that that wasn't actually you). Then I can do it again.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    4. Re:What's the big panic about SSNs? by joebp · · Score: 5, Insightful
      Should someone get a hold of your SSN they can get a credit card in your name, or whatever.
      I think I see where the problem lies.

      It's like security through the obscurity of these numbers.
    5. Re:What's the big panic about SSNs? by jaymz666 · · Score: 2, Insightful

      Essentially, yes. It's a retarded system. It all hinges on an SSN, that can easily be stolen.

    6. Re:What's the big panic about SSNs? by OrbNobz · · Score: 2, Informative

      Or close your bank accounts.
      Or get a driver's license.
      Or sell it.
      Or make your life a living hell until you can change it.

      - OrbNobz
      "Mind if I drive?" "Not if you don't mind me clawing at the dash and screaming like a cheerleader." - Sam n' Max (vice versa anyway)

    7. Re:What's the big panic about SSNs? by wideBlueSkies · · Score: 4, Insightful

      1. Please mod the parent as insightful. (Or even funny). This is the best description of the problem I've ever heard.

      2. It's an antiquated system. Back in the day, before massive amounts of information were available on computer, you'd occasionally hear about a guy whose number was stolen. It's a bad thing, but it was a rarity. The system worked because your number was secret, and there were few real ways to get it.

      These days, SSN's are being compromised by thousands at a time. This is a broken system, and it should be fixed.

      Perhaps thumbprints or retinal scans as a system of identification. But if you think about it, this leaves us with the same problem. The retinal or thumb image needs to be kept somewhere for the purposes of comparison. The files can be stolen just as easily as SSN's.

      Maybe there is no solution.

      --
      Huh?
    8. Re:What's the big panic about SSNs? by TuxGrep · · Score: 3, Insightful

      Hm. So I need only your name and your SSN ??

      Djeez. No wonder you all need a homeland security office and ultraparanoid officials everywhere, if the underlying 'security' mechanisms are SO easy to break.

      It may surprise some of you but in the rest of the world you actually need to show some real identity document, like a passport or drivers license, to get anyone to actually trust your identity.

      Maybe something to implement in the next, say, 20 years in the great USA ?

      Yeah. This sounds like a flame. So sue me. Another thing US residents seem to be really good at ;-)

    9. Re:What's the big panic about SSNs? by Anonymous Coward · · Score: 3, Interesting

      Precisely. The problem isn't that people can find out your SSN. It's that far too many people think that SSNs are somehow a secret authentication key that only you could possess.

      If you walked up to any organization and said, "Hi, I'm CmdrTaco, gimme the keys to Fort Knox", they'd ask for some ID. They don't take knowledge of a name as proof of ID. Yet far too many people will accept the one that walks up and says "Hi, I'm 123-45-6789, gimme the keys to Fort Knox". An SSN is just like a name. It's not a digital signature.

      Note that the fuss a lot of people make over insisting their SSNs be "secure" actually makes the problem worse, not better. Increasing the obscurity slightly doesn't improve the technical security. But it does tend to make people sloppy and overconfident, and leads them to rely on the obscurity of the number as a substitute for authentication. The reason we have a problem in the first place is all those people that mistakenly believe that SSNs are somehow secure in the first place.

      We'd be better off if you were _required_ to use SSN as your student ID, and drivers license ID, frequent shopper card ID, whatever. Plaster it all over the place, and make sure that everyone realizes the number is every bit as public as your name, and thus of no more value for proving an identity. Agitating for "privacy of SSNs" is counter-productive.

    10. Re:What's the big panic about SSNs? by joshsisk · · Score: 2, Interesting

      It may surprise some of you but in the rest of the world you actually need to show some real identity document, like a passport or drivers license, to get anyone to actually trust your identity.

      So, do you provide those documents when you apply for a credit card via mail?

      Then do you provide those documents via the web when you use that card to buy $5,000 worth of electronics on Amazon.com?

    11. Re:What's the big panic about SSNs? by TuxGrep · · Score: 2, Informative
      So, do you provide those documents when you apply for a credit card via mail?

      Again, it might surprise some of you ;-), but this is exactly the reason you can only apply for a credit card (loan, mortgage, etc) IN PERSON.

      Sounds inconvenient ? Well, it depends on how secure you need to be. Typing in passwords is inconvenient as well...

    12. Re:What's the big panic about SSNs? by ClipDude · · Score: 3, Insightful
      Again, it might surprise some of you ;-), but this is exactly the reason you can only apply for a credit card (loan, mortgage, etc) IN PERSON.

      That's funny. Those ten or so credit card applications I get in the mail each week say nothing about coming to see them IN PERSON.

      --

      The DMCA--for corporations, the best copyright law money can buy.
    13. Re:What's the big panic about SSNs? by KsQuasar · · Score: 2, Insightful

      SSNs were originally designed to only match workers with government Social Security benefits. They were never intended to be the all pervasive ID that they are used for now. However, because of the uniqueness of the SSNs across the country, many/most organizations began to use the SSAN as an identifier/authenticator instead of trying to develop their own systems. And, here we are today...

    14. Re:What's the big panic about SSNs? by TuxGrep · · Score: 4, Informative
      That's funny. Those ten or so credit card applications I get in the mail each week say nothing about coming to see them IN PERSON.

      From that I can only assume that you live in the US? Which, I guess, just proves my point that it is a system just waiting to be abused.

      Never mind what those spams may say, in Europe you cannot get a bank account without applying in person. I guess there may be CC companies that are so eager to close that they trust me without proof. But I reckon that even those will send letters to your address that you have to return to them, signed. Which does prove at least two things to them: (A) you have physical access to the mailbox/street address you supplied, and (B) they have your signature on paper, which can be useful to prove you signed it (and if need be, all the way through handwriting recognition experts).

      In any case, that is better than nothing.

    15. Re:What's the big panic about SSNs? by tlk nnr · · Score: 3, Informative

      So, do you provide those documents when you apply for a credit card via mail?

      In Germany, the post offers a service called postident - the mail carrier will only give you the letter if you show him your passport, and he'll send the passport number back to the sender of the letter.

      The system has been in place for years; afaik it's the only way to open accounts at internet-only banks. No need for a magic SSN.
    16. Re:What's the big panic about SSNs? by ClipDude · · Score: 2, Informative

      Oops, sorry. I didn't realize you were talking about outside the US. (Now I feel dumb.)

      You are exactly right, the system is pretty much screaming "abuse the hell out of me".

      Here, you can pretty much get credit card applications with no effort. When I buy a book from my campus bookstore, it comes with a damn credit card application stuffed in it. The credit card companies decided, I guess, that it is profitable enough to make credit incredibly easy to obtain that they don't mind eating the cost of occasional fraud. Unfortunately, this hurts those whose identities have been stolen, as they have to take the time and effort to clear their credit rating.

      --

      The DMCA--for corporations, the best copyright law money can buy.
    17. Re:What's the big panic about SSNs? by Chrome-Dragon · · Score: 3, Interesting

      Had this same thing happen to me around Christmas time, except they bought plane tickets. The tickets were to be picked up at will call; all the police had to do was go to the airport and wait. But no, they said "the people picking up the tickets could be different from the ones who bought them". So when I said, fine, then forget the fraud charges and credit issues, go arrest them for receiving stolen property, they got all quiet and wanted to drop it. People can be so lazy.

    18. Re:What's the big panic about SSNs? by Mr. No Skills · · Score: 2, Insightful

      The problem is not so much that a single, unique identifier exists. The problem is that so many organizations will blindly take that number and extend credit to anyone, with very little verification that the number belongs to them.

      Then, when fraud has been committed, they use that number to shut down the true number's owner and assign numerous penalties to them, when in many cases the incompetence is with the organization that extended the credit in the first place.

      We've set up a system where a handful of low level, poorly compensated clerks can destroy years of good credit history, either on purpose or by accident. The cost to clean up the mess is horrendous to the individual who most likely did nothing wrong. Authorities do little to catch those during this as it is often written off as the cost of doing business.

      --
      Sleep is for the Weak
    19. Re:What's the big panic about SSNs? by TuxGrep · · Score: 3, Funny
      Wrong. SSNs are not unique. The combination of birthdate, name and SSN is unique.

      Hmm.
      Well, depending on the resolution with which you record "birthdate" (days? minutes? seconds?) one could probably just about prove that the combination of name and birthdate is already unique, regardless of the SSN.
      Unless maybe when your name is real common.

      Come to think of it, names should maybe be deprecated altogether. Just record the time of birth, and the GPS coordinates thereof.
      Provably unique, and names are confusing anyhow. ;-)
      Or else, we can design a domain name system for that too; A network of central servers that can facilitate a name lookup. Just input GPS and date/time and it tells you the name of the subject ! ;-)

    20. Re:What's the big panic about SSNs? by Jucius Maximus · · Score: 2, Funny
      "It may surprise some of you but in the rest of the world you actually need to show some real identity document, like a passport or drivers license, to get anyone to actually trust your identity."

      One problem is that, by and large, a change in the way 'The System' works is, to Americans, an admission of defeat. But the US of A never loses at anything because it is the best. I mean, if a conversion to metric was ever implemented, the terrorists will have won!

    21. Re:What's the big panic about SSNs? by Jucius Maximus · · Score: 2, Informative
      " He's not talking about the US. In many countries you can not apply for credit via mail. The fact that you can do it in the US surprises many non-americans."

      This surprises me as well, and I am from Canada. I have actually never applied for a credit card in person. I've done it by internet and by mail. Sometimes you have to pick it up at the bank branch, other times it comes in the mail to your home.

      I actually work in the Credit Card division (VISA or Mastercard, but I won't tell you which ;-) of one of North America's 10 largest banks and I can tell you that this 'not in person' system DOES have its problems. Fraud is the current biggest monetary loss for the bank. I won't post some of the methods the crooks use to take advantage of this mail and internet system (because I don't want to help budding fraudsters,) but it is truly nefarious. Fraud of credit cards is actually incredibly easy in Canada and the US, and it's going to get worse before it gets better. One big problem is that you don't need a PIN for the cc's and it is very rare that a merchant actually looks at the signature on the card. You could sign any old name and get away with it.

      Now in Canada the system with SIN (social insurance numbers) is better than the US because by law, they can only be used for purposes related to paying taxes to the government. My SIN number is only used when starting a new job, opening a bank account that earns taxable interest, applying to university, paying taxes, and that's about it.

  21. It's not the IT department.. it's the provost by agrounds · · Score: 5, Informative

    I used to admin at a University. One of the most frustrating things I encountered was the incessant desire for there to be no restrictions on any of the computing systems that the students used. This includes the servers. The firewall was just an expensive router. We were not allowed to run blocks from the internet to inside IPs, as that defeated the spirit of free access. I tried to explain why it was a 'Bad Thing(tm)' repeatedly, but always met with resistance from the shared governance committee. One cannot blame the administrators in this thing. I assure you they feel just as powerless as I did. This kind of thing will become more and more rampant as clueless faculty (or upper-management in the business world) are allowed to influence major IT decision-making.

    1. Re:It's not the IT department.. it's the provost by tongue · · Score: 2, Interesting

      Actually, my fiance goes to UT, and I can assure you that this is entirely the administrator's fault (well, and the hackers, but since we're in the "blame the victim" mindset here)... UT has no such "free access" restrictions in place. Half the campus can't even send mail outside the UT mail systems.

      I will say this in defense of the IT people there... it's gotta be pretty fucking hard to lock down a system that has almost 70,000 users (between students, faculty, staff, alumni, etc).

  22. Re:As a recent graduate... by binaryDigit · · Score: 3, Informative

    What steps can one take to protect one's identity?

    You can't (not to say that you shouldn't make it more difficult, but just don't fool yourself into thinking that it's possible to do absolutely). It's like your house or car: you can take steps to make it more difficult to break in/steal, but there is absolutely nothing you can do to stop someone who wants to target YOU. So the best thing to do is to introduce a bit of paranoia in your life and assume therefore that it COULD happen and adjust accordingly. So for your identity, you do regular checks of your credit report, you keep tabs on your bank accounts, you review your credit card statements, etc. The absolute worst thing that can happen is for someone to grab your identity and use it for a length of time without your knowledge. Getting your cc company to forgive unauthorized purchases is easy, as long as you do it within 30 days of your statement. Having someone apply for a cc with your info can bite you in the butt if you're trying to buy that car or get that mortgage, so you make sure you check well in advance and make sure that window of exposure is as small as possible.

  23. SSN's? Big deal. by Slime-dogg · · Score: 2, Interesting

    Big deal. If anyone wants to know my ssn, it's "336721433".

    SSN's are public information.

    --
    You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
  24. Already fixed by Anonymous Coward · · Score: 4, Funny

    They immediately disconnected the compromised database from the Internet, later hooking up a database of useless information.

    They probably just copied over the DB containing the University's security procedures.

  25. `Recapturing'? by TKinias · · Score: 4, Insightful

    UT says:

    UT, in conjunction with the U.S. Attorney's Office, the U.S. Secret Service, and other law enforcement agencies, has focused its efforts since Sunday evening on identifying the perpetrator(s) of the break-in and recapturing the stolen data.

    Someone is more than a little bit confused about the nature of digital storage if they think they can `recapture the stolen data'.

    `Ah, cool, we've managed to delete the copy they made of our data.'
    (whispers)
    `Another copy? How many copies did they steal?'

    --
    In principio creauit Linus Linucem.
  26. Re:As a recent graduate... by bpfinn · · Score: 3, Informative
    If you are worried about credit card fraud, then you can contact the big credit agencies to check your credit report. They are:
    Review who is looking at your credit report, and report suspicious activity to them. Having seen a few personal credit reports of people who were using their personal credit to establish a business line of credit, I've seen statements on them like: "Don't issue any credit to this person before contacting me at 111-222-3333".
  27. Isn't there a law?? by PDXNerd · · Score: 2, Informative

    A few years ago I got a new bank account and they told me that due to a federal social security law they could not use my SSN as an identification source and that anyone who used it as such was breaking the law.

    I know that many institutions and businesses use it (SSN) that way, but isn't it against the law? Or did I misinterpret the statement from the bank?

    1. Re:Isn't there a law?? by Dahan · · Score: 4, Informative
      In general, government agencies (other than the IRS) can't require you to give them your SSN. There are a few exceptions though... and some govt. agencies want you to think that you need to give them your SSN when you don't actually need to. As an example, if you apply for a passport, the form threatens you with a $500 fine if you don't fill in your SSN. However, it's the IRS that wants to know if you're applying for a passport--you can actually tell the IRS directly, rather than sending your SSN to the State Dept. and having them tell the IRS.

      Private businesses can request your SSN if they want... you don't have to give it though. But if you don't, they don't have to give you whatever you're looking for either :)

      However, UT is a public school and is subject to the restrictions on government agencies... here's a page with some info on the use of SSNs in public schools.

      Anyways, as a former UT Austin student, I'd be annoyed if my SSN was one of the ones that got out... and if so, I wonder how UT plans on contacting me--as far as I know, they don't have my current address, phone number, or any other type of contact info. As a side note, the first year I was there (1988), a lot of professors posted exam grades outside the classroom indexed by SSN... I guess someone put a stop to that :)

  28. What the? by Baracus · · Score: 2, Insightful

    Hold on, why were UT's internal data reporting systems hooked up to the internet? I thought sensitive information like this was only exchanged over secure intranet and stored in systems with no access to public networks?

  29. SSN's are used too much by StarTux · · Score: 2, Interesting

    They just should not be used by any third party. One thing I was amazed at after moving from the UK to the US was just how many companies/people here ask for that information when really it's not necessary.

    StarTux

  30. UB by hckrdave · · Score: 2

    At UB we have a "people number". It might sound stupid... but at least if they're hacked they don't get my SSN.

  31. Student Numbers = SSN by vasqzr · · Score: 2, Insightful

    You've got WAY more to worry about than hackers.

    ANYONE who works in the offices (especially student workers) can get this information. Admissions? Financial aid? All of these people could find enough info out about you to get a credit card in your name or go down to Circuit City and buy a big screen.

    Just like the people who worry about their credit card being stolen from shopping online - You've got a better chance of the guy working at the mall going through receipts, or the waitress at Hooters when she takes your card up to pay the bill.

  32. Re:At least the University is acting responsibly.. by Telastyn · · Score: 2, Interesting

    Some helpful person probably set up a "phone search" database where you could search via ID. Probably they just didn't know the IDs were SSNs, or didn't care, or didn't put 2&2 together to realise that in addition to finding people's phone numbers, you could find people's SSNs.

    Then someone just wrote a script to brute force the SSN range it seems from the 2nd link
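    The pattern described in that comment (a lookup page keyed by a numeric ID, hit by a script that walks the number range) leaves a very recognisable trace in an ordinary web server access log. What follows is an added example, not code from the original thread, from UT or from the reporter: it parses constructed combined-log-format lines and flags any client that queries many distinct, mostly consecutive 9-digit IDs against one endpoint inside a short window, while leaving a human directory user alone. The endpoint path `/phone/lookup`, the `id` query parameter, the sample addresses and the thresholds are all assumptions made for the illustration.

```python
"""Flag clients that brute-force an ID-keyed lookup endpoint.

Added example: parses combined-log-format access log lines and reports any
client that queries many distinct, mostly consecutive 9-digit IDs against one
endpoint inside a short window. The endpoint path, parameter name, addresses
and thresholds below are assumptions for illustration, not details of the UT
incident.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Assumed lookup parameter: a 9-digit numeric ID (the SSN-shaped identifier)
ID_RE = re.compile(r'[?&]id=(\d{9})(?:&|$)')


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group('path').partition('?')
    idm = ID_RE.search('?' + query) if query else None
    return {
        'ip': m.group('ip'),
        'ts': datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z'),
        'path': path,
        'status': int(m.group('status')),
        'id': int(idm.group(1)) if idm else None,
    }


def find_enumerators(lines, endpoint='/phone/lookup',
                     window=timedelta(minutes=5), min_distinct=20, seq_ratio=0.8):
    """Return {ip: summary} for clients that walk the ID space of `endpoint`.

    A client is flagged when, within any `window`, it requests at least
    `min_distinct` different IDs and at least `seq_ratio` of the sorted
    distinct IDs are consecutive (step of exactly 1), which is how a
    range-walking script looks and how a human directory user does not.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec['path'] == endpoint and rec['id'] is not None:
            per_ip[rec['ip']].append((rec['ts'], rec['id'], rec['status']))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward so events[start:end+1] spans <= window
            while events[end][0] - events[start][0] > window:
                start += 1
            ids = sorted({e[1] for e in events[start:end + 1]})
            if len(ids) < min_distinct:
                continue
            steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            ratio = steps / (len(ids) - 1)
            if ratio >= seq_ratio:
                all_ids = {e[1] for e in events}
                flagged[ip] = {
                    'distinct_ids': len(all_ids),
                    'sequential_ratio': round(ratio, 2),
                    # a 200 here means the lookup returned a record, i.e. a real
                    # ID was confirmed; this bounds what was actually harvested
                    'matched_records': sum(1 for e in events if e[2] == 200),
                    'first_seen': events[0][0].isoformat(),
                    'last_seen': events[-1][0].isoformat(),
                }
                break
    return flagged


def make_sample_log():
    """Constructed sample log: one normal user and one range-walking script."""
    base = datetime(2003, 3, 2, 2, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, ts, sid, status):
        stamp = ts.strftime('%d/%b/%Y:%H:%M:%S %z')
        return f'{ip} - - [{stamp}] "GET /phone/lookup?id={sid:09d} HTTP/1.0" {status} 512'

    lines = []
    # Normal user: two lookups of specific people, forty minutes apart
    for i, sid in enumerate((451023871, 451909911)):
        lines.append(fmt('203.0.113.5', base + timedelta(minutes=40 * i), sid, 200))
    # Script: 30 consecutive IDs in 90 seconds; every fifth one hits a real record
    for i in range(30):
        status = 200 if i % 5 == 0 else 404
        lines.append(fmt('198.51.100.7', base + timedelta(seconds=3 * i), 451000000 + i, status))
    return lines


if __name__ == '__main__':
    for ip, summary in find_enumerators(make_sample_log()).items():
        print(ip, summary)
```

    The `matched_records` count is the number worth reading first after an incident like this: each lookup that returned a record confirmed that a guessed ID belongs to a real person, so it bounds how many identifiers the script actually harvested rather than merely tried. Detection of this kind is a backstop, not the fix; a directory should not be keyed by the SSN at all, and a lookup endpoint should be rate-limited per client long before it answers twenty consecutive IDs.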

  33. UT students in the dark by sahidrajar · · Score: 2, Informative

    I currently am a student at the University of Texas at Austin. The spineless fuckers in administration still have yet to inform us about our possible exposure. They may have only released info to the public about this yesterday, but as a current student and employee I feel that I should have been informed first, not by my mom calling me at 8 am this morning, asking what the hell is going on at UT. Besides, you can't trust a University that claims a budget shortfall, but pays $400,000 for personal consulting for the UT President so he "looks like a more kind, and understanding person." One last thing, test forms that you hand out here have a field for you to bubble in your SSN as a unique identifier. Last I checked, isn't that a violation of the Social Security act?

  34. Re:At least the University is acting responsibly.. by da' WINS pimp · · Score: 4, Funny

    "There are six to 12 ways we could have reduced the risk to the database," Updegrove said. "The sad thing is, we didn't do any of them."

    Unfortunately the literal translation of this is:

    I am so fired!

    --

    "I'm just here to regulate funkyness." - James Gandolfini, as Winston in The Mexican
  35. Google your SSN by netringer · · Score: 2, Interesting
    Google can answer most of your questions
    Yeah. You should just search Google WITH your SSN and see how many poorly secured web site databases exposed it to the world.
    --
    Ever dream you could fly? Get up from the Flight Sim. I Fly
    1. Re:Google your SSN by Patrick13 · · Score: 2, Interesting

      About 6 years ago, I altavista'd my name and it turns out that there is another "Patrick Deese" at Kettering. At that time, the search went to the Administration Web Directory and there was a list in alphabetical order of every employee, first middle and last name, their DOB and their social security numbers.

      They took it down about 3 months later....

      --
      ::.. check out some Cell Phone Reviews
    2. Re:Google your SSN by Patrick13 · · Score: 2, Funny

      Hah. My evil plan worked. Now I will go through your history cache using a remote exploit and get your SS# based on your google search history...

      muahahahaaa....

      --
      ::.. check out some Cell Phone Reviews
  36. Which head will roll? by plaidlad · · Score: 2, Insightful

    Currently the State of Texas is in the middle of some staggering budget shortfalls (as are most of the other states in the US). One state-funded entity that is looking at a shrinking budget is the UT system.

    Here's what I'm wondering: How do the powers-that-be, whether elected officials or University administrators, or the public for that matter, expect that security breaches like this are to be avoided when there is little to no budget to prevent them?

    The agency that I work for, and many others, faces increasing scrutiny by the state legislature and must undergo budget cuts, hiring freezes, and potentially the loss of staff to meet the State leadership's plans. As a result, we've already lost funding not only for basic needs already planned for, but also for what are known as "exceptional items" or those items that we see a need for outside our normal budget.

    I understand the argument that "Hey, we need Police and health protection before you get new computer software!" but let's get real. Those are the same folks who will be panic stricken when their SSNs, or other personal info are stolen by crackers when agencies are broken into. And woe to the poor SysAdmin who couldn't work magic with a non-existent budget to prevent it...

    I'm a taxpayer too, mind you, but how can we expect State and Federal agencies to protect their resources without security being made a priority and funded as such... :P

    --
    "Of course I'm wrong... That's how I get to 'right'." - Gil Grissom
  37. Re:At least the University is acting responsibly.. by lucabrasi999 · · Score: 2, Insightful
    I am sure some heads are gonna roll

    Have you ever worked for a non-profit? It's pretty hard to get fired. People that work for non-profits tend to fall into the "touchy-feely" category. Imagine taking a corporation's HR department and staffing every single position throughout the non-profit with that type of personality. In other words, if you see ".gov", ".org", or ".edu", don't expect normal organizational behavior.

    Even so, if there ever was an event that deserved a massive firing, this is it. Here's hoping my company doesn't pick up the newly unemployed.

  38. security leaks abound by KingPrad · · Score: 2, Interesting
    Here at the University of Alabama Huntsville we had a major leak in an odd way. A student in my OS class turned in his homework on scratch paper, on the back of which was listed names and social security numbers of hundreds of students and faculty, including that particular teacher. He didn't think anything of it - he had been given the "scrap" paper by someone at his on-campus job. The prof refused to give the paper back because of the sensitive info on the back and he's currently working on tracing who gave the student those papers containing all that information.

    Kind of scary that just anybody can find all this info by getting some scrap paper from the recycle bins or wherever around campus. I do that a lot but most of it's junk. But if you work on campus I'm sure you can find lots of confidential info in the recycle bins and such that should NEVER be released.

    --
    Stop the Slashdot Effect! Don't read the articles!
  39. Re:SS as ID is INSANE!!! by rela · · Score: 2, Informative
    And isn't it illegal to use S.S. numbers as a form of ID in the states?

    A common misconception. Federal agencies are now somewhat restricted in how they use it (5 U.S.C. Sec. 552A) and some states have laws about it in certain circumstances, but on the whole there's nothing illegal about it.

    Some Googling:

    http://www.cpsr.org/cpsr/privacy/ssn/ssn.faq.html#IsItIllegalToAsk
    http://www.lawcommerce.com/newsletters/art_OHS_employalert0205.asp
    http://www.usdoj.gov/foia/privstat.htm

    I'm sure intrepid Googlers out there could find more.

  40. Re:SSN's? Big deal. by HermanZA · · Score: 2, Interesting

    All numbers are public, by definition, but some numbers are more public than others. A SSN has value if you know that it belongs to a live human being of a certain age group, with a good credit rating and without a passport, if you have a bad credit rating, no passport and the same age. In contrast, a non-existent SSN, or one that belongs to a dead person has zero value. See for example an old guy who got arrested in South Africa recently, due to an FBI most wanted listing. A criminal stole his SSN and is probably a serial murderer, so this old guy spent a very hard time in a very tough jail for a few weeks. Not a nice holiday, but one he'll never forget.

  41. Foreigners screwed? by howler.fi · · Score: 2, Insightful

    I worked at UT Austin for a semester in '01, not sure if my SSN was compromised or not. I know there have been and are a lot of non-US students and faculty at UT Austin... What are the chances that one of our SSNs is going to get misused as a result of this and land us in trouble at some point with Homeland Security, INS, or the like?

  42. SSN at UT by yar · · Score: 5, Informative

    I have both attended and worked at UT in IT, so I can give you my observations.

    For many years, UT had a non-centralized IT infrastructure. That is, the Colleges did one thing, the Administrative Computing Group did another thing, the Academic Computing Group did yet another thing, and the Libraries something else entirely. This was recently changed with the introduction of a new Office of Information Technology headed by a new Vice Provost (Dan Updegrove, originally at Yale). One of the very first things I heard him address was the Social Security number problem in which every student, faculty, and staff member used their SSN as their ID. That practice had to change in order to meet both legal and privacy standards (see FERPA), and UT has been trying for the past couple of years to make that happen. The trouble is, it was so integrated into all of the different services and departments that it is a slow process to remove it. They started to phase it out, but now UT is seeing the effects of this particular practice. I'm likely one of the ones who will be affected, so I'm waiting for them to announce where people can find that out. (It may be at the UT site, http://www.utexas.edu/datatheft/.

    The Daily Texan (student newspaper) has an article about the theft, as does the Houston Chronicle.)

    By the way, your Social Security Number isn't public information. It is required for use by some agencies of the government, but you are not required to provide your SSN to private groups unless they need to interact with certain government agencies (this includes your employers, who deal with the IRS). That being said, SSNs are so commonly used a search may pull up that information- but that doesn't mean it is legally public info.

  43. last semester for SSN identification by dj_whitebread · · Score: 3, Informative

    Just to let everybody know, this was the last semester that UT was using SSNs as IDs. We are in the process of switching over to what they call the EID. The EID is just a text string (similar to a user login). This is what we have had to use to access online services for several years. Within months it was going to be our official identifier in all of the university's systems.

  44. Honey pot by oxfletch · · Score: 3, Insightful

    What we need is a honey pot full of fake SSNs ... when people try to use them (obviously stolen), the Feds go round and arrest the bastards.

  45. When will those admin idiots learn? by SysKoll · · Score: 2, Funny

    This is really sickening. A lot of schools still use SSN as student IDs. In State University of New York, until very recently, your SSN was used on your grade reports, your dorm phone bills, your administrative notices, and teachers even insisted that this SSN/Student ID should be written at the top of every homework. Old phone bills with your name, date of birth, address and SSN were often found in classrooms or on the floor.

    When I approached a SUNY teacher about this potential ID theft problem (back in 1999), his answer was: "I've been doing this for 20 years and I've never heard of this problem". Shocking, astonishing conclusion: The American academia is clueless! Oh no! How can that be! (But hey, it explains so much.)

    It took a few ruined students and an order from the Attorney General (IIRC) for stopping NY schools from using SSNs as student IDs.

    I am not really surprised that some administrative cretins are still camping on their position after all the ID theft problems of the last few years. After all, Schools Are Clueless.

    I would like to entertain the hope that a few of these moronic school administrations would be sued 'till they bleed by ruined students, but how could ruined students afford this kind of legal costs?

    -- SysKoll
    --
    Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/

  46. another reason they aren't unique by JeanBaptiste · · Score: 2, Informative

    In US territories a ssn is often assigned to a family rather than to an individual. Then the children of the family come onto the mainland for college. A bit of a mess when a large puerto rican family has 8 kids that all go through the same college.

  47. Re:As a recent graduate... by FatAlb3rt · · Score: 2, Informative

    Contact the credit bureaus - there's 3 major ones - Equifax, Trans Union and Experian. Tell them what happened; they can flag your acct so you have to be contacted at your home phone before any acct is opened in your name. Here's more info...

  48. Now wait a DAMNED MINUTE!! by goldspider · · Score: 3, Funny
    "The University of Texas' security was compromised over the weekend, leaking out nearly 60,000 records on students, staff, and faculty."

    That information wasn't leaked, it was FREED!

    --
    "Ask not what your country can do for you." --John F. Kennedy
  49. User logon names as SSNs by weave · · Score: 3, Interesting
    Think this all is bad? The first college I attended used SSNs as your logon id. All one had to do was log on and type "?WHO" to get a list of 100s of usernames logged onto the system, then run *system/who to tie it to a name.

    (Extra credit props points to anyone who can name the system that I am talking about... Hint, this was late 70s to early 80s)

  50. Who cares? by kickabear · · Score: 2, Interesting

    It was probably some over-eager credit card company who will now use the information to send 60,000 "pre-approved" credit card applications to the students. I mean, come on. Everyone knows we have to keep these students drowning in a pool of debt. Otherwise, how would the economy function?

    --
    This space for rent.
  51. Learn about fraud alerts by Davorama · · Score: 2, Informative

    I highly recommend to everyone to read this page carefully

    http://www.fightidentitytheft.com/flag.html

    and if the drawbacks don't sound too bad (think carefully!) make the calls. It takes about a half hour. Much less than the time you'll spend untangling the mess of an identity theft. You may also consider calling your bank and creditors to ask them to put similar holds on your contact info so that some clever scammer doesn't have your statements forwarded to Timbuktu, thus gaining them extra time to run amok and causing you even more grief. This isn't paranoia talking, it's experience.

    Here are the numbers.

    Credit Bureau Fraud Departments

    TransUnion
    Fraud Victim Assistance Department
    Phone: 800-680-7289

    Equifax
    Consumer Fraud Division
    Phone: 800-525-6285 or: 404-885-8000

    Experian
    Experian's National Consumer Assistance
    Phone: 888-397-3742

    --

    Davo -- Free speech, free software, AND free beer.

  52. crypto is a solution by Anonymous Coward · · Score: 5, Insightful

    There's a solution if you use cryptography. Assign everybody a social security number. Also, give them a private key (or better, let them pick their own). Then, publish everyone's social security numbers and the public keys that match up with their private keys. (The government could even provide a service that allows people to look up public keys based on social security number.)

    Then, everyone's number is out in the open. Whenever you want to do something with it, you create a message along the lines of this:

    My name is John Doe, and my social security number is 987-65-4321. I hereby authorize CreditCards-R-Us to issue me a credit card linked with my social security number.

    Then you sign that message with your private key. Once you've done that, anyone can use your public key to verify the signature. That means they can be assured that, unless someone has stolen your private key or broken the crypto, it could only have been you that wrote that message.

    Thus, your social security number becomes public knowledge, but that doesn't help anybody because they'd need your private key to do anything with it. And, most importantly, there never is any situation where you have to give your private key to anyone. Your secret remains your own. No third-party ever gets a copy of it. This is important for two reasons:

    1. Third-party institutions don't have much incentive to guard your secret well. Many of them will do their due diligence in guarding it, but the bottom line is that it's just not their ass on the line, so they won't try really hard. Even if they mean well, they're a busy corporation or university or whatever, and they have other things to get done.
    2. If you are forced to give out your secret to get anything done (for example, register for classes), over time lots and lots of organizations will get (and store) a copy of it. This is bad, because the probability that information will get stolen is pretty close to proportional to the number of people who have a copy of it!
    1. Re:crypto is a solution by Drakonian · · Score: 3, Insightful

      Yeah, until they look under your keyboard and see the sticky with your private key. The weakest link in security is often the human.

      --
      Random is the New Order.
    2. Re:crypto is a solution by slank · · Score: 2, Insightful

      This is waaaay too complicated. Your social security card should have two numbers on it:

      An identifier (000-00-0000) and
      An authenticator (AAA-AA-AAAA)

      The identifier can be used to uniquely identify you (until we reach a population of 1,000,001), and the authenticator can be used to authenticate your identity. Provide a public system that can be used to authenticate identifiers (perhaps something similar to what credit card networks use and well-logged/monitored for abuse). Banks, creditors, or even your university could access the system when appropriate. Make it illegal to store authenticators. Provide a system to allow you to (perhaps for a small fee) change your authenticator when your card gets stolen.

      This is, after all, a proven system that every slashdot reader uses regularly - good ol' username and password. And most people have already become accustomed to things requiring one, so it shouldn't be a difficult thing for the public to use.

    3. Re:crypto is a solution by ibennetch · · Score: 2, Insightful

      Dang -- typed up a huge reply and lost it. Since I'm too tired to re-type the whole thing; here's my summary:

      Most people aren't going to want to remember their password. What happens if someone loses their private key (misplaced, corrupt data...there are a ton of things that could go wrong)? It's hard enough for people to keep track of paper; much less a disk/USB keyring thing/whatever the private key would be on. Much less keep it safe from being stolen.

      Just a few thoughts. Users are pretty clueless; you'll either end up with "password" or a post-it note with the password written down taped on their monitors, stuck in their wallets, or under the keyboard. And people will be afraid of losing/breaking their private key and leave it at home; making an additional thing to remember when going for that new car, new job, bank transaction...

      That said, a private key system would be great because figuring out someone's SSN is amazingly easy, I'm sure. Many universities and colleges use them for student numbers, account logins (well, part of it anyway)...all I'd need to do is pay attention in line while picking up some financial aid papers, or paycheck, or registering for classes, or registering to graduate...the list goes on much longer than I'd like.

      Oh, yeah; what you said about third parties not having much incentive to keep it a secret is slightly wrong. My university doesn't care who finds it out. I'm tagged by my SSN no matter what I do (see a few examples above); it's printed on my paycheck and I'm required to write it on pretty much anything I send them. And I'm sure most universities are worse. Ugh!

    4. Re:crypto is a solution by Com2Kid · · Score: 2, Insightful

      Congratulations, you would add oodles of layers of complexity to the system, and the system would still have a single point of vulnerability.

      Namely the private key, which would be FUNCTIONALLY IDENTICAL TO THE SOCIAL SECURITY NUMBER, except with a ton of technology placed in between point A and point B.

      Number stolen, person still screwed, nothing changed. :)

      The real solution is for SSN#'s to stop being used as unique identifiers!
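The signed-authorization scheme proposed in comment 52 (publish each SSN alongside a public key, sign an authorization message with the private key, and let the relying party verify it), as an added example that is not from the original thread. It uses Ed25519 from the Go standard library; the `Directory` lookup map, the `Date` field and every name and number in it are constructed assumptions, not anything the thread specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Directory is a stand-in for the public lookup service the comment proposes:
// the published map from social security number to public key. No private
// key is ever stored here; only the holder keeps that. (Constructed for this
// example.)
type Directory map[string]ed25519.PublicKey

// Authorization is the statement a person signs. All field values used below
// are constructed for this example.
type Authorization struct {
	Name   string
	SSN    string
	Relier string // who is being authorized, e.g. a card issuer
	Action string // what they are authorized to do
	Date   string // not in the comment; added so an old message cannot be replayed as a new one
}

// Bytes renders the exact text that is signed and later verified. Any change
// to any field changes these bytes, so the signature stops verifying.
func (a Authorization) Bytes() []byte {
	return []byte(fmt.Sprintf(
		"My name is %s, and my social security number is %s. I hereby authorize %s to %s. Dated %s.",
		a.Name, a.SSN, a.Relier, a.Action, a.Date))
}

// Sign is done by the holder with the private key that never leaves them.
func Sign(priv ed25519.PrivateKey, a Authorization) []byte {
	return ed25519.Sign(priv, a.Bytes())
}

// Verify is what the relying party does: look up the public key under the
// SSN named in the message, then check the signature. Knowing the SSN alone
// gives an impostor nothing here, because the lookup yields a key whose
// private half they do not hold.
func (d Directory) Verify(a Authorization, sig []byte) error {
	pub, ok := d[a.SSN]
	if !ok {
		return fmt.Errorf("no public key published for SSN %s", a.SSN)
	}
	if !ed25519.Verify(pub, a.Bytes(), sig) {
		return errors.New("signature does not verify for the published key")
	}
	return nil
}

// Demo walks the three cases the thread argues about and reports whether each
// verified: the genuine holder, a message altered after signing, and an
// impostor who knows the public SSN but signs with their own key.
func Demo() (genuine, altered, impostor bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	dir := Directory{"987-65-4321": pub} // published, as the comment proposes

	auth := Authorization{
		Name: "John Doe", SSN: "987-65-4321", Relier: "CreditCards-R-Us",
		Action: "issue me a credit card linked with my social security number",
		Date:   "2003-03-06", // constructed
	}
	sig := Sign(priv, auth)
	genuine = dir.Verify(auth, sig) == nil

	// Altered: someone swaps in a different relier but keeps the real signature.
	tampered := auth
	tampered.Relier = "Loans-R-Us"
	altered = dir.Verify(tampered, sig) == nil

	// Impostor: has the SSN (it is public) but only their own key pair.
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	impostor = dir.Verify(auth, Sign(impostorPriv, auth)) == nil
	return genuine, altered, impostor, nil
}

func main() {
	g, a, i, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v altered=%v impostor=%v\n", g, a, i) // genuine=true altered=false impostor=false
}
```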

  53. It is a bit of a necessary evil by christopher240240 · · Score: 2, Informative

    I work in the admissions department of a Community College which uses SSNs for SIDs. One of the reasons that it is almost necessary to use the ss# as the identifier is because of the transcripts that we require for admissions into certain degree programs. We have about 20,000 unidentifiable documents that have only the name as the identifier on them, and 99% of these documents use maiden names, so without some uid (even as little as a current name and a birth date), they are utterly worthless, and thus end up in a dead letter office. I personally receive the same documents over and over again, but without the sending party taking the step to identify people, the documents aren't processed and people are denied admission because they miss deadlines.

  54. nope, not as easily stolen by The+Notorious+ASP · · Score: 2, Interesting

    Stealing files with fingerprint information isn't as helpful as it sounds. Fingerprint scanners don't compare against graphic files, they look for similarities between distinct features of your fingerprint (where ridges are, how far apart loops, etc...). Not enough information is stored in these files to make a working duplicate of someone's fingerprint (you might could hit a few of the features, but not enough). On the other hand, you could always lift someone's print off a glass and use the ole gelatin trick...

    Not sure about retinal scans, maybe that's an answer

    I agree though, the use of SSN is outdated, it is security through obscurity using a less than obscure number. If I want to steal your identity, all trying to hide your SSN from me does is make it take me a little longer and piss me off that much more, you'll be owned soon enough ;).

  55. just an aggie reading the news... by dewhite · · Score: 2, Funny

    Not to be ignorant or anything, but as a Texas A&M Aggie it's my duty to say -- Whoop!

    --
    -dewhite
  56. Gee, really? Hmm... by Viv · · Score: 2, Interesting

    I was bitching about their lack of security as early as 1997... by default, they shunt(ed) all contact information into a publicly accessible x500 server. It wasn't a commonly known thing, and you had to take proactive steps to remove yourself from it (go down to an office, fill out a form, etc.)

    From ksparger@vaevictis.stf.org Fri Aug 1 10:42:46 1997
    Date: Fri, 1 Aug 1997 10:42:45 -0500 (CDT)
    From: Vaevictis
    To: info@x500.utexas.edu
    Subject: Questions regarding the x500 service.
    Message-ID:
    MIME-Version: 1.0
    Content-Type: TEXT/PLAIN; charset=US-ASCII
    Status: RO
    X-Status:

    Hi :)

    Sorry to pester you (I know how much of a pain it can be to administrate an internet service :p)...

    I'm a freshman taking English 301 (Composition class), and we've just recently been assigned a proposal argument.

    My proposal is that the university change the policy on the x500 so that instead of having the student's information accessible by default, the student would need to sign a release form. (in other words, the exact opposite of the way it's done now... as a new student, I was horrified to find that my personal information (home address and telephone number, specifically) was being given to all comers..)

    I would like to know the following information, if it's not too troublesome for you to give to me :)

    What would need to be done to change the student's default from "distribute information" to "withhold information" in the x500 directory?

    Would it require a change at the actual x500 site (ie, configuration files?), or would it require that some other group (the registrar, perhaps?) change policy?

    What kind of security measures are installed to log accesses of information? For instance, I know for a fact that you don't attempt identd lookups, do you log access attempts by hostname, IP address, or do you log at all?

    What are the scenarios if it is found that someone used information acquired from this database for illegal/unethical purposes? ie, could you even prove where a certain access came from if you had to in court?

    Anyhow, thanks for your time, it's much appreciated :)

    If you don't know the information for any of the above questions, I would appreciate it if you could tell me who could (if you know, anyway :))

    Thanks a lot,
    Kyle Sparger

    Date: Fri, 01 Aug 1997 11:13:04 -0500
    To: Vaevictis
    From: "William C. Green"
    Subject: Re: Questions regarding the x500 service.
    In-Reply-To:
    Mime-Version: 1.0
    Content-Type: text/plain; charset="us-ascii"
    Status: RO

    You should read our FAQ and all associated links: http://x500.utexas.edu/x500info/faq.html

    Specifically, Appendix C Subchapter 9 with special attention to section 9-201 of the General Information Catalog.

    I would suggest you begin your inquiry with the Registrars office, although many other offices would be involved. My understanding is that any change would need to be approved by the Regents.
    This question is more complicated than it would appear.

    As part of your argument, you should consider the implications of not having a directory service, or, a service that is restricted to UT Austin access only.

    Host access information is kept in rolling logs.

  57. Part of the problem is ... by Skapare · · Score: 4, Insightful

    Aside from the fact that the custodian of the information certainly has a lot to blame in this, there is another big part of the problem. That problem is what people can actually do with the information.

    An SSN is identity. It is nothing more than that. The problem is people make the incorrect assumption that it is authenticity (I can recite the number, or read it off a little card in my wallet, so it must be me), and authority (this account has your SSN and is overdrawn, so you are liable for it).

    If any law change is needed, it is a law change that says that it is illegal for an SSN to be accepted for any purpose other than identity. What that means is that if I walk into a bank and open an account citing some SSN, the bank needs to understand that all this does is identify someone, and not necessarily me. If the bank causes harm to the real owner of the SSN by having provided any derogatory credit information based on that SSN, then the bank shall be fully liable for not having taken reasonable measures to ensure accuracy of information. And by that, what I mean is that the bank can't simply say that the victim needs to track down the perpetrator to cover the costs. The banks need to be forced to properly authenticate the information they use, especially when and where it might be used in a negative way.

    And I don't mean to pick on banks (I just happen to have an open case with Chase Manhattan bank which continues to allow someone to operate a credit card account with my SSN, reported on my credit reports, without my consent, and after I have advised them of the fraud). Such a law should apply to anyone and everyone who accepts and uses SSN data for anything. It's the negative things that can be done (like bad credit info) that need to be stopped (in addition to other stupidities like running computers insecurely and connecting systems to the internet that have no business being there).

    --
    now we need to go OSS in diesel cars
  58. Why would you want SS# of college students? by generic · · Score: 2, Funny

    When I was in college I was broke, in debt and had no credit. Go ahead steal my identity, you can have it!

    --
    Microsoft aggravates my Tourette's syndrome.
  59. Why there hasn't been any reform on SSNs by silentbozo · · Score: 3, Interesting

    If SSNs were only supposed to be used by the IRS, and the current system is so ripe for abuse, why hasn't there been a law against using SSNs for non-tax purposes? Easy - lobbyists and money. Credit card companies and credit bureaus see SSNs as a godsend. For them, it's cheaper and easier to have a central registry in order to troll for new credit accounts, regardless of the security problems inherent in using SSNs for everything.

    Every effort to reduce the power of credit bureaus and protect individual privacy has been defeated or weakened by the credit bureaus and credit issuing companies. Their claim is that a central database tied to everyone's SSN is critical to doing business. Of course, they neglect to mention that they do plenty of business outside of the US without having such a system in place, AND the fact that SSNs are not guaranteed to be unique.

    At this point, reasonable souls would start to question whether this is a government for the people, by the people, or a government for big business, buy the politicians! Face it, it won't be until the system is completely broken, with millions of people affected, and with the costs of keeping the current way of doing business too high to continue, that they'll change. By then, it'll be too damn late...

    1. Re:Why there hasn't been any reform on SSNs by bluesangria · · Score: 2, Informative
      > If SSNs were only supposed to be used by the IRS, and the current system is so ripe for abuse, why hasn't there been a law against using SSNs for non-tax purposes?

      It's a little-known and often-ignored-anyways fact that businesses and schools, etc. are NOT supposed to use your SSN for identity purposes. You have the legal right to DECLINE giving your SSN for any reason other than tax purposes (i.e. employer records, etc.)
      When it started becoming more and more common to ask for SSN as an identifier, people just forgot that they could say "No", and presto! instant "standard".
      FYI, if you are ever the victim of "identity theft" - credit cards issued in your name, bank accounts opened with your SSN, etc. - be aware that you are NOT allowed to change your SSN for any reason other than your life is in danger, i.e. witness protection program. Harassing bills for stuff you never bought? Hundreds of dollars spent faxing, duplicating, and mailing off documents to all the credit agencies explaining that your identity has been stolen? Tough cookies.
      Another FYI, I have never had a fraud investigation department have anything more than a passing interest in WHO might have perpetrated the crime. The only thing you can do is re-new the flag on your credit report so that people HAVE to at least contact you by voice to allow a credit app.
      My advice to anyone who has had their identity stolen - don't procrastinate in notifying the police and the major credit agencies, in writing, about your situation. Cancel any credit/store cards you don't use - make ESPECIALLY sure the account is permanently closed and not simply dormant to be reopened at a later date. I know for a fact, SEARS is guilty of that.
      Finally, periodically request copies of your credit records to check for any unusual activity.
      It'll be a looong time before the problem goes away.

      blue

  60. Am I Affected? by AggieScott · · Score: 3, Informative

    Is your SSN in the following ranges?

    * 449-31-98xx - 450-91-24xx
    * 451-12-32xx - 451-20-35xx
    * 451-20-64xx - 452-20-40xx

    If so, within these ranges, 55,200 people of the following types, including but not limited to:

    * Current students, faculty and staff
    * Former students, faculty and staff
    * Job applicants
    * Retirees

    may be affected.

  61. Same thing at my College by skreuzer · · Score: 2, Interesting

    I attend community college at night and in one class we have to telnet into a Solaris box from W2K. Our login name is the first 3 letters of our last name, followed by the last four digits of our social security number. Guess what the password is? Yeah, our full social security number. One day I came to class early with a copy of Knoppix on a CD and booted off it and ran ettercap, poisoning the switch so all traffic goes through my machine first... One by one, as students came in, I was able to sniff their login name and password (which was their social security number). I sent an email to the school using that as an example of why students' passwords, or their ID number should be a SSN number. I have not yet gotten a response

  62. Princeton's security breach ... by x-empt · · Score: 2, Informative

    Funny how this security breach at Princeton never got the media attention it deserved:

    http://www.ispep.cx/files/tucson.princeton.edu.txt

    Mod this up as Informative...

    --
    Ever need an online dictionary?
  63. There's a lot of that going around lately by shutton · · Score: 2, Informative

    The Indiana University School of Medicine was hit recently. Not just social security numbers, but medical records, too--everything you need to know to become someone else. All these poor folks were patients of their sleep clinic. I guess they have something else to keep them awake all night now...

    --
    -Scott Hutton
  64. Not Unique by nfsilkey · · Score: 2, Informative

    This isn't an isolated incident, rather it's a trend. Big state universities are a target for hack attacks unfortunately.

    Kansas University was hit hard in late January. SEVIS was pilfered (Student Exchange Visitor Information System; part of the Patriot Act).

    Info here.

  65. UT dishonest about source of attack by randomthought · · Score: 3, Interesting
    I stumbled on a UT site yesterday that had a number of exposed social security numbers, after reading an article in Wired about open Web enabled databases. The UT site now appears to be down, but you can see the Google cached version here

    A click on the travel.fp3 file listed a couple hundred SSNs. It was completely wide open.

    UT made it sound like a deliberate attack, but it looks to me more like administrative incompetence (and cya).

  66. Biometrics are bad m'kay? by xixax · · Score: 2, Informative
    While biometrics might be OK as part of a comprehensive security system, they do have problems all of their own; for a start, you can't issue someone with a new thumb if the system gets compromised (say if I manage to get a silicon cast of your thumb).

    Then there was the amusing experiment where a bunch of Germans managed to fool retina scanners using printed images of eyes that could be taken at a reasonable distance with a camera.

    Xix.

    --
    "Everything is adjustable, provided you have the right tools"
  67. Perspectives from one of UT's sister universities by Pulsar · · Score: 3, Informative

    I'm a student at UT-Arlington, the next largest school in the UT System. Last October our Student Congress passed a resolution I wrote asking them to basically make it easier for students to be able to request to no longer use their Social Security Numbers as their ID # - UTA currently has a system in place where you can request to use a randomly generated ID# instead of your SSN, but no one knows about it and they don't advertise it or make it easy.

    The administration's response was "Come Summer 2005, when we have our new Student Information System, we won't use anyone's SSN" but that in the meantime, we're screwed because they weren't going to change anything.

    A month ago I discovered the 'secure' portion of the Housing department's website had been indexed by Google, including the ID # (Social Security Number) of all 1200+ residents living in the on-campus dorms. This highlighted the need for the immediate cessation of collecting and storing SSN's, so I've introduced a follow-up resolution our Student Congress is looking to pass soon basically demanding each department document every way they use SSN's and the security measures in place to protect them, after which we want a committee of students and faculty to go through the documentation and approve or deny their use and storage of the SSN's.

    Our school paper, The Shorthorn (www.theshorthorn.com) is supposed to do a story in tomorrow's (Friday's) issue concerning the leak at UT-Austin and the fact that administrators so far at UT-Arlington are ignoring the need to provide security for SSN's NOW, and not just in 2005.

    It should be interesting to see if the administration has finally 'seen the light' and will listen to us, this time.

  68. Salon gets it right by CleverNickName · · Score: 4, Insightful

    In their newswire, Salon titled this story, "Computer crackers steal students social security numbers."

    I thought the Slashdot community would appreciate Salon getting the terminology right on this one. It may seem like a silly point to some, but the distinction between "cracker" and "hacker" is huge in my mind, and it always makes me happy to see a journalistic outlet get it right, for a change.

  69. Re: Social Security Numbers by AEton · · Score: 2, Interesting

    I agree wholeheartedly that the abuse of SSN is a problem. However, realize that most US educational institutions will assign you another unique student ID which is not your SSN; it is not impossible to dodge their use, and if you truly care about your security you will never use this number except when forced to. You have the right to protest its use otherwise, but consider that this distinguishing characteristic may not be so good socially--the people around you might not be quite as apt to understand your rabid protection of this number, even if many of the more privacy-oriented do.

    Moreover, as much as it is claimed (and perhaps rightly) that "the system" wants you to use this one unique identifier, there is a definite advantage to having an easy-to-remember number associated with almost everything, instead of separate account and unique personal identification numbers. However, some privacy experts agree, as do I, that the SSN should only be used for, well, Social Security when possible.

    Looking at that aforementioned letter, I find a passage which states that "from a technical viewpoint, the SSN is not a good identifier. It is not unique, [and] there are multiple users of a single SSN". While I can find no proof of this assertion elsewhere, I have anecdotally heard of people who used Richard Nixon's SSN throughout college (567-68-0515)--the results are obviously mixed. Overreliance on this number poses an undue threat to college students who, frustrated by this kind of wholesale theft which could lead to troubling financial consequences should the perpetrator preserve a copy of the data, might turn to forging SSN's--an OK idea until you get caught at it.

    --
    We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.