Slashdot Mirror
Identity Theft from University Computers
Different River writes "Someone broke into the administrative computers at George Mason University and accessed personal information, including social security numbers, of 30,000 students, faculty, and staff. "Before the hacking, the university was in the process of replacing students' Social Security numbers with other internal numbers to protect against identity theft." Looks like they just missed it."
Any corporation / school / government entity that uses SSN to identify a individual either on paper or digitalized is out for a harsh reality: Personal identity theft is real and here to stay. Now if I could just figure out how to talk these old timers to drop the SSN number they want labeled on their checks..
That would've been a lot funnier if you'd said "... Looks like they just failed it", implying that they weren't fast enough.
BTW: FP?
Finally, a new running joke. I am sick of Profit!
This just goes to show why using social security numbers for identification purposes is a bad idea. It always disturbs me how many places actually have that number. It was supposed to really be a secret number to identify your for social security, not everyday identification.
I always hated that about college. Where I went, EVERYTHING was connected to the SSN of a student. They knew it was, at the very least, imprudent. When a student first enrolled, there was an option somewhere that the student could check off signifying that he/she would like to be assigned a non-SSN ID. It was in an obscure place, though. I only found out about it when I started working for the University. It was almost as if they hid it, knowing that this is the last thing on most folks mind who are just enrolling at the university.
My other computer is a Jacquard loom.
no mention of the grades?
It seems like bit of a convenient coincidence that this happened just before they replaced their ID numbers with something other than Social Security numbers. Someone has obviously been paying attention in their Computer Science classes.
The most remarkable thing to consider regarding these types of stories is the fact that, more often than not, the hackers are incidentally detected (e.g. they send an email saying "give me money or I go public!").
How many of these incidents happen with no one the wiser. Just guessing, but I'd wager at least 10 major silent exploits for every 1 publicized event. How many employees of Big Corporation are doing a ZIP of the company database onto a USB key "just in case", and how many servers are silently owned month after month.
Why does it need to be secret? Is there anything important you could do with it?
There are probably a lot of cases just like this where either the hacked party isn't even aware they got hacked, or the hacked party knows they got hacked and isn't talking about it. Which makes you wonder how long our credit system can stand up to rampant large-scale ID theft.
Stock up on canned goods, folks.
And I'm sure the street value for social security numbers is really high too.
Obviously, some people seriously need to take a good hard look at the best digital security tool, that's been around since the beginning of computers: THE POWER SWITCH.
If computers nowadays were not always-on solutions (I'm sure 24/7 SS# databases in a university aren't a hot requirement) they would be less visible, and less prone to being destroyed by internet theives.
than from internal threats.
How many cases of internal theft do we know?
As someone who once created and maintained my high school information database, I know how easy the system can be abused.
What's very imporant is that Universities have strict and applied policies dealing with information and database handling.Limiting the numbers that have access is paramount.
Background checks for personnel involved should be done too.
Timang tinggi tinggi
parang sudah asah
alang alang mandi
biar sampai basah
I had an opportunity to work at a University in Canada as a development contractor, and literally had access to thousands of student numbers and personal information. There is a large push to web-ify a lot of applications, but the educational sector is lagging in terms of security. A strong initiative has to be undertaken at all levels of academic administration to better enforce security rules, from the registation process all the way to marking and evaluation.
just a web application developer and instructor in Toronto, ON Canada
Schools phase out SSN usage to prevent identity theft due to losing your wallet with your student ID therein. They still have the SSN on file for financial aid use and it's still part of your student record. It just isn't usually printed.
The easiest way to hack is already being on the inside.
This is another way of starting a sig with this and ending it with that.
One of the National Privacy Principles introduced by the Privacy Act 2000, prohibits a private organisation from using such information to uniquely identify a person. Maybe other countries should follow suit and enforce such a law...
This same thing happened at the University of Texas a couple of years ago. One would think they'd learn not to use SSN for id purposes anymore, but to my knowledge, UT still uses SSN for everything. Eventually maybe schools will figure out that it might not be a good idea to use SSN for any id purposes other than its original purpose, but I wouldn't hold my breath.
I'm a fire fighter, and we are constantly cutting dead and fucked up people out of cars, the worst ones are the idiots who don't wear seatbelts. Don't tie down your WiFi, you are leaving yourself open, same for storing social security numbers and personal info on a college computer system. 30,000 students??? there is bound to be one cleverer than the sysop/security guy. This sort of stuff is pathetic, and there is absolutely no f'ing need for it to happen.
What OS was their server running????
It makes you wonder if its worth it to steal someone else's SSN when you apply for a state university, with both berkeley and this one compromised...........better your SSN then mine, if you don't mind ;)
This is what i call "failure". But actually school administrators should be punished badly. I'd be very surprised if they wouldnt fire those lazy quakers - wannabe admins
PLEASE tell me this place is well known for it's high grade IT majors. That would be hillarious and really make my night.
Alternatively just say they had a fully patched windows machine, both works fine.
I like muppets.
We need more organisations using other unique identifiers for people than Social Security numbers. This will seem radical to you if you're a politician, but I recommend Social Security numbers should only ever be used for Social Security.
My mother a few years back pointed out that once upon a time, our politicians actually said, boldly, in front of the entire nation, that in Soviet Russia, the government numbered the citizens. They said this was proof that the soviets were an evil dictatorship sort of country, and not a democracy, where we can vote for naked petrified persons (so long as they are American-born).
She challenged me to imagine a beowulf cluster of Social Security numbers, and how easily such a cluster could be abused (a near-limitless supply of identities to steal).
Now, sadly, all our base are belong to the myriad entities that have our Social Security number (along with mother's maiden name, date of birth, income, and all the other things identity thieves might want). You'd expect us, as a society, to be smarter than that.
Hopefully others will follow the example of this school, and migrate away from using social security numbers for illegitimate purposes.
fifth sigma, inc.
http://www.gmu.edu/intrusion/
And according to email sent to all GMU faculty, staff, and students, it's implied that the compromised was -- get ready -- running Windows.
I don't care if the judicial system is suppose to be a reform system. Crimes of permanent damage should carry very harsh sentences. Such as identity theft, arson (which may damage unreplaceable property), etc.
and
That was pretty funny.
2b || !2b =?
The one thing that would make me suspicious would be the fact that the intrusion happened just as they were transforming the data to use some other sort of unique id - IMHO an insider alert if ever there was one.
You can burn the low-level guys all you want, but upper management should have had security audits done and weeded them out before an actual breach.
We don't know if mandates from above caused things to get forced into production without proper measures because of unrealistic deadlines or pathetic budgets, either.
Perhaps if the school as a whole had to carry information security liability insurance they'd be forced by an insurance carrier to be compliant with some security standards.
500GB of disk, 5TB of transfer, $5.95/mo
So what legal recourse do the students have? As far as I'm concerned, the organization is liable, and the students should launch a class action lawsuit, if nothing else, but for lost productivity time, which is what companies usually seek when they go after hackers. The school is no better than the people that hacked them if they couldn't safeguard this personal and highly sensitive information.
You'll also notice that the asshole of a VP didn't even apologize for the situation. Just that he regrets it. Makes me sick how there's no sense of responsibility there.
Universities are notorious for not having good network and server security (hard to hire the required large staff to oversee so much data). I now work in the computer security field, and when I look back at my university experience I see lots of very frightening things -- besides just the extent of the records the university keeps, they also tend to print things like your birth date on records. Having your date of birth intercepted is bad news, and it is really disturbing to see it printed in so many places, especially along side your SSN / SIN.
On top of that, network security in general is weak and so there are all these students using unencrypted shell logins, and exchanging sensitive data over email. Or doing online banking on public machines, where key loggers could easily be installed. Lots of students live at the university, so they have to use computers for sensitive tasks like banking (unless they happen to have a laptop).
The whole experience made me resolve to keep tight control of aspects of my privacy. If someone tries to hijack your identity, the tell tale signs are: money disappearing, and new accounts being opened. So you must keep accurate records of where your money is, and watch those balances. Also order yearly credit checks, which are free to do. If someone is opening accounts under your name, you can at least catch it.
Just remember: Once you have the cards paid off and the debt subsided, save save save. That way, when times are hard you have cash on hand to deal with anything. And congratulations, for thinking outside of the box =)
Some of the information freely available to anyone who cared to look at it was:
- Your full name
- Date of Birth
- Social Security Number
- Bank Name
- Bank Account Number
- The Amount of the Deposit
- The Date of the Deposit
It had more information than that, but plenty enough to call my bank and transfer money to another account. I assume they've improved since then, but they should have known better even then.The television will not be revolutionized.
This is offtopic but Walter Williams is a professor at George-Mason University. I consider him one of the greatest minds of our time :)
the Political Inquirer
This exact same thing happened at the University of California - San Diego about 8 months ago or so. I got a letter shortly afterward, informing me of the break-in and urging me to put a freeze on those accessing my credit report and to review my credit report for fradulent activity. What a pain.
I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.
Even using alternative identification numbers will only limit identity theft rather than eliminating it. I think law enforcement and prosecution is the answer.
After all, it's an information society: abusing personal information harms the fabric of this society, as well as the specific individuals and organizations involved.
org.slashdot.post.SignatureNotFoundException: ewg
So when you, as a student of George Mason U, get a bill for "MOULIN SPLOOGE" you can be sure it wasn't you... or was it?
http://www.searchbug.com/peoplefinder/verify-ssn-f ree.aspx
I found this information on myself, I really wonder how many other applications these web sites can use your SSN for? Complete trackback with job history?
The Social Security Number 812-60-84622 is valid and was issued in Indiana. This SSN is ACTIVE. Would you like to learn more about this SSN? Click on the link below:
It's scary what our "Secret number" system is capable of.
I really can't see what that would solve, except to force the university to spend a huge amount of money defending itself from legal attack with money that could be better spent on improving/fixing the situation. The knee jerk reaction to every situation in this country is to just sue people left and right and it really kinda sucks. As much as I feel for the students that have to deal with this, if any do sue the university, I really hope they lose even more time and some money in the process.
Because he is indeed dead. The two other people in the car who were wearing seatbelts aren't....
Boffoonery - downloadable Comedy Benefit for Bletchley Park
This was no coincidence. Someone saw this coming change and decided to cash-in while they still could.
Actually everything you said is FUD. It's quite difficult to obtain credit/driver's license with only an SS number for ID. However, the more "false" data you have (birthday, full name, SS number, current/prior address, etc) makes the whole process easier. Since the SS number was never intended to be private/secret and since no law prohibits a business from using it in any way they see fit, it's not hard to see that bit of information so easily obtainable. The real problem lies with the businesses that rely upon it as their sole point of identification.
MS Windows. Cool. And we scream about security.
The machine that was hacked was in the PhotoID Office and it was a Windows machine. Based on the bahaviour it was exhibiting, that is- it was scanning other machines to infect, it may have only been a worm and this whole story has been somewhat sensationalized. It may have been oblivious to the fact that data existed on the machine.
The fact that the machine may have been unpatched reflects poorly on University Administration (ITU) but not on the CS or IT programs.
Disclaimer: I work and go to school at GMU.
There is NOTHING in the article to begin to imply this was an MS server/application. See the letter sent to students a couple posts down from yours.
"...better your SSN then mine..."
"Than".
"Then" in this context means "next in the sequence", and I don't think that's what you meant. Unless you are hoping to be the next victim of identity theft...
Maybe we should just stop treating an SSN like its some secret that no one will ever figure out. The SSN is so commonly used that no company should assume that if you know a person's SSN that you are that person. Its like saying, if you know John Doe's birtdate, you must be John Doe...its going to generate a lot of false positives.
And wait, just how many people out there are going to voluntarily submit their social security number and email address to a website they know nothing about????
No man's an island, unless he's had too much to drink and wets the bed.
Yes, it's a failure, but consider what you just said - I assume you mean that heads should roll and all that good stuff. Exactly what purpose would that serve? If this really was an unpatched machine sitting in an office, wouldn't it be better for IT to re-examine their procedures and take appropriate steps to prevent the situation from happening again? Contrary to popular belief, keeping hundreds of systems patched, particularly when they're out of the direct control of IT for whatever reason, can be pretty damn hard, even for really good admins.
The student IDs were all SSN's.
The same thing happened at Dartmouth a few months back. Some hacker got into a benifits server in our machine room. This got them access to SSNs of all Dartmouth employees and their dependents. In response to security concerns, they're implementing a PERSONAl firewall client (sygate) instead of front end. Makes me feel safe, when myself and the rest of my family works there...
Viva america!
If identity theft becomes rampant enough we can all nullify the significance of the SSN.
It's useless anyway, if they want to provide benefits to ppl then why tag us and make us tell everything about ourselves just to get some free cheese? Just give ppl cheese if they need it for crying out loud.
Look to see if one of the students may have been the thief, first. Doubly so for a student that works for the University. It's not too far fetched that a student caught wind of such a change and was given the idea to commit this crime.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
I didn't think you'd put your own social security number on /., but I am wondering how many people in general will. You don't really need clever phishing schemes when so many people probably give away information without needing to be duped.
No man's an island, unless he's had too much to drink and wets the bed.
The media has REALLY damaged the term hacking havn't they? It used to mean accomplishing or working towards a difficult task. I'd hardly say getting the SSNs of random people at a given University is hacking. ;)
If the gov't doesn't do something to stop identity thieves, this behavior will continue. In 10-20 years college students, whose identites were stolen will be making big $$$ and will probably have good credit histories. That's where the thieves hit the motehrlode, and the former students won't even know where it came from!!!
-Palal
Even still, a social security number by itself wont do much, even with a useless email address. You could come up with SSNs through educated guesses with no problem. It's the SSN combined with the other info about the person that opens them up for attack.
http://csis.gmu.edu/index.html
Highly recommended , and also Designated as a Center of Academic Excellence in Information Assurance Education by the National Security Agency. Could this be an inside job?
Hello! I can guarantee the culprits are the ones implementing the change or at least informed someone about the upcoming change and thought they would cash in.
1. There is no actual loss. Until someone gets their credit ruined becuase of ID theft, on what basis are you going to sue?
2. Where do you think the money will come from? GMU will have to raise tuition or cut back on some academic programs. Its a lose-lose for students.
I bet they have been "in the process or replacing the system" since last century. They just didn't do any serious work on that until they got busted. Same as US Airways over christmas and countless companies with Y2K bug until 1999. Everyone with decision making power should take a serious pay cut and students should get tuition discounts to offset the cost of dealing with identity theft.
If they really took the problem seriously, an upgrade wouldn't take long at all. Just mechanically replace SSNs in the database with unique, randomly generated 9 digit numbers and set up a web page that maps SHA(SSN) to the new ID.
My guess would be that it's too much of a coincidence that while they're making systematic changes around SSNs, suddenly, they have a mssive SSN breach. Probably someone working on that project or originated therefrom.
I for one want to know how the school is going to respond to this. What steps are they going to take post-incident, etc.
Hell, I don't even know how one is supposed to respond in a situation like this or what I would do, I'm just curious what the aftermath of something like this is (besides just alerting the police)
-Jay
I don't care whoever knows my SSN, I do care that a cellphone shop gives a subscription to "just someone" because he can provide that number. That's stupid. Those retailers should be more carefull!! Like "Sir, we will look up your telephone number in the phone book and call you back tomorrow lunchtime, to ask you some questions", that kind of stuff. But no, because they want to do business NOW, they give you on the spot a $1000 credit card (like Home Depot or Sears does), just because you can show a driver license (faked in a few minutes) and an SSN.
An SSN should be an easy identifier, nothing more than that. Like an ISBN number, but then for humans. Who wants to keep ISBN's secret? It's just dumb that the knowledge of an SSN is considered a proof of identity.
Browsers shouldn't have a back button!! It's all about going forward...
Your SSN is everywhere on school records. I work at the Environmental Health and Safety Dept. of the university I attend, and not only does every different dept. in the school have their own copy of students' information, but anyone who has a job at any of these places can get access to it without any alarms going off. This is the case at many institutions. Sure, it's a shame that some outside group got in and away with some info, but I'd be way more concerned with the employees and student employees that play around with your information every day.
It never ceases to amaze me how many places have my SSN. My insurance company was, up until just this week, using my SSN as my ID number. So did my last regular employer, a state university. So did my employer and educational institutional before that (another state university). If memory serves me correctly my telephone and gas/electric companies required I provide that information as well. Everyone has that information and not a damned one of them have any right to it. It's only their convienent way to identify me from everyone else. The system has been abused for far too long. I would love to see privacy legislation that made it unlawful to require that SSNs be provided except for in those cases where it is actually required such as financial reasons (employer, broker, CPA, etc) or medical reasons (insurance company and doctor but NOT pharmacists). There are probably other legit reasons that aren't popping into my head at the moment. This legislation should also prohibit these entities from abusing the SSN system by basing an individual's ID number on their SSN or some derivative. Both of these items would be required for decent legislation on this matter. Some would suggest the use of a national ID card. I'm rather opposed to that personally, but that's another topic for another discussion.
When I was learning solaris administration I was sifting through the nis+ tables in their computer science systems, and along with uid, gid, etc somebody had stuffed in all their ssn's.
so yeah.
not to terribly suprising.
How about identification via fingerprint with this reader? Anyone used it and are there any good hacks with it?
Linux at home
Hey, there's a golf arcade game (Links 2003?) that allows players to play tournaments for real prizes over online connections. They ask you for your name and SSN before you can compete.
If a video game company knew that greed could be that powerful, why not others?
I know of this guy here at SIUE who was arrested and kicked out of the school for "breaking into the computer system and stealing information." What he did was found an anonymous public FTP, logged in, and poked around. What he found was all of the information for every foreign student that attends SIUE (They have to keep a database because of the patriot act). So what does he do? He informs the computer department (Office of Information Technology) that they really should have this stuff secure and not just open as it is. The next day the feds break into his dorm room and sieze all of his stuff. He was then kicked out of school.
-kaitos
I wrote a chapter in the fictional book Stealing the Network - How to Own a Continent about a college student who steals social security numbers from his college. This is the second public story about universities losing tons of social security numbers because they continue to use them as student IDs since that book was released about 7 months ago. Universities should have stopped doing this so long ago...
Anyway, read my chapter! The whole book was really good. Ryan Russell and Kevin Mitnick edited it and it features amazingly cooler authors than me, like Nmap's Fyodor, Dan Kaminsky, FX and a number of other amazing people. Read the reviews at Amazon if you don't believe me.
The University Relations Department has put out an informative FAQ (scroll half-way down) which further explains the nature of the break-in and the current status of the investigation.
The real impact might not just be from the information accessed. George Mason University has numerous agreements with many contractors in government and defense related fields. As a relatively new school, it has worked to build up prestige and relationships in the area. Many of those enrolled in IT&E programs are actively sought after by the industry and are placed in jobs before they even graduate. Since I am a student in Mason's Information Security program,this is somewhat of a concern, as this incident could potentially effect their recruiting efforts for some time to come.
echo 'Christopher Sawtell 21:30 15-Feb-1943 St. Pancras, London, England' | md5sum | cut -f1 -d' '
Which for me gives:
17f11db57259bdbdf45ed234f1b122ed
Alternativly there is the sha1sum which gives a few more digits:
ac8379e71974cca81580d29913d806b0e952f593
Now then /.ers. Anybody else get the same hashes?
We want at least a million tests. Don't be shy. This is actually a worth while experiment which doesn't involve totally wrecking some poor sod's web server.
Post your data and hashes if both are _identical_.
Needless to say, we use SSN for identification purposes everywhere at this school. Doesn't exactly leave me with a sense of security.
I would venture to way that this article is severely over-stating the extent of the break-in.... assuming for a moment that the system compromised really did have the 30,000 SSN's removed from it.... by itself JUST the social security numbers represents approximately 264mb of data, if we just include names in this the data size can jump into around a gig, but the e-mail stated that the server contained the "names, photos, social security numbers and G numbers" of the students..... let's just venture to say that the hackers got greedy (an theat they didn't take the time to compromise the database program to spit out a file with just the SSNs) and took the whole thing...... we're talking with pictures easily 20+ gigs of data.... I could understand how a network admin might miss a network teansfer of maybe 100mb... but any transfer over a gig is gonna get noticed well before the routine check that their e-mail sent to students refrences.... In clonclusion... I think they're jumpingthe gun a bit here before they have all the facts in.
At my university, students' SSNs were just posted on the web for all the world to see. On more than one occassion. NYTimes article on the original incident; of course, you need to log in. Second incident was a month later. It all kickstarted the move to the non-SSN university IDs, but not before the university paid for credit checks for any affected student who requested it.
Did they also changed passwords, etc.? A cat of their NIS appeared in the web, see http://ftp.virginia.edu/public_access/toUVA/passwd -nis.virginia.edu (that seems to be where you could upload files). This already happened some days ago, but i wonder if they already did something against this.
...when I was an independent, I did a little consulting for a state university which shall remain nameless on computerizing their class sign-up system and allowing folks to set their course schedule for the term via the university's web site. They used the student's SSN and real name for the entire transaction, transmitted in the clear. I pointed out that this was terribly unsafe and could quite easily be used to steal the identities of every student who used the system, but suffice to say they weren't the least bit interested in hearing about my concerns. In fact, my short-term contract with them was not renewed because they didn't want to deal with the security flaws I pointed out and apparently were displeased that I'd had the gall to highlight said flaws in the first place.
Not that I cared about the contract; it seemed terribly irresponsible to me to put so many people at risk and deliberately do nothing to reduce that risk despite being told of the danger. But I do wonder if they'd be legally liable for their behavior, especially in light of the fact that I told them flat-out just how dangerous it was and that they needed to change the system to protect their students.
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
My school uses this number for everything! The worst was when the residents on my floor were invited to a special dinner. If you wanted to go to the dinnner you had to sign up on a list posted in the hall with your full name and SSN. I guess they needed it to deduct a meal from your meal plan, but JEEZ! The worst part was how many students signed up without thinking.
- Captbaritone
I worked for AT&T Wireless when they were breaking off from AT&T proper. One of things that needed to be done was to replace all of the AT&T employee ID numbers with new AWS employee ID numbers.
It. Took. For. Ever.
All sorts of disconnected systems keyed to that AT&T ID # that needed to be updated and changed and the change need to happen in one fell swoop and nothing could fail.
I'm betting a university setup is even worse.
Before she moved to George Mason, their CIO was the head of my department. After she left we found out we'd run up a six-million-dollar deficit during her tenure. Call me vindictive, but I can't help chuckling about this...though I feel bad for the other 29,999 victims.
Ironically, our university quit using SSNs for IDs a couple months ago.
Universities are not that inept when it comes to setting up firewalls. Second, universities have SO MANY machines that the casual outside hacker isn't going to just stumble upon the id server, or even know how to find it....
However, universities are INCREDIBLY inept when it comes to hiring cheap student labor to work in the IT department. Broke-ass students have both motive and opportunity to commit ID theft on this wide a scale. ID Theft rings are fairly well-known for approaching student IT workers at schools of affluence like Mason, where the majority of the student body are wealthy and have good credit.
Read the Privacy Act of 1974, a quick Google will find it for you. We had to use it in the Military and it basically required you to give permission and sign a form that stated what the organization was going to do with your SSAN, covered a lot of different area's.
Does this mean that if I call one of these credit bureaus and put a fraud report on my credit file (even though I'm not a GMA student or anything), I can get a free credit report? And that they call me before they increase my rates? Sounds like a plan...
With the first link, the chain is forged.
You ever hear the phrase "Name, Rank, and Serial Number"?
In the US Military, the serial number part is your SSN. This always pissed me off becausse when I was in the service, you couldn't write a check anywhere in a military town without writing your SSN on it.
It seems that once your in the military, your SSN becomes public knowledge.
The fact that *any* orginazation is in the practice of using your SSN as an identifier is B as in B, S as in S.
Universities are notorious for giving away the farm on their students identity... there was not much I could do about it except refuse and only try to use my last four, but that made some admin angry because you would make them think.
We all know this, but finally some organizations are begining to see the light... our SSN is not for identification.
"I'm not ashamed I can't function in society like I'm supposed to." - Paul Westerberg
Read more here:
NEW PSU IDS IN EFFECT; SSN CONVERSION EXCEEDS EXPECTATIONS
After nearly two years of extensive preparation and coordination,
Penn State successfully completed its conversion of all centralized
systems and many departmental systems to the new Penn State
identification (PSU ID) during the winter break. The conversion of
central Administrative Information Systems such as IBIS, ISIS, the
Data Warehouse and eLion began on Dec. 19 and finished earlier than
expected, with these systems being brought back online by midday Dec.
22. The new PSU ID numbers assigned to students, faculty and staff
now are in effect and are being used in place of the Social Security
number (SSN) as the University's primary identifier. This number will
be used in all internal processes that do not require SSNs for
reporting and taxation purposes. SSNs still are being collected, but
their use is strictly limited by new University policy. New steps
have been added to many business processes for the assignment and use
of PSU IDs. Penn State staff can find important information
describing these new processes at
http://ais.its.psu.edu/ssn/staff_spec.html on the Web. With the
conversion of card-reading systems completed, including those
operated by Housing and Food Services, the Library and Police
Services, the new Penn State id+ cards are in use University-wide.
Read the full story at http://live.psu.edu/story/9602
To kids just hacking school computers to change their grades?
Paul
Maybe a stupid question, but as a non-american, what can someone do if they steal your SSN?
Here in Belgium we have pasports which also has a number on it, but I don't see how they can use that against me.
I've never been asked for an ID except for police or a bank.
So what's the gain then.
Sorry for being ignorant here...
Um, many states use your SS# for your driver's license and/or state issued ID card. Only recently has Missouri allowed you to use an alternate number...
this is getting old and so are you
blog
...this is somewhat old news. Last year someone broke into NYU's gym computer (yes, I know)...and stole something like 10,000 student ssn numbers. This year, NYU has switched to non-ssn id numbers for students. Way to be reactionary and not proactive guys. PS. my ssn was stolen in this incident and I'm still in control of all my banking functions. People need to relax a little bit about this one.
Since this types of incidents happens quite frequently our university does not ask students for their social security numbers anymore. This has been proven an important step in the right direction and we hope other colleges and universities will follow. For now, you should simply refuse to give your social security number to any school if you do not want it to get stolen. Schools do not have the right to require the social security numbers of their students but are supposed to use other types of identifiers e.g. sequential enrollment numbers.
Though I dont give out my SSN, most of my heath providers seem to have it and use it as an identifier anyways. I see it appear on my dentist records, the hordes of people involved in my recent auto accident, etc.
Law say that only organizations that collect taxes can use the number. This includes your employer, the government tax and benefit departments, including the DMV tax on cars. SSN for driver licenses is technically not legal, nor for security clearances, private health programs, student IDs, etc.. But they all push for it.
Actually try just a 8 digit subset of it so that strangers dont see the whole thing. When aquaintances have tried this, about half of them have seen their SSN listed on some websites. Scary!
The deserve what they got. The Manassas, Virginia campus doesn't even use WEP on any of their 20+ wireless access points.
I'm a displaced Canadian living in the states. I'm absolutely amazed at the constant demand for my SSN. If you get a phone or any utilities, you must provide an SSN. Heck, I rented a washer/dryer at an apartment in Dallas and they wanted my SSN. Amazingly they forget the file folder with my credit history after they installed the washer/dryer (a few days before I moved in). Needless to say I now have a copy of my credit report (excellent, I must say). In Canada, since the mid 90's it has been illegal to use an SSN (called SIN, social insurance number, in Canada) for anything other than employment and income related, uaually banking (for interest reporting). Even within the various government agencies, an effort has been made to create a new identifying key that is NOT your SSN. Fucking utilities and every Tom Dick and Harry wants your SSN because it makes there keys and system identifiers easier for them. Screw you, the consumer, if some disgruntled employee or poorly implemented system allows some hacker access to your name, birthday, and SSN. Once your identity is stolen it is now your problem. Charlie (boo hoo on you) Monoxide
My medical insurance (United Healthcare) just last year switched from listing ssn on id cards to some other kind if number. Although ssn is still used, at least if you lose your wallet, they can't find your ssn on the cards (unless you carry your ss card).
Once Bush gets rid of Social Security we won't have to worry about that anymore!