Slashdot Mirror

← Back to Stories (view on slashdot.org)

Congress To Restrict Social Security Number Use

Posted by ryuzaki0 on from the they're-not-toys-you-know dept.

diverge_s writes "News.com.com has an article detailing a long overdue attempt Congress is making to restrict the use of Social Security Numbers. From the article: 'In both the House and the Senate, there are at least three pieces of pending legislation that propose different approaches to restricting the use and sale of SSNs. Politicians have expressed astonishment at what they see as a rising identity fraud problem, frequently pointing to a 2003 Federal Trade Commission survey that estimated nearly 10 million consumers are hit by such intrusions each year.'"

4 of 280 comments (clear)

  1. Band-aid on a gunshot wound. by TripMaster+Monkey · · Score: 5, Insightful


    All the proposals mentioned in the article are merely band-aids on a system that is fundamentally broken. Any competently designed identification system consists of two parts: the public identifier, and the private key. The problem with SSNs is that you have a system where one number is simultaneously the public and private parts of the system, which dooms it to failure every time.

    Making new rules limiting the sale and purchase of SSNs, or restricting the display of SSNs on reports, is just closing the barn door after the hore has already left.

    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:Band-aid on a gunshot wound. by Gonarat · · Score: 5, Interesting

      Exactly. It shouldn't matter if I know your SSN. There should be a private key part of the equation required for a transaction that requires an SSN to take place. This token should be a pass phrase, not just a password or PIN. Verification can be done electronically by the Social Security Administration.


      For example, if I sign up for a credit card, the application would not be processed until I give my valid pass phrase and it was verified. This way, someone could find out my SSN, date of birth, Mother's maiden name, shoe size, or whatever else, but could not do anything with it without knowing my pass phrase. Credit cards themselves should at least require a PIN to complete a transaction. This could be done without a major overhaul of the financial network -- the ISO 8583 specs supports PINs.


      You could support several pass-phrases. One pass phrase would be for applying for credit and such, giving a Bank or Credit institution this pass phrase would allow them to not only access your credit report, but would give them authorization to update it as they do today. A second pass phrase could be given to just allow read access to a credit report. This could be used for your own access, access by landlords, or any other situation where you need to give out that information without giving the ability to update it. One time use read pass phrases could even be supported. Pass phrases could be changed by visiting the Social Security Office or online. Any forgotten pass phrases would require a visit to the Social Security Office.


      A system like this would massively cut down on fraud and identity theft without too massive of a change to the current system flow.


      --
      Beware of Sleestak
  2. shared secret by Lord+Ender · · Score: 5, Insightful

    Many companies and government organizations use the SSN as some kind of shared secret for the purposes of establishing identity.

    This law wants to prop up this model.

    THIS IS A STUPID MODEL.

    There are much better ways of establishing identity than using the SSN.

    What we need to do is STOP USING SSN TO ESTABLISH IDENTITY!!!

    Then it can be public, you can post it wherever you want, and we won't have to deal with the impossible problem of putting the cat back in the bag.

    Government issued smartcards, with a simple PKI (and revocation system) would be a perfect method for establishing identity. We need to put the money in to that, not trying to keep some unchangable number secret.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  3. Just in the nick of time by Mouth+of+Sauron · · Score: 5, Insightful

    *NOT*

    Wait... What's this printed on the back of my Social Security card? "Not to be used for identification purposes."

    Having been the victim of identity theft and credit card fraud, I have to say this is probably too little too late. I've had over $20,000 in fraudulent charges made in my name -- items ranging from electronic equipment to beer and gasoline. The Social Security number is already the de facto citizen identification number, even if it is not de jure.

    Some culpability lies in the lap of merchant businesses, as well. In one case, a company sent a credit card application issued in my name to an old address. The occupant filled it out and began making purchases. When the bill came due, the collections agency had no problem tracking me down to give notice. In my opinion, this merchant could have been more dilligent, because I had asked them to cancel my account years before this happened. They were certainly dilligent when it came to getting paid.