South Korean Citizen IDs Vulnerable, Based On US Model

← Back to Stories (view on slashdot.org)

South Korean Citizen IDs Vulnerable, Based On US Model

Posted by samzenpus on Wednesday September 30, 2015 @04:34PM from the open-door dept.

An anonymous reader writes: South Korea's Resident Registration Number (RRN) has been proven 'vulnerable to almost any adversary' by the 'Queen of re-identification', Harvard Professor Latanya Sweeney, who previously proved that 87 percent of all Americans could be uniquely identified using just their ZIP code, birthdate, and sex. Sweeney was able to decrypt personal information from the RRN numbers of 23,163 deceased Koreans with 100% success by two different methods of attack, and notes that the South Korean system is based on one currently in use in the U.S.

57 comments

Min score:

Reason:

Sort:

What's so secret about those numbers? by Anonymous Coward · 2015-09-30 16:57 · Score: 2, Interesting

I'm only familiar with the Swedish model which uses a ten-digit number starting with the person's birth date on the form YYMMDD, three serial digits and a checksum. The key is that it's not designed to be secret at all, you're supposed to use it everywhere and for everything. It's just an ID number, simply knowing it does not entail authentication or authorization.
1. Re:What's so secret about those numbers? by timrod · 2015-09-30 17:17 · Score: 4, Informative
  
  The American model of identification number is basically supposed to be a secret between you, your employer, your insurer, your financial institution, and the government. The reason for this is that this is what you use to sign up for things like bank accounts and credit cards - and there's nothing in place to stop someone who has your SSN from getting a bunch of credit cards in your name and maxing them out.
  Korea is kind of weird in that they want their numbers to be secret, but have people use them for a lot of things. One of the most wide-scale cases of identity theft in South Korea for a long time (I don't know if it's the case as much today) was in MMORPGs, where they required people to sign up with a Korean identification number to play. There was actually a huge database of so called "KSSNs" (Korean Social Security Number) that were used to do this. The reason for this, oddly enough, had to do with a breach in a game called Lineage 2 that required KSSNs for registration - after the breach, the Korean government mandated that all online games use KSSNs for signups. I've heard they also use them for social media stuff but I've never seen that firsthand.
2. Re:What's so secret about those numbers? by Anonymous Coward · 2015-09-30 17:35 · Score: 0
  
  Sweden is an Orwellian state to begin with.
  In the Swedish system the birth sex and place is coded into the last four digits. I think starting with an even number is male, odd is female.
  Most countries I have lived in, intentionally have less information in their resident numbers. And it is a huge deal when you can deduce more info from them (as seen in this article). There are countries without any citizen/resident identifier number to begin with.
3. Re:What's so secret about those numbers? by Pi1grim · 2015-09-30 17:39 · Score: 5, Informative
  
  This.
  Same system in Estonia. What USA lacks for their SSN - is proper authorisation. Estonia, for example, has state-issued smartcards with assymetric cryptography keys generated on-die and then signed by central certification center, so that at any time you can verify whether ID is active, is not listed as stolen, etc. Software developed to work with the cards is opensourced and available for Win, Lin, Mac under BSD license and can be used to sign documents and encrypt documents for transit (public keys of all active IDs are stored on central certification server, much like GPG keyservers). Number in itself is in no way valid identification, only a valid signature by the private key is accepted as proof of identity. And guess what - identity theft problem solved in most part.
4. Re:What's so secret about those numbers? by Anonymous Coward · 2015-09-30 18:10 · Score: 0
  
  I am curious, where do you use your number (in most countries you have lived in), but do not provide your date of birth along with it? I cant come up with a single use case (some like the US use it as verification, but you dont use it as verification in sweden, you dont ever get asked for it for verification).
  
  Sweden is an Orwellian state to begin with.
  You think your government cant find your date of birth, if not for this number. I dont even know how to respond to that.
5. Re:What's so secret about those numbers? by Dutch+Gun · 2015-09-30 18:17 · Score: 2
  
  a secret between you, your employer, your insurer, your financial institution, and the government.
  And that's precisely why in today's world, such a system is broken by default.
  It's fine for identification, but we should stop screwing around with a simple 10-digit numbers as a means of authentication. Rather, as citizens, we should be given a tamper-resistant USB hardware dongle that contains a completely secret private key (which literally NO ONE knows - a completely random 256-bit number generated at manufacturing) with a read-only API to decrypt messages created with the public key. The government then officially associates that device's PUBLIC key with our SSID. Even if we lose control of our SSID, only someone with that hardware dongle can definitely prove they are who they say they are, even online.
  This way, we can easily and securely authenticate ourselves online for important transactions, like securing a loan or a credit card, or signing up for a service which would otherwise require your SSID today (like a health plan). The organization would request the public key for a given SSID from a public government database. The organization then would need to query that hardware device, which shouldn't be too much more difficult than what some second-factor authentication devices already do today.
  If the dongle is lost, stolen, or breaks, we go into our local Social Security office (like I recently had to do for a new SSID card), prove we are who we say we are to a human being, and we purchase a new dongle and public key, which is then associated with our existing SSID. Existing accounts should only care about your SSID and the fact that you authorized correctly once. It's only when you need to authorize your identity again would the new public key be read from a central government repository.
  This seems way too easy for me, so I'm sure I'm missing something. Any thoughts on why this might not work?
  
  --
  Irony: Agile development has too much intertia to be abandoned now.
6. Re:What's so secret about those numbers? by gl4ss · 2015-09-30 18:21 · Score: 2
  
  "your employer, your insurer, your financial institution, and the government. " and for that reason also your operator, cable provider, random cc providers...
  it's not a secret. shouldn't be treated like a secret. it's just an identifier. but oh well a nation that treats 40 year old paper as proof that you're some 40 year old dude..
  
  --
  world was created 5 seconds before this post as it is.
7. Re:What's so secret about those numbers? by gl4ss · 2015-09-30 18:29 · Score: 3, Insightful
  
  yeah it's there, so what? it's not a secret, it's not meant to be a secret. the documents detailing your health as you were born are supposed to be confidential, not the fact that you were born with a dick.
  and there's countries that have citizens who have lived for generations there but don't have any id, number or even official citizenship to act as a citizen and without the usual human rights to boot.
  I don't see what's so great about that.
  having an unique to you social security number is handy. it doesn't need to be a secret, when you use it your id is verified by other means - just trusting a string of numbers that stays the SAME through your whole life and is given to countless officials staying secret is so fucking stupid to begin with that it's just a present for ID thieves.
  and really, you don't even give it away that often(the ssn in nordic countries).
  
  --
  world was created 5 seconds before this post as it is.
8. Re:What's so secret about those numbers? by Anonymous Coward · 2015-09-30 18:52 · Score: 0
  
  The American model of identification number is basically supposed to be a secret between you, your employer, your insurer, your financial institution, and the government.
  That type of secret is called public information.
9. Re:What's so secret about those numbers? by ShanghaiBill · 2015-09-30 18:59 · Score: 3, Funny
  
  Any thoughts on why this might not work?
  Because it will be interpreted as the Mark of the Beast prophesied in the Book of Revelations. If you still think your plan could work, then please write to CNBC and convince the moderator to ask about your scheme during the next Republican debate on Oct 28th.
10. Re: What's so secret about those numbers? by Anonymous Coward · 2015-09-30 19:02 · Score: 0
  
  It's been many years since they stopped coding sex into the personal identity number.
11. Re:What's so secret about those numbers? by Anonymous Coward · 2015-09-30 19:10 · Score: 0
  
  a secret between you, your employer, your insurer, your financial institution, and the government.
  And that's precisely why in today's world, such a system is broken by default.
  It's fine for identification, but we should stop screwing around with a simple 10-digit numbers as a means of authentication. Rather, as citizens, we should be given a tamper-resistant USB hardware dongle that contains a completely secret private key (which literally NO ONE knows - a completely random 256-bit number generated at manufacturing) with a read-only API to decrypt messages created with the public key. The government then officially associates that device's PUBLIC key with our SSID. Even if we lose control of our SSID, only someone with that hardware dongle can definitely prove they are who they say they are, even online.
  This way, we can easily and securely authenticate ourselves online for important transactions, like securing a loan or a credit card, or signing up for a service which would otherwise require your SSID today (like a health plan). The organization would request the public key for a given SSID from a public government database. The organization then would need to query that hardware device, which shouldn't be too much more difficult than what some second-factor authentication devices already do today.
  If the dongle is lost, stolen, or breaks, we go into our local Social Security office (like I recently had to do for a new SSID card), prove we are who we say we are to a human being, and we purchase a new dongle and public key, which is then associated with our existing SSID. Existing accounts should only care about your SSID and the fact that you authorized correctly once. It's only when you need to authorize your identity again would the new public key be read from a central government repository.
  This seems way too easy for me, so I'm sure I'm missing something. Any thoughts on why this might not work?
  If I know your ID number I can then steal your USB dongle and be you? Or kill you and then "100%" prove I _am_ you?
  How much are these devices? What if I don't have a computer or internet connection - say I'm traveling in a backwater like USA instead of SK :D
12. Re: What's so secret about those numbers? by Anonymous Coward · 2015-09-30 19:36 · Score: 0
  
  It makes no sense to talk about SSN in the Nordic countries. It's called personal identity number, not SSN. Social security number is specifically the American identity number, not the English word for "identity number".
13. Re:What's so secret about those numbers? by Dutch+Gun · 2015-09-30 20:13 · Score: 1
  
  If I know your ID number I can then steal your USB dongle and be you? Or kill you and then "100%" prove I _am_ you?
  I suppose a pin could be added to protect against simple theft, with a security flag set if too many wrong guesses are detected. There's no real technical solution if someone is willing to murder you for your identity. I recommend a 12 gauge shotgun instead.
  
  How much are these devices?
  I've seen similar devices like the Yubikey for $25 to $50. I'd bet they could be mass produced for about $10 to $15 each at the numbers required to distribute them to the entire population of a country.
  
  What if I don't have a computer or internet connection - say I'm traveling in a backwater like USA instead of SK :D
  Har, har. ;-) Keep in mind this is for security authenticating identity online, in the typical places where you'd need a national ID now. The typical reasons for doing that are to open financial accounts, like banks or credit cards, or signing up for government services. In SK, they're apparently used for more things, like online games. Even so, these are not things you'd typically do while traveling. Your passport should suffice for most normal transactions out of country. In general, I'd imagine most people would not wish to carry this device with them at all times because of it's inherent value.
  For those that don't have a computer or internet connection of any sort (which is increasingly rare), you'd probably be required to meet with someone who could authenticate your identity for you in person through a device of their own - any smartphone would be capable of doing this, so the bar isn't that high.
  
  --
  Irony: Agile development has too much intertia to be abandoned now.
14. Re:What's so secret about those numbers? by Anonymous Coward · 2015-09-30 21:08 · Score: 0
  
  Where do I have the mod option "Strange"???
  This makes Dr. Strangelove seem utterly sane!
15. Re:What's so secret about those numbers? by Anonymous Coward · 2015-09-30 21:12 · Score: 0
  
  After a while it's no longer a secret. The SSN shall only be a lookup key used to provide a public record with sufficient data to identify you positively. The presence of an SSN itself shall never been seen as sufficient for identification - even if it is on a card that looks valid.
16. Re:What's so secret about those numbers? by drinkypoo · 2015-09-30 21:58 · Score: 1
  
  sorry about your redundant mod, that was one of the best comments in the thread.
  The USA doesn't want to fix identity theft, obviously.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
17. Re:What's so secret about those numbers? by Anonymous Coward · 2015-09-30 23:31 · Score: 0
  
  The American model of identification number is basically supposed to be a secret between you, your employer, your insurer, your financial institution, and the government.
  Someone evidently never considered that three people can keep a secret if two of them are dead.
18. Re:What's so secret about those numbers? by AmiMoJo · 2015-09-30 23:47 · Score: 1
  
  I'd add that some kind of two factor authentication would be a good idea, rather than relying on the key alone. Otherwise stealing the key means the thief gets everything.
  I'm not sure we really want a secure government ID though. Seems like it would be open to abuse, especially if every institution using it had to query government controlled servers for the public key with each transaction.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
19. Re: What's so secret about those numbers? by shitzu · 2015-10-01 00:53 · Score: 1
  
  Just FYI Estonia has such a system in place - Our national id card is a smartcard with a private key infrastructure. You too can use it via Estonian e-residency program.
20. Re:What's so secret about those numbers? by SQLGuru · 2015-10-01 01:10 · Score: 1
  
  It wasn't SUPPOSED to be used for the financial institutions.....they just borrowed the id because they were too lazy to create their own.
21. Re:What's so secret about those numbers? by Anonymous Coward · 2015-10-01 01:39 · Score: 1
  
  Many ostensibly crazy ideas in religious texts were basically just PSAs (public service announcements) in disguise.
  It was more difficult in the past to control things like trichinosis in pork, so don't eat pork. God says so. If you want kosher food, you boil your utensils. Why? Not because of knowledge of bacteria, but because God says so. Originators of such scripts observed what works, and they knew that the masses are extremely *stupid* people that can't be reasoned with. So "God says so" is unfortunately more effective than explaining things to them.
  So when it comes to governments branding or tagging people with identifiers, when your religion is a minority with a popularity considered a possible threat to the government, guess what the scriptural PSA will say this time? God says no personal identifiers.
  This isn't inherently irrational thinking. History is filled with examples of religious persecution (e.g. Romans vs Early Christians, Protestants vs Catholics, all of the "holy land" for all of history). As far as tagging people, just look at the treatment of Jews in WWII and having to wear stars to be identified as Jewish. And we know what the Nazis did to them. When it comes to politics, just because the spoken *reasoning* is a load of crap doesn't mean the underlying *reasons* are a load of crap.
  I'm not concerned about the "mark of the beast". I *am* concerned about governments having the ability to keep the citizenry under their control rather than the other way around.
22. Re:What's so secret about those numbers? by Anonymous Coward · 2015-10-01 02:04 · Score: 0
  
  having an unique to you social security number is handy.
  People never learn. You can have a world war in which almost an entire people gets slaughtered with the help of a database full of information collected in more innocent times. Does that deter anyone from again creating centralized databases with unique identifiers about people? No, because it's handy. And it's not just government databases either: Facebook or open protocols? Facebook, because it's handy. Your freedom has a price, for fucks sake. The price is that you think about the power you give other people, and accept a little inconvenience if that's necessary to prevent a dangerous concentration of power.
23. Re: What's so secret about those numbers? by Dutch+Gun · 2015-10-01 02:47 · Score: 1
  
  Thank you, that's interesting to know. I guess it's perhaps not such an outlandish idea after all. Probably the biggest hurdle in getting a system like this would be inertia, and for the US government (well, probably any government), that can be pretty substantial. Well, probably once the rest of the world does something like that, we'll probably implement something similar after a decade or two. That's just how we seem to roll here in the US of A, I guess - incredibly high tech in some areas, but stupidly backwards in others.
  
  --
  Irony: Agile development has too much intertia to be abandoned now.
24. Re: What's so secret about those numbers? by shitzu · 2015-10-01 03:29 · Score: 1
  
  Well, my first card with the validity period of 10 years is expiring soon, so one decade is already gone.
  But anyway, check out https://e-estonia.com/e-reside...
25. Re:What's so secret about those numbers? by Anonymous Coward · 2015-10-01 06:53 · Score: 0
  
  In the same issue of Technology Science where the Korean RRN paper appears is one showing how Iceland's more public version of a national identifier also leaks sensitive information http://techscience.org/a/2015092902/
Not just South Korea by antifoidulus · 2015-09-30 17:07 · Score: 1

This problem isn't limited to just South Korea, Japan this month Japan will start rolling out a similar system called My Number(and of course, this being Japan, it is associated with a cute character) Not sure why countries are so eager to give ID thieves a field day, but apparently they are. The elderly are especially vulnerable as they are the least likely to understand the new system and use the new technology and the most likely to fall prey to scams.

--
Monstar L
1. Re:Not just South Korea by davester666 · 2015-09-30 17:27 · Score: 1
  
  This problem will be fixed once we just give in and get the number tattooed on our foreheads.
  You know it's coming.
  
  --
  Sleep your way to a whiter smile...date a dentist!
2. Re:Not just South Korea by fustakrakich · 2015-09-30 18:10 · Score: 1
  
  Well, let's just hope they do it fashionably. Can we at least pick the font?
  
  --
  “He’s not deformed, he’s just drunk!”
3. Re:Not just South Korea by davester666 · 2015-09-30 18:25 · Score: 1
  
  Yes. You will be able to choose between Curlz and Giddyup.
  
  --
  Sleep your way to a whiter smile...date a dentist!
4. Re:Not just South Korea by Anonymous Coward · 2015-09-30 18:48 · Score: 0
  
  Yes. You will be able to choose between Curlz and Giddyup.
  Pfew. No Comic Sans.
5. Re:Not just South Korea by Anonymous Coward · 2015-09-30 19:08 · Score: 0
  
  This problem will be fixed once we just give in and get the number tattooed on our foreheads.
  You know it's coming.
  My only hope is that I'll be dead before that happens.
6. Re:Not just South Korea by davester666 · 2015-09-30 19:16 · Score: 1
  
  For you, the number will be so long, they will have to graft a bunch of extra skin onto your forehead.
  And they'll put a backup copy across your penis, balls and ass.
  
  --
  Sleep your way to a whiter smile...date a dentist!
7. Re:Not just South Korea by Anonymous Coward · 2015-09-30 19:41 · Score: 0
  
  For you, the number will be so long, they will have to graft a bunch of extra skin onto your forehead.
  And they'll put a backup copy across your penis, balls and ass.
  I don't know, my forehead is pretty big. The backup will fit completely on my ass though. Along with my medical history and systemd source code.
8. Re:Not just South Korea by Anonymous Coward · 2015-09-30 23:38 · Score: 0
  
  I have the systemd source code tattoed on my ass... kill me .. please ..kill me
Mentioned in the article: Washington State by Anonymous Coward · 2015-09-30 17:08 · Score: 0

Only in America. Pay through the nose for the most basic of health care, then have your privacy systematically violated as part of a federal requirement.
Captcha: winning
Huh by Anonymous Coward · 2015-09-30 17:56 · Score: 0

" The reason for this, oddly enough, had to do with a breach in a game called Lineage 2 that required KSSNs for registration - after the breach, the Korean government mandated that all online games use KSSNs for signups."
So,there was a breach on a system using KSSNs, which made users of that system exposed to all kinds of identity fraud. This prompted the Korean government to mandate the use of these numbers on other similar systems with supposedly the same security level?
SSN are not secret by ljhiller · 2015-09-30 18:44 · Score: 2

Never mind that SSN are plastered everywhere, even if you don't tell me the first 5 digits, if I know your birthday and place of birth and the last 4 digits, I know all 9. It's a public algorithm.
1. Re:SSN are not secret by ShanghaiBill · 2015-09-30 19:10 · Score: 2
  
  even if you don't tell me the first 5 digits, if I know your birthday and place of birth and the last 4 digits, I know all 9. It's a public algorithm.
  Not true. My sister and I were born two years apart and in different states. Our SSNs were issued on the same day, and are identical except for the last digit. They just pulled the next two numbers off the list. There is no "algorithm".
2. Re:SSN are not secret by Anonymous Coward · 2015-09-30 19:34 · Score: 0
  
  That's because she's not your sister. She's an identity thief!
3. Re:SSN are not secret by Anonymous Coward · 2015-09-30 20:37 · Score: 1
  
  The format of South Korean SSN is YYMMDD-GGXXXX# where Y, M and D are birthdate, G is gender, X is I don't really know well but some kind of number of area from where your ancestor originated or something and # is a checksum digit. (gender is two digits because since from 2000 or later to differentiate from people born in 19XX AFAIK) So in short it is quite possible to guess most digits if you know a person's birthdate and gender. The checksum number is quite easy to calculate because it is simple arithmetic. When KSSN became mandatory to sign up but there was no actual validation with SSN database, the most used number to sign up was 111111-1111117. Ah memory. Ever since my KSSN was terminated (S.Korea does not allow double nationality), I can't/don't use any of those Korean services requires registration with real SSN number. But well don't mind.
4. Re:SSN are not secret by Anonymous Coward · 2015-09-30 22:37 · Score: 0
  
  Unless you're a little kid, the first three digits encode the region, just not of your birth but of the mailing address used to request it. Your parents probably decided to have all the paperwork done in one fell swoop and gave the authorities one address.
  SSNs issued after 2011 are assigned randomly, so nowadays you and your sister would have gotten completely different numbers.
  In other words, grandparent post is largely right when he says he can predict the first five SSN digits, although this will change as people with SSNs issued after 2011 get old enough to matter and people with SSNs issued before 2011 start dying.
5. Re:SSN are not secret by amalcolm · 2015-09-30 23:39 · Score: 1
  
  Two digits for gender? Wow many genders are there over there?
  
  --
  Time for bed, said Zebedee - boing
6. Re: SSN are not secret by AvitarX · 2015-10-01 00:34 · Score: 2
  
  In the early 80s, SSN became required to receive child tax deductions (I believe it was then, part of regan closing loop holes).
  I suspect this is when you received your SSNs. I am born 81, but have the SSN of someone born a few years later myself.
  The algorithm exists, but it's not based on birth, it's based on registration.
  
  --
  Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
7. Re:SSN are not secret by Anonymous Coward · 2015-10-01 02:32 · Score: 0
  
  This. Between the OPM and the Anthem breaches, one out of every three Americans has their Social Security Number on the Web. The SSN is not, and should not, be used as a form of identification.
8. Re:SSN are not secret by WallyL · 2015-10-02 02:34 · Score: 1
  
  Maybe they use binary notation, so a max of 4 genders?
Aadhaar in India by Anonymous Coward · 2015-09-30 18:47 · Score: 0

In India we have a new system called Aadhaar. The unique ID is completely random and just knowing this number is useless as you would require to authenticate it with biometric or OTP sent to your mobile to do anything useful with it. Anyone can use it to Authenticate an Indian resident, the system will only reply with a yes/no based on the information (biometric/otp) submitted and will not leak any information on query..
1. Re:Aadhaar in India by Anonymous Coward · 2015-09-30 19:18 · Score: 0
  
  Everything in India is leaky and shady . Even assuming that your biometric data/ your phone calls are not leaky is just being stupid. It takes only a few thousand rupees .. to leak the hell outta any system
2. Re:Aadhaar in India by Anonymous Coward · 2015-09-30 19:33 · Score: 0
  
  Aadhaar's confidentiality has always been dubious. When you enroll for yourself, there is a check-box in the enrollment form asking if you want to share this data with private agencies collaborating with the government. Regardless of whether you leave the box unchecked, your data is supposedly uploaded to a common database shared by government and these unspecified "private agencies". Also, some incidents of data breach have already been reported in which the private contractors hired by government to set up Aadhaar enrollment camps where found culpable.
  Coming to your unique identification point, Aadhar was in fact supposed to be used as an identification number; but almost all government departments end up asking for a copy of your entire Aadhar Card as an identification proof; not just the number - which implies that paper copies of your Aadhaar card that contains your photograph, address, mobile number and Aadhaar number ends up being carelessly stored in several government/private offices.
Not news by Anonymous Coward · 2015-09-30 20:54 · Score: 0

It is 13 digit number comprises Birthdate (YYMMDD), gender (two digits), some 4 digits (AFAIK area code of your ancestor's origination or something like that) and a checksum digit. So it is hardly secure. On top of that, many of S. Korean websites stored those number upon registration in plain text, and got hacked to leak all those numbers. Also many people were successfully targeted with phishing mails and calls. And I have heard they could get numbers with brute force attack.
In early days, many websites used RRN to avoid people create multiple accounts but without any validation with RRN database of any sort. They only have checked the checksum digit which could be calculated with simple arithmetic (it was like multiply each digit, add the results and the lowest digit is the checksum number)
At certain point, some companies came up with RRN database service so websites could do actual validation from stopping multiple accounts. Though RRN numbers are already leaked from ages ago already. Many people have already shared with their friends and family for a long long time while it is advised to keep your number secret.
Id numbers shouldn't be required to be secret by skeletal · 2015-09-30 23:52 · Score: 1

The idenfitifaction numbers shouldn't be required to be secret. They should be used for just one purpose - to identify a person in a database, to act as a foreign key so the government databases can join together all data they have on you using it as a key. Or some private company as well. It shouldn't be ever used to authenticate people, but that's how the SSN is used in the US and what's causing all these problems. It should be required that you show a valid identification document with your picture on it, that also includes your ID number. If I know someone's ID number here in Estonia, then all I can do is guess their age and sex from it. That's it, when you apply for a credit card you have to show some kind of document, so this fuss about ID numbers being secret is just insane and inconveivable for anyone outside the US. Here (in Estonia), if we need to identifi and authenticate ourselves to the government or some private company (banks to do online banking, telecoms to check the phone balance or whatever, change the cable tv package) we can use our ID card which has a private key on the chip and requires the knowledge of a PIN code for authentication, another PIN for giving digital signatures. The Japanese are doing it a bit wrong, they should put their "my number" of id documents like passport or drivers license. Roll it out when peoples documents expire and they have to get new ones.
That's not how SSN was designed by Anonymous Coward · 2015-10-01 00:33 · Score: 0

SSN was never intended to be a secret authenticator. It's a sequentially assigned ID number, and nothing more. Historically, though, it became used as an authenticator. Much like "mother's maiden name" used to be the "challenge question" authenticator used.
Can we give up now? by holophrastic · 2015-10-01 00:53 · Score: 1

Are we still expecting to build a system that can't be hacked? I don't understand why anyone would think that possible.
We gave up on that hundreds of years ago for so many things -- think the lock on your front door, next to the glass window; or your car, with the slim-jim. You can walk up to anyone on the street, and just stab them to death with a kitchen knife. You can drive your car onto the sidewalk and kill a dozen people in mere seconds.
I think it's high-time we stop wasting so much time and money trying to resist, and start planning to deter and penalize.
Not used for SSN in the US by AndroSyn · 2015-10-01 01:26 · Score: 1

This system is NOT used in the US for social security numbers, its a private vendor that uses it....the /. summary is misleading..
Nobody reads the articles anymore so...here is the quote.

The system under scrutiny is modelled on one used by U.S.-based multinational IMS Health, which collates data on millions of (living) South Koreans.
I AM NOT A NUMBER by Anonymous Coward · 2015-10-01 02:12 · Score: 0

I AM A FREE MAN!
*contemptuous laughter*
I will not make any deals with you. I've resigned. I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own. I resign.