US Studying Ways To End Use of Social Security Numbers For ID (securityweek.com)
wiredmikey quotes a report from Security Week: U.S. officials are studying ways to end the use of social security numbers for identification following a series of data breaches compromising the data for millions of Americans, Rob Joyce, the White House cybersecurity coordinator, said Tuesday. Joyce told a forum at the Washington Post that officials were studying ways to use "modern cryptographic identifiers" to replace social security numbers. "I feel very strongly that the social security number has outlived its usefulness," Joyce said. "It's a flawed system." For years, social security numbers have been used by Americans to open bank accounts or establish their identity when applying for credit. But stolen social security numbers can be used by criminals to open bogus accounts or for other types of identity theft. Joyce said the administration has asked officials from several agencies to come up with ideas for "a better system" which may involve cryptography. This may involve "a public and private key" including "something that could be revoked if it has been compromised," Joyce added.
...we freak everybody out and make something using the number 6, but like, three times in a row.
Yeah, that's the ticket.
Unlink SSN from TID (Taxpayer ID). Banks need TID, they have no business with SSN. Unlink SSN from healthcare (it wasn't legally required until Obamacare, although healthcare providers used it).
"National Security is the chief cause of national insecurity." - Celine's First Law
Sounds like another attempt at a national ID. I am sure it will go as well as all the past efforts.
You'll be able to conveniently use your social security number to get your new id number.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Clearly says "not to be used for identification purposes" on it. I guess it's an oldie.
DNA. They want your DNA. On File.
So, like, you'd go to the SSA website, and they'd give you a string of digits. And you take this string and give it to banks or whatever, and they type it into the SSA website and that brings up who that is associated with. And the owner can revoke their string at any time and replace it with a new one. Better yet, make them all one-time-use, it's not like I REALLY need to use my SSN very often.
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
Blockchain. All the cool kids are doing it! Say it with me... Blockchain!
The new Medicare card will no longer have the primary (usually husband's) SSN as the Medicare number.
https://www.cms.gov/Medicare/New-Medicare-Card/index.html
About friggin' time! I've been doing my best to avoid giving out my SSN where it's not required by law since the '80s.
One big hole that has been going on for decades is Medicare:
* Once you're old enough to be on it, you can't get regular health insurance to pay for the portion of your medical work (often all or the bulk of the cost) that Medicare pays for. Regular health plans turn into cover-the-difference supplements. You must sign up for Medicare or pay the charges yourself. (And if you don't have the government imposing price levels or the insurance companies negotiating deep discounts you get to pay the drastically inflated "regular price" that makes up for their discounts.)
* But if you DO sign up for Medicare, what do you get for an ID? Your SOCIAL SECURITY NUMBER with a single letter appended after it. They won't provide any alternative (though they have "been thinking about it" for years). You have to give this to ALL your medical providers. Get a prescription or an immunization at a pharmacy, hand in your Medicare ID. Go to a doctor, hand in your Medicare ID. Get a lab test, hand in your Medicare ID. Go to a specialist, hand in your Medicare ID.
Dozens, or even hundreds, of medical billing paperwork operations, with unknown numbers of clerks doing data entry (often offshore) and unknown competency of IT people configuring their databases, get your name and SS#. Some have even been CAUGHT selling them. Oops!
* So then we get stories about how people over 65 have a much higher rate of identity theft - typically trying to imply that these oldsters are lax in guarding their SS numbers. Well, DUH!
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Practically half of us are already hacked NOW.
When would something be implemented even if a standard were already agreed upon and mandated? I get the feeling this will be treated like Android security where if you don't invest in X flagship, which is optional and expensive, you're just not covered. 140 million is nearly half of all US citizens. I'm pretty sure we can't just reprint all our forms, reprogram all our websites, rework all our databases and change the mentality towards accepting the new name and (hardest of all) technical requirements of the new setup.
All in all, we need a solution (whatever it is) Yesterday, but even in 1, 3, 5, 10 or 15 years I can't see it really in place (there is failure inertia of British / Metric conversion proportions here). Reminds me a bit of the stupid job we've done when it comes to the spirit of the law for chip&pin Credit cards, being optional and all and totally backward compatible to the old insecure method when the card gets stolen to pay for something online without you there (which is the point).
I hope it was just an error in reporting, but if the White House cybersecurity coordinator actually thinks the problem is with using social security numbers as identifiers then he doesn't understand the problem. As unique identifiers, SSNs are actually relatively good. The US government does attempt to make sure that they are unique and most people that businesses in the USA will want to deal with have one and even know what it is. The real problem is when organizations use knowledge of a SSN being associated with a name (and some other easily obtainable information) as an authenticator. It's like trying to use your email address as both a login name and as a password for your email account. Any organization that did something like that would be immediately decried as insecure, but nobody thinks twice about using an email address as an identifier for all kinds of things. But that email address is paired with an authenticator of some sort (usually a password). Even some of most secure systems out there (PGP/GPG) have no problem with having the identifier public. In fact, PGP works because an identifier (email address) paired with the public key part of a key pair is widely published. We don't need to get rid of SSNs, we just need to pair them with an appropriately secure authentication system.
Changing the ID doesn't help. The problem is we are not authenticating. We need authentication, then the ID does not matter. Sovrin.org as a start?
tora
There's nothing wrong with using SSNs for ID. A unique number for each person in the country? Perfect.
The problem is when it gets treated as a secret, and abused for "authentication". It's not a secret, any more than your date of birth is a secret. It should be treated as publicly available information. Merely "knowing an SSN" should not be sufficient information to do much of anything, except possibly "give someone money".
Banks and businesses require customers to hand over their SSN, despite it being tagged "Not for use as identification", and then subsequently lose them in breaches. Government says let's replace SSN with something else - let's call it SSN2. What do you think will happen next?
I was thinking about a White House petition for Virtual Social Security Numbers:
Virtual Social Security Numbers
Single use numbers that are aliases for your real number.
To protect consumers from fraud and theft many banks now offer Virtual Credit Card Numbers. They are aliases, pseudonyms, for a real credit card number. They “lock” to the first merchant to use them. If a merchant’s database is compromised and a virtual credit card number is exposed, it is unusable. All charges not originating from the first merchant are declined.
The Social Security Administration could use a similar scheme to protect employees and consumers. A Virtual Social Security Number could be given to an employer or financial institution and the number “locked” to that organization when they verify the number with the government, submit information to the government, etc. If a different organization then tries to verify or use the number the government will fail to verify, reject the submission, etc. This would help impede identity theft and financial fraud as employers and financial institutions inadvertently expose employee and consumer information.
Virtual Credit Card Numbers are generated as needed using a credit card issuer’s online services. Virtual Social Security Numbers could similarly be generated as needed by the Administration through its online services.
The Internal Revenue Service could employ a similar scheme for their various taxpayer identification numbers.
Since the SSN only has 10 digits and there are 300 million citizens it means (ignoring any restrictions on numbers) that one-third of the possible values [and possibly effectively many more] are used up. All you need do if you need an SSN and expect it will not be checked by the Social Security Admin is... guess. And someone will get tagged with that data. With a high probability. That's not good.
Start with a US birth certificate.
Then start to request banks, building societies show the same person exists. Driver licence? Education institution?
Got a mortgage? Credit card? Utility bill? Who is renting a home?
The best way to work out who is illegal, using fake ID or just treaded a social security number is to request layers of other photo ID.
City, state, federal and private sector documents have to start to match going back years.
Does the life story go back to a lot of other valid US id? Does the trail stop with a fictional number?
Using another person's social security number or creating a fictional social security number should start to show over different federal, city and state databases.
The problem with a reused or fictional social security number is that it should not be safe from in depth city and federal level scrutiny.
What worked in the past to get a resume in and cover an illegal person's US university education will not stand to deeper investigation.
Fictional numbers should not be accepted. Reused numbers should be detected.
Start to match birth dates with names, education, work and other ID. Most illegals would have expected their one number to carry them.
Trying to use a social security number as few times as possible with ID built on a cover story should be different from average citizens.
Domestic spying is now "Benign Information Gathering"
A simple solution for now would be just to add 4 or 5 digits to the new SSNs that are issued. That would break so many systems that others would have to address the real problem.
Decades ago AT&T had a payroll system that couldn't cope with two employees having the same SSN. It turns out that the SSA has stated that the numbers aren't unique, only unique combined with a last name. If Mary marries Mr Smith and there is a Mary Smith with her SSN, they will reissue her a new SSN. There are millions of people who have been issued replacement SSN so far.
How about we go back to a brand on our arms? Seems to have worked in the past. Oh wait... and yet this is the same thing.
Your social security number should really be viewed as a unique user name and not for purposes of authentication. You could then have one or more passwords for authentication purposes. Say one for taxes, one for medical, one for credit - you could change your password easily in the case of a data breach and it's less important if your user name only is leaked.
Works for the Medical field.
The card I received from them decades ago says it's not to be used for identification. Right there plain as day. But... some time between when I got my card and my daughters got theirs, the SS cards stopped saying that. How long before this new ID will get commandeered for use by businesses and we start the whole game over again?
CUR ALLOC 20195.....5804M
and to effectively voluntarily change your SSN, rendering the original number completely unusable:
To avoid disruption of existing users of the real social security number the real number would remain valid for all users prior to the use of the first virtual number. After the use of the first virtual number existing users of the real number are “grandfathered” but any new organization using it will be disallowed. A consumer may have the option to disallow all use of the real number, requiring legitimate organizations to update their accounts with a virtual number.
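The virtual-number scheme from the petition comment earlier in the thread and its follow-up above (aliases that lock to the first organization to verify them, grandfathering of the real number, and the holder's opt-out), as an added sketch that is not part of any comment or of any real SSA service. The class, method and organization names and the sample number are hypothetical.

```python
import secrets


class VirtualSSNRegistry:
    """Toy model of the agency-side alias service; every name here is hypothetical."""

    def __init__(self):
        self._alias = {}            # alias -> {"real", "locked_to", "revoked"}
        self._legacy_orgs = {}      # real number -> orgs that used it directly
        self._alias_used = set()    # real numbers with at least one alias in use
        self._real_closed = set()   # holders who disallowed the real number
        self.rejections = []        # (number, org, reason): each one is a leak indicator

    def issue_alias(self, real):
        """Holder requests a fresh alias; it stays unlocked until first verified."""
        alias = "V-" + secrets.token_hex(8)
        self._alias[alias] = {"real": real, "locked_to": None, "revoked": False}
        return alias

    def revoke_alias(self, alias):
        """Holder kills an alias, for example after the locked organization is breached."""
        self._alias[alias]["revoked"] = True

    def close_real_number(self, real):
        """Holder opts to disallow every use of the real number."""
        self._real_closed.add(real)

    def verify(self, number, org):
        """Organization `org` asks the agency to verify `number`."""
        if number in self._alias:
            return self._verify_alias(number, org)
        # Toy simplification: anything that is not an alias is treated as a real number.
        return self._verify_real(number, org)

    def _reject(self, number, org, reason):
        self.rejections.append((number, org, reason))
        return reason

    def _verify_alias(self, alias, org):
        rec = self._alias[alias]
        if rec["revoked"]:
            return self._reject(alias, org, "rejected:revoked")
        if rec["locked_to"] is None:
            # First verification locks the alias to this organization and
            # starts the period in which the real number is frozen to legacy users.
            rec["locked_to"] = org
            self._alias_used.add(rec["real"])
        if rec["locked_to"] != org:
            return self._reject(alias, org, "rejected:locked-to-other")
        return "ok"

    def _verify_real(self, real, org):
        if real in self._real_closed:
            return self._reject(real, org, "rejected:real-number-closed")
        known = self._legacy_orgs.setdefault(real, set())
        if real in self._alias_used and org not in known:
            # Only organizations that used the real number before the first
            # alias was used are grandfathered.
            return self._reject(real, org, "rejected:not-grandfathered")
        known.add(org)
        return "ok"


def demo():
    reg = VirtualSSNRegistry()
    real = "000-00-0001"  # constructed sample; area number 000 is never issued
    out = [reg.verify(real, "old-bank")]         # legacy user before any alias
    alias = reg.issue_alias(real)
    out.append(reg.verify(alias, "employer"))    # first use locks the alias
    out.append(reg.verify(alias, "employer"))    # same organization again
    out.append(reg.verify(alias, "second-org"))  # leaked alias presented elsewhere
    out.append(reg.verify(real, "old-bank"))     # grandfathered user
    out.append(reg.verify(real, "new-lender"))   # new user of the real number
    reg.close_real_number(real)
    out.append(reg.verify(real, "old-bank"))     # holder closed the real number
    reg.revoke_alias(alias)
    out.append(reg.verify(alias, "employer"))    # revoked alias
    return out, reg.rejections


if __name__ == "__main__":
    results, rejections = demo()
    for line in results:
        print(line)
    print(len(rejections), "rejections recorded")
```

The rejection log is the part a plain SSN cannot offer: a verification attempt from an organization the alias is not locked to tells the issuer that the alias has left the place it was given to.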
It seems to me there may not be any absolutely secure way of attaching a number, code, text string, retina photo, or whatever used for an identity authentication system. As soon as the system is established, someone will figure a way of compromising it. Even some kind of quickly changing, encrypted algorithmic solution one might come up with might last awhile, but it won't last. Tell me I'm wrong.
In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
I propose we move to the new EjaculatID and DischargID biometric identification system.
If you use the SSN as a primary key, you're incompetent and you should resign.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
And I'm 59, I'm afraid. Very afraid.
Anything Trump proposes at this point is sure to be worse than what we have now.
Why not instead make part of the application a video of the applicant answering some questions?
What is the problem that needs to be solved? Is SSN the problem, or is the over use of SSN the problem? Will any replacement for SSN have the same overuse problem?
It's painfully obvious why a national id is a bad thing. There are people on both left and right who think it is a bad idea.
Another document you have to carry - "papers, please"
Instantly used for voting and other government services to filter those who can get them. That's racist!
YA form of ID to renew
Simple way to make noncompulsory things compulsory - census responses, selective service, jury duty
Just another step toward totalitarianism and the utter devaluation of human liberty. Fuck that. No one wants your efficiency, or your supposed protection from cybercriminals. This reminds me of the old email idea response sheet.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Whatever they decide, someone will make lots of money
oh, and it won't work
Which means someone else will also need to make a lot of money, and they will get to blame the last President of the USA.
It's about time. Finally. So many years too late we begin the beginning of what had really better be "OPEN SOURCE" dialog on how "WE" are identified as real. Or something like that. Just how do you finally, unquestionably really actually have the real me identified (in court criminally or in ordinary commerce)? I would suppose some combination of "Iris Scan" and a DNA sample would do in an extreme case, like a prison sentence, or even a 30 year mortgage- at what age would somebody be assigned an IDENTIFICATION? I'm sure Apple already has "i dentification"
for years to avoid using my SS# for identification purpose - tuff luck.
Argument against my wish is that the "company" has the right to choose what kind of identification they can demand.
It is sooo MF convenient, to have a whole population of a country tracked by ONE key!
Guess who benefits most from it?
Here's the new ID prototype they've come up with.
Apply for a signed certificate from the government or business like one would get a signed certificate from a CA for their website. If you lose your private key, then you have to repeat the process (and the government or business revokes your old certificate). Make it time consuming such that people aren't willing to go through the process that often, and they won't be so careless with their private keys.
Why not say hundreds of millions? Or all adult Americans with a bank account, apartment, house, car or credit card? Just say we all got equifuxxed together. Just say it.
Give everyone a private key on their birth certificate, and publish a public key as the new SSN.
Make the companies who lost people's identity data in hacks pay for it. All of it. They're the ones who broke SSNs. They should be the ones who pay to fix it.
Please note that this doesn't solve a equally big problem- you shouldn't HAVE to identify yourself for doing most things. A good example would be if you have to prove your age to do something. Age verification doesn't mean that establishment should be allowed to know WHO you are, and even worse, record that fact somewhere. Such acts erode privacy, freedom, and could be used later to frame, manipulate, or harass people.
Now, using your phone's numeric keypad, enter your 256-digit SecureID Unique Cryptographic Identification Number, followed by the pound sign...
If you repeat batshit crazy statements they become truer. If you repeat batshit crazy statements they become truer.
Cool, now I can log onto my bank account with my private key, from a local library PC, which I'm totally sure is not infected with malware because, you know, Windows, and I can feel safe because... why exactly?
Holy shit what the fuck type of crazy did I just read.
Why not adopt a burden of proof system like many other countries have. If you want to identify yourself you need to accumulate a certain number of points. Certain points are required for certain things (e.g. 100 points to open a bank account, 200 to apply for citizenship etc).
Different items provide different points e.g. drivers license or government ID document with photo 50 points, bank issued document or card 25 points, internationally identifying document like passport 75 points, letter posted to your address 10 points etc.
Then the burden of proof also needs to link the systems together, i.e. you should always have a document with your name, your face, your date of birth and your home address. Mix and match documents until you have the required number of points and all the core parts covered, and bam. ID.
42
A shame that the laws dictate on the backside that we change our SSN's when it wasn't us that gave them up over, and over, and over, and over. Wouldn't it be nice if every time we screwed up, the government changed the laws for us?
All it took was for the SSN for every single adult in the US to be leaked.
You sound like those idiots that say "MAC addresses are unique, let's use them as an identifier."
Neither your MAC address nor your SSN is a unique identifier.
In fact, identity confirmation is quite difficult, and as an AC I can say that you are totally clueless when it comes to the various issues of identity.
Maybe you should let the adults talk and keep your head down.
If the SS Administration finds you are using SSIDs for ID, they call a Federal Marshal, and the Federal Marshal takes the entire Board of Directors of that company to a Federal Judge, and they do 180 days each for a first offense.
Cryptography is Evil[TM]
The SSN was never intended to be an ID number. Any organization that ever said "if you know this number, we accept that as proof of identity" was stupid, and frankly should be legally liable for any fraud that they enabled.
The simplest form of identity check is to require a physical government-issued ID with a picture. This could be a driver's license, or a passport, or something similar. These are (a) reasonably difficult to fake, and (b) faking them is a crime. Those may be low barriers, but just knowing an SSN is no barrier at all.
Cryptographic keys? Joe Sixpack and Granny Gina don't have a clue about cryptography, and aren't going to get one. If you want to put a chip into the aforementioned government IDs, to make them harder to fake, sure. But the users don't need to know about this, and shouldn't have to care about it.
Of course, the drivers licenses in the US all look different, which makes them difficult to verify when used out of state. I really do not understand why USAians are so resistant to having a uniform, federal ID. It's not really going to make you any easier (or harder) to track, but being uniform, it would be a lot easier to check its validity.
Enjoy life! This is not a dress rehearsal.
Have it like Germany, give out national ID cards that require registering residency. Makes a lot of things much easier from generating voter lists to sending out information to finding people in emergencies. That will also end the patchwork of abusing driver's licenses as de facto national ID. Then again, knowing the US government's track record they will immediately find a way to abuse that information.
Make it a requirement that every citizen register for an ID linked to their personal information, DNA profile, photograph, iris scan, fingerprints, etc. Basically every form of identification you can think of, have the government record it down for every citizen and have a database of every citizen in the country. Have a secure government website where every citizen has their own homepage where they can deal with all their government services. Opting in and out of government programs, voting, welfare, healthcare, taxes, etc. Make sure everything is centralized, easy to access, and easy to use. Have free public terminals for those without computers/internet, mass produce cheap USB ID scanners with fingerprint pads to sell at cost to everyone, create secure government apps for approved devices, etc.
Problems this could potentially solve:
-DNA found at crime scenes is always identified; if it's not identified, it was either someone in the country illegally, a criminal who didn't register their information, or there was a problem with the test. Dead bodies are always able to be identified.
-Dead people are reported dead by the coroner, their accounts are flagged deceased, and their IDs are required to be turned in. Any activity on their pages would be noticed and reported to the police
-Last will & testament could be managed on your citizen page and drastically reduce court cases related to such things
-Ancestry is never a mystery, paternity and maternity court cases are no longer required (DNA samples/prints would be taken at birth, and further information would be taken upon reaching adulthood)
-Citizens could decide to allow/disallow the use of their DNA profiles and/or medical history in scientific studies, and scientists would have HUGE sample bases to work with
-Voting fraud is made nearly impossible, every citizen simply votes on their page; any fraud would be easily found out after investigation. Voting participation will skyrocket due to the ease of voting online
-Identity theft is much harder to accomplish (Nothing is impossible, you're never going to have a 100% secure system)
-Police organizations can easily access information if warrants are issued. Relevant agencies can access your information (IRS would be authorized to look at your tax data for example, but not unrelated information such as who you voted for) and alert you of problems/mistakes before it becomes troublesome
-Medical information and medical history could be managed on your citizen page. Doctors would be able to check your medical history and easily figure out blood type, allergies, organ donor status, whether you are DNR or not, etc. Doctors wouldn't need to store their own records of you, they could simply record new information in the government managed health database, and it could be accessed by other medical institutions when a patient switches doctors or hospitals
Downsides:
-Privacy (Can you call this a downside? The NSA already has a lot of this data in their super secret database, it's simply sitting there and doing nobody any good, why not openly do this and have it actually benefit the public? Obviously there would need to be permissions controls in place so a citizen can decide what they want kept private. For example, some random person viewing your citizen page wouldn't be able to see any information other than your name if you don't make it public, but a government agency would be able to see all the information that might be relevant for that agency.)
-Would probably cost a lot to reform everything (but you'd see savings in the long run)
This may involve "a public and private key" including "something that could be revoked if it has been compromised," Joyce added.
Or if you piss off the wrong person. Or if the system fails, or malfunctions. Or...
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
While Blockchain may have the marketcap, my vote for SSN replacement would be the Tangle i.e. quicker, free, public/private. IOT fits right in
Even if the country mandates it, employers will still use it.
Because, at this point, EVERYONE does.
Chas - The one, the only.
THANK GOD!!!
When I got my SSN, some 60 years ago, printed right on the then paper card, it said, NOT FOR IDENTIFICATION USE, or something like that. Guess they knew better then.
The problem in the United States is that the SSN is used both for identification and authentication. That means that instead of using the number like a name, just to refer to the person with that number, it is used as "secret knowledge" whose possession implies actually BEING the person it refers to. If the SSN were not used as an authenticator, knowing it would have no real value, and the Equifax breach would have been of no more importance than leaking the telephone book.
In Scandinavia (the best examples are Sweden and Iceland) everyone's ID number is in a publicly available register that also includes their name and address. Paradoxically, having everyone's ID number open and available is the most secure way to run an ID system.
(Another layer, like photo ID, biometrics, or private keys can be used for authentication.)
The Scandinavian approach could be a solution for the US, but there are two things that would make it politically difficult. One is that I think Americans would have a hard time believing that such a solution (especially from those durned socialists up there) would actually work.
The other is that you need a residence registration system to make national ID work well. That means everyone has an official address that they register with the government. Most countries in the world have this, but the US and some other Anglo-Saxon countries don't, for historical reasons. That's also the reason that voter registration is such a big issue in the US but a non-issue elsewhere. Identity theft and illegal immigration too. Introducing residence registration in the US would be a big step forward, but probably politically impossible in the gridlocked US governance system.
It's a representative republic, not a democracy, without a lobbying presence of your own, your Congressman is the place for this kind of request, not a social media holdover from the 44th presidency. That's so 2008.
Step 0: decide if we want a national ID or not. SSN was not supposed to be this, but businesses and the IRS could not help themselves. I think trying to eliminate the idea is like prohibition. It won't work. There are too many business models that depend on it.
Step 1: Don't eliminate. Instead, keep ssn's and embrace the publishing of them. There is nothing private about them and having a public ID number is useful.
Step 2: This means that an ssn can be used to connect the dots between a person's actions in one place and in another.
Step 3: Now we need a way for an institution to verify that the person before them and an ssn match. Clearly the Equifax breach published more than the SSN. This says that we can no longer depend on simple 'security' questions.
Step 4: We also need strong rules that say if you publish that a particular SSN did something, you also publish the trust chain that led you to believe that the ssn's actions were connected to the person. That way, there is responsibility on the person using the information, not just the person being held accountable.
Assuming we are not going to give up and find different business models, we need to embrace biometrics. Depending on the transaction it could be an increasingly complex series of tests. Do I care. Does the person have something like a credit card. Does the person have a picture id. Does my test equipment say the person matches some certified biometric data. (Perhaps on the card he is carrying, so no network is required.) Does his dna match that on file for his parents? Does his FMRI show he is who he says he is. Clearly this, like the current SSN story, could get out of hand.
Using a central government agency was a mixed blessing.
Perhaps, with something akin to PGP signing parties, going back to the 'I vouch for that person' is an option these days?
While I have no specific suggestions on WHAT they should do, I'll agree that this is most certainly a problem that needs to be resolved. Since the dawn of the computing age standard practice has been if an account is compromised, you immediately change your password, yet out in meat-space we're expected to keep a 9-digit number secret (while simultaneously having to hand it out to countless people to conduct business) for our entire lives?
The SSN was created in 1936. That's 10 years before the first modern, programmable computer was invented. It's a product of a by-gone time.
"People who think they know everything are very annoying to those of us who do."-Mark Twain
Somehow, I made it out of my parents' basement over the past 48 1/2 years. In the process, I got a clearance and roll with more background checking and additional ID than most people will ever have. None of that makes me feel even slightly safe, because I know it's all bullshit, really. It doesn't protect against espionage, identity theft or anything else, really. Moreover, the aggregation of key information into a single database is what enabled the OPM breach that gave it all away to (presumably) the Chinese. So some guy in China now knows everything about me, including my personal contacts and whatever data the USG gleaned during my background investigation.
I subjected myself to this, and I really only have myself to blame for being captured in the OPM hack. People shouldn't be forcibly subjected to this for zero gain in any critical way. And the data won't remain secure. That much is obvious, now. Governments cannot secure electronic data.
There's lots wrong with the system, but an ID card with crypto isn't going to fix anything, just make things worse.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
But just watch: This is a foot in the door to hand the verification contract to Equifax. Without a bid.
Have gnu, will travel.
There is no XUL, only WebExtensions...
Thank you for the information. Now please take your pills and get into the car.
deleting the extra space after periods so i can stay relevant, yeah.
My first SS card, said "not to be used for identification". Oh, I'm sure the government will come up with an alternative...CHIP implants. And they won't make it mandatory, but, if you don't they'll make a law that says if you don't have one, you can't access this government service or that government service. Hell, Sweden is doing it, and thinking about making it MANDATORY. When it comes to the USA, I'll be long gone, but, if I'm still around, I'll save them the fight, I'll just shoot myself. No one is putting an ID chip inside of me. It's bad enough your phone, home computer, GPS, car computers and what not know where you are and what you do all day long, but I'll be damn if someone plants one inside of me or puts a tattoo bar code on my skin.
Privacy preserving name verification
US 8347093 B1
ABSTRACT
Aspects of the invention pertain to preserving the privacy of users in on-line systems while also enabling verification that the users are who they purport to be. Confidential personal information may be communicated from a user to a trusted third party via a web-based application or other service. However, the personal information is encrypted so that the application or service is unable to access it. The trusted third party accesses the personal information and uses it to verify that a user ID such as an email address is associated with a particular user. This information is provided to the web-based application or service to certify the identity of the user. As a result, the application or server verifies to other users that the certified user is who he/she purports to be.
https://www.google.com/patents/US8347093
The problem is not SSN as identifier, it is more or less fine for that purpose.
The issue is using it as an authenticator (I know the SSN therefore I am that person). This must stop.
And the way to stop it is very easy. Like in every other country in the world, recognize that "identity theft" does not exist, and it is in reality just plain old "BANK FRAUD". The only reason why banks push the "identity theft" agenda is to put the blame and be able to go after the people who they were scammed to believe they talked to.
It should not be my problem that someone managed to convince a bank to give them money in my name. It is the bank's problem.
You'll see how fast this madness stops.
Sigh, replying to undo unintended mod. Meant to mark interesting.
Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
The only people protected from these abuses are generally the well to do.
Middle class and below are basically left to the wolves and without recourse if their information is abused.
That *IS* the intended function of the system. Equifax, all the companies with access to your SSN (basically everybody from your school to any job you applied for, to your medical care providers) has access to your SSN, whether because you provided it to them, or because they filed a background check on you and got it as part of the record on your name/address.
Privacy in America has been dead for years, except for that you eked out by 'living off the grid' or outright illegally. I've been having to reconcile this fact the past few years and my only conclusion is: If you want privacy and aren't already part of a rural community that ensures it for most of their members (meaning some people are 'on the books' to facilitate the others staying off the books), then you pretty much have to assume you have no privacy and just hope you never come to the attention of anyone wanting to look further into your personal information, or abuse said information for personal gain. If you genuinely want privacy you have to leave the US to get it, and figuring out either a country where you can live like that, or an alternate lifestyle that will avail you that anonymity (pretty much living on an unregistered boat at sea somewhere national patrols won't harass and board you..) will prove difficult and likely filled with deanonymizing false starts.
UUID is all the SSN is! It is no different than your NAME except that it is unique. That is the only purpose behind it; the laws preventing its use beyond original intent as well as laws expanding its use added to the problem.
If changes are to be made, then it is a great time to upgrade the SSN. INTENTIONALLY breaking SSN will force everybody to upgrade at the same time alternatives are provided, this will prevent illegal use of old SSN. It should double as a Tax ID... and for any other government purpose-- just as your NAME does. Corporations shall be barred from using it for tracking/privacy purposes... they can demand your name but you shouldn't have to give your UUID to create an online account!
New UUID should be available after some serious paperwork... it shouldn't be easy to defraud the government.
Actually, the new SS UUID should be alpha-numeric to account for a larger population and time. Old SSN are recycled because they run out of numbers. This would allow better historical record identification than we presently have. They should be designed to memorize and cut down on writing/reading errors. uppercase letters, numbers and skip letters I,O,S,Z because they look like numbers. Short as possible in length... 8 characters?
4 characters which encode place of birth and date of birth--- since hospitals change over time and years wrap...(what is the max time?)
4 characters serial number...
Both numbers would be in base 32 (10+22)
I've discussed the whole issue with my state secretary of state. They know about it but feel like most the problem is FEDERAL and legislative--plus they all think it will cost millions they don't have... can't do much about it.
We need IDENTITY services provided by the state. Driving licenses are primitive. It should be digital... multiple QR-Codes on paper should be as good. Yes, you can print fake copies... but you can do that with License cards too... Once you address this problem it should be compartmentalized. For example-- AUTHENTICATION-- the state authenticates your AGE, size, driving level, photo on your ID card. This can be digital. A QR-CODE which does not identify you-- but merely certifies your AGE. Meaning you could get a card saying you are over 18, 21 etc. without giving away your identity. digitally signed by the state. yes, again that ID could be copied... you could put a face on it... again, same problem everything has... once you address that... it should be compartmentalized.
Another example: PORN. age verification online with privacy. All one could know is the state government which verified your age.
The big problem with all of this is the confusion with the terminology and needs for each as well as use cases and security involved with each. Issuing smart cards around a standard which can be browser integrated as well as miniaturized (credit cards are too big) so your keychain can hold it. For driving, it may as well be key sized and ALL digital with only your UUID and name on it--- the police can read the chip to get your photo --- all being authenticated data by the state; you can't make a fake driving ID without the state's signing keys. Police will then be required to have a reading device -- which is not a big deal. Police could also look up your UUID in their computer-- they already look up your name or driver UUID.
For AGE related stuff-- a credit card with your photo and a chip. Events may not be able to scan everybody; a photo will have to do. (look-alike older relatives get around photo IDs.) Age verification is not a huge deal this works well enough. The chip would be for online purposes.
The problem is when biometrics and other schemes to attempt to perfect all this and combine aspects. Our fingerprint shouldn't be required for a great many things. To verify your age for example, it takes away your privacy. But if you have a PIN to decrypt the QR Code saying you are over 18.... that works... a smart chip replaces the PIN but both together is even better. Keep
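The 8-character identifier proposed in the comment above (uppercase letters and digits without I, O, S, Z; 4 characters for place and date of birth plus a 4-character serial, both base 32) can be written out as a small codec. This is an added example, not part of the comment; the function names, the look-alike mapping and the idea of treating the birth field as one integer are assumptions made for illustration.

```python
import string

# Uppercase letters and digits, minus I, O, S, Z -> 10 + 22 = 32 symbols.
ALPHABET = "".join(c for c in string.digits + string.ascii_uppercase
                   if c not in "IOSZ")
BASE = len(ALPHABET)
FIELD_CHARS = 4
FIELD_MAX = BASE ** FIELD_CHARS   # 1,048,576 values per 4-character field

# Assumption: a mistyped excluded letter is read as its look-alike digit.
LOOKALIKE = str.maketrans({"I": "1", "O": "0", "S": "5", "Z": "2"})


def _encode_field(value: int) -> str:
    if not 0 <= value < FIELD_MAX:
        raise ValueError(f"{value} does not fit in {FIELD_CHARS} characters")
    out = []
    for _ in range(FIELD_CHARS):
        value, rem = divmod(value, BASE)
        out.append(ALPHABET[rem])
    return "".join(reversed(out))


def _decode_field(text: str) -> int:
    value = 0
    for ch in text:
        value = value * BASE + ALPHABET.index(ch)  # ValueError on a bad symbol
    return value


def encode_id(birth_code: int, serial: int) -> str:
    """Build the 8-character ID: 4 characters of birth data, 4 of serial."""
    return _encode_field(birth_code) + _encode_field(serial)


def decode_id(text: str) -> tuple:
    """Normalise case and look-alikes, then split back into (birth_code, serial)."""
    norm = text.strip().upper().translate(LOOKALIKE)
    if len(norm) != 2 * FIELD_CHARS:
        raise ValueError("identifier must be 8 characters")
    return _decode_field(norm[:FIELD_CHARS]), _decode_field(norm[FIELD_CHARS:])


def birth_days_available(place_count: int) -> int:
    """Distinct birth dates per place that the 4-character birth field can hold."""
    return FIELD_MAX // place_count
```

With a constructed figure of 3,000 places of birth, `birth_days_available(3000)` leaves room for only 349 dates per place, which bears on the comment's open question about the maximum time span. The whole space is 2^40 structured values, so an ID of this shape can label a person but is enumerable and cannot double as a secret.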
SSN were never meant to be used for ID purposes and it is illegal to use them as such but this never stopped anyone. What about block-chain? Introducing the Blockstack Identity System
The problem is that with RFID being practically free, becoming more capable and smaller it will not be long before this is mandated at birth, injected into the feet/hands/forehead. The tags will be tied into every object interaction and used for all sorts of metadata hoarding.
Would it be more secure if we had a simple feedback solution using 2-way authentication through phone or computer? Something like: if I apply for something, there is a pop-up on my phone asking me to confirm? Such implementations already exist for remote login into your work computer and could be trivially replaced each time there is a security breach.
Identification and "credit worthiness" is supposed to be difficult in America. Death-to-birth tracking of bags of meat by arbitrary commercial entities for any purpose -- admission to a bar, granting of a coupon -- should not be possible. Instead of making it easier for the controlling organization to be certain they're dealing with the plebe in their database, like Jews with numeric tattoos in dehomag's database, we should:
- make it easy for people to operate a handful of aliases that can't be combined with one another, through both mechanical means and through forbidding attempts to do the analysis combining identifiers and forbidding discrimination against people who don't provide root, unaliased identifiers.
- allow commerce to continue with less power multiplication. For example, let credit agencies attest to someone's creditworthiness and provide a blinded handle for negative feedback if they fail to repay, without identifying them. Allow anonymous payment but not anonymous collection through a simple, main-stream scheme (like GNU Taler).
The issue is not with Social Security numbers. The issue is with systems used to STORE SENSITIVE INFORMATION. You are still going to have the problem of theft, if you do not have a secure system, regardless of whatever identification system you use.
Stop ignoring the problem. Focus on securing your system.
Hey, my SS card says it is not for identification. Past that we put too much weight in a social security number, particularly after the Equifax (and other unknown) security leaks. We need to have a way to verify it is us without an external (copy-able, steal-able) component. And not a dang implanted RFID chip. Are we back to passwords?
If fingerprints become the norm, then folks like Equifax will put them in a database and somebody will steal them.
If your fingerprints are published, then how many hacks are possible for somebody to use a copy of your print to be you.
Only now, the hack is worse because the authentication used a supposedly 'secure' method.
This makes it harder for you to prove that the hacker is not you.
Fingerprints may be part of the answer, but they are not a magic bullet.
If YOUR so smart, YOURE English may improve someday ?
Going with the Crypto idea and public/private keys and a revocation list... what happens if your private key gets revoked by mistake?
People complain about how hard it is to get off the terrorist watch list; how hard will it be to get off the Identity Revocation List? "I'm sorry, you must present your valid identity card to file a complaint." "Your identity can not be found. Please try again." "Your identity has been revoked. Please wait, Identity Removal Services agents will be with you shortly. Please enjoy your time in Guantanamo Bay."
What are all the ways this could go wrong?
41. ????
42. Profit!
better close the fucking door.....
This whole thing is so absurd, given that it was plainly stated on my first Social Security card: "Not for use as Identification." My original card wore out and had to be replaced sometime back, but by then, its use as an ID had become the norm... We definitely need a more secure system of establishing a hack-proof ID.
PlaynBass
I think of myself as creative but this is next level... I wonder if he actually wrote all the bogus documents referenced from which to draw "real" citations, or if he just keeps an index of made up stuff to be consistent across rants, or if it's all "on the fly"
For individual id's and internet id's for users and sites.
The U.S. Department of Health, Education, and Welfare, in *** 1973 ***, submitted a report ("Computers, Records, and the Rights of Citizens") that warned that allowing SSN's to continue to be used as "Universal Identifiers" would lead to exactly the problems we are seeing now.
So, Congress has been warned about it for 50 years, with suggested legislative options in the beginning... chose to take no action, and now it is suddenly news and an emergency.
That's right. In fact don't give out your SS# to almost everyone. The ONLY ones that need it are banks and it seems health care due to the ACA, sometimes called Obummer care. Something that wasn't even his idea and he admits it.
You can give a fake number to those people. Start it with 555. That will instantly identify it to a guy like me that it's fake and we'll understand.
I want to scratch my eyes out reading the improper use of your and you're.
Lack of security education and the use cases involved is why we continue to have this disaster:
Account Universally Unique Identifiers are needed and just like your email should be public knowledge and able to be changed (but not without some difficulty.) It is illegal to track people using SSN or verify their identity with SSN but that has been going on since the start because people didn't LEARN enough to separate the use cases. Keep some uses illegal, but address the use cases and allow it as a universal unique identifier everywhere (with legal limits-- you can't force everybody post comments online using their UUID as their account name.)
SSN is just fine to CONTINUE to use as a citizen number. Let them be published. Children born after X date get a smarter UUID. Something easy to remember, base33 with only 6 characters... 3 for time/place of birth and 3 as a serial number. [A-Z0-9] but remove [OZI] to avoid confusion with [051].
Identity will require 3rd party verification-- by government and allow for other parties to sign on as well.
Use Cases:
Age verification, Endorsements, Tax Id, ownerships, claims, signing, HIDDEN anonymous virtual identities.
Multiple IDs are possible and SHOULD exist. Drinking Age is fine with a photo ID validated by 2D barcode of a digital photo. No identity required-- anonymous age verification!
Online age verification, smart chip... difficult to copy -- again, no identity given whatsoever. A pin could be used SOMETIMES... skydiving vs porn depends on how strong a verification step is needed if you need a pin.
Hidden anonymous identity--- as many as you want but the government with a warrant can discover your true identity. You could blockchain all of your aliases. Corporations, Contracts-- all will NOT know your identity or track you precisely with this info-- but lawsuits and crimes would allow in certain cases your alias chain to be tracked down in court (but not disclosed to corps.) Rent a car, steal it-- get sued and the rental service wins but never knows who you are the whole time; but the cops who arrest you know. Credit cards etc could be done using something like this... bankruptcy or identity protection situations could "reset" you while still maintaining an official secret trail.
Biometrics:
Tattoo your SSN on your fingers and use that as your password. Biometrics also fail at 5th amendment protections.
iPhone X: don't put your password on your forehead, make forehead your password!
Democracy Now! - uncensored, anti-establishment news