Slashdot Mirror


US Studying Ways To End Use of Social Security Numbers For ID (securityweek.com)

wiredmikey quotes a report from Security Week: U.S. officials are studying ways to end the use of social security numbers for identification following a series of data breaches compromising the data for millions of Americans, Rob Joyce, the White House cybersecurity coordinator, said Tuesday. Joyce told a forum at the Washington Post that officials were studying ways to use "modern cryptographic identifiers" to replace social security numbers. "I feel very strongly that the social security number has outlived its usefulness," Joyce said. "It's a flawed system." For years, social security numbers have been used by Americans to open bank accounts or establish their identity when applying for credit. But stolen social security numbers can be used by criminals to open bogus accounts or for other types of identity theft. Joyce said the administration has asked officials from several agencies to come up with ideas for "a better system" which may involve cryptography. This may involve "a public and private key" including "something that could be revoked if it has been compromised," Joyce added.


  1. Step one and two. by msauve · · Score: 3, Interesting

    Unlink SSN from TID (Taxpayer ID). Banks need TID, they have no business with SSN. Unlink SSN from healthcare (it wasn't legally required until Obamacare, although healthcare providers used it).

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:Step one and two. by aaarrrgggh · · Score: 4, Insightful

      Doesn't solve the problem though. You still have high-value information linked to the TID, which ultimately is the root of the problem.

      Ultimately you need the TID to be unique to each taxpayer, and a subset/hash of the TID plus additional information to be linked for other (financial) purposes. The IRS should be the only ones able to re-associate you to a unique qualifier.

      But, until you eliminate the profit motive for credit bureaus everything will end up being re-assembled. Back to square one.

    2. Re:Step one and two. by arglebargle_xiv · · Score: 3, Informative

      US Studying Ways To End Use of Social Security Numbers For ID

      Am I the only one whose immediate reaction to that is "Well, no shit, Sherlock".

    3. Re:Step one and two. by msauve · · Score: 3, Informative

      "If a SSN is not linked to healthcare, what is its use really??"

      Uh, Social Security (AKA OASDI). Duh.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    4. Re: Step one and two. by Hognoxious · · Score: 2

      Not recycling them doesn't prove that there are no dupes. Errors can happen, and they have.

      https://www.nbcnews.com/techno...

      https://www.pcworld.com/articl...

      Here's a fact - you suck at fact checking.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    5. Re:Step one and two. by dwillden · · Score: 4, Insightful

      Well by law it's supposed to only be used for Tax identification purposes. Not healthcare, not insurance, not anything else. But everybody just ignores the Privacy Act of 1974 because it's never been enforced.

      --
      I'm too lazy to compose a creative sig.
    6. Re:Step one and two. by ctilsie242 · · Score: 5, Interesting

      You can have a national ID system, but the way it likely will be designed will be a jackpot for all well-heeled attackers.

      Instead, why not a national ID system based on certificates? For example:

      When someone turns 21 here in the US, the country they were born in signs a certificate stating that the owner is over 21. This way, a bar owner has 100% cryptographic proof that someone is of legal age to drink... but doesn't need to know their name or any other info about the person.

      If a degree from an accredited school is required, the school signs the ID with a cert showing the degree. That way, it doesn't matter who the person is... but the cert is valid.

      Going into short-lived certs, one can have a cert signed by the FBI stating that there are no priors on the RAP sheet. This cert can be valid for a few days. Again, it solves the purpose and gives no data out.

      Even credit records, Equifax or whatnot can sign a certificate stating someone's FICO score is over 700, ensuring they have an easy track for qualifying for a house. Since all this requires is a HSM to do the signing, it can be made well secured, with the actual scores being on an air-gapped database.

      If we go with certificates, it means that one's privacy is kept, but the legal needs for stuff (age, no criminal history) are met. Add an option for the ID card holder to only show certs that are relevant, and this makes for an extremely private ecosystem.

      Secure as well, since the only real points of attack are the cryptosystem (good luck), endpoint cards (which would only compromise users singly), and a signing cert holder (which only affects them). The only real single point of failure would be the physical ID card itself.
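
An added example, not part of the comment above: a minimal Go sketch of the per-attribute certificates it describes, where an issuer signs one claim bound to the key on the holder's card and the relying party learns nothing else. The certificate layout, the issuer names, the claim strings and the nonce-based proof that the presenter holds the card key are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// AttributeCert is a constructed format: one signed claim, no name, no SSN.
type AttributeCert struct {
	Issuer    string            // e.g. "state-dmv" (made-up issuer name)
	Claim     string            // e.g. "age_over_21"
	HolderKey ed25519.PublicKey // public half of the key on the holder's card
	NotAfter  int64             // Unix seconds; short-lived certs expire fast
	Sig       []byte            // issuer signature over the four fields above
}

// payload quotes each field so one field cannot bleed into the next.
func payload(c AttributeCert) []byte {
	return []byte(fmt.Sprintf("%q|%q|%x|%d", c.Issuer, c.Claim, c.HolderKey, c.NotAfter))
}

// Issue is run by the signing authority (the part that would sit behind an HSM).
func Issue(name string, key ed25519.PrivateKey, claim string, holder ed25519.PublicKey, ttl time.Duration, now time.Time) AttributeCert {
	c := AttributeCert{Issuer: name, Claim: claim, HolderKey: holder, NotAfter: now.Add(ttl).Unix()}
	c.Sig = ed25519.Sign(key, payload(c))
	return c
}

// Verify is run by the relying party; proof is the card's signature over a fresh nonce.
func Verify(c AttributeCert, want string, trusted map[string]ed25519.PublicKey, nonce, proof []byte, now time.Time) error {
	issuerKey, ok := trusted[c.Issuer]
	switch {
	case !ok:
		return errors.New("unknown issuer")
	case !ed25519.Verify(issuerKey, payload(c), c.Sig):
		return errors.New("bad issuer signature")
	case c.Claim != want:
		return errors.New("wrong claim presented")
	case now.Unix() > c.NotAfter:
		return errors.New("certificate expired")
	case !ed25519.Verify(c.HolderKey, nonce, proof):
		return errors.New("presenter does not hold the card key")
	}
	return nil
}

// DemoCerts runs four presentations on constructed data and returns each outcome.
func DemoCerts() [4]error {
	now := time.Unix(1700000000, 0) // constructed clock
	dmvPub, dmvPriv, _ := ed25519.GenerateKey(rand.Reader)
	fbiPub, fbiPriv, _ := ed25519.GenerateKey(rand.Reader)
	cardPub, cardPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"state-dmv": dmvPub, "fbi": fbiPub}
	age := Issue("state-dmv", dmvPriv, "age_over_21", cardPub, 5*365*24*time.Hour, now)
	clean := Issue("fbi", fbiPriv, "no_priors", cardPub, 72*time.Hour, now)
	nonce := make([]byte, 16)
	rand.Read(nonce)
	good := ed25519.Sign(cardPriv, nonce)
	altered := age
	altered.Claim = "fico_over_700"
	return [4]error{
		Verify(age, "age_over_21", trusted, nonce, good, now),                           // accepted
		Verify(age, "age_over_21", trusted, nonce, ed25519.Sign(otherPriv, nonce), now), // copied cert, wrong card
		Verify(altered, "fico_over_700", trusted, nonce, good, now),                     // claim edited after signing
		Verify(clean, "no_priors", trusted, nonce, good, now.Add(96*time.Hour)),         // short-lived cert, expired
	}
}

func main() { fmt.Println(DemoCerts()) }
```

The relying party only ever sees the claim, the issuer name and a card key, so presenting the age certificate reveals neither a name nor an SSN.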

    7. Re: Step one and two. by lgw · · Score: 2

      Credit agencies can suck air. They have no business extending easy credit to anybody who knows my SSN at the cash register of a clothing store.

      Credit agencies don't extend credit to anyone - they just keep a DB of creditworthiness. It's the banks that are the eternal villains in this story, and they should never escape blame.

      I believe there's a very simple fix here: any time a bank issues fraudulent credit, they're fined 3x the amount of credit issued. If that turns out to not produce sufficient ID checking, up it to 10x or 30x, or keep going until it does.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  2. National ID? by borcharc · · Score: 5, Insightful

    Sounds like another attempt at a national ID. I am sure it will go as well as all the past efforts.

    1. Re:National ID? by 93+Escort+Wagon · · Score: 5, Insightful

      We already have a national ID - it's called Social Security - so what's the objection to another one?

      --
      #DeleteChrome
    2. Re:National ID? by Known+Nutter · · Score: 2

      Government!! Reasons!!!

      --
      Beware of the Leopard.
    3. Re:National ID? by Nethemas+the+Great · · Score: 4, Insightful

      At some point the "States Rights," "Big Brother," "Don't Tread on Me" folks are going to have to concede the fact that they're US citizens and need to have a unique identifier as such. With rare exception, US citizens have already been assigned a unique identifier by default with their SSN. By their perpetual protests against a national ID they've forced governments and NGOs to this lowest common denominator to everyone's detriment.

      --
      Two of my imaginary friends reproduced once ... with negative results.
    4. Re:National ID? by DarkOx · · Score: 2

      No the problem is really simple, the problem is using the SSN both as identification and authentication. You should think of your SSN the same way you think of your name. The only difference is SSN is more unique.

      If anything the government should issue cards with private keys associated with your existing SSN. The proof of your identity would be your ability to cipher (nonce + SSN + timestamp) or something similar and the bank, SSA, IRS, etc would determine it's really you by deciphering with the public key and getting the same value back out.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
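
An added example, not part of the comment above: the challenge it describes, with the SSN used only as a lookup key and the card key doing the authentication. It uses an Ed25519 signature in place of the "cipher with the private key" step, and the verifier type, the one-minute timestamp window, the single-use nonce table and revocation by replacing the enrolled key are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"time"
)

// Verifier is a hypothetical relying party (bank, SSA, IRS).
type Verifier struct {
	keys    map[string]ed25519.PublicKey // SSN (public identifier) -> enrolled card key
	pending map[string]bool              // nonces handed out and not yet consumed
	maxSkew time.Duration                // accepted clock difference
}

// Challenge returns a fresh single-use nonce.
func (v *Verifier) Challenge() string {
	b := make([]byte, 16)
	rand.Read(b)
	v.pending[hex.EncodeToString(b)] = true
	return hex.EncodeToString(b)
}

// message is the value the card signs: nonce + SSN + timestamp.
func message(nonce, ssn string, ts time.Time) []byte {
	return []byte(fmt.Sprintf("%s|%s|%d", nonce, ssn, ts.Unix()))
}

// Check verifies one response; the nonce is consumed even when the check fails.
func (v *Verifier) Check(nonce, ssn string, ts time.Time, sig []byte, now time.Time) error {
	known := v.pending[nonce]
	delete(v.pending, nonce)
	pub, enrolled := v.keys[ssn]
	switch {
	case !known:
		return fmt.Errorf("unknown or reused nonce")
	case !enrolled:
		return fmt.Errorf("no key enrolled for this SSN")
	case now.Sub(ts) > v.maxSkew || ts.Sub(now) > v.maxSkew:
		return fmt.Errorf("timestamp outside window")
	case !ed25519.Verify(pub, message(nonce, ssn, ts), sig):
		return fmt.Errorf("signature does not match enrolled key")
	}
	return nil
}

// DemoChallenge uses constructed data; 000-00-0000 is a placeholder, not an issued SSN.
func DemoChallenge() [5]error {
	const ssn = "000-00-0000"
	now := time.Unix(1700000000, 0)
	v := &Verifier{keys: map[string]ed25519.PublicKey{}, pending: map[string]bool{}, maxSkew: time.Minute}
	oldPub, oldPriv, _ := ed25519.GenerateKey(rand.Reader)
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, thiefPriv, _ := ed25519.GenerateKey(rand.Reader)
	v.keys[ssn] = oldPub // enrolment at the issuing office
	login := func(k ed25519.PrivateKey) error {
		n := v.Challenge()
		return v.Check(n, ssn, now, ed25519.Sign(k, message(n, ssn, now)), now)
	}
	n := v.Challenge()
	sig := ed25519.Sign(oldPriv, message(n, ssn, now))
	var r [5]error
	r[0] = v.Check(n, ssn, now, sig, now) // card holder: accepted
	r[1] = v.Check(n, ssn, now, sig, now) // same response replayed: rejected
	r[2] = login(thiefPriv)               // knows the SSN, lacks the card: rejected
	v.keys[ssn] = newPub                  // card reported stolen: old key revoked
	r[3] = login(oldPriv)                 // revoked key: rejected
	r[4] = login(newPriv)                 // replacement key: accepted
	return r
}

func main() { fmt.Println(DemoChallenge()) }
```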
    5. Re:National ID? by chill · · Score: 5, Interesting

      So, use the driver's license as the identifier. You have to physically go into the DMV and prove your identity to get one -- just like now. Nothing's perfect for this step, but this is one of the more workable and accurate systems so far.

      Change the cards to be PIV/CAC/HSPD-12-style smart cards, so they can store a private key unique to the individual. These can be used for legally binding digital signatures.

      You end up with 56 or so "certificate authorities" -- the 50 States, the various U.S. possessions and territories, and the Federal Gov't themselves. States already can validate each other's DL numbers and records in real time.

      This deals with the concerns of having the big, bad central government in charge of everything yet still provides for a workable, federated system.

      --
      Learning HOW to think is more important than learning WHAT to think.
    6. Re: National ID? by chill · · Score: 2

      Uh, what? Did you reply to the wrong message?

      --
      Learning HOW to think is more important than learning WHAT to think.
  3. The cool thing is by Maxo-Texas · · Score: 5, Funny

    You'll be able to conveniently use your social security number to get your new id number.

    --
    She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
  4. My SS Card by Anonymous Coward · · Score: 2

    Clearly says "not to be used for identification purposes" on it. I guess it's an oldie.

  5. Ooooh, I know! by aaarrrgggh · · Score: 5, Funny

    Blockchain. All the cool kids are doing it! Say it with me... Blockchain!

    1. Re:Ooooh, I know! by Tablizer · · Score: 2

      NoSql.Blockchain.node.js is so last year, keep up!

  6. About friggin' time! by Ungrounded+Lightning · · Score: 5, Informative

    About friggin' time! I've been doing my best to avoid giving out my SSN where it's not required by law since the '80s.

    One big hole that has been going on for decades is Medicare:

      * Once you're old enough to be on it, you can't get regular health insurance to pay for the portion of your medical work (often all or the bulk of the cost) that Medicare pays for. Regular health plans turn into cover-the-difference supplements. You must sign up for Medicare or pay the charges yourself. (And if you don't have the government imposing price levels or the insurance companies negotiating deep discounts you get to pay the drastically inflated "regular price" that makes up for their discounts.)

      * But if you DO sign up for Medicare, what do you get for an ID? Your SOCIAL SECURITY NUMBER with a single letter appended after it. They won't provide any alternative (though they have "been thinking about it" for years). You have to give this to ALL your medical providers. Get a prescription or an immunization at a pharmacy, hand in your Medicare ID. Go to a doctor, hand in your Medicare ID. Get a lab test, hand in your Medicare ID. Go to a specialist, hand in your Medicare ID.

    Dozens, or even hundreds, of medical billing paperwork operations, with unknown numbers of clerks doing data entry (often offshore) and unknown competency of IT people configuring their databases, get your name and SS#. Some have even been CAUGHT selling them. Oops!

    * So then we get stories about how people over 65 have a much higher rate of identity theft - typically trying to imply that these oldsters are lax in guarding their SS numbers. Well, DUH!

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:About friggin' time! by msauve · · Score: 2

      People need to fight back. Equifax leaks? That should be a problem for lenders, not individuals. PROVE it was me, and not someone giving you my info to take out a loan or ???. Reporting credit issues to any of the 3? That's libel (deliberate, you should know better) without that proof. It's their own damn fault for building a house of cards because it's cheap and easy.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    2. Re:About friggin' time! by Hognoxious · · Score: 2

      Seems to me you have a case if, and only if, the information reported is wrong (and the burden of proof for that would be on you).

      No it wouldn't. That would require proving a negative.

      If a newspaper printed a story about you fucking goats could you prove you don't?

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  7. Time to implement? by vlueboy · · Score: 3, Interesting

    Practically half of us are already hacked NOW.
    When would something be implemented even if a standard were already agreed upon and mandated? I get the feeling this will be treated like Android security where if you don't invest in X flagship, which is optional and expensive, you're just not covered. 140 million is nearly half of all US citizens. I'm pretty sure we can't just reprint all our forms, reprogram all our websites, rework all our databases and change the mentality towards accepting the new name and (hardest of all) technical requirements of the new setup.

    All in all, we need a solution (whatever it is) Yesterday, but even in 1, 3, 5, 10 or 15 years I can't see it really in place (there is failure inertia of British / Metric conversion proportions here). Reminds me a bit of the stupid job we've done when it comes to the spirit of the law for chip&pin Credit cards, being optional and all and totally backward compatible to the old insecure method when the card gets stolen to pay for something online without you there (which is the point).

    1. Re:Time to implement? by 140Mandak262Jamuna · · Score: 3, Insightful

      Practically half of us are already hacked NOW.

      Let me fix it for you.

      Practically half of us know we are already hacked now. The rest will learn soon.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  8. Someone doesn't understand the problem by Anonymous Coward · · Score: 5, Insightful

    There's nothing wrong with using SSNs for ID. A unique number for each person in the country? Perfect.

    The problem is when it gets treated as a secret, and abused for "authentication". It's not a secret, any more than your date of birth is a secret. It should be treated as publicly available information. Merely "knowing an SSN" should not be sufficient information to do much of anything, except possibly "give someone money".

    1. Re:Someone doesn't understand the problem by MrLogic17 · · Score: 2

      This.

      A Social Security number is a username, not a password.

      Having a mere SSN should not be enough to authenticate a person is who they say they are, it's just a way to tell me from you. Any person or system using a SSN as proof of identity is just plain lazy - especially since SSN is now practically public domain information. (Thanks Equifax!)

  9. Virtual SSN - White House Petition ? by perpenso · · Score: 5, Interesting

    I was thinking about a White House petition for Virtual Social Security Numbers:

    Virtual Social Security Numbers
    Single use numbers that are aliases for your real number.

    To protect consumers from fraud and theft many banks now offer Virtual Credit Card Numbers. They are aliases, pseudonyms, for a real credit card number. They “lock” to the first merchant to use them. If a merchant’s database is compromised and a virtual credit card number is exposed, it is unusable. All charges not originating from the first merchant are declined.

    The Social Security Administration could use a similar scheme to protect employees and consumers. A Virtual Social Security Number could be given to an employer or financial institution and the number “locked” to that organization when they verify the number with the government, submit information to the government, etc. If a different organization then tries to verify or use the number the government will fail to verify, reject the submission, etc. This would help impede identity theft and financial fraud as employers and financial institutions inadvertently expose employee and consumer information.

    Virtual Credit Card Numbers are generated as needed using a credit card issuer’s online services. Virtual Social Security Numbers could similarly be generated as needed by the Administration through its online services.

    The Internal Revenue Service could employ a similar scheme for their various taxpayer identification numbers.
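
An added example, not part of the comment above: a minimal Go sketch of the lock-on-first-use behaviour it proposes, where an alias is bound to the first organisation that verifies it and is refused for everyone else. The registry type, the "V" plus nine digits alias format and the organisation names are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"sync"
)

// Registry is a hypothetical issuer-side service; only it can map an alias back.
type Registry struct {
	mu     sync.Mutex
	owner  map[string]string // alias -> real number, never leaves the issuer
	locked map[string]string // alias -> first organisation that used it
}

func NewRegistry() *Registry {
	return &Registry{owner: map[string]string{}, locked: map[string]string{}}
}

// NewAlias issues a random alias, so two aliases for one person cannot be
// linked by anyone who lacks the registry.
func (r *Registry) NewAlias(realSSN string) (string, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	for {
		n, err := rand.Int(rand.Reader, big.NewInt(1000000000))
		if err != nil {
			return "", err
		}
		alias := fmt.Sprintf("V%09d", n.Int64())
		if _, taken := r.owner[alias]; !taken {
			r.owner[alias] = realSSN
			return alias, nil
		}
	}
}

// Verify locks an unused alias to org, then accepts only that org. The mutex
// makes check-and-lock atomic, so two organisations racing on a leaked alias
// cannot both win.
func (r *Registry) Verify(alias, org string) error {
	r.mu.Lock()
	defer r.mu.Unlock()
	if _, ok := r.owner[alias]; !ok {
		return errors.New("alias was never issued")
	}
	if first, used := r.locked[alias]; used && first != org {
		return errors.New("alias is locked to another organisation")
	}
	r.locked[alias] = org
	return nil
}

// DemoAliases uses constructed data; 000-00-0000 is a placeholder, not an issued SSN.
func DemoAliases() (results [4]error, distinct bool) {
	reg := NewRegistry()
	forEmployer, _ := reg.NewAlias("000-00-0000")
	forBank, _ := reg.NewAlias("000-00-0000")
	results[0] = reg.Verify(forEmployer, "employer")     // first use locks the alias
	results[1] = reg.Verify(forEmployer, "employer")     // same organisation again: accepted
	results[2] = reg.Verify(forEmployer, "fraud-lender") // leaked from the employer: rejected
	results[3] = reg.Verify("V-not-issued", "bank")      // made-up alias: rejected
	return results, forEmployer != forBank
}

func main() { fmt.Println(DemoAliases()) }
```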

    1. Re: Virtual SSN - White House Petition ? by magarity · · Score: 3, Funny

      The underlying reason: they wanted a unique identifier in their database.

      Dear gas utility, my SSN is: select sys_guid() from dual;

    2. Re: Virtual SSN - White House Petition ? by Anonymous Coward · · Score: 2, Funny

      Little Bobby Tables is always up to something.

    3. Re:Virtual SSN - White House Petition ? by jbengt · · Score: 2

      When I first got my SS card (a long, long time ago), it said right on it that it should not be used for identification.
      SS number should be treated like a publicly known database key for the Social Security Administration's use. It should not be treated as an ID nor for authorization. Those should be independent of the SSN.

    4. Re:Virtual SSN - White House Petition ? by lgw · · Score: 2

      Wat?

      There's no problem with using SSNs as your username in a system. The problem is using them as a password. They're fine to use as an identifier, but not as a proof of identity.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  10. User name equivalent by burtosis · · Score: 5, Interesting

    Your social security number should really be viewed as a unique user name and not for purposes of authentication. You could then have one or more passwords for authentication purposes. Say one for taxes, one for medical, one for credit - you could change your password easily in the case of a data breach and it's less important if your user name only is leaked.

  11. Define the problem, then fix the problem by QuietLagoon · · Score: 2

    What is the problem that needs to be solved? Is SSN the problem, or is the over use of SSN the problem? Will any replacement for SSN have the same overuse problem?

    1. Re:Define the problem, then fix the problem by Anonymous Coward · · Score: 2, Insightful

      Good start.
      Just stop at asking the question: what do other countries do. Presumably, Sweden, Great Britain, Japan, France, Germany, Kenya, Brazil, Canada, and many others have been in the same situation. Let's not find out how they did it. Presumably, the solution is separate numbers for a Financial/Tax ID, Social Security Number, Medicare Number, and the like.

      I know what we can do! We can give a $10 million contract to Equifax for them to find the solution for us! No-bid contract, of course.

  12. Re:How about by sit1963nz · · Score: 2

    my ex was born on the 5/6/66

    Turned out that she came from the 5th circle of hell.

  13. Step three by Solandri · · Score: 5, Insightful

    Make the companies who lost people's identity data in hacks pay for it. All of it. They're the ones who broke SSNs. They should be the ones who pay to fix it.

  14. Anonymity by markdavis · · Score: 2

    Please note that this doesn't solve an equally big problem- you shouldn't HAVE to identify yourself for doing most things. A good example would be if you have to prove your age to do something. Age verification doesn't mean that establishment should be allowed to know WHO you are, and even worse, record that fact somewhere. Such acts erode privacy, freedom, and could be used later to frame, manipulate, or harass people.

  15. Re:Guessing works by Actually,+I+do+RTFA · · Score: 2

    Well, except that with the checksums eliminate half the valid numbers off the bat. So, you're looking at 60% off the bat. Except there are 337M citizens, so 67.2% gone . Then, you get into dead people who had SSNs (with imperfect recycling). And there may be other restrictions, but even without those the odds that any well-formatted SSN was ever issued has to be at least 70%.

    --
    Your ad here. Ask me how!
  16. SSN is not unique by mveloso · · Score: 2

    You sound like those idiots that say "MAC addresses are unique, let's use them as an identifier."

    Neither your MAC address nor your SSN is a unique identifier.

    In fact, identity confirmation is quite difficult, and as an AC I can say that you are totally clueless when it comes to the various issues of identity.

    Maybe you should let the adults talk and keep your head down.

  17. Re: How about by Hognoxious · · Score: 2

    Revelations 13, KJV

    "Here is wisdom. Let him that hath understanding count the number of the beast: for it is the number of a man; and his number is Six hundred threescore and six."

    A score is 20. Do the math.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  18. Re:No, we don't. by OneAhead · · Score: 4, Insightful

    All theories that sound reasonable on paper but are utterly divorced from reality. Only useful for keeping people dumb, just like in the totalitarian dystopias you so decry.

    If you ever step out of your mom's basement (real or allegorical) into the scary, scary world, you'll notice that the US de facto already has this. In most of the country, you can't get anywhere without a car and you can't drive without a driver's license. And folks without one readily get a state ID because in most of the US, you literally can't even do as much as buy a beer without either. Also note that a lot of western European nations have national IDs, and are politically further away from totalitarianism than Ameristan, with (among other things) protection of personal privacy that still has some semblance of meaning. Do you really honestly believe the fact that there's formally no national ID is much of a hindrance to US government services intent on tracking their citizens?

    On a more anecdotal note, I subjectively felt/feel far freer in Western European countries with state ID than in the USA; among many other things, I got ID-ed almost an order of magnitude more often in the latter country. Sure, I could in theory have refused and suffer the consequences, but that "in theory" is exactly why the US is so backward - you conservatives/libertarians/whatever should really get your feet on the ground and start talking in real life terms instead of lofty theoretical concepts that are hollow and being circumvented right under your firmly airborne noses.

    And don't even get me started on SSNs; when I read this story, I rolled my eyes so hard that it was almost audible. Assuming you don't dedicate your life to paranoidly protecting your SSN, its security is an illusion. You know as well as I that your SSN is pretty much everywhere, and identity theft rates are only as "low" as they are because most criminals find it easier to rob people at gunpoint than to jump through a few loops in order to steal the ID of someone who more often than not will turn out to have more liabilities than assets.

    I guess you grew up with it and you'll never understand how utterly bizarre it is to foreigners that there exists a simple 9-digit number that has such huge power over a lot of aspects of your life that it may be your biggest secret, YET YOU HAVE TO FILL IT INTO SOME FORM OR SPEAK IT OUT ON THE PHONE ON A MONTHLY BASIS. Hello? Is this thing on?

  19. I don't care how safe you feel, you're wrong by HBI · · Score: 3, Interesting

    Somehow, I made it out of my parents' basement over the past 48 1/2 years. In the process, I got a clearance and roll with more background checking and additional ID than most people will ever have. None of that makes me feel even slightly safe, because I know it's all bullshit, really. It doesn't protect against espionage, identity theft or anything else, really. Moreover, the aggregation of key information into a single database is what enabled the OPM breach that gave it all away to (presumably) the Chinese. So some guy in China now knows everything about me, including my personal contacts and whatever data the USG gleaned during my background investigation.

    I subjected myself to this, and I really only have myself to blame for being captured in the OPM hack. People shouldn't be forcibly subjected to this for zero gain in any critical way. And the data won't remain secure. That much is obvious, now. Governments cannot secure electronic data.

    There's lots wrong with the system, but an ID card with crypto isn't going to fix anything, just make things worse.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  20. Re:How about by sabri · · Score: 2

    everyone gets to have the number tattooed their forehead!

    This should not even be a problem. The problem is not SSN security. The problem is the way that people think it's some kind of secret password.

    On my foreign passport, my SSN equivalent is printed on the same page as my name and photo. It's not a secret because we expect banks and similar businesses to verify identity using photo ID, not knowledge of a random 9 digit number associated with my person.

    And that is the problem. That somehow, knowledge of a 9 digit number does not prove that you actually are that person.

    --
    I'm not a complete idiot... Some parts are missing.
  21. Re: How about by nomadic · · Score: 2

    I try to avoid late-era Heinlein. His stuff got so bad.