US Studying Ways To End Use of Social Security Numbers For ID (securityweek.com)
wiredmikey quotes a report from Security Week: U.S. officials are studying ways to end the use of social security numbers for identification following a series of data breaches compromising the data for millions of Americans, Rob Joyce, the White House cybersecurity coordinator, said Tuesday. Joyce told a forum at the Washington Post that officials were studying ways to use "modern cryptographic identifiers" to replace social security numbers. "I feel very strongly that the social security number has outlived its usefulness," Joyce said. "It's a flawed system." For years, social security numbers have been used by Americans to open bank accounts or establish their identity when applying for credit. But stolen social security numbers can be used by criminals to open bogus accounts or for other types of identity theft. Joyce said the administration has asked officials from several agencies to come up with ideas for "a better system" which may involve cryptography. This may involve "a public and private key" including "something that could be revoked if it has been compromised," Joyce added.
Sounds like another attempt at a national ID. I am sure it will go as well as all the past efforts.
You'll be able to conveniently use your social security number to get your new id number.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Blockchain. All the cool kids are doing it! Say it with me... Blockchain!
About friggin' time! I've been doing my best to avoid giving out my SSN where it's not required by law since the '80s.
One big hole that has been going on for decades is Medicare:
* Once you're old enough to be on it, you can't get regular health insurance to pay for the portion of your medical work (often all or the bulk of the cost) that Medicare pays for. Regular health plans turn into cover-the-difference supplements. You must sign up for Medicare or pay the charges yourself. (And if you don't have the government imposing price levels or the insurance companies negotiating deep discounts you get to pay the drastically inflated "regular price" that makes up for their discounts.)
* But if you DO sign up for Medicare, what do you get for an ID? Your SOCIAL SECURITY NUMBER with a single letter appended after it. They won't provide any alternative (though they have "been thinking about it" for years). You have to give this to ALL your medical providers. Get a prescription or an immunization at a pharmacy, hand in your Medicare ID. Go to a doctor, hand in your Medicare ID. Get a lab test, hand in your Medicare ID. Go to a specialist, hand in your Medicare ID.
Dozens, or even hundreds, of medical billing paperwork operations, with unknown numbers of clerks doing data entry (often offshore) and unknown competency of IT people configuring their databases, get your name and SS#. Some have even been CAUGHT selling them. Oops!
* So then we get stories about how people over 65 have a much higher rate of identity theft - typically trying to imply that these oldsters are lax in guarding their SS numbers. Well, DUH!
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Doesn't solve the problem though. You still have high-value information linked to the TID, which ultimately is the root of the problem.
Ultimately you need the TID to be unique to each taxpayer, and a subset/hash of the TID plus additional information to be linked for other (financial) purposes. The IRS should be the only ones able to re-associate you to a unique qualifier.
But until you eliminate the profit motive for credit bureaus, everything will end up being re-assembled. Back to square one.
There's nothing wrong with using SSNs for ID. A unique number for each person in the country? Perfect.
The problem is when it gets treated as a secret, and abused for "authentication". It's not a secret, any more than your date of birth is a secret. It should be treated as publicly available information. Merely "knowing an SSN" should not be sufficient information to do much of anything, except possibly "give someone money".
I was thinking about a White House petition for Virtual Social Security Numbers:
Virtual Social Security Numbers
Single use numbers that are aliases for your real number.
To protect consumers from fraud and theft many banks now offer Virtual Credit Card Numbers. They are aliases, pseudonyms, for a real credit card number. They “lock” to the first merchant to use them. If a merchant’s database is compromised and a virtual credit card number is exposed, it is unusable. All charges not originating from the first merchant are declined.
The Social Security Administration could use a similar scheme to protect employees and consumers. A Virtual Social Security Number could be given to an employer or financial institution and the number “locked” to that organization when they verify the number with the government, submit information to the government, etc. If a different organization then tries to verify or use the number the government will fail to verify, reject the submission, etc. This would help impede identity theft and financial fraud as employers and financial institutions inadvertently expose employee and consumer information.
Virtual Credit Card Numbers are generated as needed using a credit card issuer’s online services. Virtual Social Security Numbers could similarly be generated as needed by the Administration through its online services.
The Internal Revenue Service could employ a similar scheme for their various taxpayer identification numbers.
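An added Go sketch of the lock-to-first-verifier rule the post above describes; it is not part of the original comment, and the registry, the organization names and the SSN-shaped value are all constructed for the example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// aliasEntry ties a virtual number to the real one and, after first use, to
// the only organization allowed to present it ("" until then).
type aliasEntry struct{ realSSN, lockedOrg string }
// Registry stands in for the SSA-side store (an illustration, not a real service).
type Registry struct{ aliases map[string]*aliasEntry }

// IssueAlias returns a fresh random 9-digit virtual number for realSSN;
// the alias reveals nothing about the real number.
func (r *Registry) IssueAlias(realSSN string) string {
	for {
		n, err := rand.Int(rand.Reader, big.NewInt(1_000_000_000))
		if err != nil {
			panic(err) // CSPRNG failure: refuse to issue anything
		}
		alias := fmt.Sprintf("%09d", n.Int64())
		if _, taken := r.aliases[alias]; !taken {
			r.aliases[alias] = &aliasEntry{realSSN: realSSN}
			return alias
		}
	}
}

// Verify is the check an employer or bank makes. The first caller locks the
// alias; any later caller under another name is refused, so a number leaked
// from one organization's database is useless to anyone else.
func (r *Registry) Verify(alias, org string) bool {
	e, ok := r.aliases[alias]
	if !ok {
		return false
	}
	if e.lockedOrg == "" {
		e.lockedOrg = org
	}
	return e.lockedOrg == org
}

func main() {
	reg := &Registry{aliases: map[string]*aliasEntry{}}
	alias := reg.IssueAlias("000-12-3456") // constructed value, not a real SSN
	fmt.Println(reg.Verify(alias, "Acme Payroll")) // true: locks alias to Acme
	fmt.Println(reg.Verify(alias, "Fraud Bank"))   // false: leaked alias rejected
	fmt.Println(reg.Verify(alias, "Acme Payroll")) // true: Acme can keep using it
}
```

A separate alias would be issued for each employer or bank, so one leak never exposes a number usable anywhere else.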
Your social security number should really be viewed as a unique user name and not for purposes of authentication. You could then have one or more passwords for authentication purposes. Say one for taxes, one for medical, one for credit - you could change your password easily in the case of a data breach and it's less important if your user name only is leaked.
Make the companies who lost people's identity data in hacks pay for it. All of it. They're the ones who broke SSNs. They should be the ones who pay to fix it.
Well by law it's supposed to only be used for Tax identification purposes. Not healthcare, not insurance, not anything else. But everybody just ignores the Privacy Act of 1974 because it's never been enforced.
I'm too lazy to compose a creative sig.
All theories that sound reasonable on paper but are utterly divorced from reality. Only useful for keeping people dumb, just like in the totalitarian dystopias you so decry.
If you ever step out of your mom's basement (real or allegorical) into the scary, scary world, you'll notice that the US de facto already has this. In most of the country, you can't get anywhere without a car and you can't drive without a driver's license. And folks without one readily get a state ID because in most of the US, you literally can't even do as much as buy a beer without either. Also note that a lot of western European nations have national IDs, and are politically further away from totalitarianism than Ameristan, with (among other things) protection of personal privacy that still has some semblance of meaning. Do you really honestly believe the fact that there's formally no national ID is much of a hindrance to US government services intent on tracking their citizens?
On a more anecdotal note, I subjectively felt/feel far freer in Western European countries with state ID than in the USA; among many other things, I got ID-ed almost an order of magnitude more often in the latter country. Sure, I could in theory have refused and suffer the consequences, but that "in theory" is exactly why the US is so backward - you conservatives/libertarians/whatever should really get your feet on the ground and start talking in real life terms instead of lofty theoretical concepts that are hollow and being circumvented right under your firmly airborne noses.
And don't even get me started on SSNs; when I read this story, I rolled my eyes so hard that it was almost audible. Assuming you don't dedicate your life to paranoidly protecting your SSN, its security is an illusion. You know as well as I that your SSN is pretty much everywhere, and identity theft rates are only as "low" as they are because most criminals find it easier to rob people at gunpoint than to jump through a few loops in order to steal the ID of someone who more often than not will turn out to have more liabilities than assets.
I guess you grew up with it and you'll never understand how utterly bizarre it is to foreigners that there exists a simple 9-digit number that has such huge power over a lot of aspects of your life that it may be your biggest secret, YET YOU HAVE TO FILL IT INTO SOME FORM OR SPEAK IT OUT ON THE PHONE ON A MONTHLY BASIS. Hello? Is this thing on?
You can have a national ID system, but the way it likely will be designed will be a jackpot for all well-heeled attackers.
Instead, why not a national ID system based on certificates? For example:
When someone turns 21 here in the US, the country they were born in signs a certificate stating that the owner is over 21. This way, a bar owner has 100% cryptographic proof that someone is of legal age to drink... but doesn't need to know their name or any other info about the person.
If a degree from an accredited school is required, the school signs the ID with a cert showing the degree. That way, it doesn't matter who the person is... but the cert is valid.
Going into short-lived certs, one can have a cert signed by the FBI stating that there are no priors on the RAP sheet. This cert can be valid for a few days. Again, it solves the purpose and gives no data out.
Even credit records, Equifax or whatnot can sign a certificate stating someone's FICO score is over 700, ensuring they have an easy track for qualifying for a house. Since all this requires is an HSM to do the signing, it can be made well secured, with the actual scores being on an air-gapped database.
If we go with certificates, it means that one's privacy is kept, but the legal needs for stuff (age, no criminal history) are met. Add an option for the ID card holder to only show certs that are relevant, and this makes for an extremely private ecosystem.
Secure as well, since the only real points of attack are the cryptosystem (good luck), endpoint cards (which would only compromise users singly), and a signing cert holder (which only affects them). The only real single point of failure would be the physical ID card itself.
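An added Go example of the certificate idea in the comment above, not from the original post: an issuer signs a single attribute bound to a card's public key, and the relying party checks only that attribute and the expiry. The issuer name, attribute names and keys are constructed; the card's proof that it holds the Holder key (signing a challenge) is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)
// Claim is all the verifier sees: one attribute, the key of the card that
// holds it, and an expiry. No name, birth date or score travels with it.
type Claim struct {
	Issuer    string            `json:"issuer"`
	Attribute string            `json:"attribute"` // e.g. "over_21", "no_priors"
	Holder    ed25519.PublicKey `json:"holder"`    // binds the claim to one card
	NotAfter  time.Time         `json:"not_after"`
}
// Cert is a claim plus the issuer's signature over its JSON encoding (a real
// format would pin a canonical encoding; Go's fixed struct field order suffices here).
type Cert struct {
	Claim     Claim
	Signature []byte
}
func (c Claim) bytes() []byte {
	b, err := json.Marshal(c)
	if err != nil {
		panic(err)
	}
	return b
}
// Issue is the issuer's step (a state, a school, a credit bureau), ideally run
// inside an HSM so the signing key never sits beside the underlying records.
func Issue(issuerKey ed25519.PrivateKey, c Claim) Cert {
	return Cert{Claim: c, Signature: ed25519.Sign(issuerKey, c.bytes())}
}
// Verify is the relying party's check: right attribute, unexpired, genuine
// signature under a trusted issuer key. It learns nothing else about the holder.
func Verify(issuerPub ed25519.PublicKey, cert Cert, attribute string, now time.Time) bool {
	if cert.Claim.Attribute != attribute || now.After(cert.Claim.NotAfter) {
		return false
	}
	return ed25519.Verify(issuerPub, cert.Claim.bytes(), cert.Signature)
}
func main() {
	issuerPub, issuerKey, _ := ed25519.GenerateKey(rand.Reader) // issuer's (HSM) key
	cardPub, _, _ := ed25519.GenerateKey(rand.Reader)           // holder's card key
	cert := Issue(issuerKey, Claim{Issuer: "State DMV", Attribute: "over_21", Holder: cardPub, NotAfter: time.Now().AddDate(1, 0, 0)})
	fmt.Println(Verify(issuerPub, cert, "over_21", time.Now()))   // true
	fmt.Println(Verify(issuerPub, cert, "no_priors", time.Now())) // false: wrong attribute
}
```

Short-lived claims such as the "no priors" example are just a near-term NotAfter; the verifier's clock check then does the revocation work without any call back to the issuer.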