US Studying Ways To End Use of Social Security Numbers For ID (securityweek.com)
wiredmikey quotes a report from Security Week: U.S. officials are studying ways to end the use of social security numbers for identification following a series of data breaches compromising the data for millions of Americans, Rob Joyce, the White House cybersecurity coordinator, said Tuesday. Joyce told a forum at the Washington Post that officials were studying ways to use "modern cryptographic identifiers" to replace social security numbers. "I feel very strongly that the social security number has outlived its usefulness," Joyce said. "It's a flawed system." For years, social security numbers have been used by Americans to open bank accounts or establish their identity when applying for credit. But stolen social security numbers can be used by criminals to open bogus accounts or for other types of identity theft. Joyce said the administration has asked officials from several agencies to come up with ideas for "a better system" which may involve cryptography. This may involve "a public and private key" including "something that could be revoked if it has been compromised," Joyce added.
Sounds like another attempt at a national ID. I am sure it will go as well as all the past efforts.
You'll be able to conveniently use your social security number to get your new id number.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Blockchain. All the cool kids are doing it! Say it with me... Blockchain!
About friggin' time! I've been doing my best to avoid giving out my SSN where it's not required by law since the '80s.
One big hole that has been going on for decades is Medicare:
* Once you're old enough to be on it, you can't get regular health insurance to pay for the portion of your medical work (often all or the bulk of the cost) that Medicare pays for. Regular health plans turn into cover-the-difference supplements. You must sign up for Medicare or pay the charges yourself. (And if you don't have the government imposing price levels or the insurance companies negotiating deep discounts you get to pay the drastically inflated "regular price" that makes up for their discounts.)
* But if you DO sign up for Medicare, what do you get for an ID? Your SOCIAL SECURITY NUMBER with a single letter appended after it. They won't provide any alternative (though they have "been thinking about it" for years). You have to give this to ALL your medical providers. Get a prescription or an immunization at a pharmacy, hand in your Medicare ID. Go to a doctor, hand in your Medicare ID. Get a lab test, hand in your Medicare ID. Go to a specialist, hand in your Medicare ID.
Dozens, or even hundreds, of medical billing paperwork operations, with unknown numbers of clerks doing data entry (often offshore) and unknown competency of IT people configuring their databases, get your name and SS#. Some have even been CAUGHT selling them. Oops!
* So then we get stories about how people over 65 have a much higher rate of identity theft - typically trying to imply that these oldsters are lax in guarding their SS numbers. Well, DUH!
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
There's nothing wrong with using SSNs for ID. A unique number for each person in the country? Perfect.
The problem is when it gets treated as a secret, and abused for "authentication". It's not a secret, any more than your date of birth is a secret. It should be treated as publicly available information. Merely "knowing an SSN" should not be sufficient information to do much of anything, except possibly "give someone money".
I was thinking about a White House petition for Virtual Social Security Numbers:
Virtual Social Security Numbers
Single use numbers that are aliases for your real number.
To protect consumers from fraud and theft many banks now offer Virtual Credit Card Numbers. They are aliases, pseudonyms, for a real credit card number. They “lock” to the first merchant to use them. If a merchant’s database is compromised and a virtual credit card number is exposed, it is unusable. All charges not originating from the first merchant are declined.
The Social Security Administration could use a similar scheme to protect employees and consumers. A Virtual Social Security Number could be given to an employer or financial institution and the number “locked” to that organization when they verify the number with the government, submit information to the government, etc. If a different organization then tries to verify or use the number the government will fail to verify, reject the submission, etc. This would help impede identity theft and financial fraud as employers and financial institutions inadvertently expose employee and consumer information.
Virtual Credit Card Numbers are generated as needed using a credit card issuer’s online services. Virtual Social Security Numbers could similarly be generated as needed by the Administration through its online services.
The Internal Revenue Service could employ a similar scheme for their various taxpayer identification numbers.
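To make the lock-to-first-user rule above concrete, here is an added sketch of such an alias registry in Go. It is not code from the commenter, the Social Security Administration or any bank's virtual card service; the alias format, the organization names and the "REAL-ID-PLACEHOLDER" value are constructed for the example. The point it shows is the failure mode the comment cares about: an alias copied out of one organization's database is rejected when a second organization tries to verify it, and the underlying number never leaves the registry.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// aliasRecord is what the issuing agency keeps per alias. The real number
// never leaves the registry; relying organizations only learn "verified" or not.
type aliasRecord struct {
	realID   string // underlying identifier, known only to the registry
	lockedTo string // organization that first verified the alias; "" until then
	revoked  bool
}

// Registry is a hypothetical lock-on-first-use alias service.
type Registry struct {
	mu      sync.Mutex
	aliases map[string]*aliasRecord
}

func NewRegistry() *Registry {
	return &Registry{aliases: make(map[string]*aliasRecord)}
}

// Issue mints a fresh random alias bound to realID. The holder hands the
// alias, never realID, to an employer or financial institution.
func (r *Registry) Issue(realID string) (string, error) {
	var b [8]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	alias := "V-" + hex.EncodeToString(b[:]) // constructed alias format
	r.mu.Lock()
	defer r.mu.Unlock()
	r.aliases[alias] = &aliasRecord{realID: realID}
	return alias, nil
}

var (
	ErrUnknownAlias  = errors.New("alias not issued")
	ErrRevoked       = errors.New("alias revoked")
	ErrLockedToOther = errors.New("alias locked to a different organization")
)

// Verify is called by an organization submitting the alias. The first caller
// locks the alias to itself; any later caller with a different name is rejected,
// so an alias leaked from one organization's database is useless elsewhere.
func (r *Registry) Verify(alias, org string) error {
	r.mu.Lock()
	defer r.mu.Unlock()
	rec, ok := r.aliases[alias]
	if !ok {
		return ErrUnknownAlias
	}
	if rec.revoked {
		return ErrRevoked
	}
	switch rec.lockedTo {
	case "":
		rec.lockedTo = org // first use locks the alias
	case org:
		// repeat use by the same organization is fine
	default:
		return ErrLockedToOther
	}
	return nil
}

// Revoke disables an alias, e.g. after the locked organization reports a breach.
func (r *Registry) Revoke(alias string) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	rec, ok := r.aliases[alias]
	if !ok {
		return false
	}
	rec.revoked = true
	return true
}

func main() {
	reg := NewRegistry()
	alias, _ := reg.Issue("REAL-ID-PLACEHOLDER") // constructed, not a real number
	fmt.Println("issued", alias)
	fmt.Println("first use by Acme Bank:", reg.Verify(alias, "Acme Bank"))
	fmt.Println("reuse by Other Corp:", reg.Verify(alias, "Other Corp"))
	reg.Revoke(alias)
	fmt.Println("after revocation:", reg.Verify(alias, "Acme Bank"))
}
```

Revocation is what gives the holder a way out after a breach at the organization the alias is locked to: the alias is killed and a new one issued, while the underlying number is untouched.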
Your social security number should really be viewed as a unique user name and not for purposes of authentication. You could then have one or more passwords for authentication purposes. Say one for taxes, one for medical, one for credit - you could change your password easily in the case of a data breach and it's less important if your user name only is leaked.
Make the companies who lost people's identity data in hacks pay for it. All of it. They're the ones who broke SSNs. They should be the ones who pay to fix it.
You can have a national ID system, but the way it likely will be designed will be a jackpot for all well-heeled attackers.
Instead, why not a national ID system based on certificates? For example:
When someone turns 21 here in the US, the country they were born in signs a certificate stating that the owner is over 21. This way, a bar owner has 100% cryptographic proof that someone is of legal age to drink... but doesn't need to know their name or any other info about the person.
If a degree from an accredited school is required, the school signs the ID with a cert showing the degree. That way, it doesn't matter who the person is... but the cert is valid.
Going into short-lived certs, one can have a cert signed by the FBI stating that there are no priors on the RAP sheet. This cert can be valid for a few days. Again, it solves the purpose and gives no data out.
Even credit records, Equifax or whatnot can sign a certificate stating someone's FICO score is over 700, ensuring they have an easy track for qualifying for a house. Since all this requires is an HSM to do the signing, it can be made well secured, with the actual scores being on an air-gapped database.
If we go with certificates, it means that one's privacy is kept, but the legal needs for stuff (age, no criminal history) are met. Add an option for the ID card holder to only show certs that are relevant, and this makes for an extremely private ecosystem.
Secure as well, since the only real points of attack are the cryptosystem (good luck), endpoint cards (which would only compromise users singly), and a signing cert holder (which only affects them). The only real single point of failure would be the physical ID card itself.
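As an added illustration of the attribute-certificate idea in this comment (not code from the commenter or from any agency), here is a minimal version in Go using Ed25519 from the standard library. The issuer label "example-authority", the attribute names such as "over_21" and "fico_over_700", and the validity periods are all assumptions made for the example. It shows the three properties the comment relies on: the relying party learns only the one attribute plus a validity window, a tampered or expired certificate fails verification, and a certificate copied off one card is useless without that card's private key because the verifier challenges the holder with a fresh nonce.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claim is everything a relying party sees: one attribute, the holder's public
// key, the issuer's label and a validity window. No name, no SSN, no raw score.
type Claim struct {
	Attribute string            `json:"attribute"`  // e.g. "over_21" (constructed names)
	Subject   ed25519.PublicKey `json:"subject"`    // holder's key; binds the cert to the card
	Issuer    string            `json:"issuer"`     // hypothetical issuer label
	NotBefore time.Time         `json:"not_before"` // short windows suit "no priors" style claims
	NotAfter  time.Time         `json:"not_after"`
}

// Credential is a Claim plus the issuer's Ed25519 signature over its JSON form.
type Credential struct {
	Claim     Claim  `json:"claim"`
	Signature []byte `json:"signature"`
}

var (
	ErrUnknownIssuer  = errors.New("issuer not trusted")
	ErrBadSignature   = errors.New("signature does not verify")
	ErrWrongAttribute = errors.New("certificate does not carry the requested attribute")
	ErrNotValidNow    = errors.New("certificate outside its validity window")
)

// Issue runs at the signing authority (in practice the key lives in an HSM).
// The underlying record (birth date, score, RAP sheet) stays with the issuer.
func Issue(priv ed25519.PrivateKey, issuer string, subject ed25519.PublicKey,
	attr string, from time.Time, ttl time.Duration) (Credential, error) {
	c := Claim{
		Attribute: attr,
		Subject:   subject,
		Issuer:    issuer,
		NotBefore: from.UTC(),
		NotAfter:  from.UTC().Add(ttl),
	}
	payload, err := json.Marshal(c)
	if err != nil {
		return Credential{}, err
	}
	return Credential{Claim: c, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is what the bar owner, employer or lender runs: trusted issuer,
// valid signature, the attribute they actually need, and a current window.
func Verify(trusted map[string]ed25519.PublicKey, cred Credential, wantAttr string, now time.Time) error {
	pub, ok := trusted[cred.Claim.Issuer]
	if !ok {
		return ErrUnknownIssuer
	}
	payload, err := json.Marshal(cred.Claim)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, payload, cred.Signature) {
		return ErrBadSignature
	}
	if cred.Claim.Attribute != wantAttr {
		return ErrWrongAttribute
	}
	if now.Before(cred.Claim.NotBefore) || now.After(cred.Claim.NotAfter) {
		return ErrNotValidNow
	}
	return nil
}

// ProveHolder is the possession check: the relying party sends a fresh nonce,
// the card signs it with the subject key. A copied credential fails here.
func ProveHolder(cred Credential, nonce, proof []byte) bool {
	return ed25519.Verify(cred.Claim.Subject, nonce, proof)
}

func main() {
	issPub, issPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"example-authority": issPub}
	cred, _ := Issue(issPriv, "example-authority", holderPub, "over_21", time.Now(), 72*time.Hour)
	fmt.Println("verify over_21:", Verify(trusted, cred, "over_21", time.Now()))
	nonce := []byte("constructed-challenge-nonce")
	fmt.Println("holder proof:", ProveHolder(cred, nonce, ed25519.Sign(holderPriv, nonce)))
}
```

Selective disclosure falls out of the structure: the card holds one credential per attribute and presents only the one the situation calls for, and the relying party keeps only a trust list of issuer public keys, not any personal data.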