

California Accidentally Posts 14,000 Social Security Numbers - gregpurtell
http://mashable.com/2012/12/13/california-social-security-numbers/

======
Aardwolf
If I understood it correctly, a Social Security Number is some kind of number
that identifies you, and if anyone else knows it, they can claim 100% they are
you, right? And yet you need to give that number to all kinds of companies,
hotels, and so on, and trust them?

This seems to be a trust-based system, just like credit card numbers, which is
also a concept used more in the US than elsewhere (elsewhere debit cards are
used more and credit cards are more likely to have a PIN or other
protections).

How come in the US these kinds of trust-based systems with numbers are
so popular compared to other parts of the world?

~~~
mpyne
It helps solve the problem of authenticating someone based on something they
know (e.g. for telephone password resets, banking questions, etc.) without a
ton of complicated key pre-sharing. Even at the state level it may not be
acceptable to have someone walk into a "local" office if it's 300 miles away.

Of course by now we (as in the general public and policymakers) know that this
is stupid and that there needs to be a different way. But some proposed
different ways (e.g. national ID w/ built-in PKCS crypto) are highly
politically unfavored, and no one seems to have come up with and popularized a
better way to do it that everyone will get on board with.

I personally figure that it will come down to government directing something
or the other (perhaps adopting an interoperable standard which the states must
implement) but Americans don't like solutions to come from government either.

~~~
halviti
I think he's speaking more to the way the system is set up in the US.

I believe every country has a system such as you describe. In my country,
everyone has an ID number, much like a social security number. It is tied to
everything, and is printed on everything, attached to every legal form I sign,
and anyone can look my number up. If you call some place for service, it will
be the first thing they ask for.

There is no reason to keep this number a secret, and just by having this
number, no one can steal my identity. In fact I have never even heard of a
single case of identity theft in the country, but that's not to say that it's
not possible.

Anyway, I think aardwolf is commenting on the "trust" put in the fact that
nobody else is going to use your number, whereas in other places, nobody is
going to give you that same trust, which is why we use our identifiers more
freely and rely on other methods to combat crimes like identity theft.

~~~
narcissus
Conversely, in Australia there is the Tax File Number... that's about as close
to a SSN as you'll get. The TFN is definitely personal. Unless you're dealing
with finances in some way, it's illegal (I believe) to even ask for your TFN.
Banks, employers and so on can ask for it (it makes processing your taxes
easier) but I don't believe it's a requirement to even give it to _them_.

As far as I know, the only organisation that you're required to give it to is
the tax office itself. Interestingly, by virtue of this number being so
'secretive' it really is usable as an identifier only to the tax office...
which, I daresay, helps to reduce 'identity theft' based around that number.

~~~
Turing_Machine
That was how the SSAN was supposed to be used here -- only for tax-related
things, such as banks and employers.

Unfortunately it didn't stay that way.

------
driverdan
3 level deep blogspam? Mashable takes content from ThreatPost[1] without
adding anything, ThreatPost takes it from KCRA[2]. Can we at least link to TP
or KCRA?

On the topic itself I really hope people get fired for this, although I doubt
it since it's the government. Whoever posted it, their boss, and their boss'
boss should all be disciplined. They should have an outside company audit
their security and they should take immediate action to properly control who
has access to SSNs, which should be almost no one.

1: http://threatpost.com/en_us/blogs/14000-californians-risk-following-medi-cal-dhcs-breach-121212

2: http://www.kcra.com/news/local-news/news-sacramento/State-of-Calif-mistakenly-publishes-thousands-of-SSN-online/-/12969376/17723434/-/item/0/-/14jl2vwz/-/index.html

------
stfu
Things like this scare me. Sure, these are SSNs and a lot of harm can be done
by abusing them. But what if _California's Medicaid health-assistance
program, Medi-Cal_ had electronic medical records? It is so often proposed
what kind of great budget savings such an instrument would bring, but the
consequences of data leaks in this area are extreme for individuals.

------
robrenaud
If only they posted 30 million of them, then maybe we'd get rid of the notion
of using a SSN (which is basically a username) as a password.

------
ahi
For many years you could find thousands of SSNs on court and bankruptcy
filings. The courts finally figured out that they needed to redact this stuff.
However, in a lot of places the wrong part of the SSN is redacted. The last
four digits are the digits that matter. The first 5 numbers are relatively
easy to figure out if you have birth date and birth state.

~~~
jonhohle
That's only true after the early 1980s. I was born in the early eighties, but
my SSN was assigned several years later in a different state from which I was
born.

------
elchief
Wouldn't it take about 30 seconds to put a rule on an outbound firewall to
block this?

