The Social Security Administration's official policy on SSNs is that consumers don't have to give their SSN to businesses with the exception of tax-related things like employment and banks. But, they also say that businesses can choose to not do business with you if you are unwilling to give out your SSN.
And businesses have done nothing to help people secure their identities. In fact, they've done the opposite.
Starting around 20 years ago, I refused to give my SSN out except where it was specifically required by the govt. The insurance companies seemed to be the ones who had the hardest time of it; it required hours of effort with my insurance company to let me not have my SSN as my identifier. They ended up putting all zeroes in. But then every time I used my insurance I had to work with them ("What is your SSN?" "The insurance company doesn't use my SSN, they use all 0s." Blank stare).
Around 10 years ago it got to the point where there was even more push back and the effort was more than it was worth.
It really wasn't helping, being "the one guy who wouldn't give out his SSN". Pretty much every time I explained it to a doctors office they would say "I've never heard of that before, but it makes sense." That sort of pushback only really works if, you know, at least a few people do it. :-)
In the 80s and early 90s, I also would refuse to give my SSN for non-taxid purposes.
I also was worn down by the system. Employers wouldn’t understand. (HR was horrid.) Buying a house was more difficult. Medical provider relationships were more complicated.
Cheers to you.
But you're happy to give them your national ID number from your home country. Bonus points if you actually have another passport to wave around while claiming this.
This doesn't work all the time, but it's surprisingly effective in like 90% of cases.
I think most cases are companies that use software that just assumes the SSN will be readily available.
It's well and good for a given organisation to have its own internal identifier. And virtually all do -- that's what your account number, or customer ID, or payment number, etc., are. That works fine for internal operations.
But it doesn't address the inter-organisational problem.
1. Well, sometimes. Actually the hijinks that can happen within an organisation with identifiers are ... numerous.
I fear that financial institutions will use the change as an opportunity to offload their due diligence onto consumers.
Someone having my private key should not have any greater ability to implicate or permanently damage me than someone having my SSN.
There would also be far less hacking to get SSNs if we had a reasonable credit system where our credit is always frozen and only unfrozen for a short window (24 hours?) at our request and this request is verified via a MFA approach of our choosing. As long as you can get $5K credit at the register in 5 minutes, you are going to have a hard time stopping identity theft. Too many people want easy credit. It will always be a balance of security and convenience. Most consumers want convenience and will continue to do so as long as the cost of the fraud is hidden from them.
Isn't it kind of insane that a random entity can destroy your financial reputation with little more than a few bits of info about you? And without any notice before or after of it happening (you have to affirmatively ask about it to find out). It's so strange that you will get notified if you're rejected for credit due to your credit score, but not notified by the party who made the claim on which that decision was based?
In most cases, if there's a case of fraud, you file a counter, and (modulo various bureaucratic foulups), you're clear. The merchant almost always eats the cost, and that really should be changed, at least balanced with the financial institution.
The burden is more from the "death by a thousand cuts" variety of having to go through the re-assertion process again and again and again and .... I've been looking at attention and cognition mostly in the context of media, but the simple truth is that most of us are bombarded by all sorts of demands and claims, dealing with which is an increasingly insurmountable burden.
I liken this to point-and-click computer interfaces. It's simple to graphically delete a few files or folders or message notifications. It's a slight chore when that rises to 20 or 30. At the level of a hundred or so items, most people would give up. With more powerful tools, it's possible to manage hundreds, thousands, even millions of items with dispatch. (Of course, that may increase the likelihood that you'll have to do so.)
Given the frequency of issues and the magnitude of them, presented through current financial and authentication mechanisms, even "easy" repudiation becomes untenable at scale.
When someone wants to confirm your identity, or otherwise interact with your 'financials', you get sent an email with a quickly expiring link that you click on to view a page where you enter the name of the org or person you /think/ is checking your data, and if it matches things work.
Beware Maginot defences.
SSNs are lost for good on breaches of companies' infrastructures, but nothing should be lost in a Pub/Priv key scheme. What we'll need is a good key revocation process. So when my identity is compromised (say, malware on a device) then I can be me again.
If you have the technical know-how to protect your private key, and you're immune from rubber hose attacks, and there's no mechanism for key recovery outside your control, I'd agree.
And I'm not aware of any system suitable to replace SSN that can withstand rubber hose attacks. That's where law enforcement & the justice department will have to step in, as always.
If your card holds a private key and won’t sign anything without also being fed a correct PIN you’d need a proper exploit of the application on the card to defeat it.
Like - US for a very long while didn't use chip & PIN - but it was simple to deny the transactions and as a consumer you were somewhat well protected, despite lax security. But this generates large costs, and perversely, the cost/uncertainty affects the small businesses the most.
Yes, when I use 3DSecure for an online transaction, the bank shifts the burden of proof to me (a correctly-authorized 2-factor transaction cannot be simply challenged with a complaint at the bank, I have to prove that it wasn't me). Still, it's hard to argue that 2-factor for online transactions is consumer-unfriendly, even if the consumer loses the deniability.
By that I mean that we need to educate the masses that a few letters and numbers are as valuable and powerful as the combination to their home safe or keys to their car. People just aren't inclined to exercise the same degree of caution over some gibberish letters as they are the cash in their sock drawer, even though the gibberish is potentially much more valuable.
I'm skeptical that such an education is possible without it being ingrained from youth and even then it may be impossible to achieve a high enough degree of understanding to make the kind of shift you envision.
If people have to go through a lot of trouble, I suspect they would quickly learn a way to minimize the risk of having to do so. I suspect that most people are careful with their passports so that they don't lose them, because it is a bit of a hassle to get a replacement.
1. The use of a physical authentication mechanism makes exfiltration far more difficult. The problem with passwords is that they can be sniffed with absolutely no awareness by the victim. A device or token you have to have yourself is going to make its absence known.
(This presumes it's not cloneable.)
2. That reduces the attack surface for phishing. What I suspect is that you'd see other forms of attack -- say, trying to get recurring charges inserted into bills or some such, rather than full account access.
3. In the event of token compromise, the ability to determine after the fact that a device was compromised and invalidate the subsequent transactions would be helpful. (Sorting out who bears the risk for that would be an interesting question. I'd like to put the burden on the banks, as they're best positioned to detect such activity.)
Gibberish is not something humans can remember. Technical people use a password manager, but that just limits us to one password that we use often enough that we have a chance to remember it. One wrong knock to the head though and all the passwords stored in the manager are gone - unless you wrote the password down someplace, but then that place is your sock drawer: probably not secure enough.
In France, the privacy watchdog CNIL was founded in 1978 when the idea of using the social security number for all sorts of other purposes got proposed (and rejected), prompting some safeguards.
In the US, we've been so allergic to a "national ID card" that we just re-purposed the SSN into the very same thing. But then we decided to make it both a unique ID and a password, despite it being a terrible way to perform authentication (and an even worse way to do authorization).
Of course, because there is no voter ID there is no accurate way to measure voter fraud. Because there is no way to measure it, it can be truthfully claimed that there is no evidence that it is significant. Because there is no evidence that voter fraud is significant, there is no need to introduce voter ID.
Privacy minded and anti-government types opposed RealID.
Ironically, globally unique identifiers are required to protect our demographic data. Otherwise all records must be stored as plaintext (unencrypted). I was very chagrined when I finally figured this out, causing me to support RealID.
Source: Me. I worked on both voter privacy and electronic medical records.
The government, through contracts with services like Lexis/Nexus (nee Seisent), have already created globally unique identifiers for pretty much every person, living or dead. Replacing SSN would just formalize, simplify, and daylight such matters.
Alas, wedge issues like voter registration databases (assessing eligibility to vote) and immigration status, in near real-time, would become trivial and nearly error free, so I doubt this commonsense, practical effort will happen any time soon.
SSNs are useful as a unique identifier for Americans. But the weird process by which they've become some sort of "password" for accessing credit and such in someone's name is crazy, and pretty obviously not working.
They basically are available to any business that needs them. Just takes a few months to go through the compliance process for an identity verification company. See https://cognitohq.com/docs
Regarding it being a password, yeah that is pretty bad. Some friends of mine are working on Bloom (https://hellobloom.io/) which is trying interesting things that hook into the real world (necessary) while also trying to create a better system eventually. Basically, an ID you control with a private key is approved by identity verification services. Your friends basically vouch for the ID being correct. Your identity is tied to that ID. If you lose the private key then you have your friends invalidate the old ID and transfer their vouch to your new ID. Way better than just a secret number.
Obviously it should so - but obviously, they shouldn't be using them in the first place. Doesn't seem like it would stop anyone - possibly for regulated entities like banks, maybe - but even then, they'd probably have to be dragged, kicking & screaming.
Most people won't even need to know the public/private key exists, but techies can leverage it to automate their lives some day.
Let's say I want to open a bank account with bank X. So I go to bank X's website and click open an account. Select my country and it redirects me to an oauth login page for my government. I log in and authorize the bank to view my basic identity info. Now the bank knows who I am and I can finish opening the account.
For in-person interactions, I could have my phone scan some person/company's public key in the form of a QR code and generate a QR code of my own that will let that company instantly authenticate me (airline, cruise line, police officer, etc.) with the government, but that same QR code will not do anything with any other person who sees my code because it is encrypted with the company's public key.
My government password can be reset if compromised and I never have to give it out to anybody, which puts it miles ahead of social security numbers from day 1. My phone is secure if lost, because it requires my government password to unlock the app as well as some biometric information.
> those not comfortable with technology
Or those of us that are comfortable with technology refuse to carry tracking devices in this post-Snowden world.
The internet is already creating far too many interdependencies that will have unforeseen consequences and create the risk of cascade failure. I strongly recommend to anyone that wants to tie something as important as government services to the internet that they listen to Dan Geer's recent-ish talk, and maybe reconsider the kind of future they are trying to create.
"Have you or a loved one ever experienced identity theft?"
"How long did it take to get things fixed?"
"Since your social security number never actually changed, what's to stop you from having new issues 5 or 10 years from now?"
"The cost of a pay-as-you-go phone can be less than the cost of 'Identity theft protection'."
If that doesn't work, let them opt out.
A friend of mine worked on a shareholder database for AT&T back in the 70s/80s and discovered this when they tried to make their SSN column unique.
Now, AT&T also asks for account holders' tax ids, which they use to pull credit reports, and to report on credit activity.
The issue is people are giving AT&T incorrect SSNs.
There are 248 birthing centers in the United States, and only about 1% of all births occur outside of one (typically a BC is at a hospital).
This long HuffPo piece profiling the problem ... manages to specifically fail to answer that question, though it does note that "more than half of all rural counties in this country are now without a single local hospital where women can get prenatal care and deliver babies."
This list suggests there are 1627 rural counties in the US. So at least 814 of them lack a birthing facility (hospital, clinic, etc.) of some stripe.
There are 3,142 counties total in the US.
I'm not sure every "hospital" itself has a maternity ward, given my familiarity with several specifically in outlying areas (many are not much more than glorified first-aid stations, without permanent resident physician staff -- that happens to be how I'm principally aware of them).
But we're down to something on the order of 2500 - 5000 facilities, now, which remains a pretty low count.
If you are on HN and have a randomly-assigned Area Number on your SSN, you are, however, precocious.
My feeling is, "this is probably you" is good enough for nearly every transaction people will perform. And we've long had a system in place to deal with the special cases in which this is not good enough: notaries.
Financial companies need to come to terms with this fact and accept insurance against its exploitation as a cost of doing business.
For taxes and other government documents, we should all move to a tax id system, like businesses use.
Much of the remaining argument revolves around credit and risk, and around advertising and tracking. I'd argue that the first does not require single-ID tracking, and the second should under no circumstances be allowed to institute it.
Much of the remaining space is national accounts types stuff: tax, pension, and medical authorities, passport/border control, some licensing (much of that at the state/local level).
But yes, at the national level, there is a call for 1:1 account assignments, though those need not be unified across all services.
Unfortunately this is the Federal government we're talking about so the chance of it being completed in any timely fashion are slim.
There will be roughly 300 million disinterested users, making it work reliably in that scenario is important.
Combine that with X forms of id to issue a new smart card (like passports today) or pre-delegation to M of N trusted people to vouch for you (ex: you could delegate "choose two of mom + dad + brother") and you cover the majority of the population.
There are a lot of competing concerns here, not the least among them being privacy. For example, if a system based on public key cryptography becomes commonplace in the US, will websites start using that same system for authentication? There are some rather significant privacy issues associated with having a government issued, globally unique ID associated with your account on random websites.
Maybe this is something the tech industry in the US should be involved in? I imagine lots of companies would jump at the chance to be involved in a standards group designing a unified method for citizen authentication in the US.
BTW, after the Equifax hack, financial institutions should be mandated to stop trusting SSN as proof of identity.
* Tax authority (TIN).
* Pensions system (e.g., SSN)
* Possibly a voting ID, though that's fraught.
* Military or national service ID.
* State tax ID.
* Drivers registration.
* Real estate / property ID.
* Medical records ID.
* Social benefits ID.
* Other registrations, e.g., weapons, broadcast licenses, etc.
For some purposes, there's a need for a single identifier. For others, various counterparties only need to agree that they are talking about the same party. Creating paired (or multi-part) keys might work for that. (This could also cut down on the rampant and promiscuous data exchanges that occur currently, particularly if the subject of the data had to participate in the making of any such shared identifier.)
For the general case of online identity, I'd really like to see the concept of an identity manager, with various policies which could be set, both as defaults and with specific counterparties.
As an example, I might have a policy that "all sites default to a one-time session identifier which is destroyed after 24 hours". This gives a stateful history for 24 hours, but a clean slate afterwards. It should be enough for basic site navigation, but not for deeper interactions (e.g., posting inane comments to HN). The periods might be longer or shorter.
For a select set of sites, persistent IDs might be presented, but specific only to a given site.
And where necessary, a set of sites might have a common ID. Say, a cluster of systems used for work purposes.
And if needs be, you might have a limited set of systems -- your government pensions account, tax systems, and voting registration, say -- which link to a specific government-issued ID.
For such a system, I see a physical token (I'm partial to very-near-field chips in a worn form-factor, say an NFC-ring), some additional input (password, passphrase, possibly biometrics), and then, by way of an identity management system (probably on a local device), the identity assertion specific to a given service is offered.
There are any number of other elements to this, including the problems of deanonymising data and such. For that I see legal reforms coming into place, which is a longer discussion.
Say I have a private key, and I want a business to have a way to ID me. They give me a key associated with me in their database, and I encrypt it with my private key, and give the results back. Now when someone wants to do business with them in my name they must turn those results back into what the business has in their database. So long as I keep my key safe the business can leak data all they want.
This would shift all the work for security over to the citizens though, which could have mixed results...
There would be a lot of non-trivial considerations by pushing all this on average joes (both as individuals and as people attempting to verify individuals).
A system that appears secure but isn't is more dangerous. I can hear a 60 year old now: "Aunt Claire is stuck in London and needs money! We know it's her, here's her [expired key] encrypted message!"
A "bad keys" registry might be a useful / necessary thing.
Enforcing a regular expiry might also be an option, though ... you'd have to think through that. Keep in mind that technology is continuously improving (or at least has been to date), and there might be a circumstance in which All Keys Suddenly Go Bad, which would have to be dealt with.
(Figuring out ways in which to make such situations Less Obviously a Shitfest could be ... useful.)
When I've very roughly scoped things out at Google Scale (> 3 billion registered Android profiles), and made modest assumptions such as 1% of users lose their token annually, you're looking at ~10,000 resets per day. So you'll have to have provisions for doing this in any system that's intended to be in the least part useful.
As for attacks, I'd strongly suggest finding a good reference of 19th century financial frauds and reading through it. The fundamentals do not (generally) change.
In regards to "which version do we trust if a new key has been issued?": My gut says there would need to be a centralized system for which ones have been voided, and which ones haven't. At that point what we're doing is making SSNs that we can invalidate, with the added disadvantage of being much more confusing to work with.
I have no idea what the right answer is, but Aunt Claire is (possibly) in need so we need to figure this out fast.
If you lose your private key you would have to go to some government services office and bring additional documents to prove who you are just like a passport.
I'm strongly partial to a worn form-factor. A near-field-chip ring, essentially a modern signet ring, which interacts with various authentication systems, strikes me as attractive.
You would go down to some place (govt office) to get the device (card?). They would take the device, pop it in a reader/writer, and the device would ask you for a key and your biometric data (maybe a fingerprint?). The device would have on it a keypad and fingerprint reader (or whatever). Once you typed in your PIN and scanned your fingerprint, it would generate a private key, hash all three together and store it in the card. This key would be "permanent" to the card (if you lose the card, you have to get another). The key wouldn't be saved anywhere (not in a govt database, etc). And it couldn't be retrieved from the card.
To prove your identity, you would slot the card into a reader, swipe your fingerprint, type in your PIN. If your PIN and fingerprint plus key on card hashed matches the stored hash - then you are identified and the card outputs a "true" value to the reader. Otherwise, it outputs a "false" value indicating no match.
Multi-factor auth - something you have (the card), something you know (the pin), something you are (the fingerprint/biometric).
That's the basic gist or blueprint - essentially an ID card that can't have its ID read (not easily at least - I imagine that you could read it with proper decapping and electron microscopy), with a built in keypad and biometric read sensor in one unit. Anywhere you need to do a transaction to prove yourself, you need to use a reader (even online - so as a part of you getting your card, you would get a reader too).
There's probably a ton in the scheme that I am missing or have wrong, but I think the basic idea is there, and I think it is possible to do with today's technology. The idea is that just having the card alone isn't enough. Just having the id number/key isn't enough. You need all three pieces for it to work.
It isn't "rubber hose" proof - but then again, not much is or can be.
You have now destroyed any security this device has, as no one wants to create a brand-new PIN every 90 days, no matter how much or little entropy it has.
Changing passwords on a regular basis as a security best practice has been debunked for years now. Even NIST is (finally) on board, saying that forced regular password changes should not be used in an attempt to increase security.
Your password/PIN should be changed iff there is reason to believe it has been compromised.
Don't you mean with your public key? Pretty sure encrypting things with your _private_ key is pretty unusual. (Unless you're talking about digital signatures with RSA.)
but we don't need a national ID. at all. the tracking that will most certainly accompany that is diametrically opposed to the concept of a free people.
banks take a risk with every account and every transaction. it's up to those institutions to figure out how to manage that risk, without obligating all americans to give up their hard fought and valuable constitutional right to privacy to make it easy for them.
There are fewer than 1 billion unique SSNs. Yes, there are 8 digits, but there are significant ranges of invalid values. The Social Security Administration will run out of numbers within a few decades, at most.
It's one thing to have enough values to assign everybody. It's another for the namespace to be so densely populated that any randomly-chosen value is likely to be valid. This ... creates problems.
There are no check or validity values within SSNs. There's a structure to the digits (Area, Group, and Serial numbers), but even those are at best vague, there've been three regimes of assignment (< 1972, 1972-2011, and 2011+), and other than "this value isn't within a validly assigned range", there are, again, no validity checks.
Provisions for being issued a new SSN are at best cumbersome.
That's just off the top of my head. I've worked in large-scale data analysis and processing, though years ago, and there are long and detailed discussions of the limitations and failures of SSNs even just as account identifiers.
Using them outside the SSA only compounds those issues.
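As an added illustration of the "no validity checks" point above (my own example, not the commenter's): the entire structural check an SSN admits, plus the size of the space that check leaves, in Go. The never-issued ranges are the publicly documented ones; the count assumes the post-2011 randomized scheme, under which every other area number is eligible.

```go
package main

import (
	"errors"
	"regexp"
	"strconv"
)

var ssnRe = regexp.MustCompile(`^(\d{3})-?(\d{2})-?(\d{4})$`)

// StructurallyValid applies the only checks the SSN format admits: never-issued
// area numbers (000, 666, 900-999), group 00 and serial 0000. Passing says
// nothing about whether the number was ever assigned, or to whom.
func StructurallyValid(s string) (bool, error) {
	m := ssnRe.FindStringSubmatch(s)
	if m == nil {
		return false, errors.New("not nine digits in AAA-GG-SSSS form")
	}
	area, _ := strconv.Atoi(m[1])
	group, _ := strconv.Atoi(m[2])
	serial, _ := strconv.Atoi(m[3])
	switch {
	case area == 0 || area == 666 || area >= 900:
		return false, errors.New("area number never issued")
	case group == 0:
		return false, errors.New("group 00 never issued")
	case serial == 0:
		return false, errors.New("serial 0000 never issued")
	}
	return true, nil
}

// ValidSpace counts the values that pass the check: areas 001-899 minus 666,
// groups 01-99, serials 0001-9999.
func ValidSpace() int {
	areas := 0
	for a := 1; a <= 899; a++ {
		if a != 666 {
			areas++
		}
	}
	return areas * 99 * 9999
}

// RandomHitRate is the share of all nine-digit strings that pass the structure
// check, i.e. how little a format check filters out of a guessed or random value.
func RandomHitRate() float64 { return float64(ValidSpace()) / 1e9 }
```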
it seems even for just social security, the SSN numbering system could use an update, integrating everything we've learned about identity schemes in the last 100 years.
Ban SSNs as identifiers with private companies not affiliated with providing retirement benefits.
And as I've commented elsewhere on this thread, SSNs themselves actually do have numerous problems and deficiencies, even if confined to the SSA.
Replacing SSN would daylight this fact, exposing an inconvenient truth.
If I need to authenticate through their system the Federal government will definitely know.
I would actually put that concern near the top of my list of things that is not relevant to this discussion.
I think Google's dropped the ball, badly, on identity and authentication (though they're ... making some movement with physical 2FA).
I've got massive misgivings myself about private tech firms getting into this space, though I do think they might have useful elements to add by way of suggesting protocols and standards. And I'd be really surprised if various majors aren't part of the discussion. Google, Facebook, Microsoft (remember Passport?), Oracle, IBM. And databrokers such as ADP. Plus banking and financial institutions, who've mostly created the mess....
Beats having to dredge up my high school year book, social security card, birth certificate, and high school transcript (None of which are actually inspected of course).
How do you defend against replay attacks?
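The replay question above, worked through against the "sign the identifier the business gave me" scheme proposed earlier in the thread (with the sign-with-private-key, verify-with-public-key correction applied). This is an added example and not any commenter's code: the business id "acme-bank" and the one-minute freshness window are assumed values, and the PIN/biometric gate on the device is modelled only by a comment.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"time"
)

// Holder models the citizen's device; the private key never leaves it.
type Holder struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewHolder() *Holder {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // the OS CSPRNG failing is not recoverable here
	}
	return &Holder{priv: priv, Pub: pub}
}

// SignStatic is the "sign the identifier the business gave me" idea: one fixed token.
func (h *Holder) SignStatic(businessID []byte) []byte { return ed25519.Sign(h.priv, businessID) }

// Business keeps only public material plus the nonces it has already accepted.
type Business struct {
	ID, StaticToken []byte
	Pub             ed25519.PublicKey
	seen            map[string]bool
}

func Enroll(businessID []byte, h *Holder) *Business {
	return &Business{ID: businessID, Pub: h.Pub, StaticToken: h.SignStatic(businessID), seen: map[string]bool{}}
}

// VerifyStatic accepts anyone holding the stored token: a copy lifted from the
// business's own database or from one earlier session works forever.
func (b *Business) VerifyStatic(token []byte) bool {
	return bytes.Equal(token, b.StaticToken) && ed25519.Verify(b.Pub, b.ID, token)
}

// Challenge is fresh per attempt: random nonce, issue time and the asking business.
type Challenge struct {
	Nonce, BusinessID []byte
	IssuedAt          int64
}

func (b *Business) NewChallenge(now time.Time) Challenge {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return Challenge{Nonce: nonce, BusinessID: b.ID, IssuedAt: now.Unix()}
}

// encode fixes the exact bytes signed: business id || big-endian timestamp || nonce.
func encode(c Challenge) []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(c.IssuedAt))
	return append(append(append([]byte{}, c.BusinessID...), ts[:]...), c.Nonce...)
}

// Answer is what the device emits after its own PIN/biometric gate has passed.
func (h *Holder) Answer(c Challenge) []byte { return ed25519.Sign(h.priv, encode(c)) }

// VerifyChallenge rejects challenges meant for another business, stale ones,
// reused nonces and, finally, anything the enrolled key did not sign.
func (b *Business) VerifyChallenge(c Challenge, sig []byte, now time.Time, window time.Duration) error {
	switch {
	case !bytes.Equal(c.BusinessID, b.ID):
		return errors.New("challenge was issued for a different business")
	case now.Sub(time.Unix(c.IssuedAt, 0)) > window:
		return errors.New("challenge expired")
	case b.seen[string(c.Nonce)]:
		return errors.New("nonce already used: replay")
	case !ed25519.Verify(b.Pub, encode(c), sig):
		return errors.New("bad signature")
	}
	b.seen[string(c.Nonce)] = true
	return nil
}
```

The static token verifies every time it is presented, whoever presents it; the challenge form is accepted once per nonce, only within the window, and only for the business that issued it.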
Once you verify they are who they say they are, you can do a second step to verify they actually intend to do some secure action.
It might be sufficient to have an authority which ensures there are no duplicate numbers issued, though that doesn't get around the problem of a single individual with multiple assigned numbers.
In practice, there are methods of determining with a fairly high degree of accuracy whether or not two or more identifiers might indicate the same individual (or at least two very closely related individuals). But if you're looking for a 1:1 signifier-subject relation, you'd want that system to be quite good.
The SSA that exists now would be able to validate public keys and reissue keypairs, which would absolutely be necessary. So we'd still have the same central authority, but the numbers they give out would actually be useful.
I'm presuming this EMV card: https://en.wikipedia.org/wiki/EMV
You know, the situation is really bad when the people you used to think were conspiracy nuts now seem to be people who weren’t thinking in big enough terms.
Just because you do not share such beliefs does not mean they do not exist, or can be dismissed.
Yea no fucking way I'm supporting this admin in cataloging anyone.