Senators Push to Ditch Social Security Numbers in Light of Equifax Hack

Megalith

Yesterday, the Senate Commerce Committee questioned former Yahoo CEO Marissa Mayer, Verizon chief privacy officer Karen Zacharia, and both the current and former CEOs of Equifax on how to protect consumers against major data breaches. The consensus was that Social Security numbers have got to go.

Multiple times throughout the hearing, Brazil’s Infraestrutura de Chaves Públicas system of citizen IDs through digital certificates came up as a potential model for the U.S. as it moves forward. In this model, a certificate lasts for three years at maximum and can be used to issue a digital signature much like written signatures are used now. Unlike its counterpart in the U.S., these identity accounts can be revoked and reissued easily through an established national protocol.
 
And when it needs to be replaced, you have to call every company you deal with to change your cert ID....because it's no longer you on those accounts.

Try again.
 
To be perfectly honest, when I look at this situation from the wider viewpoints and all the crap that's been going on over the years, this kind of push towards having a major one-size-fits-all ID of any kind just seems to be too convenient to me, almost like it's all happening on purpose with a specific goal in mind and it ain't got Jack Shit to do with information security.

Of course that's just my take on the situation. :sneaky:
 
Having a system like that... Really feels like the top of the slope toward a police state. I work in compliance for state government, and we use licenses to twist the arms of operators who don't follow regs, but that only applies to one type of operation. I imagine this ID would be tied to all aspects of your life, revoking something like this or tagging it could be far more detrimental than a ding on a credit report. Wouldn't trust the government to handle the maintenance either and costs to implement would be astronomical.
 
It's not the place of the government to do anything about this. It is the place of the markets to do something about this. If the government forces something on the market, it will be inherently unusable in a matter of months to a few years, and then spend decades being half-assed and insecure before they actually do anything else about it.
 
*Insert 'mark of the beast' conspiracy theories. *

Hah, I was waiting for that one. I hope just for the hell of it someone releases a fake article about everyone getting a big 666 on their foreheads as a replacement for social security ;).

But really, It's terrible that it took this long and such a significant event to make this happen, but good god at least it's finally happening. Hopefully it's actually done . . . at least somewhat right, this time. Whatever is put in place, it needs to be upgradeable.
 
Brazilian Public Key certs are awesome for some uses and useless for others. My certs are tied to my CPF (~ physical person certificate), a number like your Social Security number. Knowing my CPF does not allow a third party to revoke my public keys; when a new cert is issued, most businesses already know that it is my CPF behind them, so there is no need to contact businesses again. Digital signing adds a healthy measure of safety for finances and taxes; as an MD I can sign my medical receipts without fear of counterfeits or exploits. Lawyers log in to digital lawsuit systems, judges issue court orders. Pretty much everything that requires safe identification can be done with Brazilian certs.

But:

My bank only allows 1 account tied to 1 certificate. I changed the place where I live; my cert has been tied to an old bank agency since 2005, and after 12 years of using certs I still cannot link my new bank account to my cert. I ended up opening an account in another bank.

Some people managed to have more than one CPF issued. Sounds crazy, but ~19% of Brazilians share the same last name: Silva. This is a scam paradise and a perfect money laundering tool, fortunately not nearly as exploited as Social Security ID theft. We will probably ditch CPFs once and for all when every Brazilian gets a digital certificate as an ID.
 
Back in the mid-90s I had a customer who paid cash deposits for equipment because he refused to give up his SSN for credit checks. He said it was due to religious reasons that he never used his number to buy things. Turns out he was 20 years ahead of the game.
 
They should just use biometrics. Sure crooks will still cut out eyeballs and thumbs, but the other 99.9% of the people are pretty safe from that.
 
Technically it is still a Federal offense to use the SSN for anything and I do mean anything but Social Security related identification and classification. Somehow in the early 1980s it started being used as a "Taxpayer ID Number" by several agencies, most notably the IRS, even in spite of that action being - as stated - a Federal offense. Banks started using it as the manner in which to tie a person's deposits (if large enough) towards IRS reporting of such deposits after which the banking industry really latched on to it for that purpose, then other lending institutions, then car dealerships, credit card companies, and so on and so forth to where we are today.

It's a Social Security number, for that purpose only, by law, and yet nobody seems to give a fuck so look what's happened because of the laziness of fucking stupid people. :eek::rolleyes:o_O
 
About time, SSN was never intended as a form of ID. IMO, biometrics would suck since once stolen and replicated, (yes, it will happen), the victim can't get a new replacement. And any replacement needs to work equally well with paper and online requirements. Still a lot of business done without using an always connected computer.
 
About time, SSN was never intended as a form of ID. IMO, biometrics would suck since once stolen and replicated, (yes, it will happen), the victim can't get a new replacement. And any replacement needs to work equally well with paper and online requirements. Still a lot of business done without using an always connected computer.

Ya think if you get your biometrics stolen, or there was the technology to replicate eyeballs (lol) and thumbprints, we'd have this thing nicked by then?
 
So, how would I verify I am me with this? I certainly won't remember the cert key. Will I have to have a gov't issued card with RFID? RFID under the skin? USB drive I carry around all the time? Implementation seems like it would be problematic and expensive. Is it worth it?
 
About time, SSN was never intended as a form of ID. IMO, biometrics would suck since once stolen and replicated, (yes, it will happen), the victim can't get a new replacement. And any replacement needs to work equally well with paper and online requirements. Still a lot of business done without using an always connected computer.

Exactly. What we need are identifications that aren't tied to any one system. Multiple systems are absolutely necessary. If one set of info gets stolen, the thief only has access to a small portion of the system. We have three credit reporting agencies in this country. If they each have a different way to generate a 2048-bit certificate for each person, and one gets stolen, then they only have access to banks that use that one credit reporting agency. If one gets too careless, then they go out of business and someone new steps in and takes their place, while the other 2 keep going. Having just one ID for all the credit reporting agencies is asinine.
 
Pretty sure the purpose of this committee was to see if Marissa could set them up with a killer party. The best part? This time the money is endless.

 
It's not the place of the government to do anything about this. It is the place of the markets to do something about this. If the government forces something on the market, it will be inherently unusable in a matter of months to a few years, and then spend decades being half-assed and insecure before they actually do anything else about it.
What? Social Security is a social contract. By its very definition the markets have no place in it.
 
It's not the place of the government to do anything about this. It is the place of the markets to do something about this. If the government forces something on the market, it will be inherently unusable in a matter of months to a few years, and then spend decades being half-assed and insecure before they actually do anything else about it.

lol, self regulation works really well in a capitalist system yea?

They should just refresh the laws making it illegal to use SSN for ID purposes. End problem.
 
What? Social Security is a social contract. By its very definition the markets have no place in it.
I meant in our credit system. That's what this is all about. Who said anything about Social Security except for the idiots who have been using the numbers for credit identity?

Social Security is nothing but a Ponzi scheme and is falling apart on its own. Moot point.
 
*Insert 'mark of the beast' conspiracy theories. *

Unfortunately, most folks would rather guess about what 666 means than actually inquire about the truth.
One needs both wisdom and insight to be given to them by God in order to know what the verses mean
(see Book of Revelation chapter 13, verses 17 & 18), which is why it's called the book of REVELATION

the word REVELATION, as used in the bible in the book of Revelation means: the Divine or supernatural disclosure to humans of something relating to human existence or the world.

"Divine or supernatural disclosure", which of course means ... God has to reveal it to your mind, one on one (when it's not related to divine things, we call it an epiphany)

Regarding that scripture, our wisdom and insight will fall very short which is why there are just about as many wrong guesses about what 666 means as there are, well, people.

Regarding SS#'s, what 'system' will be used that will be 'secure'? Ain't no lock a person ever built that another person wasn't able to pick. The only security is physical, like when they are guarding the gold at Fort Knox. Is there any real digital security yet? Using one's eyeball or fingerprint is plain foolish ... too many commoners like us will lose eyeballs and fingers ...
 
lol, self regulation works really well in a capitalist system yea?

They should just refresh the laws making it illegal to use SSN for ID purposes. End problem.

That won't do any good. Laws just tangle things up and create red tape. If they were to JUST make it more illegal to use the SSN, then that might do some good, but that's doubtful as they would never actually be ENFORCED. Laws that are unenforced do NOTHING to those who don't follow them, which banks and credit reporting agencies don't. Just like SOX and Dodd-Frank do absolutely nothing for making business any more honest, simply because there is no actually enforced penalty for not complying.

WE THE PEOPLE need to make sure the credit reporting agencies and banks pay for their stupidity of using SSNs for credit ID. To do that, just don't pay on fraudulent credit opened under your name. Tell them it's their fault for using such a stupid system and refuse to pay. Also, don't count such things against people when giving them jobs or credit on the small scale. The whole system will fall apart if people don't comply with their stupidity. The biggest problem is that so many people just blindly follow it. The whole credit system we use today is entirely conceptual. Refuse to give it credibility, and it falls apart.

Eventually, they'll get the message and start using their brains a little more.
 
I use Apple Pay when I can. Recently, a cashier warned me of the mark of the beast. She went on to explain how the numbers 666 are in the chips in all of our phones. I asked how they paid for stuff? Credit cards.
I didn't see a point in discussing this at all. I then had the fun of explaining to my daughter what the mark of the beast was. That was easy - I just told her the cashier was an r-tard.
 
Unfortunately, most folks would rather guess about what 666 means than actually inquire about the truth.
One needs both wisdom and insight to be given to them by God in order to know what the verses mean
(see Book of Revelation chapter 13, verses 17 & 18), which is why it's called the book of REVELATION

the word REVELATION, as used in the bible in the book of Revelation means: the Divine or supernatural disclosure to humans of something relating to human existence or the world.

"Divine or supernatural disclosure", which of course means ... God has to reveal it to your mind, one on one (when it's not related to divine things, we call it an epiphany)

Regarding that scripture, our wisdom and insight will fall very short which is why there are just about as many wrong guesses about what 666 means as there are, well, people.

Regarding SS#'s, what 'system' will be used that will be 'secure'? Ain't no lock a person ever built that another person wasn't able to pick. The only security is physical, like when they are guarding the gold at Fort Knox. Is there any real digital security yet? Using one's eyeball or fingerprint is plain foolish ... too many commoners like us will lose eyeballs and fingers ...

There is also the little matter that all of Revelation has already come to pass, hundreds of years ago with the end of the Roman Empire. So, it is irrelevant other than learning from history.
 
Weren't we told, originally, that SSNs would never be used for any purpose beyond providing us with our account number? Just like a driver's license was originally only supposed to verify that we were licensed to drive in a particular state. Gosh, I wonder what happened to that?
 
And when it needs to be replaced, you have to call every company you deal with to change your cert ID....because it's no longer you on those accounts.

Try again.
I don't know how Brazil's system works, but wouldn't you just revoke your key at a single certificate authority, and then all the companies could pull your new public key from there?
 
And when it needs to be replaced, you have to call every company you deal with to change your cert ID....because it's no longer you on those accounts.

Try again.
That's not how it would work. The main cert would be used to check credit, but then the rest of the dealings with the account would be by the bank's local account number. If it got stolen, the only thing that would be affected would be the person would have to use a new cert to get credit approvals, with no changes in credit history.
 
I don't know how Brazil's system works, but wouldn't you just revoke your key at a single certificate authority, and then all the companies could pull your new public key from there?

The problem lies with how you will obtain a key. Online, at your local office, through the mail?
Any of these can be hacked or stolen. What would stop someone posing as you to request a new key and lock you out?

My problem is having to eventually prove who you are repeatedly because of compromised keys.

In the last year alone, I have received about 5 letters/emails of compromise from companies that hold my personal info.
That means I would have to change my cert ID five times. Imagine the backlog and system overload that will cause when tens of millions are logging on daily to get new certs. Remember the ACA website? It didn't last long.
 
The problem lies with how you will obtain a key. Online, at your local office, through the mail?
Any of these can be hacked or stolen. What would stop someone posing as you to request a new key and lock you out?

My problem is having to eventually prove who you are repeatedly because of compromised keys.

In the last year alone, I have received about 5 letters/emails of compromise from companies that hold my personal info.
That means I would have to change my cert ID five times. Imagine the backlog and system overload that will cause when tens of millions are logging on daily to get new certs. Remember the ACA website? It didn't last long.
The way I envisioned it is that you hold on to your private key (in whatever form: a smart card, a USB dongle, whatever). The only time someone would be able to get your key is either 1) like you say, when it's in transfer to you, or 2) you lose it or keep it in an insecure manner (your own fault). If the only time someone could get your key is while it's in transfer to you, this is much better, in my opinion, than having just databases of everyone's private information waiting to be compromised.

How do you keep someone from posing as you and requesting a new key? I'm not sure. Maybe give everyone at least 3 keys and require at least 2 to revoke and issue new keys. If you lost those, come on down to your local DMV to have your fingerprints taken and new keys issued.
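Sketching the flow the posts above describe (revoke at one certificate authority, relying parties check that CA's revocation list, and the bank keys its records by its own account number plus the stable citizen ID rather than by the certificate itself), here is an added example in Go. It is not from the original thread and is not ICP-Brasil's actual protocol: the CA, the citizen ID `000.000.000-00`, the account number `ACCT-0001` and the 24-hour CRL lifetime are constructed placeholders, and it uses only Go's standard `crypto/x509` package.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // keeps the demo short: setup failures panic
	if err != nil {
		panic(err)
	}
	return v
}

// CA is a hypothetical national identity CA, constructed for this example.
type CA struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	revoked []pkix.RevokedCertificate
}

func NewCA() *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example ID CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	return &CA{Cert: must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)))), key: key}
}

// Issue creates a citizen certificate. The stable citizen ID (CPF-like) goes in Subject.SerialNumber;
// the certificate serial is random per issue and is what revocation targets; validity is capped at 3 years.
func (ca *CA) Issue(citizenID string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // lives on the citizen's token
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject: pkix.Name{CommonName: "Citizen", SerialNumber: citizenID}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(3 * 365 * 24 * time.Hour)}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.key)))), key
}

// Revoke lists one certificate serial as revoked; the citizen keeps their ID.
func (ca *CA) Revoke(cert *x509.Certificate) {
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{SerialNumber: cert.SerialNumber, RevocationTime: time.Now()})
}

// CRL publishes a signed, short-lived revocation list for relying parties to fetch.
func (ca *CA) CRL() []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(time.Now().UnixNano()), RevokedCertificates: ca.revoked,
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour)}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.key))
}

// Authenticate is the relying party (a bank): verify the chain to the national root, reject a CRL that
// is forged or stale (fail closed), then map the citizen ID, never the certificate serial, to an account.
func Authenticate(root *x509.Certificate, accounts map[string]string, cert *x509.Certificate, crlDER []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", fmt.Errorf("chain: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", err
	}
	if err := crl.CheckSignatureFrom(root); err != nil || time.Now().After(crl.NextUpdate) {
		return "", fmt.Errorf("crl rejected (bad signature or stale): %v", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "", fmt.Errorf("certificate revoked")
		}
	}
	if acct, ok := accounts[cert.Subject.SerialNumber]; ok {
		return acct, nil
	}
	return "", fmt.Errorf("no account for this citizen ID")
}

// RunScenario walks the lifecycle from the thread and returns what the bank answered at each login.
func RunScenario() (first string, afterRevoke error, reissued string) {
	ca, citizen := NewCA(), "000.000.000-00"            // constructed placeholder, not a real CPF
	accounts := map[string]string{citizen: "ACCT-0001"} // the bank's own numbering
	cert1, _ := ca.Issue(citizen)
	first, _ = Authenticate(ca.Cert, accounts, cert1, ca.CRL())
	ca.Revoke(cert1) // token lost or stolen: only this serial is revoked
	_, afterRevoke = Authenticate(ca.Cert, accounts, cert1, ca.CRL())
	cert2, _ := ca.Issue(citizen) // same citizen ID, new key and serial: no re-enrolment at the bank
	reissued, _ = Authenticate(ca.Cert, accounts, cert2, ca.CRL())
	return
}

func main() {
	fmt.Println(RunScenario())
}
```

Running it prints `ACCT-0001`, a revocation error, then `ACCT-0001` again: the bank never had to be told about the replacement because its lookup is keyed on the citizen ID in `Subject.SerialNumber`, and the lost token stops working the moment the CA publishes a CRL naming its serial. Two details carry the security weight: the CRL's signature is checked against the national root and the list is refused once `NextUpdate` has passed, so a stripped or stale list fails closed instead of quietly accepting a revoked token; and the private key is generated for the token and never handed to the CA, which only signs the public half. What the code does not solve is the enrolment problem raised earlier in the thread: whoever can convince the CA to revoke and reissue controls the identity, so the CA's identity-proofing for reissue is the real trust boundary.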
 
So, how would I verify I am me with this? I certainly won't remember the cert key. Will I have to have a gov't issued card with RFID? RFID under the skin? USB drive I carry around all the time? Implementation seems like it would be problematic and expensive. Is it worth it?

Brazilian certs have physical media: a USB token, a card with a chip, or they are hard-stored in your PC. You sign using your PIN. A counterfeit would need access to your token AND your PIN. Not saying it cannot be hacked, just arguing that a lot of effort is required.
 
Just make an IPv6 version of the SSN.... no one will ever touch them again. Safe! :)
 
How about we also nuke the clearly incompetent Equifax?

*sigh* All this talk of trying to make a piece of data you exchange with others to identify yourself secret. It's a flawed concept. You are partially right in going after Equifax. The goal should be to set up an ID and services where knowledge of the ID doesn't create unlimited risk as it does now.

The lowest-hanging fruit is that Equifax, Experian, and TransUnion have created products that generate risk. They also create tools to mitigate that risk. They should not be able to put both behind a paywall.
 
To be perfectly honest, when I look at this situation from the wider viewpoints and all the crap that's been going on over the years, this kind of push towards having a major one-size-fits-all ID of any kind just seems to be too convenient to me, almost like it's all happening on purpose with a specific goal in mind and it ain't got Jack Shit to do with information security.

Of course that's just my take on the situation. :sneaky:

*Insert 'mark of the beast' conspiracy theories. *

Indeed. Does everyone recall that in the past 2 years, media and big companies have been trying to warm you up to the idea of RFID for the masses? First it's sold as convenience (e.g. pet tracking, payment for vending machines or entry into the workplace), then security abroad, then it becomes necessary to be employed at certain companies, then "something happens" and it becomes mandatory for all. It's coming, not a conspiracy theory, just extrapolated from history.

With any luck, I'll be dead before mandatory.

Technically it is still a Federal offense to use the SSN for anything and I do mean anything but Social Security related identification and classification. Somehow in the early 1980s it started being used as a "Taxpayer ID Number" by several agencies, most notably the IRS, even in spite of that action being - as stated - a Federal offense. Banks started using it as the manner in which to tie a person's deposits (if large enough) towards IRS reporting of such deposits after which the banking industry really latched on to it for that purpose, then other lending institutions, then car dealerships, credit card companies, and so on and so forth to where we are today.

It's a Social Security number, for that purpose only, by law, and yet nobody seems to give a fuck so look what's happened because of the laziness of fucking stupid people. :eek::rolleyes:o_O

Tiberian, you're on fire today :)
 
Brazilian certs have physical media: a USB token, a card with a chip, or they are hard-stored in your PC. You sign using your PIN. A counterfeit would need access to your token AND your PIN. Not saying it cannot be hacked, just arguing that a lot of effort is required.

Great, now to exist, you need a PC to be and guard who you are...
 
The issue I have, first, isn't necessarily the identity system. I know it could be improved.

The really big issue I have first, though, is that I want to see Equifax "burn at the stake" for their WILLFUL, GROSS NEGLIGENCE with the data they were entrusted with. The CEO blamed JUST ONE sys admin, which is a load of bullshit. Companies that big have CHANGE CONTROL BUSINESS PROCESSES to prevent shit like this from EVER happening. NO ONE PERSON SHOULD HAVE BEEN CAPABLE OF CAUSING THIS PROBLEM AS A RESULT.

I hate to type in caps, but I just am so fed up with yet another business getting away with "murder". What about the banks from 2008? What about BP in the USA? (Why are they still allowed to do business in the Gulf?), etc. Fines aren't enough. Businesses need to FAIL when this kind of shit happens, otherwise IT WILL NEVER GET BETTER.

*sigh* All this talk of trying to make a piece of data you exchange with others to identify yourself secret. It's a flawed concept. You are partially right in going after Equifax. The goal should be to set up an ID and services where knowledge of the ID doesn't create unlimited risk as it does now.

The lowest-hanging fruit is that Equifax, Experian, and TransUnion have created products that generate risk. They also create tools to mitigate that risk. They should not be able to put both behind a paywall.
 
Here's an idea, make these companies (all companies) financially responsible for putting people's lives back together when any sort of data breach occurs. Not that "1 year of credit monitoring", you lose the info, you're on the hook for the life of the company, you pay for a lifetime of credit monitoring, and if something happens you pay some THIRD PARTY who deals with fixing messes like that. Then maybe their in-house security won't go "it'll cost us more to investigate than it'll cost us to not do anything" as the current case is with literally every credit card company out there, much in the same way in some areas you can be held responsible if you do not secure dangerous items.

But no, that would require these billion dollar companies to stop donating to SuperPACs of every lawmaker out there.
 
It's been so for quite a long time. I assume you arrived last week on this planet?

I assume you're a slave to the system. Do you think the elderly command their existence on a PC like you do? Do you think they can step it up the notch that the Brazilian ID requires? Maybe you can put yourself in other people's shoes and not just your own ;)
 