Equifax Ex-CEO Backs Plan To Stop Using Social Security Numbers As ID

rgMekanic

In a report today on The Register, White House cybersecurity coordinator Rob Joyce has won the backing of Equifax's ex-CEO for a plan to stop using social security numbers as personal identifiers in the US. Joyce suggested using a "modern cryptographic identifier" - presumably a hash or public-private key pair or something - to identify individual US taxpayers rather than the usual nine digits.

I can understand some of the reasoning behind this, but are you going to start issuing every American an encrypted USB key? Rob Joyce hasn't given any word on how he feels about the ex-CEO's endorsement, but the quote from The Register mirrors my thoughts perfectly.

"The concept of a Social Security number in this environment being private and secure - I think it's time as a country to think beyond that," Smith told politicians. No kidding, Dick, you just lost 145 million of the numbers to hackers.
 
Why have any government entity issue a USB key? It could be easily handled by private enterprise, and probably cheaper and more secure, and without the USB key. Issuing people a 2048-bit encryption certificate would be pretty easy, and establishing cert authorities would be easy. We could keep track of them as we wish.
 
In a report today on The Register, White House cybersecurity coordinator Rob Joyce has won the backing of Equifax's ex-CEO for a plan to stop using social security numbers as personal identifiers in the US. Joyce suggested using a "modern cryptographic identifier" - presumably a hash or public-private key pair or something - to identify individual US taxpayers rather than the usual nine digits.

I can understand some of the reasoning behind this, but are you going to start issuing every American an encrypted USB key? Rob Joyce hasn't given any word on how he feels about the ex-CEO's endorsement, but the quote from The Register mirrors my thoughts perfectly.

"The concept of a Social Security number in this environment being private and secure - I think it's time as a country to think beyond that," Smith told politicians. No kidding, Dick, you just lost 145 million of the numbers to hackers.
God yes, having 1 number that can't be easily changed is retarded
 
Why have any government entity issue a USB key? It could be easily handled by private enterprise, and probably cheaper and more secure, and without the USB key. Issuing people a 2048-bit encryption certificate would be pretty easy, and establishing cert authorities would be easy. We could keep track of them as we wish.

Your grandmother is gonna be able to hand her doctor or new employer an encryption certificate?
 
I use an RSA keychain token at work to log into some sensitive servers. It randomly cycles through 9 digit keys every minute.

I’d imagine the same concept can be used if the tech can be refined to the size of a card.
 
I use an RSA keychain token at work to log into some sensitive servers. It randomly cycles through 9 digit keys every minute.

I’d imagine the same concept can be used if the tech can be refined to the size of a card.
That tech is already in play, chipped credit cards for example. Countless form factors for that tech already out there. Can even have it embedded in your body like the tags they put into dogs.
 
For all its faults, the SSN is easy for most folks to remember, no card or hardware gizmo needed. I can't remember the last time I actually needed to produce my SS card. Not sure I know where it is. Any viable replacement needs to have similar qualities. Any hardware gizmo will be prone to loss, theft, eaten by pet, other type of destruction or becoming outdated.

Even something as simple as the SSA sending out a new Taxpayer ID number on a paper card every year that is tied to your SSN would be an improvement. Any breach of the Taxpayer ID would be limited in usefulness to a max of 1 year and less if the person discovered the breach and requested a new Tax ID number.

Whatever solution is picked, it needs to be usable both for electronic and paper transactions.
 
I'll make them use my Steam authenticator. Seems pretty tight.

"Enter key to approve bling for teeth"
Yup, not me.
(Alert police)
 
Your grandmother is gonna be able to hand her doctor or new employer an encryption certificate?

Grandma loves printing things, recipes, emails, certs.... no problem, it improves the current situation.
 
The SSN was never intended nor even legally capable of being used for anything except Social Security benefits and absolutely nothing else, but over time the practice of using it as a "Taxpayer Identification Number" then got it tied together with bank and other financially connected accounts and that's where it all kinda fell apart. To my knowledge it's still a Federal offense to use an SSN for anything except Social Security benefits, so if we finally stop doing that I suppose it'll be a good thing but in the long run there will never be any identifier of any kind that cannot be compromised.
 
The SSN was never intended nor even legally capable of being used for anything except Social Security benefits and absolutely nothing else, but over time the practice of using it as a "Taxpayer Identification Number" then got it tied together with bank and other financially connected accounts and that's where it all kinda fell apart. To my knowledge it's still a Federal offense to use an SSN for anything except Social Security benefits, so if we finally stop doing that I suppose it'll be a good thing but in the long run there will never be any identifier of any kind that cannot be compromised.

man of truth
 
We could like you know... look at how other modern countries are doing it and kinda replicate the success stories... but I bet we're gonna end up wasting taxpayers' money on big corporate organizations to figure out something "new" because of party support...
 
I'm pretty sure that even with a public-private key pair they'll be able to fuck it up and store the information in a hackable database lol.
 
The SSN was never intended nor even legally capable of being used for anything except Social Security benefits and absolutely nothing else, but over time the practice of using it as a "Taxpayer Identification Number" then got it tied together with bank and other financially connected accounts and that's where it all kinda fell apart. To my knowledge it's still a Federal offense to use an SSN for anything except Social Security benefits, so if we finally stop doing that I suppose it'll be a good thing but in the long run there will never be any identifier of any kind that cannot be compromised.
I had to give the water company for my new house my SSN or they wouldn't turn on the water... they are also so ass-backwards they don't take credit cards. Same thing with the power company. No SSN, no power.
 
The SSN was never intended nor even legally capable of being used for anything except Social Security benefits and absolutely nothing else, but over time the practice of using it as a "Taxpayer Identification Number" then got it tied together with bank and other financially connected accounts and that's where it all kinda fell apart. To my knowledge it's still a Federal offense to use an SSN for anything except Social Security benefits, so if we finally stop doing that I suppose it'll be a good thing but in the long run there will never be any identifier of any kind that cannot be compromised.

When I was in college they were using SSN as student ID number, then somebody sued and they had to stop and begin to issue different numbers. Also here in Ky they were using it on driver's licenses but were ordered to stop. Why can't they just order all financial services to stop using it, then they would have to be creative and come up with something else to use. Make it a $1,000,000 fine for using it for anything other than Social Security and things will change quickly.
 
Kind of locking the barn door after all the animals have left. I don't really understand how this has become such a huge problem, because, in fact, it says RIGHT ON THE DAMN CARD that it's not to be used for identification. Just shows how many idiots are in charge of something. Peter principle at its finest, and this country is filled with them (damn, that keeps showing up to be true). So I suppose it's the public education system's fault, for producing so many managers who got through high school and college, who apparently failed basic reading comprehension every step of the way.
 
People are paranoid AF about having a "unique identifier" in this country, but everyone already does and it is extremely unsecure. A SSID card does not have your picture or any other security built in.
 
We could like you know... look at how other modern countries are doing it and kinda replicate the success stories... but I bet we're gonna end up wasting taxpayers' money on big corporate organizations to figure out something "new" because of party support...

The only people who are allowed to use your SIN (Social Insurance Number) in Canada are your employer, your financial institution and the federal government. Not a credit bureau, not a credit card company, and you can never use it as a public identifier. Same with your health care number. Only your medical provider and the Ministry of Health are legally allowed to ask for it and use it.
 
I don't know what to do . . .but I do know these things matter:

1. Encryption: Eventually it can all be broken, especially if quantum computing ever lives up to the theory.

2. Bio-metrics: Eventually someone will gain access to the scan files and can use them to impersonate.

What else?
 
A unique identifier is a unique identifier. Won't change much. And a number people can remember, pretty much the requirement, will have hash tables generated before you can blink.

Pretty much the best course of action would be
1) Multiple identifiers. One for government, one for financial, one for medical, one for education. You can only ever use one identifier for your organization. If an organization needs your ID out of their selected boundary, you have to supply the ID for the request to that organization.
2) Your full credit history open to you at all times. A freeze will be available to you at all times for free.
3) Small irregularities in your credit history that are not removed when requested, or lost opportunities due to irregularities, are automatically penalized to avoid the burden of legal action. However, this does not remove the ability for a person to take legal action. The penalty amount will be deducted from the award from a civil suit, though. If they had incentive to be diligent on the small stuff, the big stuff would take care of itself.
 
Seeing that the US just started using chip+PIN credit cards, I imagine these new private keys will start getting issued in 2050.
 
As terrible as the SSN is, I'm leery of what they would replace it with. You can bet that more individual liberty isn't on the table....
 
Why have any government entity issue a USB key? It could be easily handled by private enterprise, and probably cheaper and more secure, and without the USB key. Issuing people a 2048-bit encryption certificate would be pretty easy, and establishing cert authorities would be easy. We could keep track of them as we wish.

rofl, Equifax is a "private enterprise", let's let them do it! Always love the occasional illogic of the private sector over government sector argument, usually it is rooted in the idea that the government is not "of the people", when in fact they are supposed to be and the other side of the coin is that the private sector is more efficient, somehow. The reality is, EVERYFUCKINGTHING IS FOR PROFIT, business and government.
 
Why would we listen to the former Equifax guy again?

Far as I'm concerned, his opinions are worthless, based on his track record.
 
The only people who are allowed to use your SIN (Social Insurance Number) in Canada are your employer, your financial institution and the federal government. Not a credit bureau, not a credit card company, and you can never use it as a public identifier. Same with your health care number. Only your medical provider and the Ministry of Health are legally allowed to ask for it and use it.
In Denmark, your SS is only used for the government. "Anything" else is based on what is called an Easy ID, which also contains a simple one-time PID system, aka the number you used to ID yourself only works for that one session, so even if it's stolen or keylogged... it's useless.

I've lost my PID card. Took forever to verify that I was indeed a Danish citizen living in the States and not an evil US hacker. But I truly love the idea of not having a single number ID that can be stolen by phishers.

--- edit ---
Felt like showing an example

nemid.jpg


This is your Easy ID, a little credit-card-size card that you keep safe.

Now let's say you log into your bank. You type in your login credentials with password as usual and it will ask you for the 6-digit key next to the 4-digit number.
So if it asks for the key for 2013 you type in 168548 and boom, you are in. And that entry is invalidated and can never be used again...

Once you are down to like 20 keys left a new card is sent to you.

If your card gets stolen, you are still somehow protected by your password to log in places, and you can shut down the card just like a credit card and a new one will be sent to you.

A lot more secure than constantly using the same ID number over and over for everything.
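
The code-card login described in the post above, sketched from the server's side as an added example (not part of the original post, and not NemID's actual implementation). The class name, the HMAC-keyed storage and the one-guess-per-challenge rule are assumptions; the 20-key reissue threshold and the 2013/168548 entry come from the post, and the other sample entries are constructed.

```python
import hashlib
import hmac
import secrets

REISSUE_THRESHOLD = 20  # per the post: a new card is sent at roughly 20 keys left
# Constructed sample card; only the 2013 -> 168548 entry appears in the post.
SAMPLE_CARD = {"2013": "168548", "0871": "402915", "5530": "771203"}

class CodeCard:
    """Server-side state for one printed card (4-digit number -> 6-digit key)."""

    def __init__(self, entries, server_key):
        # A bare hash of a 6-digit key falls to 10^6 guesses, so the stored
        # digest is keyed with a secret held outside the card database.
        self._key = server_key
        self._unused = {n: self._mac(n, k) for n, k in entries.items()}
        self._pending = None
        self.revoked = False

    def _mac(self, number, key):
        return hmac.new(self._key, f"{number}:{key}".encode(), hashlib.sha256).digest()

    def challenge(self):
        """Pick the 4-digit number the login page asks the user to look up."""
        if self.revoked or not self._unused:
            return None
        self._pending = secrets.choice(sorted(self._unused))
        return self._pending

    def verify(self, password_ok, number, key):
        """Second factor: checked only after the password, only for the pending number."""
        if self.revoked or not password_ok:
            return False
        if self._pending is None or number != self._pending:
            return False
        self._pending = None  # one guess per challenge (assumption)
        if not hmac.compare_digest(self._unused[number], self._mac(number, key)):
            return False
        del self._unused[number]  # a used entry can never be replayed
        return True

    def needs_reissue(self):
        return len(self._unused) <= REISSUE_THRESHOLD

    def revoke(self):
        """Card reported lost or stolen: every remaining entry stops working."""
        self.revoked = True
```

A keylogged key is worthless here because the entry is deleted on first use, and a stolen card alone fails the `password_ok` check.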
 
In Denmark, your SS is only used for the government. "Anything" else is based on what is called an Easy ID, which also contains a simple one-time PID system, aka the number you used to ID yourself only works for that one session, so even if it's stolen or keylogged... it's useless.

I've lost my PID card. Took forever to verify that I was indeed a Danish citizen living in the States and not an evil US hacker. But I truly love the idea of not having a single number ID that can be stolen by phishers.

--- edit ---
Felt like showing an example

nemid.jpg


This is your Easy ID, a little credit-card-size card that you keep safe.

Now let's say you log into your bank. You type in your login credentials with password as usual and it will ask you for the 6-digit key next to the 4-digit number.
So if it asks for the key for 2013 you type in 168548 and boom, you are in. And that entry is invalidated and can never be used again...

Once you are down to like 20 keys left a new card is sent to you.

If your card gets stolen, you are still somehow protected by your password to log in places, and you can shut down the card just like a credit card and a new one will be sent to you.

A lot more secure than constantly using the same ID number over and over for everything.
Is that an actual example? I'd run through a card every two days if all of my financial and other secure services required me to use a key.
 
Seeing that the US just started using chip+PIN credit cards, I imagine these new private keys will start getting issued in 2050.
We only did chip. The good part, the PIN, wasn't included. The chip was done to force retailers to buy new readers, thinking that was the fault of the round of breaches we had a few years ago. Real protection like the PIN would require the financial institutions to lay out some cash.
 
Short of everyone having bar codes tattooed on their wrists, why don't they just make a card with the person's thumbprint on it? For additional security a numeric code could be created by measuring the distance between the creases in your print.
 
Short of everyone having bar codes tattooed on their wrists, why don't they just make a card with the person's thumbprint on it? For additional security a numeric code could be created by measuring the distance between the creases in your print.

You are most certainly going in the wrong direction with either of those thoughts, unless your direction is to be tagged and tracked even more easily than we already are.
 
This is stupid. A number shouldn't be the sole indication to identify someone. Adding more numbers to it won't make it harder to steal from the morons at Equifax. Even if we did have a 2048-bit hash as our identification, I'm fairly sure they would have been stolen. So what's the point?
 
Yeah we should listen to this guy on security matters. o_O

I mean who wants his endorsement?
 
I'm inclined to think whatever this guy says regarding privacy and security, we should probably do the opposite....
 
Your grandmother is gonna be able to hand her doctor or new employer an encryption certificate?
You can have a credit card type card with a chip that has it pre-loaded. (I specify credit card chip, because every office will be equipped with a chip reader in the next year-ish.)

In person you can also validate with Driver's License and other mundane IDs.
 