Re: Last 4 digits of SSN and birthdate

["Mark T. Nardone" <m.nardone () NEU EDU>]

I have to agree with Sarah here.
If I were a bad person (I'm not, but I do get paid to think like one at
times) I could do all sorts of financial mischief with this kind on
information and some Googling. A name, DOB and the last four SSN, what
could I do? I could easily find the address, I know the age and the
location, what are the chances this person lives in the same state their
were born? From this I could get the whole SSN. Hell even with just the
last four and some record searching I could get most of the information I
would need to answer most credit card challenge questions.

I highly recommend that they find some other way to identify your alumni,
how hard would it be to assign everyone an Alumni number? Year of
graduation-00001, have that relate to the database as a search key. The
best rule of thumb is never use SSN to identify a person. If I were you,
make your case with University Advancement like this: how much money do
you think an Alumni is going to give you when they hear that you have
exposed them to the risk of identity theft, simply for the convenience of
looking them up in a database?

regards

Mark


Mark T. Nardone
IT Security Analyst
Northeastern University
448 Columbus Place
Boston , MA 02115
617.373.7901 (desk)
617.335.5082 (mobile)
617.373.8858 (fax)
m.nardone () neu edu
Northeastern AUP
=================================================
This message may contain confidential or sensitive information,
and is intended only for the addressed individuals.  If you are not
a named addressee, or if you have received this message in error,
we ask your cooperation to refrain from disseminating, distributing or
copying this e-mail, and request that you delete it from your device.
=================================================





Rebecca Ramos <rramos () PROVIDENCE EDU>
10/26/2005 03:48 PM
Please respond to The EDUCAUSE Security Discussion Group Listserv

        To:     SECURITY () LISTSERV EDUCAUSE EDU
        cc:
        Subject:        Re: [SECURITY] Last 4 digits of SSN and birthdate


Sarah,

Why do you say that?

Becky Ramos

Rebecca Ramos
AVP Information Technology
Providence College
rramos () providence edu
(401)865-2345


-----Original Message-----
From: Sarah Stevens [mailto:sarah () STEVENS-TECHNOLOGIES COM]
Sent: Wednesday, October 26, 2005 2:55 PM
To: SECURITY () listserv educause edu
Subject: Re: [SECURITY] Last 4 digits of SSN and birthdate

Elizabeth,

If you are going to print this much information on the cards, you may
as well print the entire SSN.  This information is enough to gather
the information to know what the entire SSN of the individual is.

Sarah Stevens
Stevens Technologies, Inc.



> A representative of University Advancement contacted me and wanted
to
> know if printing a person's birthday (MM/DD/YYYY) and the last 4
digits
> of the person's SSN on pledge cards was acceptable.  The reason for
> "needing" this info is it allows staff to search the alumni database
> much faster.  Other info printed on the card: first name, middle
> initial, last name, phone number, and address.
>
> I can not find any sources prohibiting their request, but I am not
> comfortable with displaying this info. I am concerned with the
> precedence this  may set with other departments.  Any suggestions or
> links to info would be appreciated.
>
> Elizabeth Shannon
> Pittsburg State University - Kansas

--