Security Basics mailing list archives

Re: Risk of using SS#s (last 4 digits) for authentication


From: noconflic <nocon () texas-shooters com>
Date: Mon, 4 Nov 2002 21:23:11 -0600

[jblii () hotmail com] Sat, Nov 02, 2002 at 10:59:55AM -0500 wrote:
We are currently considering the limited use of employees' Social Security 
numbers to authenticate them when they request a password reset from the 
Help Desk.  We have chosen two items (in total) for authenticating them: 
their employee # and the last 4 digits of their SS#.  Only the last 4 
digits would be stored in the Help Desk app, and these would be viewable 
only by Help Desk technicians.  They would only be able to see them by 
selecting a specific toolbar button (the SS# screen would not be visible at 
all times).

We are concerned with the privacy issue potential if we use any part of a 
SS# but are unaware of any legal precedent, standard or guideline either 
supporting or against this use.  Does anyone have knowledge they can share, 
or know of web resources that might be useful to research this issue?

We are a corporation of roughly 1200 specializing in healthcare, and HIPAA 
privacy/security regs, NCQA and URAC accreditations must be taken into 
consideration.

Thanks in advance for any suggestions or information.

JBL

  Hrmf, not really sure myself but here is some info to maybe help
you in making that decision. ;-) I know a lot of companies use the last 
four digits to somewhat aid in verifying a person's identity. That 
said, I guess one issue would be some sort of "Social Engineering" 
between those who view the last 4 digits and the person who the 
last 4 digits belong to. I guess it would be a matter of employee 
/customer trust. 

http://www.privacy.ca.gov/ssn/ssn.htm 
http://www.howstuffworks.com/social-security-number.htm
http://www.cpsr.org/cpsr/privacy/ssn/ssn.structure.html
http://www.usdoj.gov/04foia/1974ssnu.htm

Hope these help.
- nocon
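
As an added illustration (not code from either poster), the two practical weaknesses of the scheme discussed in this thread can be shown in a few lines: the last 4 digits give only 10,000 possible values, and storing them in clear text means every technician with the toolbar button can read them. The example below keeps only a keyed hash of the digits per employee, so the Help Desk app answers "match", "no-match" or "locked" without ever displaying the digits, and locks the record after a few failures so the 10,000-value space cannot be walked online. It then shows the failure mode: if the stored hashes and the server-side key leak together, the whole space is recovered offline in milliseconds. The server key, the lockout threshold of 3, and the employee numbers are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: in a real deployment the key lives in a
# secret store or HSM, never in the same database as the Help Desk records.
SERVER_KEY = b"example-only-server-key-do-not-reuse"

# Assumed policy: three wrong guesses lock the record until a human resets it.
MAX_FAILURES = 3


def derive(key: bytes, employee_id: str, last4: str, salt: bytes) -> bytes:
    """Keyed hash of (employee number, per-record salt, last-4 digits).

    The salt stops two employees sharing the same digits from having the
    same tag; the key is what makes an offline guess of 10,000 values
    useless to someone holding only the database.
    """
    if len(last4) != 4 or not last4.isdigit():
        raise ValueError("last4 must be exactly four digits")
    msg = employee_id.encode() + b"\x00" + salt + b"\x00" + last4.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class HelpDeskStore:
    """Help Desk records: no clear-text digits, only salt, tag and a counter."""

    def __init__(self) -> None:
        self.records: dict[str, dict] = {}

    def enroll(self, employee_id: str, last4: str) -> None:
        salt = secrets.token_bytes(16)
        self.records[employee_id] = {
            "salt": salt,
            "tag": derive(SERVER_KEY, employee_id, last4, salt),
            "failures": 0,
        }

    def verify(self, employee_id: str, claimed_last4: str) -> str:
        """Return 'match', 'no-match' or 'locked'; never the stored digits."""
        rec = self.records.get(employee_id)
        if rec is None:
            # Same answer as a wrong digit so unknown employee numbers
            # are not confirmed to the caller.
            return "no-match"
        if rec["failures"] >= MAX_FAILURES:
            return "locked"
        try:
            tag = derive(SERVER_KEY, employee_id, claimed_last4, rec["salt"])
        except ValueError:
            tag = b""  # malformed input counts as a failed attempt
        if tag and hmac.compare_digest(tag, rec["tag"]):
            rec["failures"] = 0
            return "match"
        rec["failures"] += 1
        return "locked" if rec["failures"] >= MAX_FAILURES else "no-match"


def online_brute_force(store: HelpDeskStore, employee_id: str):
    """Walk 0000..9999 through the Help Desk interface.

    Returns (digits, attempts) on success or (None, attempts) when the
    lockout stops the walk, which with MAX_FAILURES = 3 is after 3 guesses.
    """
    attempts = 0
    for n in range(10_000):
        attempts += 1
        result = store.verify(employee_id, f"{n:04d}")
        if result == "match":
            return f"{n:04d}", attempts
        if result == "locked":
            return None, attempts
    return None, attempts


def offline_recover(record: dict, employee_id: str, leaked_key: bytes):
    """Failure mode: with the database AND the key, 10,000 guesses suffice."""
    for n in range(10_000):
        guess = f"{n:04d}"
        tag = derive(leaked_key, employee_id, guess, record["salt"])
        if hmac.compare_digest(tag, record["tag"]):
            return guess
    return None


if __name__ == "__main__":
    store = HelpDeskStore()
    store.enroll("E1001", "4321")          # constructed employee number
    print(store.verify("E1001", "4321"))   # match
    print(online_brute_force(store, "E1001"))
    print(offline_recover(store.records["E1001"], "E1001", SERVER_KEY))
```

The lockout is what makes the small keyspace survivable for telephone verification; without it, the online walk in `online_brute_force` finds the digits in at most 10,000 calls. The offline result is the reason the key must be kept away from the database: salting and hashing alone do nothing against a space this small.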

