Security Basics mailing list archives
Re: Risk of using SS#s (last 4 digits) for authentication
From: Gordon Ewasiuk <gewasiuk () unixfanatic com>
Date: Fri, 8 Nov 2002 20:54:17 -0500 (EST)
On Mon, 4 Nov 2002, noconflic wrote:
> Date: Mon, 4 Nov 2002 21:23:11 -0600
> From: noconflic <nocon () texas-shooters com>
>
> [jblii () hotmail com] Sat, Nov 02, 2002 at 10:59:55AM -0500 wrote:
>
> > We are currently considering the limited use of employees' Social Security numbers to authenticate them when they request a password reset from the Help Desk. We have chosen two items (in total) for authenticating them: their employee # and the last 4 digits of their SS#. Only the last 4 digits would be stored in the Help Desk app, and these would be viewable only by Help Desk technicians. They would only be able to see them by selecting a specific toolbar button (the SS# screen would not be visible at all times).
> >
> > JBL
>
> Hrmf, not really sure myself but here is some info to maybe help you in making that decision. ;-) I know a lot of companies use last four digits to somewhat aid in verifying a person's identity. That said, I guess one issue would be some sort of "Social Engineering" between those who view the last 4 digits and the person who the last 4 digits belong to. I guess it would be a matter of employee/customer trust.
>
> http://www.privacy.ca.gov/ssn/ssn.htm
> http://www.howstuffworks.com/social-security-number.htm
> http://www.cpsr.org/cpsr/privacy/ssn/ssn.structure.html
> http://www.usdoj.gov/04foia/1974ssnu.htm

Isn't it possible to obtain the first three digits...if the person's place of birth is known? Would such information be on file with the person's HR department? At worst, it could be obtained via casual conversation...

I'd never, ever, ever even think about using SSN to validate anybody, anywhere. There is just too much potential for abuse. Online identity theft is already the rage. Consider something like SecurID or s/key or something...using SSNs anywhere is bad mojo.

regards,
-gordon