Re: Universities riskiest place for SSN

[John Ladwig <John.Ladwig () CSU MNSCU EDU>]

While we're wishing, let's apply similar identifiers-are-not-authenticators rigor to credit-card PANs, and bank routing 
and account numbers.

My life'd be a lot simpler then, though others' would be more complicated.

I'm guessing the financial-services industry has way better lobbyists than you or I, or even higher ed taken as a 
whole, and this won't be happening.

   -jml

> > > Kevin Shalla <kshalla () UIC EDU> 2010-11-09 09:47 >>>
Given that SSNs are needed to apply for and receive financial aid, 
and financial aid is used by ... let me guess -- 90% of students, 
we'll be using SSNs indefinitely.  We cannot stop.  SSNs are great 
because they're so good at identifying matching records -- the IRS 
does the work of eliminating duplicates for us.  They're poor for 
authentication, because so many places store SSNs, and millions of 
employees in varied industries across the country have access to some 
subset of them.

This brings me back to my old idea.  Keep using SSNs, make them 
public, and place the burden of combating fraud on those that can 
solve the problem -- the SSN-using industries.  With legislation, 
make them liable for debts or other harm when authentication isn't 
done well, specifically prohibiting them from using SSN as an 
authenticator.  This way individuals would rarely suffer from 
impersonation fraud.

At 04:53 PM 11/8/2010, Dan Peterson wrote:

> http://home.hiwaay.net/~becraft/ScottSSNLetter.pdf 
>
> So a SSN is need to report to IRS and the SSA.
>
>  From your list that is: (all report to IRS related)
> - - Student employees on work-study have their wages reported to the
> government.
> - - Students with federally guaranteed student loans are reported to the
> government.
> - - Individual contractors paid directly instead of through a company must be
> reported to the government.
> - - Speakers receiving honoraria must be reported to the government.
> - - Regular employees' wages must be reported to the government.
>
> This likely is due to money but I am not sure:
> - - The NCAA uses it and requires it in reporting regarding recruiting
> activities.
>
>
> That leaves:
> - - Students provide the information to the College Board while in high school
> and it comes in over the transom with SATs, sometimes before the student has
> actually filed an application, and it is therefore useful, though maybe not
> required,  in Admissions to differentiate between potential applicants with
> the same name.
>
> I would bet that this is a lions share of the SSN collected. Most students
> don't work for the school and are not part of NCAA.
> I would venture a guess that on every student application form it has
> "SSN_____" and does not indicate any choice for the student and they do have
> a choice.
>
> - ---------------
>
>
> How can I protect my Social Security number?
>
> You should treat your Social Security number as confidential information and
> avoid giving it out unnecessarily.
> You should keep your Social Security card in a safe place with your other
> important papers.
> Do not carry it with you unless you need to show it to an employer or
> service provider.
> We do several things to protect your number from misuse. For example, we
> require and carefully inspect proof
> of identity from people who apply to replace lost or stolen Social Security
> cards, or for corrected cards.
> One reason we do this is to prevent people from fraudulently obtaining
> Social Security numbers to establish false identities.
>
> We maintain the privacy of Social Security records unless:
> . The law requires us to disclose information to another government agency;
> or
> . Your information is needed to conduct Social Security or other government
> health or welfare program business.
> You should be very careful about sharing your number and card to protect
> against misuse of your number.
> Giving your number is voluntary even when you are asked for the number
> directly.
>
> If requested, you should ask:
> . Why your number is needed;
> . How your number will be used;
> . What happens if you refuse; and
> . What law requires you to give your number.
> The answers to these questions can help you decide if you want to give your
> Social Security number. The decision is yours
>
> http://www.ssa.gov/pubs/10002.html#protect 
> - ------------
>
> My point in asking this question was to get people to think about the need
> for the SSN.
> I have found that in 60% of the time when asked for an SSN its not required
> but
>
> Don't like the risk?
> Don't collect the number unless you have to.
>
>
> - --
> Dan
>
>
>
> - -----Original Message-----
> From: David Escalante [mailto:david.escalante () bc edu] 
> Sent: Monday, November 08, 2010 1:32 PM
> To: drpeterson () es net 
> Cc: The EDUCAUSE Security Constituent Group Listserv
> Subject: Re: [SECURITY] Universities riskiest place for SSN
>
>
> On Nov 8, 2010, at 4:12 PM, Dan Peterson wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > I agree that High-Ed does report things that private industry does
> > not; however, why does Higher-Ed need the student SSN in the first
> > place
>
>
> There are a host of reasons, a few examples...:
>
> - - Student employees on work-study have their wages reported to the
> government.
> - - Students with federally guaranteed student loans are reported to the
> government.
> - - Students provide the information to the College Board while in high school
> and it comes in over the transom with SATs, sometimes before the student has
> actually filed an application, and it is therefore useful, though maybe not
> required,  in Admissions to differentiate between potential applicants with
> the same name.
> - - The NCAA uses it and requires it in reporting regarding recruiting
> activities.
> - - Individual contractors paid directly instead of through a company must be
> reported to the government.
> - - Speakers receiving honoraria must be reported to the government.
> - - Regular employees' wages must be reported to the government.
>
> Morrow's comments overlap mine, so I'll stop there. :-)
> - --
> David Escalante
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.9.1 (Build 287)
> Charset: us-ascii
>
> wj8DBQFM2H955chTNtilRz8RAnjzAJ4xL4GAqfzSQ1iBW8c8MhhTHkOgUQCfVpFY
> GqGN4xk65Q0+aEElih3rwUw=
> =8MlR
> -----END PGP SIGNATURE-----