Home page logo

basics logo Security Basics mailing list archives

Re: Risk of using SS#s (last 4 digits) for authentication
From: noconflic <nocon () texas-shooters com>
Date: Mon, 4 Nov 2002 21:23:11 -0600

[jblii () hotmail com] Sat, Nov 02, 2002 at 10:59:55AM -0500 wrote:
We are currently considerring the limited use of employee's Social Security 
numbers to authenticate them when they request a password reset from the 
Help Desk.  We have chosen two items (in total) for authenticating them: 
their employee # and the last 4 digits of their SS#.  Only the last 4 
digits would be stored in the Help Desk app, and these would be viewable 
only by Help Desk technicians.  They would only be able to see them by 
selecting a specific toolbar button (the SS# screen would not visible at 
all times).

We are concerned with the privacy issue potential if we use any part of a 
SS# but are unaware of any legal precedent, standard or guideline either 
supporting or against this use.  Does anyone have knowledge they can share, 
or know of web resources that might be useful to research this issue?

We are a corporation of roughly 1200 specializig in healthcare, and HIPAA 
privacy/security regs, NCQA and URAC acredidations must be taken into 

Thanks in advance for any suggestions or information.


  Hrmf, not really sure myself but here is some info to maybe help
you in making that decsion. ;-) I know a lot of company's use last 
four digits to somewhat aid in verifing a person's identity. That 
said, i guess one issue would be some sort of "Social Engineering" 
between those who view the last 4 digits and the person who the 
last 4 digits belong to. I guess it would be a matter of employee 
/customer trust. 


Hope these help.
- nocon

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]