Home page logo

basics logo Security Basics mailing list archives

Re: Risk of using SS#s (last 4 digits) for authentication
From: Griff Palmer <gpalmer () palmermania com>
Date: Sat, 9 Nov 2002 10:30:49 -0800

Computer Professionals for Social Responsiblity has a good FAQ on Social 
Security numbers at:


CPSR says the Privacy Act of 1974 is the principal federal statutory 
authority governing solicitation and use of Social Security numbers. That 
prohibits government agencies from requiring that a person give his/her SSN 
as a condition of receiving the agency's services, and from taking punitive 
action against people who refuse to divulge their SSNs.

The 1974 Privacy Act doesn't place any such restrictions on private 

For tax-reporting purposes, the IRS requires employers to gather employees' 
Social Security numbers.  I'm sure there's a complex web of state statutes, 
case law, contract law, etc. that speak to what employers may and may not do 
with employees' SSNs.

As a practical matter, using only the last 4 digits of an employee's SSN 
gives some measure of protection to the employee. It's important to remember, 
though, that a variety of personal financial services companies use the last 
4 digits of a person's SSN as part of the identifying information that gives 
access to that person's account information, so there is a potential for harm 
from accidental release of even the last 4 digits of an employee's SSN.

                                                            Griff Palmer

On Monday 04 November 2002 02:45 pm, you wrote:
How legal is the use of the SSN for authentication. My understanding
is that the SSN is to be used by state and federal government only
Please, any legal expert, help us to understand the issue
Thank you

-----Original Message-----
From: Jim Lawton [mailto:jblii () hotmail com]
Sent: Saturday, November 02, 2002 8:00 AM
To: security-basics () security-focus com
Subject: Risk of using SS#s (last 4 digits) for authentication

We are currently considerring the limited use of employee's Social Security
numbers to authenticate them when they request a password reset from the
Help Desk.  We have chosen two items (in total) for authenticating them:
their employee # and the last 4 digits of their SS#.  Only the last 4
digits would be stored in the Help Desk app, and these would be viewable
only by Help Desk technicians.  They would only be able to see them by
selecting a specific toolbar button (the SS# screen would not visible at
all times).

We are concerned with the privacy issue potential if we use any part of a
SS# but are unaware of any legal precedent, standard or guideline either
supporting or against this use.  Does anyone have knowledge they can share,
or know of web resources that might be useful to research this issue?

We are a corporation of roughly 1200 specializig in healthcare, and HIPAA
privacy/security regs, NCQA and URAC acredidations must be taken into

Thanks in advance for any suggestions or information.


Surf the Web without missing calls! Get MSN Broadband.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]