Security Basics mailing list archives
RE: Risk of using SS#s (last 4 digits) for authentication
From: "Jason Coombs" <jasonc () science org>
Date: Fri, 8 Nov 2002 21:24:09 -1000
Aloha,

You can do anything you want with a person's SSN, and so can the State and Federal government.

See http://www.epic.org/privacy/ssn/
See http://www.epic.org/privacy/ssn/alternatives_ssn.html

Here in Hawai'i my driver's license number is my social security number. The State is working to remedy this problem, and recently it became possible for me to request a replacement number and be issued a new license.

http://www.co.honolulu.hi.us/refs/bill/text/2002/r242.htm

This condition was mandatory when my license was first issued, and my option if I didn't want my SSN to appear on my driver's license was to try to live without a State-issued identification card and without legal driving privileges. There were some options, such as an International Driver's license, or claiming residency in another State, but they would have required a considerable amount of effort and cost and might have resulted in legal problems of a different sort -- tax evasion, etc.

The FBI gave testimony before the House Ways and Means Subcommittee on Social Security recently. The testimony is somewhat interesting:

http://waysandmeans.house.gov/socsec/107cong/9-19-02/9-19ashl.htm

An argument against use of the SSN that is much stronger than the privacy argument is the one of religious freedom guaranteed by the First Amendment.

See BOWEN v. ROY, 476 U.S. 693 (1986), U.S. Supreme Court decision that reversed a lower court decision where "the court held that the public interest in maintaining an efficient and fraud-resistant system could be met without requiring a Social Security number" and required the Secretary of Health and Human Services of the plaintiff's State to provide AFDC and Food Stamp program assistance to the plaintiff's 2-year-old daughter, Little Bird of the Snow.

The arguments made by plaintiff are especially interesting:

'At trial, Roy testified that he had recently developed a religious objection to obtaining a Social Security number for Little Bird of the Snow. 2 Roy is a Native American descended from the Abenaki Tribe, and he asserts a religious belief that control over one's life is essential to spiritual purity and indispensable to "becoming a holy person." Based on recent conversations with an Abenaki chief, Roy believes that technology is "robbing the spirit of man." In order to prepare his daughter for greater spiritual power, therefore, Roy testified to his belief that he must keep her person and spirit unique and that the uniqueness of the Social Security number as an identifier, coupled with the other uses of the number over which she has no control, will serve to "rob the spirit" of his daughter and prevent her from attaining greater spiritual power.'

http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl?court=us&vol=476&invol=693

If you listen carefully, you can almost hear your spirit being robbed every moment of every day by the machinery of modern society. But the benefits sure are great.

Sincerely,

Jason Coombs
jasonc () science org

-----Original Message-----
From: David Greenstein [mailto:dgreenst () tir com]
Sent: Monday, November 04, 2002 12:45 PM
To: Jim Lawton; security-basics () security-focus com
Subject: RE: Risk of using SS#s (last 4 digits) for authentication

How legal is the use of the SSN for authentication? My understanding is that the SSN is to be used by state and federal government only.

Please, any legal expert, help us to understand the issue.

Thank you

-----Original Message-----
From: Jim Lawton [mailto:jblii () hotmail com]
Sent: Saturday, November 02, 2002 8:00 AM
To: security-basics () security-focus com
Subject: Risk of using SS#s (last 4 digits) for authentication

We are currently considering the limited use of employees' Social Security numbers to authenticate them when they request a password reset from the Help Desk. We have chosen two items (in total) for authenticating them: their employee # and the last 4 digits of their SS#.

Only the last 4 digits would be stored in the Help Desk app, and these would be viewable only by Help Desk technicians. They would only be able to see them by selecting a specific toolbar button (the SS# screen would not be visible at all times).

We are concerned with the privacy issue potential if we use any part of a SS# but are unaware of any legal precedent, standard or guideline either supporting or against this use.

Does anyone have knowledge they can share, or know of web resources that might be useful to research this issue?

We are a corporation of roughly 1200 specializing in healthcare, and HIPAA privacy/security regs, NCQA and URAC accreditations must be taken into consideration.

Thanks in advance for any suggestions or information.

JBL
