Posted by: David Schneier
Data Breaches and Identity Theft
After years of screaming and yelling from privacy advocates, consumer groups and others with some common sense, the Congress is finally coming around to the idea that using Social Security numbers as identifiers is bad. SSNs are used in so many places these days that it may be too late for this to do any good for anyone who’s over the age of three, but it’s worth a try. I’ve been to conferences where they printed attendees’ SSNs on their badges as a “security precaution.” And I’ve also watched security experts sit in the lobby of a conference hotel and sniff the wireless network with a free tool and grab dozens of SSNs as people register for the show. This stuff is not difficult.
As Caron Carlson points out in her story, the federal government not only leaves many SSNs exposed as a matter of course, it also has no standard for how to truncate them. That means some agencies use the first five digits as an identifier, while others use the last four, making it trivial for thieves to put the pieces together. But agencies and some private sector special interest groups are complaining it’s too hard to change to a new identifier. Really? My dental insurance company just did it and it went off without a hitch. Laziness is no longer an acceptable defense for using SSNs.
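The truncation problem described above can be checked mechanically. The following is an added example, not code from the original post: it audits a set of display masks and flags any pair of systems whose combined output leaves too little of the number hidden. The agency names, the mask notation (`D` for a shown digit, `X` for a hidden one) and the `min_space` threshold are assumptions made for illustration.

```python
"""Audit truncation policies for a 9-digit identifier (added example)."""
from itertools import combinations

ID_LENGTH = 9  # digits in a Social Security number


def exposed_positions(mask: str) -> frozenset[int]:
    """Return the digit positions (0-8) that a display mask reveals.

    Hypothetical notation: 'D' = digit shown, 'X' = digit hidden;
    dashes and spaces are ignored.
    """
    cells = [c for c in mask.upper() if c not in "- "]
    if len(cells) != ID_LENGTH or any(c not in "DX" for c in cells):
        raise ValueError(f"bad mask: {mask!r}")
    return frozenset(i for i, c in enumerate(cells) if c == "D")


def residual_space(masks: list[str]) -> int:
    """Upper bound on the candidates left to someone who sees the same
    number under every mask in `masks` (10 per still-hidden digit)."""
    seen = frozenset().union(*(exposed_positions(m) for m in masks))
    return 10 ** (ID_LENGTH - len(seen))


def audit(policies: dict[str, str], min_space: int = 10**5) -> list[tuple[str, str, int]]:
    """Flag each pair of systems whose combined output leaves fewer than
    `min_space` candidates. The default is what a single last-four
    truncation leaves; the threshold itself is an assumption."""
    findings = []
    for (a, mask_a), (b, mask_b) in combinations(sorted(policies.items()), 2):
        space = residual_space([mask_a, mask_b])
        if space < min_space:
            findings.append((a, b, space))
    return findings


# Constructed policies mirroring the two schemes the post mentions.
POLICIES = {
    "agency_a": "DDD-DD-XXXX",  # shows the first five digits
    "agency_b": "XXX-XX-DDDD",  # shows the last four digits
    "agency_c": "XXX-XX-DDDD",  # same scheme as agency_b
}

if __name__ == "__main__":
    for a, b, space in audit(POLICIES):
        print(f"{a} + {b}: {space} candidate(s) remain")
```

Two systems that truncate the same way add nothing to each other, which is why a single standard matters: only the mixed pairs are flagged.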