No, you don’t need my social security number.


– (phone rings) Hello.
– Hello, I’m calling from American Express. Are you Mr. *****  ******?
– Yes, great that someone finally reacts to my reclamation.
– First I need to verify your identity. What’s your social security number?
– Excuse me but you are calling me on a number that you have in your register, so you can be pretty confident that you are talking to the right person. But I have no way of knowing that you really are from Amex. So YOU tell ME what my social security number is. I know you have it on file.
– (silence) Well, eh … we must identify our customers to be able to serve them by phone. It’s company policy.
– Yes, I know that. But I’m certainly NOT going to give out my number to a stranger who calls and asks for it. I really need some kind of identification from you first.

It went on like that for a while until I proposed a compromise. I told her the first part of my number and she told me the last digits. It all matched and we were able to proceed.

This post is not about American Express; it is about a severe and widespread problem that this case makes visible. The problem is these Social Security Numbers, SSNs, or National Identification Numbers, which is the proper global term. They exist in most countries, in many forms and under many names, but they all have two things in common. They were designed as identifiers: unique values that tell apart persons with the same name. And they are misused as authenticators, as if knowing the number proved that you are the person it points to.

Using the SSN as proof of identity is fundamentally flawed. It is used like a password: knowledge of the “secret” is supposed to prove who you are. The problem is that the SSN was never designed to be secret. If you are a little Internet savvy, you know the basic rules for safe passwords, so think of your SSN as a password. It is assigned once for your whole lifetime and you can’t change it. You are forced to use the same SSN with every service you deal with. It is printed on various documents, depending on what country you live in. It is recorded in numerous registers, and you don’t even know where all those registers are or who has access to them. Would you handle the password to your favorite net service this way? Hell, no! Still, knowledge of this fundamentally flawed “password” may enable anyone to get credit, order goods, close accounts, etc. in someone else’s name. Scary!

But what can we do about it? Let’s refresh our memory with some practical advice about how to handle your SSN.

  • Do some googling and look for national advice about SSN security in your country. Laws and practices vary, and a local source is typically more accurate. But here is some generic advice.
  • Do not give out your SSN unless you know who the other party is. If someone calls and asks for it, hang up and call back on the number printed on your card, statement or the company’s official web site; that way you know whom you are talking to.
  • Verify that the other party has a valid reason to use your SSN before you reveal it.
  • If a business demands your SSN, you can refuse to give it, but the business can refuse to serve you. You can either comply or spend your money elsewhere.
  • Some try to phish for SSNs; look out for fraudulent web forms and e-mails that ask for it.
  • Check which documents you carry in your wallet have the SSN printed on them. Avoid carrying those documents daily, if possible, as your wallet may get stolen.
  • Invoices, tax documents etc. may have the SSN printed on them. Think about how you dispose of those papers. If you have a shredder, use it.
  • Needless to say, don’t post the SSN on the net in any context.

This will help a bit, but it will not cure the fundamental problem. Your SSN is still used and stored so widely that you may become a victim of identity theft even if you do all this.

The problem is really the misuse of SSNs as proof of identity, and the next question is obvious: what should we use instead? Sadly, there is no common, safe and reliable method for identifying a caller. Some companies have their own methods to improve security; they may require both your SSN and, for example, a customer number or invoice number. Better, but still not good, as those additional numbers are static, printed on paper and not protected very well either. The banks have good systems with sheets of one-time passwords or similar. These systems were developed with security in mind and are typically reliable enough. They were developed for on-line access but often work for identifying a caller as well: each code is used once, so a code that is overheard or written down is worthless for the next call.

Banks have good systems, but each is unique to that bank. We would really need national systems, or even better a global system, for reliable identification of persons both on-line and over the phone. More and more of our transactions cross borders, and national systems do not help if you are dealing with someone overseas, as in this case. The problem is not technical: public key cryptography and digital signatures could be deployed to achieve this, and they work in both directions, so the caller could prove that she really is from the bank just as the customer proves who he is. But agreeing on a reliable global identification standard that won’t become a privacy threat would certainly be a significant political achievement.
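The idea behind the one-time-password sheets and the digital signatures mentioned above, worked through as an added example (this is not code from the post, nor from American Express or any bank): both ends of the call hold a secret that was provisioned out of band, and each side proves knowledge of it by answering the other side’s fresh challenge with a short spoken code. The HMAC construction, the Party class, the six-digit codes, the party names and the secrets are my assumptions for the sake of illustration; a bank’s OTP sheet or a signature-based electronic ID would take the place of the HMAC. Nothing static, neither the secret nor the SSN, is ever read out loud, which is exactly what the half-and-half compromise in the story could not achieve.

```python
"""Mutual challenge-response over a voice channel (constructed example).

Both parties hold a shared secret provisioned out of band (the role an OTP
sheet or an authenticator plays). Each proves knowledge of it by answering a
fresh challenge spoken by the other side. The secret is never spoken, and a
captured answer is useless for any other challenge."""

import hashlib
import hmac
import secrets

CODE_DIGITS = 6  # length of the code read out over the phone


def make_challenge() -> str:
    """Fresh, unpredictable challenge spoken aloud by the verifying party."""
    return f"{secrets.randbelow(10**8):08d}"


def response_code(secret: bytes, role: str, challenge: str) -> str:
    """Derive a short spoken code from the secret and the challenge.

    The role label is mixed in so a code the bank produced to prove itself
    can never be replayed as a customer's answer, or vice versa."""
    mac = hmac.new(secret, f"{role}:{challenge}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"


def verify(secret: bytes, role: str, challenge: str, spoken: str) -> bool:
    """Constant-time comparison of the spoken code with the expected one."""
    return hmac.compare_digest(response_code(secret, role, challenge), spoken)


class Party:
    """One end of the call. Holds the shared secret and remembers the
    challenges it has issued so that each one can be answered only once."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret
        self.open_challenges: set[str] = set()

    def challenge(self) -> str:
        c = make_challenge()
        self.open_challenges.add(c)
        return c

    def answer(self, my_role: str, challenge: str) -> str:
        return response_code(self.secret, my_role, challenge)

    def check(self, their_role: str, challenge: str, spoken: str) -> bool:
        # A challenge is consumed whether or not the answer is right, so a
        # wrong guess cannot be retried and a right one cannot be replayed.
        if challenge not in self.open_challenges:
            return False
        self.open_challenges.discard(challenge)
        return verify(self.secret, their_role, challenge, spoken)


def mutual_auth(customer: Party, caller: Party) -> tuple[bool, bool]:
    """Run the call. Step 1: the customer challenges the caller, so the bank
    proves itself first ("YOU tell ME"). Step 2: only then does the customer
    answer the bank's challenge. Returns (bank_ok, customer_ok)."""
    c1 = customer.challenge()
    bank_ok = customer.check("bank", c1, caller.answer("bank", c1))
    if not bank_ok:
        return False, False  # the customer hangs up having revealed nothing
    c2 = caller.challenge()
    customer_ok = caller.check("customer", c2, customer.answer("customer", c2))
    return bank_ok, customer_ok


def demo() -> dict[str, tuple[bool, bool]]:
    """Genuine call versus an impostor who does not hold the secret."""
    shared = b"constructed shared secret, provisioned out of band"  # constructed
    genuine = mutual_auth(Party("customer", shared), Party("bank agent", shared))
    impostor = mutual_auth(Party("customer", shared), Party("impostor", b"guess"))
    return {"genuine": genuine, "impostor": impostor}


if __name__ == "__main__":
    for case, (bank_ok, customer_ok) in demo().items():
        print(f"{case}: caller proved itself={bank_ok}, customer proved himself={customer_ok}")
```

The ordering matters: the customer refuses to answer anything until the caller has answered correctly, so an impostor learns nothing, not even a six-digit code. With real public-key credentials the same exchange runs with a signature over the challenge instead of the HMAC, and no shared secret has to be stored on the bank’s side at all.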

So we probably have to live with this flaw for quite a long time. National solutions will no doubt become available in some countries. Estonia is usually quick to adopt new technology, and this is no exception. An electronic ID is a good foundation, even if reliable identification over the phone would still require some additional technology. But the rest of us just have to acknowledge the risk, keep our non-secret SSNs as secret as possible and hope for the best.

Safe surfing,
Micke

Image by DonkeyHotey @ Flickr.
