No, you don’t need my social security number.

5639011991_8848ea5561_b

- (phone rings) Hello.
– Hello, I’m calling from American Express. Are you Mr. *****  ******?
– Yes, great that someone finally reacts to my reclamation.
– First I need to verify your identity. What’s your social security number?
– Excuse me but you are calling me on a number that you have in your register, so you can be pretty confident that you are talking to the right person. But I have no way of knowing that you really are from Amex. So YOU tell ME what my social security number is. I know you have it on file.
– (silence) Well, eh … we must identify our customers to be able to serve them by phone. It’s company policy.
– Yes, I know that. But I’m certainly NOT going to give out my number to a stranger who calls and asks for it. I really need some kind of identification from you first.

It went on like that for a while until I proposed a compromise. I told her the first part of my number and she told me the last digits. It all matched and we were able to proceed.

This post is not about American Express, it is about a severe and widespread problem that is visible in this case. The problem is these Social Security Numbers, SSNs, or National Identification Numbers which is a proper global term. They appear in most countries, in many forms and under many names. But they all have two things in common. They were designed to be unique and distinguish persons with the same name. And they are misused for identification.

The practice of using the SSN as proof of identity is really fundamentally flawed. They are used in the same way as a password, knowledge of the “secret” is supposed to prove who you are. The problem is just that the SSN isn’t designed to be secret. If you are a little bit Internet savvy, you know the basic rules for safe passwords. Think of your SSN as a password. It’s assigned once for your whole lifetime and you can’t change it. You are forced to use the same SSN on all services you use. It’s printed on various documents, depending on what country you live in. It’s recorded in numerous registers, and you don’t even know where all those registers are and who’s got access to them. Would you handle the password to your favorite net service this way? Hell, no! Still knowledge of this fundamentally flawed “password” may enable anyone to get credit, order goods, close accounts, etc. in someone else’s name. Scary!

But what can we do about it? Let’s refresh the memory with some practical advice about how to handle your SSN.

  • Do some googling and look for national advice about SSN security in your country. Laws and practices vary and a local source is typically more accurate. But here comes some generic advice.
  • Do not give out your SSN unless you know who he other part is.
  • Verify that the other part has a valid reason to use your SSN before you reveal it.
  • If a business demands your SSN, you can refuse to give it but the business can refuse to serve you. You can either comply or spend your money elsewhere.
  • Some try to phish for SSNs, look out for fraudulent web forms that ask for it.
  • Check what documents you carry in your wallet that have the SSN printed. Avoid carrying those documents daily, if possible, as your wallet may get stolen.
  • Invoices, tax documents etc. may have the SSN printed. Think about how you dispose those papers. If you have a shredder, use it.
  • Needless to say, don’t post the SSN on the net in any context.

This will help a bit, but not cure the fundamental problem. Your SSN is still used and stored so widely that you may be the victim of identity theft even if you do all this.

The problem is really the misuse of SSNs as proof of identity. And the next question is obvious, what should we use instead? Yes, that’s right. There is no common, safe and reliable method for identifying a caller. Some companies have their own methods to improve security. They may require both your SSN and for example a customer number or invoice number. Better, but still not good as those additional numbers aren’t protected very well either. The banks have good systems with sheets of one-time passwords, or similar. These system have been developed with security in mind and are typically reliable enough. They are developed for on-line access but often work for identifying a caller as well.

Banks have good systems, but they are unique for each bank. We would really need national systems, or even better, a global system for reliable identification of persons both on-line and over the phone. More and more of our transactions cross borders and national systems do not help if you are dealing with someone overseas, like in this case. The problem is not technical, public key cryptography and digital signatures could be deployed to achieve this. But agreeing on a reliable global identification standard that won’t become a privacy threat would certainly be a significant political achievement.

So we probably have to live with this flaw for quite a long time. National solutions will no doubt become available in some countries. Estonia is usually quick to utilize new technology and this is no exception, An electronic ID is a good fundament even if reliable identification over the phone still would require some additional technology. But the rest of us just have to acknowledge the risk, keep our non-secret SSNs as secret as possible and hope for the best.

Safe surfing,
Micke

Image by DonkeyHotey @ Flickr.

More posts from this topic

Unbenannt-1

16 ways SAFE protects your devices, your family and you

In the early twenty-first century, when hackers were mostly pranksters, having security software on your PC was mostly about saving you some trouble. In 2014, international crime syndicates regularly co-opt millions of computers in order to systematically steal banking information, take identities and hold files for ransom, security isn't about convenience. It's about giving our families the freedom to live our lives online with out the threat of strangers invading our lives, hijacking our time and money. An anti-virus on one PC is a good step. But who just uses one PC now? Many of us three different devices before breakfast. That's why we created F-Secure SAFE -- it's built to protect all the devices and all of the people in your family. The latest update of SAFE is designed to make it easier to install on infected computers for a smoother overall experience. It also gives your tools to keep your devices and family safe wherever they go. Since SAFE is such a dramatic expansion of what our traditional F-Secure Internet Security does we wanted to cover 16 ways it protects you, your family and your devices. And to celebrate the new SAFE launch, we're giving away one SAFE hoodie and a free year of SAFE on our Facebook page every day for 16 days beginning on September 16. Please read the rules and enter now. Here's how SAFE protects you, your devices and your family: PCs and laptops 1. Protection against ransomware Thanks to browsing protection, F-Secure SAFE protects you against malicious software that impersonates authorities, such as Interpol or the FBI, and may block your computer, demanding ransom for unblocking it and preventing you from accessing your files until you pay. Thanks to F-Secure SAFE, all known versions of this insidious type of malware can't get on your computer. 2. Protect your home computer in the same way your office computer is protected Your office computer is protected by software that safeguards it against viruses and protects corporate data against theft by criminals. SAFE gives you the same options on your home computer. 3. Limit the time your children spend on the Internet. If you think that your children may spend too much time browsing the internet or playing online games, SAFE will let you decide for how many hours they are allowed to do it every day. You can easily define in which hours exactly they connect to the Internet. If they try to go online during unapproved times, the computer will not connect to the Internet. 4. Online banking protection your bank knows you need Do you know that most banks recommend in terms of security is using paid anti-virus software when banking online? SAFE ensures you meet these recommendations. 5. Safeguard your memories  F-Secure Safe protects the photos and videos of your children or grandchildren against falling into the wrong hands. The built-in anti-virus application and protection against as-yet-unknown threats ensure that all of the memories collected on your computer are fully protected. Your files will never be destroyed, encoded to demand payment for decoding them, or intercepted in order to be published or to gain profit from distributing them. 6. Protect your children against adult content Define which sort of content can be accessed by your children, whether you're monitoring them or not. 7. Shop online without worry Thanks to protection against spyware and browsing protection, your credit card number is invisible to criminals. Now you can relax when shopping online, booking hotels or buying air tickets. Tablets 1. Control which apps your kids can install Keep games that involve virtual violence, sex or gambling off your child's device with a simple setting. 2. Decide which sites your child can visit  Even if they use tablets in their rooms, you can be sure that they visit no websites inappropriate for their age. 3. Protect your device against malware with browsing protection. Protect yourself from phishing scams, ransomware and malicious apps that could be triggered by visiting the wrong site. 4. Keep login data and online banking passwords secure SAFE protects your tablet against spyware that steals your bank login data. Smartphones 1. Find your missing phone. Locate your lost phone and make sure no one can access your data should your device be stolen. 2. Find your child Check the location of your child’s phone from our simple web portal. 3. Avoid surprising charges Are you concerned that your children may install games than require additional payments? F-Secure Safe lets you control which software is installed on their phones. 4. Block calls and text messages from unwanted numbers Start your own "Do not call" list with this feature that allows you decide who has access to you through your phone. 5. Keep your phone malware free More than 99 percent of all mobile malware targets Android, which is the second most targeted platform in the world behind Windows. With SAFE, you have protection from increasingly complex ransomware and trojans designed to get inside your phone then your wallet. You can try F-Secure SAFE for free now. Cheers, Sandra

Sep 15, 2014
Unbenannt-2

Why your Apple Watch will probably never be infected by malware

On Tuesday Apple announced its latest iPhone models and a new piece of wearable technology some have been anxiously waiting for -- Apple Watch. TechRadar describes the latest innovation from Cupertino as "An iOS 8-friendly watch that plays nice with your iPhone." And if it works like your iPhone, you can expect that it will free of all mobile malware threats, unless you decide to "jailbreak" it. The latest F-Secure Labs Threat Report clears up one big misconception about iOS malware: It does exist, barely. In the first half of 2014, 295 new families and variants or mobile malware were discovered – 294 on Android and one on iOS.  iPhone users can face phishing scams and Wi-Fi hijacking, which is why we created our Freedome VPN, but the threat of getting a bad app on your iOS device is almost non-existent. "Unlike Android, malware on iOS have so far only been effective against jailbroken devices, making the jailbreak tools created by various hacker outfits (and which usually work by exploiting undocumented bugs in the platform) of interest to security researchers," the report explains. The iOS threat that was found earlier this year, Unflod Baby Panda, was designed to listen to outgoing SSL connections in order to steal the device’s Apple ID and password details. Apple ID and passwords have been in the news recently as they may have played a role in a series of hacks of celebrity iCloud accounts that led to the posting of dozens of private photos. Our Mikko Hypponen explained in our latest Threat Report Webinar that many users have been using these accounts for years, mostly to purchase items in the iTunes store, without realizing how much data they were actually protecting. But Unflod Baby Panda is very unlikely to have played any role in the celebrity hacks, as "jailbreaking" a device is still very rare. Few users know about the hack that gives up the protection of the "closed garden" approach of the iOS app store, which has been incredibly successful in keeping malware off the platform, especially compared to the more open Android landscape. The official Play store has seen some infiltration by bad apps, adware and spamware -- as has the iOS app store to a far lesser degree -- but the majority of Android threats come from third-party marketplaces, which is why F-Secure Labs recommends you avoid them. The vast majority of iPhone owners have never had to worry about malware -- and if the Apple Watch employs the some tight restrictions on apps, the device will likely be free of security concerns. However, having a watch with the power of a smartphone attached to your body nearly twenty-four hours a day promises to introduce privacy questions few have ever considered.    

Sep 9, 2014
BY Jason