No, you don’t need my social security number.

5639011991_8848ea5561_b

– (phone rings) Hello.
– Hello, I’m calling from American Express. Are you Mr. *****  ******?
– Yes, great that someone finally reacts to my reclamation.
– First I need to verify your identity. What’s your social security number?
– Excuse me but you are calling me on a number that you have in your register, so you can be pretty confident that you are talking to the right person. But I have no way of knowing that you really are from Amex. So YOU tell ME what my social security number is. I know you have it on file.
– (silence) Well, eh … we must identify our customers to be able to serve them by phone. It’s company policy.
– Yes, I know that. But I’m certainly NOT going to give out my number to a stranger who calls and asks for it. I really need some kind of identification from you first.

It went on like that for a while until I proposed a compromise. I told her the first part of my number and she told me the last digits. It all matched and we were able to proceed.

This post is not about American Express, it is about a severe and widespread problem that is visible in this case. The problem is these Social Security Numbers, SSNs, or National Identification Numbers which is a proper global term. They appear in most countries, in many forms and under many names. But they all have two things in common. They were designed to be unique and distinguish persons with the same name. And they are misused for identification.

The practice of using the SSN as proof of identity is really fundamentally flawed. They are used in the same way as a password, knowledge of the “secret” is supposed to prove who you are. The problem is just that the SSN isn’t designed to be secret. If you are a little bit Internet savvy, you know the basic rules for safe passwords. Think of your SSN as a password. It’s assigned once for your whole lifetime and you can’t change it. You are forced to use the same SSN on all services you use. It’s printed on various documents, depending on what country you live in. It’s recorded in numerous registers, and you don’t even know where all those registers are and who’s got access to them. Would you handle the password to your favorite net service this way? Hell, no! Still knowledge of this fundamentally flawed “password” may enable anyone to get credit, order goods, close accounts, etc. in someone else’s name. Scary!

But what can we do about it? Let’s refresh the memory with some practical advice about how to handle your SSN.

  • Do some googling and look for national advice about SSN security in your country. Laws and practices vary and a local source is typically more accurate. But here comes some generic advice.
  • Do not give out your SSN unless you know who he other part is.
  • Verify that the other part has a valid reason to use your SSN before you reveal it.
  • If a business demands your SSN, you can refuse to give it but the business can refuse to serve you. You can either comply or spend your money elsewhere.
  • Some try to phish for SSNs, look out for fraudulent web forms that ask for it.
  • Check what documents you carry in your wallet that have the SSN printed. Avoid carrying those documents daily, if possible, as your wallet may get stolen.
  • Invoices, tax documents etc. may have the SSN printed. Think about how you dispose those papers. If you have a shredder, use it.
  • Needless to say, don’t post the SSN on the net in any context.

This will help a bit, but not cure the fundamental problem. Your SSN is still used and stored so widely that you may be the victim of identity theft even if you do all this.

The problem is really the misuse of SSNs as proof of identity. And the next question is obvious, what should we use instead? Yes, that’s right. There is no common, safe and reliable method for identifying a caller. Some companies have their own methods to improve security. They may require both your SSN and for example a customer number or invoice number. Better, but still not good as those additional numbers aren’t protected very well either. The banks have good systems with sheets of one-time passwords, or similar. These system have been developed with security in mind and are typically reliable enough. They are developed for on-line access but often work for identifying a caller as well.

Banks have good systems, but they are unique for each bank. We would really need national systems, or even better, a global system for reliable identification of persons both on-line and over the phone. More and more of our transactions cross borders and national systems do not help if you are dealing with someone overseas, like in this case. The problem is not technical, public key cryptography and digital signatures could be deployed to achieve this. But agreeing on a reliable global identification standard that won’t become a privacy threat would certainly be a significant political achievement.

So we probably have to live with this flaw for quite a long time. National solutions will no doubt become available in some countries. Estonia is usually quick to utilize new technology and this is no exception, An electronic ID is a good fundament even if reliable identification over the phone still would require some additional technology. But the rest of us just have to acknowledge the risk, keep our non-secret SSNs as secret as possible and hope for the best.

Safe surfing,
Micke

Image by DonkeyHotey @ Flickr.

More posts from this topic

brain floppy, scanning engines, malware scanning

5 Ways We Stop Cyber Attacks In Their Tracks

See that floppy disc? That's how F-Secure Labs used to get malware to analyze. Nowadays, of course, it's much different, Andy Patel from the Labs explained in a recent post, "What's The Deal with Scanning Engines?" In just a few hundred words, Andy lays out what makes modern protection so different from the anti-virus that you remember from the 80s, 90s or even the early 00s. And it's not just that floppy disks the Labs once analyzed have been replaced by almost any sort of digital input, down to a piece of memory or a network stream. The whole post is worth checking out if you're interested in how relentless modern internet security must be to keep up with the panoply of online threats we face. But here's a quick look at five of the key components of endpoint protection that work in tandem to stop attacks in their tracks, as described by Andy: Scanning engines. Today’s detections are really just complex computer programs, designed to perform intricate sample analysis directly on the client. Modern detections are designed to catch thousands, or even hundreds of thousands of samples. URL blocking. Preventing a user from being exposed to a site hosting an exploit kit or other malicious content negates the need for any further protection measures. We do this largely via URL and IP reputation cloud queries. Spam blocking and email filtering also happen here. Exploit detection. If a user does manage to visit a site hosting an exploit kit, and that user is running vulnerable software, any attempt to exploit that vulnerable software will be blocked by our behavioral monitoring engine. Network and on-access scanning. If a user receives a malicious file via email or download, it will be scanned on the network or when it is written to disk. If the file is found to be malicious, it will be removed from the user’s system. Behavioral blocking. Assuming no file-based detection existed for the object, the user may then go on to open or execute the document, script, or program. At this point, malicious behavior will be blocked by our behavioral engine and again, the file will be removed. The fact is, a majority of malware delivery mechanisms are easily blocked behaviorally. In most cases, when we find new threats, we also discover that we had, in the distant past, already added logic addressing the mechanisms it uses.If you're interested in knowing more about behavioral engines, check out this post in which Andy makes then easy to understand by comparing the technology to securing an office building. So you must be wondering, does this all work? Is it enough? Well, our experts and our computers are always learning. But in all the tests this year run by independent analysts AV-Comparatives, we’ve blocked 100% of the real-world threats thrown at us. Cheers, Jason  

May 24, 2016
BY 
Customer Day F-Secure

Customer Day at F-Secure: Technology Enables, Feelings Live

The Internet is pretty cool. You can use it to learn about things happening all over the world. You can start your own blog or social media account to share your views and speak up about the things you care about. You can stay in touch with people that live far away. It’s really all about connecting people, and it’s changed how people live their lives. The odd thing about all this connecting is that it's surprisingly easy to become disconnected from actual people. Spending time in front of a computer screen, especially when working in roles that involve lots of engineering or programming, can put people out of the picture. All too often, things get reduced to bits and pieces of information. People are what’s important to companies. Not just employees, but all the people involved with a business. And many companies say that the customer is #1, but they’ll have employees who never interact with the people they’re serving. So in this era of hyper connectivity, it’s easy for companies and employees to lose touch with the people that are actually paying their salaries. So Donal Crotty, F-Secure’s Director of Customer Advocacy, started a new tradition in 2015 to celebrate how we feel about customers, give them an opportunity to candidly share their views on the company with the Fellows that work here, and learn more about the company and the people that help make it a success. It’s called Customer Day. “Not everyone at F-Secure has the pleasure of actually meeting the people they’re trying to help,” says Donal. “It’s just the nature of some jobs. But it’s a real shame, because all the metrics and analytical tools companies use to gauge how happy or unhappy customers actually are simply aren’t enough. Numbers and data are no replacement for people, and that’s what Customer Day is for.” So today is the 2nd annual Customer Day at F-Secure (#fscustomerday16 on Twitter). And here at our Helsinki headquarters, as well as several of our regional offices around the world, Fellows and customers are coming together to connect with each other and learn more about the people and products. And have a bit of fun too. “IT companies will often say that they’re about people and not technology. But I’m not sure how many of them actually make the effort to put the people that build products and provide behind the scenes services in front of customers” says Donal. “We, as in people in companies, talk about customer experience, but it takes something more than just talking about it to make it meaningful. I like to think of it as a type of feeling. Our technology enables, but the feeling we give to customers is what we want them to live with.” Images provided by Bret Pulkka-Stone.

May 13, 2016
BY 
winners

Why F-Secure’s the 4th Most Attractive Employer for IT Students

IT companies used to have a pretty bad image. It’s not that they’re bad companies giving people bad jobs. They just never screamed “job satisfaction” to the general public. The stereotype of IT companies as inhuman, mundane places to work became so well-known that a hilarious comedy from the 90’s called Office Space satirized the idea. The movie told the story of a disgruntled programmer who rebelled against the soulless, life-sucking office environment of the IT company he worked for in order to find happiness. The movie and the stereotype are a bit old now. But I think it’s still safe to assume that the environment represented in Office Space, and the lifestyles of the people who work there, is something everyone would like to avoid. And according to Universum – a research firm that specialized in employer branding – F-Secure is ahead of the game in offering people a place where they’d actually LIKE to work. At least according to IT students. F-Secure was ranked as the 4th most attractive employer amongst Finnish IT students in Universum’s 2016 Most Attractive Employers ranking (up from 5th in last year’s rankings), beat out only by Google, Microsoft, and Finnish game company Supercell. So what is it that makes F-Secure such an appealing employer? Well, here’s a few things we’re doing that separates us from the kind of company shown in Office Space. We don't box people into cubicles People at F-Secure aren’t expected to isolate themselves from other Fellows and sit by themselves in cubicles. Our Fellows work together in whatever way makes them feel comfortable. In fact, as a global company with offices and people working all over the world, we often think outside the box and take whatever approach lets people work together to get the best results. We don’t stop at securing computers – we secure society This sentiment, recently expressed by F-Secure Chief Research Officer Mikko Hypponen, highlights the importance of what we do at F-Secure. We deal with real adversaries and security threats, whether that’s an advanced persistent threat group working on behalf of a government, or a gang of online extortionists looking to spread ransomware or steal data to blackmail people. Having active adversaries to work against presents us with a constantly evolving set of threats to people and companies. The opportunity to combat those threats makes our days challenging, but exciting and fulfilling. We know how to chill out Cyber security is a tough business. As mentioned above, we deal with real adversaries and threats. When we’re doing our jobs, we’re focused 100% on winning. But we also understand it’s important to be able to unwind, so Fellows are encouraged to enjoy themselves at work. Our HQ has things like a sauna, a gym, games, and other things for people to enjoy when they need to step out of the fight for a few minutes. With great power comes great responsibility, but everyone needs some time to chill out (even if it’s in a scorching hot sauna). So F-Secure has a lot going for it, and based on Universum’s rankings, it looks like that’s paying off. But why don’t you tell us what’s most important to you in a workplace. Finnish IT students already think F-Secure would be a great place to work, but we’re always ready to do more. And why not check out our current openings to see if there’s a place that’s right for you. [polldaddy poll=9407357] Image: A team of Aalto University students that won an award for a software project sponsored by F-Secure. Read more here.

May 4, 2016
BY