No, you don’t need my social security number.

5639011991_8848ea5561_b

– (phone rings) Hello.
– Hello, I’m calling from American Express. Are you Mr. *****  ******?
– Yes, great that someone finally reacts to my reclamation.
– First I need to verify your identity. What’s your social security number?
– Excuse me but you are calling me on a number that you have in your register, so you can be pretty confident that you are talking to the right person. But I have no way of knowing that you really are from Amex. So YOU tell ME what my social security number is. I know you have it on file.
– (silence) Well, eh … we must identify our customers to be able to serve them by phone. It’s company policy.
– Yes, I know that. But I’m certainly NOT going to give out my number to a stranger who calls and asks for it. I really need some kind of identification from you first.

It went on like that for a while until I proposed a compromise. I told her the first part of my number and she told me the last digits. It all matched and we were able to proceed.

This post is not about American Express, it is about a severe and widespread problem that is visible in this case. The problem is these Social Security Numbers, SSNs, or National Identification Numbers which is a proper global term. They appear in most countries, in many forms and under many names. But they all have two things in common. They were designed to be unique and distinguish persons with the same name. And they are misused for identification.

The practice of using the SSN as proof of identity is really fundamentally flawed. They are used in the same way as a password, knowledge of the “secret” is supposed to prove who you are. The problem is just that the SSN isn’t designed to be secret. If you are a little bit Internet savvy, you know the basic rules for safe passwords. Think of your SSN as a password. It’s assigned once for your whole lifetime and you can’t change it. You are forced to use the same SSN on all services you use. It’s printed on various documents, depending on what country you live in. It’s recorded in numerous registers, and you don’t even know where all those registers are and who’s got access to them. Would you handle the password to your favorite net service this way? Hell, no! Still knowledge of this fundamentally flawed “password” may enable anyone to get credit, order goods, close accounts, etc. in someone else’s name. Scary!

But what can we do about it? Let’s refresh the memory with some practical advice about how to handle your SSN.

  • Do some googling and look for national advice about SSN security in your country. Laws and practices vary and a local source is typically more accurate. But here comes some generic advice.
  • Do not give out your SSN unless you know who he other part is.
  • Verify that the other part has a valid reason to use your SSN before you reveal it.
  • If a business demands your SSN, you can refuse to give it but the business can refuse to serve you. You can either comply or spend your money elsewhere.
  • Some try to phish for SSNs, look out for fraudulent web forms that ask for it.
  • Check what documents you carry in your wallet that have the SSN printed. Avoid carrying those documents daily, if possible, as your wallet may get stolen.
  • Invoices, tax documents etc. may have the SSN printed. Think about how you dispose those papers. If you have a shredder, use it.
  • Needless to say, don’t post the SSN on the net in any context.

This will help a bit, but not cure the fundamental problem. Your SSN is still used and stored so widely that you may be the victim of identity theft even if you do all this.

The problem is really the misuse of SSNs as proof of identity. And the next question is obvious, what should we use instead? Yes, that’s right. There is no common, safe and reliable method for identifying a caller. Some companies have their own methods to improve security. They may require both your SSN and for example a customer number or invoice number. Better, but still not good as those additional numbers aren’t protected very well either. The banks have good systems with sheets of one-time passwords, or similar. These system have been developed with security in mind and are typically reliable enough. They are developed for on-line access but often work for identifying a caller as well.

Banks have good systems, but they are unique for each bank. We would really need national systems, or even better, a global system for reliable identification of persons both on-line and over the phone. More and more of our transactions cross borders and national systems do not help if you are dealing with someone overseas, like in this case. The problem is not technical, public key cryptography and digital signatures could be deployed to achieve this. But agreeing on a reliable global identification standard that won’t become a privacy threat would certainly be a significant political achievement.

So we probably have to live with this flaw for quite a long time. National solutions will no doubt become available in some countries. Estonia is usually quick to utilize new technology and this is no exception, An electronic ID is a good fundament even if reliable identification over the phone still would require some additional technology. But the rest of us just have to acknowledge the risk, keep our non-secret SSNs as secret as possible and hope for the best.

Safe surfing,
Micke

Image by DonkeyHotey @ Flickr.

More posts from this topic

23717191060_edfd6a465b_k

Don’t ruin our trust in the update process!

We can see signs of a disturbing trend. Nowadays there is a built-in update process in almost every software product, and the automatic updates are essential for our devices’ security. The main driver to implement them was to be able to reach out quickly when vulnerabilities are discovered. And most users got the message. We understand the need for updates and let them be installed promptly. This is great from security point of view. So I’m very sad to see increasing misuse of users’ trust in the updates. Apple is making headlines right now with the “Error 53 scandal”. In short, upgrading to iOS 9 may brick your device, that is render it totally useless, if the new system detects that an unauthorized repair has been performed. The official reason is that Apple wants to protect the user’s data against attacks involving tampering with the device. The new functionality does however smell to high heaven. Apple has already a bad reputation for keeping its ecosystem closed and tightly managed, and this incident just feeds that reputation. It doesn’t take a genius to figure out that a move like this also benefits authorized Apple service companies over unauthorized. Bashing Windows 10 is also popular right now. I’m not going into all the security and privacy issues here. But I think the way Microsoft is pushing out Windows 10 to users of previous versions is disturbing. Yes, the automatically distributed upgrade is convenient, if you want to upgrade. And as said, upgrading is usually good from security point of view. But people may have tons of valid reasons to postpone the upgrade, and this is where things get nasty. Several gigabytes are downloaded anyway and use up disk space in vain. Language in the upgrade dialog suggests you have to upgrade. And it starts all over even if you decline, clean up and disable the updates. Even worse, now the upgrade may even start automatically without your consent! People are raging over these incidents because they cause major inconvenience and interferes with your ability to use a product you have purchased. But another at least equally severe side effect is that every case like this undermines peoples’ trust in update services. I bet people with a bricked iPhone will be hesitant to install new versions of iOS in the future. And my opinion about Microsoft’s update service has definitively changed while defending a touch-screen computer with Windows 8.1 from the upgrade. Yes, I have tried Windows 10 on it. No, it didn’t work properly so I had to roll back to 8.1. So to conclude. Rapid updates are more important than ever. Therefore it is very sad to see companies misuse the update channels to roll out features and versions that are designed mainly to boost their own business. The outcome may be that people to a larger extent decline updates or try to block update systems that can’t be disabled. Permanent damage has been caused in that case.   Micke   PS. There’s some good news for people who want to stay on their previous Windows versions. There is a registry setting that can be used to prevent the upgrade. See MS Knowledge Base Article 3080351 for more details.     Image by Nick Hubbard

February 11, 2016
BY 
Safer Internet Day

What are your kids doing for Safer Internet Day?

Today is Safer Internet Day – a day to talk about what kind of place the Internet is becoming for kids, and what people can do to make it a safe place for kids and teens to enjoy. We talk a lot about various online threats on this blog. After all, we’re a cyber security company, and it’s our job to secure devices and networks to keep people protected from more than just malware. But protecting kids and protecting adults are different ballparks. Kids have different needs, and as F-Secure Researcher Mikael Albrecht has pointed out, this isn’t always recognized by software developers or device manufacturers. So how does this actually impact kids? Well, it means parents can’t count on the devices and services kids use to be completely age appropriate. Or completely safe. Social media is a perfect example. Micke has written in the past that social media is basically designed for adults, making any sort of child protection features more of an afterthought than a focus. Things like age restrictions are easy for kids to work around. So it’s not difficult for kids to hop on Facebook or Twitter and start social networking, just like their parents or older siblings. But these services aren't designed for kids to connect with adults. So where does that leave parents? Parental controls are great tools that parents can use to monitor, and to a certain extent, limit what kids can do online. But they’re not perfect. Particularly considering the popularity of mobile devices amongst kids. Regulating content on desktop browsers and mobile apps are two different things, and while there are a lot of benefits to using mobile apps instead of web browsers, it does make using special software to regulate content much more difficult. The answer to challenges like these is the less technical approach – talking to kids. There’s some great tips for parents on F-Secure’s Digital Parenting web page, with talking points, guidelines, and potential risks that parents should learn more about. That might seem like a bit of a challenge to parents. F-Secure’s Chief Research Officer Mikko Hypponen has pointed out that today’s kids have never experienced a world without the Internet. It’s as common as electricity for them. But the nice thing about this approach is that parents can do this just by spending time with kids and learning about the things they like to do online. So if you don’t know what your kids are up to this Safer Internet Day, why not enjoy the day with your kids (or niece/nephew, or even a kid you might be babysitting) by talking over what they like to do online, and how they can enjoy doing it safely.

February 9, 2016
BY 
Virdem malware, old viruses, Malware Museum

Step back in time to when hackers were just having fun

What's so fun about old malware? In just four days more than a hundred thousand people have visited The Malware Museum -- an online repository of classic malware, mostly viruses, that infected home computers in the 1980s and 90s. Working with archivist Jason Scott, Mikko Hyppönen -- our Chief Research Officer -- put together 78 examples finest/worst examples of old-school malware that includes emulations of the infections with the destructive elements removed so you can enjoy them safely. "I only chose interesting viruses," Mikko told BBC News. The result is "nerdy nostalgia," says PC Magazine's Stephanie Mlot. The exhibits feature clunky ASCII graphics, pot references and obscure allusions to Lord of the Rings. While an early ancestor of ransomware like Casino was willing to ruin your files and call you an "a**hole," it wasn't trying to extort any cash out of you. That's because the creators of these early forms of digital vandalism were amateurs in the truest sense of the world. They did it for the love of mayhem. We long for the days of "happy hackers," as Mikko calls them, because the malware landscape today is so ominous. "Most of the malware we analyze today is coming from organized criminal groups... and intelligence agencies," Mikko explained. To keep the memories of the good old days alive, we're going to make t-shirts celebrating some classic malware. And we'd like you to choose which viruses we should commemorate. CRASH V SIGN FLAME CASINO PHANTOM (Image via @danooct1) [polldaddy poll=9302985] If you appreciate the Museum, Mikko asks that you contribute to the Internet Archive. You can learn more about Malware from Mikko's Malware Hall of Fame. Cheers, Sandra

February 8, 2016