No, you don’t need my social security number.

5639011991_8848ea5561_b

- (phone rings) Hello.
– Hello, I’m calling from American Express. Are you Mr. *****  ******?
– Yes, great that someone finally reacts to my reclamation.
– First I need to verify your identity. What’s your social security number?
– Excuse me but you are calling me on a number that you have in your register, so you can be pretty confident that you are talking to the right person. But I have no way of knowing that you really are from Amex. So YOU tell ME what my social security number is. I know you have it on file.
– (silence) Well, eh … we must identify our customers to be able to serve them by phone. It’s company policy.
– Yes, I know that. But I’m certainly NOT going to give out my number to a stranger who calls and asks for it. I really need some kind of identification from you first.

It went on like that for a while until I proposed a compromise. I told her the first part of my number and she told me the last digits. It all matched and we were able to proceed.

This post is not about American Express, it is about a severe and widespread problem that is visible in this case. The problem is these Social Security Numbers, SSNs, or National Identification Numbers which is a proper global term. They appear in most countries, in many forms and under many names. But they all have two things in common. They were designed to be unique and distinguish persons with the same name. And they are misused for identification.

The practice of using the SSN as proof of identity is really fundamentally flawed. They are used in the same way as a password, knowledge of the “secret” is supposed to prove who you are. The problem is just that the SSN isn’t designed to be secret. If you are a little bit Internet savvy, you know the basic rules for safe passwords. Think of your SSN as a password. It’s assigned once for your whole lifetime and you can’t change it. You are forced to use the same SSN on all services you use. It’s printed on various documents, depending on what country you live in. It’s recorded in numerous registers, and you don’t even know where all those registers are and who’s got access to them. Would you handle the password to your favorite net service this way? Hell, no! Still knowledge of this fundamentally flawed “password” may enable anyone to get credit, order goods, close accounts, etc. in someone else’s name. Scary!

But what can we do about it? Let’s refresh the memory with some practical advice about how to handle your SSN.

  • Do some googling and look for national advice about SSN security in your country. Laws and practices vary and a local source is typically more accurate. But here comes some generic advice.
  • Do not give out your SSN unless you know who he other part is.
  • Verify that the other part has a valid reason to use your SSN before you reveal it.
  • If a business demands your SSN, you can refuse to give it but the business can refuse to serve you. You can either comply or spend your money elsewhere.
  • Some try to phish for SSNs, look out for fraudulent web forms that ask for it.
  • Check what documents you carry in your wallet that have the SSN printed. Avoid carrying those documents daily, if possible, as your wallet may get stolen.
  • Invoices, tax documents etc. may have the SSN printed. Think about how you dispose those papers. If you have a shredder, use it.
  • Needless to say, don’t post the SSN on the net in any context.

This will help a bit, but not cure the fundamental problem. Your SSN is still used and stored so widely that you may be the victim of identity theft even if you do all this.

The problem is really the misuse of SSNs as proof of identity. And the next question is obvious, what should we use instead? Yes, that’s right. There is no common, safe and reliable method for identifying a caller. Some companies have their own methods to improve security. They may require both your SSN and for example a customer number or invoice number. Better, but still not good as those additional numbers aren’t protected very well either. The banks have good systems with sheets of one-time passwords, or similar. These system have been developed with security in mind and are typically reliable enough. They are developed for on-line access but often work for identifying a caller as well.

Banks have good systems, but they are unique for each bank. We would really need national systems, or even better, a global system for reliable identification of persons both on-line and over the phone. More and more of our transactions cross borders and national systems do not help if you are dealing with someone overseas, like in this case. The problem is not technical, public key cryptography and digital signatures could be deployed to achieve this. But agreeing on a reliable global identification standard that won’t become a privacy threat would certainly be a significant political achievement.

So we probably have to live with this flaw for quite a long time. National solutions will no doubt become available in some countries. Estonia is usually quick to utilize new technology and this is no exception, An electronic ID is a good fundament even if reliable identification over the phone still would require some additional technology. But the rest of us just have to acknowledge the risk, keep our non-secret SSNs as secret as possible and hope for the best.

Safe surfing,
Micke

Image by DonkeyHotey @ Flickr.

More posts from this topic

Screen Shot 2014-10-24 at 2.53.58 PM

5 things you’d know about password security if you had time to care

If you use the internet like a normal person, password management is a pain. It doesn't have to be that way. Over the last two months through Triberr, we invited a group of bloggers we enjoy to work as brand ambassadors on behalf of our password manager KEY, which we built to make securing your accounts simple. They tried KEY out and shared their experience with their readers. By watching them explain what they learned we were reminded that there are some password truths we take for granted. Here are five important points about passwords they made that everyone needs to know. 1. No one changes their passwords when there's a hack. It's constant headline, "Passwords breached. Change all your passwords!" Not only do we have to put up with our trust being breached, as Breakthrough Radio's Michele Price pointed out, we have to take the time to change all our passwords ourselves. If you're a regular reader of Safe and Savvy, you know that experts aren't being sincere when they tell you to change all your passwords. “The dirty little secret of security experts is that when there’s a data breach and they recommend to ‘change all your passwords,’ even they don’t follow their own advice, because they don’t need to,” our Security Advisor Sean Sullivan told us. The only reason you'd need to change all your passwords is if you made a few basic mistakes. 2. Our password choices can make us vulnerable. "You should have diversified your usernames and passwords in the first place," Harri Hiljander, our Product Director or Personal Identity Protection, told LeadersWest's Jim Dougherty. If you reuse passwords, every hack or breach is exponentially worse. But still people reuse passwords over and over for a pretty obvious reason. 3. It's too hard to come up with and remember strong, unique passwords for all our important accounts. Our bloggers presented the suggestions for generating strong unique passwords our Labs offered -- and to be honest, the advice can overwhelming. But if you're going to come up something that protects your financial details, it's essential. That's why the bloggers liked KEY's ability to generate strong passwords for them. "I think this is the best feature of all," World of My Imagination's Nicole Michelle wrote. Forget all the rules. Now you don't have to worry if your password is going to end up on a list of ones you should never use. 4. Password security is especially important to people who work online -- and who doesn't? If you spend your time building up an online publication your readers trust, the integrity of your site is priceless, as we learned from WhyNotMom.com. Sean advised our bloggers to sure that their WordPress -- or any blogging platform -- password isn't being reused anywhere else. In addition to the three things everyone needs to do -- back up everything, patch all your software and use updated security software -- he also advised them to make sure they keep a watchful eye on all their blog plug-ins. Keep them updates AND keep an eye out for plug-ins that are no longer being updated. Get rid of those. 5. You should have at least one email account you don't share with anyone. Identity management gets harder and harder as our usernames become more public. Everyone gets by now -- we hope -- that you should never reuse pairings of logins and passwords for your crucial accounts. But there are extra steps you can take, as our bloggers learned from our KEY experts. "Create a new email address for online accounts, don’t share it with ANYONE." Chelsea from Me and My Handful wrote about our Labs' advice to keep your login names secret. "So smart, and yet, we don’t do it." But all this knowledge is useless if you don't have a system to keep your passwords secure. Set up a system then pick a password manager -- we suggest you try KEY for free, of course --and stick with it. Cheers, Jason [Image via kris krüg via Flickr ]

Oct 24, 2014
FBI

No, we do not need to carry black boxes

The recent statements from FBI director James Comey is yet another example of the authorities’ opportunistic approach to surveillance. He dislikes the fact that mobile operating systems from Google and Apple now come with strong encryption for data stored on the device. This security feature is naturally essential when you lose your device or if you are a potential espionage target. But the authorities do not like it as it makes investigations harder. What he said was basically that there should be a method for authorities to access data in mobile devices with a proper warrant. This would be needed to effectively fight crime. Going on to list some hated crime types, murder, child abuse, terrorism and so on. And yes, this might at first sound OK. Until you start thinking about it. Let’s translate Comey’s statement into ordinary non-obfuscated English. This is what he really said: “I, James Comey, director of FBI, want every person world-wide to carry a tracking device at all times. This device shall collect the owner’s electronic communications and be able to open cloud services where data is stored. The content of these tracking devices shall on request be made available to the US authorities. We don’t care if this weakens your security, and you shouldn’t care because our goals are more important than your privacy.” Yes, that’s what we are talking about here. The “tracking devices” are of course our mobile phones and other digital gadgets. Our digital lives are already accurate mirrors of our actual lives. Our gadgets do not only contain actual data, they are also a gate to the cloud services because they store passwords. Granting FBI access to mobile devices does not only reveal data on the device. It also opens up all the user’s cloud services, regardless of if they are within US jurisdiction or not. In short. Comey want to put a black box in the pocket of every citizen world-wide. Black boxes that record flight data and communications are justified in cockpits, not in ordinary peoples’ private lives. But wait. What if they really could solve crimes this way? Yes, there would probably be a handful of cases where data gathered this way is crucial. At least enough to make fancy PR and publically show how important it is for the authorities to have access to private data. But even proposing weakening the security of commonly and globally used operating systems is a sign of gross negligence against peoples’ right to security and privacy. The risk is magnitudes bigger than the upside. Comey was diffuse when talking about examples of cases solved using device data. But the history is full of cases solved *without* data from smart devices. Well, just a decade ago we didn’t even have this kind of tracking devices. And the police did succeed in catching murderers and other criminals despite that. You can also today select to not use a smartphone, and thus drop the FBI-tracker. That is your right and you do not break any laws by doing so. Many security-aware criminals are probably operating this way, and many more would if Comey gets what he wants. So it’s very obvious that the FBI must have capability to investigate crime even without turning every phone into a black box. Comey’s proposal is just purely opportunistic, he wants this data because it exists. Not because he really needs it.   Safe surfing, Micke    

Oct 17, 2014
BY 
Screen Shot 2014-10-15 at 7.29.32 AM

Who is waging digital war on the Hong Kong protesters?

Is this China's digital riot police? A "particularly remarkable advanced persistent threat" has been compromising websites in Hong Kong and Japan for months, according to Volexity. The pro-democratic sites that have been infected include "Alliance for True Democracy – Hong Kong" and "People Power – Hong Kong" along with several others identified with the Occupy Central and Umbrella Revolution student movements behind the massive protests against the Chinese government. Visitors to the sites are being targeted by malware designed for "exploitation, compromise, and digital surveillance". In an analysis on our Labs Blog, Micke notes that it's possible that cybercriminals could be simply piggybacking on the news without any political motivation. However, the Remote Access Trojans (RATs) being used could provide serious advantages to political opponents of the movement. "A lot of the visitors on these sites are involved in the movement somehow, either as leaders or at grassroot level," he writes. "Their enemy could gain a lot of valuable information by planting RATs even in a small fraction of these peoples’ devices." And even leaders aren't compromised, the publicity around the attack will drive users away from the sites. This is a tactic that would definitely benefit those who want these see protests to end ASAP.  And it would be a far more effective tactic if not for social networks like Twitter that can be accessed to plan resistance,even if the government blocks them -- as long as you have a VPN solution like our Freedome. If the goal is to cripple the protests by targeting protesters, "you don’t have to be a genius to figure out that China is the prime suspect," Micke writes. The significance a state-sponsored RAT attack -- or even a state-condoned attack carried out by privateers -- would be immense. Criminals use malware to target individuals, businesses and governments themselves. Government-sponsored cyberattacks on citizens practicing civil disobedience could be considered an escalation beyond even likely government-sponsored surveillance malware like Flame, which forces businesses to consider malware attacks from their own governments. Over the last year we've learned just how far suspicious governments will go to play defense against internet users who haven't been accused of any crime. Now we're seeing hints that a government may be willing to play offense too.

Oct 15, 2014