No, you don’t need my social security number.

5639011991_8848ea5561_b

– (phone rings) Hello.
– Hello, I’m calling from American Express. Are you Mr. *****  ******?
– Yes, great that someone finally reacts to my reclamation.
– First I need to verify your identity. What’s your social security number?
– Excuse me but you are calling me on a number that you have in your register, so you can be pretty confident that you are talking to the right person. But I have no way of knowing that you really are from Amex. So YOU tell ME what my social security number is. I know you have it on file.
– (silence) Well, eh … we must identify our customers to be able to serve them by phone. It’s company policy.
– Yes, I know that. But I’m certainly NOT going to give out my number to a stranger who calls and asks for it. I really need some kind of identification from you first.

It went on like that for a while until I proposed a compromise. I told her the first part of my number and she told me the last digits. It all matched and we were able to proceed.

This post is not about American Express, it is about a severe and widespread problem that is visible in this case. The problem is these Social Security Numbers, SSNs, or National Identification Numbers which is a proper global term. They appear in most countries, in many forms and under many names. But they all have two things in common. They were designed to be unique and distinguish persons with the same name. And they are misused for identification.

The practice of using the SSN as proof of identity is really fundamentally flawed. They are used in the same way as a password, knowledge of the “secret” is supposed to prove who you are. The problem is just that the SSN isn’t designed to be secret. If you are a little bit Internet savvy, you know the basic rules for safe passwords. Think of your SSN as a password. It’s assigned once for your whole lifetime and you can’t change it. You are forced to use the same SSN on all services you use. It’s printed on various documents, depending on what country you live in. It’s recorded in numerous registers, and you don’t even know where all those registers are and who’s got access to them. Would you handle the password to your favorite net service this way? Hell, no! Still knowledge of this fundamentally flawed “password” may enable anyone to get credit, order goods, close accounts, etc. in someone else’s name. Scary!

But what can we do about it? Let’s refresh the memory with some practical advice about how to handle your SSN.

  • Do some googling and look for national advice about SSN security in your country. Laws and practices vary and a local source is typically more accurate. But here comes some generic advice.
  • Do not give out your SSN unless you know who he other part is.
  • Verify that the other part has a valid reason to use your SSN before you reveal it.
  • If a business demands your SSN, you can refuse to give it but the business can refuse to serve you. You can either comply or spend your money elsewhere.
  • Some try to phish for SSNs, look out for fraudulent web forms that ask for it.
  • Check what documents you carry in your wallet that have the SSN printed. Avoid carrying those documents daily, if possible, as your wallet may get stolen.
  • Invoices, tax documents etc. may have the SSN printed. Think about how you dispose those papers. If you have a shredder, use it.
  • Needless to say, don’t post the SSN on the net in any context.

This will help a bit, but not cure the fundamental problem. Your SSN is still used and stored so widely that you may be the victim of identity theft even if you do all this.

The problem is really the misuse of SSNs as proof of identity. And the next question is obvious, what should we use instead? Yes, that’s right. There is no common, safe and reliable method for identifying a caller. Some companies have their own methods to improve security. They may require both your SSN and for example a customer number or invoice number. Better, but still not good as those additional numbers aren’t protected very well either. The banks have good systems with sheets of one-time passwords, or similar. These system have been developed with security in mind and are typically reliable enough. They are developed for on-line access but often work for identifying a caller as well.

Banks have good systems, but they are unique for each bank. We would really need national systems, or even better, a global system for reliable identification of persons both on-line and over the phone. More and more of our transactions cross borders and national systems do not help if you are dealing with someone overseas, like in this case. The problem is not technical, public key cryptography and digital signatures could be deployed to achieve this. But agreeing on a reliable global identification standard that won’t become a privacy threat would certainly be a significant political achievement.

So we probably have to live with this flaw for quite a long time. National solutions will no doubt become available in some countries. Estonia is usually quick to utilize new technology and this is no exception, An electronic ID is a good fundament even if reliable identification over the phone still would require some additional technology. But the rest of us just have to acknowledge the risk, keep our non-secret SSNs as secret as possible and hope for the best.

Safe surfing,
Micke

Image by DonkeyHotey @ Flickr.

More posts from this topic

Connected

Wherever You’re Connected, You Should Be Protected

Protecting yourself on the internet used to be a lot simpler -- mostly because you weren't always on the internet. Now we can be online from when we wake up until when we go to sleep. We seamlessly shift from chatting to shopping to banking -- rarely sticking to one device or platform for too long. Most of us aren't just a Mac or PC or an Android anymore -- we're all of the above. “I, and I think most people, have a cross-platform household – I use several different devices with different operating systems on a daily basis," F-Secure security advisor Sean Sullivan explains. The old paradigm of just protecting your PC or your phone can leave your devices exposed to threats. And even the best security software in the world won't protect your public Wi-Fi connection from being snooped on, possibly exposing your most private details, including passwords. That's why we've launched F-Secure total security and privacy, which combines F-Secure SAFE and F-Secure Freedome. F-Secure SAFE is a multi-device internet security suite that protects all your devices. Freedome is a VPN offers a simple way to encrypt your communications over public Wi-Fi and change your virtual location to access geo-blocked sites and services while blocking malicious websites and online tracking. You can still purchase F-Secure SAFE and Freedome separately. And there have been recent improvements to both, including: Silent upgrades that ensure SAFE is automatically updated Parental controls now available on all supported SAFE platforms Ability to create Freedome Wi-Fi hotspots with Android devices while VPN is turned on "Buying separate products to protect iOS, Windows, Macs and whatever else isn’t just expensive, but it means you have to get used to different pieces of software designed to do the same thing," Sean explains. F-Secure total security and privacy is now available for a free trial here. If you're a current SAFE customer, you can't upgrade to total security and privacy but you should receive a discount offer for Freedome. "Bundling protective measures into packages to run on different devices is more economical and more user friendly, both of which are good for security.” Cheers, Sandra [Image by Hans Kylberg | Flickr]  

September 27, 2016
yahoo

What You Need to Know About the Yahoo Hack

Reports that half a billion Yahoo accounts were hacked in 2014 "by a state-sponsored actor" were confirmed today by the tech giant. This hack of "names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions" is the largest in the company's history and one of the most consequential breaches of all time. Our security advisor Sean Sullivan told CNN what Yahoo users need to know right now: [youtube https://www.youtube.com/watch?v=kO-70yKF4bE] He also gave a longer interview to Data Breach Today about the wider implications of the hack. The most important takeaway from this attack is you should always use an extra layer of protection -- in this case Yahoo's two-factor authentication on all your accounts -- and never reuse any important password. Even though Yahoo's passwords stored your passwords with encryption, it's still possible for criminals to get access to them, especially if they are weak. A former Yahoo employee told Reuters that the answers to security questions were deliberately left unencrypted to help catch fake accounts more easily because fake accounts that used the same answers over and over. Sean always uses nonsense answers for so-called security questions so they aren't guessable by anyone who knows him or follows him on social media. He recommends you do the same. So what should you do now? Sean recommends you "walk, not run" to your Yahoo account to disable your security questions and change your password -- and change them on any other site where you've used them to something unique. Make sure you create non-human passwords -- not patterns like yahoo1985. Make them long and difficult to remember. If they're between 20 and 32 characters, they are nearly uncrackable, as our senior researcher Jarno Niemelä recommends. And to deal with all that complexity, use a password manager like our F-Secure KEY, which is free on one device. You can also store your nonsense answers to your security questions in there. Then turn on two-factor authentication, if you haven't already. If you're wondering who might have carried out such a massive attack, Sean does have a hypothesis. [Image by Christian Barmala | Flickr]

September 23, 2016
BY 
android_wi-fi

How to Create a Portable Hotspot on Android with VPN on

Many Android users (myself included) have long found it annoying that creating a working portable hotspot is not possible while using a VPN on the device that shares the connection.  From the user interface to the lines of code that power the app behind it, a driving principle of designing Freedome has always been to make the kind of VPN that only makes your online experience better, without hindering it in any way. Tethering with VPN is now possible This is why we are extremely happy - both personally and for our users - to announce that our new Android release (out now on Google Play) makes it possible to have Freedome turned on while sharing your connection with other devices. We are also the first (as far as we know) major VPN provider to make this happen. Instructions on setting up a portable hotspot The new update automatically allows you to create a portable hotspot with Freedome VPN, so the instructions are fairly simple. Download Freedome VPN on your Android Turn on the portable hotspot feature from your Android settings Keeping it simple, as usual! A note on privacy It’s worth noting for the sake of your privacy that the tethered device’s traffic will NOT go through the VPN tunnel of the device sharing the connection. According to Freedome Product Development Director Harri Kiljander: “Android does not allow tethered devices access to the VPN tunnel. This is a deliberate choice forced by Android for security reasons. For instance, when using VPN to access your employer’s network, they might not want your friends and family there. Also a VPN tunnel shared with others wouldn’t really be a private network anymore” In other words, remember to use Freedome on laptops and any other devices you connect to your own hotspots with. If you have any questions, drop us a line on Twitter. Enjoy!

September 23, 2016
BY