Doug Lhotka

Technical Storyteller

Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

SSN is not a secret (and never was)

By

(c) Depositphotos / johnkwan

With the Equifax breach, there’s been a lot of commentary about it’s impact, and much of it has one important fact wrong:  SSN was never intended to be a secret.

I’ve written in more detail about this before, but in light of the recent breach, I thought I’d repost it again.  One update, before I get to the original post:  At this point, between Anthem, Equifax, and the others, we should all assume that SSN is no longer secret.  For consumers, that means a credit freeze (where you do establish a secret PIN to unlock the reports).  For businesses, I’ll just say this.  Enough.  Seriously, enough.  Across the board you need to stop using it to authenticate people.  Today.  Unfortunately I think they’re largely too lazy to do it without legislation.

Here’s the original post from January 10th, 2016:

The Social Security Number is the Achilles heel of modern information. It was never intended to be used for identification purposes – in fact, my original card has that printed in big bold red letters right across the front of it.

Well, that didn’t work out well. In college, SSN was our student number. Printed on our ID, posted outside the professor’s office with our grades, and on our transcripts. Medicare and Medicaid members have it printed on their cards. Insurance companies have adopted it and print it on their cards. Financial firms use it not only for tax purposes, but also some as account numbers. It was used in a hundred other ways. And everyone uses it to authenticate their customers, which is the worst of all.

But it’s not a secret!   For the majority of people, given their birthdate and location (did you put real ones on social media?), you can guess their SSN within a few tries. We use it because it’s easy, and the closest thing we have to a national ID number (note – I’m not advocating one).   Even in the face of massive data breaches – 80 million SSN’s in just one (that’s 1 in 5 SSN’s exposed) folks continue to use it. It’s easy, it’s convenient, everyone does it, people remember it – it works.

And it’s dumb.

Let me explain some terminology before continuing, and use an example to help folks understand. We’re going to login to our bank so we can do some online transactions in two steps.

  • We assert our identity – in other words we claim to be someone. That’s the login ID – or identification credential. ID is not a secret.
  • We prove our identity – authenticate our assertion, usually by password, or sometimes by two-factor authentication. Authentication uses a secret (the something you know, are, or have) to prove that you are who you claim to be.

SSN is an identifier – something we use to assert who we are. It’s not a secret, has never been a secret, and we can’t turn it into a secret.   It’s time to stop trying.

The problem is that SSN is being used as an authenticator – a secret that proves that I am who I say I am. It doesn’t matter if we use the last four, or the whole number. Using SSN to prove identity is like leaving the sticker with the combination on the back of the padlock.

So we’re in a mess, and there’s no real easy way out. But here’s some thoughts on ways to start.

First the IRS should implement a PIN system for SSN – for everyone. This PIN should be randomly generated to avoid people choosing birthdates or other easily discoverable information, and yes, resetting it probably should require a trip to the local social security office with documents that prove identity, including a government issued picture ID. Most states will already issue ID’s at no charge to folks that can’t afford them.  Yes, we’re in a bit of a circular situation here because bills and such are used to provide identity and residency, but it’s the best we’ve got. The SSN/PIN system should support two-factor authentication that’s used for things like filing a tax return.

Oh shoot, we’re into national ID territory. Given the recent track record of breaches within the US government, there’s legitimate concern about having all our eggs in one basket. What happens if the next data disclosure is the entire IRS taxpayer database?

So here’s the controversial proposal. Congress should pass legislation limiting the use of the SSN to the IRS only – prohibit commercial use as an identifier, and ban all use as an authenticator. Medicare and Medicaid would be required to move away from SSN (except for ACA compliance) and issue separate identity and authentication tokens to it’s members.

That means that your bank would still have it so they can file your 1099’s, but they’d be prohibited from using it for anything else – and they would not have your authentication information! TurboTax and the like would be able to use the SSN/PIN combination to file returns, but would not store PIN information (the IRS would provide a web service to validate authentication for known-good actors). Insurance companies would have SSN to forward coverage to the IRS for Affordable Care Act (Obamacare) compliance, but would be prohibited from using it for anything else. That means that your local doctor’s office would never need SSN at all – which is a major reduction in the points of failure.

Credit bureaus are going to have a challenge. They will need to develop some sort of identification system themselves. The good news is that most of it is in place – when you get a credit freeze, they issue you a secret authentication token. You use that to unlock credit when you want someone to be able to get a copy of your report. We should grant them antitrust immunity so they can jointly develop a Credit Identification Number system to replace SSN for their use, and then issue that – and an authentication code – to everyone in the database, and retire SSN from use.

It’s a lot of work, it’s not cheap to do, and there’s a ton of details and nuances (like not allowing easy-to-guess security questions as part of an authentication reset system) that have to be worked out.    But with at least 1 in 5 SSN’s is already exposed [Edited – essentially all SSN’s as of 9/2017], it’s long past time to do the hard work.

Armor up! Personal Cyber Safety

By

A friend of mine recently lost their smart phone.  They did most of the right things – sent the wipe signal to it, and changed their passwords.  Unfortunately, they missed telling the cellular carrier, and it turns out that someone had simply moved the SIM card into another phone and used it to make hundreds of dollars in overseas calls (much like we used to see with calling card and conference call numbers).  It also meant that any inbound calls and SMS messages would have rung on that stolen phone – something to think about in the age of SMS-two factor authentication.

He asked me for an updated list of suggestions on how to get secure and stay safe online, and rather than doing a one-off, I thought I’d share here – feel free to add suggestions in the comments, and I’ll keep this current.  The first is the most important, and the rest are in no particular order.  Many of these are involved topics that deserve posts in their own right – this is just a quick summary.

[Updates at the end]

#1 – Keep Current

Make sure you’re on a current and supported operating system, and keep up with patches.  For Windows that means 7 or higher, for Mac El Capitan or higher, and for iOS it means 9 or higher.  For both Windows and Mac, that’ll change soon – Windows 10 and Sierra are better options.  Android is much harder unless you get updates directly from Google.  If you don’t, you’re behind – that’s one of the reasons I don’t recommend non-google Android devices.

This also means keeping your applications up to date.  If you still have Office 2003 because it’s all you need, unfortunately, you’ll have to pay the Microsoft tax and get a current version to get patches.  Ditto on the Adobe products, and pretty much everything else.

For both OS and apps, apply patches and updates on a regular basis.  For Windows machines, makes sure you watch for ‘Patch Tuesday’ and apply patches right away – often the bad guys release new malware shortly afterwards that attacks unpatched machines.   We all find it hard to keep up with patches (Window takes far more care than Mac), so when possible, turn on automatic updates.  Which brings us to the importance of the next item:

 

Backups

Things will go wrong.  Consumer cloud has no guarantee of backup or restoration of data, so don’t trust Google, Apple, Microsoft, DropBox, or any other service as the sole place your information lives: any critical information (i.e. family photos) should live in at least two physical places, one of which should be in your personal controls.  For example, one of the first things I disabled in Sierra was the ‘automatic migration of data to iCloud’.  Aside from not controlling what’s uploaded, the last thing I’d trust a consumer-grade service to do is delete anything off my machine automatically.

Backups should be encrypted (see below), and at least one stored offsite – either a cloud-based backup like CrashPlan, or a drive in a safety deposit box or at a friend’s house.  If you use cloud backup, remember that they don’t work for things like virtual machines, and can blow out your data charges.

So I backup my iOS devices to my local computer (not iCloud), then backup the Mac using Time Machine (for the oops I deleted it situations), and Carbon Copy Cloner (www.bombich.com) for my disaster backups.  CCC has saved my bacon more times than I can count, and I highly recommend it for Mac users.

I also strongly recommend that at least one of your backups be physically disconnected from your computer when not actively backing up.  That’s the single best defense against ransomware.

 

Securing the browser

Absolutely run a current browser version.  I recommend using uBlock Origin and Privacy Badger to cut down on the worst of the tracking and funky sites.  Don’t use shady extensions like video downloaders.  To be extra safe, use two browsers – one for general browsing, and one for sensitive sites.  Be careful of typo-squatting sites.  That’s one reason I like 1Password – it validates the URL before pasting in credentials.  Stick with one of the big three – Edge, Firefox, or Chrome.  Retire Internet Explorer.

 

Trust the cloud – sort of

There are three kinds of cloud services:  free/consumer, and enterprise.  Free services monetize you in some fashion (more below), usually by selling your data to advertising – and I recommend avoiding them.  This includes services like Gmail, Facebook, Twitter, and such – if you’re not paying for it, you’re the product, not the customer.

iCloud is paid for as part of buying Apple products, and while Apple uses the data for marketing and product development, they don’t sell it to third parties, so it’s somewhat better.  One thing that all consumer services have in common is that they disavow any responsibility for data loss or disclosure.

So, for backups and email, I recommend paying for the service.  You’ll get much better responsiveness and much less privacy compromise.  And make darn sure the data is encrypted before uploading.

 

Passwords & Password Managers

That’s especially true of Password Managers.    I’m not a fan of cloud-storage for my password vault – it’s too inviting a target.  That’s one of the reasons I use 1Password from www.agilebits.com – they offer a local sync option.  But using one with the cloud is far better than not using one, and I have a number of family and friends using the 1Password cloud options.  I’ve written recently about 1Passwords migration to the cloud, and while I have concerns, it’s still the best option out there.

Your password manager password needs to be a good one – a passphrase is best.   The new advice is to pick four or five words:  cheetah shark Saturn smiley mayonnaise.  You’ll remember it much easier than a random set of characters, and most good cracking tools now easily bypass backwards words, replacing letters with numbers, and all the other tricks.

All this implies, yes, use a password manager that generates unique random passwords for each site.  That way you only need to remember one single password (hence 1Password) that’s really good and strong, then it does the rest for you.

Note:  Do not use the web-version of a password manager.  Use the application on a device that you control.

 

Lie

That brings me to one of the toughest ones – lying to sites by intent.   This falls into two categories – lying for protection, and lying because it’s none of their business.  For the former, when a site asks you to create a secret question and answer, lie – use a random word, and then store that in your password manager.

More importantly, when a site asks you for information it doesn’t need – your birthday for a shopping site for example, make something up that’s completely random.  I started getting retirement spam after using a 1940’s date…interesting.

This is also true for sites or companies that ask for ‘mother’s maiden name’.  Go change all those and record the new random answers in your password manager.  For companies that continue to insist on the single worst authentication mechanism (last 4 of SSN), pester them to see if you can get it changed.  If not, then we should all shame them on social media.

 

Use two-factor

When offered, use two-factor authentication.  It’s not perfect, but it’s better than just a password.  Do not use just device-based authentication though, always use both factors.

 

Disk/device encryption – backup and machines

Turn on whole disk encryption on your system.  For mac: https://support.apple.com/en-us/HT204837 and for Windows: https://support.microsoft.com/en-us/instantanswers/e7d75dd2-29c2-16ac-f03d-20cfdf54202f/turn-on-device-encryption

 

Set mobile devices to lock and wipe

If you have options to disable biometrics, and force a passcode after a handful of attempts turn it on, and then turn on the options to wipe the device after 10 failed attempts.

And use something stronger than a 4 digit PIN – at least 6.  Alpha numeric is better.  Pick one that’s not your, your spouse, your kids or any other date, address, phone number, or anything else that’s easy to guess or on social media.

While you’re at it, set airdrop to ‘contacts only’.  Better to stay off the grid.

 

Biometrics

Biometrics are a mixed bag.  Right now there’s tons of snake oil out there.  The only one that I trust for regular use is the fingerprint reader on the iPhone – and that’s because of the lock/wipe options.  I do not use it on a computer – type the passphrase instead.  Facial recognition, swipe patterns, and such can be spoofed trivially, and many consumer grade fingerprint readers can be as well.
Stay off public (and other) computers.

Using a public computer is like licking the seat in an outhouse.  Just don’t.  Ever.  Your friend’s computer isn’t quite as bad, but unless you know that they have good hygiene, it’s best to only use your own devices.

 

Uninstall Flash and Java 

It’s time to get rid of these two applications from your personal machines.  Corporate machines should too, but that’s a whole more involved story.

Flash:

Mac: https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html

Windows: https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html

Java:

Mac: https://www.java.com/en/download/help/mac_uninstall_java.xml

Windows: https://www.java.com/en/download/help/uninstall_java.xml

If you have to use Flash, use Chrome (but disable all the tracking first).

 

Get accounts before the bad guys do

As Brian Krebs recommends, get accounts on https://www.ssa.gov/ and IRS.gov https://krebsonsecurity.com/2015/03/sign-up-at-irs-gov-before-crooks-do-it-for-you/ before someone does it first.

 

Credit Freeze

And again a shout-out to Brian, for his information on getting credit freezes from all four agencies.  Credit monitoring is useful for telling you it’s been compromised – a freeze protects it up front.  https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/

If your homeowners insurance offers identity theft protection as a rider, that’s not a bad investment for the price.

Note:  If you have kids, freeze their credit too.

 

eMail security

Email is not private.  If you have a standalone email application, using SSL only keeps it secure between your machine and the server.  If you do it in the browser, same situation – and you’re also exposed if the browser is compromised.  Never email any sensitive information like bank account numbers, social security number, credit card numbers, and so on.  If you’re emailed a new password after a reset, immediately go change it on the site itself.

Note:  Yes, there are ways to technically encrypt email end-to-end.  It’s not clean or easy, and pretty fiddly.  If you absolutely positively must email something sensitive, my recommendation is to encrypt the document itself then attach that to a regular email.  That’s beyond the scope of this post.

Because password resets are done via email, this is the most important account you have.  It must be used with a robust random password, and you should never login from any device that you don’t own and control.  If the bad guys get your email, they get all your other accounts.

 

Have a throwaway email

So that means having more than one might make sense.  Ever have a site that you might want to get information from, but don’t want them to have your details?  Get and use a throwaway email account – or a junk mail account to use for all of them.

 

Never click links

And never, ever, click on any link in anything on that junk account.  That’s good practice for all email and all links.  Go manually to their site, and login by hand.  Related – stop sending emails with links in them (internal corporate communications I’m looking at you).

 

Stay off the seedy side of the internet

It goes without saying, stay off the seedy side of the internet.  Get legal software and content, avoid torrents, and naughty sites.

 

VPN/Public Hotspots/Cellular Data

I avoid using any public hotspots – it’s far too easy for someone to sniff what you’re doing, Use your cellular hotspot when you can.  For better protection, use a personal VPN like www.getcloak.com to prevent traffic monitoring and cellular carrier supercookies.  This includes hotel internet.

 

Never respond to inbound phone calls

If you get a call allegedly from your credit card company, bank, insurance company, or similar company, don’t give any information or acknowledge that you even have an account.  Politely thank them, and call the number on your credit card or statement (not the one they give you over the phone).  Hiring a fake call center is trivial.

 

Firewalls & Antivirus

Turn on the Firewall on a Mac https://support.apple.com/en-us/HT201642 and Windows https://support.microsoft.com/en-us/instantanswers/c9955ad9-1239-4cb2-988c-982f851617ed/turn-windows-firewall-on-or-off

As a minimum, turn on Xprotect on the Mac https://support.apple.com/en-us/HT201940 and Windows Defender on Windows: https://support.microsoft.com/en-us/help/17464/windows-defender-help-protect-computer

On both Mac and Windows use www.malwarebytes.com to scan and remove malware, including adware.

On Windows, seriously consider paying for antimalware software.  At this point I’d probably recommend Symantec over the alternatives – the free solutions aren’t worth it.  If your bank offers Trusteer Rapport, download and install it.

Oh, and disable file sharing if you haven’t already.

Don’t tweak the bad guys

I know folks who will keep the ‘tech support’ spoofers on the line, or text with the thieves who stole a phone, or respond to phishing emails with ‘nice try’.  Don’t.  These folks are very good at what they do, and most of the time you’re just a drive by as they conduct a massive campaign.  But if you get them mad and they target you, it’s a whole different ball game.   Respect their skills.

In the end

Be skeptical, be wary, and be prepared to be hacked.  I had a bank ask me to send mortgage paperwork via email.  I said no.  I’ve had calls to my phone that spoof my own callerID.  I hung up.   I’ve also had really clever phishing emails that I almost clicked.  I did – to delete.  We’ve had our credit card stolen several times – caught it by watching my bills weekly.

As one of the characters in Harry Potter was fond of proclaiming, ‘Constant Vigilance’.

 

[Update]

Shred it

Shred anything and everything that has your information on it.  That includes envelopes from bills (they identify targets for the bad guys to hit), junk mail, receipts, boarding passes, hotel room cards, credit cards (unless metal – cut those with tin snips), conference badges (I punch out the RFID chip as soon as I get one), old business cards, and so on.  Bar codes are the most insidious as they can hide a lot of personal information, as Brian Krebs points out in the link about boarding passes.

Secure Thinking

By

I often speak on ‘Secure Thinking’ to a variety of audiences, and share some suggestions on how to keep themselves safer in their online lives.  Here’s those tips:

 

  • Patch your systems regularly (patch Tuesday is a great start)
  • Run Anti-Malware, but don’t pay too much for it.
  • Uninstall flash completely. If you need it, run it inside Google Chrome (and only use Chrome for flash sites).  Likewise with Java in your web browser.
  • Stay off the seedy side of the net
  • Only install software from trusted sources
  • Don’t click links in emails.
  • Avoid wi-fi hotspots, or use a personal VPN if you need to use them. I use getcloak.com
  • Never, ever use a public computer, for anything. It’s like swimming in a sewer.
  • If you find a USB thumb drive, destroy it – never plug it in.
  • Encrypt your data – FileVault or BitLocker
  • Backup your data to a trusted repository
  • Use robust, unique passwords for every site. I use 1Password from agilebits.com to manage mine (and store a copy of the file with another family member)
  • Enable two factor authentication when it’s offered
  • Enable a passcode on your phone. If it’s iOS or a Google Nexus running Marshmallow or newer, consider using the fingerprint reader to make it more usable.
  • Only use Google Nexus android devices to ensure you can stay current
  • When asked for secret questions, lie – and record those lies in 1Password.
  • Lie to websites that ask for information they don’t need – why does a game company need my real birthday?
  • If you receive an inbound phone call, don’t assume it’s real. Hang up without sharing any information and call the bank/insurance company/etc back from the number on your card or statement.
  • Get a credit freeze – not credit monitoring. Brian Krebs has a great article on this. Store your PIN in 1Password, and keep a backup copy of the vault In a safe place.

 

In the end, it boils down to simply being aware.

 

Think about security!