Please Don’t Tell Me You’re Still Using SSNs as IDs!

Monday, November 05, 2012

Rebecca Herold


Okay, I just finished the 3rd conversation in just the past two weeks alone with an organization that is using Social Security Numbers (SSNs) as their primary form of customer and/or employee identification. I’ve written about this topic numerous times over the past 15 years. Seriously: all businesses out there doing this, please make a plan to stop! Why? Here are three good reasons.

Good Reason #1: Using SSNs as identifiers is often illegal

Over the years I’ve been occasionally revisiting the topic of laws and regulations prohibiting the use of SSNs, most recently in 2008 when I identified over 45 U.S. federal and state laws and regulations regulating, and often prohibiting, the use of SSNs as identifiers in some locations. I provide pointers at the end of this post to some other reports and resources that contain many other lists of legal prohibitions for the use of SSNs.

Good Reason #2: SSNs facilitate identity theft

Within organizations there are multiple ways in which IDs that are the same as SSNs are put at risk, and can subsequently be used for identity theft. First of all, think about all the people who have access to the customer and employee IDs you are using at your organization. The insider threat is growing, and if someone within your organization (or someone you have contracted) with access to the IDs thinks he or she can get away with it without being caught, that person may very well take the IDs and commit all sorts of fraud and crime with them. Desperate folks often take despicable actions. I’ve listed a few recent examples at the end of this post.

Second, think about how those folks, your employees and customers, who hold those IDs (that are the same as their SSNs) are putting them at risk, often because they don’t realize what they are doing. The SSNs are often embedded within IDs, so folks don’t realize that by leaving an ID card out on a reception desk, or giving it to others, they are basically handing their SSNs to someone who may take them and do bad things.

Most organizations I’ve helped over the years have said, “We trust our employees! We don’t have to worry about them doing bad things!”  Under perfect circumstances that may be close to true. However, there will always be situations that will push otherwise trustworthy employees into exploiting their positions of authority and access to such valuable information as SSNs.  See some links to stories of such situations at the end of this post.

Good Reason #3: Using portions of SSNs as identifiers can lead to the full SSN

Many organizations are choosing to use portions of SSNs, often the last 6 digits and sometimes the first 5 digits, as identifiers. They believe that since the full SSN is not being used, there is no risk involved. Au contraire, mon frère! Multiple studies throughout the years have demonstrated how SSNs can be determined from knowing only portions of them. Carnegie Mellon published a nice research paper on this topic back in July of 2009.
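To make the third reason concrete from the defender's side, here is an added audit script (my example, not the author's, and not from any study the post cites) that scans a set of records and reports how many consecutive SSN digits each customer ID exposes. All SSNs and IDs in it are constructed sample values. The "remaining candidates" figure is the naive upper bound of 10^(9 - exposed digits); the real search space is smaller because SSNs were never issued uniformly at random, which is the point of the research the post refers to.

```python
from collections import Counter

# Constructed sample data: every SSN and ID below is made up for this example.
SAMPLE_RECORDS = [
    {"name": "Record A", "ssn": "123-45-6789", "customer_id": "456789"},     # last 6 digits of SSN
    {"name": "Record B", "ssn": "987-65-4321", "customer_id": "EMP-98765"},  # first 5 digits of SSN
    {"name": "Record C", "ssn": "555-12-3456", "customer_id": "555123456"},  # whole SSN as the ID
    {"name": "Record D", "ssn": "222-33-4444", "customer_id": "C-8F3A91"},   # opaque surrogate ID
]

# Shortest digit run counted as an SSN fragment. This is a heuristic threshold:
# purely numeric surrogate IDs can share a short run with an SSN by chance, so
# treat single hits at the minimum length as leads to verify, not proof.
MIN_RUN = 4


def digits_only(value: str) -> str:
    """Strip dashes, letters and spaces so IDs and SSNs compare digit by digit."""
    return "".join(ch for ch in value if ch.isdigit())


def exposed_ssn_digits(identifier: str, ssn: str, min_run: int = MIN_RUN) -> int:
    """Length of the longest run of consecutive SSN digits that appears in the identifier (0 if none)."""
    id_digits = digits_only(identifier)
    ssn_digits = digits_only(ssn)
    if len(ssn_digits) != 9:
        raise ValueError(f"expected a 9-digit SSN, got {ssn!r}")
    # Try the longest runs first so the first hit is the maximal overlap.
    for run in range(9, min_run - 1, -1):
        for start in range(0, 9 - run + 1):
            if ssn_digits[start:start + run] in id_digits:
                return run
    return 0


def classify(exposed: int) -> str:
    if exposed == 9:
        return "full SSN in ID"
    if exposed > 0:
        return "partial SSN in ID"
    return "no SSN fragment found"


def audit_record(record: dict) -> dict:
    exposed = exposed_ssn_digits(record["customer_id"], record["ssn"])
    return {
        "name": record["name"],
        "exposed_digits": exposed,
        # Digits left to guess, ignoring SSA issuance structure (so an upper bound).
        "remaining_candidates": 10 ** (9 - exposed),
        "finding": classify(exposed),
    }


def audit_dataset(records) -> Counter:
    """Summarize an ID scheme: how many records fall into each finding category."""
    return Counter(audit_record(r)["finding"] for r in records)


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(audit_record(r))
    print(audit_dataset(SAMPLE_RECORDS))
```

Run against an export of your own ID and SSN columns (with the usual access controls around that export), the summary tells you at a glance whether the scheme embeds the SSN, a slice of it, or nothing at all. A "last 6 digits" scheme leaves only 1,000 candidates for the rest even under the naive bound, which is why it offers little more protection than the full number.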

How widespread is this bad practice?

So, I’ve provided you with three compelling reasons that should convince most reasonable business leaders not to use SSNs as IDs. Do you really need more reasons? Well, perhaps you think, “Hey, everyone else is using SSNs as IDs, so why not us?” Does that make the practice okay? As your mother may have asked/scolded you as a child, “If everyone else was jumping off a cliff, would you too? No, don’t!”

Organizations started using SSNs as customer, employee, systems and applications identifiers from almost the moment that SSNs came into existence in 1936. As the Social Security Administration (SSA) states, SSNs were “created merely to keep track of the earnings history of U.S. workers for Social Security entitlement and benefit computation purposes,” but now they have “come to be used as a nearly universal identifier.” The SSA stresses that the SSN was not, and should not be, used for other purposes because of the significant fraud and abuse risks that doing so creates. However, the use of SSNs is pervasive. I provide some links below to articles discussing how ubiquitous this use is.

Bottom line for all organizations, from the largest to the smallest: Using SSNs as customer, patient, employee, systems or applications IDs is a *very bad* idea, and an even worse business practice. Organizations of all sizes (and perhaps new, small and medium sized businesses more than others) continue to use SSNs because the SSNs just seem so darn easy and available to use.

Really; use a different type of identifier! Use something else that will not lead to bad things happening, either to the individuals involved or to your organization.
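What "a different type of identifier" can look like in practice, as an added example of my own rather than anything from the post: the customer-facing ID is drawn from a cryptographic random source and encodes nothing about the person, and if the SSN must still be kept for a narrow legal purpose (tax reporting is the assumed example here), it lives only in a separate restricted store, reachable through a keyed blind index. The class names, the purpose list and the index key are all assumptions for illustration; the sample SSN is constructed.

```python
import hashlib
import hmac
import secrets

# Alphabet without easily confused characters (no 0/O, 1/I/L) so IDs survive phone calls and forms.
ID_ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


def new_customer_id(prefix: str = "C", length: int = 10) -> str:
    """Issue an opaque identifier from a CSPRNG; it carries no information about the person."""
    body = "".join(secrets.choice(ID_ALPHABET) for _ in range(length))
    return f"{prefix}-{body}"


class CustomerRegistry:
    """Customer-facing records never contain the SSN.

    If an SSN must be retained at all, it sits in a restricted store keyed by the
    surrogate ID, and 'find this person by SSN' goes through an HMAC blind index.
    HMAC with a secret key is used rather than a bare SHA-256 because the SSN space
    is only 10^9 values: an unkeyed hash of every possible SSN is trivial to
    precompute, so the index key must be protected like an encryption key.
    """

    # Assumed list of purposes for which SSN access is permitted in this example.
    PERMITTED_PURPOSES = frozenset({"tax-reporting", "benefits-filing"})

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self.customers = {}      # customer_id -> profile visible to ordinary applications
        self._restricted = {}    # customer_id -> SSN; access-controlled and audited in a real system
        self._ssn_index = {}     # HMAC(ssn) -> customer_id

    @staticmethod
    def _ssn_digits(ssn: str) -> str:
        digits = "".join(ch for ch in ssn if ch.isdigit())
        if len(digits) != 9:
            raise ValueError("SSN must contain exactly 9 digits")
        return digits

    def _blind_index(self, ssn: str) -> str:
        return hmac.new(self._index_key, self._ssn_digits(ssn).encode(), hashlib.sha256).hexdigest()

    def enroll(self, name: str, ssn: str) -> str:
        """Create a customer and return the opaque ID that every other system should use."""
        tag = self._blind_index(ssn)
        if tag in self._ssn_index:
            raise ValueError("a customer with this SSN is already enrolled")
        customer_id = new_customer_id()
        while customer_id in self.customers:   # collisions are astronomically unlikely but cheap to handle
            customer_id = new_customer_id()
        self.customers[customer_id] = {"name": name}
        self._restricted[customer_id] = ssn
        self._ssn_index[tag] = customer_id
        return customer_id

    def find_by_ssn(self, ssn: str):
        """Resolve an SSN to a customer ID without comparing plaintext SSNs."""
        return self._ssn_index.get(self._blind_index(ssn))

    def ssn_for(self, customer_id: str, *, purpose: str) -> str:
        """The only path that returns an SSN; callers must state a permitted purpose."""
        if purpose not in self.PERMITTED_PURPOSES:
            raise PermissionError(f"SSN access not permitted for purpose {purpose!r}")
        return self._restricted[customer_id]


if __name__ == "__main__":
    registry = CustomerRegistry(index_key=b"example-key-not-for-production")
    cid = registry.enroll("Sample Person", "123-45-6789")   # constructed SSN
    print("issued ID:", cid)
    print("lookup by SSN:", registry.find_by_ssn("123456789") == cid)
```

The customer ID can be printed on a badge, spoken over the phone or left on a reception desk without giving anyone a head start on the SSN, which is exactly the failure mode the post describes. Everything outside payroll or tax systems works with the surrogate alone; the one method that returns an SSN requires a stated purpose, which is the natural place to attach logging and approval in a real deployment.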

Good additional information about the use of SSNs as IDs

Here are some other thought-provoking and information-rich articles and news reports about using SSNs as identifiers, along with a few recent examples of breaches involving SSNs:

This post was written as part of the IBM for Midsize Business (http://goo.gl/S6P7m) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.

Cross-posted from Privacy Professor

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
