Summary: The use of social security numbers for client identification has become
widespread, but with growing prevalence of this practice, the threat of identity
theft grows larger.
In July 2002, Princeton used prospective students' social security numbers and
birthdates to gain access to one of Yale University's websites. Only students
were meant to use the site for advanced notice about their admissions into Yale.
Admissions officers at Princeton claimed to have logged onto the website to test
its security.
The ease with which Princeton entered Yale's website calls to question the
security of using social security numbers as passwords. Using social security
numbers for client identification makes sense because each individual will likely
only have one social security number throughout their life, and will remember it
better than a randomly generated customer identification number. However, with
such widespread use of social security numbers for this function and the public's
mistaken belief that these numbers are confidential information, identity theft
becomes easier to perpetrate.
One website, http://www.cpsr.org created by
Computer Professionals for Social Responsibility, provides information about
social security numbers and possible misuse. According to the site, armed with
another's name and social security number, a thief can transfer funds and make
changes to the account by telling the bank that he or she forgot the account
number. Similar use of a social security number could allow a thief to access
other supposedly secure websites to check such things as email and credit card
accounts.
Another problem is the violation of privacy. As demonstrated by the incident
between Princeton and Yale, personal information can be readily available once
someone has the social security numbers of others. One company, Docusearch
Investigations, will locate people using social security numbers, and report
their current and past addresses for $49. Though the site requires a reason
for certain types of searches, and some services are restricted to particular
purposes, it is alarming that privacy can be invaded in such a manner.
As long as companies and individuals hold onto the belief that social security
numbers are confidential, identity theft and privacy violation remain more
likely. Ironically, there is no security when only social security numbers are
used. Security comes when access is based on a combination of client identification
codes, instead of solely relying on social security numbers, names, and other
easily ascertainable information.
Links:
http://www.cbsnews.com/stories/2002/07/27/tech/main516598.shtml
Article about the Princeton and Yale incident
http://www.docusearch.com
A company that provides search and investigatory services.
http://www.cpsr.org/cpsr/privacy/ssn/ssn.faq.html
Frequently asked questions about social security numbers.
http://www.ssa.gov/pubs/10002.html
Information about social security numbers and cards.
http://www.ssa.gov/pubs/10064.html
Information concerning identity theft and possible actions to take once it has occurred.
