Re: Identity Theft (was: CRIME Computers vulnerable at Oregon department)

From: Crispin Cowan (crispin@private)
Date: Thu Sep 26 2002 - 23:19:27 PDT


    Greg Jorgensen wrote:
    
    > On Thursday, September 26, 2002, at 06:19  PM, Crispin Cowan wrote:
    >
    >> What WILL work to prevent ID theft is legislation that prohibits banks & 
    >> credit bureaus from using pathetically weak authenticators. Dr. 
    >> Crispy's proposed law to largely eliminate ID theft:
    >>
    >>    * No financial institution or government agency may use a social
    >>      security number, any attribute that is a matter of public record,
    >>      or any attribute that is easily obtainable about another person
    >>      (such as DOB, address, or mother's maiden name) as an
    >>      authenticator. Authenticators must be *secret*, known only to the
    >>      person and to the issuing organization at the time of issue.
    >
    I'll just leave my proposed law up there for reference :-)
    
    > From the Social Security Administration's Publication No. 05-10002, 
    > "Your Number and Card":
    >
    >> Giving Your Number To Others
    >>
    >> If a business or other enterprise asks you for your Social Security 
    >> number, you can refuse to give it to them. However, that may mean 
    >> doing without the purchase or service for which your number was 
    >> requested. For example, utility companies and other services ask for 
    >> your Social Security number, but do not need it; they can do a credit 
    >> check or identify their customers by alternative means.
    >
    Yes, and that has become completely ineffective. You cannot be legally 
    required to give your SSC to people who don't need it, but just try to 
    get a car loan without coughing it up.
    
    > When Social Security was first established the law authorizing the 
    > issuance of numbers specifically prohibited their use as 
    > identification. The only legitimate purpose for the SSN according to 
    > the original statute is to identify and access an individual's Social 
    > Security account. The IRS uses your SSN as your Taxpayer ID Number 
    > (TIN), but you can ask for and get a different TIN that is not your 
    > SSN. I believe the IRS was later authorized to require SSNs when they 
    > took over collecting FICA "contributions." Employers can ask for and 
    > use your SSN only to complete tax forms.
    
    See, here is the problem. SSC is a fine identifier, and a lousy 
    authenticator. Why is it a lousy authenticator?
    
        * Way, WAY too many people have a copy. This is the primary reason
          it is a bad authenticator.
        * There is no easy way to change it. Authentication credentials
          (passwords) should be rotated on a regular basis, and *definitely*
          need to be changeable on demand (in case you think someone has
          sniffed yours). It is a huge PITA to change your SSC, so it
          horribly fails as a password.
        * Minor nit: the user does not get to choose the number.
    
    
    > Most organizations that ask for your SSN--schools, utility companies, 
    > etc.--will issue an identifier to you if you ask. Their use of SSNs is 
    > more or less benign; the problem is that they don't secure the 
    > information.
    
    Exactly. That is why they should not be permitted to use SSC as an 
    authenticator.
    
    Trying to treat a password that is only shared with a few thousand of 
    your most distant business associates is hopeless. No amount of privacy 
    legislation will make SSC's hard enough to get to be usable as 
    passwords, nor will they enable rapid, easy change of SSC's.
    
    SSC's should be used exclusively as identifiers. You should be able to 
    print them on your business cards. No one should ever use them for 
    access control.
    
    >> Sadly, I don't think the State has the jurisdiction to implement such 
    >> a law; it'll probably have to be Federal.
    >
    > In general states laws can't override or nullify Federal laws, but 
    > they can clarify and narrow areas left open in a Federal law. Since 
    > Social Security numbers are issued by the Federal government states 
    > can't legislate on their use in any meaningful way. The Federal 
    > Privacy Act also appears to create a Federal jurisdiction over 
    > identification schemes.
    
    The State may not have jurisdiction over SSC's, but it can have 
    jurisdiction over what kind of authentication various state-regulated 
    and state-operated orgs use. For instance, it would be easy for the 
    State to outlaw any state agency using SSC's for authentication.
    
    > I'm not an attorney. 
    
    Neither am I, but I am an opinionated cuss :)
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX                      http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
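The identifier-versus-authenticator split argued for in the message above, as an added example that is not part of the original post or of any product mentioned in it. The names (WeakAccountStore, AccountStore, the sample SSN and date of birth) are assumed for illustration; the SSN is a constructed value, not a real number. The weak store uses the SSN as the authenticator, so anyone among the many parties holding a copy passes; the hardened store uses the SSN purely as a lookup key, takes a separate user-chosen secret that is stored as a salted PBKDF2 hash, refuses secrets that are matters of public record, and lets the secret be rotated on demand without touching the identifier.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000
SALT_BYTES = 16


class WeakAccountStore:
    """The anti-pattern: the SSN doubles as identifier and authenticator."""

    def __init__(self):
        self._accounts = {}

    def enroll(self, ssn, name):
        self._accounts[ssn] = {"name": name}

    def authenticate(self, ssn):
        # "Knows the SSN" is the entire check, so every employer, utility and
        # credit bureau that has a copy can pass it.
        return ssn in self._accounts


class AccountStore:
    """SSN is a public identifier; a separate, rotatable secret authenticates."""

    def __init__(self):
        self._accounts = {}

    @staticmethod
    def _hash(secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)

    @staticmethod
    def _check_secret(secret, ssn, public_attrs):
        # Authenticators must be secret: reject the SSN itself and any attribute
        # that is a matter of public record (DOB, address, mother's maiden name).
        if secret == ssn or secret in public_attrs:
            raise ValueError("authenticator must be a secret, not a public attribute")

    def enroll(self, ssn, name, secret, public_attrs=()):
        self._check_secret(secret, ssn, public_attrs)
        salt = secrets.token_bytes(SALT_BYTES)
        self._accounts[ssn] = {
            "name": name,
            "public_attrs": tuple(public_attrs),
            "salt": salt,
            "hash": self._hash(secret, salt),
        }

    def authenticate(self, ssn, secret):
        rec = self._accounts.get(ssn)
        if rec is None:
            return False
        return hmac.compare_digest(rec["hash"], self._hash(secret, rec["salt"]))

    def rotate(self, ssn, old_secret, new_secret):
        # Change on demand: prove possession of the current secret, then replace it.
        if not self.authenticate(ssn, old_secret):
            return False
        rec = self._accounts[ssn]
        self._check_secret(new_secret, ssn, rec["public_attrs"])
        rec["salt"] = secrets.token_bytes(SALT_BYTES)
        rec["hash"] = self._hash(new_secret, rec["salt"])
        return True


def demo():
    ssn = "123-45-6789"  # constructed sample identifier, not a real number
    dob = "1970-01-01"   # constructed "matter of public record" attribute

    weak = WeakAccountStore()
    weak.enroll(ssn, "A. Customer")

    strong = AccountStore()
    strong.enroll(ssn, "A. Customer", "tr0ub4dor&3", public_attrs=(dob,))

    results = {
        # Whoever obtained the SSN from one of its many holders passes the weak check.
        "weak_ssn_alone_passes": weak.authenticate(ssn),
        # The same SSN, or the DOB, buys nothing against the separate-secret store.
        "strong_ssn_alone_fails": not strong.authenticate(ssn, ssn),
        "strong_dob_fails": not strong.authenticate(ssn, dob),
        "strong_real_secret_passes": strong.authenticate(ssn, "tr0ub4dor&3"),
    }
    # Suspected compromise: the secret changes on demand; the SSN never has to.
    results["rotation_succeeds"] = strong.rotate(ssn, "tr0ub4dor&3", "correct-horse-battery")
    results["old_secret_fails_after_rotation"] = not strong.authenticate(ssn, "tr0ub4dor&3")
    results["new_secret_passes_after_rotation"] = strong.authenticate(ssn, "correct-horse-battery")
    # Enrollment refuses a public attribute as the authenticator.
    try:
        AccountStore().enroll(ssn, "B. Customer", dob, public_attrs=(dob,))
        results["public_attr_rejected"] = False
    except ValueError:
        results["public_attr_rejected"] = True
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Running the block prints one line per check; every check should come out True. The point the code makes is the one the message makes: nothing about the SSN changes between the two stores, only whether it is asked to do the job of a secret.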
    
    This archive was generated by hypermail 2b30 : Thu Sep 26 2002 - 23:50:33 PDT