Educause Security Discussion mailing list archives

Re: Bare Social Social Security Numbers


From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 28 Mar 2006 12:52:05 -0500

H. Morrow Long wrote:

The following are advertised on Google:

Social Security Numbers
Lookup SSN Number online.
Get instant access now.
www.SSN-Finder.com

Reverse SSN Lookup
Enter a name or SSN & get info.
Start with your preliminary search.
www.civilrecords.org

Find Anyone by SSN #
Money Back Guarantee
Locate Someone Today only $19.95
socialsecuritysearchusa.com

SSN #s Lookup.
Lookup SSN #. Verify People Info,
Contacts, Background Check, More.
www.check-ssn.com

SSN Verification
SSN Verification Solutions. Aliases
Addresses And Phone Numbers.
www.ewoss.com

I vote we make all SSN and names public knowledge so they'll
be worthless as a basis on which to make a decision. Then,
when companies, governments, and organizations can no longer
use them as authenticators, they become worthless. ;)

Given the list of *known* incidents on the privacyrights.org
site and all the stuff for sale, we may be halfway there already.

There is also an interesting project involving SSNs at CMU:
    http://privacy.cs.cmu.edu/dataprivacy/projects/ssnwatch/identitytheft.html

I wonder how many people type their SSN into that site.

I wonder if queries are written to log files. (Listserv
archives, Google searches, and newsgroups are probably
treasure troves of IP Address <-> person correlations.
Anyone know of any research on this? I've always been
opposed to NAT but now I'm not so sure.)

I wonder how robust the application is and how it's
maintained. When I tried I got...

Error: 404 HTX Not Found
The HTX file specified in the query request was not found.

On a side note, we had a recent scare on campus where a faculty
member had created an example database using real student names
combined with a set of SSNs, addresses, phone numbers, etc. that were
made up. ...

We've had similar things happen here.

BTW - It looks to me like the current and proposed laws define a lowest
common denominator in care. While a list of SSNs by themselves are not
covered, if they're a list of SSNs in a single class or club, there are
obvious risks even without explicit name lists that common sense may
suggest avoiding.

And I have yet to figure out why an encrypted database should be
exempted from disclosure if the system on which it resides is
compromised at the root or administrative level.


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
