Educause Security Discussion mailing list archives
Re: Bare Social Social Security Numbers
From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 28 Mar 2006 12:52:05 -0500
H. Morrow Long wrote:
> The following are advertised on Google:
>
> Social Security Numbers Lookup SSN Number online. Get instant access now. www.SSN-Finder.com
> Reverse SSN Lookup Enter a name or SSN & get info. Start with your preliminary search. www.civilrecords.org
> Find Annyone by SSN # Money Back Guarantee Locate Someone Today only $19.95 socialsecuritysearchusa.com
> SSN #s Lookup. Lookup SSN #. Verify People Info, Contacts, Background Check, More. www.check-ssn.com
> SSN Verification SSN Verification Solutions. Aliases Addresses And Phone Numbers. www.ewoss.com
I vote we make all SSN and names public knowledge so they'll be worthless as a basis on which to make a decision. Then, when companies, governments, and organizations can no longer use them as authenticators, they become worthless. ;) Given the list of *known* incidents on the privacyrights.org site and all the stuff for sale, we may be halfway there already.
> There is also an interesting project involving SSNs at CMU:
> http://privacy.cs.cmu.edu/dataprivacy/projects/ssnwatch/identitytheft.html
I wonder how many people type their SSN into that site. I wonder if queries are written to log files. (Listserv archives, Google searches, and newsgroups are probably treasure troves of IP Address <-> person correlations. Anyone know of any research on this? I've always been opposed to NAT but now I'm not so sure.) I wonder how robust the application is and how it's maintained. When I tried I got...

Error: 404 HTX Not Found The HTX file specified in the query request was not found.
> On a side note, we had a recent scare on campus where a faculty member had created an example database using real student names combined with a set of SSNs, addresses, phone numbers, etc. that were made up. ...
We've had similar things happen here.

BTW - It looks to me like the current and proposed laws define a lowest common denominator in care. While a list of SSNs by itself is not covered, if they're a list of SSNs in a single class or club, there are obvious risks even without explicit name lists that common sense may suggest avoiding. And I have yet to figure out why an encrypted database should be exempted from disclosure if the system on which it resides is compromised at the root or administrative level.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security