Educause Security Discussion mailing list archives
Re: Use of Partial SSN as Authenticator
From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Thu, 22 Feb 2007 10:33:42 -0700
FYI: Here is the SS administration page on the formation of SSNs: http://www.ssa.gov/history/ssn/geocard.html which links to a table of the max current group numbers for each issued area number. It can be helpful in validating SSNs, although while working with Spider, we found that validating down to that detail level wasn't very useful as it eliminated very few false positives (as compared to the regexes we ended up using).

The problem of 'alternate authentication' is a tough one, particularly if it's for first-time authentication (i.e. prior to an opportunity to ask a user for a 'security question' or something similar) - we usually have limited pieces of data about a user to work with and even fewer that aren't easily discovered.

Brad Judy
IT Security Office
Information Technology Services
University of Colorado at Boulder
-----Original Message-----
From: Randy Marchany [mailto:marchany () CANDI2 CIRT VT EDU]
Sent: Thursday, February 22, 2007 9:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Use of Partial SSN as Authenticator

I thought ANY part of the SSN would be considered a FERPA violation. Having said that, anything that asks for the last 4 digits of an SSN is BAD. I can go to the ssa.gov site, find a description of the SSN fields (xxx-xx-xxxx), realize the first 3 digits are by state (001-001 for NH, etc.), make a reasonable guess for the middle 2 digits (again fully explained in the SSN guide) and wait for someone to provide the last 4 digits. See http://members.tripod.com/%7Egene_pool/3invssn2.htm for a description of the SSN fields.

I have seen applications that ask for the last digits of your driver's license number for a PIN code. Here in VA, DL #'s aren't SSNs so I suppose it's a little safer.

I do understand the developers are probably trying to think of a number that most people would know but using any part of the SSN is not good. Have I said that enough? :-))))

-Randy Marchany
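Editor's note: the following Python example is added here to illustrate the three levels of SSN validation Brad's message touches on (a candidate regex, the structural rules of the area-group-serial layout Randy describes, and the SSA "high group" table). It is not code from either message, from Spider, or from SSA. The group issuance order it encodes (odd 01-09, even 10-98, even 02-08, odd 11-99) is SSA's documented pre-2011 sequence; the SAMPLE_HIGH_GROUP table and SAMPLE_TEXT are constructed for the demo and contain no real SSNs or real high-group values, which come from the SSA table linked above.

```python
import re

# Candidate pattern: three, two and four digits, separated by an optional
# dash or space, not embedded in a longer digit run.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Pre-2011 issuance order of the two-digit group number within an area,
# as documented by SSA: odd 01-09, even 10-98, even 02-08, odd 11-99.
GROUP_ORDER = (
    [f"{g:02d}" for g in range(1, 10, 2)]
    + [f"{g:02d}" for g in range(10, 99, 2)]
    + [f"{g:02d}" for g in range(2, 9, 2)]
    + [f"{g:02d}" for g in range(11, 100, 2)]
)
GROUP_RANK = {g: i for i, g in enumerate(GROUP_ORDER)}

# CONSTRUCTED stand-in for SSA's high-group table (area -> highest group issued).
# These values are invented for the demo; the real table is the one SSA publishes.
SAMPLE_HIGH_GROUP = {"001": "96", "123": "13", "555": "10"}


def structurally_valid(area: str, group: str, serial: str) -> bool:
    """Rules that held for every SSN issued before the 2011 randomization:
    area numbers 000, 666 and 900-999 were never assigned, nor was group 00
    or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def group_issued(area: str, group: str, high_group: dict) -> bool:
    """True if the group could have been issued in this area, i.e. it does not
    come after the area's current high group in GROUP_ORDER (numeric order is
    the wrong test: 03 precedes 10 but 02 follows it). An area missing from
    the table is treated as never assigned."""
    current = high_group.get(area)
    if current is None:
        return False
    return GROUP_RANK[group] <= GROUP_RANK[current]


def find_ssns(text: str, high_group: dict = SAMPLE_HIGH_GROUP) -> dict:
    """Run the three filters in turn and return the survivors of each stage."""
    stages = {"regex": [], "structural": [], "high_group": []}
    for m in SSN_CANDIDATE.finditer(text):
        area, group, serial = m.groups()
        ssn = f"{area}-{group}-{serial}"
        stages["regex"].append(ssn)
        if not structurally_valid(area, group, serial):
            continue
        stages["structural"].append(ssn)
        if group_issued(area, group, high_group):
            stages["high_group"].append(ssn)
    return stages


# Constructed sample data; none of these are real SSNs.
SAMPLE_TEXT = """\
001-48-1234  group 48 is at or before high group 96 for area 001
123-45-6789  group 45 comes after high group 13 for area 123
555-03-1234  group 03 is issued before 10, so it passes for area 555
555-02-1234  group 02 is issued after 10, so it fails for area 555
000-12-3456  area 000 never assigned
666-12-3456  area 666 never assigned
987-65-4321  areas 900 and up never assigned
555-00-1234  group 00 never assigned
555 03 0000  serial 0000 never assigned
order 1234-56-7890 and phone 303-492-1234 are not candidates
"""

if __name__ == "__main__":
    for stage, hits in find_ssns(SAMPLE_TEXT).items():
        print(f"{stage:>10}: {len(hits)} {hits}")
```

Two caveats for anyone reusing this: the constructed sample says nothing about false-positive rates on real data, which is the point Brad reports from Spider; and since SSA switched to randomized assignment in 2011, the area and group structure no longer constrains newly issued numbers, so the high-group check only applies to numbers issued before that change.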
Current thread:
- Use of Partial SSN as Authenticator Gary Flynn (Feb 22)
- <Possible follow-ups>
- Re: Use of Partial SSN as Authenticator Charlie Reitsma (Feb 22)
- Re: Use of Partial SSN as Authenticator Randy Grimshaw (Feb 22)
- Re: Use of Partial SSN as Authenticator Steve Worona (Feb 22)
- Re: Use of Partial SSN as Authenticator Gary Flynn (Feb 22)
- Re: Use of Partial SSN as Authenticator Randy Marchany (Feb 22)
- Re: Use of Partial SSN as Authenticator Pace, Guy (Feb 22)
- Re: Use of Partial SSN as Authenticator Brad Judy (Feb 22)
- Re: Use of Partial SSN as Authenticator Jimmy Kuo (Feb 22)