Educause Security Discussion mailing list archives

Re: Use of Partial SSN as Authenticator


From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Thu, 22 Feb 2007 10:33:42 -0700

FYI: Here is the SS administration page on the formation of SSNs:
http://www.ssa.gov/history/ssn/geocard.html which links to a table of
the max current group numbers for each issued area number.  It can be
helpful in validating SSNs, although while working with Spider, we
found that validating down to that detail level wasn't very useful as it
eliminated very few false positives (as compared to the regexes we
ended up using).

The problem of 'alternate authentication' is a tough one, particularly
if it's for first time authentication (i.e. prior to an opportunity to
ask a user for a 'security question' or something similar) - we usually
have limited pieces of data about a user to work with and even fewer
that aren't easily discovered.

Brad Judy

IT Security Office
Information Technology Services
University of Colorado at Boulder

-----Original Message-----
From: Randy Marchany [mailto:marchany () CANDI2 CIRT VT EDU] 
Sent: Thursday, February 22, 2007 9:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Use of Partial SSN as Authenticator

I thought ANY part of the SSN would be considered a FERPA violation.

Having said that, anything that asks for the last 4 digits of an SSN is
BAD. I can go to the ssa.gov site, find a description of the SSN fields
(xxx-xx-xxxx), realize the first 3 digits are by state (001-001 for NH,
etc.), make a reasonable guess for the middle 2 digits (again fully
explained in the SSN guide) and wait for someone to provide the last 4
digits.

See http://members.tripod.com/%7Egene_pool/3invssn2.htm for a
description of the SSN fields.


I have seen applications that ask for the last digits of your driver's
license number for a PIN code. Here in VA, DL #'s aren't SSNs so I
suppose it's a little safer.

I do understand the developers are probably trying to think of a number
that most people would know but using any part of the SSN is not good.
Have I said that enough? :-))))

      -Randy Marchany

