Comment

Comment on All U.S. Social Security numbers may need to be changed following a massive breach that is already being investigated as a national threat

<- View Parent

remotelove@lemmy.ca ⁨2⁩ ⁨days⁩ ago

SSNs are generally considered public information but how the SSN is linked to other information is usually the more difficult bit to find and it’s generally pay-walled. (Any jackass with a business license and a credit card can usually buy background check information for ‘hiring’.)

But no, it shouldn’t be solely used for authentication. That is just dumb. However, it can be used as part of a larger verification and validation scheme while building authentication/authorization profiles. In most systems that I have seen that use full or partial SSNs, it is always linked to several other identifiers that need to match.

source

Sort:hotnew top

Archer@lemmy.world ⁨2⁩ ⁨days⁩ ago
They are definitely not. People consider it increased risk for identity theft if they hear their SSN was stolen and you just cited how people are still using them in part for authentication. They need to be completely useless for authentication

source
- remotelove@lemmy.ca ⁨2⁩ ⁨days⁩ ago
  I am making a slightly different point and have a bias to this perspective: www.legis.iowa.gov/docs/publications/…/19230.pdf
  
  I am saying that an SSN can be part of a larger validation scheme, not the only key to the castle. Specifically for government sites, SSNs can be linked to IRS data to verify places of last residence. A person generally needs to verify multiple items that are referenced by the SSN before basic authentication can be established and set by the user. (This is part of the full Authentication, Authorization and Access Control triad.)
  
  An SSN is just a broad level identifier. If you look at many laws around the release of SSNs, the redaction is usualyl in place to prevent the linking of different documents and other data points.
  
  If I released my SSN in this chat, I could be fully doxxed in a matter of seconds. It’s mainly because there are many legal systems in place that use an SSN as a primary key, of sorts. (It’s a bit more than that, as SSNs can be duplicated in some circumstances.)
  
  So to say, at a high level, an SSN is considered private is absolutely correct. However, it’s so easily referenced and obtainable it really isn’t fully private either.
  
  source
  - UltraGiGaGigantic@lemmy.ml ⁨1⁩ ⁨day⁩ ago
    
    If I released my SSN in this chat, I could be fully doxxed in a matter of seconds.
    
    000-00-0002
    
    source
    remotelove@lemmy.ca ⁨1⁩ ⁨day⁩ ago
    000, 666 and 900-999 are invalid area numbers and any digit group of all zeros is also invalid. Thanks for playing!
    
    source
    -> View More Comments