Identity theft boggles my mind a bit. It’s no mystery why criminal enterprises attempt it. It’s a mystery that we have systems where public information is used for security.

The biggest one is your Social Security Number. Why should knowledge of a person’s SSN entitle you to anything? The SSN is a user ID. A public key at best. It is certainly not a password.

And yet we use it as such. Furthermore, you keep this “password” unchanged for your whole life. If it’s compromised once, it’s compromised forever. It’s just crazy that we accord it any security value at all.

Now we learn that SSNs can be guessed with a high degree of accuracy. So theft isn’t even necessary: “We really wanted to come public with this result because the issue goes way beyond individual response,” he said. “It’s not just about remembering to shred your documents or to remove personal identification off your mail. As much as you try to protect your personal info, the info is already out there.”

According to information privacy experts, Social Security numbers were never meant to be used for authentication purposes, and using them as passwords puts all consumers at risk for identity theft.

We need to evolve our systems such that knowledge of a person’s SSN is utterly useless. I am thinking of this primarily in terms of banks and credit card offers. Many of them have multi-factor authentication systems, none of which is perfectly secure but the sum of which puts the odds in security’s favor.

But when a small information leak can lead to a massive personal security breach, we have a system that is not well designed against localized, but catastrophic, failure.