General discussion

It’s Time to Dump the Social Security Number

The social security number has been in use since 1935, or 80 years.
Initially it was clearly printed on every social security card issued that the number WAS NOT to be used for Identification Purposes.
However we all know that banks, other financial institutions, and most businesses have been ignoring this admonition.

Since the dynamic growth of the internet and online business transactions, the social security number has been the target of many hacks.

It is time to get rid of the social security number altogether.
There are very efficient biometric scanners that can be used to verify a person’s identity.

Banks and other businesses and institutions need to start registering the clients and/or customers thumb-prints and use
them to verify identities.

People who wish to place orders over the internet can purchase a thumb-print scanner very cheaply.
These scanners are in the 50.00 to 200.00 dollar price range.

Businesses that process credit and ATM debit cards can use the same scanners.

Using the thumb print is a fraud proof way of identity verification, since the users thumb MUST be scanned and matched with the
issuing institution’s database. Therefore even if the thumb-print database is hacked, it’s useless because the criminals have
NO ACCESS to the person’s thumb.

Obviously standards should be put in place to insure all thumb-print scanners adhere to the same verification
paradigm: e.g. blood-pressure and temperature sensors, to insure a live human thumb is being scanned.

All of the technology to verify identities through biometrics exist today, as Off-the-Shelf products.
The prices on such biometric devices will drop as their use becomes wide spread.

Discussion is locked

Follow
Reply to: It’s Time to Dump the Social Security Number
PLEASE NOTE: Do not post advertisements, offensive materials, profanity, or personal attacks. Please remember to be considerate of other members. If you are new to the CNET Forums, please read our CNET Forums FAQ. All submitted content is subject to our Terms of Use.
Reporting: It’s Time to Dump the Social Security Number
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Comments
- Collapse -
Yeh Right, Tell That To The Social Security Administration

I understand your premise, but knowing the "powers-that-be" in the administration of SS, changing government standards for the millions of members is next to impossible. It won't happen anytime in the near future and because the number will always exist, it will always be an easy way to identify those same members, and companies will continue to use it as such..

And besides, most fingerprint scanners aren't all that secure either.. iPhone scanners have already been hacked and for many other brands of scanners, merely printing a thumbprint on a piece of paper gets you through the security. Unfortunately, there is no silver bullet when it comes to security.

Hope this helps.

Grif

- Collapse -
It is time to drop the use of Social Security Numbers

Well Grif you bring up some interesting issues.
Regarding the Social Security Administration, they still hold the policy as set forth in 1935, that
SSNs should NOT be used for identification purposes. This is stated on their web site.
The law further states that only the IRS and Law Enforcement Agencies may demand a person's SSN as it pertains to an on-going investigation. The fact that all government agencies, and private businesses obtain SSNs upon request, is because WE the PEOPLE have been: "..Hoodwinked & Bamboozled.." (to paraphrase Malcolm X) into surrendering this information without challenge.
I believe I mentioned in my original statement that thumb-print scanners should all use the same verification paradigm to insure a live human is having their thumb scanned.
e.g. blood pressure and temperature checks. This sensor technology all ready exists.
It's already incorporated into the better thumb-print scanners.
Besides if thieves hack a thumbprint database, Whose thumbprint are they going to mimic?
That's assuming they can break the encryption on such a file.

- Collapse -
As to the live human test. Pork chops.

There was a system I worked on years ago and penetration tests found that pork chops worked best. Many hotdogs worked too.

The other checks you noted were also found to be bypassable.

If you are thinking this is the one true solution, I fear you are new to this field.

Next thing you know you'll be asking us to be tattoo'd at birth.

- Collapse -
It is time to drop the use of Social Security Numbers

R. Profitt would you care to give some details on these tests?
How long ago was it ?
I'll be frank, I think you're making it up (I don't want to say LYING)
simply to be contrary or at a sad attempt to be humorous.
I NEVER said it is a true solution (whatever you mean by that).
It is however a very viable solution.
I think you've been away from the field a long time.
BTW at least in America, children are "Tattoo'd" at birth, they're assigned a
social-security number.

- Collapse -
It was over a decade ago.

It was contract work for those ankle home monitoring systems.

I'm unsure why you want to have me vet my prior work. That out of the way, your system is well, how to discuss it without upsetting folk?

There are long papers, dissertations on this area. There is a simple system that works well. That is, you come to a terminal with a video camera and declare who you are. There's a feed back to the security system with folk that look at the video camera feed and then up pops up the on file photo and such. The human makes the call and agrees that it is who they say it is and the OK is sent.

There are some computer based systems but for absolute security the human wins this round.

- Collapse -
It is time to drop the use of Social Security Numbers

R. Profitt I apologize.
The claims about pork-chops and hotdogs just flabbergasted me.
However I'm familiar with the ankle "bracelet" home monitoring systems.
My son-in-law had to wear one because of the severity of his DUI offenses.
He related to me that people did try to use meat, but it didn't work.
The court and the company that monitored the bracelets warned people not to
try any such tricks.
These monitors were designed to measure blood alcohol via the sweat coming
thru the skin.
I don't know the last time you've had any kind of physical or had your vital signs
taken, as a veteran I go to the VA quite often.
They have a simple finger-clamp device that actually measures your pulse rate.
They have another device that can measure your blood-sugar thru the skin
without "spilling" any blood ..i.e. pricking a finger.
Taking the body temperature via your skin is no problem either.
So as I was stating earlier, all these sensor systems are available technology.
The better (more expensive) scanners incorporate these features.

- Collapse -
Sounds like you only need to

Make a business plan, prototype and sell it. The system I was part of had severe cost constraints so what you noted was not in the budget.

- Collapse -
But Can You Made A "Hard Copy"...?

Most needs for identity checks also need an "easy" method (usually a hard copy) of recording the data for various identification requests. Currently, the company simply writes down the SSN on an official piece of paper, or types it into a database, (yes, I understand that it wasn't originally approved for, such uses by the SS admin.), and it remains there for easy retrieval by the company later. How do it do that with a thumbprint when the identity check might be needed on a on phone call, or at an office, such as when you need to call in for help on your mortgage payment, or your phone bill, or your medical records? Everybody has to have a thumbprint read-out machine, or a retinal eye scanner sitting next to their phone or at a desk? Not my favorite way of doing things and there are too many folks still termed as "old school". (Heck, I've got parents that have never made a FAX.. Literally !)

I'll grant you that the SSN isn't an ideal method for general use in identifying individuals, but I'm not sold on any other methods, such as thumbprints, either. They all can be hacked/broken and other methods don't function well with current methods of keeping and checking records.

Good luck at creating the cheap prototype that covers all the requirements.

Hope this helps.

Grif

- Collapse -
But Can You Made A "Hard Copy"...?

Grif you make some good points.
Yes you can make a "hard copy" of a thumb-print.
As to phone calls, while it may be technically challenging, a thumb-print scanner app could be added to "smart-phones", as to "old school", even my 87 & 91 year
old aunts have smart-phones. (and they are very conservative)
Actually having a thumb-print app "hard-coded" into one's smart-phone and/or
ipad/notebook would prevent thieves from stealing these devices as ONLY the
person whose thumb-print is "registered" with the device. If the thumb-print app is removed or otherwise disabled it would render the device inoperable.

- Collapse -
Why Are SSNs Issued At Birth!

If you do the research you'll find out that the issuance of a SSN at birth was introduced to prevent tax cheating. Before the "tattooing" referred to, the 1040 required only the names of dependents. So if you entered yourself and spouse, Mr. and Mrs. Smith, and also listed Tickles Smith and Fido Smith, you doubled your deduction and lowered your taxes. There was no way to verify the validity, or even existence, of the listed dependents. If you'll notice, now an SSN is required for each person included on the return and that has gone a good way to limit such cheating by tax filers. Even non-citizen filers (there are millions of these) need to provide, a US government tax identification number to be used on a 1040 in order to qualify themselves and valid dependents. There are strict requirements for the forms of foreign documentation required in order to qualify for a government issued tax number.
So how can our government prevent this sort of tax cheating, issue a national ID card and the bureaucracy to support it?

- Collapse -
Why Are SSNs Issued At Birth! Drop use of SSN

Hi dickmcguinness
Good question. For the Time being as long as we have the present tax structure
The use of the SSN for tax purposes will have to stay in place.
The SSN as a means of authentication to open a Bank Account, or to obtain credit,
or to get a Drivers License or other Identification should NOT be used.
Remember the SSN is NOT to be used for identification purposes and despite this
phrase not being printed on Social Security Cards, the SSA still maintains this policy.
However it has no force of law, so most companies ignore it.
Our current tax system is essentially "broken" and is too complex.
If the U.S. would repeal the 16th Amendment and get rid of capital-gains, income,
and wage taxation, and go with a national sales tax of 10% that would further
reduce the need for the SSN.
However the tax system is another topic and probably inappropriate for cnet.

- Collapse -
A Logistics nightmare

The thing that's going to drive your biometric Fantasyland is Software and as we all know Software has ins and outs and mostly back doors. I've been working in the POS industry for about 30 years as a acquirer. The one thing that I've found is that these will be able to circumvent whenever system you put in place if there is money at the end of the rainbow. As one of your post you said there is no silver bullet when it comes to security. Biometrics will make it hard for the idiot criminal to commit crime but never the smart one

- Collapse -
Not For Much Longer!

Each of you make some good points, and your concerns are real, but there is a product in development which will bring about the end of SSNs -- securely. I have spent more than 15 years designing this new system, because the matter as a whole is a FAR more difficult than most believe. I have been a Software Consultant for quite a few organizations over the past 30+ years, to include several federal agencies and financial institutions. I have a unique perspective which I've used to prove/test my concepts. This new system, known as the Multi-Use Passport Identification (MPID) system, seeks to correct most, if not all, of the current issues involving the protection of personally identifiable information (PII) AND commonly-used personal data elements.

Is a forced use of biometrics the answer? No, simply because they can't be changed, and there will always be cases, such as witness protection, in which primary identifiers need to change.

Are computer systems too easy to compromise? Yes, the vast majority are, but only because we fail to do the proper amount of system testing on a CONTINUAL basis. You can't build the safest possible luxury car today, and expect it to remain the safest luxury car on the market for 50, 25, or even 10 years. You also wouldn't be able to drive that car in environments which it wasn't intentionally designed for, so why do software developers/users assume that software products are any different? Some of the primary design characteristics of MPID, support that the system be expanded and tested on a continual basis in order to meet the needs of its members in a secure manner. We realize that as long as there is an army to attack the system, there needs to be an army actively pushing them back.

Does corruption truly exist to compromize such systems? You bet! Without the proper checks and balances in place, the human factor will always present a negative factor in security. Greed is a big one. Although the MPID system should bring in plenty of profit to meet our needs, even in a pricing model which provides its basic services for FREE to all individuals, we have to remain mindful of such temptations. Coercion tactics today have forced us to build in controls which will protect the MPID system from both internal and external forces.

The MPID system provides each individual and registered organization with a globally unique identifier. Unlike Social Security numbers, MPID numbers ARE designed to be freely used by others to identify members and organizations, without compromising the security of said individuals and organizations. Like it or not, we live in a technological world which requires logical identifiers for the sake of efficiency. Properly managed, MPID numbers will allow completely independent systems to communicate about members in a positive way that we have previously only dreamed of. MPID provides those management services. This means that SSNs can go away, by being replaced with a better identifier, and that doing so will improve the operations of the Social Security Administration, rather than hinder them.

I can't possibly answer all the questions and concerns that you might have about the MPID system in a forum such as this. It's far too complex, but it has to be in order to solve the problem. Many years of effort have been devoted to this project, and many more will follow after it goes into production. Want those SSNs and the abuse of SSNs to go away? Then find one or more identity security systems that you believe in, and support their efforts!

- Collapse -
I bow to your greater knowledge...

...of MPID, which I readily admit, I know nothing about but if it's anything like the chipped EU passports system, that was hacked in two days - lessons learned, hopefully.

I do agree with you about biometrics, though. Most people might think DNA is unique but not so. I knew a gentleman, now deceased, who married his first cousin and due to the vagaries of genetics, they produced a son with verified identical DNA to his father!

One system that did seem to work quite well was used for a while by the USA INS, called INSpass (not sure I have the capitalization right) for frequent alien travellers to the USA. You registered with a photograph, fingerprints and a box, into which you placed your spread hand to touch some sensor posts. Subsequently, on arrival, you placed your hand into a similar box at immigration and when the red lights all went out, confirming your hand was in the correct position, the hand profile was compared to a stored copy held at registration. If it matched, your admission certificate popped out of the machine . My best use was 7 seconds - to pass US immigration, wow! It fell by the wayside when Congress failed to renew the visa waiver legislation in the form on which it was based.

- Collapse -
I bow to your greater knowledge...

Hello Zouch, regarding the so-called identical DNA incident, can you give me any
scientific references ? Such a discovery most certainly would have been reported in the
scientific and medical journals. At any rate you said the boy's father is dead, since "his"
DNA is not in circulation any more so to speak, then his son is still unique.
But I seriously doubt it. Frankly, it sounds like an urban legend.

- Collapse -
MPID ???

Hello ebewley. I went to your website it's interesting if nothing else.
I guess there are a few individuals who'll send you money to further your research.
Why don't you try going to IBM with your idea ?
If it is what you say it is, I'm sure IBM will at least give you access to facilities to test it.
Based on your generalized description it sounds like applying PKI to individuals.
You may have something, perhaps PKI and Kerberos combined.

However from my perspective, a robust and facile biometric system will be virtually
impossible to break.
I've heard a lot of objections, and that's good because it helps develop and strengthen
the argument for biometrics.
There will always be exceptions to the "rule" e.g. a person with no hands or feet, the
statistically rare occurrence of people having identical thumb-prints. It's an assertion made
based on a misunderstanding of the current practice of trying to match latent prints from
a crime scene to finger-prints in the FBI's database.
A criminal cannot "hack" a live person's thumb-print. I guess a criminal could conceivably
kidnap a person and force them to use their thumb print. But how would they know whom to kidnap ??
One thing I've learned in designing software systems is to ALWAYS code for the
"Steady-State". If an exception condition arises, kick out the transaction and log the information for further analysis, usually by a human.

- Collapse -
A Logistics nightmare ??

Hello astbnboy
I find your comments curious, and the title "logistics nightmare" is never explained in your post.
Anyway please tell me how you think a "smart" criminal could get-around a biometric system at a
POS terminal ? I'll make it easy... The gas station scenario where one just swipes their card.

- Collapse -
Maybe, maybe not

Very interesting idea, but I'd like to separate the issues here.

I absolutely agree that businesses and other groups, including job applicant systems, should not be requesting SSN. As stated, the SSN was only intended for use by the SSA with the purpose of tracking a person's wages and payments into the Social Security trust fund. Some of you may be too young to recall this, but at one point many health care insurance providers were using the SSN as the contract number for the individual. They were forced to change this more than 10 years ago, because of the risks and exposure for identity theft.

The question is, why are other businesses still requesting it? When you are applying for a job, they are not entitled to ask that number until they hire you, if you think about it. Here in NY state, I can supply my driver's license number rather than my SSN by law, but that doesn't work in many online systems. When applying for colleges, the applications were asking for SSN.

As for biometric measures - why could a thief not use the same technique that law enforcement does to gather fingerprints to capture a thumbprint and use that? Perhaps a thumbprint in conjunction with some other piece of information would help.

- Collapse -
Maybe, maybe not re:Drop the SSN

Hello flautist59
Please elaborate on your statement to wit:
"As for biometric measures - why could a thief not use the same technique that law enforcement does to gather fingerprints to capture a thumbprint and use that? Perhaps a thumbprint in conjunction with some other piece of information would help."
Perhaps you should carefully re-read my original post.
e.g.
A person's thumb-print is used in conjunction with their ATM/Credit-Card, and even a PIN.
The thumb-print scanner no only captures the person's print, but also the temperature, and
pulse-rate. This dynamic authentication data is then compared to card issuer's database.
If it's a valid match, then the transaction proceeds to the next process
credit-limit/funds verification.

- Collapse -
#AmericasPandemicIgnorance

People who bring this stuff up or suggest these things are the real problem.
We NEED to get rid of #AmericasPandemicIgnorance , too much to late the strategy here, but don't need to for those with common sense, which is sadly far a few between these days.

- Collapse -
AmericasPandemicIgnorance ????

DADSGETNDOWN
A curious statement. Do you care to elaborate ?

- Collapse -
Time To Close This Thread...

No longer is it really "on-topic" for the "Spyware, Viruses, & Security forum" regarding computers. Locking the thread.

Hope this helps.

Grif

CNET Forums

Forum Info