There is a situation that seems too common in this industry. Companies are storing the last four digits of a users social security number in a data repository in clear text. I’m going to put this next part on it’s only line to reaaaaly stress my point:
DON’T EVER STORE THE LAST 4 OF AN SSN IN CLEAR TEXT!
First we need to ask ourselves “why” they think it’s ok to do this. Generally the response is, “well, it’s ok because it’s not the full SSN”. My best guess is that they never put any real thought into this, because the last four digits of a social security number is the most important part!
Ask yourself, “Why do you guard your SSN so tightly?” and you’ll probably come back with something like, “I don’t want people to steal my identity”.
Well… you don’t need the full SSN. Well, maybe for more elaborate things, like opening a line of credit, but not for any of your day-to-day stuff. Think about it. When someone wants to validate you are who you say, they ask you a couple questions that everyone knows (name, phone, etc), and then the über secure, “What’s the last four of your SSN?”
Everyone verifies you now via the last four of your SSN! You want a bunch of help desk personel (maybe even off-shore) to have the last four of your SSN? Yeah… didn’t think so.
Also, not sure if you already know this or not, but the last four of your SSN are the ONLY numbers that are serial. The first three have to do with where you filed for your SSN. It’s a location code. The second two are a grouping (most not even used) and they are determined by when you where born (the year). You can find out the code behind it here:
http://stevemorse.org/ssn/ssn.html
So, let’s say you were born in Delaware. Then the first three digits are either 221 or 222. Let’s say you were born in 1973; the middle two digits would be 50. Not very random huh?
Now you’re just down to just the last four (the one’s companies want to leave unencrypted) and there’s only 10,000 possibilities. Sure, a malicious user calling up AT&T is going to have a tough time guessing 1 in 10,000 but if there’s an online app that has you “verify” the last four of your SSN, they’ve basically created a brute force tool to “verify” that you’ve guessed the correct answer =). Also, phishing the last four from someone isn’t terribly difficult. Ironically, this is because of the same reasons that a company thinks it’s ok to leave the last 4 unencrypted. Most people think you can’t do anything with just the last 4, and the rest are random.
You can read more, right from the Social Security Administration (http://www.ssa.gov/history/ssn/geocard.html).
So, this is my public outcry to everyone to push companies to stop using the last 4 as a security measure! I don’t want everyone knowing my SSN, and neither should you. Until there’s a better citizen numbering system implemented (which is probably going to be pretty soon), these guys need to come up with something better.
Maybe ask for the first 3? LOL!
I guess I should reword my opening statement to:
DON’T EVER STORE THE LAST 4 OF AN SSN!
Because, really, it’s not needed. I mean c’mon, if Facebook or Google hasn’t asked for it, and they know more about you than you do, it’s just not necessary.