[Cryptography] After Equifax pwning, what is the best means for replacing the SSN?

Tony Patti crypto at glassblower.info
Tue Sep 12 22:26:03 EDT 2017


Hi John,
Since you cite Estonia specifically in your last sentence: 
please note yesterday's article in Forbes: "Estonia's ID Card And The March Of Cryptography"
https://www.forbes.com/sites/kalevleetaru/2017/09/11/estonias-id-card-and-the-march-of-cryptography/#56ec1072352f
Tony

-----Original Message-----
From: cryptography [mailto:cryptography-bounces+crypto=glassblower.info at metzdowd.com] On Behalf Of John Levine
Sent: Tuesday, September 12, 2017 5:51 PM
To: cryptography at metzdowd.com
Cc: erik at erikgranger.name
Subject: Re: [Cryptography] After Equifax pwning, what is the best means for replacing the SSN?

In article <13702759.1bt7j2b2zW at lovemachine> you write:
>It makes you wonder, however, why a single 9-digit number is capable of 
>such destruction. Why is your identity 9 digits long?

Because it was never supposed to be a national ID.  SSNs were invented in the 1930s when Social Security was invented, as an account number to track people's contributions and benefits.  Back in the 1930s, account numbers were not common.  The minority of people who paid income tax put their names at the top of their form 1040.  Your bank account had your name, not a number.  (Account numbers arrived in the 1950s when the Bank of America started automated check sorting.)  

Unfortunately for us, the people who designed the account system for the Social Security Administration did a really good job, and even though it's 80 years later, the numbering system is still adequate for its original purpose, and as we have seen sort of adequate for way too many other purposes with which it has been overloaded.

It seems to me that the worst abuse of the SSN is the fiction that it is secret, and so anyone who presents your SSN must be you.  I'd pass a law that says that any account or transaction or database authenticated only or primarily with an SSN is presumed fraudulent and uncollectable.  This specifically includes credit bureaus.

As far as a better national ID, there are lots of countries with national IDs, some of which work better than others.  You might start by looking at Estonia which is small and sophisticated, and India which is huge.

R's,
John
 
_______________________________________________
The cryptography mailing list
cryptography at metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


