Posted on: Wednesday, August 7, 2002
Social Security number your weakest link
By Janet Kornblum
USA Today
After years of warnings by privacy advocates about the pitfalls of using Social Security numbers as online secure passwords, the practice is still common, even among respected institutions and firms. That became clear once again when a Princeton University official admitted using students' personal information to snoop into an online admissions database at rival Yale.
The database required only students' names, birth dates and Social Security numbers to gain access.
The incident highlights the kinds of breaches that become common when organizations use Social Security numbers as a form of ID, security experts say.
The problem is two-fold: Social Security numbers are so widely used that anyone with minimal research skills can get access to them, but they're also used as passwords to enter systems intended to be secure.
"It is the reason we have an epidemic of identity theft right now," says privacy expert Simson Garfinkel, co-author of the 2000 book "Database Nation."
"The problem here is that people treat the Social Security number as if it is a secret when in fact it is not."
The issue exploded after a public outcry five years ago when the Social Security Administration tried to make its own records accessible online. All that was needed to access someone's employment and income history was a Social Security number, mother's maiden name and state of birth.
It isn't just schools that use Social Security numbers as passwords. Banks, credit card companies, health insurance companies and credit reporting agencies all do, too.
Social Security numbers can be found on a range of documents. Some private database companies sell them for under $50.
State departments of motor vehicles, including Hawai'i's, have started moving away from using Social Security numbers on driver licenses. And the Honolulu City & County Employees Federal Credit Union is updating its identification numbers.
Colleges and universities also are moving away from the practice. But half of colleges and universities still use Social Security numbers to identify students, and 79 percent include them in transcripts, according to a March survey.
"There was a time when you could know someone's Social Security number, but there wasn't really a whole lot of damage you could do to them," says the group's Barmak Nassirian. "But now a handful of critical data allows you, for all intents and purposes, to be that person on the Internet."
Sen. Dianne Feinstein, D-Calif., has introduced legislation that her office says "prohibits the sale or display of an individual's Social Security number without the individual's consent with exceptions for business-to-business and business-to-government activity."
But Garfinkel says it's too late to put the number back into hiding. "We should accept the fact that the Social Security number is a universal identifier, and we should treat it as a public record. Businesses should not use a Social Security number as a password any more than they should use a name."