Stanford Hack Exposes 10,000

Yet another unfortunate disclosure...

http://www.techweb.com/showArticle.jhtml?articleID=163701121

- ferg

I wonder when schools are going to get the hint and stop using SSN's as ID
numbers..

--Adam

Around about whenever the US Federal Government gets the hint and
passes a bill which makes it illegal to use social security numbers
for any purpose other than the administration of social security.

  - mark

Though that isn't the major problem.

<ot record="broken">
The major problem, as has been pointed out in Privacy and RISKS digests
in the past dozens of times, is that people persist in using as
authenticators things (like SSN's, Mother's Maiden Name, etc) which are
patently not suitable for that.
</ot>

Cheers,
-- jra

> Around about whenever the US Federal Government gets the hint and
> passes a bill which makes it illegal to use social security numbers
> for any purpose other than the administration of social security.

Wrong answer. Federal laws do not stop people from doing stupid
things and they do not stop people from doing illegal things.

What we need is a Hollywood blockbuster in which some high school
hackers wreak havoc by acquiring SSNs from gradesheets and using
mother's maiden names to steal lots of money and identities.
Then, pointy-haired bosses will ask their sysadmins to make sure
that it can't happen in their department.

Hollywood movies change people's behavior. Federal laws do not.

--Michael Dillon

> > Around about whenever the US Federal Government gets the hint and
> > passes a bill which makes it illegal to use social security numbers
> > for any purpose other than the administration of social security.

> Wrong answer. Federal laws do not stop people from doing stupid
> things and they do not stop people from doing illegal things.
>
> What we need is a Hollywood blockbuster in which some high school
> hackers wreak havoc by acquiring SSNs from gradesheets and using
  /////// criminals
> mother's maiden names to steal lots of money and identities.
> Then, pointy-haired bosses will ask their sysadmins to make sure
> that it can't happen in their department.
>
> Hollywood movies change people's behavior. Federal laws do not.

"Mr President, did you see that movie about an Ebola outbreak in the US
a couple of years ago?"

"Yes...?"

"The budget for that movie was quite a bit more than the total annual
funding in the US to study Ebola and related viruses."

Cheers,
-- jr '</OT>' a

> The major problem, as has been pointed out in Privacy and RISKS digests
> in the past dozens of times, is that people persist in using as
> authenticators things (like SSN's, Mother's Maiden Name, etc) which are
> patently not suitable for that.

pre-existing sources of unambiguous uniqueness that map to people are hard to come by...

fwiw, most universities that I'm aware of have moved away from using SSNs as an authentication tool.

joelja

Or for some private university to be bankrupted by a class action suit
brought by the students who had their identities stolen when the student
records db was compromised.

How hard is it for a university to generate their own student "serial
numbers" as students register?

Personally, I'd like to see much harsher penalties for identity theft
though (and I'm including simple credit card fraud / use of stolen credit
card info in "identity theft"). This is happening so much, and is so
often just brushed under the rug by the big credit card companies (banks),
that kids do it with impunity, knowing that odds are they won't be looked
for, much less caught.

Last time one of my cards was "stolen" (from an online merchant I assume),
I managed to social engineer the IP from which it was used from one of the
online establishments where they used my card. It was a Linux box on DSL
in California. Did anybody care? Not that I'm aware of. I filed
complaints with the appropriate government agencies, and AFAIK, nothing
happened.

Put a few credit card frauders up in front of a firing squad, and see if
things change. But that would require actually picking them up first,
which LE doesn't seem to be motivated or have the time to do.

People are missing the point a bit. Most schools HAVE switched over to new
numbering systems. Most student ID's have school-specific ID numbers. The
problems are:

1) Older student records are indexed by SSN and they must be retained.
2) Some information is still indexed by SSN out of necessity - student
financial aid for example

That means you have a translation database somewhere, with all those SSNs
and the new student index numbers.

SSNs are already forbidden going forward at pretty much all schools. For
example, they can't be used to post grades. However, the need to retain them
for backwards compatibility remains. Educational institutions need a clear set
of guidelines for handling sensitive data like that. A good start would be
that such data can only be stored in an encrypted format in a physically
secure facility.

Yes, that seems obvious, but it doesn't happen. Considering the sort of
freewheeling environment prevalent in University networks, you would think they
would be a bastion of high security. Sadly, this isn't the case.

- Dan

> Yes, that seems obvious, but it doesn't happen. Considering the sort of
> freewheeling environment prevalent in University networks, you would think they
> would be a bastion of high security. Sadly, this isn't the case.

This isn't meant to be a bashing session on universities and other educational systems, just an observation. I would think, and I may be wrong, that an educational network would be subject to stakeholders (students, faculty, alumni) that turn over quickly, calendar-tied fluctuations in activity, and a user base that tends to be more liberal and risk-tolerant than a typical end user network. I would think that these traits would work against the accumulation of tested operational techniques, appreciation of the time and cost of a reliable service, and stiff enough penalties for anti-cyber-social behavior. Also working against this is the availability of time (like between semesters) when major upgrades can be done, because in the rush to do so sound techniques can be overlooked.

I don't mean to cast aspersions on educational campus IT functions. There is a lot of good security research and energy available in those environments. I'm just saying the environment is harsher than for other end users. No - I'm not leading up to a suggestion to quarantine them from the rest of the Internet.

Stories like this just serve as the example headlines of why any organization ought to take preventative measures when it comes to this kind of data. Hopefully, whatever vulnerabilities were exploited will be patched, even if there is no public disclosure. (Word will get around when it needs to.)

PS - I was more surprised by the case of identity data that was lost when a laptop was stolen. Why was something so valuable left in such a mobile form?

An example of following bad practices. Is the solution "more consultants?" :wink:

* Jon Lewis:

> How hard is it for a university to generate their own student "serial
> numbers" as students register?

It's probably hard to restructure your databases and rewrite most of
your software. 8-(

Of course, any unique identifier will do, but it's hard to make the
switch.

Thus spake "Jon Lewis" <jlewis@lewis.org>

> How hard is it for a university to generate their own student "serial
> numbers" as students register?

Generating them is trivial. Getting students to remember them is difficult.

> Personally, I'd like to see much harsher penalties for identity theft
> though (and I'm including simple credit card fraud / use of stolen
> credit card info in "identity theft"). This is happening so much, and
> is so often just brushed under the rug by the big credit card
> companies (banks), that kids do it with impunity, knowing that
> odds are they won't be looked for, much less caught.

My credit card number was stolen a couple months ago; they went on quite a
shopping spree across several states before I discovered it and got the
number cancelled. Here's my experience:

I filed (or tried to file) police reports in each jurisdiction where the
charges occurred, since my bank required the report numbers to process the
charge disputes. Two cities simply refused to accept my report since I
wasn't a resident, and another required that I file it in person (hundreds
of miles away). All but one of the cities that accepted my reports stated
flat-out that they wouldn't even attempt to investigate unless _I_ provided
_them_ with a suspect.

One PD, from a rural town in Oklahoma, was actually very helpful. They went
out, pulled all the video tapes, interviewed cashiers and waitresses, etc.
and the best they could do was provide a description of the man and his car.
I tried forwarding this new info to the other PDs involved, and they
uniformly said they still wouldn't investigate unless I provided them with
the _name_ of a suspect.

Since most of the items purchased were gift certificates from department
stores, I called the various stores' loss-prevention departments to give
them the transaction numbers and suggest they cancel the certificates before
they were redeemed and try to check ID on the perp. Over half refused to
talk to me, saying they needed official contact from the local PD (WalMart
went so far as to say they'd destroy the tapes if they didn't hear from the
cops within 24 hours). The ones that did were happy to provide tapes to the
local PD of the person who had already redeemed several certificates, but
they had no means to inform a cashier to check someone's ID when they
presented the remaining ones which had been cancelled. Of course, the
redemption stores were all in different cities than the purchase stores, so
when I tried to get the local PDs involved, they refused saying "no crime
occurred in our jurisdiction", and the stores wouldn't send the tapes to the
PD where the certificates were purchased.

All told, about $2300 worth of certificates was redeemed and about $1000 of
liquor, food, and gasoline was purchased -- in under a week. Who says crime
doesn't pay?

> Put a few credit card frauders up in front of a firing squad, and see if
> things change. But that would require actually picking them up first,
> which LE doesn't seem to be motivated or have the time to do.

As long as the card networks are willing to chalk the fraud up to a "cost of
doing business", nothing will change. When it starts getting out of hand,
you can be sure they'll see to it a special task force in the FBI is
started. And it won't help, because the vast majority of fraud is isolated
incidents by opportunists, not the rings of professional criminals the FBI
understands.

S

Stephen Sprunk
CCIE #3723
K5SSS

"Those people who think they know everything are a great annoyance to those of us who do." --Isaac Asimov

* Jon Lewis:

> How hard is it for a university to generate their own student "serial
> numbers" as students register?

It's probably hard to restructure your databases and rewrite most of
your software. 8-(

Of course, any unique identifier will do, but it's hard to make the
switch.

Stanford's student/faculty/staff ID system is not based on SSN's, and
it has been in place for a number of years. I don't think the previous
system was based on SSN's either.

Which brings up the question of why SSN's would be in the career center
database in the first place.


One thought.
Sadly most universities are attended by those who need money from the government
in some way or another, be it a loan or a grant, which are often managed by the
university. Thus one way or another, as far as I know, unless you pay in cash,
they require all sorts of identification on file to be able to help you apply
for the loan and to manage the loan. Also when people want to check if you have
a degree, they have to have a way to translate you to the person who attended
the university.

So I think the original statement/suggestion stands. They perhaps need your
information, but because of this, they have a responsibility to guard that
information as well as any Swiss bank might guard gold.

You can never be just a name again..
Just wait till the biometric data and ID cards come.

  Nicole