Last 4 of your social

Registered
So, we have been going round and round on this at work. HR and one other department set up user names for staff, and it uses the first initial and last name for the user name and then the initials and last four of the SS# for the password.
Being in IT, I said that is a lousy policy and we should never use the SS# for anything identifying our staff. They said going forward they will use the employee number instead of the SS#, but it is too much work to change existing accounts. How do I convey to them that this is so not a good idea, or am I just paranoid?
__________________
Brent The X15 was the only aircraft I flew where I was glad the engine quit. - Milt Thompson. "Don't get so caught up in your right to dissent that you forget your obligation to contribute." Mrs. James to her son Chappie.
Control Group
Impress upon them the potential financial downside, to them, not just their employees.
__________________
She was the kindest person I ever met
Driver, not Mechanic
Join Date: May 2013
Location: SF Bay Area
Posts: 3,002
Someone in HR is being creative. They might have tried to use the username for something else.
Are there too many John Smiths in the company and they weren't willing to do any manual work? Most other companies go with:
firstname.lastname@company.domain
First letter of first, then full last name
First letter of first, then max 7 characters of last name
But somebody had to manually fix the duplicates.
Registered
Join Date: Jan 2002
Location: west michigan
Posts: 26,464
I wouldn't be too concerned if all they were wanting was the last four numbers.
Not much bad could happen with just those. But that's just my opinion... I think the security thing is overblown in most cases.
__________________
78 SC Targa Black....gone 84 Carrera Targa White 98 Honda Prelude 22 Honda Civic SI
Fleabit peanut monkey
On a side note, when I started with Sohio back in '84, my employee number was my social. Probably common back then.
__________________
1981 911SC Targa
Registered
Our email is first initial last name @ domain.com and they choose their own password.
__________________
Brent The X15 was the only aircraft I flew where I was glad the engine quit. - Milt Thompson. "Don't get so caught up in your right to dissent that you forget your obligation to contribute." Mrs. James to her son Chappie.
Registered
The last four are the only unique parts. The first three are the locale/area where you were born, the next two are the year you were born, and the last four are the unique identifiers. If I know those four and your name, I have your whole identity.
__________________
Brent The X15 was the only aircraft I flew where I was glad the engine quit. - Milt Thompson. "Don't get so caught up in your right to dissent that you forget your obligation to contribute." Mrs. James to her son Chappie.
Registered
Tried that. I also asked if it would be more work to fix it now or after one of those sites was hacked and the hackers now have the SS# and name to go with it.
__________________
Brent The X15 was the only aircraft I flew where I was glad the engine quit. - Milt Thompson. "Don't get so caught up in your right to dissent that you forget your obligation to contribute." Mrs. James to her son Chappie.
non-whiner
Join Date: Aug 2012
Location: Slightly right of center
Posts: 5,235
Um...no. You cannot uniquely identify someone as you describe.
There are state laws in most states that prohibit employers from using your SSN as a company ID number. However, even though it's not a good idea, there is no law prohibiting them from using a portion.
__________________
"Too much is just enough."
A Man of Wealth and Taste
Join Date: Dec 2002
Location: Out there somewhere beyond the doors of perception
Posts: 51,063
6666...of course what did youse think it would be?
__________________
Copyright "Some Observer"
The Unsettler
That is incorrect.
__________________
"I want my two dollars" "Goodbye and thanks for the fish" "Proud Member and Supporter of the YWL" "Brandon Won"
Registered
Join Date: Apr 2001
Location: Linn County, Oregon
Posts: 48,506
Please allow Tabby to introduce himself. He's a man of wealth and taste...
__________________
"Now, to put a water-cooled engine in the rear and to have a radiator in the front, that's not very intelligent." -Ferry Porsche (PANO, Oct. '73) (I, Paul D. have loved this quote since 1973. It will remain as long as I post here.)
G'day!
__________________
Old dog....new tricks.....
Registered
Join Date: Jan 2002
Location: west michigan
Posts: 26,464
nope
__________________
78 SC Targa Black....gone 84 Carrera Targa White 98 Honda Prelude 22 Honda Civic SI
Registered
Yeah, sorry. Locale/state, then group number. My bad.
__________________
Brent The X15 was the only aircraft I flew where I was glad the engine quit. - Milt Thompson. "Don't get so caught up in your right to dissent that you forget your obligation to contribute." Mrs. James to her son Chappie.
Registered
Join Date: Feb 2000
Location: Dallas, TX
Posts: 4,612
No way... How many credit card companies etc validate your identity by asking the last 4 digits of your SSN? I would not want those digits used anywhere it could be avoided.
__________________
Neil '73 911S targa
Cars & Coffee Killer
Join Date: Sep 2004
Location: State of Failure
Posts: 32,246
Really, really, really bad idea.
Look at it this way. I can spear phish someone in your HR department for their password. From there, even if I can only get a list of everyone's social security numbers with no other data attached, I can reasonably pick out that one person's whole SSN based on the last 4. Don't think it will happen? This is exactly how hackers operate. They use what they know to get at something they don't; once they have that, they now know more and have even more to use. Most hacking is a combination of security flaws, social engineering (fooling people into giving up info), and using stupid security procedures like this to your advantage. Did I mention that I'm getting a boat? I just need to know the first name of your HR department's newest hire....
__________________
Some Porsches long ago...then a wankle... 5 liters of VVT fury now -Chris "There is freedom in risk, just as there is oppression in security."
Registered
Funny thing is they all have failed phishing tests, and I have just had personal one-on-one training to explain how this stuff happens. They say it is too much hassle. I have thought about having our lawyer send them a note.
Mreid, in our state there is no law, but other states prohibit using it for an employee ID or any part of identification, including part of a password or PIN. I just can't see any good coming of using it when they have an employee number that is 4 digits also, and nothing is lost when the hacking occurs. Legion, their first name is
__________________
Brent The X15 was the only aircraft I flew where I was glad the engine quit. - Milt Thompson. "Don't get so caught up in your right to dissent that you forget your obligation to contribute." Mrs. James to her son Chappie.
Registered
Join Date: Mar 2003
Posts: 10,318
Nope. The only place your SSN should be is with payroll info. Which, if I could dream a perfect world, would run on an entirely secondary setup and be totally separated from any other data storage. Everything else should reference the employee number, which shouldn't be based on the SSN, and should definitely have a larger keyspace than 4 digits gives you.
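As an added example (not from this thread or any poster), a small Python onboarding helper that does what this post and the earlier replies describe: it builds usernames in the first-initial-plus-last-name convention and resolves the "too many John Smiths" duplicates automatically, keys each account on the employee number rather than anything SSN-derived, issues a random temporary password that must be changed at first login, and counts the guesses an attacker who already knows someone's initials needs for an initials-plus-four-digits password (the same 10,000 whether the four digits are the last of the SSN or a 4-digit employee number) versus a random one. The names, employee numbers and function names are constructed for the example.

```python
import secrets
import string

# Constructed sample onboarding records; not real people or real employee numbers.
NEW_HIRES = [
    {"first": "John", "last": "Smith", "employee_number": "0412"},
    {"first": "Jane", "last": "Smith", "employee_number": "0413"},
    {"first": "Joan", "last": "Smith", "employee_number": "0414"},
    {"first": "Pat", "last": "O'Brien", "employee_number": "0415"},
]

# Pattern symbols: K = character the attacker already knows (an initial), 1 choice;
# D = one decimal digit, 10 choices; A = one random letter or digit, 62 choices.
PATTERN_CHOICES = {"K": 1, "D": 10, "A": 62}

def guesses_to_exhaust(pattern: str) -> int:
    """Guesses needed to try every password the pattern can produce when the
    attacker already knows the employee's name (e.g. 'KKDDDD' = initials + 4 digits)."""
    total = 1
    for symbol in pattern:
        total *= PATTERN_CHOICES[symbol]
    return total

def assign_username(first: str, last: str, taken: set) -> str:
    """First initial + last name, letters only, lowercase; duplicates get a numeric
    suffix so the 'too many John Smiths' case needs no manual fix-up."""
    base = (first[0] + "".join(c for c in last if c.isalpha())).lower()
    candidate, n = base, 1
    while candidate in taken:
        n += 1
        candidate = f"{base}{n}"
    taken.add(candidate)
    return candidate

def temp_password(length: int = 12) -> str:
    """One-time password from the OS CSPRNG; nothing about the person goes into it."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def provision(hires: list) -> list:
    """Build account records keyed by employee number; the SSN is never an input here."""
    taken, accounts = set(), []
    for h in hires:
        accounts.append({
            "username": assign_username(h["first"], h["last"], taken),
            "employee_number": h["employee_number"],
            "temp_password": temp_password(),
            "must_change_at_first_login": True,
        })
    return accounts
```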
Get off my lawn!
Your bank will REQUIRE it as well. No other option. Even if it is a business account registered under a federal ID number. They will tie it to a person with an SSN unless it is a publicly traded business.
__________________
Glen 49 Year member of the Porsche Club of America 1985 911 Carrera; 2017 Macan 1986 El Camino with Fuel Injected 350 Crate Engine My Motto: I will never be too old to have a happy childhood!