
Is it poor practice to use the last 4 digits of a social security number as an identifier?

The last 4 digits of a person's social are commonly used as a means of personal identification/authentication, but I can't find guidelines regarding their usage as such. It seems that needlessly exposing part of one's SSN creates an avoidable attack vector.

user389823
    It is only an attack vector so long as systems continue to use it as an identifier. – Owen Dec 13 '18 at 04:54
  • Only the last four digits are asked for because with those and other info about the person, it's actually pretty easy to figure out the first 5. Most systems that work this way actually have a fallback if they find multiple matches that will ask for the full number. – Austin Hemmelgarn Dec 13 '18 at 19:53
  • @AustinHemmelgarn: it is usually possible to guess or at least significantly narrow the first 5 _for natives born 1987 to 2011_, less so earlier and not at all later. – dave_thompson_085 Dec 13 '18 at 20:48

2 Answers


Never use SSN for authentication. They do not work for that, because they were not designed for that.

While you should probably try to keep your own SSN secret, when designing a system you should consider all SSNs as public knowledge. The internet is littered with data dumps containing them. Your friends, family or employees of any institution you've handed yours out to have access to it. On top of that, they are too short to hash safely. It's about as bad as using your shoe size as the password for everything.

This advice goes for all of your processes, including sign in, account recovery and interactions with customer support. It's best if you can avoid having to store them at all, unless you are willing to risk your own mini Equifax scandal.

Anders

Identification and authentication are quite different things.

I've never heard of anyone using SSN last 4 for identification; it would likely have duplicates for any group over about 100 people, and most computerized systems, at least, deal with substantially more than that.

Full SSN is a fairly good identifier, as it was designed to be, at least for US citizens and (legal) residents. It isn't perfect, and no system of its size is likely to be: there have been cases of the same number assigned to multiple people by mistake, and rather more cases of people improperly using (i.e. stealing) someone else's number; and there are relatively few cases where one person is assigned multiple numbers over time (but not concurrently). For some applications -- particularly anything related to taxes, such as employment and investment, and certain other government benefits -- it is required to be used to identify persons. (Although Medicare recently finally began shifting to a different, Medicare-only 'Beneficiary Identifier'.) For many others it isn't required, and there is a valid policy debate whether it is better to have fewer multiply-used identifiers or many/all separate and distinct ones. It is certainly easier for people to remember one id, or at most two or three, compared to ten or twenty or fifty, and it makes it possible to (accurately!) link different records, relationships, and parts of a person's life, which is sometimes beneficial and sometimes not.

OTOH, too many systems use as an authenticator either full or partial SSN. It was NOT designed for that, and as Anders correctly said, is VERY BAD for it.

dave_thompson_085
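To put a number on the "duplicates for any group over about 100 people" estimate in the answer above, here is an added worked example (not code from either answer) that applies the birthday problem to the 10,000 possible values of the last four SSN digits. It assumes those digits are uniformly distributed across a population, which is an assumption, not something the thread states.

```python
from math import exp

LAST4_SPACE = 10_000  # distinct values of the last four SSN digits (0000-9999)


def collision_probability(n: int, space: int = LAST4_SPACE) -> float:
    """Exact probability that at least two of n people share the same
    identifier when identifiers are drawn uniformly from `space` values
    (the birthday problem). Uniformity is an assumption made here."""
    if n <= 1:
        return 0.0
    if n > space:
        return 1.0  # pigeonhole: more people than values guarantees a clash
    no_clash = 1.0
    for i in range(n):
        no_clash *= (space - i) / space  # i-th person avoids all earlier values
    return 1.0 - no_clash


def smallest_group_for(target: float, space: int = LAST4_SPACE) -> int:
    """Smallest group size whose collision probability reaches `target`."""
    n = 1
    while collision_probability(n, space) < target:
        n += 1
    return n


def expected_duplicate_pairs(n: int, space: int = LAST4_SPACE) -> float:
    """Expected number of colliding pairs among n people: C(n, 2) / space.
    This is the number of 'which record did you mean?' conflicts a lookup
    keyed only on last-4 would have to resolve by other means."""
    return n * (n - 1) / 2 / space


if __name__ == "__main__":
    for n in (10, 50, 100, 200, 500):
        print(f"{n:4d} people: P(at least one clash) = {collision_probability(n):.3f}, "
              f"expected duplicate pairs = {expected_duplicate_pairs(n):.2f}")
    print("group size for a 50% chance of a clash:", smallest_group_for(0.5))
```

With 100 people the chance of at least one shared last-4 is already about 39%, and a 50% chance is reached at roughly 118 people, which is why a lookup keyed on last-4 alone needs a fallback to disambiguate matches.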