List:       security-basics
Subject:    Re: Risk of using SS#s (last 4 digits) for authentication
From:       Andy Cowan <awc () gamma ! physics ! uiowa ! edu>
Date:       2002-11-05 19:09:21
How many help desk techs do you have, is the real question.  Every 
person who has access to any part of employee SSNs is a potential risk 
for identity theft and fraud.  

Suggestions for alternatives:

1) Use another number
2) If you must use part of the SSN, consider setting up an app where the 
help desk tech types in the employee name/number and last four digits of 
SSN, and the app checks these against a database that the tech does not 
have direct access to.  Either it's valid or it's not.  That way only 
the people who maintain your HR database, who will need to have access 
to employee SSNs anyway, have access to them.  For that matter, you 
could have this app on an internal server that the employees could 
access directly.  Need your password reset?  Just open up this here web 
app (which, naturally, should not be accessible from the net at large if 
it's for internal purposes), type in your name, employee ID number, 
and/or SSN, and either it will authenticate and reset your password or 
tell you that you got something wrong.  n incorrect attempts results in 
a temp. lockout from the app, etc.   Of course, this doesn't work if 
employees have to log onto their workstations using that same password.
3) Make people go to the help desk in person and present ID for a 
password reset.  It's always harder to commit fraud in person.

Andy
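The second suggestion above, as an added example that is not part of the original post: a small verification service that holds the employee ID and last-four pairing on the HR side, answers the help desk or self-service app with nothing but valid/invalid, and applies a temporary lockout after n wrong attempts. Record values, employee IDs and the lockout parameters are constructed placeholders.

```python
import hashlib
import hmac
import os
import time

# Constructed sample records (placeholder values, not real employee data).
# The store keeps a salted hash of employee ID + last four, not the digits.
# Caveat: four digits have only 10,000 possible values, so a stolen table is
# still brute-forceable offline; the hashing is a speed bump and the online
# lockout below is the control that actually limits guessing.
PBKDF2_ROUNDS = 50_000

def _digest(employee_id: str, last4: str, salt: bytes) -> bytes:
    material = f"{employee_id}:{last4}".encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ROUNDS)

def enroll(employee_id: str, last4: str) -> dict:
    """Build the stored record; only the HR enrollment path ever sees last4."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": _digest(employee_id, last4, salt)}

class ResetVerifier:
    """Answers only valid/invalid; callers never read the SSN data directly."""
    def __init__(self, records, max_attempts=3, lockout_seconds=900,
                 clock=time.monotonic):
        self._records = records          # employee_id -> enroll() output
        self._max_attempts = max_attempts
        self._lockout = lockout_seconds
        self._clock = clock              # injectable so tests can advance time
        self._failures = {}              # employee_id -> consecutive failures
        self._locked_until = {}          # employee_id -> lockout expiry

    def verify(self, employee_id: str, last4: str) -> bool:
        now = self._clock()
        if self._locked_until.get(employee_id, 0.0) > now:
            return False                 # temporary lockout still in effect
        rec = self._records.get(employee_id)
        # Unknown IDs still pay for a hash so response time does not reveal
        # which employee IDs exist; the dummy salt/digest never match.
        salt = rec["salt"] if rec else b"\x00" * 16
        expected = rec["digest"] if rec else b"\x00" * 32
        computed = _digest(employee_id, last4, salt)
        if rec is not None and hmac.compare_digest(computed, expected):
            self._failures.pop(employee_id, None)
            return True
        n = self._failures.get(employee_id, 0) + 1
        self._failures[employee_id] = n
        if n >= self._max_attempts:      # n-th wrong attempt: lock for a while
            self._locked_until[employee_id] = now + self._lockout
            self._failures.pop(employee_id, None)
        return False

# Constructed records: enrollment is the HR side, verify() is the help desk side.
RECORDS = {"E1001": enroll("E1001", "6789")}
```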

