List: security-basics
Subject: Re: Risk of using SS#s (last 4 digits) for authentication
From: Andy Cowan <awc () gamma ! physics ! uiowa ! edu>
Date: 2002-11-05 19:09:21
How many help desk techs do you have, is the real question. Every
person who has access to any part of employee SSNs is a potential risk
for identity theft and fraud.
Suggestions for alternatives:
1) Use another number
2) If you must use part of the SSN, consider setting up an app where the
help desk tech types in the employee name/number and last four digits of
SSN, and the app checks these against a database that the tech does not
have direct access to. Either it's valid or it's not. That way only
the people who maintain your HR database, who will need to have access
to employee SSNs anyway, have access to them. For that matter, you
could have this app on an internal server that the employees could
access directly. Need your password reset? Just open up this here web
app (which, naturally, should not be accessible from the net at large if
it's for internal purposes), type in your name, employee ID number,
and/or SSN, and either it will authenticate and reset your password or
tell you that you got something wrong. n incorrect attempts results in
a temp. lockout from the app, etc. Of course, this doesn't work if
employees have to log onto their workstations using that same password.
3) Make people go to the help desk in person and present ID for a
password reset. It's always harder to commit fraud in person.
Andy
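Suggestion 2 above, as an added example that is not code from the original post: a small verification oracle that holds only salted hashes of the last four digits, answers the help-desk tool or self-service app with nothing but True/False, and applies the temporary lockout after n failed attempts. The attempt limit, lockout length, injected clock and the employee records are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import time
MAX_ATTEMPTS = 3            # the post's "n"; chosen value is an assumption
LOCKOUT_SECONDS = 15 * 60   # temporary lockout length; assumption

def _digest(last4: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash of the four digits. A 4-digit secret is
    # still weak: the lockout below is what actually limits guessing.
    return hashlib.pbkdf2_hmac("sha256", last4.encode(), salt, 100_000)

class ResetVerifier:
    """Validation oracle: the help-desk tool or self-service web app submits
    employee id + last four SSN digits and gets back only True/False."""

    def __init__(self, hr_records, clock=time.monotonic):
        # hr_records: constructed mapping employee_id -> last four digits,
        # loaded by the people who maintain the HR database.
        self._clock = clock
        self._creds = {}
        for emp_id, last4 in hr_records.items():
            salt = os.urandom(16)
            self._creds[emp_id] = (salt, _digest(last4, salt))
        self._failures = {}   # emp_id -> (failed_count, locked_until)

    def _state(self, emp_id: str):
        count, locked_until = self._failures.get(emp_id, (0, 0.0))
        if locked_until and self._clock() >= locked_until:
            count, locked_until = 0, 0.0   # lockout expired: start fresh
        return count, locked_until

    def is_locked(self, emp_id: str) -> bool:
        return self._clock() < self._state(emp_id)[1]

    def verify(self, emp_id: str, last4: str) -> bool:
        if self.is_locked(emp_id):
            return False          # even correct digits are refused while locked
        # Unknown ids hash against a dummy salt so timing matches; the empty
        # stored digest then never compares equal.
        salt, stored = self._creds.get(emp_id, (b"\x00" * 16, b""))
        ok = hmac.compare_digest(_digest(last4, salt), stored)
        if ok:
            self._failures.pop(emp_id, None)
            return True
        count = self._state(emp_id)[0] + 1
        locked_until = self._clock() + LOCKOUT_SECONDS if count >= MAX_ATTEMPTS else 0.0
        self._failures[emp_id] = (count, locked_until)
        return False
```

The caller only ever learns "valid" or "not valid", so a help-desk tech using it never sees the stored digits, which is the point of the post's suggestion.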