Rusty Divine

Live, Love, Learn, Teach

Don’t use Social Security Numbers as Usernames

Under Practices To Avoid: "Never have a computer log-in system where a person has to use their SSN", and "Organizations should avoid using Social Security numbers (SSNs) as identifiers for any type of transaction. The SSN should only remain in a database as a secondary identifier. Organizations should exercise limited use of an individual’s SSN", and "Organizations that maintain SSNs in their system of records should consider encryption of this data."

The government is cracking down on bad security practices including a $150,000 fine for HIPAA violation, and taking a closer look at themselves.

That was the TL;DR; version of the simple advice given by the Social Security Administration website and the Office for Civil Rights who levies fines. You would think a health insurance benefits company would know better than to play fast and loose with their customer's personally identifiable information, but imagine my surprise this autumn when I got an email with the following instructions:

FirstEmail

WAT? My username is my SSN followed by 624, and my password is the last four of my SSN? You just emailed me…why didn't you use my email address as my username? What is with the 624, is that some sort of security-through-obscurity so that if someone had my SSN they couldn't log in? When I went to their website, I saw that no, the 624 was used for everyone and the username and password pattern was put on their home page for any would-be hacker to see.

WebsiteInstructions

Ok, so there are only one billion possible SSNs, and about half of those have been assigned, and there is a pattern you can use to narrow that down, so a potential hacker could probably pretty quickly gain access to a valid SSN by a brute force attack that just tried different combinations of SSN on their website until one worked. What could they do then? Well, they'd see their victim's name, address, birthday, and voila they could steal their identity. An angry ex could add themselves as their victim's beneficiary and enroll them in some life insurance that would be paid out of their victim's pay check.

I contacted the benefits provider to let them know this was a bad practice and that I wanted my information either removed from their system or my username changed. Their response to me was that I shouldn't worry because their website was secure, and that I could change my username and password in a few weeks when the open enrollment began (which means my SSN-username and last-4-password have probably been sitting on this site for a year without me even knowing it).

SiteIsSecure

I can only assume by "secure" they mean it was encrypted with SSL. What about line-of-sight vulnerability of a co-worker seeing me log in? The website does use autocomplete="off" on the username input to tell most browsers not to cache that information. What about a disgruntled employee who has query access to the database? Is the username hashed and salted? I'm guessing it is not since that isn't a common practice for a username, so any disgruntled employee could potentially walk out with a disk full of SSNs, names, addresses, and dates of birth.

When open enrollment came, I noticed that there was no way to change my username; I did change my password though, so I let the benefit provider know and their response again was to assure me their site was secure.

Secure2

I started wondering if their site had been vulnerable to the Heartbleed bug, so I checked LastPass' website tool to find out. LastPass says they were using open SSL prior to July 2014 and may have been vulnerable to the Heartbleed bug prior to that (the vulnerability became public in April).

heartbleed

Finally, I filed a complaint with the Office for Civil Rights, even though I'm not certain if the benefits company is under the jurisdiction of the OCR (they did levy the large fine mentioned above). I will also send a link to this blog post to their company and hope that they take this situation seriously.

A coworker of mine also complained to our employer, and they said their security team and VP is taking a look at this issue.

What should you do if your identity is stolen?

I have heard from friends that having your identity stolen is a burden that lasts for years as you try to repair or just out-wait the damage it causes to your credit and your ability to rent, borrow, and buy. I hope you never have to deal with something so awful, but if you do or are, check out this guide for What to do if your identity is stolen.

If you're a developer, here are some guidelines from the Office of Personnel Management to safeguard SSNs. Also, you should check out the OWASP website and find your local chapter to meet other security-conscious IT folks.

I'd like to thank a colleague of mine, Rob Temple, a security analyst and OWASP member who provided some of the links for this blog post.