6 Jul

One of the things I enjoy about Canada is that our reliance on the SIN is far less than the US and SSN. Applying for a place to live? No SIN required. Cell phone? No SIN required. Bank? No SIN required. Etc etc.

In the US, the SSN is almost considered your ‘password’ – name, address, and SSN = access granted.

So I read this article on reverse-engineering SIN numbers and found it to be absolutely mind-boggling. The essence was using an algorithm and a botnet of 10k servers (not that many), they were able to deduce the SSN of people at 47 SSNs a minute. At 24×60 minutes a day – that means over 65,000 SSNs decoded a day.

I wonder how long until some organization manages to do this on a large scale (who needs to steal laptops with sensitive information?)

Michael Bogobowicz

July 7th, 2009 at 1:16 am

How is authentication/a credit check performed in Canada? How is information tied together?

I agree that the usage of the SSN as a password is a hugely flawed security model (as evidenced by the massive amount of identity fraud across the states on a more-or-less constant basis), but how can you realistically improve it?

Credit maintenance companies already provide instant notifications on postings to SSN-related activities, giving you a reactive solution. Perhaps adding a PIN requirement to SSN-write-related activities that can easily be changed/have federal requirements not to be stored anywhere, whereas read-only activities require only the SSN?



July 7th, 2009 at 1:27 am

Seems like banks now require your SIN as part of the new(ish) anti-laundering law, which also means that (by law) they are required to ask your occupation and keep it on record. Rather strange, because I doubt there are provisions to update that information so data fidelity over the long-term would still be an issue.



July 8th, 2009 at 4:38 pm

Don’t have a better solution Bogo – just pointing out that when they originally conceived of the SSN, they used partitioning to make it easier for them. That is now coming back to bite them in the ass.

And dammit you need to give them the SIN? Ugh.