I agree with <a href="https://twitter.com/constmontague/status/1213309357204688899" rel="nofollow">https://twitter.com/constmontague/status/1213309357204688899</a><p>"... we need a new personal identifier, SSNs are all stolen at this point"<p>Though identity and authentication should be different things, as an identifier the only real problem with SSNs is that we should be using UUIDs instead.<p>The hard part is authentication, which should have a far more secure process than merely knowing 9 digits everyone (re)uses.
Why are they notifying folks via mail instead of good old-fashioned email?<p>Haven't got a letter yet but would be super easy for me to check my inbox...
As more Social Security Numbers are leaked from security breaches like Equifax et al., I have done a deep dive into all things publicly known about SSNs and published the results on a hobby site (with limited ad revenue to cover the server cost) to educate myself on the historic data contained in a Social Security number, how its usage has changed throughout the years (enumeration at birth in the '80s, for example), and how finally the state and date information was removed around 2009 so that numbers are now randomly assigned. For those born before 2010, there is real information encoded in (or deducible from) your number beyond what most are aware of. If you are curious what types of information a hacker could deduce, or additional ways your SSN could be misused if disclosed (or guessed), take a gander at<p><a href="https://numchk.com/" rel="nofollow">https://numchk.com/</a>
Why was Stripe sharing something as critical as [SSN+Name] with a third party? If Atlas is simply a white-labeled service of another service, then I hope it was prominent in Stripe's communication with customers/potential customers. I say this because the market has many competitive offerings in the space, and among the primary reasons to pick Stripe is the assumption of better security, given its multi-billion-dollar venture funding and valuation.
The problem with SSNs is how short they are. 9 digits.<p>Even if you hash them, it's not that hard to make a 10^10 - 1 rainbow table.<p>It's the same problem with IPs (v4). You simply cannot store them at all if you care about your customers' privacy.
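The keyspace point in the comment above, as an added example that is not part of the thread: an unsalted hash of a 9-digit value falls to plain enumeration, while an HMAC under a secret key kept outside the database does not match any candidate without that key. A per-record salt only blocks precomputed tables; the space is still small enough to enumerate per record. The function names, the sample value and the reduced search space are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

SAMPLE = "000001234"  # constructed value; area 000 is never issued

def plain_token(ssn: str) -> str:
    """Unsalted SHA-256 of the 9-digit string (the weak scheme)."""
    return hashlib.sha256(ssn.encode()).hexdigest()

def keyed_token(ssn: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key stored outside the database."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()

def enumerate_match(target: str, prefix: str, unknown: int):
    """Audit check: hash every completion of `prefix` with `unknown`
    trailing digits and return the one whose plain hash equals `target`,
    or None when the whole space is exhausted without a match."""
    if unknown < 1 or len(prefix) + unknown != 9:
        raise ValueError("prefix plus unknown digits must total 9")
    for n in range(10 ** unknown):
        candidate = f"{prefix}{n:0{unknown}d}"
        if hmac.compare_digest(plain_token(candidate), target):
            return candidate
    return None

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: held in a KMS/HSM, not the DB
    # Search space reduced to 10**4 so the demo finishes instantly;
    # the full space is only 10**9 candidates.
    print("plain hash :", enumerate_match(plain_token(SAMPLE), "00000", 4))
    print("keyed HMAC :", enumerate_match(keyed_token(SAMPLE, key), "00000", 4))
```

The keyed token is only as strong as the key's storage: if the key leaks with the database, the tokens are enumerable again.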
Strange to not see an official statement and postmortem from Stripe mentioned anywhere. Can someone who got a letter post a (redacted as necessary) scan of it?
How could Stripe Atlas even require SSNs? Wasn't the whole point of that service giving access to the U.S. market for people from other countries?
If anyone needs a Stripe Atlas alternative that doesn't require SSN and is also less expensive ($350 vs Stripe's $500 + $400/yr), check out <a href="https://www.blook.io/stripe-atlas-alternative" rel="nofollow">https://www.blook.io/stripe-atlas-alternative</a>
getting your identity stolen in any way that’ll affect you is all random<p>they’re all leaked now and people borrow them for things that would never show up on your credit report<p>hope you don’t get framed! Good luck