'Why the Heck Are SSNs Still Treated as Passwords in the US?' (techcrunch.com)
Haje Jan Kamps, writing for TechCrunch: A couple of weeks ago yet another of my friends was a victim of identity theft, and I got yet another deep look into how fantastically broken the U.S. can be when it comes to security. "They have my social security number," she said, and I was reminded of how a lot of systems in the U.S. are woefully poorly designed. To wit: This morning I called my bank and was asked for the last four digits of my SSN and they somehow accepted my identity because I knew those four digits.
When I moved to the U.S. a couple of years ago, my friends made sure that I knew I had to keep my Social Security number (SSN) secret and hidden. When I started opening a bank account and set up a cell phone plan, it became obvious why: All sorts of institutions that really should know better are treating this string of numbers as a password. There's a huge, glaring problem with that. I maintain that Equifax should receive the corporate equivalent of capital punishment for allowing this to happen, but 145 million social security numbers were stolen by hackers a few years ago, which means that the Social Security numbers -- yes, the same numbers that are being treated as "passwords" -- for about half the U.S. adult population are in the wind.
We've gotten used to passwords by now, but at least, in most cases, passwords can be changed when they are hacked. Your social security number? Not so much. If your SSN leaks just once, you're boned. It's not possible to change it, and that brings up the true depth of idiocy in all of this: Relying on security that depends on keeping an unchangeable piece of information secret is really bloody stupid. The corollary is this: Imagine that your email has been hacked but your email provider tells you that you can't change your password, you can't change your email provider, and you'll just have to deal with it. That's the situation we currently have with Social Security numbers.
'Just change country. (Score:5, Insightful)
If your country can't change, change country.
Re: 'Just change country. (Score:2)
It's the corporations treating the SSN as a "password"
Re: (Score:3)
Corporations or government does not matter, it's only a problem in the US.
Re: 'Just change country. (Score:2)
Nah, it's a problem pretty much everywhere that has an identity card of sorts. If any government wasn't so intent on tracking their subjects, this wouldn't be a problem. In some countries they use an identity card system that has been broken for decades and has been broken so it is basically 40 bits of encryption, they are about as easy to clone as the train and bus ride cards they have, but because the card verified your transaction it is legally the equivalent to a signature. So
Re: 'Just change country. (Score:5, Insightful)
Nah, it's a problem pretty much everywhere that has an identity card of sorts
No, it isn't. It is a uniquely American problem.
Plenty of countries use ID numbers, and those ID numbers are often publicly available. That is not a problem. Using an ID for identification is exactly what an ID is for.
But only in America are widely available ID numbers used as passwords to authenticate that identity.
The reason for this stupidity is that the cost of identity theft is dumped onto the victims, so the corporations have no reason to care.
Re:US SSNS are not secret (Score:4, Informative)
Legally, only the SSN administration and your employer can require you to provide your social security number. Private businesses have no legal right to it. The problem is, they can refuse to do business with you if you don't provide it. Tying your number to your credit history compounds the problem even more. The government allows this and that is why it has become such a clusterfuck. Too many businesses that you need have it and they aren't exactly intelligent when it comes to security.
Re: (Score:3)
The reason for this stupidity is that the cost of identity theft is dumped onto the victims, so the corporations have no reason to care.
No, the reason for this is any time someone proposes a national ID, a whole lot of crazy folks insist it's a scheme to haul people off to concentration camps.
So, we're stuck with using SSNs, the de-facto national ID we already have.
Re: 'Just change country. (Score:4, Insightful)
So, we're stuck with using SSNs, the de-facto national ID we already have.
There is nothing wrong with SSNs as an ID number.
It is pretending it's a secret password that is stupid.
Re: (Score:3, Insightful)
Exactly. In Spain we have identity cards. Our national ID number is pretty much public information: it's even printed in official publications next to your name for some purposes. It's not a secret to anyone, but it allows you to identify yourself **when** associated with a password. The ID is not a password.
Re: 'Just change country. (Score:5, Interesting)
Even worse. In the US a passport is often not even accepted as ID. "Don't you have a driver's license?"
If your country can't universally accept the only ID that's accepted globally, then something's very wrong to begin with.
Re: (Score:3)
"Don't you have a driver's license?"
Don't get me frigging started on this. I presented a European drivers license after seeing several colleagues get told their passports were not valid ID, only to be told by the person with fewer braincells than years alive on this planet that he couldn't understand my drivers license despite it literally being in the same ISO 18013 format as American licenses.
He was like, "There are multiple dates here, which one is the expiry date?" "4b, like it is on licenses in your home state!"
Better still our licenses h
Re: 'Just change country. (Score:4, Interesting)
Cumulatively, a passport should count as like 5-6 forms of ID!
That's how it works in Australia. We have a points based system for identification. Passport and official government papers (e.g. birth certificate) carry 70 points. Secondary documents like drivers licenses are worth 40 points. And we have a few smaller categories as well.
It's called the 100 point check system (100 points being the basis for financial systems such as opening a bank account) https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Not once have I ever had to or been asked to use my SIN in Canada for a password or to gain access to anything.
Re: (Score:3)
Not true, happens in other places too unfortunately. Like when I contact my credit card company they ask for my national ID number and home address as verification.
*sigh*
Re: 'Just change country. (Score:2)
In the US you are the product, the government and corporations only care about your money and habits, not your wellbeing or honor.
Re:'Just change country. (Score:5, Insightful)
The moment banks are responsible each time they are fooled by 4 digits of SSN, this practice will stop. Immediately. And they (banks) will have to think of something else to authenticate you.
Re:'Just change country. (Score:5, Interesting)
This exactly. If someone gave the bank 4 digits of my all too well known SSN and they handed over scads of cash, that was fraud against the bank. Too bad, so sad. I hope they find the guy, but it's not my problem. If they then try to take the cash from me or my account, that's theft by conversion and they need to be jailed. If they try to bill me, it's more fraud, and if they try to take it to court based only on the SSN, it's perjury if they indicate any degree of certainty and barratry if they don't.
Perhaps that should be rendered cut and dry through a simple law. Just to put an exclamation point on it, have the law publish all SSNs for all time just to make the point obvious.
Re: (Score:2)
You are not required to disclose your SSN to anyone other than the IRS and financial institutions. They're also free to tell you to take a hike if you don't.
If you willingly give up anything that they ask for it's your own damn fault.
Re:'Just change country. (Score:4, Interesting)
You missed! The scenario I was speaking of was somebody ELSE using the SSN. Perhaps they got it when my wallet went missing back in 1989. Perhaps someone stole a letter from the IRS out of my mailbox or had a little peek at my outgoing tax return. Perhaps a disgruntled government employee sold a pile of SSN data back in the '90s. Doesn't matter.
Even if I willfully published it on a billboard, it's STILL the bank's fault if they took such a flimsy bit of information as proof of anything and handed over a wad of cash.
Re: (Score:3)
You are not required to disclose your SSN to anyone other than the IRS and financial institutions.
You're obviously not a freelancer in the USA. If you were, you'd know that every company you work for asks for your SSN via an IRS W-9 form, and you must provide it so they can report to the IRS how much money they paid you.
Re: (Score:2)
You should not be thinking in terms of "stealing" a SSN. It is given out so much that it should be treated as publicly available information, like a phone number in a phone book or an address used by the Post Office. It should never be used as an ID, let alone as a password.
Re: (Score:3)
If your country can't change, change country.
Banks are slightly better here, but some of them still think my mother's maiden name is likewise a secret. Or even my date of birth.
Numerous institutions want to send me a SMS for authentication, even though phone numbers are easily stolen (unauthorised porting).
BTW, am I the only one who read the headline and thought SSN meant a nuclear attack submarine?
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
If your country can't change, change country.
And yet ... the flow is still the other way. Strange.
Re: 'Just change country. (Score:3)
At least Finland uses smart ID chips in their national ID card. You can use it to sign emails and 100% prove your identity to websites. The US is so backward, like it's stuck in some kind of caveman era.
https://dvv.fi/en/citizen-cert... [dvv.fi]
Replace them (Score:5, Insightful)
Other countries have long since replaced simple, half-predictable numbers with much longer, more random ones. Also, we don't use them as identification, but simply as account numbers, which are useless by themselves.
Why is the US so resistant to change?
Re:Replace them (Score:5, Insightful)
Why is the US so resistant to change?
It's related to the unofficial motto shared by our two political parties:
America will always do the right thing — after exhausting all the alternatives.
Re: Replace them (Score:5, Informative)
My SSN Card says "Not for Identification Purposes". We were told to keep it secret.
When I initially enlisted in the Navy (1982), we were instructed to write our SSN under our names to send/receive mail. Our SSN was our "service" number. Millions of letters with our name, address, and SSN in plain view.
In college, our SSN was on every document we received or filled out. It was our college ID number.
Now, we worry about people stealing our identities and benefits because they get our SSN.
Thank you Congress for changing the law. Not!
Asinine.
Re: (Score:2)
Ditto, here, sort of.... I had my drivers license number printed on my checks.
Re: (Score:2)
When I attended Washington University in St. Louis from 1980-1982, our SSN was used as our student ID.
Re: (Score:2)
Yep. When I first moved to Ohio, it was required to give your social security number to get a drivers license, and your social security number was your drivers license number.
Which was a publicly available document.
Re: (Score:3)
This may be a legal urban legend, but I've read that the "Not for Identification" thing on the card referred to using the card as ID, not the number, which is how not-government places justified using the number as your customer id.
That doesn't solve it. More info, and a solution (Score:4, Informative)
> Other countries have long since replaced simple, half-predictable numbers with much longer, more random ones
That does absolutely no good when millions of them are in every breach. I can just look up somebody's social in the breaches I downloaded. Nobody is brute forcing social security numbers, so it doesn't matter how long or random they are. In particular, the SSN has to match with the name, so nine digits is plenty - the guy at the bank is going to get a tad suspicious if you submit four million account applications before guessing the right social.
For those interested in the topic, here's a write-up I did a couple of years ago, with each statement supported by factual references and such. I also outline a proposed solution.
https://passworddog.s3.amazona... [amazonaws.com]
The problem is that the SSN is treated both as an identifier, like your name, and as a secret, like a password. Names and other identifiers are not secret, and will never be secret! You send them to all kinds of companies - they aren't secret. As one scholar put it "it isn't a secret if you tell everyone" (Milan Morris, kindergartner).
For the proposed solution, the basic idea is that most of the time the company or whoever needs to know something *about* you. An arbitrary string of digits isn't actually what they need anyway. Suppose you're trying to finance a cell phone, using a plan where they hand you a "free" phone and you pay an extra $40 / month compared to a prepaid plan. What the phone provider actually wants to know is whether you have a history of making payments on time. That has nothing to do with social security. With the proposed system, you actually give them what they need and nothing more. You don't give them the ability to impersonate you by handing over a "secret" password.
It's based on SAML, which allows one site to sign an assertion on behalf of a user, and send that assertion to another site. You click a button which sends you to log in to your old phone provider's site, which causes them to use SAML to tell the other phone provider "this person pays their bill on time" - without any other information, no "identity". Just "we confirm the person who clicked pays on time".
For a broader credit score, instead of giving your SSN to everyone, then having *them* log in to Transunion to get info about you, the flow would be reversed. YOU log in to Transunion, getting a signed SAML assertion that only says "yes, this person has a FICO score of at least 780". You don't need to send any secret to the new company.
If someone did truly need identity, as opposed to some fact about you, fine. The DMV provides identity. So the SAML goes through the DMV and the DMV signs off on your identity. Just like a driver's license. Still no need to send any secrets to the company. They just use the DMV's public key to verify that the DMV (or any other trusted party) identified you.
Re:That doesn't solve it. More info, and a solutio (Score:4, Insightful)
Agreed, a number, even a 2048-bit number that is fully randomized, is useless if it gets leaked. Now, a 2048-bit private key to validate certs is indeed very good, but that's not what identification numbers are. Even though in advanced countries who laugh at Americans, identification numbers are insecure if they can be used to verify your identity merely by knowing them.
DMV is good, if the card is present. The card has all sorts of security features, but it's useless if you can just give someone the driver's license number to pretend to be someone else. But even if it was better, it's still useless as a national identity number - as it needs to be used for all citizens and all non-citizen residents; and babies don't drive, as well as huge swaths of the population. Plus many times a driver's license requires a fee, and the non-driving identification from a DMV office most definitely requires a fee; whereas SSN is free and only requires the interminable standing in line.
Re: (Score:2)
Yeah the DL number is as useless as the social security number.
The idea is you log in to the DMV web site using your RSA token + password manager or whatever. The DMV then uses their private key to sign an assertion of your identity, which also includes a nonce from the recipient.
DMV could of course be any trusted identity provider. They happen to be the main identity provider used today - people check your state ID.
Re: (Score:2, Informative)
The problem with your argument is that SSNs are highly predictable.
Re: (Score:2)
> The problem with your argument is that SSNs are highly predictable.
Okay, predict my social. Sure you could get it after a million guesses. Which is going to make the bank manager a bit suspicious.
Or you could just look it up in one of the many, many, many breaches.
It's not predictable enough to get in one or two guesses.
Which makes predicting it pointless, when you could just download the torrent and look it up.
Re: (Score:2)
For the proposed solution, the basic idea is that most of the time the company or whoever needs to know something *about* you. An arbitrary string of digits isn't actually what they need anyway. Suppose you're trying to finance a cell phone, using a plan where they had you a "free" phone and you pay an extra $40 / month compared a prepaid plan. What the phone provider actually wants to know is whether you have a history of making payments on time. That has nothing to do with social security. With the proposed system, you actually give them what they need and nothing more. You don't give them the ability to impersonate you by handing over a "secret" password.
Unfortunately, this probably won't work in practice. Credit reporting typically doesn't involve a one-time verification without proof of identity, with very few exceptions. When you open a line of credit, the creditor doesn't just need to know whether you pay your bills on time, but also who you are (definitively) so that they can report back to the credit agency if you fail to pay your future bills on time. Without that identifier and proof that the identifier belongs to the applicant, we would be even
Re: (Score:2)
The SSNs are not to be used as identification numbers with banks, hospitals, universities, and other non-government offices. Until 1972, the Social Security cards came with a warning on the bottom reading "Not For Identification"! The problem is that this restriction is ignored. Mostly because there is no other readily available identification number that exists (especially since not everyone has a driver's license, whose numbers are also pitifully insecure). So the SSN defaults to being a national identi
Re: (Score:2)
In most of the rest of the world, your SSN-equivalent is treated as a unique identifier. In other words: It is your unique username. In addition to your user name, you’ll need a password to deal with anything. For the same reason you shouldn’t use your username as a password, you shouldn’t rely on any public information as part of your security matrix.
For any personal identification process that could produce serious (financial) consequences, there needs to be a chain of trust. At the beginning of such a chain, it has to be a face-to-face interaction with some picture ID. Without that, the operation shall not be bound legally. In the middle of the chain, it has to be either a handwritten signature or a user-configurable password, else the chain shall be regarded invalid. So
Re: (Score:2)
Why is the US so resistant to change?
Conservatives. It’s in the name.
Lol, no, this is a government issue. It would take them a decade to come up with and implement a replacement.
So they just aren't going to.
There's nothing better here (yet) (Score:3)
The answer is obvious - there's nothing better right now that's a secret that people know (kind of) to not share broadly, that's centrally assigned and part of a single namespace.
There are a lot of obvious problems too - there's no easy way to change SSNs, and it's used over the span of one's entire life so a security breach is likely. The US should do better. It'd be nice if Congress started to put together a plan to move us towards a post-SSN world (including figuring out what that would look like).
Re: (Score:2)
It's a deeper problem. It is literally impossible to use it even once as identification or authentication without disclosing it.
Even if that one time is at a bank when you're a teen, there's a good chance that it's changed hands several times by the time you're middle aged. Who knows if it was kept secure or not.
Re: (Score:2)
It's obvious what it would look like, a mandatory ID law.
Financial industry especially needs a well maintained universal identifier, only government has the means and rights to maintain such a thing. So it's going to be a photo-ID with NFC cryptoprocessor. If you allow access to government services without the ID you get voter oppression of the people living on the fringes, so the only solution is to make it an absolute mandate and free (also has to be dirt cheap to make, some homeless bum is going to say h
Re: (Score:2)
Mandatory ID doesn't solve the problem. If it's a number, even a very long number, and it can be used to identify you, then it's a problem. If there's a data breach then what? Someone buys those numbers in bulk, phones up your bank and hands over the big long number... Better solution - require going TO the bank IN PERSON with the government issued identity card that has your picture and a seal (and was free to obtain). Forget this online crap, it's insecure from the start; but at least with credit c
Re: (Score:2)
Mandatory ID doesn't solve the problem. If it's a number, even a very long number, and it can be used to identify you, then it's a problem. If there's a data breach then what? Someone buys those numbers in bulk, phones up your bank and hands over the big long number... Better solution - require going TO the bank IN PERSON with the government issued identity card that has your picture and a seal (and was free to obtain). Forget this online crap, it's insecure from the start; but at least with credit cards the banks do notice suspicious activity and will cancel the card and send you a new one.
That doesn't stop credit fraud. It just requires someone to have fake ID that is good enough to fool someone. At a bank, that's probably good enough, but for small lines of credit, like buying cell service from some random minimum-wage worker in a Verizon/AT&T/Sprint/T-Mobile store, "good enough to fool someone" is probably a pretty low bar.
It also basically amounts to a complete ban on credit cards issued by online retailers (Amazon, B&H Photo, etc.), and having people trained to do adequate veri
Re: (Score:2)
The SSN is not the fundamental problem, ignoring arch-conservative objections to any form of official identification for a moment. The fact that your knowledge of SSN is taken as verification of identity is the problem.
What would happen is that anyone who wants to authenticate your identity takes the SSN, goes to a public government database to get a public key associated with that SSN and then uses that to request verification from the cryptoprocessor in the ID card that it belongs to that SSN.
The number w
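Two comments in this thread describe the same mechanism from different angles: the "That doesn't solve it" proposal, where an identity provider (the DMV, or a credit bureau) signs an assertion that includes a nonce from the relying party and the relying party checks it with the provider's public key, and this comment's card cryptoprocessor answering a challenge to prove it holds the key for a given number. In both cases the verifier receives a signed, single-use statement and never learns a reusable secret. The following Go example is added here to show that flow end to end; it is not code from any commenter or from SAML itself (it uses plain Ed25519 signatures over a JSON assertion in place of SAML's XML signatures), and the type and function names, the claim strings and the issuer/audience labels are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is the signed statement the identity provider hands back to the
// user for forwarding to the relying party. It carries a fact about the user,
// not a secret: nothing in it lets the relying party impersonate the user later.
type Assertion struct {
	Issuer   string `json:"issuer"`
	Claim    string `json:"claim"`    // e.g. "pays-on-time=true" (constructed label)
	Audience string `json:"audience"` // the relying party this assertion is for
	Nonce    string `json:"nonce"`    // challenge chosen by the relying party
	Expires  int64  `json:"expires"`  // unix seconds
}

// Signed bundles the assertion with the issuer's signature over its JSON form.
type Signed struct {
	Assertion Assertion
	Signature []byte
}

// NewNonce is called by the relying party before the flow starts. A fresh
// random challenge means a captured assertion cannot be replayed later.
func NewNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// IssueAssertion runs at the identity provider after it has authenticated the
// user by its own means (the thread suggests a hardware token plus a password
// manager). The signing key never leaves the provider, just as the card's key
// never leaves its cryptoprocessor.
func IssueAssertion(priv ed25519.PrivateKey, a Assertion) (Signed, error) {
	msg, err := json.Marshal(a) // struct field order makes this deterministic
	if err != nil {
		return Signed{}, err
	}
	return Signed{Assertion: a, Signature: ed25519.Sign(priv, msg)}, nil
}

// VerifyAssertion runs at the relying party. It needs only the issuer's public
// key, the nonce it generated and its own name; on success it learns the claim
// and nothing else. Every check is required: a valid signature alone would
// still accept a replayed or misdirected assertion.
func VerifyAssertion(pub ed25519.PublicKey, s Signed, wantAudience, wantNonce string, now time.Time) (string, error) {
	msg, err := json.Marshal(s.Assertion)
	if err != nil {
		return "", err
	}
	if !ed25519.Verify(pub, msg, s.Signature) {
		return "", errors.New("bad signature: not issued by this provider, or tampered")
	}
	if s.Assertion.Audience != wantAudience {
		return "", errors.New("assertion was issued for a different relying party")
	}
	if s.Assertion.Nonce != wantNonce {
		return "", errors.New("nonce mismatch: stale or replayed assertion")
	}
	if now.Unix() > s.Assertion.Expires {
		return "", errors.New("assertion expired")
	}
	return s.Assertion.Claim, nil
}

func main() {
	// Constructed key pair for the demo; a real provider would keep it in an HSM.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)

	nonce, _ := NewNonce() // relying party's challenge
	a := Assertion{Issuer: "example-idp", Claim: "pays-on-time=true",
		Audience: "new-phone-provider", Nonce: nonce,
		Expires: time.Now().Add(5 * time.Minute).Unix()}
	s, _ := IssueAssertion(priv, a)

	claim, err := VerifyAssertion(pub, s, "new-phone-provider", nonce, time.Now())
	fmt.Println("accepted claim:", claim, "err:", err)

	// Changing the claim after signing is detected by the signature check.
	s.Assertion.Claim = "pays-on-time=false"
	_, err = VerifyAssertion(pub, s, "new-phone-provider", nonce, time.Now())
	fmt.Println("tampered assertion:", err)
}
```

The audience and nonce checks are what make this safer than "knowing a number": an assertion captured in one transaction is useless in another, and an assertion minted for one relying party cannot be presented to a second one.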
Re: (Score:2)
You don't need the formula. The vast amount of identity theft comes from data breaches, throwing out papers that includes this number, etc.
Re: (Score:2)
SSNs were never set up to be secrets, are not secrets now, and should never be used for identification.
Easy solution... (Score:5, Insightful)
...hack congress & the senate's records to get their SSNs then publish them on the open internet. I'm sure they'd find a way to resolve the issue then.
Re: (Score:2)
Well, there would be an issue to resolve, but finding lawmakers immune to identity theft due to self-imposed loopholes that reveal that their wealth isn't even in the US banking system, isn't exactly the corruption you were targeting.
Re: (Score:2)
I'm sure they'd find a way to resolve the issue then.
Yeah, they'd pass a law making it illegal to misuse congresspeople's SSNs (including publishing them online) and be done with it. The hoi polloi can f right off.
It's not a big deal at all, and you can change it (Score:5, Informative)
Yes, it's stupid that so many organizations rely on it as an identifier, but:
- Identity theft isn't the issue it's made out to be. It is for banks as they lose money, but consumers can refuse and dispute charges without any real issue.
- An SSN is rarely the sole thing used to identify an individual to an account, it's one of many identifiers. Sounds like the person who submitted the story should switch banks if they are so lax as to grant access to the account just from knowing the last 4 digits. Chase for example doesn't do that, nor do any of the big banks.
- You don't HAVE to use SSN as an identifier, and technically it's meant to be illegal to demand it, it's just become a de facto practice. Make a fuss, speak to a manager, and you can open an account without one so long as you can provide enough other documents proving your identity. Although in practice they probably can match your records to other data and get your SSN anyway.
- Lastly, there is a process to change your SSN if you've been a victim of identity theft, it's a high bar to clear but far from impossible. I know, I've done it. The SSN website even has an entire page devoted to how to go about it.
Re: (Score:2)
Not in practice. To open an account you're required to provide your TIN (Taxpayer Identification Number), which happens to be exactly the same as your SSN (so that's what they ask for, because it's the number people know). Next to impossible to make them different.
Re: (Score:2)
For banks that is true, but you don't need to provide it to any other type of organization or company that requests or even demands it, and technically it is illegal for them to do so.
Anyone with a non-US citizenship can use their passport number in place of an SSN or ITIN, and for US residents without, the workaround is to open a business account with an EIN which you can apply for and obtain from the IRS. You need an LLC to do this, so it's a little more expensive with a minimum fee of $50/year for the LLC
Re: (Score:2)
I wrote my original comment very casually, wasn't expecting it to be so dissected. Nothing I have said is incorrect except for the people desperate to point out gotchas.
As I said, you were right that in general a US Citizen is asked for a TIN, but there are ways around this. I haven't backtracked on anything, I've clarified. I simply pointed out there are workarounds.
Now you're mentioning employers when I said you don't need to provide your SSN to any organizations, and that just seems like desperation on
Re: (Score:2)
If you're talking about banks, you can't come back and say you weren't when it's pointed out that you're incorrect.
Re: (Score:2)
No, I don't have a short attention span. You sad people so desperate to play semantics to win internet points and feel smug are everything that's wrong with the internet today.
I agreed with the guy that said "not in practice". This doesn't negate my original comment. The point I was making is that there are workarounds. I maintain you don't need an SSN to open a bank account. I know that to be true because I've done it more than once.
Re: (Score:2)
As I hold my TIN papers in hand, it is NOT the same as my SSN.
Re: (Score:2)
Yes, you usually stop identity theft, but it is a huge hassle. If the identity thieves are persistent, it can take years of fighting to get one's identity back under control.
I can't imagine that being true unless people are particularly inept.
In a worst case scenario a person can pay for one of many reputable services to monitor their credit reports and accounts which flag and require approval for anything suspicious.
Re: (Score:2)
Do you know anyone who's elderly? Scams on the elderly are extremely common. They're starting to lose a bit of judgement, were raised in a time when you trusted people more, don't understand computers or complex government systems, and tend to be less likely to call up law enforcement if they've lost a lot of money. It would be great if everyone was a 30-something paranoid Slashdot reader, but unfortunately being inept is a part of life for the majority of humans.
Re: (Score:2)
and yet they still vote
Re: (Score:2)
The majority of what gets called identity theft these days is stolen credit card fraud, which has nothing to do with SSN. But "credit card fraud" reminds people they have legal protections, and that can lead to people being careless. But "identity theft" is still a scary clickbait buzzword that makes people more paranoid.
Real identity theft is a major hassle, especially if you don't know (or follow) the procedures on how to respond to it. Credit card fraud isn't to the cardholder.
Various businesses... (Score:2)
...have tried this with me, but I adamantly refuse to fork over my SS number to, say, an internet provider. Instead, I have them create a 5-digit PIN. Really, though, this is little more than just sending a message to them, since they will more than likely do a credit check on me anyway if I'm a new customer. So, they will know my SS number regardless.
I absolutely agree that privacy is not taken very seriously in this country. You need to take responsibility for protecting yourself, because many businesses
SSNs are just an example. (Score:3)
The reproduction does not have to be perfect, it just has to be good enough to fool the access system. The Chaos Computer Club in Germany for instance managed to get an official German passport with the fingerprints of Germany's Minister of Interior affairs stored on its identity chip. How they did it? At a public event someone took the glass the minister was drinking from when he returned it to the service personnel, took the finger prints from the glass and made a plastic pattern from it. When he then went to get a new passport, he covered his fingertips with the plastic patterns before his fingerprints were taken, and thus, instead of his own, the minister's fingerprints were stored in the database and then in the passport.
Re: (Score:2)
You can *also* get yourself a Tax ID number, which is the same format as social security numbers, except the 5th digit is odd instead of even, and is legally good everywhere a social security number might be required.
Re: (Score:2)
I know for a fact that my late wife's SSN had an odd 5th digit.
Online govt. (Score:3)
"In Soviet Union ..." gag is very very true (Score:2)
But often one is able to use such information, open credit lines, and run away leaving the real person to deal with the consequences of ID theft. Why? Why can't we lock our credit lines? Why can't we tell credit reporting agenci
Re: (Score:2)
Why can't we lock our credit lines? Why can't we tell credit reporting agencies, I am not seeking credit?
You can. Each reporting agency has a process to do so.
Probably had other info too ... (Score:2)
This morning I called my bank and was asked for the last four digits of my SSN and they somehow accepted my identity because I knew those four digits.
If you called from home or your cell, they probably have those numbers on file and were asking for your SSN to corroborate that you were someone associated with that phone number. In addition, companies often have their computers and phones linked so when you call the computer can use the caller ID to automatically pull up your customer record. Not saying your bank has that, but I used something like that at a small software development company. Obviously caller ID isn't spoof-proof, but that's a business
Meant to be an identifier, not a password... (Score:2)
The SSN was never meant to be a password. It is only supposed to be your unique ID from a govt standpoint. Businesses too can and should have it to connect with your legal identifier.
Any business using it as a password though, that is totally wrong.
And even for a unique ID, it is always good to keep it secret. We do this with lots of identifiers like our employee number, our driver's license number, etc. It's just smart to prevent others from accessing your records given the ID.
Here's why (Score:5, Insightful)
SSNs are used as proof of identity because Americans refuse ID cards on the grounds that they don't want to be tracked by the government, retain their God-given freedom to live without Nazi-like papers issued by the state and yada-yada.
But Americans are all assigned a SSN at birth (because they all like social security, even if it's a government thing - surprise surprise...) and other businesses need to verify their identities somehow. So the SSN has become the de-facto ID card.
Hence the terrible brokenness of it.
The day Americans decide to accept an ID card like everybody else, the problem will be solved. Until then... well, America will remain a land of contradiction: a puritan that makes tons of porn, a lover of peace and democracy that wages war everywhere, with a population profoundly attached to freedom that accepts living in a crypto-fascist plutocracy.
Give me a break. (Score:2)
And just try opening a bank account without a 'state issued but not national' ID card.
Re: (Score:2)
... and it's also untrue in that the UK also doesn't have mandatory ID cards or an SSN. The closest equivalent is a driving licence card (that it isn't mandatory to carry, even when driving) and a National Insurance card and number that isn't used for anything at all as far as I can tell. I'm pretty sure I've lost mine.
Yet somehow banks still exist. There are many ways of proving identity beyond a state-issued number or document.
Re: (Score:2)
because Americans refuse ID cards
Because we don't want private businesses to build dossiers on us across all of our various commercial and other relationships. I don't mind setting up an ID and password with each firm or person I do business with. But they can all be different, making it difficult to link my activities to me as a unique individual*. The only consistent ID that is asked for is a SSN. I provide that to those who have a legal need to know it. For everyone else, I say I forgot it and don't carry a card. Or I lie (that is only
Re: (Score:3)
But Americans are all assigned a SSN at birth (because they all like social security, even if it's a government thing - surprise surprise...) and other businesses need to verify their identities somehow.
Sort of.
Americans are not automatically assigned a SSN at birth.
The parents are given the option to request a SSN from the entity issuing the birth certificate.
https://faq.ssa.gov/en-us/Topi... [ssa.gov]
Not everyone says yes, but people usually say yes because the child must have a SSN for the parents to get the dependent deduction from the IRS or the Child Tax Credit.
It's probably not being used as a password (Score:3)
They're asking just to verify that it's you. They've already pulled up your record and want to make sure that your answer matches what is on their screen. Especially if they have multiple records with the same first and last name.
In Canada, they may typically ask you to provide one or more details like phone number, address, or postal code. I've even heard tellers in a bank ask for info on previous transactions to help verify identity. I've never been asked to provide our SIN number though which is our equivalent to your SSN. That is a bad practice.
If they're using it as the actual account number, I'd cancel all business with them and find another company to work with. Only tax related services like banks and investment companies need the number.
Re: (Score:2)
It used to be the case that most places asked for your SIN.
There was a huge push around 2000-2004 where the federal gov't told businesses to not use SIN as an identifier.
College IDs changed, recovery ID question of "what is your SIN" changed, internet and utilities stopped asking for SIN. It was a huge difference from what was the norm in the 90s.
The office of the privacy commissioner (priv.gc.ca) reaffirmed that "No private-sector organization is legally authorized to request customers’ SINs for pur
Do you have a better idea? (Score:3)
Re: (Score:2)
There are ways. I've been asked to verify the amounts of the last 3 checks I've written, back when more things happened by check; generalize as you like.
Yep! (Score:3)
What is the right way to get around this problem? I think the only real solution is to build a system of Multi Factor Identification and Authentication, that relies on held zero trust secrets, public keys, and a biological / DNA based access token, for updating, changing and cycling the information involved.
Let's assume you have to change your phone plan, or you want to update your license plate, how would this system work? In my naive approach, you'd generate a one time QR code, place it on an ID chain, that's signed and encrypted with a private key, have the company / government scan the QR code, after decrypting it with their keys, then provide some MFA (TOTP, etc...), and validate that X updated Code Y for reason Z, destructing and destroying the token after its use.
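The one-time, signed, second-factor token sketched in the comment above, as an added Python example that is not part of the comment, the article, or any real agency system. It uses an HMAC tag over a shared issuer key in place of the comment's private-key signature (a deliberate swap so it runs with the standard library only), implements RFC 6238 TOTP from scratch, and enforces single use by remembering consumed nonces. The issuer key, the per-user TOTP seed, the subject/action/reason fields and the fixed timestamps are all constructed assumptions for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import struct
import time

# Constructed demo secrets (assumptions, not from the post). In the comment's
# scheme the citizen's device would hold a private key; here a shared HMAC key
# plays that role so the example needs no third-party crypto library.
ISSUER_KEY = b"demo-issuer-key-not-for-production"
TOTP_SEED = base64.b32encode(b"demo-totp-seed-1234")  # per-user seed, base32 as authenticator apps expect


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret_b32, now=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    now = time.time() if now is None else now
    return hotp(secret_b32, int(now // step), digits)


def issue_token(subject, action, reason, key=ISSUER_KEY, now=None, ttl=120):
    """Build the 'X updated Y for reason Z' claim, add a fresh nonce and expiry,
    and authenticate it. The returned string is what the QR code would carry."""
    now = time.time() if now is None else now
    payload = {
        "sub": subject, "act": action, "why": reason,
        "nonce": os.urandom(16).hex(),        # makes every token unique and single-use
        "iat": int(now), "exp": int(now) + ttl,
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(tag).decode()


class Verifier:
    """The relying party (carrier, DMV) side: checks tag, expiry, replay, then the second factor."""

    def __init__(self, key=ISSUER_KEY, totp_seed=TOTP_SEED):
        self.key = key
        self.totp_seed = totp_seed
        self.used = set()  # consumed nonces; a real deployment persists these until expiry

    def redeem(self, token, otp, now=None, step=30):
        now = time.time() if now is None else now
        try:
            b64_body, b64_tag = token.split(".")
            body = base64.urlsafe_b64decode(b64_body)
            tag = base64.urlsafe_b64decode(b64_tag)
        except (ValueError, binascii.Error):
            return (False, "malformed")
        # Authenticate before parsing so attacker-controlled JSON is never trusted.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return (False, "bad signature")
        claim = json.loads(body)
        if now > claim["exp"]:
            return (False, "expired")
        if claim["nonce"] in self.used:
            return (False, "replayed")
        # Second factor: accept the current step or the previous one for clock skew.
        candidates = (totp(self.totp_seed, now, step), totp(self.totp_seed, now - step, step))
        if not any(hmac.compare_digest(otp, c) for c in candidates):
            return (False, "bad otp")
        self.used.add(claim["nonce"])  # "destroy the token after its use"
        return (True, f"{claim['sub']} updated {claim['act']} for {claim['why']}")


if __name__ == "__main__":
    issued, redeemed = 1_700_000_000, 1_700_000_005  # fixed clocks, constructed
    v = Verifier()
    tok = issue_token("alice", "license_plate", "moved house", now=issued)
    code = totp(TOTP_SEED, now=redeemed)
    print(v.redeem(tok, code, now=redeemed))   # accepted once
    print(v.redeem(tok, code, now=redeemed))   # rejected as a replay
```

Note the check order: the tag is verified before the JSON is parsed, the expiry and nonce are checked before the OTP so a replayed token never gets a second shot at the second factor, and the nonce is only recorded once every check has passed.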
Re: (Score:2)
I get the sense that SSN, DOB, Mother's Maiden Name were originally used for disambiguation more than identification. Then over time, it became a security feature, and that's when things went south.
Re: (Score:2)
There are reasons for it (Score:2)
Banks are required by law to verify your identity and report any interest income you get from the account. SSN is a pretty effective way to do that (and may actually be required as part of the identity verification, for all I know). To get a cell phone account, the carrier is going to do a credit check, and they can't do that without SSN.
Using it to verify you're you in future contacts is a matter of convenience. Not the best way, sure, but it's something they already have.
(And BTW, you can get your SSN cha
Blame the IRS (Score:2)
While the poster blames Equifax they really should blame the IRS. CGP Grey explains this very well
https://www.youtube.com/watch?... [youtube.com]
It's a feature, not a bug. I wish I were joking. (Score:2)
Well, it's also laziness and because using a more secure form of authenticating identities would be expensive.
* For one thing, the IRS can see that the same SSN has jobs all over the United States that would be physically impossible for any one person to do. They see it on the filings from their employers. By law they are not allowed to let other TLAs know there are a dozen employers all filing tax forms showing the same employee working in 4 different states. The IRS doesn't care if you earn your money b
Vote with your wallet (Score:2)
Ask to have a meeting with the local branch manager. Let them know how unacceptable it is to use SSNs for security. Ask them if they have plans to change that and when. If they don't or won't change that, open a new account somewhere that takes security seriously. Vote with your wallet.
Re: (Score:2)
It's nobody's business but everybody wants to know it. "I am not a number. I am a free man."
Exactly why a famous actor, not saying who, changed his name from Morgan Number to something else ...