Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security IT Technology

'Why the Heck Are SSNs Still Treated as Passwords in the US?' (techcrunch.com) 174

Haje Jan Kamps, writing for TechCrunch: A couple of weeks ago yet another of my friends was a victim of identity theft, and I got yet another deep look into how fantastically broken the U.S. can be when it comes to security. "They have my social security number," she said, and I was reminded of how a lot of systems in the U.S. are woefully poorly designed. To wit: This morning I called my bank and was asked for the last four digits of my SSN and they somehow accepted my identity because I knew those four digits.

When I moved to the U.S. a couple of years ago, my friends made sure that I knew I had to keep my Social Security number (SSN) secret and hidden. When I started opening a bank account and set up a cell phone plan, it became obvious why: All sorts of institutions that really should know better are treating this string of numbers as a password. There's a huge, glaring problem with that. I maintain that Equifax should receive the corporate equivalent of capital punishment for allowing this to happen, but 145 million social security numbers were stolen by hackers a few years ago, which means that the Social Security numbers -- yes, the same numbers that are being treated as "passwords" -- for about half the U.S. adult population are in the wind.

We've gotten used to passwords by now, but at least, in most cases, passwords can be changed when they are hacked. Your social security number? Not so much. If your SSN leaks just once, you're boned. It's not possible to change it, and that brings up the true depth of idiocy in all of this: Relying on security that depends on keeping an unchangeable piece of information secret is really bloody stupid. The corollary is this: Imagine that your email has been hacked but your email provider tells you that you can't change your password, you can't change your email provider, and you'll just have to deal with it. That's the situation we currently have with Social Security numbers.

This discussion has been archived. No new comments can be posted.

'Why the Heck Are SSNs Still Treated as Passwords in the US?'

Comments Filter:
  • by stooo ( 2202012 ) on Friday April 29, 2022 @03:54PM (#62490298) Homepage

    If your country can't change, change country.

    • It's the corporations treating the SSN as a "password"

      • by stooo ( 2202012 )

        Corporations or government does not matter, it's only a problem in the US.

        • Nah, itâ(TM)s a problem pretty much everywhere that has an identity card of sorts. If any government wasnâ(TM)t so intent on tracking their subjects, this wouldnâ(TM)t be a problem. In some countries they use an identity card system that has been broken for decades and has been broken so it is basically 40 bits of encryption, they are about as easy to clone as the train and bus ride cards they have, but because the card verified your transaction it is legally the equivalent to a signature. So

          • by ShanghaiBill ( 739463 ) on Friday April 29, 2022 @05:35PM (#62490550)

            Nah, itâ(TM)s a problem pretty much everywhere that has an identity card of sorts

            No, it isn't. It is a uniquely American problem.

            Plenty of countries use ID numbers, and those ID numbers are often publicly available. That is not a problem. Using an ID for identification is exactly what an ID is for.

            But only in America are widely available ID numbers used as passwords to authenticate that identity.

            The reason for this stupidity is that the cost of identity theft is dumped onto the victims, so the corporations have no reason to care.
             

            • by jbengt ( 874751 ) on Friday April 29, 2022 @06:09PM (#62490616)
              SSNs are an index to your Social Security records, not an ID. They should be treated as publicly available information. My Social Security card (long since lost) even included the text "This card is not an ID". I don't think they say that anymore, but they should.
            • The reason for this stupidity is that the cost of identity theft is dumped onto the victims, so the corporations have no reason to care.

              No, the reason for this is any time someone proposes a national ID, a whole lot of crazy folks insist it's a scheme to haul people off to concentration camps.

              So, we're stuck with using SSNs, the de-facto national ID we already have.

            • Re: (Score:3, Insightful)

              by RinzeWind ( 413873 )

              Exactly. In Spain we have identity cards. Our national ID number is pretty much public information: it's even printed in official publications next to your name for some purposes. It's not a secret to anyone, but it allows you to identify yourself **when** associated with a password. The ID it not a password.

            • by splutty ( 43475 ) on Saturday April 30, 2022 @03:30AM (#62491346)

              Even worse. In the US a passport is often not even accepted as ID.. "Don't you have a driver's license?"

              If your country can't universally accept the only ID that's accepted globally, then something's very wrong to begin with.

              • "Don't you have a driver's license?"

                Don't get me frigging started on this. I presented a European drivers license after seeing several colleagues get told their passports were not valid ID, only to be told by the person with fewer braincells than years alive on this planet that he couldn't understand my drivers license despite it literally being in the same ISO 18013 format as American licenses.

                He's was like "There are multiple dates here, which one is the expiry date" "4b like it is on licenses in your home state!"

                Better still our licenses h

          • by SirSlud ( 67381 )

            Not once have I ever had to or been asked to use my SIN in Canada for a password or to gain access to anything.

        • Not true, happens in other places too unfortunately. Like when I contact my credit card company they ask for my national ID number and home address as verification.
          *sigh*

          • There are multiple level of identification. Sometimes it is okay to identify people just by the national ID and home address, sometimes it is not. Whenever an operation requires signature in pre-Internet days, then asking national ID and home address is not good enough. Those shall be done by true user-configurable password + 2FA.
        • In the US you are the product, the government and corporations only care about your money and habits, not your wellbeing or honor.

    • by Mitreya ( 579078 ) <mitreya.gmail@com> on Friday April 29, 2022 @04:21PM (#62490366)
      Simple: Because "identity theft" misnomer somehow makes it YOUR responsibility if a malicious person stole your SSN and got money on your behalf.
      The moment banks are responsible each time they are fooled by 4 digits of SSN, this practice will stop. Immediately. And they (banks) will have to think of something else to authenticate you.
      • by sjames ( 1099 ) on Friday April 29, 2022 @05:02PM (#62490490) Homepage Journal

        This exactly. If someone gave the bank 4 digits of my all too well known SSN and they handed over scads of cash, that was fraud against the bank. Too bad, so sad. I hope they find the guy, but it's not my problem. If they then try to take the cash from me or my account, that's theft by conversion and they need to be jailed. If they try to bill me, it's more fraud, and if they try to take it to court based only on the SSN, it's perjury if they indicate any degree of certainty and barratry if they don't.

        Perhaps that should be rendered cut and dry through a simple law. Just to put an exclamation point on it, have the law publish all SSNs for all time just to make the point obvious.

        • Really, it's just people being sheep.

          You are not required to disclose your SSN to anyone other than the IRS and financial institutions. They're also free to tell you to take a hike if you don't.

          If you willingly give up anything that they ask for it's your own damn fault.

          • by jbengt ( 874751 )
            I disagree. The SSN should not be treated as an ID, let alone as a password. It is merely an index for the SSA to use in their records. My old Social Security card even stated that it was not to be used as an ID. Fault should clearly land on any bank or other entity using SSNs as authentication of identities.
          • by sjames ( 1099 ) on Friday April 29, 2022 @09:07PM (#62490900) Homepage Journal

            You missed! The scenario I was speaking of was somebody ELSE using the SSN. Perhaps they got it when my wallet went missing back in 1989. Perhaps someone stole a letter from the IRS out of my mailbox or had a little peek at my outgoing tax return. Perhaps a disgruntled government employee sold a pile of SSN data back in the '90s. Doesn't matter.

            Even if I willfully published it on a billboard, it's STILL the bank's fault if they took such a flimsy bit of information as proof of anything and handed over a wad of cash.

          • by kmoser ( 1469707 )

            You are not required to disclose your SSN to anyone other than the IRS and financial institutions.

            You're obviously not a freelancer in the USA. If you were, you'd know that every company you work for asks for your SSN via an IRS W-9 form, and you must provide it so they can report to the IRS how much money they paid you.

      • by jbengt ( 874751 )

        Simple: Because "identity theft" misnomer somehow makes it YOUR responsibility if a malicious person stole your SSN and got money on your behalf.

        You should not be thinking in terms of "stealing" a SSN. It is given out so much that it should be treated as publicly available information, like a phone number in a phone book or an address used by the Post Office. It should never be used as an ID, let alone as a password.

    • by vlad30 ( 44644 )
      The banks and telcos using the date of birth (available everywhere on social media) as a verification check often no password as many do in Australia unless you specifically ask for more security and yes recently telcos were told to make it more difficult to transfer numbers to stop phone number transfers which would then be used to change bank account passwords
    • by quenda ( 644621 )

      If your country can't change, change country.

      Banks are slightly better here, but some of them still think my mother's maiden name is likewise a secret. Or even my date of birth.
      Numerous institutions want to send me a SMS for authentication, even though phone numbers are easily stolen (unauthorised porting).

      BTW, am I the only one who read the headline and thought SSN meant a nuclear attack submarine?

      https://en.wikipedia.org/wiki/... [wikipedia.org]

    • If your country can't change, change country.

      And yet ... the flow is still the other way. Strange.

  • Replace them (Score:5, Insightful)

    by bradley13 ( 1118935 ) on Friday April 29, 2022 @03:57PM (#62490310) Homepage

    Other countries have long since replaced simple, half-predictable numbers with much longer, more random ones. Also, we don't use them as identification, but simply as account numbers, which are useless by themselves.

    Why is the US so resistant to change?

    • Re:Replace them (Score:5, Insightful)

      by OrangeTide ( 124937 ) on Friday April 29, 2022 @04:28PM (#62490384) Homepage Journal

      Why is the US so resistant to change?

      It's related to the unofficial motto shared by our two political parties:

      America will always do the right thing — after exhausting all the alternatives.

    • by jonadab ( 583620 )
      Actually, using them as identification IS a change. When SSNs were introduced, the public was promised that they absolutely would not ever be used for identification purposes.
      • Re: Replace them (Score:5, Informative)

        by Ronin Developer ( 67677 ) on Friday April 29, 2022 @04:45PM (#62490448)

        My SSN Card says âoeNot for Identification Purposesâ. We were told to keep it secret.

        When I, initially, enlisted in the Navy (1982), we were instructed to write our SSN under our names to send/receive mail. Our SSN was our âoeserviceâ number. Millions of letters with our name, address, and SSN in plain view.

        In college, our SSN was on every document we received or filled out. It was our college ID number.

        Now, we worry about people stealing our identities and benefits because they get our SSN.

        Thank you Congress for changing the law. Not!

        Asinine.

        • by kackle ( 910159 )
          Yes, for more helpful identification, I used to have it printed under my name and address on the checks connected to my bank account! Talk about one-stop shopping...
        • by sconeu ( 64226 )

          When I attended Washington University in St. Louis from 1980-1982, our SSN was used as our student ID.

        • Yep. When I first moved to Ohio, it was required to give your social security number to get a drivers license, and your social security number was your drivers license number.

          Which was a publicly available document.

        • by porges ( 58715 )

          This may be a legal urban legend, but I've read that the "Not for Identification" thing on the card referred to using the card as ID, not the number, which is how not-government places justified using the number as your customer id.

    • by raymorris ( 2726007 ) on Friday April 29, 2022 @04:46PM (#62490450) Journal

      > Other countries have long since replaced simple, half-predictable numbers with much longer, more random ones

      That does absolutely no good when millions of them are in every breach. I can just look up somebody's social in the breaches I downloaded. Nobody is brute forcing social security numbers, so it doesn't matter how long or random they are. In particular, the SSN has to match with the name, so nine digits is plenty - the guy at the bank is going to get a tad suspicious if you submit four million account applications before guessing the right social.

      For those interested in the topic, here's a write-up I did a couple of years ago, with each statement supported by factual references and such. I also outline a proposed solution.

      https://passworddog.s3.amazona... [amazonaws.com]

      The problem is that the SSN is trated both an an identifier, like your name, and a secret, like a password. Names and other identifiers are not secret, and will never be secret! You send them to all kinds of companies - they aren't secret. As one scholar put it "it isn't a secret if you tell everyone" (Milan Morris, kindergartner).

      For the proposed solution, the basic idea is that most of the time the company or whoever needs to know something *about* you. An arbitrary string of digits isn't actually what they need anyway. Suppose you're trying to finance a cell phone, using a plan where they had you a "free" phone and you pay an extra $40 / month compared a prepaid plan. What the phone provider actually wants to know is whether you have a history of making payments on time. That has nothing to do with social security. With the proposed system, you actually give them what they need and nothing more. You don't give them the ability to impersonate you by handing over a "secret" password.

      It's based on SAML, which allows one site to sign an assertion on behalf of a user, and send that assertion to another site. You click a button which sends you to log in to your old phone provider's sitewhich causes them to use SAML to tell the other phone provider "this person pays their bill on time" - without any other information, no "identity". Just "we confirm the person who clicked pays on time".

      For a broader credit score, instead of giving your SSN to everyone, then having *them* log in to Transunion to get info about you, the flow would be reversed. YOU log in to Transunion, getting a signed SAML assertion that only says "yes, this person has a FICO score of at least 780". You don't need to send any secret to the new company.

      If someone did truly need identity, as opposed to some fact about you, fine. The DMV provides identity. So the SAML goes through the DMV and the DMV signs off on your identity. Just like a driver's license. Still no need to send any secrets to the company., They just use the DMV's public key to verify that the DMV (or any other trusted party) identified you.

      • by Darinbob ( 1142669 ) on Friday April 29, 2022 @05:47PM (#62490574)

        Agreed, a number, even a 2048-bit number that is fully randomized, is useless if it gets leaked. Now, a 2048-bit private key to validate certs is indeed very good, but that's not what identfication numbers are. Even though in advanced countries who laugh at Americans, idenfication numbers are insecure if they can be used to verify your identity merely by knowing them.

        DMV is good, if the card is present. The card has all sorts of security features, but it's useless if you can vo just give someone the driver's license number to pretend to be someone else. But even if it was better, it's still useless as a national identify number - as it needs to be used for all citizens and all non-citizen residents; and babies don't drive, as well as huge swaths of the population. Plus many times a driver's license requires a fee, and the non-driving identification from a DMV office most definitely requires a fee; whereas SSN is free and only requires the interminable standing in line.

        • Yeah the DL number is as useless as the social security number.
          The idea is you log in to the DMV web site using your RSA token + password manager or whatever. The DMV then uses their private key to sign an assertion of your identity, which also includes a nonce from the recipient.

          DMV could of course be any trusted identity provider. They happen to be the main identity provider used today - people check your state ID.

      • Re: (Score:2, Informative)

        by whoever57 ( 658626 )

        In particular, the SSN has to match with the name, so nine digits is plenty - the guy at the bank is going to get a tad suspicious if you submit four million account applications before guessing the right social.

        The problem with your argument is that SSNs are highly predictable.

        • by jbengt ( 874751 )
          They have started randomizing new SSNs, but that's not the issue, since they're not supposed to be used for ID, anyway, let alone as authentication of your identity.
        • > The problem with your argument is that SSNs are highly predictable.

          Okay, predict my social. Sure you could get it after a million guesses. Which is going to make the bank manager a bit suspicious.

          Or you could just look it up in one of the many,any, many breaches.

          It's not predictable enough to get in one or two guesses.
          Which makes predicting it pointless, when you could just download the torrent and look it up.

      • by dgatwood ( 11270 )

        For the proposed solution, the basic idea is that most of the time the company or whoever needs to know something *about* you. An arbitrary string of digits isn't actually what they need anyway. Suppose you're trying to finance a cell phone, using a plan where they had you a "free" phone and you pay an extra $40 / month compared a prepaid plan. What the phone provider actually wants to know is whether you have a history of making payments on time. That has nothing to do with social security. With the proposed system, you actually give them what they need and nothing more. You don't give them the ability to impersonate you by handing over a "secret" password.

        Unfortunately, this probably won't work in practice. Credit reporting typically doesn't involve a one-time verification without proof of identity, with very few exceptions. When you open a line of credit, the creditor doesn't just need to know whether you pay your bills on time, but also who you are (definitively) so that they can report back to the credit agency if you fail to pay your future bills on time. Without that identifier and proof that the identifier belongs to the applicant, we would be even

    • The SSNs are not to be used as idenfification numbers with banks, hospitals, universities, and other non-goverment offices. Until 1972, the Social Security cards came with a warning on the bottom reading "Not For Identification"! The problem is that this restriction is ignored. Mostly because there are no other readily available identification number that exists (especially since not everyone has a driver's license, whose numbers are also pitifully insecure). So the SSN defaults to being a national identi

      • The desire for a simple number to distinguish who is who is NOT the problem. From the article:

        In most of the rest of the world, your SSN-equivalent is treated as a unique identifier. In other words: It is your unique username. In addition to your user name, you’ll need a password to deal with anything. For the same reason you shouldn’t use your username as a password, you shouldn’t rely on any public information as part of your security matrix.

        For any personal identification process that could produce serious (financial) consequence, there need to be a chain of trust. At the beginning of such chain, it has to be a face-to-face interaction with some picture ID. Without that, the operation shall not be bound legally. In the middle of chain, it has to be either handwritten signature or user-configurable password, else the chain shall be regarded invalid. So

  • The answer is obvious - there's nothing better right now that's a secret that people know (kind of) to not share broadly, that's centrally assigned and part of a single namespace.

    There are a lot of obvious problems too - there's no easy way to change SSNs, and it's used over the span of one's entire life so a security breach is likely. The US should do better. It'd be nice if Congress started to put together a plan to move us towards a post-SSN world (including figuring out what that would look like).

    • by sjames ( 1099 )

      It's a deeper problem. It is literally impossible to use it even once as identification or authentication without disclosing it.

      Even if that one time is at a bank when you're a teen, there's a good chance that it's changed hands several times by the time you're middle aged. Who knows if it was kept secure or not.

    • It's obvious what it would look like, a mandatory ID law.

      Financial industry especially needs a well maintained universal identifier, only government has the means and rights to maintain such a thing. So it's going to be a photo-ID with NFC cryptoprocessor. If you allow access to government services without the ID you get voter oppression of the people living on the fringes, so the only solution is to make it an absolute mandate and free (also has to be dirt cheap to make, some homeless bum is going to say h

      • Mandatory ID doesn't solve the problem. If it's a number, even a very long number, and it can be used to identify you, then it's a problem. If there's a d data breach then what? Someone buys those numbers in bulk, phones up your bank and hands over the big long number... Better solution - require going TO the bank IN PERSON with the government issued identity card that has your picture and a seal (and was free to obtain). Forget this online crap, it's insecure from the start; but at least with credit c

        • by dgatwood ( 11270 )

          Mandatory ID doesn't solve the problem. If it's a number, even a very long number, and it can be used to identify you, then it's a problem. If there's a d data breach then what? Someone buys those numbers in bulk, phones up your bank and hands over the big long number... Better solution - require going TO the bank IN PERSON with the government issued identity card that has your picture and a seal (and was free to obtain). Forget this online crap, it's insecure from the start; but at least with credit cards the banks do notice suspicious activity and will cancel the card and send you a new one.

          That doesn't stop credit fraud. It just requires someone to have fake ID that is good enough to fool someone. At a bank, that's probably good enough, but for small lines of credit, like buying cell service from some random minimum-wage worker in a Verizon/AT&T/Sprint/T-Mobile store, "good enough to fool someone" is probably a pretty low bar.

          It also basically amounts to a complete ban on credit cards issued by online retailers (Amazon, B&H Photo, etc.), and having people trained to do adequate veri

        • The SSN is not the fundamental problem, ignoring arch-conservative objections to any form of official identification for a moment. The fact that your knowledge of SSN is taken as verification of identity is the problem.

          What would happen is that anyone who wants to authenticate your identity takes the SSN, goes to a public government database to get a public key associated with that SSN and then uses that to request verification from the cryptoprocessor in the ID card that it belongs to that SSN.

          The number w

    • by micheas ( 231635 )
      The biggest problem with SSNs is that they are assigned in a way that means that someone who knows your date of birth, the state you were born in, and the publicly available formula for assigning SSNs can typically guess within ten tries if you were born in the US since 1984.
      • You don't need the formula. The vast amount of identity theft comes from data breaches, throwing out papers that includes this number, etc.

    • by jbengt ( 874751 )

      . . . there's nothing better right now that's a secret that people know (kind of) to not share broadly . . .

      SSNs were never set up to be secrets, are not secrets now, and should never be used for identification.

    • The other "verification" financial institutions use online is awful. They ask you things like which previous address is associated with you... well there's always at least 1 question where none of the answers are correct, and there's no option to indicate that.
  • Easy solution... (Score:5, Insightful)

    by VeryFluffyBunny ( 5037285 ) on Friday April 29, 2022 @04:03PM (#62490326)
    ...hack congress & the senate's records to get their SSNs then publish them on the open internet. I'm sure they'd find a way to resolve the issue then.
    • ...hack congress & the senate's records to get their SSNs then publish them on the open internet. I'm sure they'd find a way to resolve the issue then.

      Well, there would be an issue to resolve, but finding lawmakers immune to identity theft due to self-imposed loopholes that reveal that their wealth isn't even in the US banking system, isn't exactly the corruption you were targeting.

    • by chihowa ( 366380 )

      I'm sure they'd find a way to resolve the issue then.

      Yeah, they'd pass a law making it illegal to misuse congresspeople's SSNs (including publishing them online) and be done with it. The hoi polloi can f right off.

  • by metrix007 ( 200091 ) on Friday April 29, 2022 @04:10PM (#62490340)

    Yes, it's stupid that so many organizations rely on it as an identifier, but:

    - Identity theft isn't the issue it's made out to be. It is for banks as they lose money, but consumers can refuse and dispute charges without any real issue.

    - An SSN is rarely the sole thing used to identify an individual to an account, it's one of many identifiers.Sounds like the person who submitted the story should switch banks if they are so lax as to grant access to the account just from knowing the last 4 digits. Chase for example doesn't do that, nor do any of the big banks.

    - You don't HAVE to use SSN as an identifier, and technically it's meant to be illegal to demand it, it's just become a de facto practice. Make a fuss, speak to a manager, and you can open an account without one so long as you can provide enough other documents proving your identity. Although in practice they probably can match you records to other data and get your SSN anyway.

    - Lastly, there is a process to change your SSN if you've been a victim of identity theft, it's a high bar to clear but far from impossible. I know, I've done it. The SSN website even has an entire page devoted to how to go about it.

    • As a Power of Attorney for a family member, I've noticed some institutions require much more than a Social Security Number to get any information. It really varies by institution. I've had some give me full access if I can answer all of the questions correctly, some demand to see a human that matches the description on the account documents, and everything in between.
    • by msauve ( 701917 )
      > you can open an account without one

      Not in practice. To open an account you're required to provide your TIN (Taxpayer Identification Number), which happens to be exactly the same as your SSN (so that's what they ask for, because it's the number people know). Next to impossible to make them different.
      • For banks that is true, but you don't need to provide it to any other type or organization or company that requests or even demands it, and technically it is illegal for them to do so.

        Anyone with a non-US citizenship can use their passport number in place of an SSN or ITIN, and for US residents without, the workaround is to open a business account with an EIN which you can apply for an obtain from the IRS. You need an LLC to do this, so it's a little more expensive with a minimum fee of $50/year for the LLC

        • You keep on making generic statements, but then backtrack. The OP is talking about banks, you make a statement you don't need a SSN to open an account, but then backtrack "oh, except for banks". You say "you don't need to provide SSN to any other type of organization", again, total BS - you cannot be paid any wages if you don't provide you SSN, you cannot collect any jackpot at a casino if you don't provide your SSN, you cannot get your utilities (electricity, gas) or cell phone service setup without a cred
          • I write my original comment very casually, wasn't expecting it to be so dissected. Nothing I have said is incorrect except for the people desperate to point out gotchas.

            As I said, you were right that in general a US Citizen is asked for a a TIN, but there are ways around this. I haven't backtracked on anything, I've clarified. I simply pointed out there are workarounds.

            Now you're mentioning employers when I said you don't need to provide your SSN to any organizations, and that just seems like desperation on

        • by msauve ( 701917 )
          You have a short attention span, and can't even remember what you have written. Let me refresh your memory...

          - ... for banks ...
          - ... should switch banks...
          - You don't HAVE to use SSN...

          If you're talking about banks, you can't come back and say you weren't when it's pointed out that you're incorrect.

          • No, I don't have a short attention span. You sad people so desperate to play semantics to win internet points and feel smug are everything that's wrong with the internet today.

            I agreed with the guy that said "not in practice". This doesn't negate my original comment. The point I was making is that there are workarounds. I maintain you don't need an SSN to open a bank account. I know that to be true because I've done it more than once.

      • by Khyber ( 864651 )

        As I hold my TIN papers in hand, it is NOT the same as my SSN.

  • ...have tried this with me, but I adamantly refuse to fork over my SS number to, say, an internet provider. Instead, I have them create a 5-digit PIN. Really, though, this is little more than just sending a message to them, since they will more than likely do a credit check on my anyway if I'm a new customer. So, they will know my SS number regardless.
    I absolutely agree that privacy is not taken very seriously in this country. You need to take responsibility for protecting yourself, because many businesses

  • by Sique ( 173459 ) on Friday April 29, 2022 @04:14PM (#62490354) Homepage
    I have the same issues with biometric access methods. Once someone gets your fingerprint, your retina pattern or whatever and is able to reproduce it, your biometric security is doomed, because you can't change it.

    The reproduction does not have to be perfect, it just has to be good enough to fool the access system. The Chaos Computer Club in Germany for instance managed to get an official German passport with the fingerprints of Germany's Minister of Interior affairs stored on its identity chip. How they did it? At an public event someone took the glass the minister was drinking from, when he returned it to the service personal, took the finger prints from the glass and made a plastic pattern from it. When he then went to get a new passport, he covered his fingertips with the plastic patterns before his fingerprints were taken, and thus, instead of his own, the minister's fingerprints were stored in the database and then in the passport.

    • You *can* change your social security number.

      You can *also* get yourself a Tax ID number, which is the same format as social security numbers, except the 5th digit is odd instead of even, and is legally good everywhere a social security number might be required.
  • by VeryFluffyBunny ( 5037285 ) on Friday April 29, 2022 @04:15PM (#62490356)
    Where I live, it had already begun before the pandemic but was accelerated & broadened during it: Putting most govt services online. People were travelling to govt offices & waiting, sometimes hours, to show their govt ID card in order to give, receive or change information on a govt database. They now give everyone who wants one a "digital key" with which they get by proving their identity in a govt office once & from then on, can log on to govt websites securely & easily, no passwords or usernames to forget & get sent reminders by insecure email. Lose your key, phone, laptop? Go to any govt office & get it changed, the old key is cancelled & your new one works with every govt service immediately. It works with healthcare, unemployment, inland revenue, voter registration, etc., so you can pretty much do everything without leaving your home. It's incredibly popular.
  • It is obvious identity is not authentication. Known my name, or my mother's maiden name or knowing how I got rid of my warts, spunkwater? dead cat? or split bean? will just confirm someone knows me well. It does not mean that someone can claim authorization from me for anything.

    But often one is able to use such information, open credit lines, and run away leaving the the real person to deal with the consequences of ID theft. Why? Why can't we lock our creditlines? Why can't we tell credit reporting agenci

    • Why can't we lock our creditlines? Why can't we tell credit reporting agencies, I am not seeking credit.?

      You can. Each reporting agency has a process to do so.

  • This morning I called my bank and was asked for the last four digits of my SSN and they somehow accepted my identity because I knew those four digits.

    If you called from home or your cell, they probably have those numbers on file and were asking for your SSN to corroborate that you were someone associated with that phone number. In addition, companies often have their computers and phones linked so when you call the computer can use the caller ID to automatically pull up your customer record. Not saying your bank has that, but I used something like that at a small software development company. Obviously caller id isn't spoof-proof, but that's a business

  • The SSN was never meant to be a password. It is only supposed to be your unique ID from a govt standpoint. Businesses too can and should have it to connect with your legal identifier.

    Any business using it as a password though, that is totally wrong.

    And even for a unique ID, it is always good to keep it secret. We do this with lots of identifiers like our employee number, our driver's license number, etc. It's just smart to prevent others from accessing your records given the ID.

  • Here's why (Score:5, Insightful)

    by Rosco P. Coltrane ( 209368 ) on Friday April 29, 2022 @04:37PM (#62490416)

    SSNs are used as proof of identify because Americans refuse ID cards on the grounds that they don't want to be tracked by the government, retain their God-given freedom to live without Nazi-like papers issues by the state and yada-yada.

    But Americans are all assigned a SSN at birth (because they all like social security, even if it's a government thing - surprise surprise...) and other businesses need to verify their identities somehow. So the SSN has become the de-facto ID card.

    Hence the terrible brokenness of it.

    The day Americans decide to accept an ID card like everybody else, the problem will be solved. Until then... well, Amerca will remain a land of contradiction: puritan that makes tons of porn, lover of peace and democracy that wages war everywhere, with a population profoundly attached to freedom that accepts to live in a crypto-fascict plutocracy.

    • This is bullshit, if you Drive in America you have an ID card - your state issued driver's license. If you don't drive you have a state issued ID. Just because it is not a 'national ID card' doesn't mean we don't have an ID card system.

      And just try opening a bank account without a 'state issued but not national' ID card.
      • ... and it's also untrue in that in the UK also doesn't have mandatory ID cards or an SSN. The closest equivalent is a driving license card (that it isn't mandatory to carry, even when driving) and a National Insurance card and number that isn't used for anything at all as far as I can tell. I'm pretty sure I've lost mine.

        Yet somehow banks still exist. There are many ways of proving identity beyond a state-issued number or document.

    • by PPH ( 736903 )

      because Americans refuse ID cards

      Because we don't want private businesses to build dossiers on us across all of our various commercial and other relationships. I don't mind setting up an ID and password with each firm or person I do business with. But they can all be different, making it difficult to link my activities to me as a unique individual*. The only consistent ID that is asked for is a SSN. I provide that to those who have a legal need to know it. For everyone else, I say I forgot it and don't carry a card. Or I lie (that is only

    • by clovis ( 4684 )

      But Americans are all assigned a SSN at birth (because they all like social security, even if it's a government thing - surprise surprise...) and other businesses need to verify their identities somehow.

      Sort of.
      Americans are not automatically assigned a SSN at birth.
      The parents are given the option to request a SSN from the entity issuing the birth certificate.
      https://faq.ssa.gov/en-us/Topi... [ssa.gov]

      Not everyone says yes, but people usually say yes because the child must have a SSN for the parents to get the dependent deduction from the IRS or the Child Tax Credit.

  • by qzzpjs ( 1224510 ) on Friday April 29, 2022 @04:38PM (#62490420)

    They're asking just to to verify that it's you. They've already pulled up your record and want to make sure that your answer matches what is on their screen. Especially if they have multiple records with the same first and last name.

    In Canada, they may typically ask you to provide one or more details like phone number, address, or postal code. I've even heard tellers in a bank ask for info on previous transactions to help verify identity. I've never been asked to provide our SIN number though which is our equivalent to your SSN. That is a bad practice.

    If they're using it as the actual account number, I'd cancel all business with them and find another company to work with. Only tax related services like banks and investment companies need the number.

    • It used to be the case that most places asked for your SIN.
      There was a huge push around 2000-2004 where the federal gov't told businesses to not use SIN as an identifier.
      College IDs changed, recovery ID question of "what is your SIN" changed, internet and utilites stopped asking for SIN. It was a huge difference than what was the norm in the 90s.

      The office of the privacy commissioner (priv.gc.ca) reaffirmed that "No private-sector organization is legally authorized to request customers’ SINs for pur

  • by battingly ( 5065477 ) on Friday April 29, 2022 @04:50PM (#62490466)
    Ok, so you were on the phone with your bank. How do you expect them to verify your identity in that situation? The best they can do is ask for some information that is not easily obtainable with a google search. The last four digits of your SSN fits that requirement.
    • by porges ( 58715 )

      There are ways. I've been asked to verify the amounts of the last 3 checks I've written, back when more things happened by check; generalize as you like.

  • by Murdoch5 ( 1563847 ) on Friday April 29, 2022 @05:01PM (#62490488) Homepage
    It's really no different then providing your DOB as validation of identity, and it's broken, stupid, poorly implemented and a disaster in slow motion. Lets ignore the SSN (or SIN), and use DOB or Mothers Maiden Name, can anyone get this information? Of course they can! Asking someone to provide public information, doesn't validate you're who you claim, any more then asking if you like coffee or tea.

    What is the right way to get around this problem? I think the only real solution is to build a system of Multi Factor Identification and Authentication, that relies on held zero trust secrets, public keys, and a biological / DNA based access token, for updating, changing and cycling the information involved.

    Lets assume you have to change your phone plan, or you want to update your license plate, how would this system work? In my naive approach, you'd generate a one time QR code, place it on an ID chain, that's signed and encrypted with a private key, have the company / government scan the QR code, after decryption it with their keys, then provide with some MFA (TOTP, etc...), and validate that X updated Code Y for reason Z, destructing and destroying the token after it's use.
    • by godrik ( 1287354 )

      I get the sense that SSN, DOB, Mothers Maiden Name were originally used for disambiguation more than identification. Then overtime, it became a security feature, and that's things went south.

      • by kmoser ( 1469707 )
        I doubt your mother's maiden name was used for disambiguation. If two brothers with the same named opened an account with the same bank, they'd have the same name and same mother's maiden name. I'd bet MMN was *always* used for security.
  • Banks are required by law to verify your identity and report any interest income you get from the account. SSN is a pretty effective way to do that (and may actually be required as part of the identity verification, for all I know). To get a cell phone account, the carrier is going to do a credit check, and they can't do that without SSN.

    Using it to verify you're you in future contacts is a matter of convenience. Not the best way, sure, but it's something they already have.

    (And BTW, you can get your SSN cha

  • While the poster blames Equifax they really should blame the IRS. CGP Grey explains this very well

    https://www.youtube.com/watch?... [youtube.com]

  • Well, it's also laziness and because using a more secure form of authenticating identities would be expensive.

    * For one thing, the IRS can see that the same SSN has jobs all over the United States that would be physically impossible for any one person to do. They see it on the filings from their employers. By law they are not allowed to let other TLAs know there are a dozen employers all filing tax forms showing the same employee working in 4 different states. The IRS doesn't care if you earn your money b

  • Ask to have a meeting with the local branch manager. Let them know how unacceptable it is to use SSNs for security. Ask them if they have plans to change that and when. If they don't or won't change that, open a new account somewhere that takes security seriously. Vote with your wallet.

"Being against torture ought to be sort of a multipartisan thing." -- Karl Lehenbauer, as amended by Jeff Daiell, a Libertarian

Working...