Which is the fault of the person treating it as a password.
If I said
"can I have a loan, my name is John Smith from 123 Main Street"
And the bank gave me money and stuck it on John Smith's account, people (John Smith) wouldn't stand for it.
In an ideal world SSNs would be published in a global lookup list, getting rid of the entire idea in the average person's head that SSNs are secret information when they aren't.
Could just replace that with "in other countries".
Where I live my personal number is considered public and the government will give it to anyone asking. Authentication is done using one-time codes, certificates, identification cards and similar. Nothing stops a company from treating the personal number as some authentication factor, but it would make no sense.
It's a secret that you are compelled to share with many many entities. And apparently it is hard coded into 'too many' places to change. I would bet the US is still using SSNs of the exact same format when I'm long dead.
Ignorant American question... in not-in-person transactions, how do they make sure that the one-time code/certificate goes to John, not just someone claiming to be John? Is there some centralized password issuer/validator that can only be reset in person?
Here in Austria there is a free phone app (Handysignatur) that allows you to authenticate to a variety of services. It's a two-factor system, so someone would need to steal both your phone and your password to impersonate you. For initial activation, you need to go to a government office and show your passport to verify your identity.
It's mostly used to log into government services, but you can also use it to digitally sign arbitrary PDFs.
Banks have their own system where you need an app from the bank to confirm your identity when logging into your bank account or to authorize payments.
As far as I know, identity theft is really not much of an issue here. The biggest weakness is phishing (e.g. people could call pretending to work for your bank, asking you to confirm something on your phone app).
Here in Germany you either get some username and password in person, set up an app for 2FA, or sometimes you get two different letters (one with the username and another one with the password). I guess so that it is slightly more difficult to intercept both.
For a few services if you forget the password you get the letters again.
Yeah, it's crazy the extent to which banks have gotten away with shifting the blame onto consumers in the USA for "the bank didn't verify your identity and we got defrauded, and now we will falsely report this debt as yours with minimal consequences to us, and it's on you to prove that something didn't happen".
> Which is the fault of the person treating it as a password
Fault isn't the important question. Often the damage is done to the SSN owner, with zero consequences to the person/organization who misuses and/or mishandles the data.