
And earlier this year my ssn was on the dark web due to their leak (or vendor). One year of monitoring? No, I’m going to need it for life.

Security is not a concern. There is no real incentive to change the status quo. Make them pay for monitoring indefinitely.




I never understood the American secrecy about SSN... it should be a "username" not a "password"...

In my country you can calculate your own national id (mix of date of birth, autoincreasing number by each birth that day + 1 checksum number), and if you do/have any kind of personal business, your personal tax number has to be written everywhere, on every receipt you hand out or anything you buy as a business.

Somehow knowing that the first boy born today will have an ID number of 120702450001X (too lazy to calculate the checksum, but the algorithm is public) doesn't help anyone with anything bad.


It's because it happened gradually / naturally / semi-unintentionally, because:

1) SSN was not intended as a national ID, but it so happened to fit the shape of one, in that almost everyone has one and they're unique.

2) It has never been possible to institute an intentional national ID system in the US for political reasons.

That is the recipe for the problem we have now. Strong demand for a national ID from many business purposes, the existence of something that looks a lot like, but is an imperfect form of, national ID, and the refusal to create a proper national ID, has naturally led to a de facto system of abusing the SSN as a national ID and just kind of everyone being a little annoyed and sketched out about it but putting up with it anyway for lack of alternatives.

Incidentally, did you know anyone can generate a valid new EIN (which is a lot like an SSN, and can be used where an SSN can be used for some but not all purposes, specifically filing taxes and ) at this page https://www.irs.gov/businesses/small-businesses-self-employe... ? This isn't legal advice and I'm not a lawyer and I don't know in what situations you personally would be legally permitted to use this (it's meant for businesses, absolutely not some kind of personal alias) -- but technologically, it's just honor system, and anyone can certify they need and are entitled to a new EIN and the IRS web site will provide you with a new unique one. I don't think you even need a legal entity, since you don't need a legal entity to run a business in the US.


Also NAL, but watch out for how this is reported to states. California is currently $800/year min, even if the entity has no activity.


> Somehow knowing that first boy born today will have an ID number of 120702450001X

It's even worse. Only post-2011 IIRC births have an algorithmic SSN. So everyone over the age of 13 still has old fashioned sequential SSNs, where XXX-YY-ZZZZ is determined by

1) XXX is the code for the office that issues your card. Can be guessed precisely and accurately by knowing birth location. For example, I can guess what region of the US you were born in (or lived in when you immigrated) by the first digit. 0 or 1 is probably northeast. 4 or 5 is probably near Texas. 7 might be near Arkansas. Etc.

2) YY-ZZZZ is sequential by date! So by knowing just the birthday, it can be guessed to within a range. In practice, this means it's easy to guess YY alone, but harder to get all 4 digits of ZZZZ.

3) For some stupid reason it got popular to print SSNs with all but the last four digits masked. This is horribly bad because those four are ACTUALLY THE MOST SECRET PART! It's the only part that might not be guessable. But since it's common to be more lax with securing them..... it is super easy to recover the full SSN if you find a piece of paper that says something like

JOHN SMITH

123 Main St

Alabama City, AL 76543

In ref acct: XXX-XX-1234 (2001-03-14)

Dear Mr Smith,

Your account is overdrawn. Have a nice day.

Thinking of you,

The Bank

It also means if someone is personally known to me, even vaguely, I may be able to reconstruct their social seeing nothing but a scrap of paper that has just the last four, if I can guess approximately where and when they were born or first entered the US. If I'm in a situation where I can try several guesses, it's even easier.


> 1) XXX is the code for the office that issues your card. Can be guessed precisely and accurately by knowing birth location.

While the first sentence is true, the second is only true if you were born after the mid-1980s, when a Reagan-era tax reform was enacted. (It required a SSN when claiming dependents.) Prior to that, most people did not get a SSN until they got a job.


I looked this up and while your first sentence is true, the second (non-parenthetical) sentence is only true if you did not require any of the other services that required a SSN. There's a list of those under "Exhibit 2" (about 2/3 of the way down the page) on the SSA's website:

https://www.ssa.gov/policy/docs/ssb/v69n2/v69n2p55.html

tl;dr: If you had a bank account, applied for a federal benefit, were on food stamps, applied for school lunch, or did any number of other financial or government transactions, you needed a SSN starting in the 1970s. That's enough of an incentive that many parents might've just applied at birth, figuring that their kid will eventually need it. Also everyone born 1968-1981 would've likely gotten one in 1986, when the change you mentioned about dependents was enacted, and then after 1988 they started being required for issuance of a birth certificate.


I stand corrected. Thanks. I didn't bother to look it up, since I'm old and got mine when I started working. Although people born 1968-1981 were getting SSNs where they currently lived, which is not necessarily where they were born; which was the original point.


When I was in school (almost 20 years ago) this came up because someone mentioned the first 6 digits of their SSN and they matched mine. Since then it's similarly bothered the hell out of me that the practice is to mask all but the last 4 of the SSN and that a lot of places require you to enter your last 4 of your SSN.

I didn't know the reasons for the matches but them being my age and likely born in the same place as me made me realize those were identifiers and the last 4 were the unique bit.


A lot of financial things in the US are “secured” or anchored by SSN, that’s the only reason why. That and mother’s maiden name and first vacation and other security questions. It’d be less important with MFA now but SSN is also needed when opening new credit, so having it allows you to pretty easily fake someone else’s identity for credit. KYC hasn’t removed it from the equation.


One mitigation is to make your mother's maiden name the output of:

    head -c 20 /dev/random | base64

And keep track of the result in your favorite password manager.

Fortunately, fewer and fewer orgs are using security questions, but there are still some important ones that only use that and no MFA.


The problem with that plan is social engineering attacks. CSRs are often careless and will accept 'a bunch of random letters and numbers' as the answer rather than validating each character.

Better to randomly select a long dictionary word or hyphenate a few together. Equally unguessable but easily verified, so it won't be weakened during a phone conversation.

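As an added example that is not from any commenter in this thread, the following Python compares the entropy of the two answer styles discussed above (raw random bytes piped through base64 versus a few random dictionary words) and builds a hyphenated word answer with the `secrets` module. The 32-word list is a constructed stand-in; a real diceware-style list would be loaded in its place.

```python
import math
import secrets

# Constructed stand-in word list (32 words = exactly 5 bits per pick).
# A real diceware-style list has thousands of words; pass it via `words`.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nickel",
    "orchard", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr", "bridge", "copper", "dagger",
    "engine", "forest", "glacier", "hammer",
]


def random_bytes_answer_bits(n_bytes: int) -> float:
    """Entropy of `head -c N /dev/random | base64`: base64 adds length, not bits."""
    return 8.0 * n_bytes


def word_answer_bits(n_words: int, list_size: int) -> float:
    """Entropy of n_words picked uniformly (with replacement) from list_size words."""
    return n_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count whose entropy reaches target_bits for a given list."""
    return math.ceil(target_bits / math.log2(list_size))


def make_word_answer(n_words: int, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Hyphenated answer from CSPRNG picks (secrets.choice, never random.choice)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def is_phone_verifiable(answer: str, words=SAMPLE_WORDS, sep: str = "-") -> bool:
    """True when every token is a list word: a CSR can check it word by word."""
    parts = answer.split(sep)
    return len(parts) > 0 and all(p in words for p in parts)


if __name__ == "__main__":
    print("20 random bytes:", random_bytes_answer_bits(20), "bits")
    print("4 words from a 7776-word list:", round(word_answer_bits(4, 7776), 1), "bits")
    print("words needed to match 160 bits:", words_needed(160, 7776))
    print("sample answer:", make_word_answer(4))
```

Word answers trade raw entropy for verifiability: matching the 160 bits of the base64 answer takes 13 words from a 7776-word list, but even four words are well beyond what can be looked up or brute-forced through a rate-limited phone or web channel.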

"Mother's maiden name" won't work for my kids - my wife kept her name and the kids' last name is hyphenated, so you just have to guess whose name we put first.


It's also probably increasingly easy to look up.

We need a national (preferably RFID-ish) password system.


This comment pops up every time someone talks about social security numbers. Yes, they were never supposed to be private, but now they are. So either Congress can do something about it, or big companies can stop leaking them. Clever "well, actually"s didn't stop my identity from being stolen recently after a breach, and they never will.


They're not really private+, and nobody should design a system with the assumption that they are. afaik nobody does these days. There are extra authentication checks done in addition to simply "I have the SSN".

+ e.g. until very recently there were US states that used your SSN as your driver license number.


> I never understood the American secrecy about SSN... it should be a "username" not a "password"...

The problem is banks/financial services do a piss-poor job validating identity when issuing credit/opening accounts. "Oh, you provided an address, a SSN, and [non-random, easily discoverable personal fact]! Sure, here's a CC with a $150k limit!"

It's not the leak that's the problem; it's the ease with which that leaked data is used to either obtain fraudulent credit or access accounts.

I don't have a good answer, because at some point, a financial institution needs to trust people to do business. Customer loses their phone, so MFA doesn't work, ok, now what? I guess the customer needs to have one-time use recovery tokens saved somewhere that can't be lost? How many people do that (not nearly enough)? How many banks even issue those tokens? And what if the token store gets hacked? Now you're really fucked.


> Customer loses their phone, so MFA doesn't work, ok, now what? I guess the customer needs to have one-time use recovery tokens saved somewhere that can't be lost? How many people do that (not nearly enough)? How many banks even issue those tokens? And what if the token store gets hacked? Now you're really fucked.

In my experience with banking in Brazil and Sweden this is easily solved with an OTP device you get from your bank.

Brazilian banks before that used to provide a card of 50-100 tokens you'd use for authenticating, which is obviously dangerous as people would carry them in their wallets with their cards (and associated banking details). Since the early 2010s banks have instead provided a physical OTP generator that you associate with your account.

In Sweden if I lose access to my phone with my digital identification app (BankID) I can fall back to my hardware OTP generator to log in to my account, and authorise a new BankID installation in case I need a new phone.

It's a solved problem. Even though the US developed a lot of the tech industry, it feels like digital infrastructure is still in the late 90s for a lot of stuff; banking is a clear case, and government systems are another good example, e.g. the DHS website for visa application is atrocious: we are in 2024 and applying for a visa feels like an experience from when I navigated the web on Netscape in the early 2000s.


Totally agree. It feels like our banking is a decade behind - like transfer money - no direct way to do it between banks - most people use Venmo. Some banks are part of Zelle, but I’ve heard it has fraud issues (weak discovery/confirmation of correct recipient) and the banks won’t refund many fraudulent transfers (“You initiated the transfer! Not our problem you sent to the wrong person!”).

So, do you get a physical OTP generator for every financial institution? I guess that works, but that would mean I’d have a drawer full (2x bank, 1x work, current 401k, past IRA, and a brokerage account - x2 because my wife has about the same).

I was thrilled last year when I discovered I could renew my passport online! In 2023! That should have been available eons ago.


Drawer? I would say bank lockbox but that seems like a chicken and the egg problem. It's not entirely solved, sounds like.


SSN is too public for it to be private or secret. Multiple employers, schools, medical institutions, financial institutions all ask for it, so it's not private.

It's also treated as evidence of who you are, but it isn't tied to identification like an ID is. These institutions use it without ever truly validating it.

It's similar to how records fraud can occur - people can record anything to the local registrar office, including fraudulent documents, without any checks. Once it's registered, it becomes evidence against the real owner. It's really messed up.


Even the US gov't gave up on the notion the SSN was not to be used as an identifier. My dad's SS card had a phrase printed on it saying so. My SS card did not have that text.


My SS card has that text. I got into an argument at the DMV when they asked for it. I relented because I needed my driver's license.

Congress could solve this by enacting a simple law. Something to the effect of SSNs shall not be used as a means of identification by any party, governmental or otherwise other than the Social Security Administration. Use of an SSN as identification shall be subject to a $100 fine per each SSN used as identification, per day.


SSN might be the least of the problems in some cases in terms of the info leaked...

What about people who have called suicide helplines, abortion clinics, loan servicing, etc...

With the numbers available, that will be possible to find out...


When I went to college in the late 80s my ssn was automatically used as my student id. When I got my first bank account in 1990, they used my ssn as the account number.


Our class grades with names and SSNs were posted on the wall after exams in a list of hundreds of students.

Go Jackets.


Ah it was a different time. Societal trust was greater. Without global internetification, the only people who could ever have any opportunity to exploit this information were your fellow campus denizens (students, professors, etc).

Without global internetification, there was not as much an average person could really do or would know to do with an SSN alone to exploit it.

This story is a good parable for so much of what has changed in the world the last couple decades -- we had a world built for less globalization, then we globalized, and we've been gradually adapting to / dealing with the unintended consequences since then.

A real life door can only be picked by your neighbors or anyone else nearby -- attack surface is limited by the nature of physical distance.

A virtual door can be picked at by 7 billion people.


I wonder if the schools actually verified the SSN.

Would have been dank to see 666-66-6666 next to your name


My first big employer in the aughts had my SSN encoded in a bar code on the back of my company ID, which they expected us to display at the office.


It's okay, it will no longer be a problem after the Social Security Admin itself fails in the next decade for being unsustainable.


Why would that happen?

(Payouts are expected to drop in about ten years if no action is taken, but that doesn’t render the SSA irrelevant or cause it to suddenly collapse and shut down, so I assume you mean something else)



