> Social Security numbers are the keys to the kingdom. In this country, people get a unique number when they’re born, and the Social Security Administration tells them it’s secret and valuable. Then we use that number to pay taxes, to get government benefits, to apply to college, to get a mortgage, to apply for a car loan, to open a bank account, to track our credit. We’re asked to hand over this number again and again to institutions that have failed to guard it.
This is the problem right here.
To that sorry list, I would add medical providers' offices (doctors and dentists), all of which seem to request social security numbers for some reason on their patient intake forms, when all they should need is the patients' insurance information as printed on their insurance card.
Regarding all the Social Security number issues, it somehow reminds me of the Onion title "‘No Way To Prevent This,’ Says Only Nation Where This Regularly Happens" (I know USA is not literally the only one, but almost) - plenty of places have something similar to that number, but USA is pretty much unique in treating simply knowing it as some kind of identity proof. "Something you (and a bunch of others) know" doesn't cut it.
Don't forget a DVD rental card at Blockbuster. Yep, they used to ask for it just to become a member but you could of course not fill it in and they would still accept your membership.
I still remember them asking me for mine. Pure jokes.
> The trash pile included recent membership applications, each revealing the customer’s birth date, address, phone number, driver’s license number and signature.
More alarming, each application also contained a credit card number and expiration date, and many included a Social Security number.
Talk about a violation of privacy and leaking sensitive information. This is why you can't trust big companies with anything sensitive.
Old timers told me when Social Security was first started, the American people were promised that the number would never ever be used for anything but Social Security.
It's interesting, in Canada and probably other countries, the corresponding ID code cannot be used as primary key, like for employment records. And somehow their societies function.
Tip: I leave the social security number blank for medical providers, and have never been asked for it verbally except once. I told them I don't feel comfortable with it, and the person said that was fine and moved on.
If you're giving your SSN to your doctor you're doing it wrong. Just leave the field blank. End of story. You don't need to give them your SSN and the practice has been largely phased out due to HIPAA.
I don't have a SSN (I'm not an American citizen), but I've spent quite a bit of time in the US. I had a bank account, driver's license, registered a car in my name, etc. etc.
What stops you from just refusing to give out your SSN, or simply saying you don't have one (even if you do?)
Obviously getting a credit card might be annoying, but to get around that I just put down a $500 "bond" and got a Credit Card with a $500 limit (so the bank was guaranteed not to lose its money).
Can you not just refuse to give out your SSN and still get on with life in America? (I get on OK without one)
In other countries with ID numbers like this, I wonder how much of a difference is made by requiring that institutions be liable for fraud, rather than shielded from such fraud, forcing them to use more secure methods of verifying identity/possession by default.
Example is chip+pin, which is widespread in Europe but not really available in the US. Chip+nothing (which is still better than a 16-digit number) is becoming more commonplace as the liability protections that the magnetic strip enjoyed are disappearing. People react in self-interest, and the fact that you become liable for fraud if you take the strip instead of the chip means that there's a large incentive to move away from the magnetic strip.
I'm sure if you dig into it you'd see similar provisions that protect other organizations, either through law, regulation, or just protection of "industry standard practices", from being held directly liable if they use the SSN for identity verification rather than insisting on a more reliable hard-to-exfiltrate identifier.
> To that sorry list, I would add medical providers' offices (doctors and dentists), all of which seem to request social security numbers for some reason on their patient intake forms, when all they should need is the patients' insurance information as printed on their insurance card.
Insurance information changes over time though so it's simpler to just request the government issued GUID and use that to make sure you're associating the patient files correctly.
I think the only real solution would be for smart cards to come back into vogue and assign everyone a unique key along with their SSN. Proofs of identity for things that matter, i.e. loans and other financial work, could then be secured without significantly interfering with its use as a unique identifier in cases where it doesn't need to be secure. (As wrong as it is to use SSNs that way it's ingrained enough in interactions and systems that trying to cut that off would be a big pain.)
Is there any harm in choosing a random number as your Social Security number? Since it is supposed to be secret how can anyone verify it? Apart from special situations like filing taxes where one would use the real SSN.
I am not a US citizen and I have no idea what is the real life use of SSN.
> We’re asked to hand over this number again and again to institutions that have failed to guard it.
You’re asked to hand over the number, but you don’t always have to provide it. Really only the government needs to identify you with this number, and only for purposes related to the social security system. You don’t have to give it to your doctor’s office or bank. Often, a simple “I’d prefer not to disclose this because of identity theft” is fine. They may press you for it, and most people are too timid to resist. If they are insistent I’ll just make up a random string of digits and that’s always been ok. All they are looking for is nine digits so the computer form they are filling out lets them move on to the next page.
What does "identity theft" have to do with the person being impersonated? They have nothing to do with these transactions. It is not my fault Wells Fargo was tricked into giving someone a bank account under false pretenses. Why in the world does that have anything to do with me? And why in the world is Wells Fargo not liable for damages?
Around the time of the Equifax breach, there was a discussion here that put it succinctly. "Identity theft" is just a clever name for "fraud" that shifts the responsibility away from the bank.
I mean, they ARE liable in the sense that they will have to eat the loss (the money they loaned out won't be repaid). The problem is that for them, this is just a cost of doing business, and that cost is already priced into interest rates... the cost to the person who has to prove it wasn't them has no return and is only negative.
It’s even worse for people using prepaid banking cards like GoBank. I got issued one of these debit cards from an employer. Months later, someone skimmed my debit card presumably at a gas station. While at home, someone withdrew $265 out of my account.
I call to report it. The 800 number says you can email the dispute but an operator told me that was outdated. I’d have to mail it into a PO Box. I repeatedly asked if they would inform law enforcement as dozens of other people’s cards were likely stolen.
Approximately a month later, GoBank responds and denies my dispute. I then searched for the executives, emailed them, someone called me and the next day my money was returned. Yet I’m assuming no one investigated the actual theft.
If you ever have problems communicating with customer service people, the only thing you can do is email the executives and suddenly you have a real person capable of understanding and making actual decisions.
You can draw an analogy to price elasticity in economics (more directly, the cost of switching). Because of identity theft, the expected cost of business between you and the bank has gone up. Who has an easier time switching to an alternative: you (to another bank), or the bank (to another customer)? Based on that, you can conclude, fairness aside, who ends up carrying the burden of addressing the identity theft.
You're right of course, but I wonder if the status quo were to suddenly change so that banks are liable, would credit suddenly restrict and cause a recession or worse?
> And why in the world is Wells Fargo not liable for damages?
This is more or less a digital question in an analog situation.
What I mean by that is they could very well be liable however the cost, trouble and barriers to pursue this make it impractical to enforce that liability. This is often the case in both business and life unfortunately.
Because they identify people using Tax ID, obviously. Plus birth date and other information. So if they need to go after an account holder, whoever they find with the matching Tax ID is "it".
And then it's your responsibility to prove that you're not "it".
But turn it around. How else would they identify people? I suppose that they could collect fingerprints, iris scans, DNA samples, etc. But for >99% of cases, that's overkill. And too expensive.
In a way, this just reflects the fact that anyone can sue anyone. And if sued, you must defend yourself. So basically they're just using Tax ID to decide who to sue.
The concept of identity theft is a massive scam that not only lets financial institutions shift losses to other people, but then they get to double dip by selling ID theft prevention solutions.
If your government is not willing to step up and protect you, who do you expect to prevent these abuses? I think you know the answer to all these questions. Might makes right.
Here’s[1] an early picture of a social security card where it says plainly it’s not for identification purposes.
What’s the better solution — the government making it so you can change your ssn? Or legislation that shifts the liability burden of identification entirely onto the lender?
I don't know how common this is in other countries but in Norway we have a common system called BankID which is pretty much the de-facto way to identify yourself when applying for government services, bank loans or basically anything else "important". It usually consists of a two-factor authenticator issued by your bank, a password and your "birth number" (basically SSN); if you have all three, as far as any bank or the government is concerned you "are" the person. However since it is so robust I don't think it can be exploited unless you royally fuck up. I wonder how the per capita identity theft cases in Norway are compared to the US because of this system; I would think much lower.
Maybe the most ridiculous aspect of US credit reporting: federal law only mandates that you be able to obtain a free copy of your report once per year - why is this not “whenever the hell you want”? It just generates a PDF from their database!
I mean, federal law has little to say about the pricing of PDFs generated from databases in the supermajority of instances. Lots of them cost tens of thousands of dollars. The price is what the market will bear, etc etc.
From the perspective of a savvy technologist talking to another savvy technologist on how to optimize for their preferred outcomes in personal finance:
1) You probably do not need credit monitoring more than 3X per year unless you are actively applying for a mortgage, because you are unlikely to get signalful updates from it which will change how you conduct your affairs in a fashion which optimizes for your interests.
2) But if you do not take my advice on #1, you can get free ~weekly reports from e.g. Amex or Capital One or Chase as a function of having an account with them. Of this group, note that you can open a checking account with Capital One with an initial deposit of IIRC $1 and keep it open forever.
> In this country, people get a unique number when they’re born
Fun fact, social security numbers are not unique. [1] Apparently 40 million of them have been assigned to multiple names, and there's a 1 in 7 chance that any given SSN is not unique.
I skimmed so apologies if this doesn't resonate or was answered, but here in OZ we have what is called "100 points" tests which demands more than one item of ID, and not just knowing the value, but a 'what you hold is who you are' receipt from a government agency.
The burden of proof for KYC is higher basically. Not that fraud and identity fraud don't happen: we have some very famous cases of land titles being swung on wafer-thin proof of identity, which lost people significant amounts of money.
I just feel the US 'social security number' thing is a problem which is in large part of US state/federal making: you drove too hard to a single weakness. Much like your voting fraud risk, you took it too far.
To me the worst is that there seems no way to clean this up. Like the story when he applies for a mortgage and they tell him not to bother. At least at this point you would expect somebody to take a look and clean this up. But instead the machine keeps going.
> Two-factor authentication for bank and credit card accounts would be a start. Banks should probably make it harder to get a new credit card than to log in to Gmail. Creating a web of multichannel identity verification using devices we carry around all day already—conveniently equipped with fingerprint scanners—would likely make some types of fraud more difficult.
Would it, though?
To protect against the type of problem in the article, the second factor would need to come from some sort of official government database. Otherwise, I could just walk into any bank where my victim didn't already have an account and say "Hi, I'm so and so, and I'd like to open an account and sign up for a credit card."
Also, it's not as though iPhones actually send a copy of your fingerprint to the bank. Actually doing so—and relying on it—would introduce a host of other problems.
We have the CPR (Central Person Registry)-number in Denmark which is handed over to various authorities and can also be misused for fraud, to which degree I'm unsure of, but I have heard of some nasty debt issues people struggled to get out of. What's worse is that the generating algorithm is based off of your date of birth and if you have the date of birth for the victim you can run the algorithm rather easily and come up with 10-20 potential CPR-numbers (I can't remember the exact num., but it's approximately in that range) whereas one is the valid one for the person you wish to defraud.
EDIT: Unsure about possible CPR candidates when reversing CPR numbers. There have been some updates to the way it's working post 2007.
This is one of the rare highly-charged issues in our country that's also bipartisan, and it's been rapidly gaining space in the public awareness in recent years. I wouldn't be surprised if some legislation actually makes it to the floor. In an era of broad dissatisfaction with the US government, this seems like easy political points waiting to be scored.
> The good news? With so much stolen information in circulation, there’s almost certainly an oversupply of raw materials for fraud and an undersupply of willing criminals.
This is what I've always used as cold comfort. Given the degree of anarchy on the side of the actual data, and given that society hasn't totally collapsed yet, it must be that deterrence by companies and prosecutors is good enough on its own to keep fraud from happening everywhere it could. Even though chances are high that your information is out there, chances remain relatively low that you'll actually be targeted. Of course you still want to keep yourself out of that minority by freezing your credit, etc., but it's something.
Right, it's privatized profits from having a cheaper insecure system with lower sign-up friction, and socialized losses because uninvolved third parties and law enforcement have to pick up the pieces and find the guy to make an example of.
The fraudulent activity got his name put on a government watchlist, probably while the perpetrator was still actively posing as him. Once you get on these lists, it can be extremely difficult or impossible to get back off.
The currency questions imply that they didn't have enough information to arrest him (and were quite possibly aware of the mistaken identity issue), but didn't want an actual thief to escape jurisdiction with stolen money.
[+] [-] arbuge|6 years ago|reply
[+] [-] PeterisP|6 years ago|reply
[+] [-] nickjj|6 years ago|reply
Here's an article from almost 15 years ago where one of the Blockbuster locations dumped a bunch of customer forms in the street where most forms had people's SSNs on it: http://legalshred.com/east-side-new-york-blockbuster-dumps-c...
[+] [-] JJMcJ|6 years ago|reply
[+] [-] omarhaneef|6 years ago|reply
[+] [-] siculars|6 years ago|reply
[+] [-] grecy|6 years ago|reply
[+] [-] andrewla|6 years ago|reply
[+] [-] rtkwe|6 years ago|reply
[+] [-] gondo|6 years ago|reply
[+] [-] ryandrake|6 years ago|reply
[+] [-] momokoko|6 years ago|reply
[+] [-] matmann2001|6 years ago|reply
[+] [-] sorokod|6 years ago|reply
> This reminds me of a great Mitchell and Webb sketch. https://youtu.be/CS9ptA3Ya9E
[+] [-] cortesoft|6 years ago|reply
[+] [-] appleshore|6 years ago|reply
[+] [-] arugulum|6 years ago|reply
[+] [-] yrro|6 years ago|reply
Surely the identity thief, the actual criminal who committed fraud, should be liable?
[+] [-] binarymax|6 years ago|reply
[+] [-] dangero|6 years ago|reply
[+] [-] gist|6 years ago|reply
[+] [-] mirimir|6 years ago|reply
[+] [-] tylersmith|6 years ago|reply
[+] [-] caconym_|6 years ago|reply
[+] [-] dev_dull|6 years ago|reply
1. https://www.shutterstock.com/image-photo/old-blank-social-se...
[+] [-] chrbarrol|6 years ago|reply
[+] [-] plaidfuji|6 years ago|reply
[+] [-] harryh|6 years ago|reply
They don't work with Experian, but you can create an account with them directly for free and get a copy updated monthly.
[+] [-] patio11|6 years ago|reply
[+] [-] gnicholas|6 years ago|reply
https://www.nbcnews.com/technolog/odds-someone-else-has-your...
[+] [-] ggm|6 years ago|reply
[+] [-] Ididntdothis|6 years ago|reply
[+] [-] Wowfunhappy|6 years ago|reply
[+] [-] manjana|6 years ago|reply
[+] [-] _bxg1|6 years ago|reply
[+] [-] harryh|6 years ago|reply
https://www.kalzumeus.com/2017/09/09/identity-theft-credit-r...
Short summary:
- do everything in writing instead of over the phone so there is a paper trail
- make sure you are writing to the right people on the other end
- present professionalism
- be calm and persistent. it can be a pain but you can definitely get this stuff fixed.
[+] [-] _bxg1|6 years ago|reply
[+] [-] mattnewton|6 years ago|reply
[+] [-] todipa|6 years ago|reply
[+] [-] blhack|6 years ago|reply
You cannot steal an address on the blockchain.
I mean my god, imagine if somebody rewrote bitcoin, except there were no private keys, and the public keys were only 9 digits long.
[+] [-] bookofjoe|6 years ago|reply
[+] [-] m-p-3|6 years ago|reply
https://ipfs.io/ipfs/QmXf6RkeMR1xGZ2DqWJiCytrGzvkPAPgjHmRthC...
https://cloudflare-ipfs.com/ipfs/QmXf6RkeMR1xGZ2DqWJiCytrGzv...
[+] [-] Alex_Romanov|6 years ago|reply
[+] [-] lisper|6 years ago|reply
https://faq.ssa.gov/en-US/Topic/article/KA-02220
[+] [-] onetimemanytime|6 years ago|reply
[+] [-] excalibur|6 years ago|reply
[+] [-] Bartweiss|6 years ago|reply
[+] [-] amingilani|6 years ago|reply
[+] [-] noer|6 years ago|reply
[+] [-] gumby|6 years ago|reply