Comment by kevindamm
9 months ago
At what point can we start demanding that SSNs be redefined? I've lost track of how many data breaches I've unwittingly been the victim of, and I'm usually more careful and paranoid than most.
9 months ago
At what point can we start demanding that SSNs be redefined? I've lost track of how many data breaches I've unwittingly been the victim of, and I'm usually more careful and paranoid than most.
We "just" need to stop pretending they are secret like passwords and using them to authenticate that someone is who they say they are. Banks should not be issuing loans based on a bunch of personal information (including SSN) that the collected and concluded "Yup, that data matches itself--therefore you are actually you!"
The whole system is broken in hilarious ways.
Unrelated but similar: I live in a rural area, so we don't get street delivery of mail. Instead, we need to apply for a PO Box. Every year, to verify that only residents are using the PO Boxes, the Post Office sends out a renewal form, and you have to show up with a current bill and your driver's license. The latter makes sense—the State, presumably, goes through the validation of your address, and you sign their forms under penalty of perjury, etc., the the former is hilarious.
So, to receive the very bill used to authenticate "current residency," the bill has to go through the Post Office (remember what I said about no street delivery? anything that's mailed to our street address goes... to our PO Box!), and then we show it to them to validate that we are receiving email to that address—which cannot be independently validated outside the driver's license.
The PO Box we're renewing is therefore used to validate itself. And the fun part is that if you delay in returning the form, they'll block off your box.
I have been arguing for a while that we need to implement some sort of public-key cryptography system for identity verification. It's the obvious solution, though admittedly implementing it will take a lot of effort. But it would at least eliminate a lot of issues with how SSNs are used in practice right now.
They (the government and banks) still use the phone number to authenticate you. I would not be surprised if they consider using SSNs to issue loans, etc.
Is there some reason my bank needs this information in the first place? I want them to verify that I am the owner of the account, I do NOT need them to verify my precise federal identity.
They are legally required to know your identity and, I believe, report interest to the IRS. If they don’t check your government ID, they’ll be popular with organized crime.
Now, I’m sure banks also love that for data mining purposes but it’s not entirely without a valid reason.
2 replies →
And we already have well regulated tools for getting away from the ssn nonsense. They're called notaries.
I'd love to see the government force companies to stop treating them like an ID number that's secret.
Maybe they should allow people to request a new number any time they wish and even hold multiple SSNs. Or create a virtual number system like some credit cards have where you would give every company that asks for a SSN a unique number that only they have. It would be cool to be able to tell exactly who had the data breach when your number shows up in a dump.
SSNs have always been clear that they’re identifiers, not authenticators - it’s printed on the card! The problem are the businesses who tried to skimp by treating them as secrets, and they invented the mainstream concept of identity theft to make it sound like their negligence should be your problem.
The fix should be simple: stop taking companies seriously when they only used an SSN for authentication. Ideally there’d be a law adding penalties: try to bill someone for a loan authenticated only by common metadata and they have to pay the target a penalty fine, allow insurers to deny claims, etc. As soon as it costs them money, they’d suddenly find the money to check ID like everyone else.
There's a really good video by CGP Grey that touched on this:
https://youtube.com/watch?v=Erp8IAUouus
I'm more and more convinced that the only way to do this is the "Swedish way", make all SSNs public and/or available on request.
Until that happens, companies will still pretend they're private information.