Comment by 29athrowaway

9 months ago

Time for services everywhere to stop using SSNs for identification and for the US to move on to a more advanced form of identification.

And lock your credit.

What can an attacker who knows your SSN still do with that information nowadays? Genuinely curious, as the SSN is just this strange indistinct password thingy the Europeans like me hear about on HN but have no actual parallels with.

  • If they have your address; birthday; and SSN, a whole lot. Generally, they could apply for credit cards; loans; set something to bill to you; etc...

    Fortunately, it's getting harder without previous addresses or other verification methods.

    For non-Americans that don't know, our Social Security number is generally assigned at birth or when you become a citizen by the Social Security Administration. Social Security is a disabled or elderly benefit we all pay into (roughly 7.5% employee and 7.5% employer - ~15% total). It's the only number we all get, since not everyone gets a driver's license; ID; passport; or other identifier. Unfortunately, it's been used to identify us for everything, and until recently was typically in plaintext on most forms (medical; tax; student; etc...).

    CGP Grey has a good summary of how it came about and why it's become a problem: https://www.youtube.com/watch?v=Erp8IAUouus

    • > It's the only number we all get, since not everyone gets a driver's license; ID; passport; or other identifier. Unfortunately, it's been used to identify us for everything, and until recently was typically in plaintext on most forms (medical; tax; student; etc...).

      I fail to see the problem with that. As you said, it's an identifier, like a username or your full name. There should be no issue with everyone knowing your full name, or your username; why should there be an issue with everyone knowing your SSN, or it being in plaintext everywhere?

    • Do you need an SSN for voting? I heard that you don't need an ID (at least in some states), which was very weird for me, but if they ask for an SSN instead, that is at least something I guess?

  • The SSN is used as a way to genuinely identify someone, unfortunately - it’s like having to give out your password each time you rent an apartment or buy a car or obtain medical care or any number of other transactions. Having this info (along with other basic info like name/address/date of birth) lets you effectively pretend you are them. You can take loans out in their name or call some service to do a password reset (since you have all the info to verify you are them) or whatever else. But it’s not like there is one particular way in which the information can be used - it’s dependent on what businesses LET you do with that info. In 2024, NO business should use SSN to verify identity or authorize sensitive transactions but many do, and what they let you do varies significantly.

    • I think it’s important to distinguish between identification and authentication. As a unique database primary key, they’re fine. The problem was when a bunch of businesses decided it’d be too expensive to check things like government ID and started using them for authentication purposes. Nobody blinks an eye at using a phone number or email address on an application, but we should treat using your SSN or past addresses for authentication the same way we would if someone says they could approve a loan if you know your phone number and zip code.