
The Way We Use Social Security Numbers Is Absurd - nols
http://fivethirtyeight.com/datalab/the-way-we-use-social-security-numbers-is-absurd/
======
WorldMaker
I've gotten into so many arguments about how the first five digits of an SSN
for nearly everyone born before 2011 (!), when they switched to a more pseudo-
random algorithm, are reverse-engineerable and thus you should never, ever
show the last four digits as that really is the only "secret" part of an SSN.
This argument is a "fun" circular argument that typically goes "Well, but if
we only show the first five, many families can't tell which social is whose
because they all look so similar..." "Yes, because it was an algorithm! We
should use something other than SSN to identify different people." "But how
will people _know_ which SSN their account is connected to?" "Why is their SSN
connected to the account at all?" "So they can identify their account!"
/facepalm

~~~
cheepin
I find it amusing that many places that will require "Strong" passwords with
numbers, letters, and symbols, will use 9 digits as if it is secure, many even
using just the last four!

~~~
baconner
This. There's nothing like setting up a rigid password policy to give the
_appearance_ of security, then providing a secondary super weak password like
SSN or easy-to-figure-out security questions. For many sites it's purely about
appearance with little real thought given to protecting users.

------
OrwellianChild
This strikes me as a pretty difficult problem, since it touches on personal
privacy, information security, and identification all at once...

The simplest solution would be a disassociated ID card with a 2 or 3 factor
identification (eye scan, fingerprint, etc.). Except this requires everyone to
register and isn't going to gain widespread support in the U.S. for privacy
reasons.

Info security just needs multiple factors, so require SSN and then an RSA-type
second-factor to authenticate. This would make it about as secure as GMail,
except for when you lose your PIN generator. I have backup codes for my
GMail... How do we handle lost PINs when it's personal ID at stake?

Identification could be as simple as a personal e-mail address... Except we
have all kinds of things tied to SSN as ID, including credit history, bank
loans, etc. that require proof of _individual_ identity, not just "unique
identification".

Is this a solved problem?

~~~
WorldMaker
A lot of it comes down to the mapping problem between the messy real world and
nice-ish structured things like relational databases.

Almost all of the "identifying" objects about a person (names, emails, even
fingerprints can change over time/accidents) change with time and
circumstance. That's hard to encode in a database or program against, so
identity is a harder problem to solve than people would like it to be.

People like 1:1 mappings because it is easy to map and report, but those are
rare in the real world. There is more than one John Smith. John Smith may have
more than one email address (at the same time even).

Credit Reporting Agencies are essentially tasked with doing an ad hoc mapping
of the vast fuzzy cloud of identifying statistics about a person to a 1:1
report ID. It should be no great shock to anyone that the Credit Reporting
Agencies will get this wrong sometimes. Sometimes I wonder if it's the Credit
Reporting Agencies that should just hand out identification numbers (here's
your Equifax Report #, use it to apply for credit from here on out; we will no
longer provide results without that specific ID #) and stop trying to corral
data that will always be wild and untamable.

~~~
OrwellianChild
I like the idea that the unique identifier comes from the credit agency rather
than the individual... Though this requires open disclosure of credit
reporting data, which might not be a bad thing, all things considered...

How do they validate you, though? You give them the unique ID, but what's to
keep you from reporting someone else's with a FICO score of 800 (top of the
chart, for those outside the US)?

~~~
WorldMaker
In such a hypothetical world the main thing stopping you would be that in many
cases you would need to provide three such identifiers (Equifax, TransUnion,
Experian) to get a full credit report. Presumably that redundancy alone would
actually help catch fraud in that world.

------
Retric
IMO, the idea anyone can resell dubious debt, use collections, or put
something on a credit report is the real issue. If you first needed to, say,
mail something to the address with the DMV, then simply having random info
becomes a lot less useful.

~~~
pacaro
This.

I found it amazing that the article didn't mention the role that the credit
agencies play in this. Almost all the time you are asked for your SSN,
certainly in commercial transactions, it's so a credit check can be run. The
credit agencies could solve this. They could even some it securely.

~~~
ars
And they don't even need the number to run a credit check!

When some utility wanted the number to run a credit check I said I could not
remember it. They ran the check anyway (using Name and Address), and read my
social back to me!

------
cesarb
As far as I know, the USA doesn't have identity cards. That's probably why the
SSN is often used as an identifier there: it's the closest thing to a "unique
identifier" they have. (Of course, treating it like a password is madness: as
an identifier, it _should_ be _public_.)

~~~
WorldMaker
A good majority of Americans have a state-issued driver's license (or
equivalent for non-drivers) with a unique identifier on it. I am absolutely
surprised we don't use these identifiers more often, especially given that
unlike SSNs, driver's licenses in most states don't have "Please don't use for
other identification purposes" written on them like SSN cards do.

Also yes, IDs are not passwords and should never be used for authentication
purposes. This is never "two-factor", it is always a "wish it were two-factor"
kludge.

~~~
WorldMaker
Of course, the issue with driver's license numbers is they do change when
people move. People like SSNs because they are handed out "at birth" and
mostly don't change in a person's lifetime. [*]

[*] I love the mostly clause here, because they can, in fact, change, and it's
sad how much software and credit reporting breaks because of that in-built
assumption that a person will ever have one SSN.

------
smegger001
Why not issue each citizen, immigrant, business, legal entity, something like
an RSA SecurID token with an associated public/private key pair?

~~~
sbierwagen
[https://en.wikipedia.org/wiki/Common_Access_Card](https://en.wikipedia.org/wiki/Common_Access_Card)

------
MichaelGG
It's amazing where they are asked for, too, and how easily people give them
out. Get Comcast cable? They ask for SSN, but it's not a showstopper. I just
told them I didn't have one, and that was that.

But a prepaid T-Mobile, recharging via CC over the phone? Asked for SSN and
insisted. When I said I was Canadian, they insisted on the Canadian
equivalent. Had to hang up and get another rep.

Why do Americans just go along with it and give their SSN out? Just say you
don't have one. Canada does it right. Upon getting a SIN, the government is
very clear that you are not obligated to give it out and that companies cannot
refuse service if you do not provide it.

~~~
_delirium
I'm not sure whether it's the reason T-Mobile is asking for it, but a number
of countries have added identification requirements for mobile-phone services,
due to pressure from law-enforcement agencies, who don't like the possibility
that people can buy anonymous "burner" phones & SIMs. In Denmark nowadays
nobody will sell you a SIM without tying it to a national ID number. Bank
accounts have similar requirements, to combat money laundering and tax
avoidance.

~~~
ubernostrum
Yeah, last year when traveling in Europe with a friend we had all sorts of
trouble trying to get her a SIM card in Germany. They insisted they could only
sell it if we provided the address of a German resident to tie the account to.

A German-speaking friend helped us solve it (I still don't know exactly what
he worked out with them), but it wasn't a pleasant experience. Especially
since in France we literally just walked into an Orange shop, and I said, in
my bad US-high-school French, "Nous voulons acheter une carte SIM", and they
said "OK", quoted a price and that was that.

------
RIMR
> People affected by SSN-related tax fraud can apply for an IRS-issued IP PIN
> or identity protection PIN.

So I have to be a victim already to add security to my SSN? Why can't I just
opt-in before I get my identity stolen?

~~~
OrwellianChild
Sadly, this is generally correct, per the application process here:
[https://www.irs.gov/Individuals/Get-An-Identity-Protection-PIN](https://www.irs.gov/Individuals/Get-An-Identity-Protection-PIN)

Citizens of Florida, Georgia, or DC can, though. Wonder how we expand this
program...

------
Meekro
You know what's really scary? Gmail is held up as the pinnacle of email
security, but they let you reset your password by proving ownership of _just a
phone number!_

So much for 2FA. So much for strong passwords. All I have to do is obtain your
SSN, call up your cell phone provider and hijack your phone number, and
initiate a password reset with Google. That gets me into your Gmail, which in
turn gets me into all your other accounts.

Ridiculously easy. Google should be ashamed.

~~~
Moshe_Silnorin
Even if you use Google Authenticator?

~~~
Meekro
Yes -- having the "recovery phone number" lets you bypass their Google auth
two-factor. See more here:

[1]
[https://support.google.com/accounts/answer/183723?hl=en](https://support.google.com/accounts/answer/183723?hl=en)

------
akersten
I have written a little bit about this topic[0], describing that ideally we'd
have a much better system that relied on keypairs and cryptography rather than
keeping a short, predictable number secret. I really really hope to see a
movement towards better meatspace authentication in my lifetime, but I have a
fear that SSNs are here for good.

[0] [http://ece.rocks/alex/2015/02/01/generated-at-birth.html](http://ece.rocks/alex/2015/02/01/generated-at-birth.html)

~~~
icebraining
It's not generated at birth, but I and millions of other Portuguese citizens
have state-issued smartcards with our own public keypair (and signed by their
certificate).

Yet just last week to sign up for a mobile contract, I had to print a PDF,
sign it and scan it. The adoption has been almost nil.

~~~
tmzt
Where are the private keys stored? Are they kept only within the card, or are
they generated externally and added to the card? I ask because it's difficult
to believe that millions are generating and keeping safe a private key.

Of course the lack of adoption is another concern.

~~~
icebraining
The card itself generates the key, and AFAIK there's no way to get a copy of
it (except maybe by physically decapping the chip and reading its memory).

------
nitwit005
American bureaucracies have a bizarre obsession with them. My school issued
student IDs with unique numbers, which should have been the end of all such
issues.

Unfortunately, they made a bizarre system where US students had their student
ID be their SSN with a fixed prefix, and international students got a random
number with other prefixes. They refused to give up on using SSN even when
they knew it wouldn't work for a good portion of students.

Heaven forbid someone just add an SSN to student ID lookup table to the
database.

~~~
ars
> Heaven forbid someone just add an SSN to student ID lookup table to the
> database.

Why does a school even need this number?

The only groups that need this number are financial institutions of all types
(including employment and borrowing) and government agencies.

A school does not need it. If they lend you money then that department might,
but no further.

What I do when places that don't need the number ask for it is pretend I don't
remember it. So far I've not had any problems, they manage just fine without
it.

------
rdancer
As technologists, and as an industry, we are failing our customers by not
having developed a credible alternative to SSNs. They're only used because
literally everything else is an even worse fit for access control.

Let's not also forget that in year 2015, we still use _passwords_ as primary
access control guards. That's technology that was invented shortly after the
development of speech in humans, circa 100,000 BC.

~~~
vezzy-fnord
Passwords, as we know them in the form of computer passwords, are of course
much more recent, usually credited to Fernando J. Corbató for use in the
Compatible Time-Sharing System in the early 60s. Their semantics are quite
different from having to say "swordfish" to a guard behind a door.

There's nothing intrinsically wrong with them. There are people who propose we
generate key pairs for every newborn. It is, however, delusional to believe
that the same governments which struggle with flat documentation will then
turn around to properly do PKI.

------
kitwalker12
I can't remember the link to the article, but a few years back a researcher
had published a paper on the security of SSNs.

It outlined how the first 3 numbers are kind of based on your location of
application (like a 3-digit code for a county). The next 2 are kind of related to
your date of birth. The only hard part was the last 4 digits, which are random
but easy to get as that's the first thing most companies ask for.

