> "The whole point of the federal privacy law is to prevent states from making the Social Security number into a nationally mandated identification number of the kind that’s common in Europe. The practice goes back to the immediate post-World War II era, when Sweden became the first country to assign every citizen a personal identity number that follows you throughout your life and must be used in essentially every interaction with state. Every Swede memorizes the number in childhood. And notably, the tax authority makes everyone’s number publicly available to anyone who asks for it."
This wouldn't be a bad thing if we didn't also use the SSN as proof of identity. Numbers as "usernames" for individuals are fine. But they should not also serve as "passwords." That particular cat is already out of the bag. The list of people who know or have access to your social security number includes dozens of bank personnel, medical professionals, standardized testing agencies, previous employers, and government employees. It is entirely possible for malicious actors, given any other personal identifier (a unique full name, or any full name plus address), to find the associated social security number.
We simply cannot expect any SSN - let alone its last 4 digits - to be known only by the person to whom it was issued.
For many people, the last 4 digits are the only ones that aren't easily deduced if you know the city a person was born in and the person's approximate birthdate.
And for this reason, many SSN verifiers (banks, government agencies, etc.) ask for the last 4 digits. Then they store them in a dusty database somewhere and forget about them until they have to verify identity again, or there's a major breach.
That last part is the part that keeps me up at night.
Even if they didn't, given the number of state-level administrations, I am sure I can get close to the 9999 attempts I need to brute force a code. I wonder how many automated attempts are possible.
If you encounter a business still wanting your social security number as proof of identity, just generate and give them a random one and store it in a password manager like you would any other password.
Most businesses asking for your SSN are most likely going to do a soft or hard pull on your report to actually verify your identity. This would 100% not work in those cases.