Hacker News

We are replacing such things, although the USA is a decade or so behind the rest of the world due to various legitimate sociopolitical and historical reasons.

In most places worldwide, identifiers equivalent to SSNs and passport numbers aren't really treated as financial secrets; they may not be totally public due to certain privacy aspects, but they generally don't result in financial identity theft. That's a fixable problem of certain regions (like the USA and a few others). Similarly, moving to proper credit card authentication (chip & PIN or wireless chip when the card is present, 3-D Secure when it isn't, etc.) has made many credit card numbers mostly useless for thieves unless accompanied by a more serious compromise.

But all these things above have been implemented only because (and where, and when) the actual companies became financially liable for the consequences. As long as the losses, fraud, etc. hit only the users/consumers, there is no motivation to fix anything. Shift the liability to the company which accepts that fundamentally insecure data as good enough, and they'll figure out some way to implement a secure process.

You make an interesting point about the lack of incentive to protect others' private data - it may only hurt the subject of the data and leave a negligent company unscathed. But how might we shift the liability from those companies without encouraging regulatory agencies to maximize data theft?

I am a bit confused why shifting liability would be linked to maximizing data theft, and why that data theft would be done by some regulatory agencies; can you elaborate?

The liability shift that I had in mind is mostly about immunity from liability for the impersonated person. For example, if some criminal defrauds a company by claiming to be Bob, then shifting the liability for that risk (compared to currently common cases in the USA) to the company which had lax processes and was defrauded would mean various consumer protection mechanisms for things like credit scores: preventing that company from trying to collect that money from Bob, preventing them from reporting that Bob owes them money (as he doesn't), requiring that company to correct any adverse credit reports if they had already made them, etc. These are various means to ensure that the fraud stays between the fraudster and the defrauded company and doesn't affect the person whose identity was falsely used, and to remove the implication that they are somehow responsible if that information (which they aren't legally required to keep secret) is used by someone else.



