This isn't going to stop until we stop treating SSNs like they're secret. Mine's not; it's been leaked at least once that I know of and I've given it freely to dozens of clerks and HR staffers over the years, any of whom had ample opportunity to jot it down for personal use.
I know this will never actually happen, but I sincerely wish the Social Security Administration would publish a complete official database of real name to SSN mappings. It wouldn't impede their use as Social Security Numbers, but it would make it extremely obvious how inappropriate they are as a proof of identity. Maybe then we'd finally be forced to come up with something a bit less insane.
My university used to use SSN as student identifiers. So you'd walk down the hallways and trash bins would be full of discarded test papers and homework assignments with a nicely printed SSN and full names on all of them.
Likewise. I've worked with some of my university's databases that have a field for SSN, but don't contain SSNs anymore. We now call them Structural Support Numbers, or something equally silly.
> I sincerely wish the Social Security Administration would publish a complete official database of real name to SSN mappings
Given the prevalence of fraudulent tax returns and people working under fake SSNs to avoid taxes, I imagine the IRS would be very displeased with them if they were to do this. It's not just credit reporting agencies that need to reform their identification procedures, it's also government.
Which is exactly the problem. The IRS is relying on the fact that SSNs are sorta-kinda-secret. Unless the database gets leaked there's not much impetus for change.
Yes, but the argument that just releasing the database is responsible is based on the notion that private sector businesses have no right to use the identifier and can't complain if their usage is compromised. But extensive use by the public sector means that an alternative system needs to be put in place before releasing the database.
If you think about it, there's virtually no purpose to a SSN without the IRS's current usage. The whole purpose of it is to track contributions into and benefit distributions out of the fund. The SSA tracks the benefit distributions, but the IRS's usage is squarely within the raison d'etre for the SSN existence in the first place. Releasing the mapping database would essentially break Social Security since they'd no longer have a working way of tracking contributions into the fund.
I've got no issue with the IRS and/or the private sector continuing to use SSNs as surrogate IDs or usernames. Being public doesn't prevent it from being used to disambiguate similar users or associate records between datasets. In fact, having the mapping public would make it easier, since that's one less column you need to store securely.
What it would prevent is the illusion that providing my SSN on demand is in any way an indication that I am in fact the human being attached to that number and not some third party.
I don't see a problem with the IRS continuing to use it as-is. I would have no more incentive to lie about my SSN than I currently do about my legal name or my mailing address, for example. In fact, I might have a significant disincentive if I knew that my boss, my HR manager, the auditor at the IRS, and anyone else who cared could spot check whether it matched what I told them all my name was. Besides, the IRS has been dealing with endless attempts at tax fraud for a century and a half now. One more awkward but plausible avenue for cheating is likely to be background noise against their existing caseload.
Which is exactly why I said, "...an alternative system needs to be put in place before releasing the database."
I wasn't saying that using SSNs they way they're currently used is a good system or even that it works halfway decently. I was saying your plan for the SSA to break the world would also fundamentally break the original purpose for the SSN and hurt themselves. The IRS and SSA need to get together and devise a better system for authenticating citizens and resident aliens before even contemplating taking that step.
What I'd like to see them do is get NIST involved and run it as a public challenge the way they have with the various encryption standards. Get competing strategies proposed and let cryptographers rip them to shreds until something acceptable is left over. Incidentally, we should also do the same thing with voting machines to create a standard which vendors can implement and sell to local election commissions.
> Besides, the IRS has been dealing with endless attempts at tax fraud for a century and a half now
Former Intuit employee here...not in tax, but I've worked with people who are and learned a lot about anti-fraud programs. Acting like this is an old problem is disingenuous. The advent of e-file has made the problem massively worse. Releasing the entire database would make it, turn, significantly worse. I can guarantee you that Intuit, H&R Block and the other online tax filing solutions have been in contact with Equifax to get the full list of (or full list of hashes of) SSNs that were compromised and that returns for those SSNs will undergo increased fraud scrutiny. Equifax only leaked around 1/3 of all SSNs, so your plan to release the full list would create far more than background noise.
> I know this will never actually happen, but I sincerely wish the Social Security Administration would publish a complete official database of real name to SSN mappings.
A full list might not even be necessary — a form that would allow you to trade some basic details for an SSN might be enough to scare various agencies straight. At least that way isn't quite as iterable.
Honestly, this doesn't even sound all that implausible to me as long as some sort of sufficient warning was built into the announcement to give organizations a way to build alternatives. Say two years. After that, levy major fines against anyone who's not compliant with certain very basic security standards.
The biggest hurdle here isn't going to be backlash as much as it is comprehension. Just like with net neutrality and encryption, most lawmakers are going to have a hard time understanding why SSNs as secrets aren't a good thing, and they'll have to be convinced.
No, it means a chance to do it right: to separate the part that uniquely, globally identifies you (username) from the part you use to prove that you're the owner of that ID (secret). And the SSN shouldn't be that secret.
>They would probably pick something more secure than the government did
The government did NOT pick SSN's for ID. SSN cards used to have 'not to be used for identification purposes'. It was the private sector that appropriated SSN's as ID's. What the government failed in is adequately prohibiting and enforcing a prohibition of this type of use.
Do you mean Equifax? I'm having a hard time keeping Equifax, Experian, and Expedia straight. And poor Expedia didn't even do anything to deserve my confusing them with those other two.
If the government already chose a 9-digit 'secret' number that can be used to pay taxes and get tax refunds and do pretty much any other sensitive communication, is it the onus of private industry to supersede it?
Experian failed, but the system was designed to fail. You can already get all of this important info with this number, so there was little incentive to create a new system and ensure that every American participated in it. Their operation was also entrenched by government credit reporting acts, pretty much setting in stone how things are and preventing innovation. This was a pseudo-government 'industry', not a free market system with new startups frequently joining.
* Government Issued IDs -- Most situations. Police Tickets, Court issues, etc. etc. Usually your driver's license. This is effectively a security token, since its illegal to make illegitimate copies of a Government issued ID (although cryptography should be used in future ID efforts IMO)
* Tax PIN number and Last year's tax refund -- Pay taxes and do tax refunds. There's a ton of OTHER information you need to submit with your taxes to get it processed. The SSN is purely the "username" for your taxes, it isn't the "password".
----
In the free market? People use SSN as a password, because free market doesn't give a care about you or decent security practices. Or at least, Experian doesn't (and they're a free market actor)
> Tax PIN number and Last year's tax refund -- Pay taxes and do tax refunds
For individuals, your TIN (Taxpayer Identification Number) defaults to your SSN, and you do not need the previous year's return to file taxes. Not sure where you are coming up with these imaginative claims, and I find it somewhat concerning how confident you feel in bureaucratic design decisions.
No, the entire point of Experian et al is to reduce the number of loans that can't be collected on for any reason, including but not limited to fraud.
Assume a credit rating agency can lower a lender's default rate from X% to X'% but introduces an additional Y% of fraudulent loans. If X - X' > Y, that's a good deal for lenders no matter what the absolute size of Y is.
"The first hurdle for instantly revealing anyone’s freeze PIN is to provide the person’s name, address, date of birth and Social Security number (all data that has been jeopardized in breaches 100 times over — including in the recent Equifax breach — and that is broadly for sale in the cybercrime underground).
After that, one just needs to input an email address to receive the PIN and swear that the information is true and belongs to the submitter. I’m certain this warning would deter all but the bravest of identity thieves!"
Considering that address and date of birth strongly predict most of the digits of the SSN, this is pretty bad. Consider further than even name can predict SSN (people named Stein more likely to have been born at the Jewish hospital, and SSNs are sharded by hospital).
This just keeps getting more and more outlandish. I'm pretty sure you have to deliberately work at it, if you want to be this incompetent. Had they just had the entire IT staff play minesweeper, they might actually be better off than they are now.
I am not actually sure that I've seen a bigger display of ineptitude. I suspect there's going to be academic research papers published about this and studied for years to come. I'm not big on conspiracy theories, but I could understand someone believing this is deliberate incompetence. I'm not even sure I could fault them for believing that.
There is no solution to this problem of identity. So they invent the credit freeze. Then they invent the credit freeze PIN. Then someone loses their PIN and they want to buy a car now. So business adds "look up your PIN" feature. It is face-palming. But that's what you get when your business requires a way to securely identify people when no such method exists.
There may be no perfect solution but I am really hoping something better can exist. There isn't as much trouble in some other countries, maybe we can look into what they are doing?
I don't have the answers. But, just because I'm not an MD doesn't mean I can't point out an obviously broken arm. This is a problem and it does need fixing.
At this point, it's reached the level of absurd. Not even a great author could have come up with a better storyline. This has reached the point of being surreal. If I weren't witnessing this, I'd have trouble believing it - it's that bad.
At this point, I'm having trouble thinking of something they haven't screwed up. This has more twists than a soap opera.
> There may be no perfect solution but I am really hoping something better can exist. There isn't as much trouble in some other countries, maybe we can look into what they are doing?
In France for example there's no SSN used by banks, there's no Credit score either. How do people get mortgages? Bank do their research, ask for your paystubs and other documents, it's simply due diligence.
Due diligence can take you pretty far, for instance for mortgages, probably the biggest loan a person needs in life: current mortgage fixed interest rate are around 1.3% - 1.8% for long duration[1]. You get this without the existence of a credit score. In 2008, there wasn't any wave of people loosing their home because their mortgage was approved too easily and they suddenly weren't able to pay back, so something must be done right.
As an other commenter mentions, you might not be able to get your mortgage approved in a minute on a smartphone app ... But who wants this anyways? In a house/car buying process, this isn't the most time consuming task anyways, and certainly not the one you should approach lightly.
It's true that in the US, opening Credit cards is much more common, but even there, I'm not sure why a couple weeks of wait is much of a big deal, the bank already takes one to 2 weeks to send you the credit card by mail.
I don't know how it works in France, but other countries have a "bad payer" database. You get added to it when you're behind with your payments, and get removed from it when you're no longer behind. All lenders check that database.
Other countries don’t have the free/easy relationship to credit that we do.
In many places, if you want to get a small, revolving line of credit it’s considered perfectly normal to spend weeks validating your identity, including one or more in-person visits by a financial official. Can you imagine doing this in modern America? The economy would shrink by whole percentage points overnight.
We’ve made a deal with the devil, and this is how we pay.
That might just be the saddest post I'm going to read all day because you're probably right. Individuals have access to lots of credit, it fuels our American consumerism.
Maybe it's better, in the long term, to suffer that shrinkage? I'm absolutely not an economist, so I don't really know. Maybe we are in a credit bubble and it needs to pop?
Could we absorb the negative drop in the economy without there being riots in the street? Would it be better in the long run?
It's a weird situation. Your credit information is so crucial that the agencies need a workaround for everything - a user can't be allowed to get stuck in a state that locks them out of their credit forever.
I'm still annoyed by this entire debacle but I'm not sure what the correct solution for a lost PIN should be.
> I'm not sure what the correct solution for a lost PIN should be
Krebs gives an answer in the article and I think I agree:
> I understand if people who place freezes on their credit files are prone to misplacing the PIN provided by the bureaus that is needed to unlock or thaw a freeze. This is human nature, and the bureaus should absolutely have a reliable process to recover this PIN. However, the information should be sent via snail mail to the address on the credit record, not via email to any old email address.
Until we have a way to guarantee our electronic identity to the government (e.g. an RSA key registry so that I can sign a message like "I am $name and $email is my email"), physical delivery is the best option.
The issue of course being that credit reporting agencies are in close company with credit issuing agencies. When someone wants a loan right now the lender doesn't want to wait for snail mail because the purchaser will change their mind. So if the credit reporting agency starts sending out snail mail forgot-your-pin resets, the lender will start using one of the other credit reporting agencies.
"If you believe the address on file is outdated please mail a notarized copy of X of the Y documents to us at Z"
Getting a notarized copy of an ID and proof of address and mailing it in isn't too terrible of a hoop for poor people (who aren't so poor that an organization that cares about credit ratings is considering lending to them) to jump though. It doesn't scale well and provides a substantial hurdle for monetizing ID information.
If it's incorrect, you likely have bigger problems than where to send the pin. And I think there are ways to correct the address.
If it's outdated, then it simply goes to your old address. If you moved, the Post Office will forward mail addressed to you at your old address to your new address.
I always hear this story about post offices forwarding mail with old addresses, but in my life (having moved a ton), I've never received mail at a new address with an old address printed on it, while I have received huge volumes of mail addressed to the last guy living where I'm at. Is forwarding an American thing?
Yes, I have gotten mail forwarded as much as 8 months after a move. It get's a yellow sticker with your new address on the bottom right. I believe it's based on names so it may not work for all mail.
Having one's email forwarded to another address can also be subject to fraud. Haven't done it in awhile, possibly you now have to go to the counter and show some id, but it used to be far too easy to fill out the little card and hand it to the person behind the counter, no questions asked.
I know it is popular meme when it comes to Google, Facebook, etc. that “you are not the customer”, but at least you have a choice not to use their services. It’s impossible to opt out of allowing credit bureaus access to your personal information and still function in society.
Do you think they're more likely to steal the identity of someone with good credit? If you've already got a house and can pay cash for a car and aren't running your own business, I wonder if good credit doesn't become more of a liability than an asset.
What could be a possible solution to the PIN reset? Security practices say that we can authenticate across 3 ways; something you are, something you have, and something you know. Its obvious to me that the something you know is also known by hackers, and I don't think biometrics are going to be overly popular after this. Does Experian send out a hardware token to all users that request a security freeze?
It's interesting that this isn't one of the three traditional ways to authenticate, but it's obviously effective to some degree. Maybe it suggests a new mode of authenticating: some place where you are.
This is where Congress has utterly failed in its regulatory responsibilities. There's no way this labyrinth of credit-related breaches/issues should be confronting consumers.
Two things I do: monitory my credit reports regularly and give nonsensical answers to the security questions.
In the Netherlands every citizen has a digid, which is a two factor digital identification mechanism. Almost all government and almost all (semi-)public companies use it. Works like a charm and very secure.
the only solution is to implant a RSA token generator on arms of every citizen at birth. perfect 2FA. they get to turn you chip off if you make too much trouble.
I think it's also worth noting while I do think they at least hash your password if you sign up for an account you are limited to a 14 character password.
I know this will never actually happen, but I sincerely wish the Social Security Administration would publish a complete official database of real name to SSN mappings. It wouldn't impede their use as Social Security Numbers, but it would make it extremely obvious how inappropriate they are as a proof of identity. Maybe then we'd finally be forced to come up with something a bit less insane.