
"sensitive Social Security information"

We really need to do something about social security numbers. They've all been leaked and there's no way to put the cat back in the bag.

And when people use them fraudulently the bank can somehow hold YOU responsible? Total insanity.




The replacement driver's license of a colleague of mine was stolen from his mail, and since then his financial life has been ruined.

Cars were rented in his name across multiple states and never returned, AT&T charged dozens of Apple products in his account, SoFi approved and disbursed a loan in his name, credit cards were opened, credit score completely ruined. Some of them happened even after he froze his SSN.

And the answer he gets is "Too bad, there is nothing we can do". He is now fighting multiple legal cases against him.

Every time I think about it my blood boils.


> froze his SSN

What does it mean to freeze an SSN, and how does one go about it? I'm familiar with freezing credit (through the big 3 credit score companies), but that doesn't sound sufficient to protect against a lot of what you're describing.


I think he started with online available info (I believe Reddit has a good identity theft community), but the thing is that notices keep coming long after fraud has been committed. So every week he would find out there are more things he was on the hook for.

Eventually he hired a lawyer to help him out, there are so many reporting agencies (for subprime loans etc) that you need to reach out to.

Long term a new SSN will be issued for him, but there is a lot of cleanup before that.


Can I ask why in the USA can a malicious individual with a random person’s SSN number and name allow them to wreak havoc?

In my country we just have a name but you need an ID document to get anything done.

Do banks etc. consider an SSN number to be a password?


They said in their first comment that their driver's license had been stolen in the mail, which is what started all of it. I'd imagine they either went and bought their SSN from someone who had a collection of them from hacks or they used information they were able to get from places that ask for verification but show a few digits (e.g. "confirm your SSN: *-*-1234") to narrow down and then brute force different numbers at different sites until they got it.


There is no way to freeze an SSN. As you pointed out, all you can really freeze are credit files. In some circumstances, victims of identity theft can obtain a new SSN.

https://www.businessinsider.com/personal-finance/credit-scor...


Thing I never got about ID thieves pulling all this off with stolen basic credentials is just how they get approved so widely.

I mean, imagine, often, when you're the ACTUAL holder of an identity, trying to legitimately obtain credit, buy products and so forth, you get all sorts of absurd algorithmic or anti-fraud roadblocks that can make it tricky or fully block you, but then some dude with only part of your ID paperwork in his hands can just go ahead and take out loans, get credit, use your name for X or Y official thing just like that? Then also, them getting the mailing addresses they need for all these scams to work. How do they pull that off too?

I'm really puzzled by how these contradictions work?


I think this is one of those cases where the actual holder of the identity sees the process as an annoyance, and the ID thief sees it as a job. If you repeat the same procedure a hundred times you get really good at doing it efficiently.


That's a good point, and makes sense. Also, they can afford to be blithely reckless about all those attempts, more than someone stressing about rejections with their own, one true ID.


Because there are plenty of creditors who will not put customers through all of those hoops, and the front line sales guy at AT&T is motivated to get that phone sold and that line activated, that car salesman is motivated to get the car sold. If it turns out in 6 months the bank is holding the bag on a fraudulent loan those front line salespeople are not really going to have any impact to their bottom line.


Every time I read about what damage you can do to people's lives with just a number, in the US, I am glad that I live in a first world country.


As a European I'm dumbfounded how this issue alone isn't deciding elections in the US. Somehow everyone just accepted having their identity stolen every once in a while.


I'm in my 40s, and I don't know anyone personally who's dealt with any kind of significant issue due to identity theft or fraud.

Like, occasionally my credit card company will call me up about some fraudulent transactions and then they'll mail me a new card and take the fraud off my bill.

A problem can be simultaneously incredibly acute for an unlucky subset, structurally really problematic, and also on average have very low impact. Those problems generally don't decide elections.


I traveled to the Caribbean on a cruise. I figure one of the staff found my wallet, which had my original Social Security Card in it. Years later, I find a letter from the IRS about unpaid taxes on income over the previous 3 years. My SSN had been used for fraudulent filings, despite my residence always having been in California. There was also the discrepancy of overlapping tenures at cleaning companies across the eastern seaboard and overlapping tenures at tech companies on the west coast.

I talked to the IRS and I got audited (naturally). My income tax returns were withheld for about 7 years plus the 3 that had fraudulent filings. One day, I got a check from the US Treasury for all the back-returns plus interest. It was worth it, I guess. Some individuals had also tried to get various loans, phones, etc. in my name but my credit was sub 500 at the time, so they were denied. I kinda got lucky and unlucky at the same time.


I periodically receive OTPs I didn't request, because malicious actors are trying password stuffing with really old credentials of mine from data breaches. It's relatively frequent.


Yeah, but the consequences of things like that, if they succeed, are rarely anywhere near the level Nord VPN and Life Lock would have us believe.


Identity handed to Musk's businesses, along with all of the personal history there, is mind-boggling. But MAGA doesn't care, and all the enabling congresspeople will just say "omg, we didn't know that we should care".

I suppose it's not as bad as believing/promoting the lies that got the US into two wars in Iraq, but it's still bad and sort of feels like it goes into the same bucket.


You would be shocked how blasé people are about it.

The credit card companies block a transaction and issue a card replacement and everyone feels OK again.

I have had a couple of PayPal alternatives accounts opened using my email address. Still feel on edge about it. Holy shit. The only thing which gives me a modicum of peace is I get free credit monitoring from the Equifax boondoggle.



I'm not necessarily disagreeing with you, but none of your links refer to identity theft in Europe (Turkey might be considered Europe in some geographic definition, but when people talk politics/law they typically mean the EU).


That silly little phrase gets smugly mentioned on this site so often that it should be labeled a parody of itself. As a European myself, I can't generalize shit about people from my enormous multi-ethnic continent of several hundred million inhabitants and dozens of states, mini states and assorted autonomous regions. It's full of contradictions, problems, social disasters, bureaucratic fuckeries, authoritarian nonsense, simmering brands of racism/xenophobia and other assorted crap that varies widely from one little part of its landscape to another, sometimes drastically.

Many other Europeans on this site should consider climbing down from their imaginary pedestals of moral superiority. Very little about either past or present day Europe (insofar as you can generalize about it at all) merits such a sense of superiority, at all. It all comes with trade-offs.

Reading some HN comments from "As a European" types, you'd think they were already living in a wonderfully socialist version of the singularity, and it got built right next to the Pearly Gates, where it daily receives the airy blessings of winged angels.


> Reading some HN comments from "As a European" types, you'd think they were already living in a wonderfully socialist version of the singularity, and it got built right next to the Pearly Gates, where it daily receives the airy blessings of winged angels.

Hearing stories about the US, that is indeed how it feels. I pretty regularly read unironic stories of people that literally lived on the street because of some random misfortune. I just can’t imagine that happening in my home country (e.g. socialist paradise), and I’m inclined to believe much of western Europe is the same.


Like I clearly said, there are tradeoffs in all of these comparisons, but they include unpleasant or downright shitty things about Europe too, and because you can't imagine that happening in your home country doesn't mean you can generalize about Europe being completely superior to the US in all such ways, or the US being as you generalize it in all ways.


> or the US being as you generalize it in all ways

Well, it’s not as if I come from a place of no experience. I’d say the US lives up to its reputation in many ways.


The claimants’ concern is more around “family court and children’s school records and medical and mental health information” [1] than SSNs.

[1] https://www.nytimes.com/2025/06/06/us/politics/supreme-court...


> We really need to do something about social security numbers.

Get everybody to realize that identifiers and credentials are pretty much polar opposites in design space? Sounds like one of the many impossible infosec literacy crusades, unfortunately.


Meanwhile Switzerland is implementing e-ID which gives citizens private and public keys so they can sign and prove things without leaking their whole identity.


The USPS, with their existing delivery infrastructure and massive presence, would be a great fit for doing this in the US. Think like DoD CAC cards, but for ordinary citizens.

It'll never happen, though.


You don't think the USPS is on the chopping block?? The new Postmaster General is from the FedEx BOD. https://www.commondreams.org/news/david-steiner-postal-servi...


We don’t need to do anything about SSNs, we just need to not bother borrowers with proving they are innocent, and rather require lenders to prove the person they are claiming they did business with is the person who agreed to borrow the money.

The whole thing is a giant corporate subsidiary to lenders.


SSNs were never designed to be private information. There should be no expectation that they are.


They weren't designed to be used as general-purpose identifiers by non-government entities, either, but here we are.


My college classes used to post grades, on paper, taped to the wall, listed by SSN.


Which, assuming it was in the last 50 years or so (assuming it didn't have individual non-compulsory signed and dated written consent of every individual whose grades were so posted), was a violation of federal law (specifically, the Family Educational Rights and Privacy Act of 1974).


This is enough to make me put all of my assets in a trust.



