Congress To Restrict Social Security Number Use

diverge_s writes "News.com.com has an article detailing a long overdue attempt Congress is making to restrict the use of Social Security Numbers. From the article: 'In both the House and the Senate, there are at least three pieces of pending legislation that propose different approaches to restricting the use and sale of SSNs. Politicians have expressed astonishment at what they see as a rising identity fraud problem, frequently pointing to a 2003 Federal Trade Commission survey that estimated nearly 10 million consumers are hit by such intrusions each year.'"

Band-aid on a gunshot wound.

[TripMaster+Monkey]

All the proposals mentioned in the article are merely band-aids on a system that is fundamentally broken. Any competently designed identification system consists of two parts: the public identifier, and the private key. The problem with SSNs is that you have a system where one number is simultaneously the public and private parts of the system, which dooms it to failure every time.

Making new rules limiting the sale and purchase of SSNs, or restricting the display of SSNs on reports, is just closing the barn door after the hore has already left.

Re:Band-aid on a gunshot wound.

[Billosaur]

All the proposals mentioned in the article are merely band-aids on a system that is fundamentally broken. Any competently designed identification system consists of two parts: the public identifier, and the private key. The problem with SSNs is that you have a system where one number is simultaneously the public and private parts of the system, which dooms it to failure every time.

From the article: The SSN hasn't always had such broad applications. Back in 1935, Congress first directed the Social Security Administration to develop an accounting system to track payments to the fund. Out of that mandate came a unique identifier that has ultimately found applications in everything from issuing food stamps to tracking down money launderers.

This is what happens in the modern age, when previous devices are outstripped by new uses for them. The SSN number started out as simply an identifier for the purposes of calculating benefits and recording taxes. It has turned into a universal identifier, but has not fundamentally changed at all. It's very easy to forge a Social Security card, and the accessibility of SSN data tied to all sorts of other information makes it far too easy to compromise.

As an aside, other than the fact it doesn't contain a photo, the SS card is pretty much a national id card.

Re:Band-aid on a gunshot wound.

[Gonarat]

Exactly. It shouldn't matter if I know your SSN. There should be a private key part of the equation required for a transaction that requires an SSN to take place. This token should be a pass phrase, not just a password or PIN. Verification can be done electronically by the Social Security Administration.

For example, if I sign up for a credit card, the application would not be processed until I give my valid pass phrase and it was verified. This way, someone could find out my SSN, date of birth, Mother's maiden name, shoe size, or whatever else, but could not do anything with it without knowing my pass phrase. Credit cards themselves should at least require a PIN to complete a transaction. This could be done without a major overhaul of the financial network -- the ISO 8583 specs supports PINs.

You could support several pass-phrases. One pass phrase would be for applying for credit and such, giving a Bank or Credit institution this pass phrase would allow them to not only access your credit report, but would give them authorization to update it as they do today. A second pass phrase could be given to just allow read access to a credit report. This could be used for your own access, access by landlords, or any other situation where you need to give out that information without giving the ability to update it. One time use read pass phrases could even be supported. Pass phrases could be changed by visiting the Social Security Office or online. Any forgotten pass phrases would require a visit to the Social Security Office.

A system like this would massively cut down on fraud and identity theft without too massive of a change to the current system flow.

Re:Band-aid on a gunshot wound.

[Alex+P+Keaton+in+da]

Um- do we really need legislation to restrict use of SSNs? I thought that the law already said that SSNs are only for, well, social security... Why dont we enforce laws before making up new ones?
I went to a state University for 2 years before transferring to a private one. At the state school everything was all about the SSN. One every test, you had to put your SSN...

Re:Band-aid on a gunshot wound.

[jcr]

Any competently designed identification system

The SSN was never intended to be an identification system. In fact, its proponents promised up and down that the SSN would never be used for anything but keeping records of individual retirement accounts.

-jcr

Re:Band-aid on a gunshot wound.

[emmaussmith]

Public Universities are beginning to change. About 2 years ago, NC State University (my school) switched from using the SSN to a six digit ID number which the Cashier's Office had already been using in their own database.

They issued new ID cards to everyone along with other much needed improvements (your SSN is no longer used as a standard barcode on the front, larger photo, newer magstripe, expiration date, etc.). This made everything much more secure and departments and professors are no longer allowed to have/use your SSN as a primary key.

Re:Band-aid on a gunshot wound.

[canuck57]

For example, if I sign up for a credit card, the application would not be processed until I give my valid pass phrase and it was verified.

This isn't going to help, what if the institution records it? Sooner or later they will. Oh yea, pass a law... that is useless too as we can't enforce the laws we already have.

The real issue is the lending institutions business practices of NOT practicing due diligence in maters of credit. That's right, they are just too damn lazy to verify who you are. They have been known to hire ex-cons to process credit card applications!!! Personnally, I don't care if they are careless, I do however care about the grief it causes people.

The real solution is to make it easy for those that get grief from poor and lax credit to recover damages and get their records corrected quickly. I would propose:

• Unlimited liability for damages to people who have been harmed by invalid or incorrect credit information.
• Credit information must be corrected in 7 days of notice or the credit agencies involved shall assume 100% liability for all damages and up to 30 times the damages in punative damages.
• Damages can include almost any expense, milleage, legal, rental, hotel, airfare, time taken, etc.
• No charges are allowed for users to check their credit, and no charges for correcting their credit. This includes providing 1-800 numbers as not to incur long distance. And up to 8 times per year.
• If big credit is deemed negligent or unresponsive punitive damages can be unlimited.

And enforce the above vigoriously. Make the lenders so scared and costly to get it wrong they will clean up their act. Maybe we have to go the bank where we meet a real person that will check our ID and knows we have deposits. But a small price to pay. And apply at the bank, not through Joe's Con Credit card processing service.

One last item, a forced labor camp where if convicted of fraud, you have to work to pay off all damages to get free. In essence, those that knowingly choose a life of fraud become indentured slaves to society.

shared secret

[Lord+Ender]

Many companies and government organizations use the SSN as some kind of shared secret for the purposes of establishing identity.

This law wants to prop up this model.

THIS IS A STUPID MODEL.

There are much better ways of establishing identity than using the SSN.

What we need to do is STOP USING SSN TO ESTABLISH IDENTITY!!!

Then it can be public, you can post it wherever you want, and we won't have to deal with the impossible problem of putting the cat back in the bag.

Government issued smartcards, with a simple PKI (and revocation system) would be a perfect method for establishing identity. We need to put the money in to that, not trying to keep some unchangable number secret.

If you need to use a fake SSN# use this one...

[i_want_you_to_throw_]

078-05-1120

It's a specimen number from the Eisenhower era. No need to give ur correct number to the cable or phone company. They don't need it. Period. Of course it's possible that someone else has used this number already, especialy if you live near me in upstate NY.

Otherwise use the "Fletch" approach on things like your customer loyalty cards. I keep mine under Harry S Truman, Ted Nugent and John Cocktosen. I have started using Igor Stravinsky lately.

Re:If you need to use a fake SSN# use this one...

[OctoberSky]

I go with Peter Lemonjello, sometimes when asked I correct people with "It's Dr. Lemonjello"

Mr... err... Dr. Lemonjello has a Gmail account, a throw away cell phone, and subscriptions to Stuff, Popular Science, and Field & Stream. He now gets credit card offers. He lives in my house yet I have never seen him. H&R Block must think I am sick of him living with me because they are offering him a home loan, good rate too, Peter must have good credit.
He used to get those 9 cds for 1 penny but he got sick of all the associated crap that came along with them.
I reply to all of his mail with the return address labels some Church sent him. He must be religous, I think I might have Dr. Lemonjello ordained so he can conduct marragies through an online church.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Just in the nick of time

[Mouth+of+Sauron]

*NOT*

Wait... What's this printed on the back of my Social Security card? "Not to be used for identification purposes."

Having been the victim of identity theft and credit card fraud, I have to say this is probably too little too late. I've had over $20,000 in fraudulent charges made in my name -- items ranging from electronic equipment to beer and gasoline. The Social Security number is already the de facto citizen identification number, even if it is not de jure.

Some culpability lies in the lap of merchant businesses, as well. In one case, a company sent a credit card application issued in my name to an old address. The occupant filled it out and began making purchases. When the bill came due, the collections agency had no problem tracking me down to give notice. In my opinion, this merchant could have been more dilligent, because I had asked them to cancel my account years before this happened. They were certainly dilligent when it came to getting paid.

It says "Not for purposes of identification..."

[dpbsmith]

...right on the card. Just what is there about "Not for purposes of identification" that is hard for officials to understand?

Of course, when I was in the hospital emergency room and I said I didn't want to give them my social security number, they said they would treat me until I did. I backed down.

When I contacted the social security administration about this, and said "Am I required to give anybody but the government my SSN," their rather unhelpful reply was "No, you're not required to, but the hospital is not required to treat you without it."

No financial burden for them.

[khasim]

I wonder why more companies/organizations don't realize this, and any step to educate them is a step in the right direction.

They do realize it.

They just don't care because the current system minimizes their financial losses by transfering those losses to the individual who has his/her identity "stolen".

Making any changes would cost money which reduces profits.

Any changes that improved the situation could be used to find them responsible when/if their new system is defrauded.

So, fixing the system is, from the individual company's point of view, all loss and no gain.

SSNs now issued at birth

[swillden]

Now, in order to claim your children on taxes, you have to get them a social security number.

Not only that, but with my youngest kids, the paperwork to request and issue an SSN was processed by the hospital. We were told that if we didn't sign the request form, we wouldn't be allowed to take our child home. I didn't buy that, of course, but signed the form because I knew we'd need the number anyway. I'm sure that if you forced the issue, you could take your baby home without getting an SSN, but I doubt anyone does.

SSNs on tests at public univs.

[JimBobJoe]

At the state school everything was all about the SSN. One every test, you had to put your SSN...

In the early 1990s a group of students took Rutgers to court regarding SSN use as the student identifier. They won in federal court, and that case was considered precedence in this field. (Not to mention kinna cool because it was just a bunch of students going at the university pro se.)

That case specifically enumerated

*prohibitions using all or part of the SSN as an identifier on tests or assignments

*prohibitions using all or part of the SSN as an identifier en masse (such as posting grades by last four digits)

*prohibitions regarding using all or part of the SSN as an identifier on student ID cards

Universities damn well know of the Krebs v. Rutgers prohibitions but they have taken their time in implimenting them. Hell, even my university broke/still breaks the Privacy Act of 1974, by not disclosing how the SSN will be used and if its necessary to disclose, when applying for admission.