Does Your Employer Still Use SSNs?

An anonymous reader asks: "My company, a fairly large telco, still uses social security numbers for non-financial purposes; mostly for our IT ticketing system. I find it amazing that in these times, with how easy it is to use an SSN to obtain credit, that any company still does this. I've heard talk for almost eight years that the practice is going to be stopped but little progress has been made. How many companies out there still use SSNs so openly? Since it seems that nobody is in a hurry to solve this issue, what can be done to speed the process up?"

You think you have it bad?

My company makes us use our ssn as our email address. Talk about being a number...

Re:You think you have it bad?

Depends on where in the world you are. Those laws do exist here, in Denmark.
They are critical to prevent the misuse of SSNs. Also you can't require someone to give there SSN, except for spcific situations, e.g. banks can require SSN to open an account.

Re:You think you have it bad?

[afidel]

Actually they DID exist. The original social security act made it illegal to use the SSN for any purpose other than for the administration of taxes and social security benifits. The law would not have passed without this provision from the reasearch I have done. It was only in the mid 80's with years of unenforcement of the law and the explosion of computer tracking databases that an update to the act (changing benifits and retirement age) carried a rider striking the provision. Due to the way that modern information driven economies work it would be highly difficult to design a system without a unique key that exists across multiple systems, for better or worse that key is the SSN in the US.

Wow... that's not right...

[soren42]

My employer, a large bank, doesn't even use SSN's (or, more specifically TIN's - Taxpayer Identification Number) for non-financial information. Our employee ID numbers are unique, distinct, and not based on any formula. Now, that said, any employee that has a corporate credit card or is an officer of the company ("Officer", "Assistant Vice President", "Vice President", "Director", "Managing Director", "Senior Vice President", "Executive Vice President", "Senior Executive Vice President", etc., etc., etc.) does have their credit checked monthly by the company. But, I would assume that any company - not just a bank - would take that precaution with employees with purchasing or signatory authority. That system is based on SSN/TIN at our company - but it makes sense there.

I believe that there is a Federal Regulation that intends to restrict the use of SSN/TIN numbers for identification by (guessing here) 2010. I'm certain there is such a law for banks, but I believe that it extends to any US public company. Anyone have details on this?

One last thing - I know many people who use fake SSN's for non-financial uses. For some time, Richard Nixon's SSN was very popular. Now, don't get me wrong, I'm not endorsing that practice - just sharing that it seems pretty common to me.

Re:Wow... that's not right...

[reanjr]

I used to work for a logistics company that GM uses. One of GM's systems required some kind of user authentication (I don't remember the details) that they asked for my SSN to use. I did an MD5 on my actual SSN in hex and ripped out all the letters, used the first 9 as my SSN. It's a nice, repeatable way to generate a fake SSN that is likely to be unique in any system.

I strongly suggest using fake SSNs for anything possible, but of course, many times you are signing the "I verify that all this information is true to my knowledge" clause. Of course if you use it all the time, maybe you can get away with chalking it up to confusion over your actual SSN.

Re:Wow... that's not right...

[LearnToSpell]

HSBC, which is what you could call "a large bank," uses SSNs for everything. It's pretty annoying.

As far as I know, to contradict your info (and I'd love to be corrected on this), any non-governmental company is allowed to use SSNs for whatever they want. I looked it up briefly a little while ago, and that was my understanding, but again, I hope I'm wrong.

Re:Wow... that's not right...

Try changing a digit, you might end up with a very similar & still valid SSN (that belongs to someone else)

Or you might end up with an invalid one. There are rules for how the number is constructed and there are easily-googled programs into which you can input a nember to see if it's valid.

If a company simply validates SSNs, without any further checking, they may still catch an arbitrarily constructed invalid number.

Be especially careful about modifying the first three digits. It's well known that the first three follow a pattern across the country, so they constitute a pointer to where the card was issued. Try to use a San Francisco-issued number in Miami and you may get tripped up if someone asks a question about where in the Bay Area you were living when your card was issued.

If you try to use a number starting with 7, be prepared to talk about which railroad issued your card to you. 700 to 728 were given to railroads to pass out to new employees who didn't already have one through 1963, then discontinued.

Even if they were still in use, I suspect you wouldn't see a lot of these in the future as few babies apply for employment with a railroad at birth, when our trusting government insists that we be brande^H^H^H^H^H^H included in our national Social Insecurity system. 729 and above are either unassigned (for future use) or are invalid.

Finally, from http://www.ssa.gov/ssnumber/ (bottom of middle column), "Misuse of someone else's SSN is a violation of Federal law and may lead to fines and/or imprisonment."

Point out to your local normalization DBA

[Marxist+Hacker+42]

That SSNs are non-unique. They used to be, but thanks to illegal immigrants, ID theft, and a lot of other problems, SSNs simply aren't unique anymore, and thus are not a good identifier.

Re:Point out to your local normalization DBA

[MBCook]

Are SSNs of dead people later re-assigned? If not now, is there a guarantee that they won't do that later? With 300 million people alive now and all the people coming into this country and being born here, how long before they have to start recycling them, especially if they want to keep doing the first 3 digits showing where you were born part?

Re:Point out to your local normalization DBA

[pla]

Are SSNs of dead people later re-assigned? If not now, is there a guarantee that they won't do that later?

Q20: Are Social Security numbers reused after a person dies?
A: No. We do not reassign a Social Security number (SSN) after the number holder's death. Even though we have issued over 415 million SSNs so far, and we assign about 5 and one-half million new numbers a year, the current numbering system will provide us with enough new numbers for several generations into the future with no changes in the numbering system.

However, an SSN has only nine digits - So the SSA will need to add a digit or three within then next few decades. Reissuing numbers, thanks to the exponential growth of the population, would only gain them a few years at most, so they probably won't do it (instead doing something like adding a new number group and moving all existing users to 000-###-##-####).


Rather than use a dead person's number, though, might I suggest you use one of the classic non-numbers, such as any group all zeros (000-##-####, ###-00-####, ###-##-0000) (official) or 666-##-#### (unofficial, but as yet still never issued), or 078-05-1120 (the single most used fake SSN in history, which belongs to Hilda Whitcher, the secretary of an ad exec who decided to use her number in a promotion - She got a new one to replace it and the SSA retired it). A friend of mine had his used, just by coincidence, for something as mundane as a college ID, and you wouldn't believe the hoops he had to jump through just to register for classes. So don't make someone else's life hell, just carefully pick a totally invalid number.

even more outrageous

[Aeron65432]

I am a student at Tulane University in New Orleans, Louisiana, and we use our social security numbers as STUDENT ID's.

It appalls me how irresponsible this is. I have to write out my social security number down for the desk worker if I lock myself out of my room, to log-in to view my classes and grades, and all the time online to manage my account.

I cannot believe that such a highly accalimed university promotes such reckless actions. SSN's are basically our national ID number, and the fact that I have to throw it around all the time scares me.

Re:SSN

[Raindance]

Honestly... not that I'm a big fan of litigation, but this seems like a problem a high-profile lawsuit (regarding the needless identity-theft risk companies are exposing their users to) could fix. The market won't fix it, and if politicians haven't fixed it by now it's hard justify just waiting until a law comes along to outlaw it.

Perhaps the EFF could step in.

You might be surprised...

[BenEnglishAtHome]

...that my employer, a place flat-out driven by SSNs in many aspects of our work, wouldn't think of using them for anything internal that isn't mandated by law. We issue to everyone a 5-character ID that's used for signons and all sorts of IDs. We used to use a contraction of the user name, but even that has been 95% phased out for years.

It's not that difficult to quit using SSNs and it's just good policy. I'm surprised that they are still so commonly used in situations where they might be disclosed to anyone but the person to whom it belongs.

USPS still uses em

[DrMrLordX]

I work for the US Post Office at a REC site. We still use parts of our SSN for identification. I don't really want to elabourate, but anyone who wished to steal SSNs there could easily do so.

Even simpler

[JimXugle]

Or do credit checks on him and let them slip into the fax machine when it's set to auto-dial the NY Times, Washington Post, His Wife, Misteress, and several corporate leadership figures in the company.

Re:SSN

[Qzukk]

was that this number was supposed to be private to the individual assigned it.

WRONG, and that's why this is a problem. The SSN was designed to identify you to the government for tax purposes. Everyone who reported your money to the government needs it: your employer, your bank, mortage officers, loan officers, casinos and so on and so forth. Someone stole your SSN? Oh noes! They can pay your taxes for you! The horror!

It wasn't until other companies decided that they could use the SSN to identify you to them despite the fact that many, many people have access to these numbers that this became a problem.

The solution is for the credit agencies to start feeling the bite. When lenders get a credit report from the agency that says that the crook they're dealing with isn't who the agency said they were, they should sic lawyers on the credit agencies when they end up with bad loans. A change in laws to force lenders to deal with the consequences of fucking up instead of allowing them to pursue the real person when they didn't bother to actually find out who they're giving money to will help also. Once this is in effect, the credit agencies will start to compete again, and improve based on accuracy. Lenders, too, will make sure the person receiving their money is who they say they are. I'm confident that captialism can come up with a solution for this one on it's own, we just have to stop protecting the lenders and credit agencies from their own stupidity so that Darwin can take care of the rest.

Good thing federal law prevents that.

[BKX]

Or at least allows you to. All universities and colleges MUST allow you to change your student ID to something other than your SSN if you ask (and are encouraged to not use SSNs anyway, though not required). It's federal law (a law passed about five years ago, I beleive). Ask and you shall receive. If you don't, sue and you shall receive even more.

Re:SSN

[spagetti_code]

As a foreigner who was working in the US for a number of months (all above board - my US based employer stationed me there) - I was forced to get by without a SSN.

I had all sorts of issues including (a small sample):

• having my VISA card rejected because it wasn't an "American" VISA
• having my passport labelled a forgery at a bank because the date was 14/6/68. To quote the teller "there's no 14th month". Let me tell you - that creates an interesting scene in a busy bank.
• being given checks by another bank, which were rejected by almost everyone because their starting number was too low. Then the bank cancelled them because of my lack of SSN.
• the supermarket wouldn't let me use checks because I didn't have an SSN.
• being offered a discount at the checkout on an expensive item if I signed up for a loyalty card. I said I didn't have an SSN. No problem they said. 30 minutes of head scratching and phone calls later, the checkout and manager and manager's manager gave up. Sorry they said. You need an SSN.

Eventually I got a fake SSN from a website that has lists of unused SSNs and everything went a lot smoother.

Correct, and furthermore...

[metamatic]

Right. The problem isn't your employer using your SSN to identify who you are uniquely. The problem is dumbass companies that pretend that knowledge of your SSN proves you are that person.

I've written before that there's actually a free market solution to the problem. What it needs is for some well-funded activists (Gilmore?) to put together a nice big database of SSN info. We know all that info is available to any company that wants it.

Then, public announcements are prominently made in the press (NYT ads, paper mail notifications to every major bank and so on) stating that on 2008-01-01, the entire database will be made public for search purposes on the Internet. On that day, you'll be able to look up and verify anyone's SSN for free. That's the way it should be, after all--it's an identification number, not a password, and anyone can look it up for $20 from one of the many online services. We're just going to change the price.

This means that any organization currently using SSN as a secret identifier basically has to stop doing so, or face massive fraud and consequent liability lawsuits.