Does Your Employer Still Use SSNs?

An anonymous reader asks: "My company, a fairly large telco, still uses social security numbers for non-financial purposes; mostly for our IT ticketing system. I find it amazing that in these times, with how easy it is to use an SSN to obtain credit, that any company still does this. I've heard talk for almost eight years that the practice is going to be stopped but little progress has been made. How many companies out there still use SSNs so openly? Since it seems that nobody is in a hurry to solve this issue, what can be done to speed the process up?"

Simple

[SecaKitten]

what can be done to speed the process up?

Simple, apply for credit cards in your boss's name.

You think you have it bad?

My company makes us use our ssn as our email address. Talk about being a number...

Re:You think you have it bad?

[parasonic]

How about the law that you shall not be identified by your SSN?

How about the law that you shall not be required to give more than the last four digits of your SSN?

No wonder there are "305 lawsuits" per average company per year...

Re:You think you have it bad?

[BandwidthHog]

Neither of those laws you mentioned actually exist.

A business can ask for an SSN when you attempt to buy a nine volt battery with exact change. Perfectly legal. You can, of course, refuse such a ridiculous request. Also quite legal. They can then decline to do business with you. Just as legal.

It’s only the government folks that are prohibited by law from demanding SSNs.

Re:You think you have it bad?

Depends on where in the world you are. Those laws do exist here, in Denmark.
They are critical to prevent the misuse of SSNs. Also you can't require someone to give there SSN, except for spcific situations, e.g. banks can require SSN to open an account.

Re:You think you have it bad?

[afidel]

Actually they DID exist. The original social security act made it illegal to use the SSN for any purpose other than for the administration of taxes and social security benifits. The law would not have passed without this provision from the reasearch I have done. It was only in the mid 80's with years of unenforcement of the law and the explosion of computer tracking databases that an update to the act (changing benifits and retirement age) carried a rider striking the provision. Due to the way that modern information driven economies work it would be highly difficult to design a system without a unique key that exists across multiple systems, for better or worse that key is the SSN in the US.

Wow... that's not right...

[soren42]

My employer, a large bank, doesn't even use SSN's (or, more specifically TIN's - Taxpayer Identification Number) for non-financial information. Our employee ID numbers are unique, distinct, and not based on any formula. Now, that said, any employee that has a corporate credit card or is an officer of the company ("Officer", "Assistant Vice President", "Vice President", "Director", "Managing Director", "Senior Vice President", "Executive Vice President", "Senior Executive Vice President", etc., etc., etc.) does have their credit checked monthly by the company. But, I would assume that any company - not just a bank - would take that precaution with employees with purchasing or signatory authority. That system is based on SSN/TIN at our company - but it makes sense there.

I believe that there is a Federal Regulation that intends to restrict the use of SSN/TIN numbers for identification by (guessing here) 2010. I'm certain there is such a law for banks, but I believe that it extends to any US public company. Anyone have details on this?

One last thing - I know many people who use fake SSN's for non-financial uses. For some time, Richard Nixon's SSN was very popular. Now, don't get me wrong, I'm not endorsing that practice - just sharing that it seems pretty common to me.

Re:Wow... that's not right...

[TubeSteak]

Taxpayer Identification Number (TIN)
http://en.wikipedia.org/wiki/Individual_Taxpayer_I dentification_Number

Employer Identification Number (EIN)
http://en.wikipedia.org/wiki/Employer_identificati on_number

One last thing - I know many people who use fake SSN's for non-financial uses. For some time, Richard Nixon's SSN was very popular.

1. A surprising number of organizations will never check your SSN's validity
2. Try changing a digit, you might end up with a very similar & still valid SSN (that belongs to someone else)

Re:Wow... that's not right...

[reanjr]

I used to work for a logistics company that GM uses. One of GM's systems required some kind of user authentication (I don't remember the details) that they asked for my SSN to use. I did an MD5 on my actual SSN in hex and ripped out all the letters, used the first 9 as my SSN. It's a nice, repeatable way to generate a fake SSN that is likely to be unique in any system.

I strongly suggest using fake SSNs for anything possible, but of course, many times you are signing the "I verify that all this information is true to my knowledge" clause. Of course if you use it all the time, maybe you can get away with chalking it up to confusion over your actual SSN.

Re:Wow... that's not right...

[LearnToSpell]

HSBC, which is what you could call "a large bank," uses SSNs for everything. It's pretty annoying.

As far as I know, to contradict your info (and I'd love to be corrected on this), any non-governmental company is allowed to use SSNs for whatever they want. I looked it up briefly a little while ago, and that was my understanding, but again, I hope I'm wrong.

SSN

[CherniyVolk]

In the beginning the Social Security Number was issued by the government and is unique to each living citizen. This much still holds true.

But what was lost somewhere via the effects of Capitalism.... was that this number was supposed to be private to the individual assigned it. And, while there are laws protecting a citizens privacy. Companies were granted positions to effectively counter such laws. Only the government, state or law-enforcement officials may "demand" your Social Security Number. Visa can not demand you give it to them. Your landlord can not demand you give it to him. Private schools by law, can not demand you forfeit such information.

But no law is telling Visa or anyone else to accept alternate information for their personal records. As a result, you have to give out your Social Security Number, becuase if you don't, you can't apply for an Apartment, you can't buy a car, you can't have a credit card, you can't open a bank account, you can't get a job..... yeah, we have a choice.

*Some places do accept alternate information such as Drivers License Numbers.*

Re:SSN

[Raindance]

Honestly... not that I'm a big fan of litigation, but this seems like a problem a high-profile lawsuit (regarding the needless identity-theft risk companies are exposing their users to) could fix. The market won't fix it, and if politicians haven't fixed it by now it's hard justify just waiting until a law comes along to outlaw it.

Perhaps the EFF could step in.

Re:SSN

[Qzukk]

was that this number was supposed to be private to the individual assigned it.

WRONG, and that's why this is a problem. The SSN was designed to identify you to the government for tax purposes. Everyone who reported your money to the government needs it: your employer, your bank, mortage officers, loan officers, casinos and so on and so forth. Someone stole your SSN? Oh noes! They can pay your taxes for you! The horror!

It wasn't until other companies decided that they could use the SSN to identify you to them despite the fact that many, many people have access to these numbers that this became a problem.

The solution is for the credit agencies to start feeling the bite. When lenders get a credit report from the agency that says that the crook they're dealing with isn't who the agency said they were, they should sic lawyers on the credit agencies when they end up with bad loans. A change in laws to force lenders to deal with the consequences of fucking up instead of allowing them to pursue the real person when they didn't bother to actually find out who they're giving money to will help also. Once this is in effect, the credit agencies will start to compete again, and improve based on accuracy. Lenders, too, will make sure the person receiving their money is who they say they are. I'm confident that captialism can come up with a solution for this one on it's own, we just have to stop protecting the lenders and credit agencies from their own stupidity so that Darwin can take care of the rest.

Re:SSN

[RexRhino]

Only the government, state or law-enforcement officials may "demand" your Social Security Number.

Completly false. Employers are REQUIRED BY LAW to take your social security number to handle SS deductions. Banks and credit card companies are REQUIRED BY LAW to retain your social security number in order to do financial reporting (so the IRS can check and make sure you aren't spending more than your reported earnings). Gun shops are REQUIRED BY LAW to take your social security number as part of criminal background checks. There are a whole slew of situations where, not only can a company ask you for your SSN, but they are required to take your SSN!

Visa can not demand you give it to them.

Visa IS REQUIRED BY LAW to take your social security number, or a tax ID number if it is a corporation, as part of their financial reporting requirments.

Private schools by law, can not demand you forfeit such information.

Private schools BY LAW ARE REQUIRED to take your SS number if the private school accepts federal government loans or grants for students.

Don't try to obscure the blame that the government bears for your SSN being your ID number. Aside from the fact that they have made legislation making SSN the de-facto ID number (Real ID Act), it was the government that decided that you would have one single number that would follow you for the rest of your life as your unique identity (as opposed to the system they used for passports, where your passport is given a unique ID, but that number will change over the course of your life... your passport is assigned a number, not the person)

Re:SSN

[spagetti_code]

As a foreigner who was working in the US for a number of months (all above board - my US based employer stationed me there) - I was forced to get by without a SSN.

I had all sorts of issues including (a small sample):

• having my VISA card rejected because it wasn't an "American" VISA
• having my passport labelled a forgery at a bank because the date was 14/6/68. To quote the teller "there's no 14th month". Let me tell you - that creates an interesting scene in a busy bank.
• being given checks by another bank, which were rejected by almost everyone because their starting number was too low. Then the bank cancelled them because of my lack of SSN.
• the supermarket wouldn't let me use checks because I didn't have an SSN.
• being offered a discount at the checkout on an expensive item if I signed up for a loyalty card. I said I didn't have an SSN. No problem they said. 30 minutes of head scratching and phone calls later, the checkout and manager and manager's manager gave up. Sorry they said. You need an SSN.

Eventually I got a fake SSN from a website that has lists of unused SSNs and everything went a lot smoother.

Re:SSN

[jcr]

In the beginning the Social Security Number was issued by the government and is unique to each living citizen. This much still holds true.

Nope. There have been many cases of the SSA issuing blocks of numbers multiple times. SSN collisions happen every day.

-jcr

Re:SSN

[NormalVisual]

Gun shops are REQUIRED BY LAW to take your social security number as part of criminal background checks.

Not true. There is a field for the SSN on a Form 4473, but it's not required that it be filled in.

Re:SSN

[NormalVisual]

being given checks by another bank, which were rejected by almost everyone because their starting number was too low

Yup, and for the life of me I can't figure that one out. Every bank I've done business with has asked me what I wanted my starting check number to be, which makes the check number completely useless.

Re:SSN

[Eivind]

How about instead stopping the idiocy of confusing identification with authenthication ?

A SSN is a perfectly fine and perfectly way to establish that we're talking about the same person. Names, adresses, birthdates whatever all break down here. (there is more than one "John Smith", there could even be more than one with the same birthdate, furthermore it's perfectly possible that "Ann Smith" is the same person as "Ann Kulstad", she could've married.)

For this purpose, making certain that two records really refer to the same person, SSN is fine. A unique key that refers to an individual.

Now, where you guys went wrong where in confusing this with authenthication.

The very fact that you use your SSN to *identify* which person you're talking about means that lots of different organisations and individuals *MUST* know your SSN. That ain't a problem. The problem is in assuming that whoever is aware of your SSN *IS* you, or is authorized to order credit-cards in your name, or whatever else.

We've got SSNs in Norway too. They're not particularily secret. The tax-people have them. Your employer has it. Your bank has it. They all even *need* to have it, to *identify* you. Your employer, for example, pays taxes, and uses your SSN when communicating with the tax-people so that it's clear for which individual these taxes are.

But here's the rub: Knowing the SSN is never *ever* considered authentication. You cannot order a credit-card in someones name just by knowing it. Nor access their bank-account, or infact do *anything* you couldn't just aswell have done without it. Except for ONE thing: If you know the SSN, you can use it to refer to an individual, in such a way that all involved will know for sure precisely *which* individual you're talking about.

The account is owned by individual X, the taxes are paid by individual X, the drivers-licence was issued to individual X, and we all (the bank, the employer, the drivers-license-people, etc) agree that this is infact one and the same individual, despite the fact that one of us spelled his name wrong, he has married, he has moved, and there's 17 other people with that precise name in Norway.

*THAT* is the point of a SSN.

You cannot at the same time give your SSN to dozens of different organisations (which you need to do if using it as an identificator shall work) and at the SAME time pretend that it's a secret that only the individual himself would ever know.

I dunno why USA persists in the stupidity.

Re:SSN

[Alioth]

I was in the same situation for a while (I ended up staying in the US rather longer, so in the end got a pukka SSN because I had to pay US taxes).

However, not all banks are equal. The credit union at work absolutely refused to give me an account because they said they got fined if they gave accounts to people and didn't take their SSN. Bank of America, on the other hand, told me that was bullshit and had no problem in opening an account for me. All they wanted was a letter from my employer saying that I was indeed employed by them.

As for checks - I never used them except to pay bills. I got a Visa debit card off my bank _straight off the bat_. They didn't want an SSN for that either.

Re:SSN

[abb3w]

having my passport labelled a forgery at a bank because the date was 14/6/68. To quote the teller "there's no 14th month". Let me tell you - that creates an interesting scene in a busy bank.

Let me apologize for the increased restrictions on the ownership and use of firearms in the United States that have allowed an ignoramus so massive to continue to walk about.

Point out to your local normalization DBA

[Marxist+Hacker+42]

That SSNs are non-unique. They used to be, but thanks to illegal immigrants, ID theft, and a lot of other problems, SSNs simply aren't unique anymore, and thus are not a good identifier.

Re:Point out to your local normalization DBA

[MBCook]

Are SSNs of dead people later re-assigned? If not now, is there a guarantee that they won't do that later? With 300 million people alive now and all the people coming into this country and being born here, how long before they have to start recycling them, especially if they want to keep doing the first 3 digits showing where you were born part?

Re:Point out to your local normalization DBA

[Planesdragon]

Are SSNs of dead people later re-assigned?

Not yet, but they will eventually. That or add another digit.

Less than a century until we run out of our billion or so possible SSNs. Expect the next method to just have a new digit thrown in.

Re:Point out to your local normalization DBA

[pla]

Are SSNs of dead people later re-assigned? If not now, is there a guarantee that they won't do that later?

Q20: Are Social Security numbers reused after a person dies?
A: No. We do not reassign a Social Security number (SSN) after the number holder's death. Even though we have issued over 415 million SSNs so far, and we assign about 5 and one-half million new numbers a year, the current numbering system will provide us with enough new numbers for several generations into the future with no changes in the numbering system.

However, an SSN has only nine digits - So the SSA will need to add a digit or three within then next few decades. Reissuing numbers, thanks to the exponential growth of the population, would only gain them a few years at most, so they probably won't do it (instead doing something like adding a new number group and moving all existing users to 000-###-##-####).


Rather than use a dead person's number, though, might I suggest you use one of the classic non-numbers, such as any group all zeros (000-##-####, ###-00-####, ###-##-0000) (official) or 666-##-#### (unofficial, but as yet still never issued), or 078-05-1120 (the single most used fake SSN in history, which belongs to Hilda Whitcher, the secretary of an ad exec who decided to use her number in a promotion - She got a new one to replace it and the SSA retired it). A friend of mine had his used, just by coincidence, for something as mundane as a college ID, and you wouldn't believe the hoops he had to jump through just to register for classes. So don't make someone else's life hell, just carefully pick a totally invalid number.

Re:Point out to your local normalization DBA

[MustardMan]

However, an SSN has only nine digits - So the SSA will need to add a digit or three within then next few decades.

10^9 = 1 billion possibilities. If the current system has used up 415 million, and SSNs are being added at a rate of 5.5 million a year.... that's around a hundred years to use up the remaining possibilities. I call that more than "a few decades"

Re:Point out to your local normalization DBA

[DeadChobi]

I did the math on this for a math ed. class. It's about 110-130 years from now that we will run out, assuming the population maintains the same growth rate.

Thought it was actually illegal

[kbob88]

I used to work in the IT department of a managed care company in the early 90s, and seem to remember something about it actually being illegal to use the Social Security Number for any other purpose (than running Social Security and the IRS). Of course, we (and every else in healthcare) still used it as a primary numbering/identification scheme. Not sure if the illegality was true or not.

From the Social Security Administration:

• "[Makes] misuse of the SSN for any purpose a violation of the Social Security Act"
• "Unlawful disclosure or compelling disclosure of the SSN of any person a felony, punishable by fine and/or imprisonment."

even more outrageous

[Aeron65432]

I am a student at Tulane University in New Orleans, Louisiana, and we use our social security numbers as STUDENT ID's.

It appalls me how irresponsible this is. I have to write out my social security number down for the desk worker if I lock myself out of my room, to log-in to view my classes and grades, and all the time online to manage my account.

I cannot believe that such a highly accalimed university promotes such reckless actions. SSN's are basically our national ID number, and the fact that I have to throw it around all the time scares me.

You might be surprised...

[BenEnglishAtHome]

...that my employer, a place flat-out driven by SSNs in many aspects of our work, wouldn't think of using them for anything internal that isn't mandated by law. We issue to everyone a 5-character ID that's used for signons and all sorts of IDs. We used to use a contraction of the user name, but even that has been 95% phased out for years.

It's not that difficult to quit using SSNs and it's just good policy. I'm surprised that they are still so commonly used in situations where they might be disclosed to anyone but the person to whom it belongs.

USPS still uses em

[DrMrLordX]

I work for the US Post Office at a REC site. We still use parts of our SSN for identification. I don't really want to elabourate, but anyone who wished to steal SSNs there could easily do so.

Old Employer 8 years ago

[Associate]

We were required to give the last four digits of our SSN to get in the gate. Their verification was someone sitting on the otherside of the gate call box with a list of everyone's SSN. I expressed some concerns to my supervisor at the time because I didn't really trust my coworkers. Stupid bitch ran and told our manager that I was going to refuse to give it. She came back and told me that I could be fired for not following the procedure.
That said, Larry Wise's last four SSN numbers are 2795.

SSNs?

[JohnWiney]

My employer doesn't, because none of his employees has an SSN.

and just to show what can happen...

[phageman]

I'm a high school teacher in Kentucky. Yesterday, every teacher in the state got an email informing us that letters sent to our homes inadvertently displayed our SSN through the address window!!! Anyone could have swiped the numbers just by looking at the envelope. I'm not worried myself (my credit is so bad I hope someone will steal my identity), but just imagine if some unscrupulous postal employee noticed thousands of SSNs in plain view.

Re:and just to show what can happen...

[mjs0]

Not trying to scare anyone here...but...my wife works in this field (no not stealing identities, helping people resolve issues arising from stolen identities!) and unfortunately it is not just about your credit. If someone gets hold of your SSN together with your name they can 'become you' in many different ways.

One of the scariest things is when your number gets used for reporting income by many people. Even if income tax is withheld on the wages of these imposters guess what happens when you work 20 different $20,000 per year jobs...you end up in the top tax bracket, and of course it looks like you've take the standard deduction 20 times. Guess who the IRS comes after to get all those extra taxes...the actual owner of the SSN of course.

Oh and imagine what happens when someone gets your SSN and other info then applies for a driver's license in your name. Maybe 6 months later you get pulled over for a routine stop and dragged to jail for non-payment of speeding fines or even worse crimes.

Are any of these likely, no...but as with all matters of probability unlikely does not mean never...it does happen to somebody.

And on the topic of companies using SSNs for non-essential situations...someone in that organization needs to look at a few recent laws regarding the correct handling of NPI (non-public information) such as:

• FACTA (Fair and Accurate Credit Transactions Act) (which applies to more than just credit transactions) under that act the loss of unsecured customer OR employee NPI can result in federal and state fines, civil liability and responsibility for any actual losses.(http://en.wikipedia.org/wiki/FACTA/ or http://www.ftc.gov/os/2004/11/041118disposalfrn.pd f)
• If you are a financial organization take a look at the Gramm, Leach, Bliley Safeguard rule. (http://en.wikipedia.org/wiki/Gramm-Leach-Bliley_A ct/ or http://www.ftc.gov/os/2002/05/67fr36585.pdf)
• If you are a medical organization take a look at HIPAA (Health Insurance Portability and Accountability Act), this one is a doozie as it can result in jailtime for executives.(http://en.wikipedia.org/wiki/HIPAA/ or http://www.hipaa.org/)

Good thing federal law prevents that.

[BKX]

Or at least allows you to. All universities and colleges MUST allow you to change your student ID to something other than your SSN if you ask (and are encouraged to not use SSNs anyway, though not required). It's federal law (a law passed about five years ago, I beleive). Ask and you shall receive. If you don't, sue and you shall receive even more.

i'm a victim

[feld]

i live in WI and someone in Milwaukee (with many, many previous addresses) is reporting my SS. I have no idea how or where they are reporting it, but they're in the database with my #. They have never used it for financial things yet, though, so my credit is fine. I reported this to the cops several times but they won't do anything about it because they arent using it for credit related things. This pisses me off to no end.

I have the original SS card in its original envelope from 2 months after I was born.

I had a hard time explaining things to employers when I was a teenager because they'd do checks of some sort and find this other guy's name.... notably Radio Shack and Menards (Like Home Depot) were the main ones causing problems over it.

Re:i'm a victim

[jcr]

Not necessarily a single person. Many illegal aliens will pick a random set of digits, and they'll share numbers that work. Depending on the employer, they may need to change numbers annuallly.

-jcr

You're looking at it from the wrong direction

[Michael+Woodhams]

The problem isn't that people can find out your SSN.

The problem is that banks etc. use knowledge of SSN for authentication. If someone accumulates debt in your name, based only on their knowledge of your SSN and other readily available data (DOB, mother's maiden name) then you should be able to simply disown those debts, sticking the problem back on the people who accepted inadequate ID.

SSN equivalent public in some countries

In some countries the SSN-equivalents are public and not excpected to be a secret usable to prove your identity. E g in Sweden the Personal Number of all citizens is public. No organisation would use knowledge of the PN as proof of identity. That is what a photo id form an acreditied organisation is used for. The PN is simply a good key to use.

One may argue that having compatible unique keys in almost all databases enables or at least simplifies abuse by correlating various databases. But as far as identity theft goes, the SSN only enables it if the SSN are expected to be kept secret. AS long as they are public they are no more useful for identity theft than your name.

Correct, and furthermore...

[metamatic]

Right. The problem isn't your employer using your SSN to identify who you are uniquely. The problem is dumbass companies that pretend that knowledge of your SSN proves you are that person.

I've written before that there's actually a free market solution to the problem. What it needs is for some well-funded activists (Gilmore?) to put together a nice big database of SSN info. We know all that info is available to any company that wants it.

Then, public announcements are prominently made in the press (NYT ads, paper mail notifications to every major bank and so on) stating that on 2008-01-01, the entire database will be made public for search purposes on the Internet. On that day, you'll be able to look up and verify anyone's SSN for free. That's the way it should be, after all--it's an identification number, not a password, and anyone can look it up for $20 from one of the many online services. We're just going to change the price.

This means that any organization currently using SSN as a secret identifier basically has to stop doing so, or face massive fraud and consequent liability lawsuits.