Same Birthday, Same Social Security Number, Same Mess For Two Florida Women (cio.com)
itwbennett writes: After 25 years, the Social Security Administration (SSA) has fessed up to giving two Florida women who shared a name and a birthday the same social security number. The women only recently discovered that they shared an SSN, but not before having trouble getting loans and having tax returns rejected. You might think that the SSA would catch something like this, but as it turns out, they are prohibited from trying to verify the legitimate owner of an SSN, except in rare cases, says Ken Meiser, VP of identity solutions at ID Analytics, provider of credit and fraud risk solutions. And the problem isn't as rare as you might think (except for the part about two women with the same name born on the same day in the same state). According to a 2010 study by ID Analytics, some 40 million SSNs are associated with multiple people.
I would assume that it is not a coincidence that two women with the same name and same birthdate got the same social security number; I expect that when the second application came in, they checked the name and birthday and assumed that it was a duplication of the first application, and just sent out "here is your number".
I'm pretty sure that most of the "40 million" are sharing a SSN with somebody who died *years* ago, and that the number of people like the two women cited as an example is much, MUCH smaller.
I mean, for ${deity.name}'s sake, there are only ~300 million *AMERICANS*. If one in 8 Americans had SSN collisions with another living person, I can *guarantee* it wouldn't have taken until now to be newsworthy.
That said, the gov't really needs to add at least a digit or two. Just adding one digit & making every existing SSN end with "0" until 2025 (to allow a graceful transition where existing 9-digit numbers would have an easily-derived 10-digit value) would give them enough unique numbers to go a few centuries without ever reusing a number.
Why would you add the digit on the end and break every system in existence? Much better to add it to the left like a normal number then the zero is completely optional unless you have a 10 digit SSN. Reusing SSNs is a stupid idea. Just start giving babies and new applicants 10 digit, then 11 digit numbers, etc... If everyone in 2016 (or 2017 if you want to give a little more time) got a SSN greater than 999,999,999 then existing systems would adapt quickly, many probably already support ID fields greater than 9 digits as there are alternate IDs like passport numbers and foreign IDs already in existence that probably exceed 9 digits. The other alternative would be to go to alphanumeric IDs for new applicants.
Personally, though, it might be better to break the system and fix it right. Why do you need a non-changing number? Credit card companies and even banks have the ability to reissue you a new number if your previous number is compromised. Credit card companies sometimes even send you a new number every few years just for safety. A standard USA credit card is 16 digits, I would propose a 16 alphanumeric SSN that changes every year and can be invalidated at any time. When you file your taxes, you file it with the current year's SSN and then when it's complete, they send you a new SSN to use the next year. As long as each SSN is chained to the previous one, then you still have the ability to track what is needed but finding a 3 year old number is now worthless.
Your mother's maiden name isn't an identity check. It's like "What's your first pet's name". Nobody has the name of your first pet in a big database used to verify your identity. It's just a passphrase that can be anything. In fact, you should use something other than your mother's actual maiden name. Anyone can do a bit of research and find out your mother's maiden name. But they can't do research to find out the fake name you used so they won't be able to use that information to take over an established account.
The US social security number as an id is seriously broken. After consideration, I'd expect my ssn to be in at least 100 poorly-secured databases: bank accounts, insurance accounts, doctor/dentist/hospital facilities, employers, etc. The number is hardly secret, yet there are about 350M persons in the USA and only 1000M distinct ssns.
A better system would redefine a ssn as two components. A 9 (or 10?) digit public number would signify who you are -- lotsa entities need to know that -- and a 6-7 digit secret number would prove that you are the person associated with that ssn. It is pure hell when the first number needs to be changed (witness protection?) but the second number could be changed often and with little overhead or impact, whenever one suspects it has been compromised. The current electronic fiduciary networks would be sufficient and secure enough to support and manage this.
Unfortunately, the US Congress will eventually try to fix these problems by passing laws, making things illegal, rather than passing technology that makes violations almost impossible.
> The US social security number as an id is seriously broken. After consideration, I'd expect my ssn to be in at least 100 poorly-secured databases: bank accounts, insurance accounts, doctor/dentist/hospital facilities, employers, etc. The number is hardly secret
More specifically, it's fine as an IDENTIFIER, and ID must necessarily be different from AUTHENTICATION. My name identifies me (approximately), my password authenticates me.
To be useful, a personal ID must be more or less public - the name "Barack Obama" is useful only because everyone knows who that is, it's public. Also, in order to be useful, authentication information must be private. So as you said, two pieces of information - one that is the ID, the other is the authentication.
This seems obvious, but people who should know better routinely treat user names as "a little bit secret". This is wrong. It's either secret, in which case it's hashed so nobody can read it, and it can be trusted to be secret, or it's not. Since a user name is not protected as a secret, don't start thinking that maybe it's a little bit secret, kinda maybe, and start putting any trust in people not knowing it. User names aren't hashed, they are sometimes displayed, so they aren't secret. Not even a little bit (especially not a little bit).
Banks are, but AFAIK, the credit bureaus aren't. They're the root of the problem. If the credit bureaus really wanted to end so-called "identity theft", they could do it very easily. It would simply require them to invest the money to perform a callback authentication to all registered phone numbers prior to issuing new credit. Boom. No more "identity theft", or at least so many orders of magnitude less that the remainder could be treated as noise.
I put that in quotes because your SSN isn't a true identity, at least by the cryptographic meaning of the term. It's an identifier. An identity is something that can be used to prove who you are. An identifier is something that stands in for who you are. A proper identity should roughly guarantee non-repudiation. An identifier does not, because it is not secret. It is not possible for someone to steal a true identity, or anything that even approaches one. It is trivial to steal an identifier; it need only be shared once, and then it is no longer secret.
Thus, "identity theft" is a misnomer. It should be called "SSN theft", or even "unauthorized SSN use". But if we called it that, then the credit bureaus couldn't pretend that the problem is a serious problem caused by a bunch of bad people, rather than an entirely artificial problem of their own making....
Then again, if everyone who found a false entry on his or her credit report sued the credit bureau for libel, the problem might just take care of itself.
Check out my sci-fi/humor trilogy at PatriotsBooks.
> Thus, "identity theft" is a misnomer. It should be called
Fraud. Nothing more, nothing less. Lies for gain. Why would there be any confusion on the matter? Oh yeah, if you call it bank fraud, the bank would pay for their loss. When you call it identity theft, you blame the victim for the bank's poor security and reduce the bank's loss.
Learn to love Alaska
I had someone using my social security number for work once upon a time. Their company had a mandated retirement program. The IRS never complained about my taxes, even when I e-filed. One year I got a check in the mail for ~$5000 from a company I had never heard of, nor worked for.
As an expat US Citizen, maybe I should try to get some illegal immigrant in the USA to use my SSN to do some work to build up my social security credits which have not been growing while I am out of the US....