Same Birthday, Same Social Security Number, Same Mess For Two Florida Women

itwbennett writes: After 25 years, the Social Security Administration (SSA) has fessed up to giving two Florida women who shared a name and a birthday the same social security number. The women only recently discovered that they shared an SSN, but not before having trouble getting loans and having tax returns rejected. You might think that the SSA would catch something like this, but as it turns out, they are prohibited from trying to verify the legitimate owner of an SSN, except in rare cases, says Ken Meiser, VP of identity solutions at ID Analytics, provider of credit and fraud risk solutions. And the problem isn't as rare as you might think (except for the part about two women with the same name born on the same day in the same state). According to a 2010 study by ID Analytics, some 40 million SSNs are associated with multiple people.

last four digits of your Social?

[turkeydance]

8675

Re:last four digits of your Social?

[DrVxD]

Same as the last 4 digits of Pi

Probably not a coincidence

[XXongo]

I would assume that it is not a coincidence that two women with the same name and same birthdate got the same social security number; I expect that when the second application came in, they checked the name and birdhday and assumed that it was a duplication of the first application, and just send out "here is your number".

Re:Probably not a coincidence

[One+With+Whisp]

Maybe. Or maybe these duplicate SSN's are so common and it just happened that this one had the same legal name for both parties as well.

Re:Probably not a coincidence

[gurps_npc]

Probably. Especially if they both applied at the same time. If some bureaucrat got two requests in the same day, he probably just assumed the 2nd was someone being impatient, and just sent the same information.

The real question is, will the US government compensate them for their large legal bills caused by the the government screw up.

Re:Probably not a coincidence

[Jason+Levine]

The article definitely makes it sound like it was a mix up due to the two babies having similar names (Joanna Rivera vs. Joannie Rivera), having the same birthday, and being in the same general area.

After 25 years of confusion, the Social Security Administration reportedly has admitted its mistake at last: In 1990, two Florida hospitals created the same record for two babies with similar first names, the same last name and the same date of birth, and the administration gave them both the same Social Security number.

The article lists some red flags that should have been raised (two addresses listed as being active, the IRS getting W2 forms from two employers that weren't even near each other, etc). In my experience, though, companies and government agencies don't mind missing red flags. Red flags mean that someone has to put in extra effort to resolve the issue. Ignoring the red flag, though, means that you continue doing what you're doing and it becomes someone else's problem.

Re:Probably not a coincidence

[BarbaraHudson]

It's more likely that the algorithm used to generate SSNs, given the same input data, generates the same output. After all, it's estimated that there are 40,000,000 dupes out there.

Re:Probably not a coincidence

[aaarrrgggh]

Born in same area, same date, same first three letters of last name-- expect collisions. That is how the formula works for allocation, and I am sure real-time checking wasn't done due to "low probability."

Re:Probably not a coincidence

[ShanghaiBill]

For many years, I would just make up a random SSN for forms that didn't seem like they had a legitimate reason to be asking for it. Never, not once, did they later tell me there was a mismatch. So I think there was very little cross-checking going on.

Re:Probably not a coincidence

[ShanghaiBill]

It's more likely that the algorithm used to generate SSNs, given the same input data, generates the same output.

The "algorithm" is "pull the next number off the list". My sister and I were born in different states, two years apart ... and we have different first names. My parents requested SSNs for both of us at the same time, and they were given two consecutive numbers.

Re:Probably not a coincidence

[nwf]

I'd just leave them blank. Blockbuster used to ask for that, and I left it blank. Oddly, I had a card from a store well after it went out of business ages ago and they still accepted it at other ones. I hadn't been at that address for 15 years, but that's a different story.

Re:Probably not a coincidence

[unrtst]

After all, it's estimated that there are 40,000,000 dupes out there.

This is a misconstrued / misused statistic.
The linked page at idanalytics.com says:

More than 20 million Americans have multiple Social Security numbers (SSNs) associated with their name in commercial records according to a new study announced today from ID Analytics, Inc., a leader in consumer risk management. The study also found that rather than serving as a unique identifier, more than 40 million SSNs are associated with multiple people.

[bolded by me]
That is also poorly worded. What association are they referring to? I'm VERY confident they do NOT mean the official SSN database. FWIW, one can verify SSN's using the social security system's SSNVS (social security number verification service): https://www.socialsecurity.gov...
I suspect they mean that SSN's that show up in external databases, such as employment records, fraud reports, credit checks and reports, etc (anything falling under what they called "commercial records", and what they base their bread and butter business on), and that those end up having multiple names associated with them - which makes sense. since there's probably a LARGE amount of typo's and purposefully incorrect information.

This is quite different than the subject of this article, where two women had the same SSN issued to them by the Social Security administration.

FWIW, if you're wondering if they're ever re-used, they have not been thus far (you take your number with you when you die, so to speak). There are currently about 319 million people in the united states. The SSN format has room for a maximum of 999 million numbers. There are a bunch of exceptions that won't be used:
* 100 million of those are reserved for ITIN use (ITIN's start with "9").
* No number group will ever be issued all zeros (ie. 000-nn-nnnn, nnn-00-nnnn, and nnn-nn-0000 are all invalid), which rules out a bunch more.
* Area number 666 has never been issued, and probably won't be (ie. 666-nn-nnnn), ruling out another million of them.
* Numbers from 987-65-4320 to 987-65-4329 are reserved for advertising use.
* Hilda Whitcher's SSN is now invalid (http://www.snopes.com/business/taxes/woolworth.asp)

To date, over 450 million SSNs have been issued, and the SSA notes that it does not reassign SSN's after the number holder's death (https://www.ssa.gov/history/hfaq.html). I don't know where the countdown clock is for running out, but we'll get there eventually (we're over half way there). That's going to make one hell of a y2k, unless they just start re-issuing from the death master file (yes, that's a thing).

Re:Probably not a coincidence

[dgatwood]

Ignoring the red flag, though, means that you continue doing what you're doing and it becomes someone else's problem.

Funny, sad, and true, all at the same time.

The thing is, the IRS has plenty of incentives to ignore those sorts of problems. After all, a lot of illegal immigrants who pay taxes do so using a fake SSN. So they end up getting forms with two different names, two different employers, two different addresses in different areas, etc., and if they went to investigate, they would just lose revenue by deporting one of those families, thus losing the income taxes that they previously paid. When's the last time the government went out of their way to cost themselves income?

Re:Probably not a coincidence

Use a GUID.

No, really, use a 128-bit GUID. Don't give each person a random number between 1 and 10 and you'll be fine.

Re:Probably not a coincidence

[Solandri]

The article lists some red flags that should have been raised (two addresses listed as being active, the IRS getting W2 forms from two employers that weren't even near each other, etc). In my experience, though, companies and government agencies don't mind missing red flags. Red flags mean that someone has to put in extra effort to resolve the issue. Ignoring the red flag, though, means that you continue doing what you're doing and it becomes someone else's problem.

There's a more sinister reason behind it. A huge chunk of W2s under duplicate SSNs are due to illegal immigrants using a fake SSN to work. You can't just make up any number - the IRS will reject that. So (presumably) they or someone they hire gets a real person's SSN, and the illegal immigrant adopts that person's name, identity, and SSN. "Fixing" this problem means creating a sure-fire way to prevent illegal immigrants from working in the country, so nothing is done about it. One party doesn't want to fix it because they want to make these people citizens so they'll vote for that party. An influential fraction of the other party doesn't want to fix it because they want these people to remain as a source of cheap labor.

I used to do the accounting at a company which I'm pretty sure had a not-insignificant number of illegal immigrants. Employers are only allowed to ask potential employees for certain pieces of ID, and the most common one is the Social Security Card. The government has no system by which an employer can verify a SSN matches other info the applicant provides, so all you can do is look at it and see if it seems real (it's super-easy to fake), make a photocopy of it, and keep it in the employee's file. If INS ever comes knocking, that's your proof that you've done your due diligence. Anyway, about a month or two after I completed everyone's W2s, I got a stack of letters from the IRS about "irregularities" with the W2s. Some careful reading between the lines and some web research turned up that these letters are commonly generated when two W2s are issued for the same person whose name and SSN match but other details (like address) differ. As an employer, you just sign saying that the employee swears that that's their real SSN, mail it back, and it becomes the government's problem. I'd like to do more as an employer, but my job is running a company, not immigration enforcement. The government doesn't even provide me with tools to verify it anyway. And the potential liability for incorrectly ratting someone out as illegal is huge.

Re:Probably not a coincidence

[darthsilun]

I'm not sure why this gets +5 informative, this just isn't that uncommon.
The fact that you got two consecutive numbers is because your parents applied at the same time in the same state.
My bother and I were born in Illinois, but our parents didn't apply for our SSNs until we lived in California. Our SSNs are "California SSNs, and they're close, but not consecutive.
Unlike when we – you, your sister, me, my brother – got our SSNs, now you must apply for your child's SSN when they're born so you can claim them as a dependent on your tax return.

Re:Probably not a coincidence

[Hognoxious]

Not from the US, but I worked there for a while. It was a long time ago but I'm pretty sure I went to the office, showed my visa and the lady pulled a stack of cards out of her desk. She took the one off the top, put the details in the computer, handed it to me. Ten minutes from finding the place to "have a nice day".

Re:Probably not a coincidence

[swillden]

"Fixing" this problem means creating a sure-fire way to prevent illegal immigrants from working in the country, so nothing is done about it. One party doesn't want to fix it because they want to make these people citizens so they'll vote for that party. An influential fraction of the other party doesn't want to fix it because they want these people to remain as a source of cheap labor.

Semi-OT, but I just want to throw out my favorite low-cost, low-effort fix for getting nearly all illegal immigrants out of the country.There are two steps:

1. Make it a criminal offense to hire a worker not vetted as legally able to work by the E-Verify system, and beef up the E-Verify system so it validates with roughly the same level of assurance as the US Passport issuance system. By "criminal offense" I mean "non-trivial mandatory jail time for the most senior company officer who approved/ordered the hire".

2. Offer permanent resident alien status (green card) to any undocumented worker who turns in his employer. The alien gets the green card whether or not E-Verify supports his right to work, to reduce the risk to the alien of coming forward. Phase this step in a year or two after the first, but make sure everyone knows it's coming.

I doubt the program would actually give out many green cards for shady employers. It would probably give a few out for bugs in the E-Verify system.

However, you're right that this won't happen because neither party really wants illegal immigration ended. My specific plan would also generate lots of objections among conservatives aghast at the idea of giving green cards to some "undeserving" people, even though the numbers would be small and the approach would be dramatically cheaper (theoretically appealing to conservatives) than other alternatives.

Re:Probably not a coincidence

[jellomizer]

There was a case where 2 people had the same name dob and state of birth, and they had lived in the same address at different times. That really gummed up the probabilistic matching algorithm

Re:Probably not a coincidence

[jellomizer]

Normally they would use it to check your credit or as a way to verify you identity.

Re:Probably not a coincidence

[Cerlyn]

The algorithm *was* pull the last number off of the list.

As of June 25, 2011, that is not the case anymore.

That said, this does not help any of us that are less than 4 years old.

Re: Probably not a coincidence

[rickb928]

2010, extending the cuts of 2003.

But to the government, 'income' can also be borrowing.

Re: Probably not a coincidence

[rickb928]

Ditto here. In fact, my two brothers and two sisters all share with me SSNs that are a total of 8 digits apart. Only the last digits are different.

In the 70s two banks helpfully changed my SSN, believing it was an error, merging my checking account with hers. Great fun undoing that. I never did business with either bank again, and until I moved out West we checked before changing banks.

Duplicate and assumed SSNs should be resolved, but won't be for reasons already expressed. But then we need to secure our borders before we discuss amnesty. You shouldn't be ordering off the menu if you have no idea how much it will cost, unles you don't care.

Re:Probably not a coincidence

[jittles]

It's more likely that the algorithm used to generate SSNs, given the same input data, generates the same output.

The "algorithm" is "pull the next number off the list". My sister and I were born in different states, two years apart ... and we have different first names. My parents requested SSNs for both of us at the same time, and they were given two consecutive numbers.

By consecutive I assume that you mean that you have something like 11 and she has 13 or whatever. The SSA has never given out consecutive numbers. They give out odds and then evens and this has always been the case. See Wikipedia. We have a string of consecutive even numbers in my family - four in a row, in fact.

Re:Probably not a coincidence

[LWATCDR]

You left out the third reason.
We bet to collect taxes and SS from those workers. They can never collect the ss because they are illegals and that helps keep ss afloat.
And both sides want the cheap labor and use then for an advantage.

Re:Probably not a coincidence

[Gryle]

Not necessarily. A rental agency ran a credit check on me a few years back. State law required they give me the results. Turns out I share a social security number with a dead guy from Alabama and a woman twice my age from eastern Texas. The names and birthdates of the other two folks were nowhere close to mine.

Re:Probably not a coincidence

[pla]

Born in same area, same date, same first three letters of last name-- expect collisions.

Your SSN doesn't "hash" anything. From 1972 through 2011 (the range applicable to these two women), only the the first three numbers (the area number) actually meant anything in isolation. The middle pair of numbers (the group number) only has meaning within a given area, and even then it just serves to more-or-less evenly subdivide the area. And the final four numbers (the serial number) monotonically increases from 0001 through 9999.

So rather than a collision, you could more accurately call this a race condition. Two requests go in at approximately the same time without adequate semaphores, and the serial number didn't get incremented early enough in the process to avoid both processes getting the same "next" number available.

The geek in me would love to know if no one ever received the next number in sequence - Did they double-increment after issuing the number, or did one of them overwrite the other?

Re:Probably not a coincidence

[jdavidb]

"Fixing" this problem means creating a sure-fire way to prevent illegal immigrants from working in the country, so nothing is done about it. One party doesn't want to fix it because they want to make these people citizens so they'll vote for that party. An influential fraction of the other party doesn't want to fix it because they want these people to remain as a source of cheap labor.

Hmm. Is it okay if I don't want there to be a sure fire way to prevent illegal immigrants from working in the country, but still want the problem to be fixed somehow?

Re: Probably not a coincidence

[Coren22]

They don't pay out twice, so I would assume that there is some kind of verification process to see who was born in the US when there are multiple claims on the same SSN.

Re:Probably not a coincidence

[Coren22]

Wouldn't it help everyone who is less than 4 years old?

Re:Probably not a coincidence

[ShanghaiBill]

By consecutive I assume that you mean that you have something like 11 and she has 13 or whatever.

No. My sister's SSN and my SSN are exactly the same except for the last digit. Mine ends in 7, hers ends in 8.

The SSA has never given out consecutive numbers.

I am a counter-example, so you are wrong. Never say never.

Re: Probably not a coincidence

[unrtst]

They may be asking for your number, but social security, will only say, if the number is in use. Any number will work. The number is not an identifier, except for claiming claiming benefits.

This is a bit misleading. What question are you asking and to whom? If you ask the SSNVS, it will verify the name and SSN match, so you can't just use any name with any SSN and have it pass that test.

Re:Probably not a coincidence

[currently_awake]

If they checked for duplicates, it would prevent illegal immigrants from re-using a stolen number in order to work in the USA. Checking for duplicate use seems like an easy way to prevent illegal immigration, certainly cheaper than a three thousand mile fence. I suspect that government has taken steps to prevent such checking, in order to lower the cost of doing business (for corporations) in the USA.

Re:Probably not a coincidence

[parkinglot777]

Born in same area, same date, same first three letters of last name-- expect collisions. That is how the formula works for allocation, and I am sure real-time checking wasn't done due to "low probability."

Did you mean that around 1990 (25 years ago), SS agency already had computers with hashing formula to do the allocation for them?

Re:Probably not a coincidence

[unrtst]

That does not mean that those other two people were assigned those SSN's. It just means that they (or someone posing as them) used that SSN in association with their names at some point for something that reached a credit reporting place.
Within the SSA, I'm fairly certain it's a one-to-one lookup (lookup one SSN, you get one name back).

It does speak to the fact that using SSN for this purpose (credit checks and tracking) is pretty weak, though there isn't a whole lot of other options.

Re:Probably not a coincidence

[Obfuscant]

The article lists some red flags that should have been raised (two addresses listed as being active, the IRS getting W2 forms from two employers that weren't even near each other, etc).

1. I moved during the tax year.

2. I telecommute to one job in another state, work a second job here.

3. I work two jobs locally, but one (or both) is at a branch site of a national company with headquarters in another state.

There are all kinds of valid reasons to get W2s from employers who aren't near each other. If the IRS had to spend time tracking all of those valid cases down, they'd not have enough time to do anything else. So yes ...

Red flags mean that someone has to put in extra effort to resolve the issue.

And having a warning system that has consistent false positives is a bad thing, because it wastes time tracking down the false positives and hides the true ones. It's like the silly way a C compiler will see one error in the first line of a file, report that, and then continue to spew errors about everything that follows that is a result of that first error. "Wow, that program must be really buggy." "No, they just misspelled 'include' in line two."

Re:Probably not a coincidence

[painandgreed]

Same for Oklahoma.

Re:Probably not a coincidence

[libertytrek]

"Fixing" this problem means creating a sure-fire way to prevent illegal immigrants from working in the country, so nothing is done about it. One party doesn't want to fix it because they want to make these people citizens so they'll vote for that party. An influential fraction of the other party doesn't want to fix it because they want these people to remain as a source of cheap labor.

Semi-OT, but I just want to throw out my favorite low-cost, low-effort fix for getting nearly all illegal immigrants out of the country.There are two steps:

1. Make it a criminal offense to hire a worker not vetted as legally able to work by the E-Verify system, and beef up the E-Verify system so it validates with roughly the same level of assurance as the US Passport issuance system. By "criminal offense" I mean "non-trivial mandatory jail time for the most senior company officer who approved/ordered the hire".

Please point to the Article:Clause in the Constitution that delegates the Federal Government (or State Government) the power to control who can work for who in this country. I won't hold my breath. This infuriates me no end. The government has NO BUSINESS telling me who I can and cannot work for, and that is precisely what E-Verify is, whether it is used for that purpose TODAY or not. But if nits like you get their way, it won't be long before you get turned down for a job for any number of reasons: outstanding parking ticket? No job for you.

Re:Probably not a coincidence

Illegal aliens regularly use the SSN of two deceased relatives in our family.
One died as a child in 1990 and the other passed away around 2002.
The ssn for the child has been used 5 times that I know of, so its probably more like 50 times.
The ssn for the adult has been used twice that I know of.

This is a serious problem, and another avenue where we allow illegals in the u.s.

Its likely that most of the duplicate ssn's are due to illegal aliens.

We The People do not care where you are from: You are here legally or you have committed a crime.

Illegal immigration is about Nationality. Take your comments about race and shove them somewhere.

Re:Probably not a coincidence

[clintp]

I work in software for a payroll processor and the "duplicate" SSN problem comes up all the time.

First off, we're not the employer and really don't care who you hire -- that's your problem. I think your contract with us requires that you perform verification of your employees, but we don't handle it. Give us an SSN, and we'll put it in the system.

Secondly, we *legitimately* see duplicate SSN's all the time in our database. Most common? Someone holds two jobs at once and we do payroll for both employers, for example.

Or, a worst case? Jane Smith works at ABC Company on January 1. She gets married on February 1, changes her name legally, moves, and gets a new job. Her old employer "lays off" Joan in case she comes back. February 2 she shows up in our database as Jane Doe at a new address, new job, new name but the same SSN. Both employers saw legitimate documentation and neither has knowledge or a duty to inform the other of any of this -- nor does the employee. We are bound not to disclose this to either client (confidentiality). What do we do? The quarterly filings contain completely different Janes, with the same SSN.

This is someone else's problem.

Now the State and Feds have this file that contains a "duplicate" SSN -- and they know it. What can they do, short term? They've got to swallow the file and take the withholding money. They're so far downstream from the problem, the best they can hope for is to send a notice to the employers asking "WTF" or kick Jane out for an audit when she files. The employers will both say she's fine. When she files -- a year later -- she claims both incomes, properly. Everything is okay for the IRS.

TLDR: SSN is a *terrible* indicator of uniqueness, and the IRS can't find your illegals for you.

Re:Probably not a coincidence

[DrVxD]

Don't do that - sooner or later we're going to run out of GUIDs. There's only so many of them - and once they're gone, they're gone. That's it. That's your lot.
There won't be any more.

Re:Probably not a coincidence

[matthewd]

I'm not familiar with the validation associated with the passport system, but the problem with relying on E-Verify as it is now is that it is not designed to detect identity theft. All E-Verify will do (at least the last time I looked at it) is tell you that the social security number, name, gender, birth date, match. If an illegal immigrant has stolen someone's identity and presents an employer with information that matches, then E-Verify is going to say the employee is ok.

I presume that the passport system is designed more strictly to identify your identity, so really what you are talking about is more like a national identity card? A picture ID at the least, a biometric ID card may be better. Although I've heard that will not go over so well in some quarters.

Now the government could modify the system to start flagging SSNs that get multiple uses, but that becomes problematic. What happens when a person who actually is the real person that belongs to the SSN gets flagged (and possibly denied employment or has employment delayed)? If the government starts keeping track of multiple hits on the same SSN, then the government now has "constructive knowledge" that one or more individuals are at a minimum engaging in identity theft and likely not citizens (the main reason for engaging in identity theft to obtain employment). Now the government will be expected to do something about it.

Several years ago the SSA was going to start sending out "no match" letters to employers when the SSN's didn't match the employee information provided on the W-2's. The employer was then supposed to contact the employee and give them instructions on what to do (depending on whether the employee maintained that the SSN was correct) which could include going down to the local SSA office to sort things out. That program never got off the ground.

Re:Probably not a coincidence

[LWATCDR]

No they don't.
http://www.factcheck.org/2009/...

Re:Probably not a coincidence

[show+me+altoids]

Same for Missouri, and I suspect several other states. I think it only lasted about 3-4 years though.

Re:Probably not a coincidence

[swillden]

But if nits like you get their way, it won't be long before you get turned down for a job for any number of reasons: outstanding parking ticket? No job for you.

If I got my way, we'd just open the borders. I'm not saying that we should stop immigration of workers, just that if we wanted to, there's a really easy way to do it.

Re:Probably not a coincidence

[beckett]

i read slashdot just so i can find comments like this.

Re:Probably not a coincidence

[volmtech]

Do you know how many rights a person gets when they set foot on American soil? Have you heard of anchor babies? How about criminals, unaccompanied minors, or off the books entrepreneurs? Build the wall, now.

Not the same problem as most of the duplicates.

[daninaustin]

Most of the duplicates are due to fraud by illegals.

Re:Not the same problem as most of the duplicates.

Probably, but its true.

Yes, having immigration laws like every other nation (most nations are not majority white!) and expecting those laws to either be enforced or be repealed is so very racist.

This is why no one takes you seriously who didn't already agree with you.

Re:Not the same problem as most of the duplicates.

[ShanghaiBill]

Probably, but its true.

Unlikely. There are 40 million dupes, and only 12 million illegals.

Re:Not the same problem as most of the duplicates.

[nwf]

No, they all use 123-45-6789.

Re:Not the same problem as most of the duplicates.

[AK+Marc]

How do the illegals dupe the government into giving out the same SSN to multiple people?

Re:Not the same problem as most of the duplicates.

[DaHat]

Depends on how good their forger is... A couple decades ago I had someone show up with a social security card in the form 1234-56-789. Somehow they got the groupings out of order and were reminded that they needed a 'real' card.

Re:Not the same problem as most of the duplicates.

[kbg]

1) It is possible some illegals use more than one SSN.
2) The 12 millions are an estimation, give we are talking about illegals here.
3) 12 million may be the current number but you have to take into account some time period of illegals, since over 700,000 enter each year.

Re:Not the same problem as most of the duplicates.

[kbg]

That's amazing. I've got the same combination on my luggage.

Re:Not the same problem as most of the duplicates.

[Overzeetop]

That's the one you're supposed to use to get free ACA healthcare.

Re:Not the same problem as most of the duplicates.

[Notorious+G]

That 12 million is a estimate based on ... what? Other estimates put it as high as 30 million. Both are WAG's.

Re:Not the same problem as most of the duplicates.

[david_thornley]

They don't. They use somebody else's SSN to fill in hiring paperwork. Therefore, you can, for all the SS administration knows, be working full-time doing software development in Boston and also working full-time on an Arizona construction project.

Re:Not the same problem as most of the duplicates.

[AK+Marc]

That's not a duplicate. If both of those people petitioned the SSA for a re-printed SSN card, there would be no duplication. If someone walks into Bob Smith's bank and asks for his money, claiming to be Bob Smith, he hasn't just duplicated Bob Smith.

Duplicates are when the SSA give the same number to two concurrent people. That's the only useful definition of that word, and that's why this story was interesting. It wasn't about fraud or illegal activity, it was about the SSA having the same SSN on record for multiple people. A rare event.

Re:Not the same problem as most of the duplicates.

[Talderas]

You've incorrectly parsed the summary. There's two stories in the summary. The first is about the rare incident where two people were issued the same SSN. The second story is about how 40,000,000 SSNs are associated with multiple people which the vast majority are either due to name changes or illegal immigrants using someone else's SSN to file employment paperwork.

And the first three digits?

[Krishnoid]

309

Re:And the first three digits?

[radiumsoup]

comments like this are the only reason I bother reading /. any more. well done.

Re:And the first three digits?

[codezion]

Jenny? Is that you?

prohibited ?

[randalware]

The SSA is prohibited from checking out errors with the SS numbers ?
Who better equiped to straighten out identity theft verifications ?
There is no National ID system and I don't think we want one.
Does this mean I don't have to verify my income with the IRS because the government doesn't know who I am ?
I recieved this SSN in error !
prove me wrong !

Re:prohibited ?

[righteousness]

Why don't you want a National ID system?

Re:prohibited ?

[davester666]

Sorry, the S.S.N. is a national id. It is used to identify you in any important document, in particular your tax return and passport. And even if it isn't directly asked for, your bank has it, as well as your credit card companies and anybody who buys your credit report.

Re:prohibited ?

[smhsmh]

The US social security number as an id is seriously broken. After consideration, I'd epect my ssn to be in at least 100 poorly-secured databases: bank accounts, insurance accounts, doctor/dentist/hospital facilities, employers, etc. The number is hardly secret, yet there are about 350M persons in the USA and only 1000M distinct ssns.

A better system would redefine a ssn as two components. A 9 (or 10?) digit public number would signify who you are -- lotsa entities need to know that -- and a 6-7 digit secret number would prove that you are the person associated with that ssn. It is pure hell when the first number needs to be changed (witness protection?) but the second number could be changed often and with little overhead or impact, whenever one suspects it has been compromised. The current electronic fiduciary networks would be sufficient and secure enough to support and manage this.

Unfortunately, the US Congress will eventually try to fix these problems by passing laws, making things illegal, rather than passing technology that makes violations almost impossible.

Re: prohibited ?

[Bing+Tsher+E]

It shouldn't be allowed for any organization to use a SSN as a secret code. I.e. nobody should have to keep their SSN secret. If I chose to put it on my mailbox, no credit agency should be able to penalize me. It should be of no value to an identity thief.

The way to accomplish this would be for the govt. to publish Name/Hometown/SSN for everybody.

It was never meant to be a secret, or a tool for bankers to sort us.

Re:prohibited ?

[Overzeetop]

The IRS may not care, but if/when they go to pull Social Security benefits in a couple of decades, one of the two of them is going to be royally fucked.

Re:prohibited ?

[Ramze]

Such an optimist -- thinking SS benefits will exist in a couple of decades. Plans are in progress to set the age for benefits higher than average life expectancy so it almost never has to pay out.

unique id

[hjf]

So, slashdot tells me americans HATE the idea of a centralized, unique ID number. Yet, they have a de-facto standard "unique" ID number, the SSN.

Can somebody explain?

Re:unique id

[Hadlock]

Right, either SSN or Federal Taxpayer ID #
 
There's also the federally issued passport, which also has it's own number. I've never really understood why the passport isn't just the de-facto personal ID, it's a global standard ID system recognized by all countries (as far as I know).
 
I'm sure there are others, but that's at least three federal unique ID systems for humans off the top of my head. Other certifications like HAM, Pilot, Captain's licenses are all forms of federal ID as well.

Re: unique id

[O('_')O_Bush]

What is there to explain? Americans hate the idea of the UID *because* they all have direct experience with having a SSN. The way the SSN is, it is like having a password for very important things, but one that you have to give out to every street vendor to verify you as well. Identity theft nightmare for the owner.

Re:unique id

[billrp]

Nothing much to explain - we just issue duplicate SSNs to avoid a unique, centralized ID number system.

Re:unique id

[tompaulco]

So, slashdot tells me americans HATE the idea of a centralized, unique ID number. Yet, they have a de-facto standard "unique" ID number, the SSN.

Can somebody explain?

It's not unique. 40 million people share one with somebody else according to the article.

Re:unique id

[amiga3D]

I know the joke at the local chicken processing plant was that they have over 200 immigrant workers and they all have the same SSN.

Re:unique id

[whoever57]

There's also the federally issued passport, which also has it's own number. I've never really understood why the passport isn't just the de-facto personal ID, it's a global standard ID system recognized by all countries (as far as I know).

Because:

1. Passports cost money,

2. Only a relatively small proportion of US citizens have passports, and

3. Not every US resident is entitled to a US passport.

Re:unique id

[Jason+Levine]

SSN started out merely as an identifying number to record social security payments. After awhile, though, it morphed into a number that identifies you for everything. However, this isn't a very secure number and it can be compromised in any of a dozen different ways. Combine this with a person's name and date of birth and you can do some horrible things to their credit rating while raking up huge debts in their name.

I know this first hand since I'm a victim of identity theft. Someone got hold of my name, address, DOB, and SSN (how, I'll never know). They opened a credit card in my name. (Despite, I might add, getting my mother's maiden name wildly wrong. So much for that "security question.") The only thing that kept this nightmare from being much, much worse was that they paid for rush delivery of the card and THEN changed the address on the card. The card was sent to me before the address change went through so I was able to shut the account down before any real damage was done. Of course, I still need to have my credit frozen for the rest of my life since my information's out there and could be used at any moment.

Fortunately, there have been enough identity theft stories in the news to make people aware of the situation. Unfortunately, too many companies require you to give your SSN when they don't really need it and too many people just assume "it's required so I have no choice."

Re: unique id

[Miamicanes]

I'm pretty sure that most of the "40 million" are sharing a SSN with somebody who died *years* ago, and that the number of people like the two women cited as an example is much, MUCH smaller.

I mean, for ${deity.name}'s sake, there are only ~300 million *AMERICANS*. If one in 8 Americans had SSN collisions with another living person, I can *guarantee* it wouldn't have taken until now to be newsworthy.

That said, the gov't really needs to add at least a digit or two. Just adding one digit & making every existing SSN end with "0" until 2025 (to allow a graceful transition where existing 9-digit numbers would have an easily-derived 10-digit value) would give them enough unique numbers to go a few centuries without ever reusing a number.

Re:unique id

The United States is a socialist country that refuses to admit it, therefore they can't create the tools and infrastructure to govern properly. Hence the myriads of problems, including nearly infinite debts and this SSN laughable implementation.

Re:unique id

[XXongo]

It's not unique. 40 million people share one with somebody else according to the article.

Not exactly. If you click through to the link, it says that "more than 40 million SSNs are associated with multiple people." It turns out, when you read through the article, what this means is that at least once somebody made a typo and wrote the wrong social security number. Not cases of a people using the same social security numbers.

Re: unique id

[Wycliffe]

I'm pretty sure that most of the "40 million" are sharing a SSN with somebody who died *years* ago, and that the number of people like the two women cited as an example is much, MUCH smaller.

I mean, for ${deity.name}'s sake, there are only ~300 million *AMERICANS*. If one in 8 Americans had SSN collisions with another living person, I can *guarantee* it wouldn't have taken until now to be newsworthy.

That said, the gov't really needs to add at least a digit or two. Just adding one digit & making every existing SSN end with "0" until 2025 (to allow a graceful transition where existing 9-digit numbers would have an easily-derived 10-digit value) would give them enough unique numbers to go a few centuries without ever reusing a number.

Why would you add the digit on the end and break every system in existence? Much better to add it to the left like a normal number then the zero is completely optional unless you have a 10 digit SSN. Reusing SSNs is a stupid idea. Just start giving babies and new applicants 10 digit, then 11 digit numbers, etc... If everyone in 2016(or 2017 if you want to give a little more time) got a SSN greater than 999,999,999 then existing systems would adapt quickly, many probably already support ID fields greater than 9 digits as there are alternate IDs like passport numbers and foreign IDs already in existence that probably exceed 9 digits. The other alternative would be to go to alphanumeric IDs for new applicants.

Personally, though, it might be better to break the system and fix it right. Why do you need a non-changing number? Credit card companies and even banks have the ability to reissue you a new number if your previous number is compromised. Credit card companies sometimes even send you a new number every few years just for safety. A standard USA credit card is 16 digits, I would propose a 16 alphanumeric SSN that changes every year and can be invalidated at any time. When you file your taxes, you file it with the current year's SSN and then when it's complete, they send you a new SSN to use the next year. As long as each SSN is chained to the previous one, they you still have the ability to track what is needed but finding a 3 year old number is now worthless.

Re: unique id

[ag0ny]

The way the SSN is, it is like having a password for very important things, but one that you have to give out to every street vendor to verify you as well. Identity theft nightmare for the owner.

No.

The problem isn't what the SSN is. The problem is the way the SSN is used.

I'm Spanish. In Spain we have a national ID system, and I have my own ID number. However, we don't use this number as a password in order to verify that we are who we say we are. It's used more or less as an index in a database. You can easily find my national ID number with a simple Google search. Mine, and probably every other Spanish citizen's. No big deal about it.

In you case, what's going on is that a bunch of clueless policy makers working for businesses decided that the SSN would work fine as a way to identify people. It's not. You're using it wrong.

Re:unique id

[BarbaraHudson]

SSNs aren't unique. This has been known for a long time - it was discussed in the C user's journal back in the 80s.

Re:unique id

[jtownatpunk.net]

Your mother's maiden name isn't an identity check. It's like "What's your first pet's name". Nobody has the name of your first pet in a big database used to verify your identity. It's just a passphrase that can be anything. In fact, you should use something other than your mother's actual maiden name. Anyone can do a bit of research and find out your mother's maiden name. But they can't do research to find out the fake name you used so they won't be able to use that information to take over an established account.

Re:unique id

[aaarrrgggh]

Since all anybody really cares about is the last four digits, we could simplify it at the same time...

Re: unique id

[Bing+Tsher+E]

The power of businesses to use the SSN that way would vaporize if everybody just disclosed them to each other.

Re: unique id

[AK+Marc]

The number of edge cases is pretty small. And those exceptions have travel papers that are a passport, even if not an official passport. It's illegal for a state to allow someone to be stateless, so unless someone renounces without permission, like a refugee, and is granted asylum, they'll have a passport. That's about it for legal residents without a passport of any kind.

Re: unique id

[AK+Marc]

It's illegal for the banks to use SSN for the reasons they do. But nobody enforces the law against the financial sector. So it's not the SSN that's the problem, but laissez faire.

Re:unique id

[whoever57]

However, every US Resident not entitled to a US will have a Foreign Passport; which follows the same numbering rules.

In addition to the problem of stateless people, not entitled to any passport, do you really want your government delegating its ID management to other countries?

Oh, and numbers 4 and 5:

4. Passport numbers change with a newly issued passport.

5. What about people with two passports, or people who (after living in the USA for years) relinquish a foreign passport and get a US passport?

Re: unique id

[AK+Marc]

Where I am, we have one number for tax, one number for health care, one number for drivers license, one number for passports, and nobody uses any of them improperly. But they are all secret, and not known to anyone who doesn't need to know it.

SSN is supposed to be secure, but everyone has it and it isn't secure.

Re: unique id

[_Sharp'r_]

So your theory is that the government creates a centralized ID number, it's abused by the most heavily regulated industry we have and the problems are due to lack of enough government involvement in the process?

Dude, you gotta start sharing whatever you're smoking there...

Re: unique id

[ag0ny]

Where I am, we have one number for tax, one number for health care, one number for drivers license, one number for passports, and nobody uses any of them improperly. But they are all secret, and not known to anyone who doesn't need to know it.

SSN is supposed to be secure, but everyone has it and it isn't secure.

Exactly, it's the same thing in Spain. I have one DNI number (Documento Nacional de Identidad, National Identity Document), a drivers license number, and a passport number (used to be the same as my DNI, but now that I live in Japan the number has changed). Spain also has a number for tax purposes, the NIF (Número de Identificación Fiscal, Tax Identification Number), but it's just the DNI + a letter which is a function of the DNI numbers, sort of a CRC.

We don't go around telling our ID numbers to everybody (unless you're a business, then you're required to), but they aren't exactly secret either. The government itself routinely makes them available when publishing documents about student grants, lawsuits, etc, as in this one.

If you know my full name you can easily find out mine searching for "firstname lastname1 lastname2 NIF".

Re: unique id

[AK+Marc]

The financial industry isn't heavily regulated. What are you smoking?

Re:unique id

[dgatwood]

This is what databases are for.

select new_passport_number from passport_map where old_passport_number = '...';

Run in a loop until you don't get a new value. Add old and new country codes in there for good measure.

Re: unique id

[dgatwood]

Banks are, but AFAIK, the credit bureaus aren't. They're the root of the problem. If the credit bureaus really wanted to end so-called "identity theft", they could do it very easily. It would simply require them to invest the money to perform a callback authentication to all registered phone numbers prior to issuing new credit. Boom. No more "identity theft", or at least so many orders of magnitude less that the remainder could be treated as noise.

I put that in quotes because your SSN isn't a true identity, at least by the cryptographic meaning of the term. It's an identifier. An identity is something that can be used to prove who you are. An identifier is something that stands in for who you are. A proper identity should roughly guarantee non-repudiation. An identifier does not, because it is not secret. It is not possible for someone to steal a true identity, or anything that even approaches one. It is trivial to steal an identifier; it need only be shared once, and then it is no longer secret.

Thus, "identity theft" is a misnomer. It should be called "SSN theft", or even "unauthorized SSN use". But if we call called it that, then the credit bureaus couldn't pretend that the problem is a serious problem caused by a bunch of bad people, rather than an entirely artificial problem of their own making....

The again, if everyone who found a false entry on his or her credit report sued the credit bureau for libel, the problem might just take care of itself.

Re: unique id

[dgatwood]

Just to clarify, it is possible to steal a digital identity, but it is not possible to steal a digital identity when used correctly, e.g. when you use your private key to encrypt a nonce, and someone else decrypts that nonce with your public key to verify that you really do possess the private key associated with that public key.

Re: unique id

[dgatwood]

Financial systems already have to cope with two entirely overlapping sets of numbers—taxpayer identification numbers and SSNs. Both are nine-digit numbers. One has a single hyphen after the second digit, and the other has two hyphens. So it isn't as though you can just store the nine-digit number and ignore the rest of the string. To be useful, an SSN really needs to be stored as a ten- or eleven-digit string, and must be compared using string comparisons, not numeric comparisons.

Thus, it would make more sense to make the new batch of SSNs be dddd-dd-ddd, and construct the actual digits in exactly the same way that they do now. That would give an additional billion SSNs without any significant impact on anything. In fact, there are 8 possible single-hyphen variants, and we've only used one, which leaves seven billion more. There are 28 possible pairings of two hyphens (if I counted correctly), of which we have used only one, which leaves 27 billion additional values. You can also have zero hyphens, assuming that software doesn't have any checks that pitch a fit if you do that. Add them all together, and you get a whopping 35 billion possible additional SSNs or TINs at your disposal without the need to add any more digits. And you could also have variants that drop digits, which pushes the number up even higher.

Re: unique id

[AK+Marc]

Thus, "identity theft" is a misnomer. It should be called

Fraud. Nothing more, nothing less. Lies for gain. Why would there be any confusion on the matter? Oh yeah, if you call it bank fraud, the bank would pay for their loss. When you call it identity theft, you blame the victim for the bank's poor security and reduce the bank's loss.

Re:unique id

[Koby77]

The 40 million figure is misleading. After working with SSNs, I can tell you that it's mostly not the Social Security Administration accidentally issuing the same number to multiple people. The numbers are associated with multiple people because someone has chosen to use someone else's number fraudulently.

Re:unique id

[dunkelfalke]

Stateless people get a 1954 convention travel document for a passport.

Re: unique id

[_Sharp'r_]

Forbes: "The two sectors currently most affected by the regulatory environment in the U.S. are healthcare and financial services."

Regdata: "Regulation on Credit Intermediation and Related Activities has grown 517.73% since 1997."

Can you point to any data which shows the financial industry isn't heavily regulated? Simply googling the question is the financial industry heavily regulated seems to have a pretty broad consensus of answers in the affirmative. Why do you think otherwise?

Re: unique id

[Overzeetop]

A SSN contains 30 bits of information, plus a SSN.TIN bit which is 31 bits, or 4 bytes (with a bit to spare). They way you count it we'd need 11 bytes, minimum. It's easy to forget that, when many/most of these systems were set up, storage cost many orders of magnitude more than they do today. When you're paying on the order of a dollar per kB of information and you're storing data on 200 million people, it gets expensive.

Today, it's no big deal - we've got data capacity to spare. But there are a lot of legacy systems out there that would cost a Trillion dollars or more to rewrite all the code.

Re: unique id

[tompaulco]

The FEID and SSN are issued from the same range of numbers by different branches of the federal government, but eins do not overlap with SSN, except in rare accidental cases. I am not aware of any systems that attempt to make any use of the hyphen positions as predictors, but undoubtedly some are even though it is not a useful data point and subject to user error.

Re: unique id

[Wycliffe]

Changing every year? My my, someone is ambitious in wanting to destroy simpletons computer systems.
SSN should be nothing more than a DB number, not an identity.

This might be the better solution. Everyone gets a SSN, let them publish it on the side of their car or their license plate as a UID, but make it useless without a current password. It can be their DB number, it can be their identity, they can publish it on facebook or give it to their friends to say who they are but to actually file taxes, check your credit, do a bank loan, etc, it requires a current changable password. Just like every check you write has your bank account number on it, your SSN should identify who you are just like someone's public key verifies who they are but you should need a password to actually validate it.

Re:unique id

[danbert8]

I try to get out of it whenever possible. But for all practical purposes, you have no choice. For example, to set up natural gas service. You have option 1) providing your SSN which they will probably keep as insecurely as possible and also probably use for your customer number. Option 2 is putting down an excessively large deposit which must be done using cash at their office an hour away during "business hours" of 9-11AM or 1-3PM M-Th. Or I guess there is option 3 as well which is not heating your home or your water. Then again, the water company and the power company are going to pull the same shit, so I guess if you like living in a dark, cold home drinking bottled water and not showering sure, you have a choice of not providing your SSN.

Re:unique id

[IronChef]

In my state you need to purchase a special parking pass to enter state parks. You can get the pass when you register your car, or you can buy it at a sporting goods store like a fishing license.

To buy the pass at a retail location, you must give the clerk your social security number. Why does my state government require my SSN for a parking pass... and who thought that a system requiring a Big 5 clerk to handle private information was a good idea? It's absurd.

Re: unique id

[david_thornley]

Unfortunately, the government never has told me what my private SSAN is.

Re: unique id

[david_thornley]

Call it the Social Security 999-99-9999 problem, like the Y2K problem. I'm sure that nine digits seemed ample when the program was started, and I'm sure there are tons of COBOL programs listing it as either PIC 9(9) or PIC 9(3), PIC 99, PIC9(4), and tons of other programs and database tables allocating nine characters to it. This is going to be a serious problem.

Re:unique id

[david_thornley]

Yeah, it's a crap security check, but the fraudster failed it and it didn't stop him or her. No security check is worth anything if it's completely disregarded. (The worst case I know of was in Leo Mark's "Between Silk and Cyanide": British agents in Nazi-occupied Europe, particularly the Netherlands, were supposed to make specific mistakes in their messages home to verify they weren't under duress. The British message back would be something like "You forgot to include the anti-duress mistakes in your message. Please do it right next time." Just the thing you want to receive when your new SS "best friend" is sitting next to you.)

Re: unique id

[AK+Marc]

Yeah, so how large is the regulatory body of the banks? How does that compare to the FAA or FCC as bodies regulating other industries?

There are a lot of laws, and a lot of talk about it, but the actual hands-on regulation is completely missing. Otherwise the credit swap crash wouldn't have happened, as it happened 20 years before, in almost exactly the same way. If we had planes falling out of the sky the same way time after time, do you think the FAA would have done something about it? Probably. But not with banks. Because they aren't regulated.

Re: unique id

That's not even close to true. The Social Security Death Index is publicly accessible.

Re:unique id

[Citizen+of+Earth]

I've never really understood why the passport isn't just the de-facto personal ID

It's hard to stuff a passport into a card slot in your wallet. It's also too powerful. Hand it to some seedy shop owner and you could end up on a no-fly list on suspicion of international terrorism. The damage from a cloned driver's license is much more local.

Re: unique id

[_Sharp'r_]

You still haven't provided any actual comparison data, just questions. Provide the answers to your questions and maybe you can attempt to make a case, but you haven't made one so far by simply musing aloud about what you imagine.

Re: unique id

[AK+Marc]

Ah yes, the "do my research for me, so I can ignore it" compliant. Thanks for playing, but not worth my time to educate the uneducable. If you choose to not believe reality, it's not my job to fix your mental illness.

Re: unique id

[_Sharp'r_]

I provided links with facts and specific measurements.

You provided an unsubstantiated claim and refuse to provide any evidence for your claims. I already backed mine up. So we can clearly see you're just full of B.S. and have no idea what you're talking about.

Re:unique id

[Agripa]

Then again, the water company and the power company are going to pull the same shit, so I guess if you like living in a dark, cold home drinking bottled water and not showering sure, you have a choice of not providing your SSN.

The state will not approve you home for residency if it lacks basic services so problem solved.

Re:unique id

[danbert8]

Except the state would see that you do have services that you are refusing by not giving up your SSN.

Re:unique id

[Agripa]

I do not understand what you mean by this.

People installing solar systems which would allow completely off-grid self sufficiency have had this problem; they cannot forgo a grid connection and still legally live in their house. The same applies to other utilities.

Re:unique id

[danbert8]

You'll have the grid connection, but you won't have a service agreement. The lights are plugged in, but there's no voltage on the line. The water pipes are hooked up, but the valve is closed. The people who control the gates can pretty much demand whatever they want to initiate service. There isn't a competitor.

More than 1 in 10 are associated with multi

[tompaulco]

More than 1 in 10 are associated with multiple people. That is unbelievably poor quality control. You could GUESS at an SSN and 1 out of 3 would not be associated with somebody.

Let me fix that for you

[Laguerre]

ALTER TABLE ssn_info ADD CONSTRAINT ssn_unique UNIQUE (ssn);

Re:Let me fix that for you

[david_thornley]

Won't help you if two girls are entered as the same person. They probably have their own checks against issuing the same number for different people. The women were born on the same day, had very similar names (one looked like the nickname of the other), and were both in the same three-first-digit area.

Re: Random one?

[AndrewMontana]

9...?

SSN never really intended for current use

[bv728]

After they were originally issued in the 30s and 40s, there was a fad where people would have their SSN tattooed on their body as the government emphasized the importance of remembering them. The semi-public nature of the SSN is kind of interesting. Originally, they were basically intended to track your contribution to Social Security - what would you do, fraudulently contribute to someone else's retirement? Thus far, I don't believe they've been reissued, but we're likely pretty close, since they're NOT just random number combinations. Now, it only took them a few years before things went... strangely, but not badly, but their continued flow into general life means that a system designed to be semi-public has now gotten tendrils everywhere, and protection on them is not as good as it should be.

In my first programming job in 1982 for a bank...

we had three people with the same SSN. In 1935 in a three month period, 25 million numbers were issued from over a thousand post offices and from several companies, especially rail roads. Of course, there were mistakes made. What I still can't believe after encountering that almost a dozen more times, is that people still insist that SSNs are unique. I currently work for a payroll company, and we have a unique index on our database. People still mistakenly believe that they must be unique despite seeing proof that they are not.

Years and years ago...

[jtownatpunk.net]

...my company's accountant told me that someone in Los Angeles had used my SSN and the IRS was trying to garnish my wages. She told them that I was certainly not Mr. Aguilar and that I was not responsible for Mr. Aguilar's debt to the IRS. Seems like a simple thing but she was not supposed to tell me about the incident. Because if the proles ever found out how often this happens, they'd lose faith in the integrity of The System. I, as the taxpayer and rightful SSN holder was never contacted by the IRS to either collect money or warn me that there was someone out there using my SSN, possibly ruining my credit.

Re:Years and years ago...

The problem is that people allow private for-profit credit reporting agencies to rule their lives. These organisations are criminal. Any business can run a credit check on you, affecting your credit rating Heisenberg-style, or make a false report on your credit and are taken at their word. Want to lodge an objection as a lowly individual consumer? That will be a $50 fee., or worse, and there is no guarantee it will mean anything.

We need to stop letting these crooks (the credit reporting agencies) rule us. The only solution is to live without credit and completely neuter them and their currently ultimate power over people. Once, a cellular phone company failed to provide me with any actual service, so I refused to pay them. They even offered me 50 cents on the dollar on the amount they claimed I owed. I still refused to pay. I will not pay for services not actually rendered. My credit has been shit ever since. I refuse to pay the credit agency(ies) to object. It is a scam, it should be illegal - and as extortion, I believe it already is, yet this is somehow accepted.

So I have learned to live by: If I cannot afford to buy it in cash, then I do not need it. You'd be surprised how well that works out. (Owning a home has never been realistic for my generation in my country anyway - everything else a person needs can be bought in cash.)

Re:Years and years ago...

[sociocapitalist]

...my company's accountant told me that someone in Los Angeles had used my SSN and the IRS was trying to garnish my wages. She told them that I was certainly not Mr. Aguilar and that I was not responsible for Mr. Aguilar's debt to the IRS. Seems like a simple thing but she was not supposed to tell me about the incident. Because if the proles ever found out how often this happens, they'd lose faith in the integrity of The System. I, as the taxpayer and rightful SSN holder was never contacted by the IRS to either collect money or warn me that there was someone out there using my SSN, possibly ruining my credit.

They're just waiting for the interest to build up -

You should probably get something in writing from them saying that you don't owe anything.

Re:Years and years ago...

[jittles]

...my company's accountant told me that someone in Los Angeles had used my SSN and the IRS was trying to garnish my wages. She told them that I was certainly not Mr. Aguilar and that I was not responsible for Mr. Aguilar's debt to the IRS. Seems like a simple thing but she was not supposed to tell me about the incident. Because if the proles ever found out how often this happens, they'd lose faith in the integrity of The System. I, as the taxpayer and rightful SSN holder was never contacted by the IRS to either collect money or warn me that there was someone out there using my SSN, possibly ruining my credit.

I Had someone using my social security number for work once upon a time. Their company had a mandated retirement program. The IRS never complained about my taxes, even when I e-filed. One year I got a check in the mail for ~$5000 from a company I had never heard of, nor worked for. It was nowhere near me. My social security number and name were on the check. I called them up and asked them if there was some sort of mistake. Got transferred around and ended up talking to someone from HR and accounting in a conference call. They said they weren't allowed to give me any info about who had been using my info but said since it was clearly my name and social security number, I was welcome to cash the check and the money was all mine. Sometimes identity theft can work in your favor!

Re:Years and years ago...

[jittles]

They're just waiting for the interest to build up -

You should probably get something in writing from them saying that you don't owe anything.

As long as the GP has filed their taxes and keeps a copy of the filing records, the IRS only has 3 years to claim back taxes. You should keep your tax records for a minimum of 8 years as they can go back much further if they claim you never filed. I would recommend keeping your tax records indefinitely.

Re:Years and years ago...

[j-beda]

I Had someone using my social security number for work once upon a time. Their company had a mandated retirement program. The IRS never complained about my taxes, even when I e-filed. One year I got a check in the mail for ~$5000 from a company I had never heard of, nor worked for.

As an expat US Citizen, maybe I should try to get some illegal immigrant in the USA to use my SSN to do some work to build up my social security credits which have not been growing while I am out of the US....

Re:Years and years ago...

[Quirkz]

Did you end up having to pay an early withdrawal penalty for that check? Or income taxes? I mean, that's still probably a win, but it seems that there would be complications.

Re:Years and years ago...

[jittles]

Did you end up having to pay an early withdrawal penalty for that check? Or income taxes? I mean, that's still probably a win, but it seems that there would be complications.

That was almost a decade ago and the IRS never asked for anything. I never got a tax bill, or a form from the company indicating that i had withdrawn from a retirement account. I just took the money and ran, so to speak.

More specifically, IDENTIFY, not AUTHENTICATE

[raymorris]

> The US social security number as an id is seriously broken. After consideration, I'd epect my ssn to be in at least 100 poorly-secured databases: bank accounts, insurance accounts, doctor/dentist/hospital facilities, employers, etc. The number is hardly secret

More specifically, it's fine as an IDENTIFIER, and ID must necessarily be different from AUTHENTICATION. My name identifies me (approximately), my password authenticates me.

To be useful, a personal ID must be more or less public - the name "Barak Obama" is useful only because everyone knows who that is, it's public. Also, in order to be useful, authentication information must be private. So as you said, two pieces of information - one that is the ID, the other is the authentication.

This seems obvious, but people who should know better routinely treat user names as "a little bit secret". This is wrong. It's either secret, in which case it's hashed so nobody can read it, and it can be trusted to be secret, or it's it's not. Since a user name is not protected as a secret, don't start thinking that maybe it's a little bit secret, kinda maybe, and start putting any trust in people not knowing it. User names aren't hashed, they are sometimes displayed, so they aren't secret. Not even a little bit (especially not a little bit).

 

Re:More specifically, IDENTIFY, not AUTHENTICATE

[dgatwood]

User names aren't hashed, they are sometimes displayed, so they aren't secret.

That's not strictly true. It depends a lot on the nature of the site. On a banking site, for example, the username could theoretically be an account number. At the very least, the account number is likely to be your initial username when you first sign in to create an online account associated with a brick-and-mortar bank. In that case, the username actually would be secret, and wouldn't be displayed anywhere publicly (and wouldn't be displayed in full even within your account when logged in, typically).

And even on discussion forums, if the forum makes a distinction between the screen name (the visible name) and the actual login name, then the login name (often an email address) can be seen as at least somewhat secret. Such a distinction provides a lot of added security by making it considerably harder to guess someone's login credentials based solely on their public postings and password guessing, because the attacker also has to guess an email address. It isn't that the email address itself is secret, per se, so much as that the association between a given screen name and an underlying email address is secret.

Mind you, in no case is it likely to demand the same level of secrecy as a hashed password, though ostensibly you could construct a site that would give that level of secrecy by hashing both the email address and the password, and keeping only the screen name unhashed. Then, when the user logs in or requests a password change, you'd hash the email address and compare the hashes. Whether this would make sense or not depends largely on whether the email address is being stored for other purposes, such as allowing the user to subscribe to threads.

Random UUIDs

[SpaghettiPattern]

All those in favor of random UUIDs, raise your hands.

Devil's in the details

[Tablizer]

According to a 2010 study by ID Analytics, some 40 million SSNs are associated with multiple people.

That's about 1 on 7 Americans! I hope they mean that 1 in 7 had at least one cross-association error in past rather than 1 in 7 are actively referring to the same person.

Aadhaar in India

In India we now have a system called Aadhaar, the number is generated in a random fashion and just knowing the number does not mean anything and is of no use to anyone... But any company can use your number, name, address etc to verify if the details match each other.. they get a pure yes or no response back from the Aadhaar server... Credit cannot be obtained by just providing this number, you have to authenticate yourself with additional means to get credit...

Taxes...

[Kazoo+the+Clown]

So were both of them paying taxes?

No, UUIDs won't help.

That doesn't solve anything, because they were never meant to be secret in the first place. The "proper" use of an SSN is more like a username, not a password.

The real problem is that we have a bunch of people stupidly misusing a non-secret piece of information as if it was.

Similarly, I don't care if my license-plate number is sequential or random, any company that will lend money to someone who knows my name and license-plate is a company that is fucking up, and our laws need to recognize that it is *their* fuckup, not mine.

Re:No, UUIDs won't help.

[Gim+Tom]

Exactly! Social Security Numbers were never MEANT to be secret. One alternative solution would be for the Social Security Administration to publish every persons name and social security number and for the law that says that social security number not be used for identification be given some teeth. I am a bit surprised that some enterprising young attorney hasn't made this point in court.

Big surprise...

[Stephan+Schulz]

Vice president of a company that sells a solution to an alleged problem states that the alleged problem really is a really bad problem, citing an amusing anecdote as a hook and a study in which the company that sells the solution claims that the alleged problem really is a problem. A cynic might have some questions...

Re: Random one?

[WarJolt]

Bingo!!!

What'd I win?

Sue. sue, sue

[tekrat]

Experian is a multi-billion dollar entity. They will never change the data in their machines, because they long ago laid off all those people to raise their stock price.

People have been suing Experian for years to change their credit histories which are borked by these agencies. Experian has found it cheaper to pay the lawsuit settlements than spend the money to update credit histories.

You will never be able to get a credit card. But you might be able to get a 10's of thousands settlement with Experan, which might buy you a little happiness.

Seriously, you're better off leaving the country and restarting elsewhere under another system.

It's called a check, or ++. Forums are the problem

[raymorris]

> if the forum makes a distinction between the screen name (the visible name) and the actual login name, then the login name (often an email address) can be seen as at least somewhat secret.

That's precisely what causes the problem. In some well-known forum scripts, the user name (for logging in) isn't different from the visible "screen name". So it appears to be kinda secret. HOWEVER, a less-used feature of the forum uses the username as the identifier in links, something like profile.php?user=dgatwood. So it's not actually secret. Since it's not what is -normally- displayed, developers of the forum itself and of plugins sometimes treat it as secret, as if an attacker wouldn't know your user name. But there it is, right in your profile and elsewhere. So it's not secret, but it's being trusted as though it were secret.

It's not okay (security-wise) to have something publicly available, but then trust that it's not. It's either secret or not. "Somewhat secret" is really dangerous.

> the username could theoretically be an account
number... In that case, the username actually would be secret

I thought you were old enough to have written a check before. Your account number is on your check, which you handed to all of the clerk at the various stores you shop at. You might also notice account numbers are SEQUENTIAL. If I want to know someone's account number, I take mine and add one. If I add two, I get another valid account number. My bank account number is on my web site, so people can wire payments to me. Not secret, not even a little bit.

The PIN number to my debit card and my password for the bank's web site are the secrets. Anybody who knows how to add one to a number (any third grader) can enter my account number into the bank's web site. Entering my password to go with it is the tough part.

Paying taxes

[Zaowulf]

When we got married, my wife changed her last name. For the next 5 years nobody could figure out why the IRS kept rejecting our joint return. After multiple calls and in-person visits, we finally got the Social Security office to admit that when they changed her name, someone also updated her date of birth. We never knew that was possible, and she certainly didn't check whatever box indicates that that was her intention. What's more, the person behind the counter said she didn't know it was possible either.

Re:It's called a check, or ++. Forums are the prob

[david_thornley]

If my user ID is not my screen name, even if it is used elsewhere on the site it may stop the really casual crackers. It's not somethiing I'd want to rely on at all, but it could help a bit. In an MMORPG, some griefer might do password guesses on my screen name, and many players probably use bad passwords.

They're missing out on a big opportunity.

[BarbaraHudson]

I would PAY to have a number that started with 666.

How many people would pay to have a number starting with 007?

Back in the day......

[Gim+Tom]

Back in the dark ages (1976-1999) I worked on a large mainframe system that used the Social Security Number of virtually everyone as the primary key in the master database that included all employees and anyone applying for employment. We had about 80,000 employees and got over 100,000 new applicants each year. Duplicate social security numbers were fairly common and were not limited to any one group or class. Some were entry errors or mistakes on applications but at least a dozen or more each year were true duplicates with original social security cards.

We finally moved to a relational database with our own primary key and it stopped being a problem for me. Probably not for those with the duplicate numbers though.

Re:It's called a check, or ++. Forums are the prob

[dgatwood]

I thought you were old enough to have written a check before. Your account number is on your check, which you handed to all of the clerk at the various stores you shop at. You might also notice account numbers are SEQUENTIAL. If I want to know someone's account number, I take mine and add one. If I add two, I get another valid account number. My bank account number is on my web site, so people can wire payments to me. Not secret, not even a little bit.

For a checking account, that is true, but it isn't true for (for example) a credit card account number or a savings account number.

When the banking system as a whole was set up initially, the assumption was that most of your money would be in a savings account, and that your checking account would contain only enough money to handle typical transactions. If it suddenly went empty because of fraud, the bank could cover the loss. That breaks down somewhat if you're doing everything with one account, obviously, but that's another issue entirely.

Either way, the general advise that the banks give is to treat the account number as a secret, and to not give it out unless necessary (which means writing checks only to people you trust at least to some degree). After all, once I have your account number, I can very easily get a deck of checks printed with that number, and it is unlikely that I would get caught, so long as I shopped in random places that are all far from home. But it is secret only because the system is fundamentally broken, once again treating a mere identifier as an identity.