Slashdot Mirror
Same Birthday, Same Social Security Number, Same Mess For Two Florida Women (cio.com)
itwbennett writes: After 25 years, the Social Security Administration (SSA) has fessed up to giving two Florida women who shared a name and a birthday the same social security number. The women only recently discovered that they shared an SSN, but not before having trouble getting loans and having tax returns rejected. You might think that the SSA would catch something like this, but as it turns out, they are prohibited from trying to verify the legitimate owner of an SSN, except in rare cases, says Ken Meiser, VP of identity solutions at ID Analytics, provider of credit and fraud risk solutions. And the problem isn't as rare as you might think (except for the part about two women with the same name born on the same day in the same state). According to a 2010 study by ID Analytics, some 40 million SSNs are associated with multiple people.
8675
I would assume that it is not a coincidence that two women with the same name and same birthdate got the same social security number; I expect that when the second application came in, they checked the name and birdhday and assumed that it was a duplication of the first application, and just send out "here is your number".
Most of the duplicates are due to fraud by illegals.
309
The SSA is prohibited from checking out errors with the SS numbers ?
Who better equiped to straighten out identity theft verifications ?
There is no National ID system and I don't think we want one.
Does this mean I don't have to verify my income with the IRS because the government doesn't know who I am ?
I recieved this SSN in error !
prove me wrong !
This is my opinion based on what little I know and understand of the rumors and lies Thanks, Randal
What is there to explain? Americans hate the idea of the UID *because* they all have direct experience with having a SSN. The way the SSN is, it is like having a password for very important things, but one that you have to give out to every street vendor to verify you as well. Identity theft nightmare for the owner.
while(1) attack(People.Sandy);
Nothing much to explain - we just issue duplicate SSNs to avoid a unique, centralized ID number system.
I know the joke at the local chicken processing plant was that they have over 200 immigrant workers and they all have the same SSN.
Because:
1. Passports cost money,
2. Only a relatively small proportion of US citizens have passports, and
3. Not every US resident is entitled to a US passport.
The real "Libtards" are the Libertarians!
SSN started out merely as an identifying number to record social security payments. After awhile, though, it morphed into a number that identifies you for everything. However, this isn't a very secure number and it can be compromised in any of a dozen different ways. Combine this with a person's name and date of birth and you can do some horrible things to their credit rating while raking up huge debts in their name.
I know this first hand since I'm a victim of identity theft. Someone got hold of my name, address, DOB, and SSN (how, I'll never know). They opened a credit card in my name. (Despite, I might add, getting my mother's maiden name wildly wrong. So much for that "security question.") The only thing that kept this nightmare from being much, much worse was that they paid for rush delivery of the card and THEN changed the address on the card. The card was sent to me before the address change went through so I was able to shut the account down before any real damage was done. Of course, I still need to have my credit frozen for the rest of my life since my information's out there and could be used at any moment.
Fortunately, there have been enough identity theft stories in the news to make people aware of the situation. Unfortunately, too many companies require you to give your SSN when they don't really need it and too many people just assume "it's required so I have no choice."
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
9...?
we had three people with the same SSN. In 1935 in a three month period, 25 million numbers were issued from over a thousand post offices and from several companies, especially rail roads. Of course, there were mistakes made. What I still can't believe after encountering that almost a dozen more times, is that people still insist that SSNs are unique. I currently work for a payroll company, and we have a unique index on our database. People still mistakenly believe that they must be unique despite seeing proof that they are not.
...my company's accountant told me that someone in Los Angeles had used my SSN and the IRS was trying to garnish my wages. She told them that I was certainly not Mr. Aguilar and that I was not responsible for Mr. Aguilar's debt to the IRS. Seems like a simple thing but she was not supposed to tell me about the incident. Because if the proles ever found out how often this happens, they'd lose faith in the integrity of The System. I, as the taxpayer and rightful SSN holder was never contacted by the IRS to either collect money or warn me that there was someone out there using my SSN, possibly ruining my credit.
I'm pretty sure that most of the "40 million" are sharing a SSN with somebody who died *years* ago, and that the number of people like the two women cited as an example is much, MUCH smaller.
I mean, for ${deity.name}'s sake, there are only ~300 million *AMERICANS*. If one in 8 Americans had SSN collisions with another living person, I can *guarantee* it wouldn't have taken until now to be newsworthy.
That said, the gov't really needs to add at least a digit or two. Just adding one digit & making every existing SSN end with "0" until 2025 (to allow a graceful transition where existing 9-digit numbers would have an easily-derived 10-digit value) would give them enough unique numbers to go a few centuries without ever reusing a number.
Why would you add the digit on the end and break every system in existence? Much better to add it to the left like a normal number then the zero is completely optional unless you have a 10 digit SSN. Reusing SSNs is a stupid idea. Just start giving babies and new applicants 10 digit, then 11 digit numbers, etc... If everyone in 2016(or 2017 if you want to give a little more time) got a SSN greater than 999,999,999 then existing systems would adapt quickly, many probably already support ID fields greater than 9 digits as there are alternate IDs like passport numbers and foreign IDs already in existence that probably exceed 9 digits. The other alternative would be to go to alphanumeric IDs for new applicants.
Personally, though, it might be better to break the system and fix it right. Why do you need a non-changing number? Credit card companies and even banks have the ability to reissue you a new number if your previous number is compromised. Credit card companies sometimes even send you a new number every few years just for safety. A standard USA credit card is 16 digits, I would propose a 16 alphanumeric SSN that changes every year and can be invalidated at any time. When you file your taxes, you file it with the current year's SSN and then when it's complete, they send you a new SSN to use the next year. As long as each SSN is chained to the previous one, they you still have the ability to track what is needed but finding a 3 year old number is now worthless.
The way the SSN is, it is like having a password for very important things, but one that you have to give out to every street vendor to verify you as well. Identity theft nightmare for the owner.
No.
The problem isn't what the SSN is. The problem is the way the SSN is used.
I'm Spanish. In Spain we have a national ID system, and I have my own ID number. However, we don't use this number as a password in order to verify that we are who we say we are. It's used more or less as an index in a database. You can easily find my national ID number with a simple Google search. Mine, and probably every other Spanish citizen's. No big deal about it.
In you case, what's going on is that a bunch of clueless policy makers working for businesses decided that the SSN would work fine as a way to identify people. It's not. You're using it wrong.
My site
SSNs aren't unique. This has been known for a long time - it was discussed in the C user's journal back in the 80s.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Your mother's maiden name isn't an identity check. It's like "What's your first pet's name". Nobody has the name of your first pet in a big database used to verify your identity. It's just a passphrase that can be anything. In fact, you should use something other than your mother's actual maiden name. Anyone can do a bit of research and find out your mother's maiden name. But they can't do research to find out the fake name you used so they won't be able to use that information to take over an established account.
> The US social security number as an id is seriously broken. After consideration, I'd epect my ssn to be in at least 100 poorly-secured databases: bank accounts, insurance accounts, doctor/dentist/hospital facilities, employers, etc. The number is hardly secret
More specifically, it's fine as an IDENTIFIER, and ID must necessarily be different from AUTHENTICATION. My name identifies me (approximately), my password authenticates me.
To be useful, a personal ID must be more or less public - the name "Barak Obama" is useful only because everyone knows who that is, it's public. Also, in order to be useful, authentication information must be private. So as you said, two pieces of information - one that is the ID, the other is the authentication.
This seems obvious, but people who should know better routinely treat user names as "a little bit secret". This is wrong. It's either secret, in which case it's hashed so nobody can read it, and it can be trusted to be secret, or it's it's not. Since a user name is not protected as a secret, don't start thinking that maybe it's a little bit secret, kinda maybe, and start putting any trust in people not knowing it. User names aren't hashed, they are sometimes displayed, so they aren't secret. Not even a little bit (especially not a little bit).
The number of edge cases is pretty small. And those exceptions have travel papers that are a passport, even if not an official passport. It's illegal for a state to allow someone to be stateless, so unless someone renounces without permission, like a refugee, and is granted asylum, they'll have a passport. That's about it for legal residents without a passport of any kind.
Learn to love Alaska
It's illegal for the banks to use SSN for the reasons they do. But nobody enforces the law against the financial sector. So it's not the SSN that's the problem, but laissez faire.
Learn to love Alaska
Where I am, we have one number for tax, one number for health care, one number for drivers license, one number for passports, and nobody uses any of them improperly. But they are all secret, and not known to anyone who doesn't need to know it.
SSN is supposed to be secure, but everyone has it and it isn't secure.
Learn to love Alaska
Banks are, but AFAIK, the credit bureaus aren't. They're the root of the problem. If the credit bureaus really wanted to end so-called "identity theft", they could do it very easily. It would simply require them to invest the money to perform a callback authentication to all registered phone numbers prior to issuing new credit. Boom. No more "identity theft", or at least so many orders of magnitude less that the remainder could be treated as noise.
I put that in quotes because your SSN isn't a true identity, at least by the cryptographic meaning of the term. It's an identifier. An identity is something that can be used to prove who you are. An identifier is something that stands in for who you are. A proper identity should roughly guarantee non-repudiation. An identifier does not, because it is not secret. It is not possible for someone to steal a true identity, or anything that even approaches one. It is trivial to steal an identifier; it need only be shared once, and then it is no longer secret.
Thus, "identity theft" is a misnomer. It should be called "SSN theft", or even "unauthorized SSN use". But if we call called it that, then the credit bureaus couldn't pretend that the problem is a serious problem caused by a bunch of bad people, rather than an entirely artificial problem of their own making....
The again, if everyone who found a false entry on his or her credit report sued the credit bureau for libel, the problem might just take care of itself.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Thus, "identity theft" is a misnomer. It should be called
Fraud. Nothing more, nothing less. Lies for gain. Why would there be any confusion on the matter? Oh yeah, if you call it bank fraud, the bank would pay for their loss. When you call it identity theft, you blame the victim for the bank's poor security and reduce the bank's loss.
Learn to love Alaska
That doesn't solve anything, because they were never meant to be secret in the first place. The "proper" use of an SSN is more like a username, not a password.
The real problem is that we have a bunch of people stupidly misusing a non-secret piece of information as if it was.
Similarly, I don't care if my license-plate number is sequential or random, any company that will lend money to someone who knows my name and license-plate is a company that is fucking up, and our laws need to recognize that it is *their* fuckup, not mine.
Experian is a multi-billion dollar entity. They will never change the data in their machines, because they long ago laid off all those people to raise their stock price.
People have been suing Experian for years to change their credit histories which are borked by these agencies. Experian has found it cheaper to pay the lawsuit settlements than spend the money to update credit histories.
You will never be able to get a credit card. But you might be able to get a 10's of thousands settlement with Experan, which might buy you a little happiness.
Seriously, you're better off leaving the country and restarting elsewhere under another system.
If telephones are outlawed, then only outlaws will have telephones.
I try to get out of it whenever possible. But for all practical purposes, you have no choice. For example, to set up natural gas service. You have option 1) providing your SSN which they will probably keep as insecurely as possible and also probably use for your customer number. Option 2 is putting down an excessively large deposit which must be done using cash at their office an hour away during "business hours" of 9-11AM or 1-3PM M-Th. Or I guess there is option 3 as well which is not heating your home or your water. Then again, the water company and the power company are going to pull the same shit, so I guess if you like living in a dark, cold home drinking bottled water and not showering sure, you have a choice of not providing your SSN.
Yes it's an anecdote! Were you expecting original research in a Slashdot comment?
> if the forum makes a distinction between the screen name (the visible name) and the actual login name, then the login name (often an email address) can be seen as at least somewhat secret.
That's precisely what causes the problem. In some well-known forum scripts, the user name (for logging in) isn't different from the visible "screen name". So it appears to be kinda secret. HOWEVER, a less-used feature of the forum uses the username as the identifier in links, something like profile.php?user=dgatwood. So it's not actually secret. Since it's not what is -normally- displayed, developers of the forum itself and of plugins sometimes treat it as secret, as if an attacker wouldn't know your user name. But there it is, right in your profile and elsewhere. So it's not secret, but it's being trusted as though it were secret.
It's not okay (security-wise) to have something publicly available, but then trust that it's not. It's either secret or not. "Somewhat secret" is really dangerous.
> the username could theoretically be an account
number... In that case, the username actually would be secret
I thought you were old enough to have written a check before. Your account number is on your check, which you handed to all of the clerk at the various stores you shop at. You might also notice account numbers are SEQUENTIAL. If I want to know someone's account number, I take mine and add one. If I add two, I get another valid account number. My bank account number is on my web site, so people can wire payments to me. Not secret, not even a little bit.
The PIN number to my debit card and my password for the bank's web site are the secrets. Anybody who knows how to add one to a number (any third grader) can enter my account number into the bank's web site. Entering my password to go with it is the tough part.