Slashdot Mirror
Same Birthday, Same Social Security Number, Same Mess For Two Florida Women (cio.com)
itwbennett writes: After 25 years, the Social Security Administration (SSA) has fessed up to giving two Florida women who shared a name and a birthday the same social security number. The women only recently discovered that they shared an SSN, but not before having trouble getting loans and having tax returns rejected. You might think that the SSA would catch something like this, but as it turns out, they are prohibited from trying to verify the legitimate owner of an SSN, except in rare cases, says Ken Meiser, VP of identity solutions at ID Analytics, provider of credit and fraud risk solutions. And the problem isn't as rare as you might think (except for the part about two women with the same name born on the same day in the same state). According to a 2010 study by ID Analytics, some 40 million SSNs are associated with multiple people.
8675
Most of the duplicates are due to fraud by illegals.
309
Nothing much to explain - we just issue duplicate SSNs to avoid a unique, centralized ID number system.
SSN started out merely as an identifying number to record social security payments. After awhile, though, it morphed into a number that identifies you for everything. However, this isn't a very secure number and it can be compromised in any of a dozen different ways. Combine this with a person's name and date of birth and you can do some horrible things to their credit rating while raking up huge debts in their name.
I know this first hand since I'm a victim of identity theft. Someone got hold of my name, address, DOB, and SSN (how, I'll never know). They opened a credit card in my name. (Despite, I might add, getting my mother's maiden name wildly wrong. So much for that "security question.") The only thing that kept this nightmare from being much, much worse was that they paid for rush delivery of the card and THEN changed the address on the card. The card was sent to me before the address change went through so I was able to shut the account down before any real damage was done. Of course, I still need to have my credit frozen for the rest of my life since my information's out there and could be used at any moment.
Fortunately, there have been enough identity theft stories in the news to make people aware of the situation. Unfortunately, too many companies require you to give your SSN when they don't really need it and too many people just assume "it's required so I have no choice."
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
The article definitely makes it sound like it was a mix up due to the two babies having similar names (Joanna Rivera vs. Joannie Rivera), having the same birthday, and being in the same general area.
The article lists some red flags that should have been raised (two addresses listed as being active, the IRS getting W2 forms from two employers that weren't even near each other, etc). In my experience, though, companies and government agencies don't mind missing red flags. Red flags mean that someone has to put in extra effort to resolve the issue. Ignoring the red flag, though, means that you continue doing what you're doing and it becomes someone else's problem.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
...my company's accountant told me that someone in Los Angeles had used my SSN and the IRS was trying to garnish my wages. She told them that I was certainly not Mr. Aguilar and that I was not responsible for Mr. Aguilar's debt to the IRS. Seems like a simple thing but she was not supposed to tell me about the incident. Because if the proles ever found out how often this happens, they'd lose faith in the integrity of The System. I, as the taxpayer and rightful SSN holder was never contacted by the IRS to either collect money or warn me that there was someone out there using my SSN, possibly ruining my credit.
The way the SSN is, it is like having a password for very important things, but one that you have to give out to every street vendor to verify you as well. Identity theft nightmare for the owner.
No.
The problem isn't what the SSN is. The problem is the way the SSN is used.
I'm Spanish. In Spain we have a national ID system, and I have my own ID number. However, we don't use this number as a password in order to verify that we are who we say we are. It's used more or less as an index in a database. You can easily find my national ID number with a simple Google search. Mine, and probably every other Spanish citizen's. No big deal about it.
In you case, what's going on is that a bunch of clueless policy makers working for businesses decided that the SSN would work fine as a way to identify people. It's not. You're using it wrong.
My site
Born in same area, same date, same first three letters of last name-- expect collisions. That is how the formula works for allocation, and I am sure real-time checking wasn't done due to "low probability."
For many years, I would just make up a random SSN for forms that didn't seem like they had a legitimate reason to be asking for it. Never, not once, did they later tell me there was a mismatch. So I think there was very little cross-checking going on.
It's more likely that the algorithm used to generate SSNs, given the same input data, generates the same output.
The "algorithm" is "pull the next number off the list". My sister and I were born in different states, two years apart ... and we have different first names. My parents requested SSNs for both of us at the same time, and they were given two consecutive numbers.
Banks are, but AFAIK, the credit bureaus aren't. They're the root of the problem. If the credit bureaus really wanted to end so-called "identity theft", they could do it very easily. It would simply require them to invest the money to perform a callback authentication to all registered phone numbers prior to issuing new credit. Boom. No more "identity theft", or at least so many orders of magnitude less that the remainder could be treated as noise.
I put that in quotes because your SSN isn't a true identity, at least by the cryptographic meaning of the term. It's an identifier. An identity is something that can be used to prove who you are. An identifier is something that stands in for who you are. A proper identity should roughly guarantee non-repudiation. An identifier does not, because it is not secret. It is not possible for someone to steal a true identity, or anything that even approaches one. It is trivial to steal an identifier; it need only be shared once, and then it is no longer secret.
Thus, "identity theft" is a misnomer. It should be called "SSN theft", or even "unauthorized SSN use". But if we call called it that, then the credit bureaus couldn't pretend that the problem is a serious problem caused by a bunch of bad people, rather than an entirely artificial problem of their own making....
The again, if everyone who found a false entry on his or her credit report sued the credit bureau for libel, the problem might just take care of itself.
Check out my sci-fi/humor trilogy at PatriotsBooks.
There's a more sinister reason behind it. A huge chunk of W2s under duplicate SSNs are due to illegal immigrants using a fake SSN to work. You can't just make up any number - the IRS will reject that. So (presumably) they or someone they hire gets a real person's SSN, and the illegal immigrant adopts that person's name, identity, and SSN. "Fixing" this problem means creating a sure-fire way to prevent illegal immigrants from working in the country, so nothing is done about it. One party doesn't want to fix it because they want to make these people citizens so they'll vote for that party. An influential fraction of the other party doesn't want to fix it because they want these people to remain as a source of cheap labor.
I used to do the accounting at a company which I'm pretty sure had a not-insignificant number of illegal immigrants. Employers are only allowed to ask potential employees for certain pieces of ID, and the most common one is the Social Security Card. The government has no system by which an employer can verify a SSN matches other info the applicant provides, so all you can do is look at it and see if it seems real (it's super-easy to fake), make a photocopy of it, and keep it in the employee's file. If INS ever comes knocking, that's your proof that you've done your due diligence. Anyway, about a month or two after I completed everyone's W2s, I got a stack of letters from the IRS about "irregularities" with the W2s. Some careful reading between the lines and some web research turned up that these letters are commonly generated when two W2s are issued for the same person whose name and SSN match but other details (like address) differ. As an employer, you just sign saying that the employee swears that that's their real SSN, mail it back, and it becomes the government's problem. I'd like to do more as an employer, but my job is running a company, not immigration enforcement. The government doesn't even provide me with tools to verify it anyway. And the potential liability for incorrectly ratting someone out as illegal is huge.
Thus, "identity theft" is a misnomer. It should be called
Fraud. Nothing more, nothing less. Lies for gain. Why would there be any confusion on the matter? Oh yeah, if you call it bank fraud, the bank would pay for their loss. When you call it identity theft, you blame the victim for the bank's poor security and reduce the bank's loss.
Learn to love Alaska
"Fixing" this problem means creating a sure-fire way to prevent illegal immigrants from working in the country, so nothing is done about it. One party doesn't want to fix it because they want to make these people citizens so they'll vote for that party. An influential fraction of the other party doesn't want to fix it because they want these people to remain as a source of cheap labor.
Semi-OT, but I just want to throw out my favorite low-cost, low-effort fix for getting nearly all illegal immigrants out of the country.There are two steps:
1. Make it a criminal offense to hire a worker not vetted as legally able to work by the E-Verify system, and beef up the E-Verify system so it validates with roughly the same level of assurance as the US Passport issuance system. By "criminal offense" I mean "non-trivial mandatory jail time for the most senior company officer who approved/ordered the hire".
2. Offer permanent resident alien status (green card) to any undocumented worker who turns in his employer. The alien gets the green card whether or not E-Verify supports his right to work, to reduce the risk to the alien of coming forward. Phase this step in a year or two after the first, but make sure everyone knows it's coming.
I doubt the program would actually give out many green cards for shady employers. It would probably give a few out for bugs in the E-Verify system.
However, you're right that this won't happen because neither party really wants illegal immigration ended. My specific plan would also generate lots of objections among conservatives aghast at the idea of giving green cards to some "undeserving" people, even though the numbers would be small and the approach would be dramatically cheaper (theoretically appealing to conservatives) than other alternatives.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Born in same area, same date, same first three letters of last name-- expect collisions.
Your SSN doesn't "hash" anything. From 1972 through 2011 (the range applicable to these two women), only the the first three numbers (the area number) actually meant anything in isolation. The middle pair of numbers (the group number) only has meaning within a given area, and even then it just serves to more-or-less evenly subdivide the area. And the final four numbers (the serial number) monotonically increases from 0001 through 9999.
So rather than a collision, you could more accurately call this a race condition. Two requests go in at approximately the same time without adequate semaphores, and the serial number didn't get incremented early enough in the process to avoid both processes getting the same "next" number available.
The geek in me would love to know if no one ever received the next number in sequence - Did they double-increment after issuing the number, or did one of them overwrite the other?