I thought for quite a while that the whole list should be made public on a pre-announced date to "scorch the earth". On that date, liability for any fraud committed using the data would be placed on the party improperly using SSNs for authentication tokens.
The Equifax breach did the publishing part, but nothing changed with liability. A golden opportunity missed to fix this particular bullshit.
100% agree with this. Our SSNs are fully “compromised” many times over at this point. Scare quotes because—as far as I know—they weren’t originally regarded as a secret to begin with.
But the fiction of a secret SSN still persists. You're told to protect it; sensitive financial documents ask for it as part of proving you’re you; forgotten password pages use the last 4 digits as some sort of 2nd factor.
The best thing that could happen is if the names and corresponding numbers were published far and wide. So obviously public that nobody could keep this fiction up.
Banks and other high-stakes firms need to figure out how they want to identify their clients. It’s not an easy problem to solve, I get that. But that doesn’t mean we should be happy with them taking the easy way out.
Ha, you just reminded me of my student ID number in college. Also used to purchase snacks and meals at the commons. In the strangest of coincidences, it was my SSN.
The problem is that it's a username that is used as a password. In Europe you'd use some kind of tax identification number plus a physical copy of an ID card or driving license.
My identification number is algorithmically derived from place and date of birth, first and last name and gender. Anybody who knows my address and has heard someone greeting me happy birthday can guess mine with two-three trials corresponding to the closest hospitals. But that doesn't worry me, because I don't fear identity theft, it just doesn't exist in Italy.
Instead, as a result of America's allergy to ID, they are essentially the only country where identity theft is a thing.
I live in Denmark so also Europe. Our social security number (which can be guessed with enough information and a few tries) has been incorrectly used as a password instead of a key just like you describe. You make a call, provide this number and the clerk on the phone believes that you are who you claim to be.
Nowadays things are better because computers are used everywhere. We have a national ID system using 2FA which is pretty safe. Unfortunately, identity theft is still a thing.
Recently someone installed keyloggers on public computers. The second factor in the 2FA is a cardboard card with a list of one time password codes. You use a code on each sign in.
The criminals were able to determine when there were only a few codes left on the card. You then get a new cardboard card sent to your home address. They would stalk their victim's mail box and steal the new card as soon as it arrived.
With user name (your social security number) and password from the key logger together with the 2FA codes they were able to perform identity theft.
While all that is accurate, it should be noted that they have already mitigated some of the problems mentioned above (no more displaying number of keys left), but also that the entire system is being replaced this year with one that does not rely on a physical cardboard key card, but can use something like a Yubikey instead.
You can also change your username to something other than your CPR-number. Indeed, the problem lies more with other services that have used it as a password rather than 'username'. But those are rarer to come by these days.
Ditto in Finland. Just like in Denmark, the social security number is being used for authentication by some actors, even though it's inherently insecure to do so. The Swedish way of handling those numbers seems more reasonable; they're just used as unique identifiers and you still need to show some other kind of ID.
When I lived in Denmark, airlines occasionally did identity spot checks on domestic flights. I was always horrified to notice that everyone just pulled up (picture-less) social security cards and used them as identification.
Absolutely, but it's more effort than knowing an SSN and being immediately able to get a loan in the name of that person. That would be ridiculous in Europe.
That’s pretty ridiculous in the US as well. An SSN is never enough. Usually they will need some copy of a state ID and proof of access to a mailing address on your credit history.
> Identity thieves can use your number and your good credit to apply for more credit in your name. Then, they use the credit cards and don’t pay the bills, it damages your credit. You may not find out that someone is using your number until you’re turned down for credit, or you begin to get calls from unknown creditors demanding payment for items you never bought.
> identity theft [...] just doesn’t exist in Italy
Big lol. The country used to be famous for frauds and scams! Of course identity fraud exists, but precisely because everyone expects it, the majority of systems errs on the side of caution and requires validation from multiple sources. The result is that fraud processes become so much harder to pull off that fewer and fewer bad guys attempt it, but on the other hand every validation step becomes a bureaucratic nightmare (“did you include certificate X from office A, Y from office B, and Z from office C, as well as your ID card, health card, tax card, and recent pictures? No? Sorry, no cookie for you.”)
This is also why the country has a pretty secure and advanced way to carry out official acts electronically (PEC) - because otherwise fraud would be even more rampant.
I do agree that the “anglo” hate for ID documents (“such Napoleonic constructs, so barbaric!”) leaves the door open to scammers, but it’s not like they don’t exist in Italy too.
I see, the good old racist card. But no, you're wrong. I have opened bank accounts in three EU countries and the procedure was the same everywhere. No ID, no bank account.
I still have to see a headline like "identity theft ruined my life" in any other language than English. Every single time "furto di identità" makes the news in Italy, it's just about someone impersonating a famous person on social media to scam the followers, which is a completely different thing than in the US.
So yeah of course scams and credit card skimmers exist in Italy (though the US's disdain for chip and PIN would be another interesting topic). Dishonest telemarketers convince gullible people to switch into more expensive utilities contracts. But identity theft in the US is not in any way comparable to "scamming".
And yeah, PEC ("registered email") is pretty cool. :)
I have to wonder if part of the difference is down to how we deal with creditors in the US and the financial welfare of the population. We have a huge population living paycheck to paycheck with almost no cushion for crisis and we have a system where creditors can take the money from your bank account or directly from your wages.
If the money acquired by a creditor was what was needed to pay your rent you could be looking at eviction in short order. The law in my state until 2020 required only a 3 day delay to begin eviction for nonpayment. It used to be possible to be due on May 1st, receive an eviction notice on May 4th, and be homeless by mid month. I think it now takes a whole month for your life to disintegrate.
Being homeless doesn't bode extremely well for your continued employment as a handful of missed days can terminate your employment.
Being jobless doesn't bode well for your health insurance which there is no way you can afford to maintain past employment.
Being without insurance, job, money doesn't bode well for being able to afford medical care; hopefully you aren't receiving continuing care for a major medical situation because you might be dead.
I have to hope western Europe isn't remotely like that.
Identity theft is very common in Italy for pension fraud, people don’t report deaths of their elderly parents and assume their identities to cash in pensions.
It's not really the same—a caregiver keeping on doing bureaucracy tasks after a person's death, vs. an unknown person using a living person's identity to get loans or credit cards.
It’s not just direct carers and it’s still an identity theft; what identity theft can be used for ranges between different countries based on financial incentives: in some countries getting a loan or credit is far easier than in others; in others state pensions and benefits are higher.
In the US stealing the identity of a 30 year old with decent credit can allow you to rack up a decent bill in their name. In Italy the state pension is universal and is about €14,000 a year and whilst in the US technically you can get far more in social security payments the people who are susceptible to identity theft in that group tend to not be the ones who maxed out their contributions over the past 30-40 years.
When I visit Italy I’m often impressed by the physical lock & key systems in use even in pretty humble domiciles. Those keys look incredibly complex compared to anything I normally see in the US short of, say, a Mul-T-Lock.
It’s necessary. I grew up on the outskirts of a pretty wealthy, pretty law-abiding Italian city, and still: the flats on the first floor were burgled twice in a few years, my family’s own flat was squatted before it was even finished, and bikes or motorbikes were routinely stolen. My dad just told me this week that the closet where his amateur football club keeps training material was burgled: the idiots literally cut through the wall to remove the hardened door, just to get to a few footballs and plastic cones. This was the fifth attempt in two years, and they finally succeeded - thanks to the lockdown there was nobody around, my dad found out just because they littered some of the training bags nearby. Security remains a big problem.
This was finally done away with in 2011. I only found out because I was surprised that our second child's SSN (issued in 2012) had a different prefix than that of our first child (2009).
When your identity gets stolen enough times, the IRS assigns you an identity protection PIN and mails you a new one every year. Too bad it's only useful for your taxes.
When I was first enrolled at University of Illinois of Chicago in 1985, your SSN was your student ID. You could log in to the mainframe using your SSN in the username field (although thankfully, the actual user ID was a sequentially assigned five-digit number and not the SSN. I was U10754). I think around 1986 or 1987, universities were instructed to stop using SSNs as student ID numbers.
When looking up the details of the incarceration of a POS we had locked up in the state of Washington we discovered his electronically available prior warrants show his entire SSN NOW.
My university (back in the early 2000s) used your initials and last 4 of SSN as your student ID number. I think they finally stopped a year or two after I graduated.
Hum... When normal people say "identification" they almost always mean what we understand by "authentication"¹. The main intended use of a social security number is as a key, that's the intended use 99.(some more 9s)% of the times a government gives a number to somebody.
1 - And when they say "authentication", they almost always mean what we understand by "non-repudiation".
The story of how this happened is quite interesting. CGP Grey did a video about how it evolved [0]. I'm not American so I can't judge how likely it is to ever change because it seems to be politically radioactive to propose a government mandated ID.
We had a similar issue in Australia, but our workaround is that your drivers license (or ID card from the equivalent of the DMV) typically acts as your ID.
I don't know about most of Europe, but in Norway, we use a 2FA system called BankID. You authenticate either with your phone using a custom SIM app, or an app, or an OTP device. This system is used for everything from banking, to checking taxes, medical records, or signing documents.
On the one hand, I feel very sorry for Mr Krebs and his family, yet on the other I'm grateful for his tenacity in sticking with it despite all the brickbats the bad guys throw at him.
There would need to be a billion people in the US for us to run out of SSNs. I find it highly unlikely that our population will triple in 70 years. The Census Bureau finds it unlikely, too, considering they expect us to add only 76m by 2060. They could also decide to re-use the SSNs of those who have been dead for decades.
That would freak me the fuck out wow.