There's been enough leaks from DMVs, credit bureaus, credit cards, and a myriad of businesses that require an SSN for verification checks by now that if every SSN wasn't already in the hands of attackers I would be surprised.
Don't forget the federal government itself. I've still got 1 year remaining from the 10 years of monitoring I got from the OPM breach wayyy back when.
Related, any company offering monitoring should be required to pay for a serialized version. The 10-20 or so settlements that require monitoring in my lifetime have been useless because I already have it for a longer period.
Same. It works out every time there's some class action over a spill because I can show that I have the credit monitoring and ask for the $3 or whatever from the lawsuit. A few more years of leaks and I'll have enough to buy a lego set for all the trouble.
Yes, this is actually a common way of getting out of debt. Oftentimes the "proof" for a debt is lost in the tangled web of debt collection, and by the time someone comes around to collect, there's no tangible evidence the debt was valid.
It's a best practice to request proof of any outstanding debt before paying collections, and I've personally seen cases where friends have gotten out of a debt that went to collections simply by asking for proof, and when it wasn't provided, poof it went away.
I'm a sucker, and don't take advantage of this, but I don't blame anyone who does. Keep good records, and it won't be a problem!
I'm not a lawyer, but I'd imagine that claiming that for cards that are legitimately yours would be considered fraud and would probably land you in more hot water than the initial debt would.
> credit bureau industries are obviously impossible to run safely and should be destroyed
I am not sure I agree with that premise.
I would say there are literally no incentives to secure that data and no penalty for leaking it. Hence for profit businesses will never operate this securely.
I think it’s the same conclusion but a worthy distinction
Then it's called "Identity Theft", and deflected back to you as your problem to resolve. But, it's no big deal. I'm sure everyone everywhere qualifies for a year's worth of free credit monitoring.
Technically, there is legal precedent in Canada that concluded unsolicited credit services are not legally binding. i.e. unless you personally asked/signed a request for some service, it is illegal to issue a bill for that service. These laws were a consequence of early credit-card mass-mailing campaigns that just issued debt products to random people. Today, many legal cons still issue bogus invoices to companies every day for things no one asked for... and sometimes you have to be careful how you handle the response (ahem, Google appliances... cough cough...)
Accordingly, up North an individual is only responsible for a few hundred dollar fee under fraudulent use of a credit card situation. i.e. even if you don't catch the billing errors fast enough to lock your card, you are generally not responsible for a criminal's use of credit services without your knowledge.
When we were starting out, I made the mistake of paying for our IP lawyer's dubious LexisNexis subscription for a year, and then was hit 4 years later with a collection agent's bill (initially we thought it was a scam)... because the former employee just kept using the service. Note, because I had initially agreed to pay for the journal subscription, my lawyer said it was cheaper to just pay them the $14k to get the matter settled (we were displeased as you could imagine.)
The lesson here is to be very careful about saying "yes" to things when you don't fully understand the consequences. There are unethical people that make their income from legal shenanigans pulled on new businesses.
The small private college I attended in the early aughts used your SSN as your student ID and it was printed on everything. Transcripts, official records, basically any piece of paper with your name on it. You'd even speak it aloud to the worker at the book store to pick up your books for the semester. It was everywhere.
As a kid twenty years ago, I was mildly bothered by it but imagined they must know what they are doing.
Looking back at near 40, with the hindsight of years, I'm flummoxed. Like, what the hell, whose absolutely terrible idea was this?
I would have sworn I've read the opposite but found this history [1] outlining usage of SSNs:
> Private sector use of the SSN is neither specifically authorized nor restricted. People are asked for an SSN at banks, video rental outlets, hospitals, etc., and may refuse to give it. However, the provider may, in turn, decline to furnish the product or service, leaving some to conclude they have no real choice.
> Throughout the history of the Social Security program, the SSN, originally intended to be used only to record Social Security earnings, has been adopted for other purposes, both governmental and private. The broad-based coverage of the Social Security program makes the SSN widely available and a convenient common data element for all record-keeping systems and data exchanges.
IMHO, as the name suggests, the intended usage is for social security. We're not supposed to have Citizen ID numbers which is why the number has been shoe-horned into this role.
In the 1980s, professors used to print out the list of exam scores and tape it on their office door so students could check their score (something younger generations would find quaint, I'd imagine). Because people might be embarrassed by their score, they were "anonymized" by student ID rather than by name. As in your case, our student IDs were our SSNs and nobody saw a problem with it yet (I'm a bit surprised that in your school's case they were still doing it in the early 21st century, but institutional inertia, I suppose).
Had basically the same experience at a large public college. I had classes which would print out a list of SSN and test scores for everyone in the room to look at.
Before the Internet, SSN was "presumed secret" but it became a tragedy of the commons. By 2000 it was the equivalent of your public key and should have been treated as such by institutions, never used as a password like that bookstore did.
Student ID card would have been the right way to verify identity at a college; I'd forgotten the SID defaulted to SSN, which was also a really lazy decision!
It was also my first DL number. Both colleges and VA DMV changed to calculated serial numbers around the same time (late 90s, IIRC).
But, to me, using SSN as a unique serial number feels correct. As somebody else mentioned, that's what it is - a serial number, not a shared secret. "Which John Smith are you?" is very similar to the VIN on a car answering "which Honda Civic?" SSN never proves that you are actually the John Smith you claim.
My dad etched his SSN on his tools back in the day. It was my student ID as well. Wasn't the SSN not considered secret until later when more transactions happened online instead of IRL where it was harder to impersonate someone?
The bad idea was to try to convert a semi-public number into a secret identifier.
Back in the 80's, NYC had a program where the local police stations would lend you engravers so you could engrave your SSN on your TV, stereo, etc., so they could be returned if they were stolen and found. Probably also made pawn shops more reluctant to take them.
The bad idea was to have a secret identifier in the first place. Who thought that "a ten digit number printed on a bunch of documents" was a good thing to use as sole proof of someone's identity?
Slightly related, my uni id was a prefix for the campus + year of admission + serial number.
The serial number was sequential based on last name; you could essentially guess anyone's student id if you had a couple of data points of last name : serial number.
As far as I know no one used it for nefarious purposes, but it was a cool party trick to guess someone’s number.
They are a very useful identifier. However they only prove that someone with such a name exists. They are not enough to prove that the given person with that number is the unique person they say they are.
They were never meant to be a ubiquitous identifier/authentication token.
But they de facto are and have been for longer than they haven’t. At some point, it becomes an abdication of responsibility by the SSA, no matter how much they kvetch about it being “not their problem”.
I've never really understood why it's supposed to be considered secret but also has to be given out sometimes and also can't be changed unless in witness protection.
(Information all from Hollywood.)
Other countries don't seem to have this problem? You can have my bank account number, driving licence number, passport number, national insurance number if you want?
It's because Americans have a libertarian streak and instinctively mistrust the government, so we've historically resisted any sort of federal ID program. Because the federal government has to keep track of you somehow, and every American (more or less) already had a unique identifying number, the government started using those unique identifying numbers to identify us for tax purposes. This started being a convenient way for private corporations to ask the government "Wait, who's supposed to be identified by this number?" for employment and loans, and then people decided that it would be better to use this instead of any sort of, you know, online ID, to identify people for credit card applications.
I'm British, we've also resisted it, which is why the closest thing to a national identity document I listed was a driving licence or passport. It's not uncommon to have a provisional driving licence (learners' permit to you I think) purely for the purpose of being ID'd for alcohol or whatever.
For tax I would use my national insurance number and any form of photo ID to register for an online account, or you can do a paper form but I don't know how they verify identity if you're claiming a refund in that case.
A credit card application would similarly want a copy of photo ID and probably a proof of address (like a bank statement or utility bill).
There's nothing wrong with having the number, I have a national insurance number, I have Self-Assessment Tax Return numbers (I think it's unique each year), it's the secret bit I don't get.
The lack of a federal ID is almost irrelevant at this point. Most states have moved to "Real ID" which requires almost as much if not the same to get as a passport (federal ID). Requirement to have that has been coming (and admittedly pushed back several times) for a long time.
It was also heavily rejected as a "number of the beast" by far right Christians -- who are consistently able to get guys like GW Bush and Trump elected.
No one on the left really cares that much -- they have their own sacred cows and causes of the year -- so nothing really changes.
Unlikely. We have terrible, dangerous, expensive, painful de facto national ID, none of which bad elements hinder use of it (with associated government and private databases) for the purposes people worry about, but a huge segment of the right and a fair amount of the left won’t let us fix it because they fear a good version would be misused, and/or that it’s the “mark of the beast”. Never mind that the horse is already out of the barn I guess. So we’re stuck with a bunch of extra lost time and money for no reason.
> because they fear a good version would be misused, and/or that it’s the “mark of the beast”
I'm aware of and share the concerns about misuse (it has happened, see the tax ID debate in Germany), but what the fuck is that with "mark of the beast" relating to ID cards?!
Issued by who? The states vs federal ID is still a very polarizing conversation. I see no way that all 50 states will ever agree on the exact same system. Look at the RealID situation.
Most of my life my SSN was also my driver's license number. Then my state a few years ago changed the numbers. Great! Now some hotels want to copy both sides of your license before renting you a room. My doctor's office and local hospitals copy them too.
A few years ago, Capital One credit cards wouldn't let us pay our bill online, which we had done for several years, unless we sent them a copy of both sides of our DL's! I called them and said no thanks and they said I would have to begin paying through the mail. We paid off both cards and canceled them.
Having said all this, it's prob just a matter of time before my DL number is hacked by someone through some weakly secured site.
Now? None. I believe they've all done away with it. In the past, quite a number of states. Mine was originally; but, I was able to change it in 1995, when Virginia began offering people the choice of SSN or a DMV number. (It was the result of efforts by the ACLU and others.)
Many states have done all or part of the social security number on driver's licenses. Thankfully not ones I've lived in, but a Google search will yield lists.
Back in the 80s, University of Illinois at Chicago used SSNs as student ID numbers. Until you memorized your five-digit userid (I was U10754) you could login with your social security number, so I would type [just kidding].
It's fine to use them for disambiguation purposes. It's not fine to assume that just because I know someone's SSN (and maybe their DOB) I am that person.
From what I read, the best thing you can do is freeze all credit reports and add a PIN to your tax efiling.
I’d love to see a case like that. These data broker and credit bureau industries are obviously impossible to run safely and should be destroyed.
Have a great day, =3
It's a serial number, not a shared secret. It sounds like your college treated it as such.
The real problem with SSN is the prevalence of unintended usage.
[1] https://www.ssa.gov/history/reports/ssnreportc2.html
There is nothing more permanent than a temporary solution, and nothing more temporary than a permanent solution.
Guess it made sense at the time ;-)
The problem is the case for making a viable replacement for such usages.
I'd be happy to join a trillion-dollar class action lawsuit against whomever assembled this data without securing it.
Right???