## Passwords and Social Insecurity

Why do private companies treat your social security number like a personal ID number? The government doesn’t do this: the only federal paper that will have your SSN on it is your Social Security Card. It does not appear on your passport, your driver’s license, or your birth certificate. And yet, the last 4 digits of your SSN are the default PIN for many ATM accounts. It was my keycode to clock in and out at a summer job I once had. I just got a copy of a background check Google did on me before hiring me (if your employer does a similar check, the Fair Credit Reporting Act gives you the right to get a copy), and the password I used to access it was those same 4 digits. Moreover, these last 4 numbers are written in two different places on this report. Insurance companies ask for these numbers when you sign up with them. So do apartment rental companies. They have no business checking on how much money I have paid/received to/from Social Security, and the number should not have any other purpose.

When Social Security was created, the intention was never to make these numbers identify you throughout your life! If some less-than-upstanding person gets these 4 digits, I don’t want them to suddenly have access to my bank account, credit report, insurance policy, etc. This is exactly how identity theft gets started! Is my family the only one concerned about this? Would anyone be willing to step up and present the other side of this?

One reason I’m worked up about this now is that I have just avoided having my identity stolen: I received a piece of mail on Bank of America letterhead saying that there was a problem with my credit card, and I should call the number provided to straighten it out. I needed to have my credit card number ready so they could verify some questionable actions taken on the account. The only problem? I don’t have a BoA credit card. At least, I didn’t. The next day, as if to rectify this problem, my new BoA credit card arrived in the mail. The phone number given in the letter is nowhere to be found on the BoA website, or indeed any website indexed by Google. I’m heading to the bank tomorrow to try to clear this up, and possibly to the post office afterwards: this can likely be considered mail fraud as well as attempted identity theft and attempted credit card fraud. I have no proof that this is related to misuse of my social security number, but the SSNs are a tangential topic about which I have much more knowledge.

The bottom line is this: protect your SSN, don’t use it for other passwords, and try to keep your passwords as unique as possible. Thanks for letting me rant.

### 7 Comments

1. janna says:

Yeah, I’ve heard rants about this for years. The problem is I don’t know what I can do about it. I mean, yes, I can avoid using it sometimes, but when banks and credit cards use it, you often don’t have a choice not to. Just recently my mom was using a Kohl’s credit card that she did not have with her, so she had to give her SSN. I’ve even heard cashiers ask for it out loud!

The one thing is that the SSN does provide (theoretically) a unique identifier. So, for things like banks it kind of makes sense. But you ought to be able to provide enough other information to identify yourself.

2. dhalps says:

1) I had a similar thing happen with a new credit card, and it wasn’t actually an identity theft thing. It was just them being stupid.

2) “When social security was created” isn’t a great argument for something, because social security is a moronic pyramid scheme. Sounds like the Republican argument about “When this country was created” while trying to defend composition of church and state. (state $\cdot$ church). Or slavery.

3) The government puts your SSN all over everything internal. It’s on your tax returns (those go through the mail, too), for instance. Do you have a copy of a tax return in your house? Your parents’ house? Your accountant’s office? Every job application, and most other forms of paperwork are required to use it by law (they have to verify citizenship and provide your tax ID). It’s on your Driver’s License application. They also use it as your four-digit pin in many cases, such as when swiping your NSA badge while moving between buildings. Because people can’t see you type your pin into a keypad while you’re in a long line going into the cafeteria.

4) I think the moral here is to keep your eyes open. It turns out, identity theft just isn’t that big a problem any more if you have brains. Basically all banks and credit cards have policies that protect you from it, and if yours don’t I’d look into switching.

Your information is everywhere. No amount of complaining is going to get that cleaned up, because you’re still going to end up e.g. applying to grad schools that leave your personal information in Google’s cache (me). Also, play with numrange: sometime on Google and see how many credit card numbers you can find. It’s kinda absurd.

I just did a little experiment, and with a little creativity, some web services, and multiple search engines, given only the information on my driver’s license I can recover nearly everything needed to apply for a bank account in my name. I’m fairly certain that with < $500 I could join some of those online information collection sites like you see advertised on whitepages.com and get all of it. The bottom line is that the thieves go for the easy targets. The ones who type all of their personal, bank, and security information into a web form that looks like ebay.com. The ones whose wallet they find or who throw out a box of checks without destroying them. Go make a purchase on Amazon without SSL and see the complete lack of theft that results. It’s just like your PC. (I believe that) There are vulnerabilities for whatever OS you’re using that are known to hackers and not to Micro$oft/Apple/Torvalds/etc, or maybe they are known but still unpatched like M$ seems to be going for nowadays. Are you going to get hacked and get all your information stolen? It’s unlikely because you’re not a target someone would dedicate the time to break – they’ll go for the people that execute email attachments instead.

Or someone at VA services could just lose a laptop with your information on it instead.

• To summarize (part) of this: Your social security number is your UID because it was the first numeric identifier everybody got that didn’t change. (Address? Phone Number? Those change)

So everybody started using it, because it was easy. The fact that it has something to do with social security is tangential, really; it’s just a UID.

Luckily, there is legal recourse for identity theft, unlike computer security, where it is (usually) roughly impossible to catch the bad guy.

My Dad points out that it could be that you checked a box somewhere that signed you up for a credit card implicitly; overdraft protection, various other things…

• Alan says:

You and Dan make good points.

I’m almost positive I didn’t do anything to get this card; before this morning I hadn’t actually been to a bank in months, except to get a cashier’s check for the down payment on the apartment. If I checked some box several years ago, the card is a bit late getting here…

I guess at least part of it is that I’ve always thought that identity theft happened to people who weren’t careful about stuff like this and used the same password on every website, people who buy stuff from spam advertisements, and who fall for phishing schemes. Reading how easy it was for Dan to find his own information in publicly accessible places (even outside of the whole grad school application thing, over which I hope someone was severely chastised, if not fired) and realizing that even if you’re careful this information isn’t in the least secure is a bit of a kick in the teeth for me.

• Alan says:

I’m surprised to hear that the government puts my SSN on all its documents: lawmakers for quite some time argued against using SSNs as National ID numbers. To quote from the Privacy Act of 1974,

> It shall be unlawful for any Federal, State or local government agency to deny to any individual any right, benefit, or privilege provided by law because of such individual’s refusal to disclose his social security account number [except for laws Congress may pass in the future that explicitly talk about SSN use].

I have always thought that I could get a driver’s license, file my tax returns, etc. without giving anyone my SSN, so long as I was willing to stick to my guns and go through a bit of a hassle. Hearing otherwise makes me even more uneasy—there are a lot of underlings in the government that I don’t think are trustworthy enough to handle everyone’s personal information (just as in the Veteran’s Affairs mishap you mentioned).

Otherwise, you make some excellent points.

3. riccobot says:

Did you apply for the credit card? I had a credit card appear on my list of BofA accounts that I never applied for. Non-ideal, I say.

• Alan says:

Yeah, that sounds similar. I never applied for the card. Near as I can tell, someone else applied for the card and then sent me the letter, hoping I’d call the number and give them my new credit card information.

I went to the bank today, and they referred me to their fraud hotline (which is the same phone number their website suggests I call about fraud), which won’t be open again until Monday. I’ll see if I can track this down more in a few days…