Do we need a new unique identity code?

Social Security Numbers were originally optional, but now are pretty much ubiquitous, even for children.
And they used to be fairly confidential, not freely available and not supposed to be used as IDs in private databases like bank records. But again that has changed and they are everywhere.

So, do we need a new number?
Would it help anything, like reducing identity theft?
Would it help if it were biometric in some way, say relate to your birthdate or birthplace or fingerprint or retinal scan?
Would it simply appear in every data bank in a short time anyway?

[QUOTE=According to Pliny]

Would it help if it were biometric in some way, say relate to your birthdate or birthplace or fingerprint or retinal scan?

[/QUOTE]

Generally the term “biometric” refers to something you are, such as (a mathematical string generated from) your fingerprint; not something you know, such as your birthdate…

In any case, I’d like to see an optional extension for a biometric identifier to any master identifier so that I could always “prove” it’s me.

Going forward, for casual use, I think an email address or a phone number is just fine. For government use I don’t see much use for a second identifier. What problem would that solve that an SSN has not solved already? What problem would it not create that an SSN has already created?

jt

The security of any “identity code” is only as good as the recipient. If there is a way for the data to be compromised by those with nefarious purposes, then the number is no more useful than the current system.

Biometrics have a lot of appeal, but I can’t see a way in which they could be used in e-commerce, which is a large market vulnerable to fraud. Would everyone who wanted to purchase a book from Amazon need to look into a desktop eyescanner?

Stores are another problem. Who is going to pay for the biometric scanners? Little Mom and Pop businesses can’t always afford a new gadget, and for large stores like the Big Boxes, it would require putting a machine at every register which would be a hefty expense even for very wealthy corporations.

Heck, with IPv6, every electron in your body could have a unique identifier.

Labelling them would be a pain in the ass though.

Here’s the thing.

A national identity number that stays with you for your entire life cannot be expected to remain secret. It must be treated as public information, just as public as your name.

The trouble comes when banks and other financial institutions make the bone-numbingly stupid mistake of treating your SSN as if it were a password.

In the computer world, a social security number is a user name. User names are public information. Anyone can see your user name, that’s how they know who to send email to. Then you have a password, which is secret, no one knows my password, not even the system administrator. Treating your user name as a password is so obviously stupid the stupidity of it should be obvious.

My username, my unique identifier here on the Dope is Lemur866. There are no other Lemur866s allowed, and I am only allowed one unique identifier. At work I have an email alias that is my unique identifier, no one else in the company has the same alias and I am only allowed one alias. For the government I have a SSN that is my unique identifier, there are plenty of John Smiths in the country, but each one has one and only one SSN.

If someone could go to the Dope and identify themselves as Lemur866 simply because they knew the user name Lemur866 it would be obviously unworkable. If I call a bank and tell them my name is John Smith, and I am able to prove my identity as John Smith by telling the bank John Smith’s SSN it would be obviously unworkable. Except this is what banks actually do.

Social Security Numbers are not secret, they are recorded in hundreds of places. Imagining that Social Security Numbers COULD be secret is ridiculous.

So any Unique Identity Code has to be treated as public information, it cannot be kept secret. Your password or PIN can be secret, because your password or PIN can be easily changed if your security is compromised. But the whole point of an SSN or Identity Number is that the number NEVER changes so we can tell the 1.3 million John Smiths apart from each other.

The idea that your financial security could be compromised if someone finds out your SSN is incredible to me. Unbelievable. It is beyond my comprehension.

What Lemur866 said. I’d like to contribute a foreign perspective on this US use of SSN: It looks like a triumph of convenience over security to me.

As in (I believe) the majority of countries, here in Germany there is no secret number of any kind that I could use to prove my identity to a bank, etc. in a non-face-to-face situation. Any business partner wanting to make sure of my identity needs either to meet me in person and have me show them my ID card, or avail themselves of a third-party face-to-face authentication service.

For example, I signed up for a credit card from a non-local bank recently. They made sure of my identity by sending the credit card via the PostIdent service of the post office - I had to identify myself to the postal clerk with my ID card before being handed the letter.

I do have a number of account, serial, etc. numbers, among these my German Social Security number, but none of these numbers is of any use for impersonating me. If someone knows my Social Security number the only thing he can do with it is to have his social security contributions add to my future pension entitlement - which he’d be welcome to do.

The drawback to this system is that I cannot remotely assert my identity e.g. on the phone by giving a SSN-type supposed-to-be-secret number.

Nonsense. They also expect you to know that John Smith’s mother was named Jane, that John grew up in Anytown, USA, and that John’s best friend’s name is Joe.

Since it would take an imposter several minutes to discover this information, I think that we can all agree that our accounts are as secure as they need be.

But it IS perfectly possible to remotely prove your ID by giving secret information. This is how people get money from ATMs. They have the card…the equivalent of the username or SSN. But you can’t get money by typing in the name of the card owner or the account number, that would be ridiculous because your account number is stored in many places.

Instead you provide your PIN. Your password. And any time you feel uneasy that your PIN might be compromised, you simply change it. Note that your mother’s maiden name is not a strong password.

The bank clerk on the phone identifies you because you are able to provide the information he sees displayed on his CSR display…your account number, your SSN, your mother’s maiden name, whatever. But anything displayable in this way is not a password, and treating it as a password is a guarantee of identity theft.
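
The distinction drawn in the posts above, between a permanent public identifier and a secret that can be changed, shown as an added example that is not part of the thread. The `Account` class, its field names and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import os


class Account:
    """Hypothetical account record, constructed for this example."""

    def __init__(self, identifier, displayable, pin):
        self.identifier = identifier    # public and permanent, like a user name
        self.displayable = displayable  # anything a CSR screen can show
        self.set_pin(pin)

    def set_pin(self, pin):
        # Only a salted, slow hash is stored, so the secret itself is never
        # displayable. A short PIN still needs attempt limiting (omitted here).
        self._salt = os.urandom(16)
        self._pin_hash = self._derive(pin)

    def _derive(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 200_000)

    def verify_by_displayed_fields(self, claims):
        # The pattern criticised in the thread: passes for anyone who has
        # seen the record, because every checked value is stored readable.
        return bool(claims) and all(
            self.displayable.get(k) == v for k, v in claims.items())

    def verify_by_pin(self, pin):
        return hmac.compare_digest(self._derive(pin), self._pin_hash)


def demo():
    # Constructed sample values; 000-00-0000 is a placeholder, not a real SSN.
    acct = Account("000-00-0000",
                   {"ssn": "000-00-0000", "mother_name": "Jane",
                    "hometown": "Anytown"}, pin="4921")
    seen_on_screen = dict(acct.displayable)  # what any record holder knows
    results = {
        "displayed_fields_accepted": acct.verify_by_displayed_fields(seen_on_screen),
        "identifier_accepted_as_pin": acct.verify_by_pin(acct.identifier),
        "owner_pin_accepted": acct.verify_by_pin("4921"),
    }
    acct.set_pin("7305")  # rotate the secret; the identifier stays the same
    results["old_pin_after_rotation"] = acct.verify_by_pin("4921")
    results["new_pin_after_rotation"] = acct.verify_by_pin("7305")
    results["identifier_after_rotation"] = acct.identifier
    return results


if __name__ == "__main__":
    print(demo())
```

The displayed-field check accepts anyone holding a copy of the record, while the PIN check fails for the identifier and for the old PIN once it has been rotated.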