Vulnerability to Identity Theft

The University of Georgia (which I attend) has instituted a “new” policy this year: our Student ID numbers are a sixteen-digit string assigned to us when we enroll as freshmen, whereas in previous years our Student ID was our SSN.

Semi-aside: For background, this sixteen-digit string is printed on our ID cards and has always been tied to keycard or PIN entry into dorms or dining halls (one must either scan their card or enter said string then stick their hand into a scanner to gain entry). They’ve just been expanded to serve as ID numbers in the classroom, as well. Officially, this is how it is supposed to have been all along, but up until this year our SSN’s were our classroom ID numbers (by which I mean they were used to identify us on class rosters).

Almost universally, up until this year, when a test was administered to us we were told to put our SSN and full name on the Scantron (multiple-choice, computer scored answer sheet). The policy change has gotten me to wondering: how dangerous was this practice? If a professor had accidentally dropped or otherwise misplaced one of these sheets, how easy would it be for someone to snatch the test-owner’s identity from just a full name and SSN?

Also, and I’m sure this goes without saying but I’ll say it anyway: let’s try to avoid writing out an instruction manual for stealing identities. I’m just curious as to the relative stupidity of the former policy.

If I may be so indulged, I thought I’d shove this back to page one at least once before letting it die a quiet death. Sorry for the self bumpage!

Unfortunately, I’m not a professional Identity Thief (IF), nor do I play one on TV, so I can’t give definitive answers.

Knowing just someone else’s SSN may or may not be enough to help an IF, but it adds another piece to the puzzle. When I call my credit card, they’ll ask indentifying questions, such as my birthday or home address. In America, often people are asked their mother’s maiden name. Knowing some information can help get others. For all the tricks in the trade, you would need to ask a real IF, and then not post that on this site.

I’ve got an uncommon last name, (not unusually rare, but not up in the Smiths or Jones catagory). Just before I moved over to Japan 17 years ago, my (now ex-) wife and I went on a trip to Yellowstone. We came back to an answering machine with numerious messages from various collection agencies and attorneys looking for someone with the same first and last name. I was listed in the phone book as the only one in Salt Lake City with the same first and last name, so they called me. I called people back and explained that I wasn’t who they were looking for.

One lady asked me for my SSN, and I just laughed and told her to tell me hers first.

If I have your name, SSN and ******, it’s relatively easy to use a few search engines to start digging more info about you. If I want to spend a couple of bucks for a records check, knowing the return on my investment would more to my liking, then Bob’s your uncle.

Of course, dumpster diving is always treasure trove. When we lived in an apartment, it was often the case someone else had dumped their canceled checks, utility bills, etc., intact, without shredding. We’ve always shredded everything that has any hint of identification on it; we will even shred the address labels from envelopes and magazine covers. I usually mix it with the most recently used (read that as fresh!) cat litter before it goes out in the trash.

Probably not stupid at all.

SSN’s are pretty easy to obtain.
Google it, and you will find lots of companies on the internet who offer to do that (usual cost seems to be about $25-$50). And it’s known to every company you ever worked for, and every bank or financial company where you’ve ever had an account or a credit card. It’s getting better, but still is fairly easy to persuade a gullible employee at one of these to ‘confirm’ a SSN for someone.

But because they are so easily obtained, a SSN by itself isn’t usually of much use in an Identity Theft. It’s another piece of info about you, but more is needed to do much thieving.

On the other hand, most people know their own SSN. (They don’t know this random 16-digit string, and almost none of them will bother to memorize it.) So the time the school saved by using a real number that was already known to the students is probably far more valuable.

The last point you made is a very interesting one that I had failed to consider. And you’re right – the switch to the new number was accompanied by at least an hour’s delay in every class explaining the new policy, people trying to recall their number on the next exam, etc. Considering that the weak link in the security chain seems to be human gullibility instead of faulty electronic security, I wonder if that time might not have been better spent educating instructors on the importance of SSN security. Hmmm.

Part of the problem is that the SSN is not and was never meant to be a Universal ID Number, and in fact federal statute restricts the number of cases in which a private or public entity can require its use.

Instead we saw a proliferation of the use of the SSN as unofficial UIDN on a “voluntary” basis …as in, “you’ll ‘voluntarily’ give us your SSN to use as account/member/ID/complaint/case number because we’ll ask for it and won’t tell you it’s up to you, and if you don’t you’ll have a huge hassle dealing with us 'cause we already programmed the computer that way, and anyway what are you some sort of tinfoil-hat nut?”. ISTM that becomes kind of self-defeating because (a) if the idea of an entity that does not *need * it (e.g. to crosscheck you with the IRS) is to use it as a number only you would know… then if EVERYONE you deal with has it and it’s hanging from your neck on your ID, it’s not private at all, is it? and (b) as mentioned, issuance of a SSN is not “secure” so counting on it as a reliable verificator of a unique identity is fallacious to begin with. It identifies a unique identity, but it can easily be a fictional one.

As mentioned, the SSN is but one piece of the puzzle but it’s an important piece of the puzzle because the individual SSN is your IRS Taxpayer Account Number, and due to that is required in transactions that may have to be reported for retention or payment of taxes; it also greatly facilitates looking up credit reports, and in times like the recent (?soon to end?) Age of Easy Credit, it makes it even easier than it already would be for an ID thief to run up debt in your name. So you just don’t want to make things easier than they should be.

OTOH, a hard-to-remember 16-digit ID is a stupid “solution”, IMO. How many universities have ten quadrillion THINGS to identify?

For comparison:

At my university in Sweden, often test results were posted on a public wall. They had three columns: the Swedish SSN equivalent, student’s name, and test score.

This really boggled some foreigners’ minds. Does it boggle yours?

For me, it meant I could let a friend check my score for me, and by telling him my birthday I could make sure he knew which result was mine if there was another student with the same name.

The activation date of the SSN, which is available free on the 'net, is also the birthdate of that person, if born after a certain year.