What's so special about social security numbers? Shouldn't it be harder to steal an identity?

So the state of Texas is the latest to expose people’s social security numbers:

I remember in the 1970s and 1980s, my dad (USAF) had his social stenciled on everything we owned, practically. I even know his SSN to this day, I’ve seen it so often. We didn’t worry about ID theft back then - were we dense, or was it safer back then?

It seems ID theft has been around for the past two decades if not longer. Shouldn’t businesses like credit agencies, etc. have much more secure ways of verifying identity by now, so even if someone has your SSN, they can’t do a lot of damage?

Such as? What commonly available form of ID in the USA is more secure than an SSID?

Note: I’m not a USAn and now haven’t been there for a few years, so may be OOT, but my impression is that driver’s licenses are still available like candy and passports are still rare.

Probably due to watching too many local television reports, my aunt in Hillsboro has become paranoid about shredding every piece of mail that contains her name and address. I’ve been too kind to tell her that every year the phone company distributes a book full of names and addresses that almost anybody can get a copy of.

The SSN was never intended to be a form of identity. :confused:

(not a cite)

… for some reason, I was thinking that in 2011, having someone else’s SSN, Name, and Address – and nothing else – didn’t get you all that far in stealing someone else’s identity.

The biggest issue is that the SSN is used in credit reports. Thus, someone with your SSN can apply for a credit card with your name, and then charge up to the limit and never pay. You probably won’t be held responsible, but you will have to go to a lot of work fending off creditors and getting your credit report repaired.

And if they have your address, and can access your mailbox (which in suburban areas is pretty easy), it’s even simpler for them to do this. And though the reporting agencies should be checking addresses, they can’t just turn down credit because of the address change – you may have moved.

Addresses alone are not much of a risk, but with the SSN, it’s giving people free rein to wreck your credit.

The credit agencies still haven’t come up with a better number to use. They need a number to match your record, but one which you will know when you apply for credit. Your name is no good – plenty of people probably have it. Your name and address is better – until you move.

Credit agencies could assign their own numbers, but there are major issues: there are three major credit agencies and they’d need to coordinate numbers, there are millions of numbers that need to be changed, and, again, the person applying for credit would need to know their new numbers. So would the banks who report. If a credit card company is using your SSN right now, how do they find out what your new number is? The change would cost millions of dollars – far less than keeping things the way they are and eating the loss.

I have less of an issue with a SSN, name, and address being used as ID per se. Given that identity theft is a problem, and credit card companies know this to be true, wouldn’t it be in their best interest to ask for MORE information? That is, why don’t they ask for a driver’s license number as well? Yes, you may not have one for whatever reason, but there must be something else you could use. If you have ‘moved’, couldn’t they at least ask your former address as some form of additional verification?

Obviously this doesn’t work with a dedicated thief who has all this extra information because you may have an usual name and be listed in the phone book, but I would bet if they asked for just one other form of ID, it would cut down the problem by 95%. Or is there some kind of “invasion of privacy”/ACLU thing that prevents this?

The credit ratings agencies are not issuing credit cards or giving bank loans. It is banks that are doing that. If someone gets a credit card in your name it is the fault of the bank for not verifying the identity of the applicant. If they were held more accountable for incorrectly issuing cards identity theft would go down.

Why? It’s not in their best interest to prevent somebody stealing and misusing your ID. Their best interest is to provide data to banks and other interested parties for money. Protecting your ID gives them no money, so they have no interest. They aren’t liable for bad information, either: if somebody has messed up your credit rating through ID theft, and the bank denies you a credit, or you can’t rent an apt., then you have the trouble clearing things up, and you can’t sue them in court. You can see this with other bad information* - a store mistakenly tells them you forgot to pay your monthly rate, and you get a bad mark. It’s problems for you, but you can’t sue them over this.

  • I don’t know how the US rating agencies do, but the German Schufa is said to have about 50% of people with wrong entries.

Yes, they want to know that you are really you. But that’s not their only concern. They also like being able to give instant credit, and asking more questions slows that down. Their “best interests” work against each other.

That sounds like my wife. I shred plenty of stuff myself, but she shreds junk mail just because it has our name and address on it. It’s just not worth the trouble to try to explain that anyone who is rummaging thru our garbage already knows where we live.

Banks and credit card companies do not hold consumers responsible for bad debts on fraudulently obtained credit cards, so that is a big incentive for them to protect against ID. If they can reduce ID theft, they can reduce the amount of fraudulent charges they have to eat.

Whuh? Really? You tell your bank “This card was obtained fraudulently” and the bank says “Ups, sorry, our bad” and cancels the charges? How does this work? Banks know how to write contracts that screw the customers over every other aspect of banking but are helpless with fraudulent credit cards? The courts side with customers not the bank, in how to prove this?

I have a hard time believing this, it’s counter to every bank behaviour and court verdict over here. (Though we don’t have many problems with fraudulent credit cards; the problems are mainly with stolen or copied EC-cards, that is, what I think is called debit cards, that access your account directly. The courts are hard to convince on how technology has changed).

Well now waitaminute… That’s decent practice I think. I have been asked for a second form of ID at times including something like a utility bill in my name. If I was stealing someone’s ID, along with my mocked up fake ID, it would be nice to have utility bills, credit card statements, and the like in their name. I think your Aunt is smart.

Yes, then they investigate.

The problem, as I have stated in other threads, is that your SSN is a public unique identifier, just like a username. Just like “Lemur866” identifies me to the administration and users on the Dope, a SSN identifies me to the Social Security office, and other entities that use that number.

Except, it only works if your identifier is public. If it’s secret, then it’s of no use. So if your name is secret, your address is secret, your phone number is secret, your SSN is secret, license plate number is secret, your email address is secret, no one can contact you or identify you.

And so your SSN is not secret. It’s written down in dozens or hundreds of places, like medical records and job applications and on and on and on. Remember this. Your SSN is public.

But there’s nothing wrong with a public unique identifier, in fact you pretty much need one if you’re going to, you know, identify people uniquely. You display your license plate number on your car every day, and never worry that someone is going to steal your car’s identity.

The problem comes when institutions confuse your username with your password. You call them up and say “Hey I’m Bob Smith”. And they say, “Oh yeah? If you’re really Bob Smith, what is your SSN?” And you say, “123-456-7890”. And they say, “Wow, it really is you! OK, let me hand over your private information!”

This is akin to being stopped by the cops, and them saying that they think the car you’re driving was stolen. So they come up with a foolproof way of finding out whether you’re the real owner of the car. If you can tell them the license plate number of the car, then you must be the real owner and will be free to go.

Your SSN is public and can’t be changed without a major hassle. This means it is not secret, and any institution that treats knowledge of your SSN as proof of identity should have their management dragged into the street and strung up by their testicles.

I have a unique identifier here on the Dope, “Lemur866”. Everyone knows what it is, everyone knows that this string of characters identifies me. But no one can post information here on the Dope as “Lemur866” just because they know my unique identifier, not even the administrators. To authenticate me, I must provide something else, my PASSWORD, and no one else, not even the administrators, know what my password is.

Yes, that’s exactly how it works in the United States.

SSNs are not public, and are considered PII (Personally Identifiable Information) and are protected data under Federal and state laws (US). You can do a lot of harm with a SSN (I do security and privacy stuff for a living).

The crux of the problem is that, lacking another way to verify identity, financial and other institutions started demanding SSNs. Legally, only the Federal government can demand your SSN. But good luck getting a loan, a phone, or a [insert something that rhymes] without one.

It’s not entirely different from going to Radio Shack and not being able to conduct a transaction without giving them a DNA sample…errr… phone number and zip code. One of the reasons I don’t do Radio Shack unless I’m hard up for a crossover cable in the middle of Nowhere, Texas.

CC theft works in several ways and often by the time it’s detected it’s hard to get things straight.

For instance, I get a person’s info and apply for a credit card. I then go to that person’s mailbox and get the actual card.

They call to activate the card, but this is no problem 'cause the phone number listed on the application is a payphone or other disposable phone number.

Then they make small charges and pay them off. Then they gradually make bigger and bigger charges, always paying them off. Usually by taking cash advances against another stolen card.

Then after a year or so, they go in for a few big charges and then default.

All the time the charges are being paid for by money orders which aren’t traced or and the bill is not being mailed but emailed to a email account that is accessed at a public place.

So now you have a $5,000 bill on a credit card that defaulted and you didn’t know about it. You tell the credit card company and do they write it off? Maybe? Maybe not?

The credit card company is not going to let you off so easy. If it were that easy to do anyone could pull that scam and claim they didn’t know. So the credit card company will report you as delinquent on your credit report while it investigates.

This causes the rest of your credit to suffer.

After all it would be very easy to sign up for a credit card let my friend use it and then claim it was all a fraud.

Then if the credit card company sells it to a collection agency, well good luck trying to get a collection company off your back, short of a bankruptcy.

Credit card companies want to make it EASY for you to use their cards. Therefore they will accept a certain amount of fraud. This is why places like Walgreens don’t require a signature if the charge is less than (in my area) $50.00. Because the fraud level is so low, it’s worth it for the CC and Walgreens to eat the few losses for the customer convenience.

You don’t know much about the FDCPA, do you? One letter telling them you dispute the debt and wish to conduct all communications by mail, and they can no longer call you on the phone. If they want to go to court, you can make your case to the judge. Never, ever deal with collection agents who do not have a judgement.