One Ring to rule them all, One Ring to find them, One Ring to bring them all, and in the darkness bind them.—J.R.R. Tolkien
David Haas doesn’t like to give out his Social Security number. He fends off all the requests he can, from doctors, credit card companies, the bureaucracy at large. In the end, it was summer camp that got him.
“If the camp refuses your child because you won’t divulge your Social Security number, you end up giving in,” said the Franklin Lakes, New Jersey, financial planner. Haas kind of caved to his daughter’s school, too.
Don’t be too hard on him. It is the number that rules us all.
Social Security numbers, which identify the retirement accounts Americans build up over a lifetime of paycheck deductions, are taken in the vast majority of data breaches, including the massive hack Equifax Inc. announced on Thursday, simply because they are ubiquitous. They’re a juicy target. Together with other basic information, like name and date of birth, the Social Security number is a passport to a person’s identity. Unlike a credit card number, which can be instantly canceled, the SSN serves most people for their entire lives, with some 496 million issued since the first batch of cards went out in 1936. Its use as authentication for personal accounts has expanded the opportunity for fraud.
The government has tried to lessen our dependence on the Social Security number as the ultimate identifier and authenticator—for example, some states ask for a driver’s license or state ID on income tax forms. Within its own ranks, the federal government is locked in a struggle to reduce the “unnecessary collection, use and display” of the number. In 2007, a presidential task force issued recommendations to “help prevent the theft and misuse of consumer’s personal information.” A decade later, on May 23, the Government Accountability Office testified about a GAO progress report on executive branch efforts to address the recommendations. The verdict: “These initiatives have had limited success.” Among the initiatives was a proposed “alternative federal employee identifier” on Office of Personnel Management forms. That was abandoned as impractical “without an alternate governmentwide employee identifier in place.”
An estimated 17.6 million people, or some 7% of American residents 16 or older, suffered at least one instance of identity theft in 2014, according to the Bureau of Justice Statistics. And that was before mega-breaches like the ones at Equifax, the health insurer Anthem, and the Office of Personnel Management itself.
“We are bleeding fraud with the use of SSNs,” said Eva Velasquez, chief executive officer of the non-profit Identity Theft Resource Center, which helps victims of identity theft.
According to Equifax, which discovered the hole in its defenses in late July, the private information of some 143 million people was compromised. In addition to Social Security numbers, it includes addresses, driver’s license data, and birth dates, as well as some credit card data. A proposed class-action lawsuit was filed against the company late Thursday.
Attempts to check the SSN’s proliferation have been failing for nearly half a century. As early as 1971, a Social Security Administration task force proposed that the agency take a ” ‘cautious and conservative position’ toward SSN use and do nothing to promote the use of the SSN as an identifier,” according to The Story of the Social Security Number, on the agency’s web site. No luck.
How about fingerprints? Government agencies including the Veterans Administration and the Post Office have tried them, but they came with the whiff of criminality. The bald string of numbers seemed the more practical way to go.
In its early days, the SSN wasn’t widely treated as sacrosanct. In 1938, a wallet manufacturer in New York, which wanted to advertise how well those new Social Security cards fit into its billfold, used the actual number of its Treasurer’s secretary, one Mrs. Hilda Schrader Whitcher. Mrs. Whitcher’s secret identifier (078-05-1120) was soon on display at Woolworth and other department stores around the country.
By 1943, nearly 6,000 people were using her number, according to the Social Security Administration, which voided it. Over the years, more than 40,000 people claimed the number as their own, and 12 people were found to be using it as late as 1977.
“They started using the number. They thought it was their own,” the real 078-05-1120 said, according to a history on the Social Security Administration web site. “I can’t understand how people can be so stupid.”
Since then, many companies and government agencies, while using SSNs internally, have at least stopped displaying them on ID cards and using them as subscriber numbers. Many use unique numbers, sent to a recognized device such as a cellphone, in place of the familiar request for the last four digits of the Social. Some have suggested creating individual encryption keys, sort of like the code-generating tokens that workers use to access their computers from outside the office. Another idea, a national identification card, “creeps people out, because it seems very Orwellian,” Velasquez said.
Even creepier, she said, one frustrated consumer proposed that the government “just microchip me so you can scan me and thieves can’t dig it out of me.”
Until we all get chipped, the only person who can sharply curb the use of your Social Security number is you.
“Don’t blindly provide it because you’re asked for it,” said Gary Davis, chief consumer security evangelist for anti-virus software provider McAfee.
The tricky part is that you can be denied service. The Social Security Administration recommends asking why the number is needed, how it will be used, what will happen if you refuse to give it, and what law requires you to give the number to a private business. For example, there’s no legal reason you must give it to your doctor. Doctors almost always ask for it, though, sometimes because they’re using outdated forms, or for patients on Medicare, since your Medicare number is your Social Security number.
On income tax forms and financial accounts that wend their way to the Treasury Department, the ritual asking for and giving of the Social Security number is all but inevitable. Same with food stamps, child support enforcement programs, and state commercial driver licensing programs. Credit bureau TransUnion says the nine-digit wonder is indispensable.
“We consider the SSN to be an important part of the consumer reporting and credit granting ecosystem, and many regulators and consumer advocates recommend this approach, where available, for accurate matching,” TransUnion spokesman Dave Blumberg said in an email. “The SSN is also an important tool in identity verification and can help lenders to detect and prevent identity theft.”
Opening a bank or brokerage account requires a customer identification number, most likely a Social Security number or Individual Taxpayer Identity Number, according to anti-money-laundering provisions in the Patriot Act, the security law passed after the 2001 terror attacks. An auto insurer might demand the Social to ensure, say, that the credit information for an applicant is really for the driver operating the vehicle. Life insurers want it because it’s a good way to find a “lost” policyholder, or find out if the policyholder has died, by consulting the Social Security Master Death File, said Loretta Worters of the Insurance Information Institute. An SSN can also help find beneficiaries, she said.
Still, if in doubt, ask: Why do you need it? How will you use it? Do I really have to give it?
New Medicare cards are going out without the SSN on them, but for those over 65 the number is sitting in their wallet. Medicare has until April 2019 to comply with a 2015 law requiring it to create a Medicare Beneficiary Identifier. An MBI generator will initially assign 150 million new 11-character identifiers made up of numbers and capital letters. Hassle alert: The transition will run from April 1, 2018, through December 31, 2019, the Medicare web site says. Medicare notes that the MBIs “will not contain inappropriate combinations of numbers or strings that may be offensive.” Because, of course, that’s our big worry.
The Social Security Administration is taking action, too. Americans can turn on multi-factor authentication on their My Social Security accounts, which have been targeted by thieves setting up accounts using stolen SSNs to collect benefits.
As for Haas’s kids, or, more to the point, yours, the American Camp Association says it doesn’t require member camps to gather SSNs. But browsing through camp applications online, one finds the camper’s Social, or its last four digits, in demand on camp financial aid forms, authorization forms for medical emergencies, and so forth, sometimes accompanied by a promise to destroy the documents at the end of the season.
Will the U.S. ever break its addiction to the Social Security number? The Office of Personnel Management did begin exploring the use of “multiple alternate identifiers for different programs and agencies” in 2015, the GAO report said. The idea was to collect a Social Security number just once, when an employee started working, and then use different identifiers for different programs, like health care benefits. The work was put on hold for lack of funding.
Some fear we’re just going to come up with another unique identifier that can be compromised, said Velasquez, of the Identity Theft Resource Center. But she’s hoping something will happen in her lifetime. She’s 45.
— Read IRS’ ‘Dirty Dozen’: 12 Tax Fraud Schemes to Avoid on ThinkAdvisor.