One Ring to rule them all, One Ring to find them, One Ring to bring them all, and in the darkness bind them.—J.R.R. Tolkien
David Haas doesn’t like to give out his Social Security number. He fends off all the requests he can, from doctors, credit card companies, the bureaucracy at large. In the end, it was summer camp that got him.
“If the camp refuses your child because you won’t divulge your Social Security number, you end up giving in,” said the Franklin Lakes, New Jersey, financial planner. Haas kind of caved to his daughter’s school, too.
Don’t be too hard on him. It is the number that rules us all.
(Related: Equifax Breach Causes Uproar in Financial Services Community)
Social Security numbers, which identify the retirement accounts Americans build up over a lifetime of paycheck deductions, are taken in the vast majority of data breaches, including the massive hack Equifax Inc. announced on Thursday, simply because they are ubiquitous. They’re a juicy target. Together with other basic information, like name and date of birth, the Social Security number is a passport to a person’s identity. Unlike a credit card number, which can be instantly canceled, the SSN serves most people for their entire lives, with some 496 million issued since the first batch of cards went out in 1936. Its use as authentication for personal accounts has expanded the opportunity for fraud.
The government has tried to lessen our dependence on the Social Security number as the ultimate identifier and authenticator—for example, some states ask for a driver’s license or state ID on income tax forms. Within its own ranks, the federal government is locked in a struggle to reduce the “unnecessary collection, use and display” of the number. In 2007, a presidential task force issued recommendations to “help prevent the theft and misuse of consumer’s personal information.” A decade later, on May 23, the Government Accountability Office testified about a GAO progress report on executive branch efforts to address the recommendations. The verdict: “These initiatives have had limited success.” Among the initiatives was a proposed “alternative federal employee identifier” on Office of Personnel Management forms. That was abandoned as impractical “without an alternate governmentwide employee identifier in place.”
An estimated 17.6 million people, or some 7% of American residents 16 or older, suffered at least one instance of identity theft in 2014, according to the Bureau of Justice Statistics. And that was before mega-breaches like the ones at Equifax, the health insurer Anthem, and the Office of Personnel Management itself.
“We are bleeding fraud with the use of SSNs,” said Eva Velasquez, chief executive officer of the non-profit Identity Theft Resource Center, which helps victims of identity theft.
According to Equifax, which discovered the hole in its defenses in late July, the private information of some 143 million people was compromised. In addition to Social Security numbers, it includes addresses, driver’s license data, and birth dates, as well as some credit card data. A proposed class-action lawsuit was filed against the company late Thursday.
Attempts to check the SSN’s proliferation have been failing for nearly half a century. As early as 1971, a Social Security Administration task force proposed that the agency take a ” ‘cautious and conservative position’ toward SSN use and do nothing to promote the use of the SSN as an identifier,” according to The Story of the Social Security Number, on the agency’s web site. No luck.
How about fingerprints? Government agencies including the Veterans Administration and the Post Office have tried them, but they came with the whiff of criminality. The bald string of numbers seemed the more practical way to go.
In its early days, the SSN wasn’t widely treated as sacrosanct. In 1938, a wallet manufacturer in New York, which wanted to advertise how well those new Social Security cards fit into its billfold, used the actual number of its Treasurer’s secretary, one Mrs. Hilda Schrader Whitcher. Mrs. Whitcher’s secret identifier (078-05-1120) was soon on display at Woolworth and other department stores around the country.
By 1943, nearly 6,000 people were using her number, according to the Social Security Administration, which voided it. Over the years, more than 40,000 people claimed the number as their own, and 12 people were found to be using it as late as 1977.
“They started using the number. They thought it was their own,” the real 078-05-1120 said, according to a history on the Social Security Administration web site. “I can’t understand how people can be so stupid.”
Since then, many companies and government agencies, while using SSNs internally, have at least stopped displaying them on ID cards and using them as subscriber numbers. Many use unique numbers, sent to a recognized device such as a cellphone, in place of the familiar request for the last four digits of the Social. Some have suggested creating individual encryption keys, sort of like the code-generating tokens that workers use to access their computers from outside the office. Another idea, a national identification card, “creeps people out, because it seems very Orwellian,” Velasquez said.
Even creepier, she said, one frustrated consumer proposed that the government “just microchip me so you can scan me and thieves can’t dig it out of me.”