At some point, I think we just have to stop pretending that SS numbers are a secret piece of information. Maybe we should just publish them all and be done with it.
The benefit of using SSNs is that they're assigned by a central authority which does a pretty good (though not perfect) job of ensuring that there's a 1:1 correspondence of SSN to person.
The issue of how they were to be used _other_ than by the Social Security Administration has been up in the air for a long time. I remember in college when "student identifiers" were just SSNs, and grades and other student data would be posted on office doors by Student ID (that is: SSN). That started getting phased out in the 1990s. There's the matter of the namespace -- it was kept intentionally small, and SSN exhaustion is something that will be faced eventually -- the space is sufficient for "several generations", some 450 million have been issued. The total namespace is around 890 million numbers.
The problem is that when you sign up for new services (online, financial, other), there's a desire, though often not a specific need, to associate an account with a specific person. And so the SSN gets drafted to serve that purpose, as a proof of identity, not as an identifier based on other proven identity.
Don't pretend that the government is without fault here. There's plenty of tax fraud that happens using social security numbers. People can steal your tax refund or even evade taxes by pushing them onto you through your social security number. The system is messed up, and the government is largely responsible for the mess. The Social Security Administration has the same security holes.
What you describe is ideal, but it's not what actually happened. The social security number has been used as identifier and proof of identification for a long time. Part of the problem is that it's from a time when technology did not allow anything more complicated. That's no longer an excuse though. Social security numbers should have been upgraded long ago.
Precisely: identity management is a house of cards. It actually seems, at this point, completely indefensible for the credit system to rely on name, SSN and address as identifiers, since there's really no guarantee that the person who ran out on a loan over here who claimed to have that name/SSN is the same as the person over here who is applying for a mortgage who supplies the same name/SSN.
If a bank got screwed on a loan deal by someone, and all they have to claim it was you is that the person told them your name and SSN? Really, at this point, with so many SSNs leaked, how can they justify blacklisting you with a credit check bureau?
I think you're right. Publish them all. Force banks to come up with a better solution.
SSNs are not considered secret pieces of information; you could easily publish all SSNs:
loop {
    xxx-xx-xxxx  // following SSN format
}
However, when they are tied in with other identifying information, this is when they become unique identifiers. The more associated information that is tied to the SSN, the "more secure" the mechanism of identification is. I have noticed this proposal of just not using SSNs at all and incorporating something else. An alternative is the password, which has been proven to not be the best case scenario, as users pick easy passwords to remember. Then 2FA became popular and is becoming much easier to use. Then there were gaps in the SMS or voicemail method of 2FA. My point being that no matter the mechanism put into place to uniquely identify an individual, there is no silver bullet. The more layers a company adds on, the better. Not to say I support HIPAA or any other archaic legislation (PCI etc.); these organizations are tasked with instituting laws or guidelines that are being outdated as fast as they are implemented and are required to make it as reasonable for every entity that is covered under these laws.
Not only could you publish them in a loop, until 2011 they were not random at all. Rather, the first 3 digits behaved much like an area code - if you know where someone was born, you can pretty easily guess the first 3 digits of their SSN.
Apparently in 2011 they changed this, and now none of the numbers are significant.
So apparently there may be a loophole (info acquired from Wikipedia, confidence == low). The SSN Wikipedia page at the very bottom mentions that SSNs used in advertising are considered invalid.
Possible solution: advertise all SSNs in card format, invalidate them all, and force the hand of government? Implausible but not improbable.
Or possibly advertise your own once it is known to be hacked... just throwing wet spaghetti at the wall, but there may be something that sticks.
SS Numbers are definitely becoming increasingly problematic. I don't know if public disclosure is the solution, but within the next 10 years some major changes will need to be enacted.
IMHO, these companies (and a lot of people) are pretending that social security numbers will be treated with extra care. Clearly, this is not the case.
Imagine how interesting this is going to get. You call up some bank to plead with them that you're the real you, the loan wasn't your doing, and the person you're talking to, who's disbelieving you, just spent their morning on the other end of the stick.