back to article White House plan to nuke social security numbers is backed by Equifax's ex-top boss

White House cybersecurity coordinator Rob Joyce has won the backing of Equifax's ex-CEO for a plan to stop using social security numbers as personal identifiers in the US. We have no idea of Joyce's opinion of the endorsement, but what we do know is that he floated the notion in a speech given to a Washington Post-sponsored …

  1. td97402

    Once Upon a Time

    You actually had to show up in person at the bank, savings & loan, credit union or finance company. You needed to have multiple forms of ID. You had to provide verifiable employment, credit and personal references. Then you had to wait anywhere from a few days to a few weeks to find out if you were approved for your home, car or personal loan. Then you had to go sign paperwork in person and collect a check.

    A few other niceties also existed. Like a reasonable maximum on your interest rate, by law it could only be so high. Your loan wasn’t immediately sold to some faceless corporation. If you had a situation you could likely go talk to a live person at the same place you made the loan and arrange to be late on a payment without the world coming to an end.

    So, how about this modern computer age then?

    1. Mage Silver badge
      Coat

      Re: You needed to have multiple forms of ID

      Still do need multiple ID to open an account, or to get additional ID (new Social Services Card or driving licence), inc utility bills to your address in Ireland. Then they post to the address. Some ID only accepted if you have Birth Cert too. EU anti-money-laundering laws. Preventing Money Laundering doesn't seem to apply to activities of major London based Financial institutions or major international companies stockpiling money in places like UK controlled Bahamas.

      Now which pocket is my passport? Some countries even belatedly plugging hole of using dead people's birth cert to get passport. (see this 1971 manual)

    2. anothercynic Silver badge

      Re: Once Upon a Time

      You still do in the UK. You might be able to provide it electronically (by PDF), but that is as good as paper and being checked... and only in the US will your mortgage be resold to some other investor (in the UK this only happens when the original vendor goes pop)... :-)

    3. Anonymous Coward
      Anonymous Coward

      Re: Once Upon a Time

      Unfortunately, as I have just proved, it is possible in the UK to obtain a certified copy of a birth certificate with nothing more than the date and place of birth of the individual, and with no requirement to prove eligibility at all.

      Following a house fire, I have just had to request new birth certificates for myself, wife and daughter, using the very convenient government website. At no point did I have to prove who I was. The new certificates were happily sent through the post to an address totally unconnected to me or any member of my family without any quibble.

      And of course, once in possession of said birth certificates, I can now get a passport, driving licence, etc, using the birth certificates as proof of identity.

      Now I have perfectly legitimate cause to have to do this, but it is obvious to me that this same process could be used to gain false documents, bank accounts etc with very little trouble.

    4. Yet Another Anonymous coward Silver badge

      Re: Once Upon a Time

      You also had to be white, male and belong to the same church and country club as the local bank manager to get a mortgage.

      You also had to pay the costs associated with all this personal attention, which is why only white male breadwinners were worthwhile as bank customers

    5. TomG

      Re: Once Upon a Time

      In the modern computer age an individual has more time to work, play and enjoy life because of the time saved by the computer.

  2. Anonymous Coward
    Anonymous Coward

    Not to be used as a form of identification

    That is what is said on my Parent's SS cards. This was a promising made to the American people when the program started. Then the courts started ruling that if one Government agency had access to it then they all did. Colleges used it for student ID's etc.

  3. ocratato

    Confused identification with authentication.

    The basic problem with the USA's SSN is that it confused identification with authentication.

    They should keep the SSN as an identifier, but introduce something new for authentication - something that can be revoked or changed when it becomes compromised.

    The best answer from the point of view of security would be something based on public-private keys. However the hard bit is finding a way where everyone can safely and securely manage and use their key(s).

    1. Anonymous Coward
      Anonymous Coward

      Re: Confused identification with authentication.

      That is what the rest of the world does.

      If I am, let's say in Bulgaria and I know your EGN (their equivalent of SSN) I can do you a favor - pay your local taxes, parking tickets or even traffic fines. I cannot, however, draw credit or in any other way impersonate you which results in me being given money or assets. For that you need a valid ID which is a choice of Eu biometric ID or passport (which has biometrics). Rest if Europe (except UK which continues with "utility bill idiocy") is the same.

      However, what can we expect. It is USA - constantly moralizing and teaching everyone how we are supposed to live while forgetting to wipe their bottoms and flush the toilet.

      1. Dan 55 Silver badge

        Re: Confused identification with authentication.

        1. ID cards un Europe are not as compulsory as you think they are.

        2. It's not all sorted out either. In Spain the SSN is only used by Social Security, so that's a step forward. On the other hand your ID number is used by everyone else, state or private company or credit reference agency, so that's pretty idiotic. There is no way to get a new number if the old one is compromised, it follows you around for life.

        1. LDS Silver badge

          "ID cards un Europe are not as compulsory as you think they are."

          They may not be compulsory - but in many countries, because not everybody has a driving licenses or a passport (especially the latter) - and you are still required an ID in many situations (i.e. to get a a utility contract...), and you need to prove your identity to police when stopped (including checks at airports for internal flights), the simpler and cheaper way is to get an ID card - it's very rare to see someone without even if its' not compulsory.

          We are also issued a smartcard already (needed to access health services, for examples) which also holds a private/public key pair. I can use it to authenticate to several services...

      2. DavCrav Silver badge

        Re: Confused identification with authentication.

        "For that you need a valid ID which is a choice of Eu biometric ID or passport (which has biometrics). Rest if Europe (except UK which continues with "utility bill idiocy") is the same."

        In the UK, you need a utility bill or something similar to establish your address, and a photographic piece of identification (passport or driving licence) to establish your identity. I'm glad my passport doesn't have my address on it, or otherwise it would be even more costly to move when a student. Driving licences do have your address on them, so they can form the second piece of ID, but you still need two.

    2. Lee D Silver badge

      Re: Confused identification with authentication.

      At one point I was issued a Government Gateway ID.

      It allows me to file tax returns, get a new passport, change the photo on my driver's license etc.

      At the start it was a long random code and a key-pair.

      Then it was just an identifier and a strong password.

      Even businesses have such an ID to themselves, to file tax and various other information.

      If the UK government has this kind of thing worked out for the last 10+ years, then I'm sure the US government can work it out, given our history of government IT projects.

      The only thing is that we haven't rolled it out to ABSOLUTELY everyone (it's probably a bit early for that, while we still have pensioners that have never used a computer in their life), but it's there.

      1. Anonymous Coward
        Anonymous Coward

        Re: Confused identification with authentication.

        It is painful and sometimes it fails. I now have two GG IDs because the first one won't work with some systems, it took eight weeks to work it out and be asked to create a GG ID.

    3. anothercynic Silver badge

      Re: Confused identification with authentication.

      Same with the UK NI number...

  4. Anonymous Coward
    Anonymous Coward

    The Trumpcard!!!

    - Your photo super-imposed with a photo of the great leader himself

    - Political and religious affiliate information (if we approve)

    - 5% discount at all Trump hotels worldwide (except the USA)

    - Space to write your golf handicap

    - Small form factor for those with dainty hands

    1. Anonymous Coward
      Anonymous Coward

      Re: The Trumpcard!!!

      Why have space to write religious affiliation when 'Christian' will be the only one allowed? Ditto for political, the only party you can select is 'Republican' but it isn't the republican party of pre-2016. It is 'Republican' as defined by Donald Trump at any given moment.

      That's the only way you explain how overnight it went from the party of free trade to the party of tariffs and economic isolationism, and how it went from supporting Ukraine's independence from Russia to supporting Russia's annexation of Crimea. Next week it may be the party of socialized medicine, so long as a health care bill is passed and put on Trump's desk and he gets to claim it "repeals Obamacare".

  5. GermanDude

    SSN needs to go

    I hope they find something better. When I came to the US I had to learn everything about Social Security Numbers. Little did I know that Americans did not know anything about those. At all!

    Everybody I asked had no clue. So to me this system seemed not secure. Especially when I saw that my Health insurance Account number was my SSN. What??

    That was 20 years ago and they don't do this anymore but just yesterday I saw a commercial for Medicare, where they bragged that "Next Year" They won't have that number on their cards anymore.

    Next Year???

    SSNs needs to be changeable. Just like a Credit Card Number that I can change whenever somebody uses it.

    Find something better... Please! This is such a ridiculous system.

    1. Orv Silver badge

      Re: SSN needs to go

      As a primary database key of sorts, changing an SSN is probably not practical. But there should be some other authenticator that *can* be changed. We should also consider modifying the SSN system going forward to include a check digit. A lot of issues with credit reports, identity theft, screwed-up government records, etc are caused by typos or transposed digits.

  6. DropBear Silver badge
    Facepalm

    It boggles the mind how on Earth could have SSNs, as something you're required to occasionally reveal to others, be ever considered something in any way shape or form security-related. What kind of idiot goes "you need to keep this number secret from strangers except of course any official of any organization who might conceivably need to ask for it, because those are all Good Guys"...?!?

    1. Orv Silver badge

      There's also that ironclad proof of identity, your mother's maiden name. I hate when forms ask for it because it's way too easy to find out. Why anyone thought it was any kind of secret, I can't imagine.

      1. The Nazz Silver badge

        An alternative to mothers maiden name?

        If the "families" around here are anything to go by, they'd be better (and more secure) to start asking for the fathers name. Guessing that would take far more than three goes. I'd wager that some of the mothers no longer know, if ever they did.

        I still recall a news clip from way back in the 80's when the Tories were looking at single parent benefits and a woman, sweeping her arm across her four kids, says "I don't receive a penny from any of their fathers."

        1. Anonymous Coward
          Anonymous Coward

          Re: An alternative to mothers maiden name?

          Problem is, at least mothers generally have a maiden name (the name they had before they married); otherwise the child was born out of wedlock which complicates things.

          Fathers do not necessarily have a middle name. They could easily have an even number of names (no middle name at all, or two which begs the question of which middle name is THE middle name).

  7. James 51

    This topic has been around for a long time. I can't remember the article now (probably on the BBC given this quote) but an expert said that the situation in the UK wasn't as bad as the US as companies did not use NI numbers as an ID field, therefore it was less useful for collating data from various organisations/hacked databases. Like biometrics though these are IDs and should never be passwords.

    1. Anonymous Coward
      Anonymous Coward

      How often have you been asked for your NI number lately. Combine this with having all your relevant personal details on driving licences including home address and there really is no security on an individual level if someone gets access to this.

      1. James 51

        The only private companies that have asked me for my NI have been my employers. SSNs are used by everyone and their dogs to id their customers in the US.

        1. Orv Silver badge

          Banks and employers are currently *required* to collect them for tax purposes. (For a US citizen, your TIN (Tax Identification Number) and your SSN are the same.)

          1. Charles 9 Silver badge

            Employers MUST collect the SSN because SS taxes are levied and withheld against the employee's wages and needs to be processed accordingly.

            Banks generally need you SSN if they need to get a credit report. If any account you have pays interest or dividends, that's taxable income. If you hold a mortgage, the interest you pay on it is tax-deductible and a frequent reason to itemize deductions (Schedule A). If taxes are involved (the latter two), the bank MUST know your SSN.

            PS. If you have an SSN, yes it is your TIN. But aliens can have a TIN but not an SSN.

  8. Primus Secundus Tertius

    Obscure number

    WTF is 8008135? It is meaningless to the average Brit.

    1. James 51

      Re: Obscure number

      Put it into a calculator then turn it upside down.

      1. Guus Leeuw

        Re: Obscure number

        Dear Sir,

        luckily Brits now think with their brain, rather than their naughty bits. It also seems that Brits have grown out of a juvenile state of mind.

        From the Dutch Overlord,

        Guus

      2. Charles 9 Silver badge

        Re: Obscure number

        Then it's not quite right. I think you meant 5318008.

    2. optimusdrone

      Re: Obscure number

      Wut? They don't have calculators in the UK? BooBies...

    3. Kevin Johnston

      Re: Obscure number

      Really? Really?

      Dial your sense of humour back to early schooldays and maybe it will be a little more obvious...as a clue it is also a large (Southern Hemisphere?) bird which tend to crash land rather than float gracefully down.

    4. GrapeBunch

      Re: Obscure number

      That one stumped me, too, for about 8 seconds.

  9. J.G.Harston Silver badge

    At least UK NINOs are checksummed and aren't a contunuous sequential set of numbers, so you can't just string together a random string of numbers (and two letters) and get a valid NINO.

    1. johnB

      NINO checksummed ?

      Not to my knowledge.

      Staff at NI HQ always denied to me when I worked there that there was any such checksum. Not surprising for a system devised in the 1940's, long before computers. The first two (alpha) characters can give some indication of age, but that's more or less it, as far as I'm aware.

      (VAT numbers are, however).

  10. Tikimon
    Devil

    Le roi est mort, vive le roi

    Assume we get rid of Socialist Security Numbers. It won't make any useful difference because the entities that wish to track and trace us want us to have a unique Identifier of some kind. Everyone was assigned an SSN by a government entity and could not change it. No better human-tagging system existed so it became the default US ID Number. But times have moved on.

    If we stop using the SSN for identification some other Primary Key will be chosen to tag us with. The easiest new identifier choice would be an existing one that has lots of data attached to it already. What fits the bill best? Your Google or Facebook ID. The one they're sharing with the Feds already.

    So my informed-cynicism take is that we can kill SSN for ID but it will be quickly replaced with something worse, probably your electronic ID from Google. I hope I'm wrong, but...

    1. Charles 9 Silver badge

      Re: Le roi est mort, vive le roi

      My thought exactly. SOMETHING will take the SSN'S place as primary key (already does for aliens and others without a SSN). Plus with today's database and computing technology, tracking a hundred numbers may as well be as easy as tracking one.

  11. FrankAlphaXII

    And just how the hell is that supposed to work? Are they going to issue everyone ITINs? If they do, it'll just replace the SSN/SIN as something new for criminals to steal with the exact same results as getting your SSN stolen now. Ask anyone who lives in the US and pays taxes but isn't a citizen about what happens if someone steals your ITIN. Its more difficult to deal with than having your SSN stolen, and that's saying something as SSN fraud isn't exactly a walk in the park.

    It'll never happen, especially with the group of clowns occupying both houses of congress and the white house but something has to give. When even a credit bureau can't seem to do the job right, it doesn't say much for any of these fools. And I'm in the same boat as the disgraced ex-CEO here, I've had my SSN (and medical files, and security paperwork, as well as biometrics with my military files) stolen four times in as many years, twice from OPM/NARA, once with Anthem and now with Equifax.

    Instead of treating the symptoms, and giving us yet another number that's going to get stolen, they need to treat the disease itself, and the only way to do that is to make corporations that mishandle NPPI liable for the theft itself to the tune of a thousand dollars (or more) plus any losses incurred by their customers through their mishandling and make it an immediate discharge from Federal service for the agency directors if a Federal Agency mishandles NPPI. I'm sick of hearing how much they value my business and how seriously they take their security when its plain to see that they simply do not.

    1. Orv Silver badge

      I think a lot of the problem is we're using the same number as both an identifier and a form of authentication. I'm not sure how to solve that problem, because not's not just the government -- in fact, the worst parts of identity theft often don't involve the government at all, but the credit agencies.

      I think mostly I'd like to see credit agencies regulated so heavily that they get a fine if their CEO so much as farts without filing paperwork authorizing it ahead of time.

      1. Charles 9 Silver badge

        But the credit agencies are BIG companies, SO powerful they can push the legislators (and with them, the LAWS) as they please, and there's little the citizens can do about it since they have enough to influence the stupid. And as the comedian says, you can't fix stupid. Makes you wonder if this whole government by the people is overrated.

        1. TomG

          government by the people

          No, government by the people is not overrated. Maybe government by the uninformed is overrated. Having worked in government for 31 years I have noted it is voting people who has the power.

          1. Charles 9 Silver badge

            Re: government by the people

            But you have to assume that most people are uninformed because, frankly, they have better things to do. Perhaps that was why the Founding Fathers originally required voters to be landowners: on the assumption that people with actual skin in the game would pay attention to the government.

  12. allthecoolshortnamesweretaken

    "Joyce suggested using a "modern cryptographic identifier" [...]"

    But, but, but - anything "cryptographic" is bad because terrorists?

  13. Kev99

    If you were to read the original Social Security Act of 1935(date?) you'd see the law clearly stated the director of the social security administration was to develop a means of identifying beneficiaries and for n other reason. The idiots in congress kept piling on other uses, some of which were never necessary.

  14. GrapeBunch
    Devil

    Canada

    In Canada we have SIN. It's not Original, it's the Social Insurance Number, since the 1960s. For a little bit, it threatened to go the way of the SSN, but the Federal gov't throttled it back. For example, for a while your Provincial medical number (also confidential, right) might have been a version of your SIN. But they stopped that a couple of decades back. AFAIK, SIN is now used only for income tax-related matters and pensions. Somehow fitting that, as, "the wages of SIN is death". Which must mean that the number is no longer useful to you once you've popped yer clogs.

    1. Anonymous Coward
      Anonymous Coward

      Re: Canada, SIN uses

      SIN was meant for only government, CPP, then Social programs and Income Tax use. Canadians were assured repeatedly that it would never become a universal identification number for business and government it is. Today it is part of many private and corporate databases. In Canada getting a new SIN, usually due to abuse, is all too often undone by a private company linking and referencing databases.

      Often a person is only identified enough to find them on one of many databases and then that information is used to populate the new database, information that contains SIN and other data often in violation of provincial privacy laws. Seen that first hand. IMO If any Canadian thinks otherwise they need to ask more questions, pay more attention and stop thinking the government and industry has their best at heart.

      In Canada any company dealing with any of your money in anyway, including just receiving it as payment, can claim a need for your SIN and avoid legal action. Some claim they need it because while they do not directly deal with an individual and their money the companies they work with do.

      In Canada many private companies still have and use SIN as an identifier but things are better than a decade ago when there were more active SIN than Canadians. The government at the time was trying to reduce the most obvious abuses but the political climate has changed IMO we can expect increased abuse of the SIN and related government systems.

      And of course we can expect more lies about the information being collected and stored on Canadians both by governments and businesses.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020