Why the heck are SSNs nonetheless handled as passwords within the US? • TechCrunch


A few weeks in the past yet one more of my pals was a sufferer of id theft, and I acquired yet one more deep look into how fantastically damaged the U.S. could be relating to safety. “They’ve my social safety quantity,” she mentioned, and I used to be reminded of how loads of methods within the U.S. are woefully poorly designed. To wit: This morning I referred to as my financial institution and was requested for the final 4 digits of my SSN and so they in some way accepted my id as a result of I knew these 4 digits. LOLWUT? If my financial institution was a startup, I’d name up the chairman of the board and demand its chief safety officer be fired on the spot for gross incompetence.

After I moved to the U.S. a few years in the past, my pals made positive that I knew I needed to preserve my Social Safety quantity (SSN) secret and hidden. After I began opening a checking account and arrange a cellular phone plan, it turned apparent why: All types of establishments that actually ought to know higher are treating this string of numbers as a password. There’s an enormous, evident downside with that. I preserve that Equifax ought to obtain the company equal of capital punishment for permitting this to occur, however 145 million social safety numbers have been stolen by hackers a couple of years in the past, which signifies that the Social Safety numbers — sure, the identical numbers which are being handled as “passwords” — for about half the U.S. grownup inhabitants are within the wind.

We’ve gotten used to passwords by now, however at the least, usually, passwords could be modified when they’re hacked. Your social safety quantity? Not a lot. In case your SSN leaks simply as soon as, you’re boned. It’s not attainable to alter it, and that brings up the true depth of idiocy in all of this: Counting on safety that is determined by protecting an unchangeable piece of data secret is actually bloody silly.

The corollary is that this: Think about that your e-mail has been hacked however your e-mail supplier tells you you could’t change your password, you possibly can’t change your e-mail supplier, and also you’ll simply need to take care of it. That’s the scenario we presently have with Social Safety numbers.

Most nations have equivalents of a Social Safety quantity that the state or the taxman makes use of to determine you. In most nations, nonetheless, it’s by no means assumed that this quantity is secret. You log in to your financial institution accounts with it. You freely inform your employers what it’s. You possibly can spray paint it on the facet of the home or tattoo it in your brow. I might do neither, however that’s extra a matter of my style vis-a-vis brow tattoos and storage graffiti. From a safety viewpoint, there’s no specific purpose why you shouldn’t.

In a lot of the remainder of the world, your SSN-equivalent is handled as a singular identifier. In different phrases: It’s your distinctive username. Along with your consumer identify, you’ll want a password to take care of something. For a similar purpose you shouldn’t use your username as a password, you shouldn’t depend on any public info as a part of your safety matrix. “What’s your mom’s maiden identify” is a horrible safety query. In case your mum is on Fb, it’s seemingly that you simply’re 2-3 clicks away from the reply to that query. Guess what? With all of the hacks and leaks, your SSN is de facto public info.

One a part of me thinks that maybe the Equifax hack might have been a very good factor, however provided that everybody who depends on SSN numbers as passwords reviewed and amended their safety protocols. It actually ought to have been a wake-up name. And but, right here we’re, 5 years later, nonetheless utilizing our SSN numbers to enroll in automobile insurance coverage, open bank cards and determine ourselves to our banks. It’s completely ridiculous and it must cease.



Supply hyperlink