Editorial: Your Number Is Up

Re-thinking how we guard our identities

August 2009


In the late 1930s, wallets from a certain manufacturer contained a mock-up card for display. The insert was designed to look like a legitimate Social Security card -- it listed a number, no name, and was stamped “Specimen.” The problem: the number was legitimate. It belonged to Mrs. Hilda Schrader Whitcher, who was an assistant to the Vice President of the company. Thousands of others claimed the number belonged to them, too, once the wallets (holding the offending card) were in circulation among the public. The wallet company’s dubious promotional efforts spawned the epic case for what the Social Security Administration calls “The Most Misused Number of All Time.” All told, the SSN “issued by Woolworth,” as it wryly came to be known, has been claimed -- not legitimately, mind you -- by 40,000 people. File this episode under Stupid Pet Tricks.

The embattled Mrs. Whitcher endured a visit from the FBI over the prolific use of her number, endless bureaucratic headaches and the annoyance of being the subject of office wisecracks. The Social Security Administration eventually did something it reserves for extreme cases of SSN misuse: it issued her a new number.

Today, it’s practically unfathomable that a company could engage in such idiotic behavior. Unfortunately, government entities, companies and organizations of all stripes engage in careless behavior to this day that, while not so outrageous as the above example, exposes all of us to the risk of identity theft. As if it weren’t enough that many Web sites for state, county and local jurisdictions are waving our Social Security numbers on virtual flags, tens of thousands of entities in the private sector are using SSNs as proof of identity for transactions that have absolutely nothing to do with the number’s original intent (which was to track employment and wage-earning for tax purposes).

It’s no secret that the vast network of entities entrusted with our data is essentially a sieve. And now the new study by Carnegie Mellon additionally reminds us why the use of the SSN-as-ultimate-identifier is a doomed endeavor: Because the numbers are predictable. We have yet another facet of weakness in a system that’s treated as the almighty of personal identification.

What now?

The first step toward meaningful change is to determine where the problem lies; the next step – to develop and implement a plan to solve it. And the Carnegie Mellon study led by Alessandro Acquisti and Ralph Gross proposes a number of solutions. For years, we’ve advocated for a paradigm shift in the handling of personal data. In the realm of personal data collection—by the private sector specifically—Acquisti and Gross present the beginnings of a roadmap here. It’s clear that there is no easy solution; it’s multi-faceted and requires cooperation from all sectors.

Let’s start with the SSA. The administration has stated it will begin to randomize the SSNs it issues starting next year. That’s nice, but as the researchers point out, what does that do for the hundreds of millions of people who’ve already been assigned non-random numbers?

Those numbers are still predictable. Therefore, this step alone is clearly not enough. The researchers want it taken several steps further: reward those who stop using SSNs for authentication, and punish those who don’t. Beyond that, the study calls for the government to support deeper research aimed at creating “more efficient, secure, and privacy-preserving means of electronic authentication.” Build a better barrier. But we can’t stop there.

What about financial institutions and other organizations? The study insists that credit-reporting agencies and financial institutions stop using SSNs for identification purposes because it is such a flawed method of verification. Because credit reports can contain errors, the study says, financial institutions have been known to accept incorrect information, including addresses and SSNs, in their approval of new accounts. So much for “authentication.”

Never mind the 11th-hour, it’s way past midnight. Closing time has come and gone. The private sector—credit-reporting agencies and financial institutions included—must ask themselves whether they want to continue to be complicit in this mess, or do they want to face cold, hard reality and develop their own system of identity verification. Given the billions of dollars banks lose each year to identity theft, they cannot afford not to do this.

Why make it good for the bad guys?

Divorce – nope. Trial separation – not gonna happen. Unless your number is misused as though it were issued by Woolworth, you and your SSN will be together ’til death do you part. Untangling your SSN, your so-called “true” identity, from the misdeeds of others can be painful, disruptive and a very time-consuming and expensive process. So—as with any lifelong relationship—you need to pay serious attention to it, manage it and protect it. All the regulation, enforcement and perp walks in the world are no substitutes for personal vigilance. Just the same, the careless behavior of the alleged guardians of your data—be it the government or private sector—doesn’t excuse you from your own role in the identity game. Don’t assume someone else has your best interests at heart. The ultimate guardian of your information security is you. However, you can also be its ultimate saboteur.

The Carnegie Mellon study shows that personal details harvested from social networking sites can be useful to identity thieves trying to crack the code for somebody’s Social Security number.

We already know the various and sundry ways in which thieves can pluck enough factoids from the mind-numbing annals of online quizzes, blogs and biographical information to figure out the “security questions” on password-protected accounts. (Does the world really need to know the name of your first pet?) And it doesn’t take a rocket scientist to cobble together the various pieces—in particular, birthdays—identity thieves need to provide in order to persuade creditors that their bogus identities are in fact true.

In the online world, too many people crave the roar of the greasepaint and the smell of the crowd. Unfortunately, they don’t pause long enough whilst chronicling in grand fashion every minute detail of their lives in daily (perhaps hourly) Twitter, Tumblr and Facebook updates to reflect upon the consequences of what they are doing and what is at stake.

Before posting anything online, perhaps we should ask ourselves whether what we’re about to release into the ether will bring us tens of thousands of dollars’ worth of fraudulent debt and a decimated credit rating. Not to mention buy us a ticket in the medical and criminal identity theft lottery.

The realization of these potential scenarios may seem far-off and remote, maybe even impossible. Until, of course, they actually happen to you.

At the risk of alienating millions of social networking devotees around the globe, let me pose this one question: Why exactly is it a rite of passage to post the exact date of your birth online? If you can’t live without your annual flood of birthday wishes on Facebook maybe (just maybe) you could disclose your birthday sans the real year. Even so, why would you want to make life easier for identity thieves? There’s enough information out there about you already. These guys are digging your grave; don’t get in there with a shovel and help them.

But let’s not forget that the assault on our identities comes from all sides here. Let’s not forget that many private businesses use your Social Security number to discern whether you are who you say you are. The private sector has created an SSN-based authentication system against the government’s best advice, yet it is we—the people—who must deal with the fallout. And let’s certainly not forget how woefully incompetent the government, too, has been in protecting our private data, and how abundantly they have contributed to the data breach chronicles.

No, the system won’t change overnight. We can’t expect a miracle. But that doesn’t mean it shouldn’t change at all. Responsibility lies with each party, at each juncture, and if we want to get serious about fixing this—really fixing it—then the problem needs to be addressed holistically. The sheer number of data breaches alone should be enough to convince private industry that SSNs aren’t the closely guarded secrets they once were, and it should be enough for the government to put an end to improper use of this information.

The Social Security system was enacted nearly 75 years ago. The world has changed; how we prove who we are has changed. Today we stand to lose so much more if the number that is treated as the mooring to our financial, legal and medical identity slips out of our hands. Why shouldn’t the system of identifying us evolve now that the dangers are clear? We’re past helpful suggestions for change; it’s time for a call to arms. Nothing meaningful can happen until those who are responsible stop taking baby steps and start making the great strides that are so critically needed.


Also from Identity Theft 911's August 2009 newsletter
Your Not-So-Confidential Social Security Number

©2003-2010 Identity Theft 911, LLC. All rights reserved.
