Why the heck are SSNs still treated as passwords in the US?

A couple of weeks ago yet another of my friends was a victim of identity theft, and I got yet another deep look into how fantastically broken the U.S. can be when it comes to security. “They have my social security number,” she said, and I was reminded of how a lot of systems in the U.S. are woefully poorly designed. To wit: This morning I called my bank and was asked for the last four digits of my SSN, and they accepted my identity simply because I knew those four digits. LOLWUT? If my bank were a startup, I’d call up the chairman of the board and demand its chief security officer be fired on the spot for gross incompetence.

When I moved to the U.S. a couple of years ago, my friends made sure that I knew I had to keep my Social Security number (SSN) secret and hidden. When I opened a bank account and set up a cell phone plan, it became obvious why: All sorts of institutions that really should know better are treating this string of numbers as a password. There’s a huge, glaring problem with that. A few years ago, 145 million Social Security numbers were stolen by hackers from Equifax (I maintain that Equifax should receive the corporate equivalent of capital punishment for allowing this to happen), which means that the Social Security numbers — yes, the same numbers that are being treated as “passwords” — for about half the U.S. adult population are in the wind.

We’ve gotten used to passwords by now, but at least, in most cases, passwords can be changed when they are leaked. Your Social Security number? Not so much. If your SSN leaks just once, you’re boned. It’s not possible to change it, and that brings up the true depth of idiocy in all of this: Relying on security that depends on keeping an unchangeable piece of information secret is really bloody stupid.

The corollary is this: Imagine that your email has been hacked but your email provider tells you that you can’t change your password, you can’t change your email provider, and you’ll just have to deal with it. That’s the situation we currently have with Social Security numbers.

Most countries have an equivalent of a Social Security number that the state or the taxman uses to identify you. In most countries, however, it is never assumed that this number is secret. You log in to your bank accounts with it. You freely tell your employers what it is. You could spray paint it on the side of your house or tattoo it on your forehead. I would do neither, but that’s more a matter of my taste vis-à-vis forehead tattoos and garage graffiti. From a security point of view, there’s no particular reason why you shouldn’t.

In most of the rest of the world, your SSN-equivalent is treated as a unique identifier. In other words: It is your username. In addition to your username, you’ll need a password to deal with anything. For the same reason you shouldn’t use your username as a password, you shouldn’t rely on any public information as part of your security scheme. “What is your mother’s maiden name?” is a terrible security question. If your mum is on Facebook, it’s likely that you’re 2-3 clicks away from the answer to that question. Guess what? With all the hacks and leaks, your SSN is de facto public information.
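As an added example (not code from the original post), here is the design this paragraph argues for next to the one it criticises, using constructed account data: the legacy check accepts the last four digits of the SSN as the whole proof of identity, while the hardened version uses the SSN only as a lookup key and authenticates with a separate credential that can be rotated after a leak.

```python
"""Added example: SSN as secret (legacy) vs. SSN as username (hardened).
All account data below is constructed; the SSN is a placeholder."""
import hashlib
import hmac
import os

SAMPLE_SSN = "123-45-6789"  # constructed placeholder, not a real SSN


def _hash_credential(credential: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example stdlib-only; a production system would use a
    # tuned password hash (argon2/scrypt) and per-user parameters.
    return hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, 100_000)


class LegacyBank:
    """Last four SSN digits are the only proof of identity."""

    def __init__(self):
        self.accounts = {SAMPLE_SSN[-4:]: {"name": "A. Customer"}}

    def authenticate(self, ssn_last4: str):
        # Only 10,000 possible values, the real one is in breach dumps,
        # and nothing here can be changed once it leaks.
        return self.accounts.get(ssn_last4)


class HardenedBank:
    """SSN is a public identifier; a rotatable secret proves identity."""

    def __init__(self):
        self.accounts = {}

    def enroll(self, ssn: str, credential: str) -> None:
        salt = os.urandom(16)  # fresh salt on every enrol/rotate
        self.accounts[ssn] = {"salt": salt, "hash": _hash_credential(credential, salt)}

    def authenticate(self, ssn: str, credential: str) -> bool:
        rec = self.accounts.get(ssn)  # SSN is the lookup key, nothing more
        if rec is None:
            return False
        return hmac.compare_digest(rec["hash"], _hash_credential(credential, rec["salt"]))

    def rotate(self, ssn: str, old: str, new: str) -> bool:
        # Unlike the SSN, the credential can be replaced after a compromise.
        if not self.authenticate(ssn, old):
            return False
        self.enroll(ssn, new)
        return True
```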

One part of me thinks that perhaps the Equifax hack could have been a good thing, but only if everyone who relies on SSNs as passwords had reviewed and amended their security protocols. It really should have been a wake-up call. And yet, here we are, five years later, still using our SSNs to sign up for car insurance, open credit cards and identify ourselves to our banks. It’s absolutely ridiculous and it needs to stop.