How Social Security numbers became skeleton keys for fraudsters
a shift in thought
The Social Security number is overused and abused by hospitals, banks, and even retailers, putting millions of Americans at risk of identity theft. But experts say it doesn't have to be this way.
—Social Security numbers may be the worst kept secrets in America.
But the originators of the individualized codes first distributed in 1936 by the Social Security Administration never intended them to become de facto identifiers relied on by hospitals, insurers, banks, cable companies, and even retailers.
"Unfortunately, it's becoming so ubiquitous, and so many businesses are being breached, that it’s the skeleton key to your life," says Adam Levin, chairman of IDT911, an identity protection firm. "It's a social insecurity number at this point."
And as a result, the Social Security Number (SSN) has become a valuable commodity among fraudsters and identity thieves. When crooks have it – along with your name and date of birth – they can use it not only to take over existing bank accounts but also to open new ones and access benefits and health care in your name.
"Once they have your SSN, you will be looking over your shoulder for the rest of your life," Mr. Levin says.
The Identity Theft Resource Center reports that the number of breached records with SSNs totaled more than 164.4 million in 2015. And it's not just bad actors hacking online databases — hard drives are stolen from doctors' offices; paper records are left unsecured.
But experts such as Levin – and even the Social Security Administration – say that people should be guarded about giving over their SSNs, stop writing it down on forms at doctors' offices, and push back when anyone asks for it.
"People are not required to give their number to private businesses," said a spokesperson at the Social Security Administration, which advises people not to carry their Social Security cards on them and to closely guard their numbers. "The Social Security number is used to keep a record of workers' earning and to monitor benefits paid under the Social Security program."
So, how did these ubiquitous numbers become so overused – and abused – in the first place?
The Social Security Administration issued 25 million of the nine-digit codes through local post offices within the first six months of the program. At the outset, the numbers got you access to your government benefits and nothing else.
Originally, the agency assigned the first three digits according to the geographical region in which the person resided in at the time he or she obtained the number. By 2009, researchers were able to determine a person's SSN with great certainty based on birth date; in 2011, Social Security Administration began assigning numbers randomly.
Overusing SSNs isn't a new phenomenon. In the mid-20th century, newspapers published full SSNs as local lottery drawings. In some cases, the newspapers printed the past week's winners' names and locations.
When Passcode reached out to the Social Security Administration, the press office said it had no record of fraud occurring around SSN lotteries. Even by 1988, New Jersey was awarding affordable housing to recipients of computer-selected SSNs that were printed in local newspapers.
The first outside organizations to require SSNs were the Civil Service Commission (which later became the Office of Personnel Management) in 1961 and the Internal Revenue Service in 1962. Keeping track of federal tax returns or government employees with those immutable numbers made sense.
But then savings and loans started requiring it to open accounts in the 1970s, says Sean McCleskey, director of organizational education and measurement at the Center for Identity at the University of Texas at Austin.
Then, banks began requiring SSNs for interest-bearing accounts 1983, says Mr. McCleskey. Children often didn’t apply for SSNs until they were of working age until 1986, when a tax reform act required parents to list a child’s SSN to qualify for the dependent deduction.
The number of organizations asking for SSNs has "grown consistently every few years," McCleskey says. School lunch programs, public assistance, and food stamps – funded by federal money – all require a SSN from participants. "But one of the biggest problems with SSNs is the medical field. They can get it but they don’t really need it."
McCleskey studied the history of the SSN for the Secret Service, where he ran the identity theft and cybercrime unit for a decade. Law enforcement considered identity theft only a financial crime until recently, he says. It wasn't until 2004 that lawmakers enacted a federal statute, 18 USC 1028A, that gave prosecutors greater abilities to pursue criminals for identify theft crimes. The law imposed a two-year minimum for each identity stolen.
The medical industry may be the biggest collectors – and holders – of Americans' SSNs. And while doctors commonly request SSNs, they rarely require them.
The trouble is that health care has the highest incidence rate of breaches of any industry, according to Healthcare IT News, and cybercriminals target health care organizations specifically because they lag behind in security.
The number of health data breaches has risen dramatically this year, from 63 in the first quarter of 2016 to 118 in the third. Many of those are small compared to the Anthem breach, which in 2015 exposed 80 million SSNs along with customers' names, addresses, and employers.
Levin of IDT911 says doctors often ask for SSNs just because they’ve been doing it for so long. "Someone says, 'It's because we won’t get reimbursed by the insurance company.' But you have my insurance information, and they have my SSN," he says. "Or, 'I need it for your death certificate.' My response to that is, 'Here’s my wife's phone number or my lawyer's phone number.' "
Until 2015, SSNs were emblazoned on Medicare cards; the agency is now phasing in new ID numbers and cards for the millions of existing and new users. "We tell people never carry your SSN card, but you carry a Medicare card," Levin says.
If your Medicare card still shows your full SSN, he has this advice: "Make a copy of that card, and then redact all but two numbers of the SSN. On the back, add your emergency contact info. Only when you know you’re going to the doctor, take the card with you. But otherwise carry this redacted version of it, so if you faint or have a heart attack they will know that you have a Medicare card, but they’ll need to call your emergency contact to get the info."
We'd all be smart to be selective when it comes to giving out our SSNs, say experts. Certain federal government agencies rightfully require it, and a company needs it if they want to hire you or run a credit check. But most of the time "it’s a lazy way to identify a person," says McCleskey of the Center for Identity.
If an organization requests your SSN, you should ask why they need your number, how it's going to be used, if you're required by law to give it, and what happens if you refuse. "Then you have to decide how bad you want to conduct the transaction with that organization," McCleskey says. "At least you’re making an educated decision."
Utilities and telecommunication companies aren't required by law to have your SSN; it’s likely that they want to check your credit to know whether you're at risk of dodging bills or not returning equipment. If you don't want to give them your SSN, offer to pay a deposit, which is what they’d ask of people with bad credit anyway.
"It’s a weird economy where people don’t want to cause a scene so they say, 'OK, here’s all my stuff,' " McCleskey says. "You’ll fight over paying an extra $5, but then you'll just hand over the farm when it comes to data."
Ask organizations why they need your SSN, and, "If they can't cite a law or regulation that requires them to have it, they’re just using it as a way to identity proof you." McCleskey suggests offering your Driver’s License number and date of birth as an alternate proof of identity.
Mitigating the damage
If you believe you've been a victim of identity fraud, you should file a report with the police, keep a copy as proof of the crime, and then notify the Federal Trade Commission, which maintains a centralized database.
Levin says consumers should follow the three M's: Minimize your risk of exposure, monitor your credit reports and accounts; and have a plan to minimize damage. And many people have access to free identity theft response programs through their employers, insurers or financial organizations.
Anyone can get their annual free credit reports to check for fraudulent accounts and review their Social Security statements annually. If you know your information has been breached, put a fraud alert on your credit file through one of the three main agencies, or consider freezing it.
"The great thing about a credit freeze is that no one can open a new account," Levin says. "But that’s not the silver bullet, because it doesn’t freeze existing accounts or affect medical identity theft."
Businesses and organizations can help mitigate the problem of identity theft by considering whether they really need to collect as much data as they do.
"Breaches have become the third certainty of life after death and taxes," Levin says. "It would be great to believe we can prevent ID theft, that companies are thoughtful and advanced enough, but we can’t believe that when the HR department for the US government gets breached as horribly as the OPM did. How’s the guy down the street going to be able to protect me?"