19 January 2018
Robert Siciliano

Identity Theft Expert

Robert Siciliano - IDTheftSecurity.com

741Posts 2,063,926Views 62Comments

Continued Use of Social Security Numbers Leads to ID Theft

17 June 2009  |  2975 views  |  1

 

A patient at a Washington state medical clinic was asked for his Social Security number numerous times. Many of us have endured this familiar process. Considering the recent buzz about identity theft, this patient became concerned about releasing his own sensitive personal data, and requested that the facility remove his Social Security number from their records. The clinic refused, the patient put up a stink, and was ultimately ejected from the facility. The clinic considered his request unreasonable, and a violation of their rules and regulations. So, who’s right and who’s wrong in this scenario?

One Saturday afternoon, years ago, my spouse and I went to a major chain that rents videos. Without naming them, let’s just say they rent some block buster movies. The account was under my wife’s name, but she didn’t have her card with her that day. Upon checkout, the pimply faced 17-year-old clerk said, “No problem,” and asked for her Social Security number, which appeared on the screen in front of him. I freaked out and was ejected from the store. So, who’s right and who’s wrong?

In both cases, the customer is wrong. That may not be the answer you were expecting. I was wrong and the patient was wrong.

In general, routine information is collected for all hospital patients, including the patient’s name, address, date of birth, Social Security number, gender and other specific information that helps them verify the individual’s identity, as well as insurance enrollment and coverage data. And due to federally mandated laws like HIPAA, they are careful to maintain confidentiality of all patient information in their systems.

Corporations such as banks, credit card companies, automobile dealers, retailers and even video rental stores who grant credit in any form are going to ask for your name, address, date of birth, Social Security number and other specific information that helps them verify your identity and do a quick credit check to determine their risk level in granting you credit.

The Social Security Administration says, “Show your card to your employer when you start a job so your records are correct. Provide your Social Security number to your financial institution(s) for tax reporting purposes. Keep your card and any other document that shows your Social Security number on it in a safe place. DO NOT routinely carry your card or other documents that display your number.” But beyond that they have no advice and frankly, no authority.

Over the past fifty years, the Social Security number has become our de facto national ID. While originally developed and required for Social Security benefits, “functionality creep” occurred. Functionality creep occurs when an item, process, or procedure designed for a specific purpose ends up serving another purpose, which it was never intended to perform.

Here we are decades later, and the Social Security number is the key to the kingdom. Anyone who accesses your number can impersonate you in a hospital or bank. So what do you do when asked for your Social Security number? Many people are refusing to give it out and quickly discovering that this creates a number of hurdles they have to overcome in order to obtain services. Most are often denied that service, and from what I gather, there is nothing illegal about any entity refusing service. Most organizations stipulate access to this data in their “Terms of Service” that you must sign in order to do business with them. They acquire this data in order to protect themselves. By making a concerted effort to verify the identities of their customers, they establish a degree of accountability. Otherwise, anyone could pose as anyone else without consequence.

So where does this leave us? I have previously discussed “Identity Proofing,” and how flawed our identification systems are, and how we might be able to tighten up the system. But we have a long way to go before we are all securely and effectively identified. So, in the meantime, we have to play with the cards we are dealt in order to participate in society and partake in the various services it offers. So, for the time being, you’re going to have to continue giving up your Social Security number.

I give up mine often. I don’t like it, but I do things to protect myself, or at least reduce my vulnerability:

How to protect yourself;

  • You can refuse to give your Social Security number out. This may lead to a denial of service or a request that you, the customer, jump through a series of inconvenient hoops in order to be granted services. When faced with either option, most people throw their arms in the air and give out their Social Security number.
  • You can invest in identity theft protection. There are dozens of companies offering a variety of services to protect you in different ways. These services can monitor credit reports, set fraud alerts or credit freezes, restore damaged credit, and sweep the net looking for stolen data.  I’m working with Intelius Identity Protect and like them. Secure and cost effective.
  • You can attempt to protect your own identity, by getting yourself a credit freeze, or setting up your own fraud alerts. You can use Google news alerts to sweep the net and take precautions to prevent social media identity theft.
  • Protect your PC. Regardless of what others do with your Social Security number, you still have to protect the data you have immediate control over. Make sure to invest in Internet security software.

Robert Siciliano, identity theft speaker, discusses the ubiquitous use of Social Security numbers.

What have you done in the past when asked for your SSN? Did you refuse? What happened?

 

TagsSecurityRisk & regulation

Comments: (1)

Keith Appleyard
Keith Appleyard - available for hire - Bromley | 18 June, 2009, 08:27

Do these retail organisations actually validate the SSN on-line against governent records? NO - so just give them any old 9 digit number in the format 3-2-4. There is no check digit to worry about. If you can't make one up, use the one that used to appear in wallets bought at Woolworths since 1938 : 078-505-1120. Will you have actually broken any law giving any old number to Blockbusters?

As a UK resident who is a frequent visitor to the USA, I don't have a US Social Security Number. However I do have to complete certain US IRS Forms, so I invented my own SSN/TIN (Taxpayer Identification Number) as my UK Payroll number padded out with zeros - eg 000-12-3456. That has been accepted for over 20 years, even on official IRS papers such as W9(BEN) - and I've never been prosecuted or denied my Tax Refunds or Dividends.

That way - the bureaucrats are satisfied, but you have the personal satisfaction knowing you've beaten the system.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)

Latest posts from Robert

Top 10 Tips for Securing Your Mobile Devices and Sensitive Client Data

11 January 2018  |  2765 views  |  0 comments | recomends Recommends 0 TagsSecurity

Your Social Security Card Gets Stolen: Now What?

04 January 2018  |  3385 views  |  0 comments | recomends Recommends 0 TagsSecurity

What Was Scary About Blackhat 2017?

02 August 2017  |  6402 views  |  0 comments | recomends Recommends 0 TagsSecurity

Black Hat 2017 was an Amazing Event

29 July 2017  |  6909 views  |  0 comments | recomends Recommends 0 TagsSecurity

Blackhat Hackers Love Office Printers

28 July 2017  |  5538 views  |  0 comments | recomends Recommends 0 TagsSecurity

Robert's profile

job title Security Analyst
location Boston
member since 2010
Summary profile See full profile »
Security analyst, published author, television news correspondent. Deliver presentations throughout the United States, Canada and internationally on identity theft protection and personal security....

Robert's expertise

Member since 2009
739 posts62 comments

Who's commenting on Robert's posts

Ketharaman Swaminathan