Home > Identity Theft > Should We Kill the Social Security Number?

Comments 3 Comments

While tax season is still producing eye twitches around the nation, it’s time to face the music about tax-related identity theft. Experts project the 2014 tax year will be a bad one. The Anthem breach alone exposed 80 million Social Security numbers, and then was quickly followed by the Premera breach that exposed yet another 11 million Americans’ SSNs. The question now: Why are we still using Social Security numbers to identify taxpayers?

From April 2011 through the fourth quarter of 2014, the IRS stopped 19 million suspicious tax returns and protected more than $63 billion in fraudulent refunds. Still, $5.8 billion in tax refunds were paid out to fraudsters. That is the equivalent of Chad’s national GDP, and it’s expected to get worse. How much worse? In 2012, the Treasury Inspector General for Tax Administration projected that fraudsters would net $26 billion into 2017.

While e-filing and a lackluster IRS fraud screening process are the openings that thieves exploited, and continue to exploit, the IRS has improved its thief-nabbing game. It now catches a lot more fraud before the fact. This is so much the case that many fraudsters migrated to state taxes this most recent filing season because they stood a better chance of slipping fraudulent returns through undetected. Intuit even had to temporarily shut down e-filing in several states earlier this year for this reason. While the above issues are both real and really difficult to solve, the IRS would have fewer tax fraud problems if it kicked its addiction to Social Security numbers and found a new way for taxpayers to identify themselves.

Naysayers will point to the need for better data practices. Tax-related fraud wouldn’t be a problem either if our data were more secure. Certainly this is true. But given the non-stop parade of mega-breaches, it also seems reasonable to say that ship has sailed. No one’s data is safe.

Identity thieves are so successful when it comes to stealing tax refunds (and all stripe of unclaimed cash and credit) because stolen Social Security numbers are so plentiful. Whether they are purchased on the dark web where the quarry of many a data breach is sold to all-comers or they are phished by clever email scams doesn’t really matter.

In a widely publicized 2009 study, researchers from Carnegie Mellon had an astonishingly high success rate in figuring out the first five digits for Social Security numbers, especially ones assigned after 1988, when they applied an algorithm to names from the Death Master File. (The Social Security Administration changed the way they assigned SSNs in 2011.) In smaller states where patterns were easier to discern the success rate was astonishing — 90% in Vermont. Why? Because SSNs were not designed to be secure identifiers.

That’s right: Social Security numbers were not intended for identification. They were made to track how much money people made to figure out benefit levels. That’s it. Before 1972, the cards issued by the Social Security Administration even said, “For Social Security purposes. Not for Identification.” The numbers only started being used for identification in the 1960s when the first big computers made that doable. They were first used to identify federal employees in 1961, and then a year later the IRS adopted the method. Banks and other institutions followed suit. And the rest is history.

In fact, according to a Javelin Research study last year, 80% of the top 25 banks and 96% of the top credit card issuers provide account access to a person if they give the correct Social Security number.

There are moves to fix related fraud problems elsewhere in the world, in particular India where, in 2010, there was an attempt to get all 1.2 billion of that nation’s citizens to use biometrics as a form of identification. The program was designed to reduce welfare fraud, and according to Marketwatch, 160 similar biometric ID programs have been instituted in other developing nations.

In 2011, President Obama initiated the National Strategy for Trusted Identities in Cyberspace, a program that partnered with private sector players to create an online user authentication system that would become an Internet ID that people could use to perform multiple tasks and aid interactions with the federal and state governments. There may be a solution there — but not yet.

The first Social Security card was designed in 1936 by Frederick Happel. He got $60 for it. It was good enough for what it had to do (and was clear that the card wasn’t a valid form of identification). That is no longer the case. That card is nowhere near good enough. Perhaps one solution is a new card design — one with chip-and-PIN technology. Just how something like that might work — i.e., where readers would be located, who would store the information & support authentication, etc. — would have to be a discussion for another day.

The point is, we need to do something.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its partners.

More on Identity Theft:

Image: iStock

Comments on articles and responses to those comments are not provided or commissioned by a bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by a bank advertiser. It is not a bank advertiser's responsibility to ensure all posts and/or questions are answered.

Please note that our comments are moderated, so it may take a little time before you see them on the page. Thanks for your patience.

  • M. Abel

    Chip-and-PIN technology does not obfuscate the account number which remains in the clear and so does not provide any benefit to this problem. All that Chip-and-PIN does is ensure that a real card was used, rather than a counterfeit card, but it does not protect against theft of the SSN or use of stolen identity in online contexts. And there are no SSN card readers. Without readers, there will be no EMV SSN cards to read.

    Tokenization, by contrast to Chip-and-PIN, replaces the SSN with a random, and limited or one-time use, number. The token number can be safely provided in place of the SSN and the requester must ask for specific information that is normally associated with the SSN, such as a credit report or tax records. The provided records can have identifying information removed before they are provided to the requestor and only the contractually agreed information would be returned without enabling over-disclosure of irrelevant but private information of the SSN holder.

    Tokenization requires limited changes to existing systems, no new hardware or card readers, and no cards. it can be deployed easily by the Social Security Administration (or a private contractor) as a federated system to credit agencies, the IRS, and other agencies with a need to request SSNs to access associated records. Commercial business could join and pay a fee to use the tokenization system, if they want the strength of SSN identity to improve their private service. And this would be done with greatly reduced risk to the SSN holder that their private information would be disclosed and potentially misused.

  • John Formerfed

    Seriously, people saying the Social Security Administration should not use the SSN? If any organization has the right to use it, it’s Social Security and that includes the partner agency who receives the taxes paid using the number, the IRS.

    The issue isn’t the SSN it’s the fact that it has become a defacto national ID and it was never designed to do that and all the tinkering in the world, all the PINS and biometrics won’t change the fact it wasn’t supposed to be used how it’s being used.

    The solution is to eliminate the use of the SSN for anything other the payment of taxes, and the issuance of social security benefits. Give the financial and credit industry a 4 year deadline to come up with alternatives (heck many competing alternatives, from free to ones you pay for) and let consumers choose which ID(s) they will use. Give people 2 years to pick 1 or more of these IDs to use with credit cards etc. Impose big fines on any non-federal governmental organization using the SSN as an identifier at the start of year 7. Make sure these systems are federated (i.e., they work together) so we can establish an identity ecosystem that leaves the SSN relegated to history.

    But that will cost so much! How large are the current costs in fraud and theft for the current system? I bet you the gross savings in reduced fraud cover the costs of the development and transition to alternatives. At a fraud conference I attended in 2011, the numbers used to annual financial fraud in the US alone was at $36 Billion. Certainly that shows that spending money to develop improved systems would be cost effective and a good investment by the financial services industry.

    Folks wedded to the existing system, especially private investigators, went crazy a few years back when the FTC looked into this. There is a huge amount of resistance to the idea of using anything other than the SSN, so they want to buttress it, like so many here.

    The real solution is to abandon it, make it worthless except for filing taxes and getting SSA benefits, as it was intended to do. Take away the power it has inadvertently been given by those organizations that piggybacked on it. Insist that those who are finding the cost of fraud acceptable instead spend some money on competing personal ID systems that will better serve this intended use and reduce theft and fraud.

    The horse has already left this barn, it’s time for a new way to do this and leave the SSN alone to do the job it was designed to do.

  • Michael S.

    One simple change would be to increase the size of the number, either by changing the length or counting base. It is absurd that numbers EVER have to be recycled. That alone makes them much easier to guess.

Certain credit cards and other financial products mentioned in this and other articles on Credit.com News & Advice may also be offered through Credit.com product pages, and Credit.com will be compensated if our users apply for and ultimately sign up for any of these cards or products. However, this relationship does not result in any preferential editorial treatment.

Hello, Reader!

Thanks for checking out Credit.com. We hope you find the site and the journalism we produce useful. We wanted to take some time to tell you a bit about ourselves.

Our People

The Credit.com editorial team is staffed by a team of editors and reporters, each with many years of financial reporting experience. We’ve worked for places like the New York Times, American Banker, Frontline, TheStreet.com, Business Insider, ABC News, NBC News, CNBC and many others. We also employ a few freelancers and more than 50 contributors (these are typically subject matter experts from the worlds of finance, academia, politics, business and elsewhere).

Our Reporting

We take great pains to ensure that the articles, video and graphics you see on Credit.com are thoroughly reported and fact-checked. Each story is read by two separate editors, and we adhere to the highest editorial standards. We’re not perfect, however, and if you see something that you think is wrong, please email us at editorial team [at] credit [dot] com,

The Credit.com editorial team is committed to providing our readers and viewers with sound, well-reported and understandable information designed to inform and empower. We won’t tell you what to do. We will, however, do our best to explain the consequences of various actions, thereby arming you with the information you need to make decisions that are in your best interests. We also write about things relating to money and finance we think are interesting and want to share.

In addition to appearing on Credit.com, our articles are syndicated to dozens of other news sites. We have more than 100 partners, including MSN, ABC News, CBS News, Yahoo, Marketwatch, Scripps, Money Magazine and many others. This network operates similarly to the Associated Press or Reuters, except we focus almost exclusively on issues relating to personal finance. These are not advertorial or paid placements, rather we provide these articles to our partners in most cases for free. These relationships create more awareness of Credit.com in general and they result in more traffic to us as well.

Our Business Model

Credit.com’s journalism is largely supported by an e-commerce business model. Rather than rely on revenue from display ad impressions, Credit.com maintains a financial marketplace separate from its editorial pages. When someone navigates to those pages, and applies for a credit card, for example, Credit.com will get paid what is essentially a finder’s fee if that person ends up getting the card. That doesn’t mean, however, that our editorial decisions are informed by the products available in our marketplace. The editorial team chooses what to write about and how to write about it independently of the decisions and priorities of the business side of the company. In fact, we maintain a strict and important firewall between the editorial and business departments. Our mission as journalists is to serve the reader, not the advertiser. In that sense, we are no different from any other news organization that is supported by ad revenue.

Visitors to Credit.com are also able to register for a free Credit.com account, which gives them access to a tool called The Credit Report Card. This tool provides users with two free credit scores and a breakdown of the information in their Experian credit report, updated twice monthly. Again, this tool is entirely free, and we mention that frequently in our articles, because we think that it’s a good thing for users to have access to data like this. Separate from its educational value, there is also a business angle to the Credit Report Card. Registered users can be matched with products and services for which they are most likely to qualify. In other words, if you register and you find that your credit is less than stellar, Credit.com won’t recommend a high-end platinum credit card that requires an excellent credit score You’d likely get rejected, and that’s no good for you or Credit.com. You’d be no closer to getting a product you need, there’d be a wasted inquiry on your credit report, and Credit.com wouldn’t get paid. These are essentially what are commonly referred to as "targeted ads" in the world of the Internet. Despite all of this, however, even if you never apply for any product, the Credit Report Card will remain free, and none of this will impact how the editorial team reports on credit and credit scores.

Our Owners

Credit.com is owned by Progrexion Holdings Inc. which is the owner and administrator of a number of business related to credit and credit repair, including CreditRepair.com, and eFolks. In addition, Progrexion also provides services to Lexington Law Firm as a third party provider. Despite being owned by Progrexion, it is not the role of the Credit.com editorial team to advocate the use of the company’s other services. In articles, reporters may mention credit repair as an option, for example, but we’ll also be sure to note the various alternatives to that service. Furthermore, you may see ads for credit repair services on Credit.com, but the editorial team isn’t responsible for the creation or implementation of those ads, anymore than reporters for the New York Times or Washington Post are responsible for the ads on their sites.

Your Stories

Lastly, much of what we do is informed by our own experiences as well as the experiences of our readers. We want to tell your stories if you’re interested in sharing them. Please email us at story ideas [at] credit [dot] com with ideas or visit us on Facebook or Twitter.

Thanks for stopping by.

- The Credit.com Editorial Team