[Cryptography] After Equifax pwning, what is the best means for replacing the SSN?

John Levine johnl at iecc.com
Tue Sep 12 17:51:06 EDT 2017


In article <13702759.1bt7j2b2zW at lovemachine> you write:
>It makes you wonder, however, why a single 9-digit number is capable of such 
>destruction. Why is your identity 9 digits long?

Because it was never supposed to be a national ID.  SSNs were invented
in the 1930s when Social Security was invented, as an account number
to track people's contributions and benefits.  Back in the 1930s,
account numbers were not common.  The minority of people who paid
income tax put their names at the top of their form 1040.  Your bank
account had your name, not a number.  (Account numbers arrived in the
1950s when the Bank of America started automated check sorting.)  

Unfortunately for us, the people who designed the account system for
the Social Security Administration did a really good job, and even
though it's 80 years later, the numbering system is still adequate for
its original purpose, and as we have seen sort of adequate for way too
many other purposes with which it has been overloaded.

It seems to me that the worst abuse of the SSN is the fiction that it
is secret, and so anyone who presents your SSN must be you.  I'd pass
a law that says that any account or transaction or database
authenticated only or primarily with an SSN is presumed fraudulent and
uncollectable.  This specifically includes credit bureaus.

As far as a better national ID, there are lots of countries with
national IDs, some of which work better than others.  You might start
by looking at Estonia which is small and sophisticated, and India
which is huge.

R's,
John
 

