How Social Security numbers became skeleton keys for fraudsters
Social Security numbers may be the聽worst kept secrets in America.
But the originators聽of the聽individualized codes by the聽Social Security Administration never intended them to become de facto identifiers relied on by hospitals, insurers, banks, cable companies, and even retailers.
"Unfortunately, it's becoming so ubiquitous, and so many businesses are being breached, that it鈥檚 the skeleton key to your life," says Adam Levin, chairman of聽, an identity protection firm. "It's a social insecurity number at this point."
And as a result, the Social Security Number (SSN) has聽become a valuable commodity among fraudsters and identity thieves. When crooks have it 鈥 along with your聽name and date of birth 鈥 they can use it not only to take over existing bank accounts but also to open new ones and access benefits and health care in your name.
"Once they have your SSN, you will be looking over your shoulder for the rest of your life," Mr. Levin says.
The Identity Theft Resource Center聽聽that the number of breached records with SSNs totaled more than 164.4 million in 2015. And it's not just bad actors hacking online databases 鈥斅爃ard drives are stolen from doctors' offices; paper records are left unsecured.
But experts such as Levin 鈥 and even the Social Security Administration 鈥 say that people should be guarded about giving over their SSNs, stop writing it down on forms at doctors' offices, and push back when anyone asks for it.聽
"People are聽not聽required to give their number to private businesses," said a spokesperson at聽the Social Security Administration, which聽advises people not to carry their Social Security cards on them and to closely guard their numbers.聽"The Social Security number is used to keep a record of workers' earning and to monitor benefits paid under the Social Security program."
So, how did these ubiquitous numbers become so overused 鈥 and abused 鈥 in the first place?聽
Social origins
The Social Security Administration issued 25 million of the nine-digit codes through local post offices within the first six months of the program. At the outset, the numbers got you access to your government benefits and nothing else.
Originally, the agency assigned the first three digits according to the geographical region in which the person resided in at the time he or she obtained the number. By 2009, researchers聽were able to determine a person's SSN with great certainty based on birth date; in 2011, Social Security Administration began assigning numbers randomly.
Overusing SSNs isn't a new phenomenon. In the mid-20th century, newspapers published full SSNs as local lottery drawings. In some cases, the newspapers printed the past week's winners' names and locations.
When Passcode reached out to the Social Security Administration, the press office said it had no record of fraud occurring around SSN lotteries.聽,聽New Jersey was awarding affordable housing to recipients of computer-selected SSNs that were printed in local newspapers.
The first outside organizations to require SSNs were the Civil Service Commission (which later became the Office of Personnel Management) in 1961 and the Internal Revenue Service in 1962. Keeping track of federal tax returns or government employees with those immutable numbers made sense.
But then savings and loans started requiring it to open accounts in the 1970s,聽says聽Sean McCleskey, director of organizational education聽and measurement at the Center for Identity at the University of Texas at Austin.
Then,聽banks began requiring聽SSNs for interest-bearing accounts 1983, says聽Mr. McCleskey.聽Children often didn鈥檛 apply for SSNs until they were of working age until聽, when a tax reform act required parents to list a child鈥檚 SSN聽to聽qualify for the聽dependent deduction.
The number of organizations asking for SSNs has "grown consistently every few years," McCleskey says. School lunch programs, public assistance, and food stamps 鈥 funded by federal money 鈥 all require a SSN from participants. "But one of the biggest problems with SSNs is the medical field. They can get it but they don鈥檛 really need it."
McCleskey聽studied the history of the SSN for the Secret Service, where he ran the identity theft and cybercrime unit for a decade. Law enforcement considered identity theft only a financial crime until recently, he says. It wasn't until 2004 that lawmakers enacted a federal statute, , that gave prosecutors greater abilities to pursue criminals for identify theft crimes. The law imposed聽a two-year minimum for each identity stolen.
Medical malpractice
The medical industry may be the biggest collectors 鈥 and holders 鈥 of Americans' SSNs. And while doctors commonly聽request SSNs, they聽rarely require them.聽
The trouble is that health care has the highest incidence rate of breaches of any industry, according to , and cybercriminals target health care organizations specifically because they lag behind in security.
The of health data breaches has risen dramatically this year, from 63 in the first quarter of 2016 to 118 in the third. Many of those are small compared to the Anthem breach, which in 2015 exposed 80 million SSNs along with customers'聽names, addresses, and employers.
Levin of IDT911 says doctors often ask for SSNs just because they鈥檝e been doing it for so long. "Someone says, 'It's because we won鈥檛 get reimbursed by the insurance company.' But you have my insurance information, and they have my SSN," he says. "Or, 'I need it for your death certificate.' My response to that is, 'Here鈥檚 my wife's phone number or my lawyer's phone number.' "
Until 2015, SSNs were emblazoned on Medicare cards; the agency is now聽聽for the millions of existing and new users. "We tell people never carry your SSN card, but you carry a Medicare card," Levin says.
If your Medicare card still shows your full SSN, he has this advice: "Make a copy of that card, and then redact all but two numbers of the SSN. On the back, add your emergency contact info. Only when you know you鈥檙e going to the doctor, take the card with you. But otherwise carry this redacted version of it, so if you faint or have a heart attack they will know that you have a Medicare card, but they鈥檒l need to call your emergency contact to get the info."
Pushing back
We'd all be smart to be selective when it comes to giving out our SSNs, say experts. Certain federal government agencies rightfully require it, and a company needs it if they want to hire you or run a credit check. But most of the time "it鈥檚 a lazy way to identify a person," says McCleskey of the聽Center for Identity.
If an organization requests your SSN, you should ask why they need your number, how it's going to be used, if you're required by law to give it, and what happens if you refuse. "Then you have to decide how bad you want to conduct the transaction with that organization," McCleskey says. "At least you鈥檙e making an educated decision."
Utilities and telecommunication companies aren't required by law to have your SSN; it鈥檚 likely that they want to check your credit to know whether you're at risk of dodging bills or not returning equipment. If you don't want to give them your SSN, offer to pay a deposit, which is what they鈥檇 ask of people with bad credit anyway.
"It鈥檚 a weird economy where people don鈥檛 want to cause a scene so they say, 'OK, here鈥檚 all my stuff,' " McCleskey says. "You鈥檒l fight over paying an extra $5, but then you'll just hand over the farm when it comes to data."
Ask organizations why they need your SSN, and, "If they can't cite a law or regulation that requires them to have it, they鈥檙e just using it as a way to identity proof you." McCleskey suggests offering your Driver鈥檚 License number and date of birth as an alternate proof of identity.
Mitigating the damage
If you believe you've been a victim of identity fraud, you should file a report with the police, keep a copy聽as proof of the crime, and then notify the , which maintains a centralized database.
Levin says consumers should follow the three M's: Minimize your risk of exposure, monitor your credit reports and accounts; and have a plan to minimize damage. And many people have access to free identity theft response programs through their employers, insurers or financial organizations.聽
Anyone can get their annual free credit reports to check for fraudulent accounts and review their Social Security statements annually. If you know your information has been breached, put a fraud alert on your credit file through one of the three main agencies, or consider .
"The great thing about a credit freeze is that no one can open a new account," Levin says. "But that鈥檚 not the silver bullet, because it doesn鈥檛 freeze existing accounts or affect medical identity theft."
Businesses and organizations can help mitigate the problem of identity theft by considering as much data as they do.
"Breaches have become the third certainty of life after death and taxes," Levin says. "It would be great to believe we can prevent ID theft, that companies are thoughtful and advanced enough, but we can鈥檛 believe that when the HR department for the US government gets breached as horribly as the OPM did. How鈥檚 the guy down the street going to be able to protect me?"
