Every few months I (like all employed Americans) get a statement from the Social Security Administration reminding me how much I would get if I were to retire (that is, if Social Security were still around when I retire). First off, it's not much, and that's bad enough ;) but what I just noticed is that they include the last four digits of my Social Security number in this printout, with a note that they included it for my protection.
This is a complicated topic. After all, Social Security is what the Social Security number is for, but the fact is that it has been co-opted for many other purposes, and the only part of the Social Security number that is needed for identity theft is the last four digits (all they print).
Now, the letter does come in an envelope to prevent casual readers, but then again it's not like it comes in a plain brown envelope to obscure its contents (Playboy does, or so I hear); it comes in a white envelope with neon green text advertising its contents and origin.
The theory here goes that the U.S. Mail is protected by federal law, and if an attacker were to steal the mail from the mailbox and get caught, it would be a federal crime resulting in the attacker ending up in the federal prison system, which is supposed to be enough to discourage mail theft. The problem is that this has proven not to be true.
Most identity theft today still occurs in the physical world; in other words, both mail and garbage theft are key ways that folks get information about you. To mitigate these risks we installed a locking mailbox and purchased a high-quality cross-cut shredder that we use religiously, but before we did this we had numerous cases of our mail being stolen and our garbage being gone through.
So clearly the threat of federal imprisonment is insufficient to deter attackers from mail theft. The neon-green-labeled envelope simply makes it easier for the attacker to find this useful information amongst all the other junk in the mail.
So what about their claim that by only showing the last four they help prevent identity theft? Well, it's true that I need more than the last four of my Social Security number to open a new account (home loan, credit, car, etc.), but that is all I need to take over an existing bank or stock account.
I guess that makes the question: which is more likely, someone taking out a home loan in my name or taking over my existing accounts? I doubt statistics on this are readily available, as it's in the banks' best interest to "make these cases go away". After all, their businesses are dependent on people feeling comfortable spending money with them, and large frauds like home and car loans are not something you can systematically push off on the consumer without negative repercussions to their business.
I guess that takes us to the last point: what other things could they do to "help reduce the risk of identity theft"? Without giving this much thought, it seems the best thing they could do would be not to include this information in these printouts. Of course, they need to provide a means to authoritatively cross-reference back to your Social Security number, so why not generate a unique identifier that's good for some pre-determined period of time, and provide a phone number you could call with that identifier, where you could prove you know the Social Security number associated with the report and not the other way around?
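One way the time-limited identifier idea above could work, as an added example that is not part of the original post: the statement carries only a random reference, and the caller must supply the full SSN for the issuer to match. The class name, validity period, lockout threshold and sample SSN are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

VALIDITY_SECONDS = 90 * 24 * 3600   # assumed validity period of a printed reference
MAX_FAILURES = 3                    # assumed lockout threshold per reference


class StatementRegistry:
    """Hypothetical issuer-side store: reference ID -> keyed digest of the SSN."""

    def __init__(self, server_key: bytes):
        self._key = server_key      # held by the issuer only, never printed
        self._records = {}          # ref_id -> [digest, expires_at, failures]

    def _digest(self, ref_id: str, ssn: str) -> bytes:
        # Keyed (HMAC) rather than plain hash: nine digits are trivially brute-forced.
        normalized = "".join(ch for ch in ssn if ch.isdigit())
        msg = f"{ref_id}:{normalized}".encode()   # bound to this reference
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, ssn: str, now: float) -> str:
        """Return the random reference printed on the statement instead of SSN digits."""
        ref_id = secrets.token_hex(8)   # random, reveals nothing about the SSN
        self._records[ref_id] = [self._digest(ref_id, ssn), now + VALIDITY_SECONDS, 0]
        return ref_id

    def verify(self, ref_id: str, claimed_ssn: str, now: float) -> bool:
        """Caller proves knowledge of the SSN; the issuer never reads any of it back."""
        record = self._records.get(ref_id)
        if record is None:
            return False
        digest, expires_at, failures = record
        if now > expires_at or failures >= MAX_FAILURES:
            return False                # expired or locked out
        if hmac.compare_digest(digest, self._digest(ref_id, claimed_ssn)):
            return True
        record[2] += 1                  # count wrong guesses toward the lockout
        return False


if __name__ == "__main__":
    registry = StatementRegistry(secrets.token_bytes(32))
    ref = registry.issue("000-12-3456", now=0.0)          # constructed, never-issued SSN
    print(ref, registry.verify(ref, "000-12-3456", now=60.0))
```

A stolen statement then yields only a reference that expires and locks after a few wrong guesses, instead of digits that are reusable elsewhere.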
Something else they could consider doing is applying a little security through obscurity (like Playboy) and using a plain envelope to carry this information. This probably comes at the cost of some folks not opening the mail, but the greater good is probably served.
The last thing that comes to mind is that they could provide a means to opt out of receiving these notices and make a way for me to register to see them online in a "secure" way.
In a few days I will write about some things you as the consumer can do to mitigate the risks of identity theft, but for now I am out of here :)
[update July 18th] Today a co-worker pointed me at a document that describes the history of the SSN; it's worth a look.