77 comments

[ 2.6 ms ] story [ 143 ms ] thread
If it was already notorious... what took them this long?
> SSNDOB listed the personal information for approximately 24 million individuals in the United States, including names, dates of birth, SSNs, and credit card numbers

Great, good to shut it down, but how long until its replacement springs up? It probably already has.

Instead of going through all this effort and expense to track the sellers of this information, it would be better to make "names, dates of birth, SSNs, and credit card numbers" valueless on their own. I'm not sure what the alternative looks like, but posession of this kind of personal information about someone should not be useful or valuable.

Put it in a public phone directory and maybe SSN will finally not be used as some layer of security. Credit card numbers likewise.
It would certainly be a darkgrayhat move to do such a thing. It would be effective at deprecating SSNs as identifiers but would cause a lot of pain and suffering for a lot of people in the interim.
I don’t have much worry about the use of SSNs as an identifier; it’s the fact of knowing them being used as an authentication mechanism which continues to puzzle me.
Sorry, I misspoke, but yes deprecating them for authentication would be the goal.
Credit card numbers aren't supposed to be private, are they? We use them all the time to send money. It's the expiry date and the CVC that should be kept secret, but even then 3dsecure is a thing.
We give the cards to strangers in restaurants etc. The CVC or date should not be on the card really if it is some sort of safe guard.

The whole credit card setup is quite insane when you think about it.

The checking system is so much worse. The only parameters needed to make an ACH payment are a name, a routing number, and the account number -- all of which are printed on every check. There is very little fraud protection, and it is difficult for an account holder to dispute an incorrect or fraudulent transfer.
There is very little fraud protection, and it is difficult for an account holder to dispute an incorrect or fraudulent transfer.

I see a cause and effect here. Make it easier (by law) for the account holder to dispute a transfer, and I'm sure the banks will suddenly spend more effort on fraud prevention.

There is a whole layer of security and compliance around the handling of credit card numbers that anyone who processes them has to go through. They are not considered publish information.
SSNs are coincidentally almost the same number of digits as US phone numbers, so just make it so you can register your SSN as an alternate phone number for your cell phone.

You'd probably need a separate country code for it ...

(comment deleted)
Yup. This stuff is all so deeply compromised at this point it's almost surprising you can still sell it. I guess fraud is still rare enough that companies would rather ask for SSN and say "hey we tried" than actually bother to look deeper.
FULLZ (a text file containing this information) sell for about $.99 per file/person on darknet markets, mostly to build up the seller's reputation.

There are 20,000,000 from just this one source and sellers seemingly randomly chose them. Thats just a lot of people. The buyer can use the same social security number for a different purpose than the last buyer.

Like, maybe the prior buyer wanted to try something easy like opening a credit card. The compromised person has a low but improving chance of noticing and locking their credit report, making their social security number useless(-ish) for credit card applications. The next buyer though may have never considered that and might just open a bank account with an online bank. You wouldn't know if a bank account has been opened in your name. And the account itself doesn't have to be used for anything flag worthy or that could frame you (I wanted to say "anything criminal" but obviously some laws are being violated even if the funds are clean).

On darknet markets, many people chose to skip laundering money, and just open bank and brokerage accounts in any developed nation under anyone's name. They just trade stocks and accumulate dollars. Eventually, whenever they want, they will laundering to cash out completely. But people can fly under the radar for a very long time, staying liquid, and not really doing any kind of consumptive spending from those accounts.

So the same social security numbers can be used many times, and there are also too many social security numbers for the level of interest in this, for now.

Places that ask for your SSN are usually not doing so for auth, it's mostly as a taxpayer ID, or a unique identifier because names aren't unique. (banks, employers, etc)

For fraud prevention they typically do behavior analysis or use a composite of personal data. SSN + DOB + Name + last address you lived at + etc.

"Don't hold criminals accountable because there will always be more criminals"
This is an unnecessarily reductionist interpretation.

“Don’t clean and bandage the gaping wound because it’ll just keep bleeding”

The point isn’t to stop going after criminals, the point is that just going after criminals is as pointless in the long run as just dressing a wound that actually requires a different solution - stitches.

Given limited resources, addressing the root of the problem would be more valuable than continuing to go after the symptoms.

Since I doubt the same agency would be part of a real solution, it probably becomes a conversation about where funding is directed.

I agree with the core of your argument but I think it's more complicated. If SS weren't important criminals would move onto something else. If you stop going after criminals would there be more or less SS theft?

If the solution is to phase out whatever criminals are using against people then you'll just be on a different path that never ends.

I think this is fair. The ideal path is probably not just one or the other, but a combination of both.
The problem is that a SSN was designed to be secret, and then everyone decided to use them as a UUID for people, which are generally not secret.

The solution is to split them. Give everyone some kind of citizen ID number that isn't private, but is unique. Then give everyone some kind of auth mechanism that identifies a person when combined with their ID number.

What we currently do is using SSN as the identifier, with DOB as the auth mechanism. That's terrible because the SSN is supposed to be secret, and DOB is basically public knowledge at this point.

They also can't be easily re-issued, which is it's own problem.

There are obvious and substantial differences between SSN and some of the newer cryptography-based ID cards other countries are using.

It's the other way around. SSNs were designed to be UUIDs, and everyone decided to use them as a secret.

> At its inception, the SSN's only purpose was to uniquely identify U.S. workers

> The card was never intended to serve as a personal identification document—that is, it does not establish that the person presenting the card is actually the person whose name and SSN appear on the card.

https://www.ssa.gov/policy/docs/ssb/v69n2/v69n2p55.html

You're right that it wasn't intended that way, but it's incredibly incompetent of them to think it would work that way. They discarded the idea of using names/addresses to identify people because it was unmanageable, so how did they propose people authenticate to these systems if it wasn't via SSN?

I.e. if your SSN is a UUID, then what's the password to authenticate into these systems? Your name? That's even less secret than your SSN. Your address?

Historically and today, if you want to update the address your checks get sent to, you can send them a letter with your name, SSN, old address and new address. One of those obviously has to be a secret, or anyone can reroute your SSA checks wherever they want. Which one of those is meant to be a secret? Names and addresses are void due to phone books, which only leaves the SSN.

That means the SSA is using SSNs as a personal identification document, regardless of whether they claim it was designed that way or not.

(comment deleted)
Whatever tokens you use to identify someone will be a target for identity theft. You can make the tokens harder to guess or harder to replicate, but with an associated decreased accessibility. The convenient thing about names and DOBs is that most people have them, and most people remember them. The issue with most surrogate tokens is that a remediation process is necessary for when people lose or forget them, and those processes fall back on, you guessed it, name/DOB, etc.

Fraud is just a very difficult problem to solve.

No, it's not. Estonia solved it by issuing ID cards with a private key that signs for a public key identifier. [1] Then proving your identity requires the presence of the physical token rather than just the identifier. Unfortunately most Western nations are so embroiled in bureaucracy that this obvious solution will not be available for a long time.

[1] https://en.wikipedia.org/wiki/Estonian_identity_card

What do you do when you lose it though? Or it burns in a fire? A surrogate token still needs a replacement mechanism
It's pretty easy to implement that if you have a central authority to manage the public keys, which a government can do.

A bigger issue is how to handle it being stolen (if the "card" also needs something like a passphrase it can reduce this risk, but it's probably better to make it relatively easy to "cancel" if you lose yours, and then you have to head to the DMV or whatever to procure a replacement).

Certainly better than knowing 10 digits and where you were born and to whom.

"Better" depends on which specific problem that someone is experiencing.

If your problem is that someone stole the token, then you're better off with a PKI token.

If your problem is that you have lost your token, then you're better off with a non-PKI memorable token.

Go to a government office and use biometric identification methods, then remove the old public key from databases and replace it with a new public key from a newly issued ID card.
SSN already suffers from the same exact problem and has ways to request a new SSN card. You are limited to 3 replacement cards in a year and 10 during your lifetime.
That is mitigated by the fact that SSNs can often be used without the physical card.
Estonia was exactly what I had in mind when I wrote my comment. You can't just guess PKI keys, but they are less accessible. You need the physical card, you must have a process for issuing/reissuing, and the technology must be available to use it. There are trade-offs. They can be good trade offs, but they exist.
>you must have a process for issuing/reissuing

Can't you piggyback off of the processes for social security cards?

You can. But, if I lose my SSN card I can still (usually) use my SSN because it exists in a functional form inside of my head. If it was a PKI card, I would physically need to have the card.

I have family who tried to get a replacement SSN card during COVID and the process has been entirely impossible. This a drawback to using physical tokens.

Also, this doesn't eliminate identity theft, the point of issuing is the weak-point for fraud.

Ok, but I got a replacement card several years ago and it was really not too hard. Took a few minutes at the SSA office with my passport (advice is to get their obscenely early to avoid waiting), and then waiting for the mail. Took a while to get in the mail, but wasn't hard, just slow.
Normally, it shouldn't be. But, my family ran into issues such as:

1. The office was physically closed for business during COVID.

2. They needed to get documentation which was physically in another country.

3. They could not travel to that country due to travel restrictions.

Lost my card, can confirm it's entirely tedious to replace
In Mexico the SAT (IRS) adopted something similar: A PKI to identify taxpayers for which you have to sign electronic documents with your password-protected private key. So far it has worked quite well, and it is being used for things other than taxes.

I consider people in Mexico way less technically sophisticated than people in the US, and adoption has been going well. So I believe implementing something like that would be possible in the US as well.

The issuing/reissuing process has been solved and is working fine, reissuing can even be done online (key-pairs have a longevity limit).

You can't just transfer a process/technology that works in Estonia to a country like the U.S. which has 300x the population and decades of processes that are dependent on SSNs, many of which aren't controlled by the government.

Want to open a bank account? Need an SSN. Healthcare: SSN Employment: SSN

Want a STATE driver's license? Need some form of government ID, depending on the state. An SSN card is often an option.

My point is, to adopt a system like you suggest would require reforming ALL of these systems across public (federal, state and local) and private sectors.

It's not just bureaucracy. Doing this at scale across public/private domains is hard.

I do not see what is wrong with starting somewhere, that somewhere being what Estonia has already proven works.
> Want to open a bank account? Need an SSN. Healthcare: SSN Employment: SSN

You don't need a SSN to open a bank account. Health, I believe it depends on the provider, not sure.

I never miss a plug for the idea that the United States Postal Service should get into the PKI game and issue hardware tokens. They have immense infrastructure they could leverage to be a very effective trust provider.

They already serve in that capacity to some extent evidenced by the various government entities who accept an addressed piece of mail as proof of residency. I don't think there'd be enough bipartisan support to make it happen, but I think it'd work great.

Totally agree with you. I think they should get into simple banking too. Even just a no fee simple savings account with debit cards would do wonders for the unbanked.
There are so many things we could do though. At least make it so I can easily rotate my SSN if it gets leaked. Currently I'm stuck with a SSN that gets used for fraud every once in a while. While it can be changed, it isn't easy.
We should just expect financial institutions to stop using primary keys as secret keys. SSNs were never supposed to be secrets, they're supposed to be fixed identifiers.
It's not easy, but victims of identity theft can request a new SSN.

https://faq.ssa.gov/en-us/Topic/article/KA-02220

As a practical matter, the best approach for most consumers is to freeze all of your credit reports. That way if an identity thief gets your SSN, at least they can't apply for loans in your name.

Identity theft can be solved by going more hands-on. Make KYC really mean KYC.

If you couldn't get a line of credit without an in-person appearance and fingerprint, that form of identity theft becomes unviable. You have detailed info as to who tried to commit fraud, that can immediately be used for prosecution or tracking repeat offenders.

Just stop using a number as something to autehticate people with, it is just stupid.
The issue isn’t just ssns. The issue is that they made the whole package available. Ssn, dob, etc.
Just stop using semi-public information that anyone curious enough can piece together as something to authenticate people with, it is just stupid.
You run into the same issue you do with 2FA -

I cannot remember my own SSN. What happens if I lose my license, SSN, and master password manager password in a fire? What happens if someone has a stroke and forgets a recent pin code, etc.

Do I go to my state and request new IDs? How do they authenticate me?

This has been solved by just about any other western country, and probably a lot of other countries.

E.g. I have an eID card. The gov can reset the pin. There are procedures to request a new one. Therecare revocation lists. Fake eIDs are rare. Its not perfect, but it works great compared to the USA.

The real problem is a semi religious fear of the US governement having working ID systems. So there are all kinds of half baked substitutes in use, that barely work and push the trouble on the end user. ID theft is a solved problem just about anywhere, if the US wants it, it can solve it too.

Tell the credit rating agencies that.
Credit rating is more about authorization than authentication.
The basic purpose of credit rating agencies is to condition the public to tolerate theft in the form of usury at the like 18.3 power (1.2^x) of the going international rates (1.01^x). ((1.01^x)^18.3 ~ 1.2^x). That's demonic.

But to carry it out, you gotta get people to buy into your bullshit, by like getting a usurious credit card to "build up your credit", only to max it out before getting fired at the start of an economic depression. Then the point system you put so much faith into says you're a complete piece of shit and says you need to pay much more interest on your mortgage, can't get a card at work, shit like that.

How come the spreads are so high, you get 1.01x on savings (actually .93x right now) but have to pay 1.2x interest on credit card because "it's so convenient?" It's not fucking convenient, they get you to use it by stealing from the merchant and giving you 1% of your spending. That's theft no matter what law says otherwise.

They should force card companies to at most square the interest and receive deposits at the square root at which they lend. Want to charge 21% interest on debt? Fine, but then you have to pay 10% on deposits. No matter how many people want to deposit money at 10% interest with you, if you want to charge 21% interest annually, you have to let all of them deposit their money with you and better come up with the money. Even if the Norway Sovereign Fund wants to park all their money with you, meaning you have to come up with 100 Billion a year for their interest, if you want to charge 21% interest for anything, too bad.

Maybe instead of charging interest, charge fees, or if there's a high chance of default, start at a higher principal. Banks generally want as their only goal the highest possible interest, so they rejigger the math. Badly, they're incompetent mathematicians. It's disgusting.

Credit rating agencies you generally can't them to cooperate with anything, they think of the public as chattel, it's disgusting. They hold dearly onto made up shit, like what patio11 said about a problem from before he was birth, and close their ears and lalala if you try to call them to fix it. They're flat out disgusting, money is the root of all evil those credit rating agencies are in the center of the pentagram. Literally fucking Satanic, demonic.

Counterpoint, I have 5 credit cards and have yet to pay one cent for any of them. No interest, no fees.

I do remember when using them that it's a loan I'll repay shortly, and not free money.

I know what that is, I get that, I could have done that.

I just consider it a trap for some moment when you are up against strife, like some tragedy, or you're traveling. That's a great way to get deep into debt right there, especially if you're renting a car, that's why everyone pushes you into traveling (credit cards spesh, double miles on the plane, cover you getting chiseled supposedly, need them to rent a car) and why I flat out refuse to travel. Like I can take the subway to a pretty park, there's so many, or go for a walk any direction I choose, no waiting for anything. I speak two many languages as it is, the fuck am I going to go to uh, ¡Singapore! as though it were at the bottom bottom bottom any different than Santiago from the tourist angle. Take photographs of what?! Like cool buildings yeah but $4500 plane ticket not including the enormous damage to my spine of that seat for that amount of time, flying coach obviously. And dealing with a chiropractor douche for the rest of my life.

I mean really? Like you'll find yourself in Singapore, or Islamabad, or Casablanca. Or Dubai, craven debt machine right there. Plus like everything that credit cards are for are basically harmful things. Like a car, or a medical emergency (frequently a scam, and if you can't pay they don't bother malpracticing on you in order for you to need their shitty grudgingly delivered treatment), or what else. Renting a hotel room to FUCK, for what else? Well one thing, if you get evicted you have somewhere to go. And then what you use it for, which is to get 1% or 2% back (or 3% back for some shit, I correctly assume that's why you have 5, different points rewards). It's not 3% back for ANYTHING, that's THEFT. If I am cornered brutally into having a credit card I will tally those small "cash back" shits of points and give that money right back to the store. It's theft, it's THEFT, I don't care if every article in the Bill of Rights is exclusively dedicated to saying it's not theft it's THEFT, you're stealing from Christians, in your case you're stealing from me ultimately, for refusing to participate by either paying or receiving compound interest.

And that's why they make it 1% or 2%, so you don't say "Hey I'm stealing from Daniel Cussen" (or any Christian) you say "it's just one percent, it rounds down to nothing, good little bonus at the end of the month. Cash back." Dude next time I'm at the teller I'm going to ask her 2% cash back for not paying with a credit card, see what she says.

See! Told you it's stealing!

The state cant even keep its own house in order, why do people continue to trust them to act in the public's best interest? They are abusing their authority to cover up their mistakes!

Lets face it, if arguably the most important job in the country needs zero qualifications, what hope does that country have?

> ...to seize four domains hosting the SSNDOB marketplace...

So they just got control of 4 domains pointing to the site, put up a takedown page and then issued a press release?

Did they actually do anything to stop the owners of the site from pointing another domain to the marketplace?

it's not the first time they just put a random seized photo on a domain then do a press release. take for example joker stash, after seizing one of their proxies they made a press release saying that after years of hard work they took it down. after two hours it came back online on the same domain.
It doesn't sit well with me that law enforcement can just seize domains like that.

In situations like these, is there anything you can do to reduce risk of your domain name being seized? Does it help to register them on ccTLDs of countries that won't care? like .ru? How have The Pirate Bay clones managed to be so resilient?

They can't just seize domains like that - it was done in conjunction with the courts.
If you are physically in the US and your domain is seized, it's the least of your worries, because you almost certainly have been seized yourself.
SSNs really should be treated as (at most) usernames and not passwords.
They mostly are. If they are used in the process of authenticating it is almost always in composite with other data.
As a European/French, why is the SSN so important to Americans ? I mean my SSN in France was automatically generated at my birth (basically from my birth gender, date, location, and the Nth baby I was this year in this location). I could generate the correct SSN of most my close friends from my head to maybe 3 digits on the first try if I had to.

They took a bit more than that ok (credit card numbers, but you can't do much with this without the CVV and the expiration date anyway, and you'll need to send a confirmation to your bank anyway).

So why is that such a big deal ?

American infrastructure uses SSNs as a form of authentication for sensitive things like bank accounts, medical records, loan applications, housing applications, etc. With a SSN, it is much easier to steal someone's identity.
Because SSN are the main way that banks and credit agencies use to identify people (which is not at all what they were intended for originally).

If you know somebody else's SSN plus a couple of semi public details (name, date of birth, address), you can go to a bank and borrow money under their name.

in croatia there is a personal identification number as well as the unique birth number of citizen (my transaltion). the latter is what you describe and the former i think is similar to the us ssn. the former should only be known to you. you use it, for example, when you sell your property or apply for credit. i think it is a huge fraud risk, especially in times of airbnb, because at least in croatia this is written on your id and passport and the national health card
So in the US you can do "credit freezes" which prevent people from taking out new loans/new cards in your name.

HOWEVER - you can't do anything about the fact they can call up your bank, say "I forgot my password" and then give them your SSN. Your bank will happily reset the password for them. If someone has your SSN they essentially have everything they need to get access to any of your financial, medical, or utility accounts, and can also use it for KYC/AML to open say a crypto account in your name. You cannot do anything to prevent this option.

Have you gone into your bank and asked about additional security measures? For my credit union, I have a call center password I have to give them and mom's maiden name is not mom's maiden name. I think—I'd have to double check—but I think I had them put a note in my file that I would have to go into unlock my account and show 2 forms of ID
once that data is out in the wild it lives forever. better to assume a kind of "no critical PII is actually secret anymore" and work to upgrade our systems to no longer be so naive