The Last Four Digits of Your Social Security Number

Not long ago I had to visit my bank. Yes, I actually had to go down to the branch, walk in and talk to someone. I needed to make a deposit and this one was too big to be done via my smartphone. That’s a nice problem to have of course, but it’s inconvenient because the closest branch is not really close at all. I handed the friendly teller my check and deposit slip. She then asked for my ID. Apparently, they don’t want just anyone depositing money into my account. I handed over my new driver’s license so there was little doubt I was who I claimed to be. I took my receipt and walked out.

Comparing a person to the ID they present is not a foolproof way to ensure they are who they say they are, fake IDs are not THAT difficult to obtain after all, but it’s better than nothing. It’s certainly better than the way so many companies verify your identity: with your Social Security Number (or government ID outside the US).

In the US, when you call a company with whom you have an account, you often get asked for the last four digits of your Social Security Number as proof that you are who you say you are. The obvious problem with this is that it’s not that difficult to obtain someone’s Social Security Number. Plus anyone working in customer service at any of these companies has access to a nearly unlimited database of social security numbers or at least the relevant digits. They attempt to add security by having you set up a few security questions when creating your account. There are two problems with this. First, they provide the questions and often use the same questions used elsewhere. What was the name of your elementary school? Where were you born? Second, the questions are about things that would not be difficult to answer with a bit of dedicated snooping, as exemplified by the hacking of Sarah Palin’s email back in 2008. And since so many of them use the same questions, a less than honest employee at any one of these companies could use this information to gain access to your accounts on other sites. Any hacker who breaks into a system with this information could also use it to gain access to accounts on other sites. And of course even worse, if someone has your Social Security Number, they can steal your identify, opening new credit accounts in your name. Undoing that kind of damage can be time-consuming and expensive.

There’s a better solution: text messaging. When you set up your account with most companies they ask for your phone number and often, specifically, your cell number. Later when you call the company, their phone system could get you number via caller ID, find you in their database and send you a text message with a four character passcode that you will provide the customer rep when they come on the phone. That code would change with every call so you’d need to have your cell phone to authenticate your identity. Apple and Google use a system like this as part of the two-step authentication system they provide as an extra level of security when making changes to your account profile such as your account password. This system is simple but certainly not foolproof. If someone steals your phone, they could authenticate as you. However, the first thing people typically do when they determine their phone has been lost (and potentially stolen) is call their phone company and have them temporarily shut off the number so whomever has it cannot make phone calls. Technology is making it less and less profitable to steal cell phones anyway. Not long ago, Apple changed iOS to require the user’s Apple ID password to change SIM cards or erase a phone so stealing an iPhone is no longer very profitable. Last year, the New York Times reported that banks are starting to take steps in the right direction and move away from using Social Security Numbers as a means of authentication.

Companies need follow suit and stop using US Social Security Numbers (and the equivalent in other countries) as a means of authentication not only because of the identify theft issue, but because it’s simply not a secure way to identify someone. Cell phones are so ubiquitous that most customers will have provided their cell phone number to a company they do business with and would most likely provide one if it increased their account security.